Home > Others

Ntiiframe.vbs is used to bulk purge malicious code that is added to a file _vbs

Source: Internet
Author: User
Tags xpath
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Antiiframe.vbs

#该脚本是批量挂马程序的逆向, for bulk purging of malicious code that is added to a file. Notepad opens the file to modify the pattern parameter to specify the name of the file to be processed, separated by the file name (also supports a VBS regular expression). Because you want to modify the file, use caution (preferably back up the file first)
#用法: CScript antiiframe.vbs [Processed path] [file with purged content]
#例子: CScript antiiframe.vbs d:\Web d:\lake2.txt
Copy Code code as follows:

'-----------------------
' Anti-iframe in VBS
' Author:lake2 (http://lake2.0x54.org)
' Date:2007-2-27
' version:1.1
'-----------------------

'--------Config Start--------------
' Configure the filename to be processed, use the VBS regular expression, or use the (INDEX.ASP|INDEX.HTM|INDEX.HTML) enumeration format
Pattern = "^.+\." (htm|html|asp|aspx|php) $ "
'--------Config End--------------


Call Showinfo ()
If WScript.Arguments.Count = 2 Then
If Right (WScript.Arguments.Item (0), 1) = "\" Then
If Len (WScript.Arguments.Item (0)) >3 Then
Thepath = Mid (WScript.Arguments.Item (0), 1,len (WScript.Arguments.Item (0))-1)
Else
Thepath = WScript.Arguments.Item (0)
End If
Else
Thepath = WScript.Arguments.Item (0)
End If
Call Checkarg (Thepath)
WScript.Echo "Start cleanup, please wait ..."
Call Showallfile (Thepath)
WScript.Echo vbCrLf & "Clean and complete!" "& vbCrLf
Else
Call ShowHelp ()
End If

Sub Showinfo ()
Helpstr = helpstr & "==============================" & vbCrLf
Helpstr = helpstr & "===== Welcome to use customer Map ASP Webmaster Security Assistant VBS version =====" & vbCrLf
Helpstr = helpstr & "===== anti-batch horse =====" & vbCrLf
Helpstr = helpstr & "===== author:lake2 =====" & vbCrLf
Helpstr = helpstr & "===== email:lake2@mail.csdn.net =====" & vbCrLf
Helpstr = helpstr & "===== Welcome to Www.0x54.org for more information =====" & vbCrLf
Helpstr = helpstr & "==============================" & vbCrLf
Helpstr = Helpstr & vbCrLf
WScript.Echo Helpstr
End Sub

Sub ShowHelp ()
Helpstr = helpstr & "#用法: CScript antiiframe.vbs [processed paths] [files containing purged content]" & vbCrLf
Helpstr = helpstr & "#例子: CScript antiiframe.vbs d:\Web d:\lake2.txt" & vbCrLf
Helpstr = Helpstr & vbCrLf
WScript.Echo Helpstr
End Sub

Sub Checkarg (ARG)
Tmppath = arg
Set objFSO = WScript.CreateObject ("Scripting.FileSystemObject")
If not Objfso.fileexists (WScript.Arguments.Item (1)) Then
WScript.Echo "Error: Config file not found" "& WScript.Arguments.Item (1) &" "! "
Wscript.Quit
ElseIf not objfso.folderexists (Tmppath) Then
WScript.Echo "Error: Wrong Path" "& Tmppath &" "! "
Wscript.Quit
End If
Set objFSO = Nothing
End Sub

' Traversal processes all files of path and its subdirectories
Sub Showallfile (Path)
Set FSO = CreateObject ("Scripting.FileSystemObject")
Set g = FSO. GetFile (WScript.Arguments.Item (1))
If g.size > 0 Then
Set ts2 = G.openastextstream (1,-2)
Filecon = ts2. ReadAll
Rst. Close
Set ts2 = Nothing
Else
WScript.Echo "Error: Profile" & WScript.Arguments.Item (1) & "size is 0!" "
Wscript.Quit
End If
Set g = Nothing
Set f = FSO. GetFolder (Path)
Set FC2 = F.files
On Error Resume Next
For each myfile in FC2
If ERR Then wscript.echo "Insufficient permissions, cannot check directory" &thepath:exit Sub
Set regEx = New RegExp
Regex.ignorecase = True
Regex.global = True
Regex.pattern = Pattern
If regex.test (myfile.name) Then
Checkfile path& "\" &myfile.name, Filecon
End If
Set regEx = Nothing
Next
Set FC = F.subfolders
For each F1 in FC
Showallfile path& "\" &f1.name
Next
Set FSO = Nothing
End Sub

Sub checkfile (filepath, Filecon2)
Xset = Getcharset (filepath)
Set Tstream = CreateObject ("ADODB. Stream ")
Tstream.type = 1
Tstream.mode = 3
Tstream.open
Tstream.position=0
Tstream.loadfromfile FilePath
If Err Then Exit Sub End If
Tstream.type = 2
Tstream.charset = Xset
Do Until Tstream.eos
Filecon = Filecon & LCase (Tstream.readtext (102400))
Loop
Tstream.close ()
Set Tstream = Nothing
If InStr (Filecon, Filecon2) > 0 Then
Filecon = Replace (Filecon, Filecon2, "")
Set Tstream = CreateObject ("ADODB. Stream ")
Tstream.type = 2
Tstream.mode = 3
Tstream.charset = Xset
Tstream.open
Tstream.position=0
Tstream.writetext Filecon
Tstream.savetofile filepath, 2
Tstream.close ()
Set Tstream = Nothing
WScript.Echo "The file has been repaired:" &filepath& ... "
End If
End Sub

Function Getcharset (XPath)
Set Tstream = CreateObject ("ADODB. Stream ")
Tstream.type = 1
Tstream.mode = 3
Tstream.open
tstream.position = 0
Tstream.loadfromfile XPath
Byte1 = AscB (Tstream.read (1))
Byte2 = AscB (Tstream.read (1))
Byte3 = AscB (Tstream.read (1))
Tstream.close ()
Set Tstream = Nothing
If byte1=239 and byte2=187 and byte3=191 Then
Getcharset = "UTF-8"
Else
Getcharset = "GB2312"
End If
End Function

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
what protocol is used to send email protocol is used to send email how to know dns server is used how to find out what dns server is used what is php code used for how to tell what dns server is used program is used to create android virtual device

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More