Reiche Figure Webmaster Security Assistant VBS version Code (ASP Trojan find) _vbs

Both scripts are used at the command line.


Antiiframe.vbs





# This script is the reverse of a bulk page-infection tool: it bulk-purges malicious code that has been added to files. Open the script in Notepad and edit the Pattern parameter to specify the names of the files to be processed; multiple names are separated inside the pattern, and a VBS regular expression is also supported. Because the script modifies files, use it with caution (preferably back up the files first).


# Usage: CScript antiiframe.vbs [path to process] [file containing the content to purge]


# Example: CScript antiiframe.vbs d:\Web d:\lake2.txt


----------------------------


Scan.vbs





# This script scans a local directory for ASP Trojans (webshells); it is much faster than the ASP version. The checks are pattern matches, so there may be false positives and other inaccurate reports; handle each finding according to the specific circumstances.


# Usage: CScript scan.vbs [path to scan] [path of the result .htm file]


# Example: CScript scan.vbs d:\Web f:\my\report.html





Scan.vbs





'-----------------------


' Scan ASP Webshell in VBS


' Author:lake2 (http://lake2.0x54.org)


' Date:2007-7-29


' version:1.1


'-----------------------





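' ---- Script entry point ----------------------------------------------
' Extensions to scan, comma separated ("*" scans every file). Written in
' lower case because Checkext lower-cases the candidate extension before
' comparing it with these entries.
DimFileExt = "asp,cer,asa,cdx"

' Report     - HTML table rows, one per finding (appended by Scanfile)
' Report2    - the complete HTML document written out by WriteToFile
' Sun        - number of suspicious findings
' SumFiles   - number of files scanned
' SumFolders - number of folders visited (the start folder counts as 1)
Dim Report, Report2, Sun, SumFiles, SumFolders

Call Showinfo ()

If WScript.Arguments.Count = 2 Then
    Sun = 0
    SumFiles = 0
    SumFolders = 1

    ' Normalise the scan root: drop one trailing backslash so that the
    ' path & "\" & name concatenations used later do not double it.
    If Right(WScript.Arguments.Item(0), 1) = "\" Then
        ThePath = Mid(WScript.Arguments.Item(0), 1, Len(WScript.Arguments.Item(0)) - 1)
    Else
        ThePath = WScript.Arguments.Item(0)
    End If

    ' Checkarg quits the script when either path argument is unusable.
    Call Checkarg(ThePath)

    WScript.Echo "Start scanning, please wait ..."
    WScript.Sleep (1000)
    StartTime = Now()
    Call Showallfile(ThePath)
    EndTime = Now()
    WScript.Echo vbCrLf & "Scan complete!" & vbCrLf

    ' Assemble the HTML report: header, summary counters, findings table.
    Report2 = Report2 & "<html><head><title> Reiche diagram ASP Webmaster Security Assistant VBS version Scan report </title>"
    Report2 = Report2 & "<meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312""></head>"
    Report2 = Report2 & "<body><b><font size=4> Reiche map ASP Webmaster Security Assistant VBS Edition SCAN report </font></b><br><br>"
    Report2 = Report2 & "<font size=2> start Time:" & StartTime & "</font><br>"
    Report2 = Report2 & "<font size=2> end Time:" & EndTime & "</font><br>"
    Report2 = Report2 & "<font size=2> scan complete! Check the folder <font color=""#FF0000"">" & SumFolders & "</font>, File <font color=""#FF0000"">" & SumFiles & "</font>, found suspicious point <font color=""#FF0000"">" & Sun & "</font> (<font color=""#FF0000""> Red letter </font> displayed for serious suspicious) </font><br/>"
    Report2 = Report2 & "<table width=""100%"" border=""1"" bordercolor=""Blue"" style=""Padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
    Report2 = Report2 & "<tr>"
    Report2 = Report2 & "<td width=""20%""> File path </td>"
    Report2 = Report2 & "<td width=""20%""> Signature </td>"
    Report2 = Report2 & "<td width=""40%""> Description </td>"
    Report2 = Report2 & "<td width=""20%""> Create/Modify Time </td>"
    Report2 = Report2 & "</tr>"
    Report2 = Report2 & "<p>"
    Report2 = Report2 & Report
    Report2 = Report2 & "</p>"
    ' The listing closed the table with
    '   <script src=http://www.0x54.org/announce.js></script>
    ' That tag is deliberately left out: the report lists server file
    ' paths and is opened locally by an administrator, and a script
    ' fetched over plain HTTP from a third-party host would run in that
    ' page with whatever content the host (or anyone on the network path)
    ' serves at the time. The report needs no script to render.
    Report2 = Report2 & "</table><hr>"
    Report2 = Report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank> 0x54.org</a></div>"
    Report2 = Report2 & "</body></html>"

    Call WriteToFile ()
Else
    Call ShowHelp ()
End If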





Sub Showinfo ()
    ' Print the start-up banner (tool name, author and contact details)
    ' to the console.
    Dim bannerLines
    bannerLines = Array( _
        "==============================", _
        "===== Welcome to use customer Map ASP Webmaster Security Assistant VBS version =====", _
        "===== Check ASP Trojan =====", _
        "===== author:lake2 =====", _
        "===== email:lake2@mail.csdn.net =====", _
        "===== Welcome to Www.0x54.org for more information =====", _
        "==============================")
    ' Each banner line is terminated by CRLF and one empty line follows.
    WScript.Echo Join(bannerLines, vbCrLf) & vbCrLf & vbCrLf
End Sub





Sub ShowHelp ()
    ' Print the usage line and an example invocation; the entry point
    ' calls this when the script is not given exactly two arguments.
    Dim usageLines
    usageLines = Array( _
        "#用法: CScript scan.vbs [Scan path] [result htm file path]", _
        "#例子: CScript scan.vbs d:\Web f:\my\report.html")
    ' Each line is terminated by CRLF and one empty line follows.
    WScript.Echo Join(usageLines, vbCrLf) & vbCrLf & vbCrLf
End Sub





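Sub Checkarg (ARG)
    ' Validate both command-line paths before any scanning starts.
    '   ARG - the folder to scan (first argument, trailing "\" removed).
    ' The folder part of the report path (second argument) must exist as
    ' well, because the report file is created inside it. On failure an
    ' error line is printed and the script quits with exit code 1.
    Dim objFSO, scanPath, reportPath, reportDir, sepPos

    scanPath = ARG
    reportPath = WScript.Arguments.Item(1)

    ' Left(path, InStrRev(path, "\") - 1) raises a runtime error when the
    ' report path holds no backslash (a bare file name), so the three
    ' cases are handled separately.
    sepPos = InStrRev(reportPath, "\")
    If sepPos > 1 Then
        reportDir = Left(reportPath, sepPos - 1)
    ElseIf sepPos = 1 Then
        reportDir = "\"      ' file directly under the drive root
    Else
        reportDir = "."      ' bare file name: current directory
    End If

    Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
    If Not objFSO.FolderExists(reportDir) Then
        WScript.Echo "Error: Wrong Path """ & reportDir & """! "
        ' Non-zero exit code so a calling batch file can detect failure.
        WScript.Quit 1
    ElseIf Not objFSO.FolderExists(scanPath) Then
        WScript.Echo "Error: Wrong Path """ & scanPath & """! "
        WScript.Quit 1
    End If
    Set objFSO = Nothing
End Sub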





' Traversal processes all files of path and its subdirectories


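Sub Showallfile (Path)
    ' Walk Path recursively. Every file whose extension Checkext accepts
    ' is passed to Scanfile; SumFiles and SumFolders (script-level
    ' counters) are updated as files are scanned and folders entered.
    ' NOTE(review): sub-folders are followed unconditionally; if the tree
    ' contains junctions or symbolic links the walk may leave the chosen
    ' root or revisit folders - confirm for the server being scanned.
    Dim fso, folder, file, subFolder, fullName

    WScript.Echo "Checking Catalog" & Path

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set folder = fso.GetFolder(Path)

    For Each file In folder.Files
        fullName = Path & "\" & file.Name
        If Checkext(fso.GetExtensionName(fullName)) Then
            ' The second argument is empty: this file was reached by the
            ' directory walk, not through an include in another file.
            Call Scanfile(fullName, "")
            SumFiles = SumFiles + 1
        End If
    Next

    For Each subFolder In folder.SubFolders
        Showallfile Path & "\" & subFolder.Name
        SumFolders = SumFolders + 1
    Next

    Set folder = Nothing
    Set fso = Nothing
End Sub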





' Check the file suffix and return True if the match is scheduled


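Function Checkext (Fileext)
    ' Return True when Fileext (an extension without the dot) is in the
    ' script-level list DimFileExt, or when that list is "*".
    ' Both sides are lower-cased before comparing: the listing compared
    ' LCase(Fileext) with the raw list entries, so an upper-case list such
    ' as "ASP,CER,ASA,CDX" never matched and no file would be scanned.
    Dim wanted, allowed, i

    Checkext = False
    If DimFileExt = "*" Then
        Checkext = True
        Exit Function
    End If

    wanted = LCase(Fileext)
    allowed = Split(LCase(DimFileExt), ",")
    For i = 0 To UBound(allowed)
        ' Trim tolerates a list written as "asp, cer".
        If wanted = Trim(allowed(i)) Then
            Checkext = True
            Exit Function
        End If
    Next
End Function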





' Test file


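' Paths whose scan is currently in progress. Scanfile follows #include,
' Server.Execute/Transfer and <script runat=server src=...> references
' recursively, so without this guard two files that reference each other
' (or one that references itself) would recurse until the script runs
' out of stack, letting a single planted file abort the whole scan.
Dim ScanfileInProgress

Sub Scanfile (FilePath, InFile)
    ' Scan one file for webshell indicators and append a table row to the
    ' script-level Report string for every indicator found.
    '   FilePath - file to scan
    '   InFile   - "" when the file came from the directory walk, otherwise
    '              the path of the file that includes/executes FilePath
    ' All checks are substring or regular-expression matches on the
    ' lower-cased file text; a hit is a lead for manual review.
    Dim guardFso, guardKey

    If IsEmpty(ScanfileInProgress) Then
        Set ScanfileInProgress = CreateObject("Scripting.Dictionary")
    End If

    ' Normalise the key so that "dir\..\dir\a.inc" and "dir\a.inc" are
    ' recognised as the same file.
    Set guardFso = CreateObject("Scripting.FileSystemObject")
    guardKey = LCase(guardFso.GetAbsolutePathName(FilePath))
    Set guardFso = Nothing

    If ScanfileInProgress.Exists(guardKey) Then Exit Sub
    ScanfileInProgress.Add guardKey, True
    ScanfileInspect FilePath, InFile
    ScanfileInProgress.Remove guardKey
End Sub

' Minimal HTML escaping for values placed into the report.
Function ScanfileHtmlEncode (text)
    Dim s
    s = Replace(text, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    ScanfileHtmlEncode = s
End Function

' Append one finding row to Report and count it in Sun (both script-level).
Sub ScanfileAddRow (filePath, signatureHtml, descriptionHtml)
    Report = Report & "<tr><td>" & ScanfileHtmlEncode(filePath) & "</td><td>" & signatureHtml & "</td><td>" & descriptionHtml & "</td><td>" & getdatecreate(filePath) & "<br>" & getdatemodify(filePath) & "</td></tr>"
    Sun = Sun + 1
End Sub

' Read FilePath, run every check on its text and follow its references.
' Reconstructed from a listing whose string literals and regular
' expressions were damaged by machine translation (stray spaces, altered
' case, misplaced quotes); compare the patterns with the author's archive
' before relying on them.
Sub ScanfileInspect (FilePath, InFile)
    Dim infiles, tStream, filetxt, fsos, regEx, xregEx, matches, xMatches, match
    Dim tFile, baseDir, tmpLake2, srcSeek, srcSeek2, tmp, tmpName, i

    If InFile <> "" Then
        infiles = "<font color=red> this file is" & ScanfileHtmlEncode(InFile) & "file contains execution </font>"
    End If

    ' From here on errors are skipped rather than raised, so a locked or
    ' unreadable file cannot stop the whole scan.
    On Error Resume Next

    ' Load the file as binary, then reinterpret it as GB2312 text.
    ' NOTE(review): the charset is fixed; files in other encodings are
    ' still searched, with NUL bytes stripped below.
    Set tStream = WScript.CreateObject("ADODB.Stream")
    tStream.Type = 1
    tStream.Mode = 3
    tStream.Open
    tStream.Position = 0
    tStream.LoadFromFile FilePath
    If Err.Number <> 0 Then
        ' The listing left the stream open on this path.
        Err.Clear
        tStream.Close
        Set tStream = Nothing
        Exit Sub
    End If
    tStream.Type = 2
    tStream.Charset = "GB2312"
    Do Until tStream.EOS
        filetxt = filetxt & LCase(Replace(tStream.ReadText(102400), Chr(0), ""))
    Loop
    tStream.Close
    Set tStream = Nothing

    Set fsos = WScript.CreateObject("Scripting.FileSystemObject")
    ' Folder of the scanned file (with trailing "\"); referenced files are
    ' resolved relative to it, including "virtual" includes.
    baseDir = Mid(FilePath, 1, InStrRev(FilePath, "\"))

    If Len(filetxt) > 0 Then
        ' One leading line break lets the "[^.]" prefix in the Execute
        ' pattern match a keyword at the very start of the file.
        filetxt = vbCrLf & filetxt

        ' DoMyBest is not assigned anywhere in the visible listing, so it
        ' evaluates to an empty string; together with the "&" splits it
        ' keeps the literal signatures out of this script's own source.

        ' WScript.Shell by ProgID or CLSID
        If InStr(filetxt, LCase("WScr" & DoMyBest & "ipt.Shell")) > 0 Or InStr(filetxt, LCase("clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8")) > 0 Then
            ScanfileAddRow FilePath, "WScr" & DoMyBest & "ipt.Shell or clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8", "<font color=red> Dangerous components, commonly used by ASP Trojans </font>" & infiles
        End If

        ' Shell.Application by ProgID or CLSID
        If InStr(filetxt, LCase("She" & DoMyBest & "ll.Application")) > 0 Or InStr(filetxt, LCase("clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000")) > 0 Then
            ScanfileAddRow FilePath, "She" & DoMyBest & "ll.Application or clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000", "<font color=red> dangerous components, commonly used by ASP Trojans </font>" & infiles
        End If

        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True

        ' Encoded script blocks (language=VBScript.Encode and friends)
        regEx.Pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, "(vbscript|jscript|javascript).Encode", "<font color=red> seems to be encrypted, the general ASP file is not encrypted </font>" & infiles
        End If

        ' Eval
        regEx.Pattern = "\bev" & "al\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, "ev" & "al", "e" & "val() function can execute arbitrary ASP code and be used by some backdoor. The format is generally: ev" & "al(X) <br> but also can be used in JavaScript code, possibly false positives." & infiles
        End If

        ' Execute / ExecuteGlobal not preceded by a dot. The page shows the
        ' group without "?", but the row text names both functions, so the
        ' suffix is treated as optional.
        regEx.Pattern = "[^.]\bexe" & "cute(global)?\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, "exec" & "ute() or exe" & "cuteglobal()", "<font color=red> the function can execute arbitrary ASP code, is used by some backdoor. The form is generally: ex" & "ecute(X) </font><br>" & infiles
        End If

        ' ScriptControl.ExecuteStatement
        regEx.Pattern = "\.Execu" & "teStatement\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Exec" & "uteStatement", "<font color=red> found MSScriptControl.ScriptControl.Execut" & "eStatement function </font><br>" & infiles
        End If

        ' FSO OpenTextFile / CreateTextFile
        regEx.Pattern = "\.(Open|Create)TextFile\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Crea" & "teTextFile|.O" & "penTextFile", " uses the FSO's CreateTextFile|OpenTextFile function Read-write file " & infiles
        End If

        ' Stream / JMail SaveToFile
        regEx.Pattern = "\.SaveT" & "oFile\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Sa" & "veToFile", " uses stream or JMail SaveToFile function to write file " & infiles
        End If

        ' .Save / .SaveAs
        regEx.Pattern = "\.Sa" & "ve(As)?\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Sa" & "ve or .Sa" & "veAs", " uses Save or SaveAs function to write file " & infiles
        End If

        ' Set xxx = Server (an alias can hide a later .Execute call)
        regEx.Pattern = "set\s*.*\s*=\s*server\s"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, "set xxx=se" & "rver", "<font color=red> found set xxx=ser" & "ver, ask the administrator to carefully check whether to call .execute</font><br>" & infiles
        End If

        ' Server.Execute / Server.Transfer with a non-literal argument:
        ' the target cannot be resolved here, so it is only reported.
        regEx.Pattern = "Server.(Ex" & "ecute|Transfer)([ \t]*|\()[^""]\)"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, "Server.Ex" & "ecute", "<font color=red> cannot track files that are executed by the Server.e" & "xecute() function. Please check with your administrator </font><br>" & infiles
        End If

        ' WScript.Shell .Run
        regEx.Pattern = "\.R" & "un\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Ru" & "n", "<font color=red> found the Run function of WScript </font><br>" & infiles
        End If

        ' WScript.Shell .Exec
        regEx.Pattern = "\.Ex" & "ec\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Ex" & "ec", "<font color=red> found WScript Exec function </font><br>" & infiles
        End If

        ' Shell.Application .ShellExecute
        regEx.Pattern = "\.Shel" & "lExecute\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".ShellE" & "xecute", "<font color=red> found application ShellExecute function </font><br>" & infiles
        End If

        ' .Create
        regEx.Pattern = "\.Cre" & "ate\b"
        If regEx.Test(filetxt) Then
            ScanfileAddRow FilePath, ".Crea" & "te", " discovery Create function <br>" & infiles
        End If

        ' ---- Follow <!-- #include file|virtual = ... --> ----------------
        ' Included files whose extension is already in the scan list are
        ' picked up by the directory walk; only the others are scanned
        ' here, with FilePath recorded as the including file.
        regEx.Pattern = "<!--\s*#include\s+(file|virtual)\s*=\s*.*-->"
        Set matches = regEx.Execute(filetxt)
        For Each match In matches
            ' Text after "=" up to the end of the match, "/" turned into "\".
            tFile = Replace(Trim(Mid(match.Value, InStr(match.Value, "=") + 1, Len(match.Value) - InStr(match.Value, "=") - 1)), "/", "\")
            If Left(tFile, 1) = "'" Then
                tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2)
            ElseIf Left(tFile, 1) = """" Then
                tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2)
            Else
                ' Unquoted name: it ends at the first blank or at the "-"
                ' of the closing "-->".
                tFile = Replace(tFile, Chr(9), " ")
                If InStr(tFile, " ") <> 0 Then
                    tFile = Left(tFile, InStr(tFile, " ") - 1)
                Else
                    tFile = Left(tFile, InStr(tFile, "-") - 1)
                End If
            End If
            If Not Checkext(fsos.GetExtensionName(tFile)) Then
                Call Scanfile(baseDir & tFile, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set matches = Nothing

        ' ---- Follow Server.Execute / Server.Transfer "literal" ----------
        regEx.Pattern = "Server.(Exec" & "ute|Transfer)([ \t]*|\()"".*?"""
        Set matches = regEx.Execute(filetxt)
        For Each match In matches
            ' Text between the first quote and the closing quote.
            tFile = Replace(Mid(match.Value, InStr(match.Value, """") + 1, Len(match.Value) - InStr(match.Value, """") - 1), "/", "\")
            If Not Checkext(fsos.GetExtensionName(tFile)) Then
                Call Scanfile(baseDir & tFile, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set matches = Nothing
        Set regEx = Nothing

        ' ---- Follow <script ... runat=server ... src=...> ---------------
        Set xregEx = New RegExp
        xregEx.IgnoreCase = True
        xregEx.Global = True
        xregEx.Pattern = "<scr" & "ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
        Set xMatches = xregEx.Execute(filetxt)
        For Each match In xMatches
            tmpLake2 = Mid(match.Value, 1, InStr(match.Value, ">"))
            srcSeek = InStr(1, tmpLake2, "src", 1)
            If srcSeek > 0 Then
                srcSeek2 = InStr(srcSeek, tmpLake2, "=")
                ' Skip up to 50 blank characters after "=". The listing
                ' compared the single character with vbCrLf, which can
                ' never be equal; CR and LF are tested separately.
                For i = 1 To 50
                    tmp = Mid(tmpLake2, srcSeek2 + i, 1)
                    If tmp <> " " And tmp <> Chr(9) And tmp <> vbCr And tmp <> vbLf Then
                        Exit For
                    End If
                Next
                If tmp = """" Then
                    tmpName = Mid(tmpLake2, srcSeek2 + i + 1, InStr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
                Else
                    ' Unquoted value: cut at the first blank, tab, line
                    ' break or ">".
                    If InStr(srcSeek2 + i + 1, tmpLake2, " ") > 0 Then
                        tmpName = Mid(tmpLake2, srcSeek2 + i, InStr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i)
                    Else
                        tmpName = tmpLake2
                    End If
                    If InStr(tmpName, Chr(9)) > 0 Then
                        tmpName = Mid(tmpName, 1, InStr(1, tmpName, Chr(9)) - 1)
                    End If
                    If InStr(tmpName, vbCrLf) > 0 Then
                        tmpName = Mid(tmpName, 1, InStr(1, tmpName, vbCrLf) - 1)
                    End If
                    If InStr(tmpName, ">") > 0 Then
                        tmpName = Mid(tmpName, 1, InStr(1, tmpName, ">") - 1)
                    End If
                End If
                Call Scanfile(baseDir & tmpName, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set xMatches = Nothing
        Set xregEx = Nothing
    End If

    Set fsos = Nothing
End Sub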





Function getdatemodify (filepath)
    ' Return the last-modified timestamp of the file at filepath.
    Dim fileSystem
    Set fileSystem = CreateObject("Scripting.FileSystemObject")
    getdatemodify = fileSystem.GetFile(filepath).DateLastModified
    Set fileSystem = Nothing
End Function





Function getdatecreate (filepath)
    ' Return the creation timestamp of the file at filepath.
    Dim fileSystem
    Set fileSystem = CreateObject("Scripting.FileSystemObject")
    getdatecreate = fileSystem.GetFile(filepath).DateCreated
    Set fileSystem = Nothing
End Function





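Sub WriteToFile ()
    ' Write the finished HTML report (script-level Report2) to the path
    ' given as the second command-line argument, then confirm on the
    ' console. OpenTextFile mode 2 with create=True means an existing
    ' file at that path is overwritten.
    Dim fso, theFile, reportPath

    reportPath = WScript.Arguments.Item(1)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set theFile = fso.OpenTextFile(reportPath, 2, True)
    theFile.Write Report2
    theFile.Close
    Set theFile = Nothing
    Set fso = Nothing

    ' The listing's message had its quotes displaced; the path is shown
    ' inside double quotes.
    WScript.Echo "Scan results have been written to file """ & reportPath & """, please check it! "
End Sub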








Because the code is long, it has been packaged for download so that everyone can study and use it: http://xiazai.jb51.net/200907/yuanma/vbs_aspmuma.rar