Online scanning detection of ASP site Trojan back door program _ Application Skills

Source: Internet
Author: User

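<%@ LANGUAGE="VBSCRIPT" CODEPAGE="936" %>
<%
' Login password. Be sure to change it before use: the value below is the
' default that is published together with the script, so anyone can know it.
' Login is refused for as long as PASSWORD still equals SHIPPED_PASSWORD.
Const SHIPPED_PASSWORD = "Www.pifoo.com"
PASSWORD = "Www.pifoo.com"

' Value stored in the session after a successful login. The login branch and
' the page guard must use the same value, so it is defined once here.
SESSION_MARK = "#) \ ' Www.pifoo.com"

' Other scan settings
' Comma-separated list of extensions to scan; other files are not scanned.
' Kept in lower case because Checkext lower-cases the file's extension first.
Dimfileext = "asp,cer,asa,cdx"
' Size limit in bytes: 51200 bytes is 50 KB (the old comment said 500K).
' Larger files are skipped completely, so they are never inspected.
Maxfilesize = 51200
' If the scan exceeds 600 seconds, the script will terminate
timeout = 600

' Jspadmin@asp.web.csdn= dog = Feiyun modified in 2006.07.07
' Get the latest modified version, please pay attention to http://www.pifoo.com
' qq:33323489 email:subaoliang@etang.com guestbook:http://www.pifoo.com/lyb

' Report collects the HTML table rows produced by Scanfile.
Dim Report
If LCase(Request.QueryString("act")) = "login" Then
	' Never accept the published default password.
	If PASSWORD <> SHIPPED_PASSWORD Then
		If Request.Form("pifoo") = PASSWORD Then Session("Pifoo") = SESSION_MARK
	End If
End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>asp Trojan, backdoor detectors </title>

<body>
<% If Session("Pifoo") <> SESSION_MARK Then %>
<form name="Form1" method="post" action="?act=login">
<div align="center">password:
<input name="Pifoo" type="password">
<input type="submit" name="Submission" value="submitted">
<% If PASSWORD = SHIPPED_PASSWORD Then %>
<br>Login is disabled until the default password in this script has been changed.
<% End If %>
</div>
</form>
<%
Else
	If LCase(Request.QueryString("act")) <> "scan" Then
%>
<form action="?act=scan" method="post">
<b> fill in the path you want to check:</b>
<input name="path" type="text" style="border:1px solid #999" value=".">
<br>
* Path relative to the site root: enter "\" to check the entire site, or "." for the directory where this program resides
<br>
<br>
<input type="submit" value="Start scanning" style="background:#fff; border:1px solid #999; padding:2px 2px 0px 2px; margin:4px; border-width:1px 3px 1px 3px">
</form>
<%
	Else
		Server.ScriptTimeout = timeout
		Sun = 0
		Sumfiles = 0
		Sumfolders = 1
		reqPath = Trim(Request.Form("path"))
		If reqPath = "" Then
			' Nothing was scanned, so do not print anything that reads like a clean result.
			Response.Write("No path was given, so nothing was scanned.")
			Response.End()
		End If
		Timer1 = Timer

		' Resolve the requested path and keep it inside the site root. The form
		' value is user input; without this check a value containing ".." would
		' let the scan walk directories outside the web site.
		rootPath = Server.MapPath("\")
		If Right(rootPath, 1) = "\" Then rootPath = Left(rootPath, Len(rootPath) - 1)
		If reqPath = "\" Then
			Tmppath = rootPath
		ElseIf reqPath = "." Then
			Tmppath = Server.MapPath(".")
		Else
			Set pathFso = CreateObject("Scripting.FileSystemObject")
			Tmppath = pathFso.GetAbsolutePathName(rootPath & "\" & reqPath)
			Set pathFso = Nothing
		End If
		If LCase(Left(Tmppath & "\", Len(rootPath) + 1)) <> LCase(rootPath & "\") Then
			Response.Write("The requested path is outside the site root, so nothing was scanned.")
			Response.End()
		End If
		Call Showallfile(Tmppath)
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="ccontent">
<tr>
<th>asp Trojan, backdoor, vulnerability scan detection</th>
</tr>
<tr>
<td class="cpanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<div id="Updateinfo" style="background:#ffffe1;border:1px solid #89441f;padding:4px;display:none"></div>
Scan Complete! Check the folder <font color="#FF0000"><%=Sumfolders%></font>, file <font color="#FF0000"><%=Sumfiles%></font>, suspicious <font color="#FF0000"><%=Sun%></font>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top">
<table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<tr>
<td width="20%"> File relative path </td>
<td width="20%"> Signature </td>
<td width="40%"> Description </td>
<td width="20%"> Create/Modify Time </td>
</tr>
<%=Report%>
</table></td>
</tr>
</table>
</td></tr></table>

<%
		Timer2 = Timer
		' Elapsed time in milliseconds, rounded to one decimal place.
		thetime = CStr(Int(((Timer2 - Timer1) * 10000) + 0.5) / 10)
		Response.Write "<br><font size=""2""> this page executes a shared" & thetime & "millisecond </font>"
	End If
End If
%>

<div align="center"><br>
Modified by <a href="http://www.pifoo.com" target=_blank>jspadmin</a> at 2006.07.07
</div>
</body>
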
<%
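' Walk Path and all of its subfolders. Every file whose extension passes
' Checkext and whose size is at most Maxfilesize is handed to Scanfile.
' Updates the script-level counters Sumfiles and Sumfolders.
'   Path - absolute folder path; a folder that does not exist is ignored
Sub Showallfile (Path)
	Dim fso, folder, entry, child
	Set fso = CreateObject("Scripting.FileSystemObject")
	If Not fso.FolderExists(Path) Then
		Set fso = Nothing
		Exit Sub
	End If
	Set folder = fso.GetFolder(Path)
	For Each entry In folder.Files
		' Files with an unlisted extension or above the size limit are skipped
		' without any line in the report; they have to be checked separately.
		If Checkext(fso.GetExtensionName(entry.Name)) And (entry.Size <= Maxfilesize) Then
			Call Scanfile(fso.BuildPath(Path, entry.Name), "")
			Sumfiles = Sumfiles + 1
		End If
	Next
	For Each child In folder.SubFolders
		Showallfile fso.BuildPath(Path, child.Name)
		Sumfolders = Sumfolders + 1
	Next
	Set folder = Nothing
	Set fso = Nothing
End Sub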

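' Scan one file for the signatures listed below. Every hit appends a table row
' to the script-level Report string and adds one to the script-level Sun counter.
'   FilePath - absolute path of the file to read
'   InFile   - "" for a file found by folder traversal; otherwise the
'              site-relative path of the file whose include led to this file
' All checks are text-pattern matches on the lower-cased file content, so a
' hit needs manual review and a file with no hit is not proven clean.
' Signature strings are split with the empty variable DoMyBest so that this
' script does not match its own patterns when it scans itself.
Sub Scanfile (FilePath, InFile)
	Dim fsos, ofile, filetxt, infiles, temp, relPath, siteRoot
	Dim regEx, matches, hit, DoMyBest, baseDir
	' Best-effort scan, as in the original: a failing statement is skipped.
	On Error Resume Next

	Set fsos = CreateObject("Scripting.FileSystemObject")
	If Not fsos.FileExists(FilePath) Then
		' Typically an include target that could not be resolved.
		Set fsos = Nothing
		Exit Sub
	End If

	siteRoot = Server.MapPath("\") & "\"
	relPath = Replace(FilePath, siteRoot, "", 1, 1, 1)
	' Paths and the server name are HTML-encoded before they go into the
	' report, because the report is written to the page without further escaping.
	If InFile <> "" Then
		infiles = "This file is <a href=""" & ScanfileUrl(InFile) & """ target=_blank>" & Server.HTMLEncode(InFile) & "</a> file contains execution "
	End If
	temp = "<a href=""" & ScanfileUrl(relPath) & """ target=_blank>" & Server.HTMLEncode(relPath) & "</a>"

	Err.Clear
	Set ofile = fsos.OpenTextFile(FilePath)
	If Err.Number = 0 Then
		If ofile.AtEndOfStream Then
			' Empty file: nothing to check.
			ofile.Close
			Set ofile = Nothing
			Set fsos = Nothing
			Exit Sub
		End If
		filetxt = LCase(ofile.ReadAll())
	End If
	If Err.Number <> 0 Then
		' A file that cannot be read was not checked; say so in the report
		' instead of dropping it silently.
		Err.Clear
		Report = Report & "<tr><td>" & temp & "</td><td>-</td><td>File could not be read, so it was not checked. " & infiles & "</td><td></td></tr>"
		Set ofile = Nothing
		Set fsos = Nothing
		Exit Sub
	End If
	ofile.Close

	If Len(filetxt) > 0 Then
		' Signature check: command shell component
		If InStr(filetxt, LCase("WScr" & DoMyBest & "ipt.Shell")) > 0 Or InStr(filetxt, LCase("clsid:72c24dd5-d70a" & DoMyBest & "-438b-8a42-98424b88afb8")) > 0 Then
			ScanfileAddFinding temp, "WScr" & DoMyBest & "ipt.Shell or clsid:72c24dd5-d70a" & DoMyBest & "-438b-8a42-98424b88afb8", "dangerous components, commonly used by ASP Trojans. " & infiles, FilePath
		End If

		' Signature check: shell application component
		If InStr(filetxt, LCase("She" & DoMyBest & "ll.Application")) > 0 Or InStr(filetxt, LCase("clsid:13709620-c27" & DoMyBest & "9-11ce-a49e-444553540000")) > 0 Then
			ScanfileAddFinding temp, "She" & DoMyBest & "ll.Application or clsid:13709620-c27" & DoMyBest & "9-11ce-a49e-444553540000", "dangerous components, Commonly used by ASP Trojan Horse. " & infiles, FilePath
		End If

		Set regEx = New RegExp
		regEx.IgnoreCase = True
		regEx.Global = True

		' Encoded script language in the page directive
		regEx.Pattern = "@\s*language\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
		If regEx.Test(filetxt) Then
			ScanfileAddFinding temp, "(vbscript|jscript|javascript).Encode", "It seems that the script is encrypted and the general ASP file is not encrypted. " & infiles, FilePath
		End If

		' Dynamic evaluation function (may also appear in client-side JavaScript)
		regEx.Pattern = "\bev" & "al\b"
		If regEx.Test(filetxt) Then
			ScanfileAddFinding temp, "ev" & "al", "The e" & "val() function can execute arbitrary ASP code and be used by some backdoor. The format is generally: ev" & "al(X)<br>but also can be used in JavaScript code, possibly false positives. " & infiles, FilePath
		End If

		' Dynamic statement runner; [^.] leaves out method calls on an object
		regEx.Pattern = "[^.]\bexe" & "cute\b"
		If regEx.Test(filetxt) Then
			ScanfileAddFinding temp, "exec" & "ute", "The e" & "xecute() function can execute arbitrary ASP code and be used by some backdoor. The form is generally: ex" & "ecute(X).<br>" & infiles, FilePath
		End If

		' Follow included files whose extension is not in the scan list
		' (listed extensions are reached by the folder traversal anyway).
		baseDir = Mid(FilePath, 1, InStrRev(FilePath, "\"))
		ScanfileFollow filetxt, "<!--\s*#include\s*file\s*=\s*"".*""", baseDir, FilePath, relPath
		ScanfileFollow filetxt, "<!--\s*#include\s*virtual\s*=\s*"".*""", siteRoot, FilePath, relPath
		' Same for server-side run/transfer calls that name a literal file
		ScanfileFollow filetxt, "Server.(Exec" & "ute|Transfer)([ \t]*|\()"".*""", baseDir, FilePath, relPath

		' Server-side run/transfer calls whose target is not a quoted literal
		regEx.Pattern = "Server.(Exec" & "ute|Transfer)([ \t]*|\()[^""]\)"
		If regEx.Test(filetxt) Then
			ScanfileAddFinding temp, "Server.Exec" & "ute", "cannot track files that are executed by checking the Server.e" & "xecute() function. Ask the administrator to check it yourself.<br>" & infiles, FilePath
		End If

		' Object creation whose argument is built up (concatenation, no quoted
		' literal, or nested parentheses). Reported once per file.
		regEx.Pattern = "createo" & "bject[ |\t]*\(.*\)"
		Set matches = regEx.Execute(filetxt)
		For Each hit In matches
			If InStr(hit.Value, "&") > 0 Or InStr(hit.Value, "+") > 0 Or InStr(hit.Value, """") = 0 Or InStr(hit.Value, "(") <> InStrRev(hit.Value, "(") Then
				ScanfileAddFinding temp, "Creat" & "eObject", "The Crea" & "teObject function uses the deformation technique and is carefully reviewed. " & infiles, FilePath
				Exit For
			End If
		Next
		Set matches = Nothing
		Set regEx = Nothing
	End If
	Set ofile = Nothing
	Set fsos = Nothing
End Sub

' Build the report link for a site-relative path, HTML-encoded for use in an
' attribute; backslashes become forward slashes.
Function ScanfileUrl (relPath)
	ScanfileUrl = "http://" & Server.HTMLEncode(Request.ServerVariables("SERVER_NAME")) & "/" & Server.HTMLEncode(Replace(relPath, "\", "/"))
End Function

' Append one finding row to Report and count it in Sun. The three *Html
' arguments are inserted as HTML, so the caller encodes any file-derived text.
Sub ScanfileAddFinding (linkHtml, signatureHtml, descriptionHtml, FilePath)
	Dim createdAt, modifiedAt
	' A timestamp that cannot be read must not lose the finding itself.
	On Error Resume Next
	createdAt = getdatecreate(FilePath)
	modifiedAt = getdatemodify(FilePath)
	On Error GoTo 0
	Report = Report & "<tr><td>" & linkHtml & "</td><td>" & signatureHtml & "</td><td>" & descriptionHtml & "</td><td>" & createdAt & "<br>" & modifiedAt & "</td></tr>"
	Sun = Sun + 1
End Sub

' Return the text between the first double quote and the last character of
' matchText, with forward slashes turned into backslashes.
Function ScanfileQuotedTarget (matchText)
	Dim firstQuote
	firstQuote = InStr(matchText, """")
	ScanfileQuotedTarget = Replace(Mid(matchText, firstQuote + 1, Len(matchText) - firstQuote - 1), "/", "\")
End Function

' For every match of pattern in fileText, resolve the quoted target against
' baseDir and scan it when its extension is not in the scan list.
' A file that names itself is skipped; longer include cycles are NOT detected
' here and are only stopped by the script timeout.
Sub ScanfileFollow (fileText, pattern, baseDir, FilePath, relPath)
	Dim rx, found, m, target, fullPath, fsoExt
	Set fsoExt = CreateObject("Scripting.FileSystemObject")
	Set rx = New RegExp
	rx.IgnoreCase = True
	rx.Global = True
	rx.Pattern = pattern
	Set found = rx.Execute(fileText)
	For Each m In found
		target = ScanfileQuotedTarget(m.Value)
		fullPath = baseDir & target
		If Not Checkext(fsoExt.GetExtensionName(target)) Then
			If LCase(fullPath) <> LCase(FilePath) Then
				Call Scanfile(fullPath, relPath)
				Sumfiles = Sumfiles + 1
			End If
		End If
	Next
	Set found = Nothing
	Set rx = Nothing
	Set fsoExt = Nothing
End Sub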

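' Return True when Fileext is one of the extensions in the comma-separated
' script-level list Dimfileext, or when Dimfileext is "*"; otherwise False.
' Both sides are trimmed and lower-cased. VBScript's "=" compares strings
' case-sensitively, so with an upper-case list the old comparison never
' matched and no file at all was scanned.
Function Checkext (Fileext)
	Dim wanted, listed, i
	Checkext = False
	If Trim(Dimfileext) = "*" Then
		Checkext = True
		Exit Function
	End If
	wanted = LCase(Trim(Fileext))
	listed = Split(Dimfileext, ",")
	For i = 0 To UBound(listed)
		If wanted = LCase(Trim(listed(i))) Then
			Checkext = True
			Exit Function
		End If
	Next
End Function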

' Return the last-modified timestamp of the file at filepath.
Function getdatemodify (filepath)
	Dim fileSystem, modifiedAt
	Set fileSystem = CreateObject("Scripting.FileSystemObject")
	modifiedAt = fileSystem.GetFile(filepath).DateLastModified
	Set fileSystem = Nothing
	getdatemodify = modifiedAt
End Function

' Return the creation timestamp of the file at filepath.
Function getdatecreate (filepath)
	Dim fileSystem, createdAt
	Set fileSystem = CreateObject("Scripting.FileSystemObject")
	createdAt = fileSystem.GetFile(filepath).DateCreated
	Set fileSystem = Nothing
	getdatecreate = createdAt
End Function

%>


"ASP Trojan Detector"-Online scanning detection of ASP site Trojan back door program

It scans all ASP program code in the site online and checks whether that code contains dangerous constructs.

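The signatures currently detected are: CreateObject, Execute, Shell.Application, Wscript.Shell, Eval, include, and so on. These are text-pattern matches, so every hit needs manual review, and a report with no hits does not prove that the site is free of backdoors.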

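The improvements in this version are: a customizable list of file extensions, a limit on the size of scanned files, a scan timeout, and slightly more complex session verification ... Note that files with an unlisted extension or above the size limit are not inspected at all, so they have to be checked by other means.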

Please open the original code view yourself.

After use, either delete the script promptly or change the login password, making it as complex as possible. (Although this program does not directly provide a way to open files online, it could still be of use to an attacker; for example, the scan report lists the relative paths of the files that use dangerous components.)

The next modified version is planned to add a check for IFRAME signatures. At present too many sites have had IFRAMEs injected into them; of course, that is only the symptom, and the actual cause is a vulnerability in the site's programs or elsewhere.

Click here to download ASP Trojan detector [ Note: The decompression password and the default login password are all www.pifoo.com]

Original Author: Reiche Map
jspadmin= a stupid dog = Feiyun modified in 2006.07.07
' Get the latest modified version, please pay attention to http://www.pifoo.com
' qq:33323489 email:subaoliang@etang.com guestbook:http://www.pifoo.com/lyb
