are used at the command line
Antiiframe.vbs
# This script is the inverse of a bulk page-injection ("挂马") tool: it removes, in bulk, malicious code that has been added to files. Open the script in Notepad and edit the Pattern parameter to specify the names of the files to process, with the file names separated by a delimiter (VBS regular expressions are also supported). Because the script modifies files, use it with caution (preferably back up the files first).
# Usage: CScript antiiframe.vbs [path to process] [file containing the content to purge]
# Example: CScript antiiframe.vbs d:\Web d:\lake2.txt
----------------------------
Scan.vbs
# This script scans a local directory for ASP trojans (webshells); it is much faster than the ASP version. It can produce false positives and missed detections, so each finding should be handled according to the specific circumstances.
# Usage: CScript scan.vbs [scan path] [result htm file path]
# Example: CScript scan.vbs d:\Web f:\my\report.html
Scan.vbs
'-----------------------
' Scan ASP Webshell in VBS
' Author:lake2 (http://lake2.0x54.org)
' Date:2007-7-29
' version:1.1
'-----------------------
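' Comma-separated, lower-case extensions of the files to scan; "*" scans every file.
DimFileExt = "asp,cer,asa,cdx"
' Report     - HTML table rows appended by ScanFile, one per finding
' Report2    - the complete HTML report written to the result file
' Sun        - number of suspicious points found
' SumFiles   - number of files checked
' SumFolders - number of folders checked (the start folder counts as 1)
Dim Report, Report2, Sun, SumFiles, SumFolders
Call ShowInfo()
If WScript.Arguments.Count = 2 Then
    Sun = 0
    SumFiles = 0
    SumFolders = 1
    ' Drop one trailing backslash so sub-paths can be joined with "\" later.
    If Right(WScript.Arguments.Item(0), 1) = "\" Then
        ThePath = Mid(WScript.Arguments.Item(0), 1, Len(WScript.Arguments.Item(0)) - 1)
    Else
        ThePath = WScript.Arguments.Item(0)
    End If
    Call CheckArg(ThePath)
    WScript.Echo "Start scanning, please wait ..."
    WScript.Sleep 1000
    StartTime = Now()
    Call ShowAllFile(ThePath)
    EndTime = Now()
    WScript.Echo vbCrLf & "Scan complete!" & vbCrLf
    Report2 = Report2 & "<html><head><title>Reiche diagram ASP Webmaster Security Assistant VBS version Scan report</title>"
    Report2 = Report2 & "<meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312""></head>"
    Report2 = Report2 & "<body><b><font size=4>Reiche map ASP Webmaster Security Assistant VBS Edition SCAN report</font></b><br><br>"
    Report2 = Report2 & "<font size=2>start Time:" & StartTime & "</font><br>"
    Report2 = Report2 & "<font size=2>end Time:" & EndTime & "</font><br>"
    Report2 = Report2 & "<font size=2>scan complete! Check the folder <font color=""#FF0000"">" & SumFolders & "</font>, File <font color=""#FF0000"">" & SumFiles & "</font>, found suspicious point <font color=""#FF0000"">" & Sun & "</font> (<font color=""#FF0000"">Red letter</font> displayed for serious suspicious)</font><br/>"
    Report2 = Report2 & "<table width=""100%"" border=""1"" bordercolor=""Blue"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
    Report2 = Report2 & "<tr>"
    Report2 = Report2 & "<td width=""20%"">File path</td>"
    Report2 = Report2 & "<td width=""20%"">Signature</td>"
    Report2 = Report2 & "<td width=""40%"">Description</td>"
    Report2 = Report2 & "<td width=""20%"">Create/Modify Time</td>"
    Report2 = Report2 & "</tr>"
    Report2 = Report2 & "<p>"
    ' Rows collected by ScanFile during the directory walk.
    Report2 = Report2 & Report
    Report2 = Report2 & "</p>"
    ' The listing's footer also loaded announce.js from www.0x54.org over plain
    ' HTTP. It is left out here: the report lists server paths and is opened
    ' locally, so it should not execute script fetched from a third-party host.
    Report2 = Report2 & "</table><hr>"
    Report2 = Report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank>0x54.org</a></div>"
    Report2 = Report2 & "</body></html>"
    Call WriteToFile()
Else
    Call ShowHelp()
End If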
Sub ShowInfo()
    ' Print the start-up banner to the console, followed by one blank line.
    Dim bannerLines
    bannerLines = Array( _
        "==============================", _
        "===== Welcome to use customer Map ASP Webmaster Security Assistant VBS version =====", _
        "===== Check ASP Trojan =====", _
        "===== author:lake2 =====", _
        "===== email:lake2@mail.csdn.net =====", _
        "===== Welcome to Www.0x54.org for more information =====", _
        "==============================")
    ' Every banner line ends with a line break; one more adds the blank line.
    WScript.Echo Join(bannerLines, vbCrLf) & vbCrLf & vbCrLf
End Sub
Sub ShowHelp()
    ' Print the usage line and an example invocation, followed by a blank line.
    Dim usageText
    usageText = "#用法: CScript scan.vbs [Scan path] [result htm file path]" & vbCrLf
    usageText = usageText & "#例子: CScript scan.vbs d:\Web f:\my\report.html" & vbCrLf
    WScript.Echo usageText & vbCrLf
End Sub
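Sub CheckArg(Arg)
    ' Validate both command-line paths before scanning starts.
    '   Arg - the folder to scan (already stripped of a trailing backslash).
    ' The folder that will hold the report (second argument) is checked first,
    ' then the scan folder. On the first path that does not exist an error is
    ' printed and the script quits.
    Dim reportPath, reportDir, lastSlash, objFSO
    reportPath = WScript.Arguments.Item(1)
    lastSlash = InStrRev(reportPath, "\")
    Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
    ' A bare file name (no backslash) means the current directory; the listing's
    ' Left(..., -1) raised a run-time error for that input.
    If lastSlash > 0 Then
        reportDir = Left(reportPath, lastSlash - 1)
        If Not objFSO.FolderExists(reportDir) Then
            WScript.Echo "Error: Wrong Path """ & reportDir & """!"
            WScript.Quit
        End If
    End If
    If Not objFSO.FolderExists(Arg) Then
        WScript.Echo "Error: Wrong Path """ & Arg & """!"
        WScript.Quit
    End If
    Set objFSO = Nothing
End Sub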
' Traversal processes all files of path and its subdirectories
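Sub ShowAllFile(Path)
    ' Walk Path recursively. Every file whose extension passes CheckExt is
    ' handed to ScanFile; the global counters SumFiles and SumFolders are
    ' incremented for each file scanned and each sub-folder visited.
    '   Path - folder to process, without a trailing backslash.
    Dim fso, folder, entry, subFolder
    WScript.Echo "Checking Catalog" & Path
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set folder = fso.GetFolder(Path)
    For Each entry In folder.Files
        If CheckExt(fso.GetExtensionName(Path & "\" & entry.Name)) Then
            ' The second argument is empty because the file was found by the
            ' directory walk, not through an include in another file.
            Call ScanFile(Path & "\" & entry.Name, "")
            SumFiles = SumFiles + 1
        End If
    Next
    For Each subFolder In folder.SubFolders
        ShowAllFile Path & "\" & subFolder.Name
        SumFolders = SumFolders + 1
    Next
    Set folder = Nothing
    Set fso = Nothing
End Sub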
' Check the file suffix and return True if the match is scheduled
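Function CheckExt(FileExt)
    ' Return True when FileExt is one of the extensions listed in the global
    ' DimFileExt (comma separated), or when DimFileExt is "*"; otherwise False.
    ' Both sides are lower-cased before comparing, so the match does not depend
    ' on how the list or the file name is capitalised. A case-sensitive compare
    ' against an upper-case list would match nothing and skip every file.
    Dim extList, i
    CheckExt = False
    If DimFileExt = "*" Then
        CheckExt = True
        Exit Function
    End If
    extList = Split(DimFileExt, ",")
    For i = 0 To UBound(extList)
        If LCase(FileExt) = LCase(Trim(extList(i))) Then
            CheckExt = True
            Exit Function
        End If
    Next
End Function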
' Test file
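Sub ScanFile(FilePath, InFile)
    ' Scan one file for strings that ASP webshells commonly contain and add a
    ' row to the global Report for every signature that matches.
    '   FilePath - full path of the file to read.
    '   InFile   - "" when the file came from the directory walk; otherwise the
    '              path of the file that includes/executes FilePath.
    ' Side effects: appends to Report, increments Sun once per finding, and
    ' increments SumFiles for every referenced file that is followed.
    ' Files referenced through #include, Server.Execute/Transfer with a literal
    ' path, or <script runat=server src=...> are scanned recursively when their
    ' extension is not already covered by CheckExt.
    ' NOTE(review): nothing here tracks already-visited files, so files with
    ' unlisted extensions that include each other would recurse without end.
    ' NOTE(review): referenced paths are resolved relative to the folder of
    ' FilePath; "virtual" includes are site-root relative, so they may not be
    ' found - confirm against the site layout.
    Dim inFiles, tStream, fileTxt, fsos, regEx, matches, match, tFile
    Dim xRegEx, xMatches, tmpLake2, srcSeek, srcSeek2, tmp, tmpName, i

    If InFile <> "" Then
        inFiles = "<font color=red>this file is included and executed by " & ScanHtmlEncode(InFile) & "</font>"
    End If

    ' Best-effort scanning: from here on a failing statement is skipped
    ' rather than aborting the whole run.
    On Error Resume Next
    Set tStream = WScript.CreateObject("ADODB.Stream")
    tStream.Type = 1            ' binary
    tStream.Mode = 3            ' read/write
    tStream.Open
    tStream.Position = 0
    tStream.LoadFromFile FilePath
    If Err.Number <> 0 Then
        ' A file the scanner could not read is a blind spot, so say so for
        ' files found by the directory walk. Paths taken from include
        ' statements often do not exist and are skipped silently.
        If InFile = "" Then WScript.Echo "Warning: could not read " & FilePath
        tStream.Close
        Set tStream = Nothing
        Exit Sub
    End If
    tStream.Type = 2            ' text
    ' NOTE(review): content is decoded as GB2312; signatures in files saved in
    ' another encoding may be missed - confirm for the site being scanned.
    tStream.Charset = "GB2312"
    Do Until tStream.EOS
        ' Lower-case everything and drop NUL characters before matching.
        fileTxt = fileTxt & LCase(Replace(tStream.ReadText(102400), Chr(0), ""))
    Loop
    tStream.Close
    Set tStream = Nothing

    Set fsos = WScript.CreateObject("Scripting.FileSystemObject")
    If Len(fileTxt) > 0 Then
        ' Signature check. A leading line break lets patterns that need a
        ' preceding character match at the very start of the file.
        fileTxt = vbCrLf & fileTxt

        ' DoMyBest is never assigned, so it concatenates as an empty string.
        ' Presumably the signatures are split so the complete strings do not
        ' appear in the scanner's own source.

        ' WScript.Shell by ProgID or CLSID
        If InStr(fileTxt, LCase("WSCR" & DoMyBest & "IPT.SHELL")) Or InStr(fileTxt, LCase("clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8")) Then
            ScanAddFinding FilePath, "WScr" & DoMyBest & "ipt.Shell or clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8", "<font color=red>Dangerous components, commonly used by ASP Trojans</font>", inFiles
        End If

        ' Shell.Application by ProgID or CLSID
        If InStr(fileTxt, LCase("SHE" & DoMyBest & "LL.APPLICATION")) Or InStr(fileTxt, LCase("clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000")) Then
            ScanAddFinding FilePath, "She" & DoMyBest & "ll.Application or clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000", "<font color=red>Dangerous components, commonly used by ASP Trojans</font>", inFiles
        End If

        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True

        ' Encoded script (language=VBScript.Encode and similar)
        regEx.Pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, "(vbscript|jscript|javascript).Encode", "<font color=red>seems to be encrypted, the general ASP file is not encrypted</font>", inFiles
        End If

        ' eval
        regEx.Pattern = "\bev" & "al\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, "ev" & "al", "The e" & "val() function can execute arbitrary ASP code and is used by some backdoors. The format is generally: ev" & "al(X)<br>It can also be used in JavaScript code, so this may be a false positive.", inFiles
        End If

        ' Execute / ExecuteGlobal not preceded by a dot
        ' NOTE(review): the "?" after (global) is restored from the finding
        ' text, which names both functions - confirm against the packaged script.
        regEx.Pattern = "[^.]\bexe" & "cute(global)?\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, "exec" & "ute() or exe" & "cuteglobal()", "<font color=red>the function can execute arbitrary ASP code, is used by some backdoors. The form is generally: ex" & "ecute(X)</font><br>", inFiles
        End If

        ' MSScriptControl.ScriptControl.ExecuteStatement
        regEx.Pattern = "\.execu" & "testatement\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Exec" & "uteStatement", "<font color=red>found MSScriptControl.ScriptControl.Execut" & "eStatement function</font><br>", inFiles
        End If

        ' FileSystemObject OpenTextFile / CreateTextFile
        regEx.Pattern = "\.(open|create)textfile\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Crea" & "teTextFile|.O" & "penTextFile", "uses the FSO's CreateTextFile|OpenTextFile function to read or write a file", inFiles
        End If

        ' SaveToFile
        regEx.Pattern = "\.savet" & "ofile\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Sa" & "veToFile", "uses Stream or JMail SaveToFile function to write file", inFiles
        End If

        ' Save / SaveAs
        regEx.Pattern = "\.sa" & "ve(as)?\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Sa" & "ve or .Sa" & "veAs", "uses Save or SaveAs function to write file", inFiles
        End If

        ' Set x = Server (aliasing the Server object)
        regEx.Pattern = "set\s*.*\s*=\s*server\s"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, "set xxx=se" & "rver", "<font color=red>found set xxx=ser" & "ver, ask the administrator to carefully check whether .execute is called</font><br>", inFiles
        End If

        ' Server.Execute / Server.Transfer with a non-literal argument
        regEx.Pattern = "server.(ex" & "ecute|transfer)([ \t]*|\()[^""]\)"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, "Server.Ex" & "ecute", "<font color=red>cannot track files that are executed by the Server.e" & "xecute() function. Please check with your administrator</font><br>", inFiles
        End If

        ' .Run
        regEx.Pattern = "\.r" & "un\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Ru" & "n", "<font color=red>found the Run function of WScript</font><br>", inFiles
        End If

        ' .Exec
        regEx.Pattern = "\.ex" & "ec\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Ex" & "ec", "<font color=red>found WScript Exec function</font><br>", inFiles
        End If

        ' .ShellExecute
        regEx.Pattern = "\.shel" & "lexecute\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".ShellE" & "xecute", "<font color=red>found Application ShellExecute function</font><br>", inFiles
        End If

        ' .Create
        regEx.Pattern = "\.cre" & "ate\b"
        If regEx.Test(fileTxt) Then
            ScanAddFinding FilePath, ".Crea" & "te", "found Create function<br>", inFiles
        End If
        Set regEx = Nothing

        ' Follow #include file|virtual directives
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "<!--\s*#include\s+(file|virtual)\s*=\s*.*-->"
        Set matches = regEx.Execute(fileTxt)
        For Each match In matches
            ' Text after "=", with "/" normalised to "\".
            tFile = Replace(Trim(Mid(match.Value, InStr(match.Value, "=") + 1, Len(match.Value) - InStr(match.Value, "=") - 1)), "/", "\")
            If Left(tFile, 1) = "'" Then
                tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2)
            ElseIf Left(tFile, 1) = """" Then
                tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2)
            Else
                ' Unquoted name: cut at the first blank, else at the "-" of "-->".
                tFile = Replace(tFile, Chr(9), " ")
                If InStr(tFile, " ") <> 0 Then
                    tFile = Left(tFile, InStr(tFile, " ") - 1)
                Else
                    tFile = Left(tFile, InStr(tFile, "-") - 1)
                End If
            End If
            ' Listed extensions are scanned by the directory walk already.
            If Not CheckExt(fsos.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tFile, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set matches = Nothing
        Set regEx = Nothing

        ' Follow Server.Execute / Server.Transfer with a quoted literal path
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        regEx.Pattern = "server.(exec" & "ute|transfer)([ \t]*|\()"".*?"""
        Set matches = regEx.Execute(fileTxt)
        For Each match In matches
            tFile = Replace(Mid(match.Value, InStr(match.Value, """") + 1, Len(match.Value) - InStr(match.Value, """") - 1), "/", "\")
            If Not CheckExt(fsos.GetExtensionName(tFile)) Then
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tFile, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set matches = Nothing
        Set regEx = Nothing

        ' Follow <script ... runat=server ... src=...>
        Set xRegEx = New RegExp
        xRegEx.IgnoreCase = True
        xRegEx.Global = True
        xRegEx.Pattern = "<scr" & "ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
        Set xMatches = xRegEx.Execute(fileTxt)
        For Each match In xMatches
            tmpLake2 = Mid(match.Value, 1, InStr(match.Value, ">"))
            srcSeek = InStr(1, tmpLake2, "src", 1)
            If srcSeek > 0 Then
                srcSeek2 = InStr(srcSeek, tmpLake2, "=")
                ' Skip white space after "=" (at most 50 characters).
                For i = 1 To 50
                    tmp = Mid(tmpLake2, srcSeek2 + i, 1)
                    If tmp <> " " And tmp <> Chr(9) And tmp <> vbCrLf Then
                        Exit For
                    End If
                Next
                If tmp = """" Then
                    tmpName = Mid(tmpLake2, srcSeek2 + i + 1, InStr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
                Else
                    If InStr(srcSeek2 + i + 1, tmpLake2, " ") > 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, InStr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = tmpLake2
                    If InStr(tmpName, Chr(9)) > 0 Then tmpName = Mid(tmpName, 1, InStr(1, tmpName, Chr(9)) - 1)
                    If InStr(tmpName, vbCrLf) > 0 Then tmpName = Mid(tmpName, 1, InStr(1, tmpName, vbCrLf) - 1)
                    If InStr(tmpName, ">") > 0 Then tmpName = Mid(tmpName, 1, InStr(1, tmpName, ">") - 1)
                End If
                Call ScanFile(Mid(FilePath, 1, InStrRev(FilePath, "\")) & tmpName, FilePath)
                SumFiles = SumFiles + 1
            End If
        Next
        Set xMatches = Nothing
        Set xRegEx = Nothing
    End If
    Set fsos = Nothing
End Sub

' Helper for ScanFile: append one finding row to the global Report and count it in Sun.
Sub ScanAddFinding(FilePath, Signature, Description, InFilesNote)
    ' The path is escaped because it comes from the scanned tree or from text
    ' inside scanned files, neither of which the report should trust as markup.
    Report = Report & "<tr><td>" & ScanHtmlEncode(FilePath) & "</td><td>" & Signature & "</td><td>" & Description & InFilesNote & "</td><td>" & GetDateCreate(FilePath) & "<br>" & GetDateModify(FilePath) & "</td></tr>"
    Sun = Sun + 1
End Sub

' Helper for ScanFile: escape the characters that are significant in HTML.
Function ScanHtmlEncode(Text)
    Dim escaped
    escaped = Replace(Text, "&", "&amp;")
    escaped = Replace(escaped, "<", "&lt;")
    escaped = Replace(escaped, ">", "&gt;")
    escaped = Replace(escaped, """", "&quot;")
    ScanHtmlEncode = escaped
End Function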
Function getdatemodify(filepath)
    ' Return the last-modified timestamp of the file at filepath.
    Dim fileSystem
    Set fileSystem = CreateObject("Scripting.FileSystemObject")
    getdatemodify = fileSystem.GetFile(filepath).DateLastModified
    Set fileSystem = Nothing
End Function
Function getdatecreate(filepath)
    ' Return the creation timestamp of the file at filepath.
    Dim fileSystem
    Set fileSystem = CreateObject("Scripting.FileSystemObject")
    getdatecreate = fileSystem.GetFile(filepath).DateCreated
    Set fileSystem = Nothing
End Function
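Sub WriteToFile()
    ' Write the finished HTML report (global Report2) to the path given as the
    ' second command-line argument, creating or overwriting that file, then
    ' tell the user where it went.
    Const ForWriting = 2
    Dim fso, theFile
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' Third argument True: create the file when it does not exist yet.
    Set theFile = fso.OpenTextFile(WScript.Arguments.Item(1), ForWriting, True)
    theFile.Write Report2
    theFile.Close
    Set theFile = Nothing
    Set fso = Nothing
    WScript.Echo "Scan results have been written to file """ & WScript.Arguments.Item(1) & """, please check it!"
End Sub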
Because the code is long, it has been packaged for download so that everyone can study and use it: http://xiazai.jb51.net/200907/yuanma/vbs_aspmuma.rar