Program for online scanning and detection of Trojans and backdoors on ASP sites

Source: Internet
Author: User

The code is as follows:

<%@ LANGUAGE="VBSCRIPT" CODEPAGE="936" %>
<%
'Set the login password. Make sure to change this password before use.
PASSWORD = "www.pifoo.com"

'Other scan settings
DimFileExt = "asp,cer,asa,cdx" 'Comma-separated list of file extensions. Files not in this list are not scanned
Maxfilesize = 51200 '50 KB (51200 bytes). Larger files (unlikely to be a Trojan) are not scanned
Timeout = 100 'Script timeout in seconds. If the scan runs longer than this, the script is terminated

'Jspadmin @ asp. web. csdn = dumb dog = Apsara Stack was modified
'To get the latest modified version, see http://www.pifoo.com
'Qq: 33323489 Email: subaoliang@etang.com Guestbook: http://www.pifoo.com/lyb

Dim Report
If Request.QueryString("act") = "login" Then
    If Request.Form("pifoo") = PASSWORD Then Session("pifoo") = "#) \ 'www .pifoo.com"
End If
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>ASP Trojan and backdoor detector</title>
</head>

<body>
<% If Session("pifoo") <> "#) \ 'www .pifoo.com" Then %>
<form name="form1" method="post" action="?act=login">
<div align="center">Password:
<input name="pifoo" type="password" size="15">
<input type="submit" name="Submit" value="Submit">
</div>
</form>
<%
Else
    If Request.QueryString("act") <> "scan" Then
%>
<form action="?act=scan" method="post">
<b>Enter the path you want to check:</b>
<input name="path" type="text" style="border:1px solid #999" value="." size="30" />
<br>
* Enter a path relative to the website root directory. "\" checks the entire website; "." checks the directory where this program is located.
<br>
<br>
<input type="submit" value="Start scanning" style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" />
</form>
<%
    Else
        Server.ScriptTimeout = Timeout
        Sun = 0        'Number of suspicious findings
        SumFiles = 0
        SumFolders = 1
        If Request.Form("path") = "" Then
            Response.Write("no signs of intrusion found.")
            Response.End()
        End If
        timer1 = Timer
        'Resolve the submitted path relative to the website root
        If Request.Form("path") = "\" Then
            TmpPath = Server.MapPath("\")
        ElseIf Request.Form("path") = "." Then
            TmpPath = Server.MapPath(".")
        Else
            TmpPath = Server.MapPath("\") & "\" & Request.Form("path")
        End If
        Call ShowAllFile(TmpPath)
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="CContent">
<tr>
<th>ASP Trojan, backdoor, and vulnerability scanning</th>
</tr>
<tr>
<td class="CPanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<div id="updateInfo" style="background:#ffffe1;border:1px solid #89441f;padding:4px;display:none"></div>
Scan completed! Checked a total of <font color="#FF0000"><%= SumFolders %></font> folders and <font color="#FF0000"><%= SumFiles %></font> files; found <font color="#FF0000"><%= Sun %></font> suspicious items.
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="top">
<table width="100%" border="1" cellpadding="0" cellspacing="0" style="padding:5px;line-height:170%;clear:both;font-size:12px">
<tr>
<td width="20%">Relative file path</td>
<td width="20%">Signature</td>
<td width="40%">Description</td>
<td width="20%">Creation/modification time</td>
</tr>
<p>
<%= Report %>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>

<%
        timer2 = Timer
        'Elapsed time in milliseconds, rounded to one decimal place
        thetime = CStr(Int(((timer2 - timer1) * 10000) + 0.5) / 10)
        Response.Write "<br><font size=""2"">This page took " & thetime & " milliseconds to execute</font>"
    End If
End If
%>

<hr>
<div align="center"><br>
Modified by <a href="http://www.pifoo.com" target="_blank">jspadmin</a> at 2006.07.07
</div>
</body>
</html>

<%
'Traverse the path and its subdirectories and process every file
Sub ShowAllFile(Path)
    Set FSO = CreateObject("Scripting.FileSystemObject")
    If Not FSO.FolderExists(Path) Then Exit Sub
    Set f = FSO.GetFolder(Path)
    Set fc2 = f.Files
    For Each myfile In fc2
        'Scan only files with a listed extension that are within the size limit
        If CheckExt(FSO.GetExtensionName(Path & "\" & myfile.Name)) And (myfile.Size <= Maxfilesize) Then
            Call ScanFile(Path & "\" & myfile.Name, "")
            SumFiles = SumFiles + 1
        End If
    Next
    Set fc = f.SubFolders
    For Each f1 In fc
        ShowAllFile Path & "\" & f1.Name
        SumFolders = SumFolders + 1
    Next
    Set FSO = Nothing
End Sub

'Scan one file
Sub ScanFile(FilePath, InFile)
    'InFile is the file that includes FilePath (empty for a file found by traversal)
    If InFile <> "" Then
        Infiles = "This file is included and executed by <a href=""http://" & Request.ServerVariables("server_name") & "\" & InFile & """ target=_blank>" & InFile & "</a>"
    End If
    Set FSOs = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    Set ofile = FSOs.OpenTextFile(FilePath)
    filetxt = LCase(ofile.ReadAll())
    If Err Then Exit Sub
    If Len(filetxt) > 0 Then
        'Signature check
        temp = "<a href=""http://" & Request.ServerVariables("server_name") & "\" & Replace(FilePath, Server.MapPath("\") & "\", "", 1, 1) & """ target=_blank>" & Replace(FilePath, Server.MapPath("\") & "\", "", 1, 1) & "</a>"
        'DoMyBest is never assigned, so it is an empty string; the literals are
        'presumably split this way so the scanner does not match its own source
        'Check "WScr" & DoMyBest & "ipt.Shell"
        If InStr(filetxt, LCase("WScr" & DoMyBest & "ipt.Shell")) Or InStr(filetxt, LCase("clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8")) Then
            Report = Report & "<tr><td>" & temp & "</td><td>WScr" & DoMyBest & "ipt.Shell or clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8</td><td>Dangerous component, generally used by ASP Trojans. " & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        'Check "She" & DoMyBest & "ll.Application"
        If InStr(filetxt, LCase("She" & DoMyBest & "ll.Application")) Or InStr(filetxt, LCase("clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000")) Then
            Report = Report & "<tr><td>" & temp & "</td><td>She" & DoMyBest & "ll.Application or clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000</td><td>Dangerous component, generally used by ASP Trojans. " & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        'Check .Encode
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "@\s*LANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>(vbscript|jscript|javascript).Encode</td><td>The script is encrypted. ASP files are generally not encrypted. " & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        'Check for the Ev" & "al backdoor
        regEx.Pattern = "\bEv" & "al\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Ev" & "al</td><td>The e" & "val() function can execute arbitrary ASP code and is exploited by some backdoors. Its form is: ev" & "al(X)<br>It can also appear in JavaScript code, so this may be a false positive. " & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        'Check for the exe" & "cute backdoor
        regEx.Pattern = "[^.]\bExe" & "cute\b"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Exec" & "ute</td><td>The e" & "xecute() function can execute arbitrary ASP code and is exploited by some backdoors. Its form is: ex" & "ecute(X).<br>" & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        Set regEx = Nothing

        'Check included files (#include file)
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
        Set Matches = regEx.Execute(filetxt)
        For Each Match In Matches
            'Extract the quoted path and convert "/" to "\"
            tFile = Replace(Mid(Match.Value, InStr(Match.Value, """") + 1, Len(Match.Value) - InStr(Match.Value, """") - 1), "/", "\")
            'Included files whose extension is not in the scan list are scanned here
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tFile, Replace(FilePath, Server.MapPath("\") & "\", "", 1, 1))
                SumFiles = SumFiles + 1
            End If
        Next
        Set Matches = Nothing
        Set regEx = Nothing

        'Check files included by virtual path (#include virtual)
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "<!--\s*#include\s*virtual\s*=\s*"".*"""
        Set Matches = regEx.Execute(filetxt)
        For Each Match In Matches
            tFile = Replace(Mid(Match.Value, InStr(Match.Value, """") + 1, Len(Match.Value) - InStr(Match.Value, """") - 1), "/", "\")
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                'Virtual paths are resolved from the website root
                Call ScanFile(Server.MapPath("\") & "\" & tFile, Replace(FilePath, Server.MapPath("\") & "\", "", 1, 1))
                SumFiles = SumFiles + 1
            End If
        Next
        Set Matches = Nothing
        Set regEx = Nothing

        'Check special commands: Server&.Execute|Transfer with a quoted file name
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "Server.(Exec" & "ute|Transfer)([ \t]*|\()"".*"""
        Set Matches = regEx.Execute(filetxt)
        For Each Match In Matches
            tFile = Replace(Mid(Match.Value, InStr(Match.Value, """") + 1, Len(Match.Value) - InStr(Match.Value, """") - 1), "/", "\")
            If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tFile, Replace(FilePath, Server.MapPath("\") & "\", "", 1, 1))
                SumFiles = SumFiles + 1
            End If
        Next
        Set Matches = Nothing
        Set regEx = Nothing

        'Check Server&.Execute|Transfer whose argument is not a quoted file name
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "Server.(Exec" & "ute|Transfer)([ \t]*|\()[^""]\)"
        If regEx.Test(filetxt) Then
            Report = Report & "<tr><td>" & temp & "</td><td>Server.Exec" & "ute</td><td>The file run by the Server.e" & "xecute() function cannot be traced and checked. Ask the administrator to check it.<br>" & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
            Sun = Sun + 1
        End If
        Set Matches = Nothing
        Set regEx = Nothing

        'Check the Crea" & "teObject command
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "CreateO" & "bject[ |\t]*\(.*\)"
        Set Matches = regEx.Execute(filetxt)
        For Each Match In Matches
            'Flag calls whose argument is concatenated (& or +), is not a quoted literal, or contains a nested "("
            If InStr(Match.Value, "&") Or InStr(Match.Value, "+") Or InStr(Match.Value, """") = 0 Or InStr(Match.Value, "(") <> InStrRev(Match.Value, "(") Then
                Report = Report & "<tr><td>" & temp & "</td><td>Creat" & "eObject</td><td>The Crea" & "teObject function is called in a disguised form; review carefully. " & Infiles & "</td><td>" & GetDatecreate(FilePath) & "<br>" & GetDatemodify(FilePath) & "</td></tr>"
                Sun = Sun + 1
                Exit Sub
            End If
        Next
        Set Matches = Nothing
        Set regEx = Nothing
    End If
    Set ofile = Nothing
    Set FSOs = Nothing
End Sub

'Check the file extension. Returns True if it matches the predefined list.
Function CheckExt(FileExt)
    If DimFileExt = "*" Then CheckExt = True
    Ext = Split(DimFileExt, ",")
    For i = 0 To UBound(Ext)
        'Trim so that a list written with spaces after the commas still matches
        If LCase(FileExt) = LCase(Trim(Ext(i))) Then
            CheckExt = True
            Exit Function
        End If
    Next
End Function

'Return the last-modified time of a file
Function GetDatemodify(filepath)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(filepath)
    s = f.DateLastModified
    Set f = Nothing
    Set fso = Nothing
    GetDatemodify = s
End Function

'Return the creation time of a file
Function GetDatecreate(filepath)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFile(filepath)
    s = f.DateCreated
    Set f = Nothing
    Set fso = Nothing
    GetDatecreate = s
End Function

%>

[ASP Trojan detector] - Program for online scanning and detection of Trojans and backdoors on ASP sites

It scans all ASP program code on the site online and checks whether the code contains anything dangerous.

Currently, the detected signatures include CreateObject, Execute, Shell.Application, WScript.Shell, Eval, and include.
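The same signature checks can be run offline against a copy of the web root, so that no scanner page has to stay on the live server. The Python below is an added example, not the original author's code: the patterns are adapted from the ASP script above, while the function names, the dictionary of sample files and their contents are constructed for illustration.

```python
import os
import re

# Signatures adapted from the ASP ScanFile checks; text is lowercased first.
SIGNATURES = [
    ("WScript.Shell", r"wscript\.shell|clsid:72c24dd5-d70a-438b-8a42-98424b88afb8"),
    ("Shell.Application", r"shell\.application|clsid:13709620-c279-11ce-a49e-444553540000"),
    ("Script.Encode", r'@\s*language\s*=\s*"?\s*(vbscript|jscript|javascript)\.encode\b'),
    ("Eval", r"\beval\b"),
    ("Execute", r"[^.]\bexecute\b"),  # [^.] skips method calls such as conn.Execute
]
CREATEOBJECT = re.compile(r"createobject[ \t]*\(.*\)")

def createobject_obfuscated(call):
    """ProgID concatenated, not a quoted literal, or wrapped in a nested call."""
    return ("&" in call or "+" in call or '"' not in call
            or call.find("(") != call.rfind("("))

def scan_text(text):
    """Return the sorted signature names found in one file's text."""
    low = text.lower()
    hits = {name for name, rx in SIGNATURES if re.search(rx, low)}
    if any(createobject_obfuscated(m.group(0)) for m in CREATEOBJECT.finditer(low)):
        hits.add("CreateObject (obfuscated)")
    return sorted(hits)

def scan_tree(root, exts=("asp", "cer", "asa", "cdx"), max_size=51200):
    """Scan an offline copy of the web root; return {relative path: hits}."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            ext = name.rsplit(".", 1)[-1].lower()
            if ext not in exts or os.path.getsize(path) > max_size:
                continue
            with open(path, encoding="latin-1") as fh:  # latin-1 decodes any byte
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed sample file contents (not taken from any real site).
SAMPLES = {
    "plain_db.asp": '<% Set conn = Server.CreateObject("ADODB.Connection") %>',
    "split_progid.asp": '<% Set o = CreateObject("WScr" & "ipt.Shell") %>',
    "menu.asp": '<script>var n = eval("(" + json + ")");</script>',
    "conn_exec.asp": "<% Set rs = conn.Execute(sql) %>",
    "dyn.asp": "<% Execute(buildCode()) %>",
}
```

On the samples, the split ProgID evades the plain WScript.Shell substring check and is caught only by the CreateObject heuristic, while the JavaScript call in `menu.asp` is the false positive the report text warns about.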

This version improves the program by adding a customizable extension list, a scan file size limit, a scan timeout limit, and modified session verification ......

Open the original code to view details.

After use, delete it promptly, or at least change the login password. (Although this program does not directly provide a way to open files online, it may still be used by hackers.)

The next version is planned to add detection of iframe patterns. At present, too many websites are infected with iframes. Of course, that is only the symptom; the root cause is a vulnerability in the program or elsewhere.

Click here to download the asp Trojan detector. [Note: Both the unzipping password and the default logon password are www.pifoo.com]

Original Author: leike Diagram
Jspadmin = a stupid dog = Apsara Stack was modified to 2006.07.07
