First, have your pacemaker ready.
Then open Windows Explorer and go to the following directory:
C:\Documents and Settings\[your user name]\Application Data
Open IE and shrink the IE window so that you can watch IE and the file list of the open directory at the same time.
Now visit the CND home page while keeping an eye on your file list. You will see a little thing suddenly added to it; its name is 'a.exe'.
- Re: CND has a little secret buried in it; let me tell you, it's no ordinary little cookie, it's my inner fear.. posted on 07/15/2009
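The procedure in the post above, automated, as an added example that is not part of the thread: a Python script that snapshots a directory, polls it, and reports every file that appears or changes, together with its SHA-256 hash. The watched folder defaults to the `APPDATA` environment variable (the Application Data directory the post names, which on current Windows lives under `AppData\Roaming`) and falls back to the home directory; the `demo()` scenario, including the dummy `a.exe`, is constructed.

```python
import hashlib
import os
import tempfile
import time

# Added example, not from the thread: do by script what the first post does
# by eye in Explorer. Snapshot a directory, poll it, and report every file
# that appears or changes, with its SHA-256 so it can be looked up later.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".vbs", ".js")


def snapshot_dir(path):
    """Map relative path -> (size, mtime) for every file under `path`."""
    snap = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # file disappeared between listing and stat
            snap[os.path.relpath(full, path)] = (st.st_size, st.st_mtime)
    return snap


def diff_snapshots(before, after):
    """Return (new, changed) relative paths between two snapshots."""
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return new, changed


def sha256_of(path):
    """Hex digest, or None if the file is already gone (droppers often delete themselves)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def is_executable_name(name):
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def report_changes(path, before, after):
    """Describe new/changed files as (relpath, sha256, looks_executable)."""
    new, changed = diff_snapshots(before, after)
    return [(rel, sha256_of(os.path.join(path, rel)), is_executable_name(rel))
            for rel in new + changed]


def watch(path, interval=1.0, rounds=None):
    """Poll `path` every `interval` seconds; forever if rounds is None."""
    before = snapshot_dir(path)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        after = snapshot_dir(path)
        for rel, digest, is_exe in report_changes(path, before, after):
            tag = "EXECUTABLE" if is_exe else "file"
            print(f"{time.strftime('%H:%M:%S')} new/changed {tag}: {rel} sha256={digest}")
        before = after
        done += 1


def demo():
    """Constructed scenario: a file named a.exe appears in a watched directory."""
    with tempfile.TemporaryDirectory() as d:
        before = snapshot_dir(d)
        payload = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"
        with open(os.path.join(d, "a.exe"), "wb") as f:
            f.write(payload)
        after = snapshot_dir(d)
        return report_changes(d, before, after), hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    events, expected = demo()
    print("demo:", events, "expected hash:", expected)
    # Assumption: APPDATA points at the profile's Application Data folder on Windows.
    target = os.environ.get("APPDATA") or os.path.expanduser("~")
    print("watching", target, "(Ctrl-C to stop)")
    watch(target)
```

Start it before opening the browser and leave it running. A file that lives for half a second, as a later reply reports for the a.exe process, can fall between two one-second polls or vanish before it is hashed (the hash then prints as None); shorten the interval, or use a kernel-level file monitor such as Sysinternals Process Monitor, if that happens. A new file in Application Data is not by itself proof of anything malicious; the hash is what lets you look it up or hand the sample to someone for analysis.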
What's the consequence? I am too hi-tech illiterate to understand. - posted on 07/15/2009
An EXE file can do anything, I mean ANYTHING, on your computer. - posted on 07/15/2009
Is this a.exe going to damage your file system? Do you mean we should not go to CND? - posted on 07/15/2009
Trojan?
- posted on 07/15/2009
I don't know; damaging your file system is....., let's say, a little childish, but it can collect or 'search' some 'useful' data from your computer, if they are 'nice'.
Many websites in China do this; I never expected CND.....
July wrote:
Is this a.exe going to damage your file system? Do you mean we should not go to CND? - posted on 07/15/2009
My computer warned me about another .gif trojan file from CND as well, and kept deleting it whenever a new CND page was opened.
Either it's been hacked and whacked by someone, or it's on purpose. - posted on 07/15/2009
No, it is not; it is their own 'little' thing.
夹缝 wrote:
Trojan?
- posted on 07/15/2009
It might be hacked. I suggest you stop visiting CND for a while, especially from your home computer; for most people, their home computer is wide open.
二老板 wrote:
My computer warned me about another .gif trojan file from CND as well, and kept deleting it whenever a new CND page was opened.
Either it's been hacked and whacked by someone, or it's on purpose. - posted on 07/15/2009
二老板 wrote:
My computer warned me about another .gif trojan file from CND as well, and kept deleting it whenever a new CND page was opened.
Either it's been hacked and whacked by someone, or it's on purpose.
Same here, and it happened before with another popular overseas Chinese site. - posted on 07/15/2009
Putain! (Feeling such a pain, it really hurts! The article 秃香的秃斜 just reposted talked about the need to swear, so here is a French swear word that works every time. But be warned::: do not use it with people you don't know or don't know well, absolutely not!! If you don't believe me, ask 巴黎雪.)
Thanks, 老面; we really can't browse that Chinatown grocery store anymore..
LM wrote:
It might be hacked. I suggest you stop visiting CND for a while, especially from your home computer; for most people, their home computer is wide open.
二老板 wrote:
My computer warned me about another .gif trojan file from CND as well, and kept deleting it whenever a new CND page was opened.
Either it's been hacked and whacked by someone, or it's on purpose. - posted on 07/15/2009
I tried visiting CND twice today, and both times my computer's firewall warned that an IP was ATTACKING my computer. The IP is:
202.59.152.65,80
I looked it up; this IP is in Hong Kong. Would anyone in the Café who knows IT come and explain what is going on?
Has anyone else run into this?
In any case, it looks best not to visit CND anymore, to avoid trouble. - posted on 07/15/2009
I got the same thing today. The ip locked by my company is 202.59.152.65
Host name idc-65-152-59-202.hkt.cc
Country Hong Kong
Country Code HK
City Central District
Latitude 22.2833
Longitude 114.15
Whois Information
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 202.59.152.0 - 202.59.159.255
netname: NET-FNCL
descr: First Network Communications Limited, ISP at HK
country: HK
admin-c: LC873-AP
tech-c: LC846-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-FNCL
mnt-routes: MAINT-HK-FNCL
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20060712
changed: hm-changed@apnic.net 20060901
changed: hm-changed@apnic.net 20070222
source: APNIC
route: 202.59.152.0/21
descr: Forewin Telecom Group Limited, ISP at HK
origin: AS38186
mnt-by: MAINT-HK-FTG
changed: hostmaster@hkt.cc 20090306
source: APNIC
person: Edward Poon
nic-hdl: LC873-AP
e-mail: edward@hkt.cc
address: Unit C, 8/F Blk 2 Vigor Ind Bldg
address: No. 49-53 Ta Chuen Ping St, Kwai Chung
address: N.T. HONG KONG
address:
address: + Please send spam and abuse reports to
address: + < abuse@hkt.cc >
phone: +852-23631363
fax-no: +852-81673882
country: HK
changed: hostmaster@hkt.cc 20090221
mnt-by: MAINT-HK-FTG
source: APNIC
person: Larry Chan
nic-hdl: LC846-AP
e-mail: ckchan@hkt.cc
address: Unit C, 8/F Blk 2 Vigor Ind Bldg
address: No. 49-53 Ta Chuen Ping St, Kwai Chung
address: N.T. HONG KONG
address:
address: + Please send spam and abuse reports to
address: + < abuse@hkt.cc >
phone: +852-23631363
fax-no: +852-81673882
country: HK
changed: hostmaster@hkt.cc.com 20090221
mnt-by: MAINT-HK-FTG
source: APNIC
- posted on 07/15/2009
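What the whois record above actually tells you, as an added example that is not from the thread: a Python script that parses the pasted APNIC text (excerpted into `WHOIS_TEXT`, with the comment lines dropped) and, for the address the firewall reported, finds the `inetnum` block and the announced `route` containing it, plus the abuse mailbox buried in the contact's address lines. The list of RPSL object classes and the "starts with abuse" heuristic for the mailbox are my assumptions.

```python
import ipaddress
import re

# Added example, not part of the thread: parse the APNIC whois text quoted
# above and confirm which registered block, announced route and abuse
# contact cover the address the firewall reported.

# Excerpt of the whois output pasted in the thread (comment lines dropped).
WHOIS_TEXT = """\
inetnum: 202.59.152.0 - 202.59.159.255
netname: NET-FNCL
descr: First Network Communications Limited, ISP at HK
country: HK
admin-c: LC873-AP
tech-c: LC846-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
source: APNIC
route: 202.59.152.0/21
descr: Forewin Telecom Group Limited, ISP at HK
origin: AS38186
mnt-by: MAINT-HK-FTG
source: APNIC
person: Edward Poon
nic-hdl: LC873-AP
e-mail: edward@hkt.cc
address: Unit C, 8/F Blk 2 Vigor Ind Bldg
address: + Please send spam and abuse reports to
address: + < abuse@hkt.cc >
phone: +852-23631363
country: HK
source: APNIC
"""

# Assumption: a line whose key is one of these RPSL classes starts a new object
# (the pasted text lost the blank lines that normally separate objects).
OBJECT_CLASSES = {"inetnum", "inet6num", "route", "route6", "person", "role", "aut-num", "irt"}
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Split whois text into objects; each object maps key -> list of values."""
    objects, cur = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "%#[":  # comments and query banners
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key in OBJECT_CLASSES and cur:
            objects.append(cur)
            cur = {}
        cur.setdefault(key, []).append(val)
    if cur:
        objects.append(cur)
    return objects


def inetnum_contains(inetnum, ip):
    """'a.b.c.d - e.f.g.h' ranges as used by APNIC/RIPE inetnum objects."""
    lo, _, hi = inetnum.partition("-")
    try:
        return ipaddress.ip_address(lo.strip()) <= ip <= ipaddress.ip_address(hi.strip())
    except (ValueError, TypeError):  # malformed range or mixed IPv4/IPv6
        return False


def lookup(ip_str, objects):
    """Which block, route and abuse mailbox in the parsed reply cover ip_str."""
    ip = ipaddress.ip_address(ip_str)
    result = {"ip": ip_str, "inetnum": None, "netname": None,
              "route": None, "origin": None, "abuse": []}
    for obj in objects:
        if "inetnum" in obj and inetnum_contains(obj["inetnum"][0], ip):
            result["inetnum"] = obj["inetnum"][0]
            result["netname"] = obj.get("netname", [None])[0]
        elif "route" in obj:
            net = ipaddress.ip_network(obj["route"][0], strict=False)
            if ip in net:
                result["route"] = obj["route"][0]
                result["origin"] = obj.get("origin", [None])[0]
        # Abuse mailboxes are often free text in address/remarks lines; the
        # server only returned objects related to the query, so scan them all.
        for val in obj.get("address", []) + obj.get("remarks", []):
            for addr in EMAIL_RE.findall(val):
                if addr.lower().startswith("abuse") and addr not in result["abuse"]:
                    result["abuse"].append(addr)
    return result


if __name__ == "__main__":
    for k, v in lookup("202.59.152.65", parse_whois(WHOIS_TEXT)).items():
        print(f"{k:8} {v}")
```

The record identifies who holds the address space and where to report abuse (abuse@hkt.cc, per the address lines), not what the host does, and a 2009 registration may since have changed hands. A personal-firewall alert naming remote port 80 is consistent with the browser having fetched something from that host, which fits the next reply's finding of a web server with a blank index page there.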
202.59.152.65 is a web site, with a totally blank index.html.
I don't know what it is for.
Anyway, be sure to delete that little a.exe.
夹缝 wrote:
I tried visiting CND twice today, and both times my computer's firewall warned that an IP was ATTACKING my computer. The IP is:
202.59.152.65,80
I looked it up; this IP is in Hong Kong. Would anyone in the Café who knows IT come and explain what is going on?
Has anyone else run into this?
In any case, it looks best not to visit CND anymore, to avoid trouble. - posted on 07/15/2009
Something downloaded from a CND web page? Really? That seems unlikely, unless CND's server was attacked and infected with a virus or spyware. They use PHP; could it be running on a Windows server? I never paid attention. CND should scan for viruses right away. :)
As for the unexplained connections to other websites, that is definitely a virus. But no need to be too nervous. Download Wireshark and do a network-level snoop; it is very simple and can save all the packets. If it is HTTP, you can see at a glance what information goes in and out of the computer. I don't research viruses, but generally this kind of virus doesn't do much harm. Don't scare yourself. :)
- posted on 07/15/2009
I just tested by opening the Task Manager to see whether a.exe is executed whenever I visit CND. It is, because a.exe appears on the processes list for half a second and then disappears. But it appears to be persistently activated, because I could not delete the code until I exited Explorer.
Might some organization have sneaked into CND to collect information about its readers? - posted on 07/17/2009
I don't have a Windows machine but I asked a friend to try it for me. He uses XP with the newest patch and IE 8. We watched the said directory but didn't see the a.exe file. We also looked at the running processes and didn't see anything extra.
Make sure your machine has the latest security updates and your IE is up-to-date, too.
Also try using a different browser, say Firefox, and observe.
I don't understand viruses/worms specific to Windows. Some info about a.exe on the net: http://www.file.net/process/a.exe.html. If possible, upload the a.exe to a shared file server (such as Google's) and I'll find someone to reverse engineer it.
The cnd web server could be compromised to supply slightly modified content targeted at the weakness of your browser. Buffer overflow is a common weakness. Once exploited, the attack may change the course of your browser's execution, place and run rogue programs on your computer. Most network attacks and spam mails are originated from such hijacked machines -- the owners don't even know their machines are possessed. My office computer is attacked nonstop (trying different login names) by some machines located in South Korea.
- posted on 07/17/2009
This may explain what had happened:
From CND webpage (on the top):
Dear CND Readers: we removed all script-based third-party ads including those from Google and Amazon.com as users have reported page loading issues.
xyz wrote:
I don't have a Windows machine but I asked a friend to try it for me. He uses XP with the newest patch and IE 8. We watched the said directory but didn't see the a.exe file. We also looked at the running processes and didn't see anything extra.
- posted on 07/17/2009
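Since the fix CND announced was to remove script-based third-party ads, here is an added example (not from the thread; `PAGE_URL` and `SAMPLE_HTML` are constructed placeholders, not CND's real page) that lists every external host a page pulls scripts, frames, images and objects from, the same hosts a proxy or Wireshark capture would show the browser contacting. The registrable-domain check is deliberately crude (last two labels) and is my simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not part of the thread or of CND's site: enumerate the
# third-party hosts a page loads active content from, which is where a
# script-based ad (and anything it drops) comes in.

# Constructed placeholders; not a real page.
PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//ads.example.net/show.js?slot=top"></script>
</head><body>
<img src="images/logo.gif">
<iframe src="http://static.example.org/frame.html" width="1" height="1"></iframe>
<object data="http://ads.example.net/flash/banner.swf"></object>
<a href="http://elsewhere.example.org/">link</a>
</body></html>
"""

# For each tag of interest, the attribute that names a fetched resource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                  "img": "src", "embed": "src", "object": "data"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every fetched resource in the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # urljoin resolves relative and scheme-relative (//host/...) URLs
            self.resources.append((tag, urljoin(self.base_url, value.strip())))


def registrable_domain(host):
    """Crude: last two labels. Wrong for co.uk-style suffixes; enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_resources(page_url, html):
    """Resources served from a domain other than the page's own."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    parser.close()
    own = registrable_domain(urlsplit(page_url).hostname)
    out = []
    for tag, url in parser.resources:
        host = urlsplit(url).hostname
        if host and registrable_domain(host) != own:
            out.append((tag, host, url))
    return out


if __name__ == "__main__":
    for tag, host, url in third_party_resources(PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> from {host}: {url}")
```

Feed it the saved HTML of a page you distrust (view-source or a capture) and compare the hosts it prints against the firewall's alerts. A script included from an ad network's host runs inside the page with the same access to the browser as the page's own script, so a compromised or malicious ad can drop a file without CND's own server ever being touched.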
I don't have it.
(c) 2010 Maya Chilam Foundation