雷客图ASP站长安全助手的ASP木马查找功能

　　可以在线查找空间里的asp木马
复制代码 代码如下:
<%@LANGUAGE=VBSCRIPTCODEPAGE=936%>
<%
设置密码
PASSWORD=jb51net

dimReport

ifrequest.QueryString(act)=loginthen
ifrequest.Form(pwd)=PASSWORDthensession(pig)=1
endif
%>
<!DOCTYPEHTMLPUBLIC-//W3C//DTDHTML4.01Transitional//EN
<html>
<head>
<metahttp-equiv=Content-Typecontent=text/html;charset=gb2312>
<title>ASPSecurityforHacking</title>
</head>

<body>
<%IfSession(pig)<>1then%>
<formname=form1method=postaction=?act=login>
<divalign=center>Password:
<inputname=pwdtype=passwordsize=15>
<inputtype=submitname=Submitvalue=提交>
</div>
</form>
<%
else
ifrequest.QueryString(act)<>scanthen
%>
<formaction=?act=scanmethod=post>
<b>填入你要检查的路径：</b>
<inputname=pathtype=textstyle=border:1pxsolid#999value=.size=30/>
<br>
*网站根目录的相对路径，填“\”即检查整个网站；“.”为程序所在目录
<br>
<br>
<inputtype=submitvalue=开始扫描style=background:#fff;border:1pxsolid#999;padding:2px2px0px2px;margin:4px;border-width:1px3px1px3px/>
</form>
<%
else
server.ScriptTimeout=600
DimFileExt=asp,cer,asa,cdx
Sun=0
SumFiles=0
SumFolders=1
ifrequest.Form(path)=then
response.Write(NoHack)
response.End()
endif
timer1=timer
ifrequest.Form(path)=\then
TmpPath=Server.MapPath(\)
elseifrequest.Form(path)=.then
TmpPath=Server.MapPath(.)
else
TmpPath=Server.MapPath(\)&\&request.Form(path)
endif
CallShowAllFile(TmpPath)
%>
<tablewidth=100%border=0cellpadding=0cellspacing=0class=CContent>
<tr>
<th>ASPSecurityForHacking
</tr>
<tr>
<tdclass=CPanelstyle=padding:5px;line-height:170%;clear:both;font-size:12px>
<divid=updateInfostyle=background:ffffe1;border:1pxsolid#89441f;padding:4px;display:none></div>
扫描完毕！一共检查文件夹<fontcolor=#FF0000><%=SumFolders%></font>个，文件<fontcolor=#FF0000><%=SumFiles%></font>个，发现可疑点<fontcolor=#FF0000><%=Sun%></font>个
<tablewidth=100%border=0cellpadding=0cellspacing=0>
<tr>
<tdvalign=top>
<tablewidth=100%border=1cellpadding=0cellspacing=0style=padding:5px;line-height:170%;clear:both;font-size:12px>
<tr>
<tdwidth=20%>文件相对路径</td>
<tdwidth=20%>特征码</td>
<tdwidth=40%>描述</td>
<tdwidth=20%>创建/修改时间</td>
</tr>
<p>
<%=Report%>
<br/></p>
</table></td>
</tr>
</table>
</td></tr></table>
<%
timer2=timer
thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)
response.write<br><fontsize=2>本页执行共用了&thetime&毫秒</font>
endif
endif

%>
<hr>
<divalign=center>本程序取自<ahref=雷客图ASP站长安全助手</a>的ASP木马查找功能<br>
poweredby<ahref=
</div>
</body>
</html>
<%

遍历处理path及其子目录所有文件
SubShowAllFile(Path)
SetFSO=CreateObject(Scripting.FileSystemObject)
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
CallScanFile(Path&Temp&\&myfile.name,)
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&\&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub

检测文件
SubScanFile(FilePath,InFile)
IfInFile<>Then
Infiles=该文件被<ahref=文件包含执行
EndIf
SetFSOs=CreateObject(Scripting.FileSystemObject)
onerrorresumenext
setofile=fsos.OpenTextFile(FilePath)
filetxt=Lcase(ofile.readall())
IferrThenExitSubendif
iflen(filetxt)>0then
特征码检查
temp=<ahref=
CheckWScr&DoMyBest&ipt.Shell
Ifinstr(filetxt,Lcase(WScr&DoMyBest&ipt.Shell))orInstr(filetxt,Lcase(clsid:72C24DD5-D70A&DoMyBest&-438B-8A42-98424B88AFB8))then
Report=Report&<tr><td>&temp&</td><td>WScr&DoMyBest&ipt.Shell或者clsid:72C24DD5-D70A&DoMyBest&-438B-8A42-98424B88AFB8</td><td>危险组件，一般被ASP木马利用。&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
Endif
CheckShe&DoMyBest&ll.Application
Ifinstr(filetxt,Lcase(She&DoMyBest&ll.Application))orInstr(filetxt,Lcase(clsid:13709620-C27&DoMyBest&9-11CE-A49E-444553540000))then
Report=Report&<tr><td>&temp&</td><td>She&DoMyBest&ll.Application或者clsid:13709620-C27&DoMyBest&9-11CE-A49E-444553540000</td><td>危险组件，一般被ASP木马利用。&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
Check.Encode
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=@\s*LANGUAGE\s*=\s*[]?\s*(vbscriptjscriptjavascript).encode\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>(vbscriptjscriptjavascript).Encode</td><td>似乎脚本被加密了，一般ASP文件是不会加密的。&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
CheckmyASPbackdoor:(
regEx.Pattern=\bEv&al\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>Ev&al</td><td>e&val()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ev&al(X)<br>但是javascript代码中也可以使用，有可能是误报。&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
Checkexe&cutebackdoor
regEx.Pattern=[^.]\bExe&cute\b
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>Exec&ute</td><td>e&xecute()函数可以执行任意ASP代码，被一些后门利用。其形式一般是：ex&ecute(X)。<br>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
SetregEx=Nothing

Checkincludefile
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=<!--\s*#include\s*file\s*=\s*.*
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,)+1,Len(Match.Value)-Instr(Match.Value,)-1),/,\)
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,\))&tFile,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing

Checkincludevirtual
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=<!--\s*#include\s*virtual\s*=\s*.*
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,)+1,Len(Match.Value)-Instr(Match.Value,)-1),/,\)
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Server.MapPath(\)&\&tFile,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing

CheckServer&.ExecuteTransfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=Server.(Exec&uteTransfer)([\t]*\().*
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
tFile=Replace(Mid(Match.Value,Instr(Match.Value,)+1,Len(Match.Value)-Instr(Match.Value,)-1),/,\)
IfNotCheckExt(FSOs.GetExtensionName(tFile))Then
CallScanFile(Mid(FilePath,1,InStrRev(FilePath,\))&tFile,replace(FilePath,server.MapPath(\)&\,,1,1,1))
SumFiles=SumFiles+1
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing

CheckServer&.ExecuteTransfer
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=Server.(Exec&uteTransfer)([\t]*\()[^]\)
IfregEx.Test(filetxt)Then
Report=Report&<tr><td>&temp&</td><td>Server.Exec&ute</td><td>不能跟踪检查Server.e&xecute()函数执行的文件。请管理员自行检查。<br>&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
EndIf
SetMatches=Nothing
SetregEx=Nothing

CheckCrea&teObject
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=CreateO&bject[\t]*\(.*\)
SetMatches=regEx.Execute(filetxt)
ForEachMatchinMatches
IfInstr(Match.Value,&)orInstr(Match.Value,+)orInstr(Match.Value,)=0orInstr(Match.Value,()<>InStrRev(Match.Value,()Then
Report=Report&<tr><td>&temp&</td><td>Creat&eObject</td><td>Crea&teObject函数使用了变形技术，仔细复查。&infiles&</td><td>&GetDateCreate(filepath)&<br>&GetDateModify(filepath)&</td></tr>
Sun=Sun+1
exitsub
EndIf
Next
SetMatches=Nothing
SetregEx=Nothing
endif
setofile=nothing
setfsos=nothing
EndSub

检查文件后缀，如果与预定的匹配即返回TRUE
FunctionCheckExt(FileExt)
IfDimFileExt=*ThenCheckExt=True
Ext=Split(DimFileExt,,)
Fori=0ToUbound(Ext)
IfLcase(FileExt)=Ext(i)Then
CheckExt=True
ExitFunction
EndIf
Next
EndFunction

FunctionGetDateModify(filepath)
Setfso=CreateObject(Scripting.FileSystemObject)
Setf=fso.GetFile(filepath)
s=f.DateLastModified
setf=nothing
setfso=nothing
GetDateModify=s
EndFunction

FunctionGetDateCreate(filepath)
Setfso=CreateObject(Scripting.FileSystemObject)
Setf=fso.GetFile(filepath)
s=f.DateCreated
setf=nothing
setfso=nothing
GetDateCreate=s
EndFunction

%>