可以在线查找空间里的asp木马
复制代码 代码如下:
<%@LANGUAGE="VBSCRIPT"CODEPAGE="936"%>
<%
'设置密码
PASSWORD="jb51net"
dimReport
ifrequest.QueryString("act")="login"then
ifrequest.Form("pwd")=PASSWORDthensession("pig")=1
endif
%>
<!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.01Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<metahttp-equiv="Content-Type"content="text/html;charset=gb2312">
<title>ASPSecurityforHacking</title>
</head>
<body>
<%IfSession("pig")<>1then%>
<formname="form1"method="post"action="?act=login">
<divalign="center">Password:
<inputname="pwd"type="password"size="15">
<inputtype="submit"name="Submit"value="提交">
</div>
</form>
<%
else
ifrequest.QueryString("act")<>"scan"then
%>
<formaction="?act=scan"method="post">
<b>填入你要检查的路径:</b>
<inputname="path"type="text"style="border:1pxsolid#999"value="."size="30"/>
<br>
*网站根目录的相对路径,填“”即检查整个网站;“.”为程序所在目录
<br>
<br>
<inputtype="submit"value="开始扫描"style="background:#fff;border:1pxsolid#999;padding:2px2px0px2px;margin:4px;border-width:1px3px1px3px"/>
</form>
<%
else
server.ScriptTimeout=600
DimFileExt="asp,cer,asa,cdx"
Sun=0
SumFiles=0
SumFolders=1
ifrequest.Form("path")=""then
response.Write("NoHack")
response.End()
endif
timer1=timer
ifrequest.Form("path")=""then
TmpPath=Server.MapPath("")
elseifrequest.Form("path")="."then
TmpPath=Server.MapPath(".")
else
TmpPath=Server.MapPath("")&""&request.Form("path")
endif
CallShowAllFile(TmpPath)
%>
<tablewidth="100%"border="0"cellpadding="0"cellspacing="0"class="CContent">
<tr>
<th>ASPSecurityForHacking
</tr>
<tr>
<tdclass="CPanel"style="padding:5px;line-height:170%;clear:both;font-size:12px">
<divid="updateInfo"style="background:ffffe1;border:1pxsolid#89441f;padding:4px;display:none"></div>
扫描完毕!一共检查文件夹<fontcolor="#FF0000"><%=SumFolders%></font>个,文件<fontcolor="#FF0000"><%=SumFiles%></font>个,发现可疑点<fontcolor="#FF0000"><%=Sun%></font>个
<tablewidth="100%"border="0"cellpadding="0"cellspacing="0">
<tr>
<tdvalign="top">
<tablewidth="100%"border="1"cellpadding="0"cellspacing="0"style="padding:5px;line-height:170%;clear:both;font-size:12px">
<tr>
<tdwidth="20%">文件相对路径</td>
<tdwidth="20%">特征码</td>
<tdwidth="40%">描述</td>
<tdwidth="20%">创建/修改时间</td>
</tr>
<p>
<%=Report%>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>
<%
timer2=timer
thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)
response.write"<br><fontsize=""2"">本页执行共用了"&thetime&"毫秒</font>"
endif
endif
%>
<hr>
<divalign="center">本程序取自<ahref="http://www.0x54.org"target="_blank">雷客图ASP站长安全助手</a>的ASP木马查找功能<br>
poweredby<ahref="http://lake2.0x54.org"target=_blank>lake2</a>
</div>
</body>
</html>
<%
'遍历处理path及其子目录所有文件
SubShowAllFile(Path)
SetFSO=CreateObject("Scripting.FileSystemObject")
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
IfCheckExt(FSO.GetExtensionName(path&""&myfile.name))Then
CallScanFile(Path&Temp&""&myfile.name,"")
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&""&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub
'检测文件
SubScanFile(FilePath,InFile)
IfInFile<>""Then
Infiles="该文件被<ahref=""http://"&Request.Servervariables("server_name")&""&InFile&"""target=_blank>"&InFile&"</a>文件包含执行"
EndIf
SetFSOs=CreateObject("Scripting.FileSystemObject")
onerrorresumenext
setofile=fsos.OpenTextFile(FilePath)
filetxt=Lcase(ofile.readall())
IferrThenExitSubendif
iflen(filetxt)>0then
'特征码检查
temp="<ahref=""http://"&Request.Servervariables("server_name")&""&replace(FilePath,server.MapPath("")&"","",1,1,1)&"""target=_blank>"&replace(FilePath,server.MapPath("")&"","",1,1,1)&"</a>"
'Check"WScr"&DoMyBest&"ipt.Shell"
Ifinstr(filetxt,Lcase("WScr"&DoMyBest&"ipt.Shell"))orInstr(filetxt,Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8"))then
Report=Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&"ipt.Shell或者clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td>危险组件,一般被ASP木马利用。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
Endif
'Check"She"&DoMyBest&"ll.Application"
Ifinstr(filetxt,Lcase("She"&DoMyBest&"ll.Application"))orInstr(filetxt,Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000"))then
Report=Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&"ll.Application或者clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td>危险组件,一般被ASP木马利用。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'Check.Encode
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="@s*LANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td>似乎脚本被加密了,一般ASP文件是不会加密的。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'CheckmyASPbackdoor:(
regEx.Pattern="bEv"&"alb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
'Checkexe&cutebackdoor
regEx.Pattern="[^.]bExe"&"cuteb"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>Exec"&"ute</td><td>e"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)。<br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
SetregEx=Nothing
'Checkincludefile
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="<s*#includes*virtuals*=s*"".*"""
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Server.MapPath("")&""&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
'CheckServer&.Execute|Transfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()"".*"""
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,"""")+1,Len(Match.Value)-Instr(Match.Value,"""")-1),"/","")
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,""))&tFile,replace(FilePath,server.MapPath("")&"","",1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
'CheckServer&.Execute|Transfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="Server.(Exec"&"ute|Transfer)([t]*|()[^""])"
IfregEx.Test(filetxt)Then
Report=Report&"<tr><td>"&temp&"</td><td>Server.Exec"&"ute</td><td>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查。<br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
EndIf
SetMatches=Nothing
SetregEx=Nothing
'CheckCrea"&"teObject
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern="CreateO"&"bject[|t]*(.*)"
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
IfInstr(Match.Value,"&")orInstr(Match.Value,"+")orInstr(Match.Value,"""")=0orInstr(Match.Value,"(")<>InStrRev(Match.Value,"(")Then
Report=Report&"<tr><td>"&temp&"</td><td>Creat"&"eObject</td><td>Crea"&"teObject函数使用了变形技术,仔细复查。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun=Sun+1
exitsub
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
endif
setofile=nothing
setfsos=nothing
EndSub
'检查文件后缀,如果与预定的匹配即返回TRUE
FunctionCheckExt(FileExt)
IfDimFileExt="*"ThenCheckExt=True
Ext=Split(DimFileExt,",")
Fori=0ToUbound(Ext)
IfLcase(FileExt)=Ext(i)Then
CheckExt=True
ExitFunction
EndIf
Next
EndFunction
FunctionGetDateModify(filepath)
Setfso=CreateObject("Scripting.FileSystemObject")
Setf=fso.GetFile(filepath)
s=f.DateLastModified
setf=nothing
setfso=nothing
GetDateModify=s
EndFunction
FunctionGetDateCreate(filepath)
Setfso=CreateObject("Scripting.FileSystemObject")
Setf=fso.GetFile(filepath)
s=f.DateCreated
setf=nothing
setfso=nothing
GetDateCreate=s
EndFunction
%>