在线扫描探测检查asp站点木马后门的程序

代码如下:

<%
‘设置登陆密码，使用前务必修改此密码
PASSWORD = “www.pifoo.com”

‘其他扫描设置
DimFileExt = “asp,cer,asa,cdx” ‘文件类型扩展名列表，不在此列表的将不被扫描
maxfilesize= 51200 ‘500K，超过此文件大小的文件(一般不是木马)，将不被扫描
timeout=600 ‘如果扫描超过600秒，脚本将终止

‘[email protected]=阿笨狗=飞云修改于2006.07.07
‘获取最新修改版本，请关注http://www.pifoo.com
‘QQ:33323489 Email:[email protected] Guestbook:http://www.pifoo.com/lyb

dim Report
if request.QueryString(“act”)=”login” then
if request.Form(“pifoo”) = PASSWORD then session(“pifoo”)=”#)\’www.pifoo.com”
end if
%>

asp木马、后门探测器

<%If Session("pifoo") “#)\’www.pifoo.com” then%>

Password:

<%
else
if request.QueryString(“act”)”scan” then
%>

填入你要检查的路径：

* 网站根目录的相对路径，填”\”即检查整个网站；”.”为程序所在目录

<%
else
server.ScriptTimeout = timeout
Sun = 0
SumFiles = 0
SumFolders = 1
if request.Form(“path”)=”” then
response.Write(“没有发现被入侵的迹象.”)
response.End()
end if
timer1 = timer
if request.Form(“path”)=”\” then
TmpPath = Server.MapPath(“\”)
elseif request.Form(“path”)=”.” then
TmpPath = Server.MapPath(“.”)
else
TmpPath = Server.MapPath(“\”)&”\”&request.Form(“path”)
end if
Call ShowAllFile(TmpPath)
%>

扫描完毕！一共检查文件夹个，文件个，发现可疑点个

ASP木马、后门、漏洞扫描探测

文件相对路径

特征码

描述

创建/修改时间

<%
timer2 = timer
thetime=cstr(int(((timer2-timer1)*10000 )+0.5)/10)
response.write “
本页执行共用了”&thetime&”毫秒”
end if
end if
%>

Modified by jspadmin at 2006.07.07

<%
‘遍历处理path及其子目录所有文件
Sub ShowAllFile(Path)
Set FSO = createObject(“Scripting.FileSystemObject”)
if not fso.FolderExists(path) then exit sub
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&”\”&myfile.name)) and (myfile.size<=maxfilesize) Then
Call ScanFile(Path&Temp&”\”&来源gao@dai!ma.com搞$代^码网myfile.name, “”)
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&”\”&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub

‘检测文件
Sub ScanFile(FilePath, InFile)
If InFile “” Then
Infiles = “该文件被”& InFile & “文件包含执行”
End If
Set FSOs = createObject(“Scripting.FileSystemObject”)
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)>0 then
‘特征码检查
temp = “”&replace(FilePath,server.MapPath(“\”)&”\”,””,1,1,1)&””
‘Check “WScr”&DoMyBest&”ipt.Shell”
If instr( filetxt, Lcase(“WScr”&DoMyBest&”ipt.Shell”) ) or Instr( filetxt, Lcase(“clsid:72C24DD5-D70A”&DoMyBest&”-438B-8A42-98424B88AFB8″) ) then
Report = Report&”

“&temp&” WScr”&DoMyBest&”ipt.Shell 或者 clsid:72C24DD5-D70A”&DoMyBest&”-438B-8A42-98424B88AFB8 危险组件，一般被ASP木马利用。”&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
End if
‘Check “She”&DoMyBest&”ll.Application”
If instr( filetxt, Lcase(“She”&DoMyBest&”ll.Application”) ) or Instr( filetxt, Lcase(“clsid:13709620-C27″&DoMyBest&”9-11CE-A49E-444553540000”) ) then
Report = Report&”

“&temp&” She”&DoMyBest&”ll.Application 或者 clsid:13709620-C27″&DoMyBest&”9-11CE-A49E-444553540000 危险组件，一般被ASP木马利用。”&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
End If
‘Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = “@\s*LANGUAGE\s*=\s*[“”]?\s*(vbscript|jscript|javascript).encode\b”
If regEx.Test(filetxt) Then
Report = Report&”

“&temp&” (vbscript|jscript|javascript).Encode 似乎脚本被加密了，一般ASP文件是不会加密的。”&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
End If
‘Check my ASP backdoor
regEx.Pattern = “\bEv”&”al\b”
If regEx.Test(filetxt) Then
Report = Report&”

“&temp&” Ev”&”al e”&”val()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ev”&”al(X)
但是javascript代码中也可以使用，有可能是误报。”&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
End If
‘Check exe&cute backdoor
regEx.Pattern = “[^.]\bExe”&”cute\b”
If regEx.Test(filetxt) Then
Report = Report&”

“&temp&” Exec”&”ute e”&”xecute()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ex”&”ecute(X)。
“&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
End If
Set regEx = Nothing

‘检查包含文件
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = “<!–\s*#include\s*file\s*=\s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, “”””) + 1, Len(Match.Value) – Instr(Match.Value, “”””) – 1),”/”,”\”)
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,”\”))&tFile, replace(FilePath,server.MapPath(“\”)&”\”,””,1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

‘检查虚拟目录
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = “<!–\s*#include\s*virtual\s*=\s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, “”””) + 1, Len(Match.Value) – Instr(Match.Value, “”””) – 1),”/”,”\”)
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Server.MapPath(“\”)&”\”&tFile, replace(FilePath,server.MapPath(“\”)&”\”,””,1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

‘检查特殊命令：Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = “Server.(Exec”&”ute|Transfer)([ \t]*|\()””.*”””
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, “”””) + 1, Len(Match.Value) – Instr(Match.Value, “”””) – 1),”/”,”\”)
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,”\”))&tFile, replace(FilePath,server.MapPath(“\”)&”\”,””,1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

‘Check Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = “Server.(Exec”&”ute|Transfer)([ \t]*|$)[^””]$”
If regEx.Test(filetxt) Then
Report = Report&”

“&temp&” Server.Exec”&”ute 不能跟踪检查Server.e”&”xecute()函数执行的文件。请管理员自行检查。
“&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
End If
Set Matches = Nothing
Set regEx = Nothing

‘检查createobject命令 Crea”&”teObject
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = “createO”&”bject[ |\t]*$.*$”
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
If Instr(Match.Value, “&”) or Instr(Match.Value, “+”) or Instr(Match.Value, “”””) = 0 or Instr(Match.Value, “(“) InStrRev(Match.Value, “(“) Then
Report = Report&”

“&temp&” Creat”&”eObject Crea”&”teObject函数使用了变形技术，仔细复查。”&infiles&” “&GetDatecreate(filepath)&”
“&GetDatemodify(filepath)&”

”
Sun = Sun + 1
exit sub
End If
Next
Set Matches = Nothing
Set regEx = Nothing
end if
set ofile = nothing
set fsos = nothing
End Sub

‘检查文件后缀，如果与预定的匹配即返回TRUE
Function CheckExt(FileExt)
If DimFileExt = “*” Then CheckExt = True
Ext = Split(DimFileExt,”,”)
For i = 0 To Ubound(Ext)
If Lcase(FileExt) = Ext(i) Then
CheckExt = True
Exit Function
End If
Next
End Function

Function GetDatemodify(filepath)
Set fso = createObject(“Scripting.FileSystemObject”)
Set f = fso.GetFile(filepath)
s = f.DateLastModified
set f = nothing
set fso = nothing
GetDatemodify = s
End Function

Function GetDatecreate(filepath)
Set fso = createObject(“Scripting.FileSystemObject”)
Set f = fso.GetFile(filepath)
s = f.Datecreated
set f = nothing
set fso = nothing
GetDatecreate = s
End Function

【asp木马探测器】-在线扫描探测检查asp站点木马后门的程序

可以在线扫描检查探测站点内的所有asp程序代码，检测代码中是否含有危险代码

目前检测的特征码有：CreateObject、Execute、Shell.Application、WScript.Shell、Eval、include……等。

对程序的改进是：增加扩展名后缀列表自定义、扫描文件大小限制、扫描超时限制、session验证改复杂了一点点……

具体请自己打开原始代码查看。

使用后，要么及时删除，要么将登陆密码改掉，尽量改复杂点。（虽然这个程序不会直接提供在线打开文件的功能，但仍然有可能被hacker利用）

准备下一个修改版本加入检查iframe特征码的功能，目前太多站点都是被人挂了iframe，当然，那只是表现，具体漏洞根源还是在程序或其他方面。

点击这里下载asp木马探测器 [注意：解压密码和默认登陆密码都是http://www.pifoo.com]

原作者：雷客图
jspadmin=阿笨狗=飞云修改于2006.07.07
‘获取最新修改版本，请关注http://www.pifoo.com
‘QQ:33323489 Email:[email protected] Guestbook:http://www.pifoo.com/lyb

以上就是在线扫描探测检查asp站点木马后门的程序的详细内容，更多请关注gaodaima搞代码网其它相关文章！

搞代码网（gaodaima.com）提供的所有资源部分来自互联网，如果有侵犯您的版权或其他权益，请说明详细缘由并提供版权或权益证明然后发送到邮箱[email protected]‍，我们会在看到邮件的第一时间内为您处理，或直接联系QQ：872152909。本网站采用BY-NC-SA协议进行授权
转载请注明原文链接：在线扫描探测检查asp站点木马后门的程序

Hi，您需要填写昵称和邮箱！