可以在线查找空间里的asp木马

复制代码 代码如下:

<%@LANGUAGE="VBSCRIPT"CODEPAGE="936"%>

<%

'设置密码

PASSWORD="jb51net"

dimReport

ifrequest.QueryString("act")="login"then

ifrequest.Form("pwd")=PASSWORDthensession("pig")=1

endif

%>

<!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.01Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<metahttp-equiv="Content-Type"content="text/html;charset=gb2312">

<title>ASPSecurityforHacking</title>

</head>

<body>

<%IfSession("pig")<>1then%>

<formname="form1"method="post"action="?act=login">

<divalign="center">Password:

<inputname="pwd"type="password"size="15">

<inputtype="submit"name="Submit"value="提交">

</div>

</form>

<%

else

ifrequest.QueryString("act")<>"scan"then

%>

<formaction="?act=scan"method="post">

<b>填入你要检查的路径：</b>

<inputname="path"type="text"value="."size="30"/>

<br>

*网站根目录的相对路径，填“”即检查整个网站；“.”为程序所在目录

<br>

<br>

<inputtype="submit"value="开始扫描"/>

</form>

<%

else

server.ScriptTimeout=600

DimFileExt="asp,cer,asa,cdx"

Sun=0

SumFiles=0

SumFolders=1

ifrequest.Form("path")=""then

response.Write("NoHack")

response.End()

endif

timer1=timer

ifrequest.Form("path")=""then

TmpPath=Server.MapPath("")

elseifrequest.Form("path")="."then

TmpPath=Server.MapPath(".")

else

TmpPath=Server.MapPath("")&""&request.Form("path")

endif

CallShowAllFile(TmpPath)

%>

<tablewidth="100%"border="0"cellpadding="0"cellspacing="0"class="CContent">

<tr>

<th>ASPSecurityForHacking

</tr>

<tr>

<tdclass="CPanel">

<divid="updateInfo"></div>

扫描完毕！一共检查文件夹<fontcolor="#FF0000"><%=SumFolders%></font>个，文件<fontcolor="#FF0000"><%=SumFiles%></font>个，发现可疑点<fontcolor="#FF0000"><%=Sun%></font>个

<tablewidth="100%"border="0"cellpadding="0"cellspacing="0">

<tr>

<tdvalign="top">

<tablewidth="100%"border="1"cellpadding="0"cellspacing="0">

<tr>

<tdwidth="20%">文件相对路径</td>

<tdwidth="20%">特征码</td>

<tdwidth="40%">描述</td>

<tdwidth="20%">创建/修改时间</td>

</tr>

<p>

<%=Report%>

<br/></p>

</table></td>

</tr>

</table>

</td></tr></table>

<%

timer2=timer

thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)

response.write"<br><fontsize=""2"">本页执行共用了"&thetime&"毫秒</font>"

endif

endif

%>

<hr>

<divalign="center">本程序取自<ahref="http://www.0x54.org"target="_blank">雷客图ASP站长安全助手</a>的ASP木马查找功能<br>

poweredby<ahref="http://lake2.0x54.org"target=_blank>lake2</a>

</div>

</body>

</html>

<%

'遍历处理path及其子目录所有文件

SubShowAllFile(Path)

SetFSO=CreateObject("Scripting.FileSystemObject")

ifnotfso.FolderExists(path)thenexitsub

Setf=FSO.GetFolder(Path)

Setfc2=f.files

ForEachmyfileinfc2

IfCheckExt(FSO.GetExtensionName(path&""&myfile.name))Then

CallScanFile(Path&Temp&""&myfile.name,"")

SumFiles=SumFiles+1

EndIf

Next

Setfc=f.SubFolders

ForEachf1infc

ShowAllFilepath&""&f1.name

SumFolders=SumFolders+1

Next

SetFSO=Nothing

EndSub

'检测文件

SubScanFile(FilePath,InFile)

IfInFile<>""Then

Infiles="该文件被<ahref=""http://"&Request.Servervariables("server_name")&""&InFile&"""target=_blank>"&InFile&"</a>文件包含执行"

EndIf

SetFSOs=CreateObject("Scripting.FileSystemObject")

onerrorresumenext

setofile=fsos.OpenTextFile(FilePath)

filetxt=Lcase(ofile.readall())

IferrThenExitSubendif

iflen(filetxt)>0then

'特征码检查

temp="<ahref=""http://"&Request.Servervariables("server_name")&""&replace(FilePath,server.MapPath("")&"","",1,1,1)&"""target=_blank>"&replace(FilePath,server.MapPath("")&"","",1,1,1)&"</a>"

'Check"WScr"&DoMyBest&"ipt.Shell"

Ifinstr(filetxt,Lcase("WScr"&DoMyBest&"ipt.Shell"))orInstr(filetxt,Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8"))then

Report=Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&"ipt.Shell或者clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td>危险组件，一般被ASP木马利用。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

Endif

'Check"She"&DoMyBest&"ll.Application"

Ifinstr(filetxt,Lcase("She"&DoMyBest&"ll.Application"))orInstr(filetxt,Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000"))then

Report=Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&"ll.Application或者clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td>危险组件，一般被ASP木马利用。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'Check.Encode

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="@s*LANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td>似乎脚本被加密了，一般ASP文件是不会加密的。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'CheckmyASPbackdoor:(

regEx.Pattern="bEv"&"alb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ev"&"al(X)<br>但是javascript代码中也可以使用，有可能是误报。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

'Checkexe&cutebackdoor

regEx.Pattern="[^.]bExe"&"cuteb"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>Exec"&"ute</td><td>e"&"xecute()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ex"&"ecute(X)。<br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

SetregEx=Nothing

'Checkincludefile

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="<s*#includes*virtuals*=s*"".*"""

SetMatches=regEx.Execute(filetxt)

ForEachMatchinMatches

tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")

IfNotCheckExt(FSOs.GetExtensionName(tFile))Then

CallScanFile(Server.MapPath("")&""&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))

SumFiles=SumFiles+1

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

'CheckServer&.Execute|Transfer

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()"".*"""

SetMatches=regEx.Execute(filetxt)

ForEachMatchinMatches

tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")

IfNotCheckExt(FSOs.GetExtensionName(tFile))Then

CallScanFile(Mid(FilePath,1,InStrRev(FilePath,""))&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))

SumFiles=SumFiles+1

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

'CheckServer&.Execute|Transfer

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()[^""])"

IfregEx.Test(filetxt)Then

Report=Report&"<tr><td>"&temp&"</td><td>Server.Exec"&"ute</td><td>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查。<br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

EndIf

SetMatches=Nothing

SetregEx=Nothing

'CheckCrea"&"teObject

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern="CreateO"&"bject[|t]*(.*)"

SetMatches=regEx.Execute(filetxt)

ForEachMatchinMatches

IfInstr(Match.Value,"&")orInstr(Match.Value,"+")orInstr(Match.Value,"""")=0orInstr(Match.Value,"(")<>InStrRev(Match.Value,"(")Then

Report=Report&"<tr><td>"&temp&"</td><td>Creat"&"eObject</td><td>Crea"&"teObject函数使用了变形技术，仔细复查。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"

Sun=Sun+1

exitsub

EndIf

Next

SetMatches=Nothing

SetregEx=Nothing

endif

setofile=nothing

setfsos=nothing

EndSub

'检查文件后缀，如果与预定的匹配即返回TRUE

FunctionCheckExt(FileExt)

IfDimFileExt="*"ThenCheckExt=True

Ext=Split(DimFileExt,",")

Fori=0ToUbound(Ext)

IfLcase(FileExt)=Ext(i)Then

CheckExt=True

ExitFunction

EndIf

Next

EndFunction

FunctionGetDateModify(filepath)

Setfso=CreateObject("Scripting.FileSystemObject")

Setf=fso.GetFile(filepath)

s=f.DateLastModified

setf=nothing

setfso=nothing

GetDateModify=s

EndFunction

FunctionGetDateCreate(filepath)

Setfso=CreateObject("Scripting.FileSystemObject")

Setf=fso.GetFile(filepath)

s=f.DateCreated

setf=nothing

setfso=nothing

GetDateCreate=s

EndFunction

%>