Yesterday I used my spare time to browse my blog on my mobile phone. When the blog opened, I found a Webshell page instead, and its password was still the default "amdin". I checked from my computer, where the blog opened normally. After inspection, I found that the original wap.asp file had been replaced with a Trojan, and that lpt2.wap.asp and lpt3.wap.asp had been added. I opened these two suspicious files and found that they were ASP Trojans. After replacing the wap.asp file, I tried to delete the other two Trojans, but they could not be deleted. It seems I was up against the legendary "undead zombie" ASP Trojan.
We know that in Windows the names aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9 are reserved by the system and cannot be used as file or folder names. However, the copy command can still create a file with such a name by entering:
copy E:\Web\asp\wwwroot\wap.asp \\.\E:\Web\asp\wwwroot\lpt2.wap.asp
Remember to include the \\.\ prefix, otherwise the system will report "the specified file cannot be found". A file created this way is still parsed successfully by IIS, and the undead zombie Trojan backdoor in the webshell uses this principle to hide itself. This undead Trojan cannot be deleted in the GUI; it can only be deleted by entering the following in cmd:
del \\.\E:\Web\asp\wwwroot\lpt2.wap.asp
Use this command to delete the file. If you do not have permission to do so, contact your hosting provider to help delete it.
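A way to find such files under a web root, as an added example that is not part of the original post: the Python code below flags any file or folder whose name, up to the first dot, is one of the reserved names listed above, and builds the \\.\-prefixed path to pass to del. The function names and sample names are constructed for illustration, and the first-dot matching rule is an assumption about how Windows resolves these names.

```python
import os
import sys

# Reserved device names, as listed in this post.
RESERVED = {"aux", "prn", "con", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)
}

def is_reserved_name(filename):
    # Assumption: Windows matches on the part before the first dot,
    # case-insensitively and ignoring trailing spaces, so
    # lpt2.wap.asp is treated as the device name lpt2.
    stem = filename.split(".", 1)[0].rstrip(" ").lower()
    return stem in RESERVED

def device_path(path):
    # Prepend the \\.\ prefix that del needs to reach such a file.
    return "\\\\.\\" + path

def find_reserved_files(root):
    # Walk the tree and collect every file or folder with a reserved name.
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample names; only the lpt2/LPT3/nul entries are reserved.
    sample = ["wap.asp", "lpt2.wap.asp", "LPT3.wap.asp", "nul", "lpt10.asp"]
    for name in sample:
        print(f"{name:15} reserved={is_reserved_name(name)}")
    # Optional: scan a real web root given on the command line.
    if len(sys.argv) > 1:
        for hit in find_reserved_files(os.path.abspath(sys.argv[1])):
            print("del " + device_path(hit))
```

Run it with the web root as the only argument (for example E:\Web\asp\wwwroot) to list a del command for each hit; review each hit before deleting anything.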