As a webmaster, your technical knowledge is of course limited, and many webmasters do not know much technology at all. This makes Trojan attackers very happy: after you have worked hard to build up traffic, they plant a Trojan on your site and easily take the traffic for themselves, which is quite hateful.
Some time ago I built a small game site whose keywords did well; after a few months it had more than 7,000 visits, and the related keywords ranked very high. Then suddenly an uninvited guest planted a Trojan on my site: as soon as a page opened it automatically jumped to his website, which was also a small game site, so he easily transferred my traffic to himself. Of course, the first time I found it I cleaned it up as usual.
The following is my usual method for cleaning up a Trojan:
Step one: check which pages were modified, mainly by looking at modification times. The planted code is usually on the home page, the file index.html. Open the page in IE, click the "View" menu and choose the "Privacy Report" option; this shows a detailed list of the addresses the page connects to. Note that apart from a direct redirect, the address the Trojan connects to can be obtained from here;
Step two: copy the Trojan link address obtained in step one and search for it in the site's root directory. This may not work, because some things are not as simple as the string you see: they are written in JS and contain many escaped characters. If the search finds it, delete it; if not, go to step three;
Step three: check the site's JS files. This can only be done manually, opening each JS file one by one to find the Trojan code and delete it;
Step four: is a lightweight Trojan like this gone once it has been cleaned up? Will the site be infected again tomorrow? The answer is yes, because you have not dealt with the root of the problem. My usual practice is to turn off write permission on the website through the Xingwai (星外) hosting panel client; if you do not use Xingwai, other panels work the same way. Turning off write permission plays a significant role.
Step five: look for the backdoor program. The Trojan is generally planted through a backdoor program that exploits a vulnerability in the site to write another file, usually a script file, into your site directory. This is harder to find: it takes a certain technical foundation to tell which file is the backdoor, and someone who does not understand the code will not be able to distinguish it from a normal script. However, since you turned off write permission in step four, even if the backdoor program is not deleted it is not serious; this basically eliminates part of the Trojan.
The method above eliminates only part of the Trojan. There are more powerful Trojan implants: even if you delete the backdoor program and turn off write permission, the site can still be infected, and even if you delete all the scripts and leave only static HTML files, the other side can still plant the Trojan. Does that sound scary? Is it a little dizzying? In fact, this is the point of this article. I was very dizzy at first and did not know why.
After I deleted the backdoor script, turned off write permission, and later even deleted all the ASP scripts, the next day the site was still infected! What could I do next? In this situation I studied the system's Event Viewer.
Step one: look at the write time of the backdoor file, for example February 6, 11:15, and find the event records in the Application log from around 11 o'clock on the 6th;
Step two: I found an event showing that the backdoor program had been written to the directory through the MSSQL database's permissions. Its content is as follows:
18270:
Database differential changes backed up: Database: 2144ladb, creation date (time): 2010/02/02 (00:25:13), pages dumped: 118, first LSN: 408:27203:1, last LSN: 408:27208:1, full backup LSN: 408:27174:3, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'e:\host\xxxxxx\web\ri.asp'}).
Explanation: this ri.asp is one of the backdoor scripts. From here the source can basically be traced: it has to do with the database, although at that point I did not know what was going on.
Step three: open Enterprise Manager, enter the website's corresponding database, and look at the database's users. I found a new account, and also a new table named d99_tmp. I had never seen it before and had only heard of an attack method called SQL injection; searching for the table name d99_tmp showed that this table is one a SQL injection tool adds by default. Once you know it is a SQL injection attack, the rest is easy: search online and there are corresponding methods to clean up and solve it.
Of course, these past two days the site has not been infected again; before, it was cleaned up today and infected again by the next morning. My solution is:
There are several dangerous extended stored procedures in the MSSQL database which, by default, the public group has permission to execute. A SQL injector can use them to read file directories and user groups, and can escalate further by writing a dangerous script to the server, or by using certain stored procedures to execute commands, for example by first writing into the database and then exporting it as a file, or through xp_cmdshell. These stored procedures are:
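The two indicators found in this step, a table named d99_tmp and an account nobody created, can be checked with a query instead of by browsing Enterprise Manager. The following is an added example, not code from the original post; it assumes SQL Server 2005 or later catalog views (sys.tables, sys.database_principals, sys.server_principals) and uses WebSiteDb as a placeholder for the database the website connects with.

```sql
-- Added example (not from the original post): look for the d99_tmp table the post
-- describes in every database on the instance, then list database users and logins
-- created recently. Assumes SQL Server 2005+ catalog views.

-- 1. Any database containing a table named d99_tmp (sp_MSforeachdb substitutes ? with
--    each database name; quotes inside the string are doubled).
EXEC sp_MSforeachdb N'
    IF EXISTS (SELECT 1 FROM [?].sys.tables WHERE name = N''d99_tmp'')
        SELECT N''?'' AS database_name, N''d99_tmp present'' AS finding;';

-- 2. Database users in the website's database created in the last 30 days.
--    WebSiteDb is a placeholder: replace it with the site's actual database.
USE WebSiteDb;
SELECT name, type_desc, create_date, modify_date
FROM sys.database_principals
WHERE type IN ('S', 'U')            -- SQL users and Windows users only
  AND is_fixed_role = 0
  AND create_date > DATEADD(day, -30, GETDATE())
ORDER BY create_date DESC;

-- 3. Instance-level logins created in the same window; an injection tool that
--    added a database user may have added a login for it as well.
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U')
  AND create_date > DATEADD(day, -30, GETDATE())
ORDER BY create_date DESC;
```

Compare the creation dates against the write time of the backdoor file found in the Application log; an account or table created in the same window is the one to examine first.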
sp_makewebtask
xp_cmdshell
xp_dirtree
xp_fileexist
xp_terminate_process
sp_OAMethod
sp_OACreate
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
sp_add_job
sp_addtask
xp_regread
xp_regwrite
xp_readwebtask
xp_makewebtask
xp_regremovemultistring
Response: delete the stored procedures above (or their executable files), or modify the execute permission of the corresponding user group on them. The script to delete the stored procedures above is (the "master.." prefix is the two-dot owner shorthand for master.dbo):
USE master
GO
DROP PROCEDURE sp_makewebtask
EXEC master..sp_dropextendedproc 'xp_cmdshell'
EXEC master..sp_dropextendedproc 'xp_dirtree'
EXEC master..sp_dropextendedproc 'xp_fileexist'
EXEC master..sp_dropextendedproc 'xp_terminate_process'
EXEC master..sp_dropextendedproc 'sp_OAMethod'
EXEC master..sp_dropextendedproc 'sp_OACreate'
EXEC master..sp_dropextendedproc 'xp_regaddmultistring'
EXEC master..sp_dropextendedproc 'xp_regdeletekey'
EXEC master..sp_dropextendedproc 'xp_regdeletevalue'
EXEC master..sp_dropextendedproc 'xp_regenumkeys'
EXEC master..sp_dropextendedproc 'xp_regenumvalues'
-- sp_add_job and sp_addtask are ordinary procedures in msdb, not extended procedures,
-- so sp_dropextendedproc does not apply; take away the public group's execute right instead
REVOKE EXECUTE ON msdb.dbo.sp_add_job FROM public
REVOKE EXECUTE ON msdb.dbo.sp_addtask FROM public
EXEC master..sp_dropextendedproc 'xp_regread'
EXEC master..sp_dropextendedproc 'xp_regwrite'
EXEC master..sp_dropextendedproc 'xp_readwebtask'
EXEC master..sp_dropextendedproc 'xp_makewebtask'
EXEC master..sp_dropextendedproc 'xp_regremovemultistring'
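The response above offers two options, dropping the procedures or changing the public group's execute permission on them. The following added example, not from the original post, takes the second option: it revokes EXECUTE from public on each listed extended procedure that exists, turns off the xp_cmdshell instance switch, and then prints a verification table. It assumes SQL Server 2008 or later (sys.all_objects, sys.database_permissions, multi-row VALUES and the sp_configure 'xp_cmdshell' option), which is newer than the Enterprise Manager environment the post describes.

```sql
USE master;
GO
-- Added example (not from the original post): revoke EXECUTE from public rather than
-- dropping the extended procedures, then verify the result. Assumes SQL Server 2008+.
DECLARE @risky TABLE (name sysname);
INSERT INTO @risky (name) VALUES
  ('xp_cmdshell'), ('xp_dirtree'), ('xp_fileexist'), ('xp_terminate_process'),
  ('sp_OAMethod'), ('sp_OACreate'), ('xp_regaddmultistring'), ('xp_regdeletekey'),
  ('xp_regdeletevalue'), ('xp_regenumkeys'), ('xp_regenumvalues'), ('xp_regread'),
  ('xp_regwrite'), ('xp_regremovemultistring'), ('xp_makewebtask'), ('xp_readwebtask');

-- Revoke execute from public on each listed procedure that is present in master.
-- (Procedures removed in newer versions, such as xp_makewebtask, are simply skipped.)
DECLARE @name sysname, @sql nvarchar(200);
DECLARE c CURSOR LOCAL FAST_FORWARD FOR
    SELECT r.name FROM @risky r
    WHERE EXISTS (SELECT 1 FROM sys.all_objects o
                  WHERE o.name = r.name AND o.schema_id = SCHEMA_ID('dbo'));
OPEN c;
FETCH NEXT FROM c INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'REVOKE EXECUTE ON dbo.' + QUOTENAME(@name) + N' FROM public;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM c INTO @name;
END
CLOSE c; DEALLOCATE c;

-- xp_cmdshell also has an instance-level switch; make sure it is off.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;

-- Verify: any row where public still holds GRANT on an existing object needs attention.
SELECT r.name,
       CASE WHEN o.object_id IS NULL THEN 'not present' ELSE o.type_desc END AS object_status,
       ISNULL(p.state_desc, 'no explicit permission') AS public_execute
FROM @risky r
LEFT JOIN sys.all_objects o
       ON o.name = r.name AND o.schema_id = SCHEMA_ID('dbo')
LEFT JOIN sys.database_permissions p
       ON p.class = 1 AND p.major_id = o.object_id
      AND p.permission_name = 'EXECUTE'
      AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
ORDER BY r.name;
```

Revoking rather than dropping keeps the procedures available to sysadmin for legitimate maintenance while closing the path the post describes, in which the website's low-privileged database account reached them through the public group.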
If the d99_tmp table is found in a database, notify the site administrator to fix the SQL injection vulnerability. The table is one a SQL injection tool adds by default, and its content is the names of all files and folders in the C: drive directory tree. Server administrators should check the permissions on the xp_dirtree extended stored procedure and make it unreadable by the public group, which prevents malicious visitors from reading local file information; alternatively, delete the xp_dirtree stored procedure or delete the xpstar.dll file, which is located under the SQL installation directory.
This article was originally written by the webmaster of www.shouji263.com.