Code of taote ASP Trojan Scanner

+ ----------------- +
| Taote ASP Trojan scanner |
+ ----------------- +
This program can scan all files of the specified type (asp, cer, asa, cdx) on the server to find suspicious Trojans. The system isolates the scan program from the virus database,
You only need to upgrade the virus library like anti-virus software. Currently, all popular ASP Trojans can be detected and killed.

The system provides three scanning methods: Full-site scan, folder scan, and specified file scan. If there are few website files, we recommend that you use full-site scan. If there are many files, we recommend that you
Scan by folder. During the scanning process, the system records the list of scanned files and displays the files suspected to be Trojans in the form of a list.
The ASP Trojan program has been uploaded, and the system displays the files modified and created in red in particular for the current time within seven days. The system will make a "level" judgment on the files suspected to be Trojans, and color differentiation
We recommend that you manually check programs with a "general" level before processing them. For files with a "severe" level, click the file link under "file name, generally, after the trojan is opened
There is a logon prompt. Click the "delete" Link under "file name" to delete the file directly from the server. If you are worried about accidental deletion, click "Download" to back up the file.
Usage:
Upload the extracted files to the server. Run: http: // your url/scan. asp

+ ----------------- +
| Logon password: totscan |
+ ----------------- +
Virus_lib.aspCopy codeThe Code is as follows: <%
Dim virus (1, 7), virus_Regx (1, 4)
'Define Trojan Components
Virus (0, 0) = "WScript"
Virus (1, 0) = "level: <font color =" "green" "> severe! </Font> <br> most wscripts are Trojan keywords"
Virus (0, 1) = "Shell"
Virus (1, 1) = "level: <font color =" "green" "> severe! </Font> <br> Shell is mostly a trojan keyword"
Virus (0, 2) = "Shell. Application"
Virus (1, 2) = "level: <font color =" "green" "> severe! </Font> <br> asp components, generally used for Trojans"
'Haiyang Components
Virus () = "clsid: 72c24dd5-d70a-438b-8a42-98108b88afb8"
Virus (1, 3) = "level: <font color =" "green" "> severe! </Font> <br> asp WScript components, generally used for Trojans"
Virus () = "clsid: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
Virus (1, 4) = "level: <font color =" "green" "> severe! </Font> <br> asp wscript components, generally used for Trojans"
Virus (0, 5) = "clsid: 093FF999-1EA0-4079-9525-9614C3504B74"
Virus (1, 5) = "level: <font color =" "green" "> severe! </Font> <br> asp net components, generally used for Trojans"
Virus () = "clsid: F935DC26-1CF0-11D0-ADB9-00C04FD58A0B"
Virus () = "level: <font color =" "green" "> severe! </Font> <br> asp net components, generally used for Trojans"
Virus (0, 7) = "clsid: 0D43FE01-F093-11CF-8940-00A0C9054228"
Virus () = "level: <font color =" "green" "> severe! </Font> <br> asp fso component, generally used for Trojans"

'Define Trojan keywords
Virus_Regx (0, 0) = "@ \ s * LANGUAGE \ s * = \ s * [" "]? \ S * (vbscript | jscript | javascript). encode \ B"
Virus_Regx (1, 0) = "level: <font color =" "green" "> serious! </Font> <br> the script is encrypted. Generally, ASP files are not encrypted. "
Virus_Regx (0, 1) = "\ bEval \ B"
Virus_Regx () = "level: <font color =" "gray" "> average! </Font> <br> the eval () function can execute any ASP code and be exploited by some backdoors. The format is ev "&" al (X) <br> but it can also be used in javascript code, which may be a false positive. "
Virus_Regx (0, 2) = "[^.] \ bExecute \ B"
Virus_Regx () = "level: <font color =" "gray" "> average! </Font> <br> the execute () function can execute any ASP code and be exploited by some backdoors. The format is: ex "&" ecute (X ). "
Virus_Regx (0, 3) = "Server. (Execute | Transfer) ([\ t] * | \ () [^" "] \)"
Virus_Regx () = "level: <font color =" "gray" "> average! </Font> <br> you cannot track and check the files executed by the Server. e "&" xecute () function. Ask the Administrator to check the vulnerability. "
Virus_Regx (0, 4) = "CreateObject [| \ t] * \ (. * \) $ [^ adodb. recordset]"
Virus_Regx () = "level: <font color =" "gray" "> average! </Font> <br> Crea "&" The teObject function uses the deformation technology and reviews it carefully"
%>

Scan. aspCopy codeThe Code is as follows: <% @ LANGUAGE = "VBSCRIPT" CODEPAGE = "936" %>
<! -- # Include file = "virus_lib.asp" -->
<%
Server. ScriptTimeout = 90000
Dim act
Act = request. QueryString ("act ")
Const PASSWORD = "totscan"
If act = "login" then
If request. Form ("pwd") = PASSWORD then session ("login") = "OK"
End if
%>
<! Doctype html public "-// W3C // dtd html 4.01 Transitional // EN" "http://www.w3.org/TR/html4/loose.dtd">
<Html>
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312">
<Title> Asp Trojan scanner </title>
<Script language = "JavaScript" type = "text/JavaScript">

Function ConfirmDel ()
{
If (confirm ("are you sure you want to delete? And cannot be recovered! "))
Return true;
Else
Return false;

}
</Script>
</Head>

<Body>
<Div align = "center"> <Hr>
<%
If Session ("login") <> "OK" then
Call LoginForm ()
Else
Dim pathStr
If request ("path") <> "then
PathStr = request ("path ")
Else
PathStr = server. MapPath ("/")
End if
Response. Write ("<a href =" "javascript: history. back ();" "> Returns response </a> <br>" & Chr (10 ))
If act = "scan" then
Dim ScanFileType, Suspect, ScanFileNum, ScanFolderNum, BeginTime, EndTime, TmpPath, Report
ScanFileType = "asp, cer, asa, cdx"
Suspect = 0
ScanFileNum = 0
ScanFolderNum = 0
BeginTime = timer
Response. Write ("<textarea name =" "textarea" "style =" "width: 100%" "rows =" 5 ">" & Chr (10 ))
Response. Write ("scan log:" & vbcrlf)
If (request. QueryString ("file") <> "") then
Call ScanFile (request. QueryString ("file "),"")
Else
Call ScanFolder (pathStr)
End if
Response. Write ("</textarea> ")
Call ShowResult ()
EndTime = timer
Response. write "<br> <font size =" 2 ""> execution time: "& cstr (int (EndTime-BeginTime) * 10000) + 0.5)/10) & "millisecond </font>"
Elseif act = "del" then
Call DelFile (request. QueryString ("file "))
Response. Write ("<br> <a href =" & request. ServerVariables ("HTTP_REFERER") & ""> return </a> ")
Elseif act = "down" then
Call Download (request. QueryString ("file "))
Else
Call FileList (pathStr)
Call ScanForm ()
End if
End if

%>
<Hr>
</Body>
</Html>
<%
Sub LoginForm
%>
<Form name = "form1" method = "post" action = "? Act = login ">
<Div align = "center"> Password:
<Input name = "pwd" type = "password" size = "15">
<Input type = "submit" name = "Submit" value = "submit">
</Div>
</Form>
<%
End Sub
Sub ScanForm
%>
<Form action = "? Act = scan "method =" post ">
<Input type = "submit" value = "full site scan" style = "background: # fff; border: 1px solid #999; padding: 2px 2px 0px 2px; margin: 4px; border-width: 1px 3px 1px 3px "/>
</Form>
<%
End sub
'Process all files in the path and Its subdirectories through Traversal
Sub FileList (Path)
Set FSO = CreateObject ("Scripting. FileSystemObject ")
If not fso. FolderExists (path) then exit sub
All objects in the Set folders = FSO. GetFolder (Path) 'directory
Set files = folders. files
Set subfolders = folders. SubFolders
'List folder
For Each fl in subfolders
Response. Write ("<a href = ""? Path = "& Path &" \ "& fl. name & "> "& fl. name & "</a>" & Chr (10 ))
Response. Write ("<a href = ""? Act = scan & path = "& Path &" \ "& fl. name &" "> scan </a> <br>" & Chr (10 ))
Next
'List file
For Each file_f in files
Response. Write (" "& file_f.name &" "& Chr (10 ))
Response. Write ("<a href = ""? Act = scan & file = "& Path &" \ "& file_f.name &" "> scan </a> <br>" & Chr (10 ))
Next
Set folders = nothing
Set files = nothing
Set subfolders = nothing
Set FSO = Nothing
End Sub
Sub ShowResult
%>
<Table width = "100%" border = "0" cellpadding = "0" cellspacing = "0" class = "CContent">
<Tr>
<Td class = "CPanel" style = "padding: 5px; line-height: 170%; clear: both; font-size: 12px">
Scan completed! Check a total of <font color = "# FF0000"> <% = ScanFolderNum %> </font> folders, <font color = "# FF0000"> <% = ScanFileNum %> </font> files, suspicious <font color = "# FF0000"> <% = Suspect %> </font>
</Td> </tr> </table>
<Table width = "100%" border = "0" cellpadding = "0" cellspacing = "1" style = "padding: 5px; background-color: #666666; line-height: 18px; clear: both; font-size: 12px ">
<Tr>
<Td width = "30%" bgcolor = "# FFFFFF"> file name </td>
<Td width = "20%" bgcolor = "# FFFFFF"> signature </td>
& Lt; td width = "30%" bgcolor = "# FFFFFF" & gt; description </td>
<Td width = "20%" bgcolor = "# FFFFFF"> creation/modification time </td>
</Tr>
<P>
<% = Report %>
<Br/>
</P>
</Table>
<%
End Sub
'Process all files in the path and Its subdirectories through Traversal
Sub ScanFolder (Path)
Dim folders, files, subfolders
ScanFolderNum = ScanFolderNum + 1
Set FSO = CreateObject ("Scripting. FileSystemObject ")
If not fso. FolderExists (path) then exit sub
Set folders = FSO. GetFolder (Path)
Set files = folders. files
For Each myfile in files
If CheckExt (FSO. GetExtensionName (path & "\" & myfile. name) Then
Call ScanFile (Path & "\" & myfile. name ,"")
End If
Next
Set subfolders = folders. SubFolders
For Each f1 in subfolders
ScanFolder path & "\" & f1.name
Next
Set folders = nothing
Set files = nothing
Set subfolders = nothing
Set FSO = Nothing
End Sub

'Detection File
Sub ScanFile (FilePath, InFile)
Dim FSOs, ofile, filetxt, fileUri, vi
ScanFileNum = ScanFileNum + 1
Response. Write ("scan file:" & FilePath & vbcrlf)
Response. Flush ()
If InFile <> "" Then
Infiles = "this file is <a href =" "http: //" & Request. servervariables ("server_name") & "\" & InFile & "target = _ blank>" & InFile & "</a> File Inclusion execution"
End If
Set FSOs = CreateObject ("Scripting. FileSystemObject ")
On error resume next
Set ofile = fsos. OpenTextFile (FilePath)
Filetxt = Lcase (ofile. readall ())
If err Then Exit Sub end if
If len (filetxt)> 0 then
'Signature check
FileUri = "<a href =" "http: //" & Request. servervariables ("server_name") & ":" & Request. serverVariables ("SERVER_PORT") & "\" & replace (FilePath, server. mapPath ("\") & "\", "", 1, 1) & "" target = _ blank> "& replace (FilePath, server. mapPath ("\") & "\", "", 1, 1) & "</a> <br>"
FileUri = fileUri & "Operation: <a href = ""? Act = del & file = "& FilePath &" onClick = "" return ConfirmDel () ""> Delete </a>"
FileUri = fileUri & "<a href = ""? Act = down & file = "& FilePath &" "> download </a>"
For vi = 0 to ubound (virus, 2)
If instr (filetxt, Lcase (virus (0, vi) then
Report = Report & "<tr bgcolor =" "# FFFFFF" "> <td>" & fileUri & "</td> <td>" & virus (0, vi) & "</td> <td>" & virus (1, vi) & infiles & "</td> <td> Create:" & GetDateCreate (filepath) & "<br> modify:" & GetDateModify (filepath) & "</td> </tr>"
Suspect = Suspect + 1
End if
Next
For vi = 0 to ubound (virus_Regx, 2)
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = virus_Regx (0, vi)
If regEx. Test (filetxt) Then
Report = Report & "<tr bgcolor =" "# FFFFFF" "> <td>" & fileUri & "</td> <td>" & virus_Regx (0, vi) & "</td> <td>" & virus_Regx (1, vi) & infiles & "</td> <td> creation:" & GetDateCreate (filepath) & "<br> modify:" & GetDateModify (filepath) & "</td> </tr>"
Suspect = Suspect + 1
End If
Next

'Check include file
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "<! -- \ S * # include \ s * file \ s * = \ s *"".*"""
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
TFile = Replace (Mid (Match. value, Instr (Match. value, ") + 1, Len (Match. value)-Instr (Match. value, ")-1 ),"/","\")
If Not CheckExt (FSOs. GetExtensionName (tFile) Then
Call ScanFile (Mid (FilePath, 1, faster Rev (FilePath, "\") & tFile, replace (FilePath, server. mapPath ("\") & "\", "", 1, 1 ))
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check include virtual
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "<! -- \ S * # include \ s * virtual \ s * = \ s *"".*"""
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
TFile = Replace (Mid (Match. value, Instr (Match. value, ") + 1, Len (Match. value)-Instr (Match. value, ")-1 ),"/","\")
If Not CheckExt (FSOs. GetExtensionName (tFile) Then
Call ScanFile (Server. mapPath ("\") & "\" & tFile, replace (FilePath, server. mapPath ("\") & "\", "", 1, 1 ))
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check Server &. Execute | Transfer
Set regEx = New RegExp
RegEx. IgnoreCase = True
RegEx. Global = True
RegEx. Pattern = "Server. (Exec" & "ute | Transfer) ([\ t] * | \()"".*"""
Set Matches = regEx. Execute (filetxt)
For Each Match in Matches
TFile = Replace (Mid (Match. value, Instr (Match. value, ") + 1, Len (Match. value)-Instr (Match. value, ")-1 ),"/","\")
If Not CheckExt (FSOs. GetExtensionName (tFile) Then
Call ScanFile (Mid (FilePath, 1, faster Rev (FilePath, "\") & tFile, replace (FilePath, server. mapPath ("\") & "\", "", 1, 1 ))
End If
Next
Set Matches = Nothing
Set regEx = Nothing

End if
Set ofile = nothing
Set fsos = nothing
End Sub

'Check the file suffix. If it matches the predefined one, TRUE is returned.
Function CheckExt (FileExt)
If ScanFileType = "*" Then CheckExt = True
Ext = Split (ScanFileType ,",")
For I = 0 To Ubound (Ext)
If Lcase (FileExt) = Ext (I) Then
CheckExt = True
Exit Function
End If
Next
End Function
'Delete an object
Sub DelFile (FilePath)
Set fso = Server. CreateObject ("Scripting. FileSystemObject ")
If fso. FileExists (FilePath) then
Fso. DeleteFile (FilePath)
Response. Write ("Else
Response. Write ("End if
Set fso = nothing
End Sub
'Download an object
Sub Download (FilePath)
Dim oStream
Set FSO = Server. CreateObject ("Scripting. FileSystemObject ")
If FSO. FileExists (FilePath) then
Set oStream = Server. CreateObject ("ADODB. Stream ")
OStream. Type = 1
OStream. Open
On error resume next
OStream. LoadFromFile (FilePath)
If Err. Number = 0 then
Response. AddHeader "Content-Disposition", "attachment; filename =" & FSO. GetFileName (FilePath)
Response. AddHeader "Content-Length", oStream. Size
Response. ContentType = "bad/type" 'Yeu cau ie hien hop thoai save-
Response. BinaryWrite oStream. Read
End if
OStream. Close
Set oStream = nothing
End if
Set FSO = nothing
End sub
Function GetDateModify (filepath)
Dim s, days
Set fso = CreateObject ("Scripting. FileSystemObject ")
Set f = fso. GetFile (filepath)
S = f. DateLastModified
Set f = nothing
Set fso = nothing
Days = DateDiff ("d", Cdate (s), now ())
If (days>-7 and days <7) then
S = "<font color =" "red"> "& s &" </font>"
End if
GetDateModify = s
End Function

Function GetDateCreate (filepath)
Dim s, days
Set fso = CreateObject ("Scripting. FileSystemObject ")
Set f = fso. GetFile (filepath)
S = f. DateCreated
Set f = nothing
Set fso = nothing
Days = DateDiff ("d", Cdate (s), now ())
If (days>-7 and days <7) then
S = "<font color =" "red"> "& s &" </font>"
End if
GetDateCreate = s
End Function

%>