First of all, I would like to thank the "hackers" who did not erase them during the development of the Internet. The quotation marks here do not demean anything, but refer to those who are really proficient in code and discover and exploit program vulnerabilities based on their own profound technology. They generally do not do anything, it's just fun in research. I personally think that their existence promotes the rapid development of technology. For the common "tool users", most of them seem to have no strength in addition to messing around, damaging, and self-blocking hacking.
To put it bluntly, some hackers recently studied the code of the online forum and found that they could bypass the program to upload arbitrary files in some way, and then use the uploaded malicious code to do almost everything they wanted to do. The versions affected by this vulnerability are all versions earlier than 7.7.2. in theory, it also affects all sites that use similar program development. To address this vulnerability, we strongly recommend that you upgrade to the latest version. The address is as follows:
Http://bbs.dvbbs.net/dispbbs.asp? Boardid = 8 & id = 704362 & page = 1
If you are lucky enough to win the bid, I will provide some simple methods to scan and kill malicious code (Trojans) in the dynamic network forum based on my experience. The effect of the scan and kill is proportional to the degree of care you have paid, prepare your patience and follow me step by step.
As the saying goes, "Know yourself, know yourself, know yourself, and know yourself. To query Trojans, you must first understand the structure of your website, and secondly understand the composition of Trojans. A good website structure can quickly identify illegal files. A bad structure will make you dizzy. Simply put, it is to classify and release files, delete expired and tested files in time. This topic is not the focus of today. If you are interested, please search for it yourself. The composition of Trojans is complex and changeable. Generally, they appear in various forms based on different functions. A smaller one can be done with dozens of characters. You do not need many tools to check Trojans. An FTP software and Windows built-in search functions are required. A text editor, such as a Windows notepad, is ready. We recommend that you use flashfxp for FTP software. It has some useful functions in trojan detection.
21:10:36, Tom told me that his Forum homepage was changed. I immediately logged on to his website and found that the Forum homepage file was changed. He asked him to come to the FTP account and password, log on to FTP and check it carefully. His space is only placed in a dynamic network forum. According to the analysis of the page being modified, the trojan program is uploaded and modified. So I open flashfxp and select a tool, select search for files on the FTP server, as shown in figure 1.
Generally, the trojan is an ASP file. I enter *. asp in the name and click Search now, as shown in figure 2.
After waiting patiently for a while, the result came out. I clicked "in Folders" to arrange the searched files in folders. The website structure is clear because it uses a dynamic network forum. Except for the root directory and INC directory, no ASP files should exist in other directories. Now there is a suspicious file Haha under the uploadface directory. ASP, I clicked "Modify time" again to arrange the last modification time. I found this file was last modified, and it was really suspicious. For good deletion, I chose it, check the source code and check whether it is a trojan. If you are sure, do not hesitate to delete it! Figure 3.
The idea is that IIS also maps other types of files to ASP. DLL explanation, I searched again like 2 *. CER ,*. CDX ,*. asa ,*. HTR. delete one of these files because the program does not need them.
Hey, I didn't expect it to take 2 minutes to solve the problem. I was so proud that I suddenly thought that what if hackers modified normal files and added malicious code? The file content can not be checked using FTP. I can only go back and check all the files. The directories under upload have hundreds of MB, so I won't be able to continue, you only need to ensure that there are no executable files such as ASP in it, and the database does not need to be deleted. All other files can be downloaded. Figure 4.
Tom is urging me. He wants to activate the forum as soon as possible. He uses the original official program. I will delete the old program first, as shown in Figure 5,
Then download the latest Internet forum 7.0sp2, and upload the files in the root directory and those directories that have just been deleted. Without uploading the database, the Forum will soon be restored, after repeatedly telling him not to install plug-ins or other programs, I concentrated on studying the downloaded files.
Enable the Windows Search function and write the name of the file to be searched *. ASP, think of many Trojans with this line of code "Language = VBScript. encode. encode to find all "VBScript. the ASP file of encode, hey, I found a few, figure 6.
Of course, not all Trojans must use this line of code to continue searching for keywords to determine if they are Trojans. List some keywords for reference.
The keywords I provide are not necessarily the most comprehensive. I hope that experienced users can continue to provide them. I will update the keyword list at any time.
Keywords |
Possibility |
Solution |
Dynamic network includes this Keyword File |
VBScript. encode |
100% |
Delete |
None |
Ocean |
100% |
Delete |
None |
Daoxiang |
100% |
Delete |
None |
Freezing Point |
100% |
Delete |
None |
0d43fe01-f093-11cf-8940-00a0c9054228 |
100% |
Delete |
None |
093ff999-1ea0-4079-9525-9614c3504b74 |
100% |
Delete |
None |
72c24dd5-d70a-438b-8a42-98417b88afb8 |
100% |
Delete |
None |
Createtextfile |
100% |
Delete |
None |
Eval (R |
100% |
Delete |
None |
Execute request |
100% |
Delete or replace |
None It is generally added to a normal file as shown in Figure Execute request ("X ") To execute abnormal code Recommended replacement |
Execute session |
100% |
Delete or replace |
None, same as above |
Opentextfile |
100% |
Delete |
None |
Writeline |
100% |
Delete |
None |
Wscript |
100% |
Delete |
None |
5 xsoft |
100% |
Delete |
None |
Scripting. Dictionary |
100% |
Delete |
None |
Request. binaryread |
100% |
Delete |
None |
Deletefile |
90% |
Delete or replace |
Admin_bbsface.asp Admin_data.asp Admin_postings.asp Admin_uploadlist.asp Admin_upuserface.asp Upfile. asp |
Movefile |
90% |
Delete or replace |
Reg. asp |
GetFile |
90% |
Delete or replace |
Reg. asp Showimg. asp Viewfile. asp |
= Vbs |
90% |
Delete or replace |
Dv_ubbcode.asp |
If you have operation permissions on the server, we recommend that you perform the following settings:
Go to site properties, select the main directory, click configuration, and delete all unnecessary script mappings. Generally, only. asp is available, and all others can be deleted, as shown in figure 7.
In IIS, select the uploadface attribute and set the execution license to none. You also need to set the uploadfile and previewimage directories. If you want, you can set the executable permissions for all directories except the INC directory to none.
Now, the trojan check work has come to an end. Let's summarize the methods.
1. When the website structure is clear, the view directory method can quickly determine the Trojan Horse, the files that appear where the trojan should not appear, and whether the Trojan horse or not can be deleted.
2. Time Comparison Method: Remember the time when you last updated the file. The executable script generated after this time must be faulty. However, note that the database update time is always the latest, do not delete it by mistake.
3. In comparison, this method is not described in detail above. In fact, a complete backup is retained locally. If necessary, use the comparison function of the FTP tool for comparison.
4. Keyword Search: Search for files based on the keywords provided by me. You can determine the Trojan horse.
To put it bluntly, the defense is better than to kill, often pay attention to the dynamic network official forum http://bbs.dvbbs.net, in a timely manner to add the latest dingtalk, as much as possible or less security plug-in, is to ensure the normal operation of your forum the Second Law.
Haikou mobile network pioneer Network Technology Co., Ltd.
2004-5-26
NetizensSigporssonNote: If a trojan is found, you should modify all types of accounts with administrative permissions after processing. Including Forum accounts, database accounts, server operating system accounts, FTP accounts, etc ~
NetizensNetguestSupplement: If your forum contains code similar to <IFRAME src = "http: // www .????. Com "> </iframe> it is estimated that it may be a malicious connection. Search for IFRAME Src in the keyword.
You are welcome to continue to provide additional instructions.