淘特ASP木馬掃描器的代碼

＋-----------------＋
｜淘特ASP木馬掃描器｜
＋-----------------＋
　　本程式可以掃描伺服器上的所有指定類型(asp,cer,asa,cdx)的檔案，查出可疑的木馬程式。系統採用掃描程式與病毒庫分離的形式，
以後升級只需像殺毒軟體那樣升級病毒庫就可以了。目前可以查殺所有流行的ASP木馬程式。

　　系統提供了全站掃描、按檔案夾和指定檔案掃描三種掃描方式，如果網站檔案比較少的話，推薦使用"全站掃描",如果檔案比較多，推薦
使用按檔案夾掃描。掃描過程，系統會記錄被掃描過的檔案清單，同時對懷疑是木馬程式的檔案以列表的形式展現，為了便於比較最近有可能
被上傳過ASP木馬程式，系統特別對目前時間7日內修改、建立的檔案以加紅顯示；系統會對懷疑是木馬的檔案作出"層級"判斷，並加以顏色區分
；建議對層級為"一般"的程式作手動檢查後，再作處理，對層級為"嚴重"的檔案，可以點擊"檔案名稱"下的檔案連結，一般開啟後木馬程式都會
有一個登入提示，這時就點擊"檔案名稱"下的"刪除"連結，直接將檔案從伺服器中刪除即可。如果擔心會誤刪除，可以先點擊"下載"將檔案備份。
使用方法：
將本程式解壓後的檔案上傳至伺服器中。執行:http://你的網址/scan.asp

＋-----------------＋
｜登入密碼：totscan｜
＋-----------------＋
virus_lib.asp複製代碼 代碼如下:<%
dim virus(1,7),virus_Regx(1,4)
'定義木馬組件
virus(0,0)="WScript"
virus(1,0)="層級：<font color=""green"">嚴重!</font><br>WScript 多為木馬關鍵字"
virus(0,1)="Shell"
virus(1,1)="層級：<font color=""green"">嚴重!</font><br>Shell 多為木馬關鍵字"
virus(0,2)="Shell.Application"
virus(1,2)="層級：<font color=""green"">嚴重!</font><br>asp 組件,一般多為木馬所用"
'海陽組件
virus(0,3)="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"
virus(1,3)="層級：<font color=""green"">嚴重!</font><br>asp WScript 組件,一般多為木馬所用"
virus(0,4)="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
virus(1,4)="層級：<font color=""green"">嚴重!</font><br>asp wscript 組件,一般多為木馬所用"
virus(0,5)="clsid:093FF999-1EA0-4079-9525-9614C3504B74"
virus(1,5)="層級：<font color=""green"">嚴重!</font><br>asp net 組件,一般多為木馬所用"
virus(0,6)="clsid:F935DC26-1CF0-11D0-ADB9-00C04FD58A0B"
virus(1,6)="層級：<font color=""green"">嚴重!</font><br>asp net 組件,一般多為木馬所用"
virus(0,7)="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"
virus(1,7)="層級：<font color=""green"">嚴重!</font><br>asp fso 組件,一般多為木馬所用"

'定義木馬關鍵字
virus_Regx(0,0)="@\s*LANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
virus_Regx(1,0)="層級：<font color=""green"">嚴重!</font><br>指令碼被加密了，一般ASP檔案是不會加密的。"
virus_Regx(0,1)="\bEval\b"
virus_Regx(1,1)="層級：<font color=""gray"">一般!</font><br>eval()函數可以執行任意ASP代碼，被一些後門利用。其形式一般是：ev"&"al(X)<br>但是javascript代碼中也可以使用，有可能是誤判。"
virus_Regx(0,2)="[^.]\bExecute\b"
virus_Regx(1,2)="層級：<font color=""gray"">一般!</font><br>execute()函數可以執行任意ASP代碼，被一些後門利用。其形式一般是：ex"&"ecute(X)。"
virus_Regx(0,3)="Server.(Execute|Transfer)([ \t]*|\()[^""]\)"
virus_Regx(1,3)="層級：<font color=""gray"">一般!</font><br>不能跟蹤檢查Server.e"&"xecute()函數執行的檔案。請管理員自行檢查。"
virus_Regx(0,4)="CreateObject[ |\t]*\(.*\)$[^adodb.recordset]"
virus_Regx(1,4)="層級：<font color=""gray"">一般!</font><br>Crea"&"teObject函數使用了變形技術，仔細複查"
%>

scan.asp複製代碼 代碼如下:<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="virus_lib.asp"-->
<%
server.ScriptTimeout =90000
dim act
act=request.QueryString("act")
Const PASSWORD = "totscan"
if act="login" then
if request.Form("pwd") = PASSWORD then session("login")="ok"
end if
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Asp木馬掃描器</title>
<script language="JavaScript" type="text/JavaScript">

function ConfirmDel()
{
if(confirm("確認刪除？並且不能恢複！"))
return true;
else
return false;

}
</script>
</head>

<body>
<div align="center"><h2>Asp木馬掃描器</h2></div>
<hr>
<%
If Session("login") <> "ok" then
call LoginForm()
else
dim pathStr
if request("path")<>"" then
pathStr=request("path")
else
pathStr=server.MapPath("/")
end if
response.Write("<a href=""javascript:history.back();"">←返回</a><br>"&Chr(10))
if act="scan" then
dim ScanFileType,Suspect,ScanFileNum,ScanFolderNum,BeginTime,EndTime,TmpPath,Report
ScanFileType = "asp,cer,asa,cdx"
Suspect = 0
ScanFileNum = 0
ScanFolderNum =0
BeginTime = timer
response.Write("<textarea name=""textarea"" style=""width:100%"" rows=""5"">"&Chr(10))
response.Write("掃描日誌："&vbcrlf)
if(request.QueryString("file")<>"") then
Call ScanFile(request.QueryString("file"),"")
else
Call ScanFolder(pathStr)
end if
response.Write("</textarea>")
Call ShowResult()
EndTime = timer
response.write "<br><font size=""2"">執行時間："&cstr(int(((EndTime-BeginTime)*10000 )+0.5)/10)&"毫秒</font>"
elseif act="del" then
Call DelFile(request.QueryString("file"))
response.Write("<br><a href="""&request.ServerVariables("HTTP_REFERER")&""">返回</a>")
elseif act="down" then
Call Download(request.QueryString("file"))
else
call FileList(pathStr)
call ScanForm()
end if
end if

%>
<hr>
</body>
</html>
<%
Sub LoginForm
%>
<form name="form1" method="post" action="?act=login">
<div align="center">Password:
<input name="pwd" type="password" size="15">
<input type="submit" name="Submit" value="提交">
</div>
</form>
<%
end Sub
Sub ScanForm
%>
<form action="?act=scan" method="post">
<input type="submit" value=" 全站掃描 " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" />
</form>
<%
end sub
'遍曆處理path及其子目錄所有檔案
Sub FileList(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set folders = FSO.GetFolder(Path)'目錄下所有對象
Set files = folders.files
Set subfolders = folders.SubFolders
'列表檔案夾
For Each fl in subfolders
response.Write("<a href=""?path="&Path&"\"&fl.name&"""><img src=""images/folder.gif"" border=""0"">"&fl.name&"</a>"&Chr(10))
response.Write("<a href=""?act=scan&path="&Path&"\"&fl.name&""">掃描</a><br>"&Chr(10))
Next
'列表檔案
For Each file_f in files
response.Write("<img src=""images/file.gif"">"&file_f.name&""&Chr(10))
response.Write("<a href=""?act=scan&file="&Path&"\"&file_f.name&""">掃描</a><br>"&Chr(10))
Next
set folders=nothing
set files=nothing
set subfolders=nothing
Set FSO = Nothing
End Sub
Sub ShowResult
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="CContent">
<tr>
<td class="CPanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
掃描完畢！一共檢查檔案夾<font color="#FF0000"><%=ScanFolderNum%></font>個，檔案<font color="#FF0000"><%=ScanFileNum%></font>個，發現可疑點<font color="#FF0000"><%=Suspect%></font>個
</td></tr></table>
<table width="100%" border="0" cellpadding="0" cellspacing="1" style="padding:5px; background-color:#666666;line-height:18px;clear:both;font-size:12px">
<tr>
<td width="30%" bgcolor="#FFFFFF">檔案名稱</td>
<td width="20%" bgcolor="#FFFFFF">特徵碼</td>
<td width="30%" bgcolor="#FFFFFF">描述</td>
<td width="20%" bgcolor="#FFFFFF">建立/修改時間</td>
</tr>
<p>
<%=Report%>
<br/>
</p>
</table>
<%
end Sub
'遍曆處理path及其子目錄所有檔案
Sub ScanFolder(Path)
dim folders,files,subfolders
ScanFolderNum = ScanFolderNum + 1
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set folders = FSO.GetFolder(Path)
Set files = folders.files
For Each myfile in files
If CheckExt(FSO.GetExtensionName(path&"\"&myfile.name)) Then
Call ScanFile(Path&"\"&myfile.name, "")
End If
Next
Set subfolders = folders.SubFolders
For Each f1 in subfolders
ScanFolder path&"\"&f1.name
Next
set folders=nothing
set files=nothing
set subfolders=nothing
Set FSO = Nothing
End Sub

'檢測檔案
Sub ScanFile(FilePath, InFile)
dim FSOs,ofile,filetxt,fileUri,vi
ScanFileNum = ScanFileNum + 1
response.Write("掃描檔案:"&FilePath&vbcrlf)
response.Flush()
If InFile <> "" Then
Infiles = "該檔案被<a href=""http://"&Request.Servervariables("server_name")&"\"&InFile&""" target=_blank>"& InFile & "</a>檔案包含執行"
End If
Set FSOs = CreateObject("Scripting.FileSystemObject")
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)>0 then
'特徵碼檢查
fileUri = "<a href=""http://"&Request.Servervariables("server_name")&":"&Request.ServerVariables("SERVER_PORT")&"\"&replace(FilePath,server.MapPath("\")&"\","",1,1,1)&""" target=_blank>"&replace(FilePath,server.MapPath("\")&"\","",1,1,1)&"</a><br>"
fileUri=fileUri&"操作： <a href=""?act=del&file="&FilePath&""" onClick=""return ConfirmDel()"">刪除</a>"
fileUri=fileUri&" <a href=""?act=down&file="&FilePath&""">下載</a>"
for vi=0 to ubound(virus,2)
If instr(filetxt, Lcase(virus(0,vi))) then
Report = Report&"<tr bgcolor=""#FFFFFF""><td>"&fileUri&"</td><td>"&virus(0,vi)&"</td><td>"&virus(1,vi)&infiles&"</td><td>建立:"&GetDateCreate(filepath)&"<br>修改:"&GetDateModify(filepath)&"</td></tr>"
Suspect = Suspect + 1
End if
next
for vi=0 to ubound(virus_Regx,2)
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = virus_Regx(0,vi)
If regEx.Test(filetxt) Then
Report = Report&"<tr bgcolor=""#FFFFFF""><td>"&fileUri&"</td><td>"&virus_Regx(0,vi)&"</td><td>"&virus_Regx(1,vi)&infiles&"</td><td>建立:"&GetDateCreate(filepath)&"<br>修改:"&GetDateModify(filepath)&"</td></tr>"
Suspect = Suspect + 1
End If
next

'Check include file
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, replace(FilePath,server.MapPath("\")&"\","",1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check include virtual
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "<!--\s*#include\s*virtual\s*=\s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Server.MapPath("\")&"\"&tFile, replace(FilePath,server.MapPath("\")&"\","",1,1,1) )
End If
Next
Set Matches = Nothing
Set regEx = Nothing

'Check Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ \t]*|\()"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, replace(FilePath,server.MapPath("\")&"\","",1,1,1) )
End If
Next
Set Matches = Nothing
Set regEx = Nothing

end if
set ofile = nothing
set fsos = nothing
End Sub

'檢查檔案尾碼，如果與預定的匹配即返回TRUE
Function CheckExt(FileExt)
If ScanFileType = "*" Then CheckExt = True
Ext = Split(ScanFileType,",")
For i = 0 To Ubound(Ext)
If Lcase(FileExt) = Ext(i) Then
CheckExt = True
Exit Function
End If
Next
End Function
'刪除檔案
Sub DelFile(FilePath)
Set fso = Server.CreateObject("Scripting.FileSystemObject")
if fso.FileExists(FilePath) then
fso.DeleteFile(FilePath)
Response.Write("<h2>成功刪除檔案:</h2>" &FilePath)
else
response.Write("<h2>刪除失敗!檔案:"&FilePath&"沒有找到!</2>")
end if
set fso=nothing
end Sub
'下載檔案
sub Download(FilePath)
dim oStream
Set FSO = Server.CreateObject("Scripting.FileSystemObject")
if FSO.FileExists(FilePath) then
set oStream=Server.CreateObject("ADODB.Stream")
oStream.Type=1
oStream.Open
on error resume next
oStream.LoadFromFile(FilePath)
if Err.Number=0 then
Response.AddHeader "Content-Disposition", "attachment; filename=" & FSO.GetFileName(FilePath)
Response.AddHeader "Content-Length", oStream.Size
Response.ContentType="bad/type" 'yeu cau ie hien hop thoai save-as
Response.BinaryWrite oStream.Read
end if
oStream.Close
set oStream=nothing
end if
set FSO=nothing
end sub
Function GetDateModify(filepath)
dim s,days
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateLastModified
set f = nothing
set fso = nothing
days=DateDiff("d",Cdate(s),now())
if(days>-7 and days<7) then
s="<font color=""red"">"&s&"</font>"
end if
GetDateModify = s
End Function

Function GetDateCreate(filepath)
dim s,days
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateCreated
set f = nothing
set fso = nothing
days=DateDiff("d",Cdate(s),now())
if(days>-7 and days<7) then
s="<font color=""red"">"&s&"</font>"
end if
GetDateCreate = s
End Function

%>