Website Security: A brief talk on "net" horse

Source: Internet
Author: User
Keywords: Website security


People who see this headline may find it puzzling and have some doubts about it. First of all, let me explain what the title means.

The first "net horse" in the title refers to the web Trojan, which hackers call a webshell. So what is a webshell? It is the backdoor a hacker leaves in a site's directory after breaking into the website, except that this backdoor is a web page. A webshell is very powerful: it can list all the directories of the site, and it can arbitrarily change, create or even delete files on the site. When a site is "hung with a horse" (has malicious code planted in its pages), it is usually done through this backdoor. Webshells have more powerful features as well, such as port scanning, connecting to the database, and even obtaining the highest privileges on the server. The second "net horse" in the title means to net the Trojan, that is, to pull the web Trojan out.

I believe many webmasters have had the experience of their site being hung with a horse. It is despicable behavior that every webmaster hates, and it really is a headache. A horse on the home page alone is one thing; what is most unbearable is a horse on every page. Do we have to go through the pages one by one? We cannot afford that kind of foolish persistence. Next I will show you how to use a net horse (webshell) to pull the backdoor Trojans out of a website.

When I was young and reckless I put a great deal of effort into pursuing hacking; I achieved nothing much, but I did learn a few things. First of all, I have never hung a horse on anyone's site. To cut to the chase: it is actually very simple. Many backdoor webshells have functions for batch processing of horses and for searching for net horses. The hacker builds these into the Trojan in order to remove the Trojans other hackers have left behind and monopolize the site. In the hands of us webmasters, they become a tool for removing every net horse.

I will use one of my own ASP websites for the experiment. First I uploaded two net horses to the root directory: a big horse (full-featured) and a pony (upload function only), named dama.asp and xiaoma.asp for now. This simulates a hacker who has broken into your website and left backdoors behind. Watch how I net these two Trojans.

I put a net horse (a webshell, named 520.asp) on the website and opened this web Trojan, as shown below

  

See the functions above? One of them is "File - Trojan"; click into it.

  

Click "Start scan" directly; after a moment the results are listed as follows

 

Columns: file relative path, signature, description, create/modify time

File: D:\www\15946\520.ASP
  Signature: (vbscript|jscript|javascript).Encode
  Description: It seems the script was encrypted
  Created / modified: 2009-4-21 12:40:39 / 2009-4-21 12:40:43

File: D:\www\15946\adminggb.asp
  Signature: execute
  Description: execute() function can execute arbitrary ASP code
  Created / modified: 2009-4-19 1:04:48 / 2009-4-19 1:04:50

File: D:\www\15946\dama.asp
  Signature: (vbscript|jscript|javascript).Encode
  Description: It seems the script was encrypted
  Created / modified: 2009-4-21 12:40:48 / 2009-4-21 12:40:55

File: D:\www\15946\xiaoma.asp
  Signature: .CreateTextFile|.OpenTextFile
  Description: Uses the FSO's CreateTextFile|OpenTextFile to read and write files
  Created / modified: 2009-4-21 12:43:57 / 2009-4-21 12:43:58
  Signature (same file): createobject
  Description: createobject function, variant technique used
  Created / modified: 2009-4-21 12:43:57 / 2009-4-21 12:43:58

File: D:\www\15946\class\dbconn.asp
  Signature: execute
  Description: execute() function can execute arbitrary ASP code
  Created / modified: 2009-4-19 1:00:27 / 2009-4-19 1:00:27

File: D:\www\15946\class\upload.asp
  Signature: .SaveToFile
  Description: Uses the Stream's SaveToFile function to write a file
  Created / modified: 2009-4-19 1:00:37 / 2009-4-19 1:00:38

File: D:\www\15946\lang\admingg.asp
  Signature: execute
  Description: execute() function can execute arbitrary ASP code
  Created / modified: 2009-4-19 1:00:50 / 2009-4-19 1:00:51

File: D:\www\15946\source\src_admin.asp
  Signature: createobject
  Description: createobject function, variant technique used
  Created / modified: 2009-4-19 1:01:02 / 2009-4-19 1:01:08

File: D:\www\15946\source\src_adminggb.asp
  Signature: createobject
  Description: createobject function, variant technique used
  Created / modified: 2009-4-19 1:01:09 / 2009-4-19 1:01:11

The results are in. Where the description says "It seems the script was encrypted", one look tells you the file is a Trojan: we simply never encrypt the dynamic pages of our own websites, and hackers encrypt theirs so that antivirus software does not detect and remove them. Those files are dama.asp and 520.asp, the horse-netting Trojan I uploaded myself. In addition, the description of xiaoma.asp is "Uses the FSO's CreateTextFile|OpenTextFile to read and write files", which is characteristic of a pony.

A web Trojan of this kind uses the FSO's CreateTextFile|OpenTextFile to create and open files on the website. Of course, we cannot rule out that our own pages use these functions too, so such files have to be inspected individually. There is a shortcut, though. Look at the file listing, and at the creation times at the end of each entry: the other files are dated April 19, while three of them are dated April 21 and are new. It is easy to conclude that these are the net horses; the other files belong to the site itself and cannot carry the new date.

Hackers have another technique: inserting a one-sentence Trojan into an existing web page. The reasoning for spotting it is the same. A one-sentence Trojan needs to execute code, so it will contain the execute function, but the backend files of our own website use this function too. How do we tell them apart? Again, look at the time. If the server's permissions are extremely badly configured, however, a hacker can run an EXE file to modify the creation time. I will not go into that situation, because in that case you should simply move to another server right away.
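The two checks described above (signature matches, then files whose dates differ from the rest of the site) can be reproduced from outside the site with an ordinary script. This is an added example, not code from the tool shown in the article: the regexes, the function names and the sample tree are this example's own, and the sample files are harmless one-line stand-ins. As noted above, timestamps can be altered, so the date flag narrows the review rather than proving a file clean.

```python
import os, re, tempfile
from collections import Counter
from datetime import date, datetime
from pathlib import Path

# Signature names follow the scan results above; the regexes are this example's own.
SIGNATURES = [
    (re.compile(r"(vbscript|jscript|javascript)\.encode", re.I), "script is encoded"),
    (re.compile(r"\bexecute\b", re.I), "execute can run arbitrary ASP code"),
    (re.compile(r"\.(createtextfile|opentextfile)\b", re.I), "FSO file read/write"),
    (re.compile(r"\.savetofile\b", re.I), "Stream SaveToFile writes a file"),
    (re.compile(r"\bcreateobject\b", re.I), "CreateObject used"),
]

def scan(root):
    """Return sorted (path, descriptions, day, off_baseline); baseline = most common day."""
    hits, days = [], Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".asp", ".asa"):
            continue
        day = date.fromtimestamp(path.stat().st_mtime)
        days[day] += 1
        text = path.read_text(encoding="utf-8", errors="replace")
        found = [desc for rx, desc in SIGNATURES if rx.search(text)]
        if found:
            hits.append((path.relative_to(root).as_posix(), found, day))
    baseline = days.most_common(1)[0][0] if days else None
    return sorted((p, f, d, d != baseline) for p, f, d in hits)

def make_sample(root):
    """Constructed sample tree: harmless one-line stand-ins, not real webshells."""
    old, new = datetime(2009, 4, 19, 1, 0), datetime(2009, 4, 21, 12, 40)
    files = {
        "index.asp": ('<% Response.Write "hello" %>', old),
        "class/dbconn.asp": ("<% conn.Execute(sql) %>", old),
        "class/upload.asp": ("<% stream.SaveToFile target %>", old),
        "dama.asp": ("<%@ LANGUAGE = VBScript.Encode %>", new),
        "xiaoma.asp": ('<% fso.CreateTextFile("placeholder.txt") %>', new),
    }
    for rel, (body, when) in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
        os.utime(path, (when.timestamp(), when.timestamp()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(*(f"{'REVIEW' if o else 'known '} {d} {p}: {f}" for p, f, d, o in scan(tmp)), sep="\n")
```

Legitimate files such as the database and upload scripts still match a signature, as they do in the article's results; only the two files dated off the baseline are marked for review.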

Then there is the problem of cleaning horses in bulk, when a great many pages have been hung with a horse. Just find the horse code, click "batch clean horses", fill in the box that follows with the Trojan code to look for in the pages, and click to start execution. As shown below

  

Hackers generally hang a horse in a page by calling an IFRAME whose width, height, border and so on are set to 0; in other words, the frame is hidden to achieve the purpose of hanging the horse. Using this trick makes the hung horse vanish.

Well, that is the end of the article. If you have any questions, you can ask me. QQ: 22622467.
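The hidden-IFRAME pattern described above, and the batch clean-up that removes one known injected string from every page, can be checked with a short script. This is an added example, not the webshell's own code: the function names are hypothetical, and the sample pages and the malicious.example address are constructed.

```python
import re
from html.parser import HTMLParser

class HiddenFrameFinder(HTMLParser):
    """Collect <iframe> tags that are zero-sized or hidden by inline style."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        zero = any(re.fullmatch(r"0(px|%)?", a.get(k, "").strip().lower())
                   for k in ("width", "height"))
        style = a.get("style", "").lower().replace(" ", "")
        hidden = re.search(r"display:none|visibility:hidden|(?<![-\w])(width|height):0(px)?(;|$)", style)
        if zero or hidden:
            # (line number, src, raw tag text) so the exact injected string can be reviewed
            self.found.append((self.getpos()[0], a.get("src", ""), self.get_starttag_text()))

def find_hidden_iframes(html):
    finder = HiddenFrameFinder()
    finder.feed(html)
    return finder.found

def batch_clean(pages, injected):
    """Remove the exact injected snippet from every page; return cleaned pages and counts."""
    counts = {name: html.count(injected) for name, html in pages.items()}
    cleaned = {name: html.replace(injected, "") for name, html in pages.items()}
    return cleaned, counts

# Constructed sample pages; about.asp carries a legitimate, visible frame.
INJECTED = '<iframe src="http://malicious.example/x.htm" width=0 height=0 frameborder=0></iframe>'
PAGES = {
    "index.asp": "<html><body><h1>Home</h1>\n" + INJECTED + "\n</body></html>",
    "about.asp": '<html><body><iframe src="/map.htm" width="400" height="300"></iframe></body></html>',
    "news.asp": "<html><body>News\n</body></html>" + INJECTED,
}

if __name__ == "__main__":
    for name, html in PAGES.items():
        for line, src, tag in find_hidden_iframes(html):
            print(f"{name}:{line} hidden iframe -> {src}")
    print(batch_clean(PAGES, INJECTED)[1])
```

Running the finder again over the cleaned pages confirms that nothing hidden remains, while the visible frame in about.asp is left untouched.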
