当前位置: 首页 > 图文教程 > 网络编程 > ASP > 淘特ASP木马扫描器的代码

ASP
提高SQL的执行效率的ASP的五种做法
asp的offset的一个go to page
asp中command的在单条记录时,有些字段显示为空的问题
asp,php一句话木马整理方便查找木马
asp 合并记录集并删除的sql语句
asp下循环一行多少个
asp循环行数输出函数
asp access重新开始编号
ASP生成数字相加求和的BMP图片验证码
静态页面利用JS读取cookies记住用户信息
比较详细的Asp伪静态化方法及Asp静态化探讨
asp Response.flush 实时显示进度
Asp高级故障解决以及相关代码
asp智能脏话过滤系统v1.0
ASP文件中的安全问题
Access数据库中“所有记录中均未找到搜索关键字”的解决方法
asp两组字符串数据比较合并相同数据
asp MYSQL出现问号乱码的解决方法
asp文章中随机插入网站版权文字的实现代码
ASP利用XMLHTTP实现表单提交以及cookies的发送的代码

淘特ASP木马扫描器的代码


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-12   浏览: 91 ::
收藏到网摘: n/a

+-----------------+
|淘特ASP木马扫描器|
+-----------------+
  本程序可以扫描服务器上的所有指定类型(asp,cer,asa,cdx)的文件,查出可疑的木马程序。系统采用扫描程序与病毒库分离的形式,
以后升级只需像杀毒软件那样升级病毒库就可以了。目前可以查杀所有流行的ASP木马程序。
  系统提供了全站扫描、按文件夹和指定文件扫描三种扫描方式,如果网站文件比较少的话,推荐使用"全站扫描",如果文件比较多,推荐
使用按文件夹扫描。扫描过程,系统会记录被扫描过的文件列表,同时对怀疑是木马程序的文件以列表的形式展现,为了便于比较最近有可能
被上传过ASP木马程序,系统特别对当前时间7日内修改、创建的文件以加红显示;系统会对怀疑是木马的文件作出"级别"判断,并加以颜色区分
;建议对级别为"一般"的程序作手动检查后,再作处理,对级别为"严重"的文件,可以点击"文件名称"下的文件链接,一般打开后木马程序都会
有一个登录提示,这时就点击"文件名称"下的"删除"链接,直接将文件从服务器中删除即可。如果担心会误删除,可以先点击"下载"将文件备份。
使用方法:
将本程序解压后的文件上传至服务器中。执行:http://你的网址/scan.asp
+-----------------+
|登录密码:totscan|
+-----------------+
virus_lib.asp
复制代码 代码如下:

<%
dim virus(1,7),virus_Regx(1,4)
'定义木马组件
virus(0,0)="WScript"
virus(1,0)="级别:<font color=""green"">严重!</font><br>WScript 多为木马关键字"
virus(0,1)="Shell"
virus(1,1)="级别:<font color=""green"">严重!</font><br>Shell 多为木马关键字"
virus(0,2)="Shell.Application"
virus(1,2)="级别:<font color=""green"">严重!</font><br>asp 组件,一般多为木马所用"
'海阳组件
virus(0,3)="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"
virus(1,3)="级别:<font color=""green"">严重!</font><br>asp WScript 组件,一般多为木马所用"
virus(0,4)="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
virus(1,4)="级别:<font color=""green"">严重!</font><br>asp wscript 组件,一般多为木马所用"
virus(0,5)="clsid:093FF999-1EA0-4079-9525-9614C3504B74"
virus(1,5)="级别:<font color=""green"">严重!</font><br>asp net 组件,一般多为木马所用"
virus(0,6)="clsid:F935DC26-1CF0-11D0-ADB9-00C04FD58A0B"
virus(1,6)="级别:<font color=""green"">严重!</font><br>asp net 组件,一般多为木马所用"
virus(0,7)="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"
virus(1,7)="级别:<font color=""green"">严重!</font><br>asp fso 组件,一般多为木马所用"
'定义木马关键字
virus_Regx(0,0)="@\s*LANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
virus_Regx(1,0)="级别:<font color=""green"">严重!</font><br>脚本被加密了,一般ASP文件是不会加密的。"
virus_Regx(0,1)="\bEval\b"
virus_Regx(1,1)="级别:<font color=""gray"">一般!</font><br>eval()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)<br>但是javascript代码中也可以使用,有可能是误报。"
virus_Regx(0,2)="[^.]\bExecute\b"
virus_Regx(1,2)="级别:<font color=""gray"">一般!</font><br>execute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)。"
virus_Regx(0,3)="Server.(Execute|Transfer)([ \t]*|\()[^""]\)"
virus_Regx(1,3)="级别:<font color=""gray"">一般!</font><br>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查。"
virus_Regx(0,4)="CreateObject[ |\t]*\(.*\)$[^adodb.recordset]"
virus_Regx(1,4)="级别:<font color=""gray"">一般!</font><br>Crea"&"teObject函数使用了变形技术,仔细复查"
%>

scan.asp
复制代码 代码如下:

<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="virus_lib.asp"-->
<%
server.ScriptTimeout =90000
dim act
act=request.QueryString("act")
Const PASSWORD = "totscan"
if act="login" then
if request.Form("pwd") = PASSWORD then session("login")="ok"
end if
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Asp木马扫描器</title>
<script language="JavaScript" type="text/JavaScript">
function ConfirmDel()
{
if(confirm("确认删除?并且不能恢复!"))
return true;
else
return false;
}
</script>
</head>
<body>
<div align="center"><h2>Asp木马扫描器</h2></div>
<hr>
<%
If Session("login") <> "ok" then
call LoginForm()
else
dim pathStr
if request("path")<>"" then
pathStr=request("path")
else
pathStr=server.MapPath("/")
end if
response.Write("<a href=""javascript:history.back();"">←返回</a><br>"&Chr(10))
if act="scan" then
dim ScanFileType,Suspect,ScanFileNum,ScanFolderNum,BeginTime,EndTime,TmpPath,Report
ScanFileType = "asp,cer,asa,cdx"
Suspect = 0
ScanFileNum = 0
ScanFolderNum =0
BeginTime = timer
response.Write("<textarea name=""textarea"" style=""width:100%"" rows=""5"">"&Chr(10))
response.Write("扫描日志:"&vbcrlf)
if(request.QueryString("file")<>"") then
Call ScanFile(request.QueryString("file"),"")
else
Call ScanFolder(pathStr)
end if
response.Write("</textarea>")
Call ShowResult()
EndTime = timer
response.write "<br><font size=""2"">执行时间:"&cstr(int(((EndTime-BeginTime)*10000 )+0.5)/10)&"毫秒</font>"
elseif act="del" then
Call DelFile(request.QueryString("file"))
response.Write("<br><a href="""&request.ServerVariables("HTTP_REFERER")&""">返回</a>")
elseif act="down" then
Call Download(request.QueryString("file"))
else
call FileList(pathStr)
call ScanForm()
end if
end if
%>
<hr>
</body>
</html>
<%
Sub LoginForm
%>
<form name="form1" method="post" action="?act=login">
<div align="center">Password:
<input name="pwd" type="password" size="15">
<input type="submit" name="Submit" value="提交">
</div>
</form>
<%
end Sub
Sub ScanForm
%>
<form action="?act=scan" method="post">
<input type="submit" value=" 全站扫描 " style="background:#fff;border:1px solid #999;padding:2px 2px 0px 2px;margin:4px;border-width:1px 3px 1px 3px" />
</form>
<%
end sub
'遍历处理path及其子目录所有文件
Sub FileList(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set folders = FSO.GetFolder(Path)'目录下所有对象
Set files = folders.files
Set subfolders = folders.SubFolders
'列表文件夹
For Each fl in subfolders
response.Write("<a href=""?path="&Path&"\"&fl.name&"""><img src=""/upload/tech/20091012/20091012011936_31fefc0e570cb3860f2a6d4b38c6490d.gif"" border=""0"">"&fl.name&"</a>"&Chr(10))
response.Write("<a href=""?act=scan&path="&Path&"\"&fl.name&""">扫描</a><br>"&Chr(10))
Next
'列表文件
For Each file_f in files
response.Write("<img src=""/upload/tech/20091012/20091012011936_ad61ab143223efbc24c7d2583be69251.gif"">"&file_f.name&""&Chr(10))
response.Write("<a href=""?act=scan&file="&Path&"\"&file_f.name&""">扫描</a><br>"&Chr(10))
Next
set folders=nothing
set files=nothing
set subfolders=nothing
Set FSO = Nothing
End Sub
Sub ShowResult
%>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="CContent">
<tr>
<td class="CPanel" style="padding:5px;line-height:170%;clear:both;font-size:12px">
扫描完毕!一共检查文件夹<font color="#FF0000"><%=ScanFolderNum%></font>个,文件<font color="#FF0000"><%=ScanFileNum%></font>个,发现可疑点<font color="#FF0000"><%=Suspect%></font>个
</td></tr></table>
<table width="100%" border="0" cellpadding="0" cellspacing="1" style="padding:5px; background-color:#666666;line-height:18px;clear:both;font-size:12px">
<tr>
<td width="30%" bgcolor="#FFFFFF">文件名称</td>
<td width="20%" bgcolor="#FFFFFF">特征码</td>
<td width="30%" bgcolor="#FFFFFF">描述</td>
<td width="20%" bgcolor="#FFFFFF">创建/修改时间</td>
</tr>
<p>
<%=Report%>
<br/>
</p>
</table>
<%
end Sub
'遍历处理path及其子目录所有文件
Sub ScanFolder(Path)
dim folders,files,subfolders
ScanFolderNum = ScanFolderNum + 1
Set FSO = CreateObject("Scripting.FileSystemObject")
if not fso.FolderExists(path) then exit sub
Set folders = FSO.GetFolder(Path)
Set files = folders.files
For Each myfile in files
If CheckExt(FSO.GetExtensionName(path&"\"&myfile.name)) Then
Call ScanFile(Path&"\"&myfile.name, "")
End If
Next
Set subfolders = folders.SubFolders
For Each f1 in subfolders
ScanFolder path&"\"&f1.name
Next
set folders=nothing
set files=nothing
set subfolders=nothing
Set FSO = Nothing
End Sub
'检测文件
Sub ScanFile(FilePath, InFile)
dim FSOs,ofile,filetxt,fileUri,vi
ScanFileNum = ScanFileNum + 1
response.Write("扫描文件:"&FilePath&vbcrlf)
response.Flush()
If InFile <> "" Then
Infiles = "该文件被<a href=""http://"&Request.Servervariables("server_name")&"\"&InFile&""" target=_blank>"& InFile & "</a>文件包含执行"
End If
Set FSOs = CreateObject("Scripting.FileSystemObject")
on error resume next
set ofile = fsos.OpenTextFile(FilePath)
filetxt = Lcase(ofile.readall())
If err Then Exit Sub end if
if len(filetxt)>0 then
'特征码检查
fileUri = "<a href=""http://"&Request.Servervariables("server_name")&":"&Request.ServerVariables("SERVER_PORT")&"\"&replace(FilePath,server.MapPath("\")&"\","",1,1,1)&""" target=_blank>"&replace(FilePath,server.MapPath("\")&"\","",1,1,1)&"</a><br>"
fileUri=fileUri&"操作: <a href=""?act=del&file="&FilePath&""" onClick=""return ConfirmDel()"">删除</a>"
fileUri=fileUri&" <a href=""?act=down&file="&FilePath&""">下载</a>"
for vi=0 to ubound(virus,2)
If instr(filetxt, Lcase(virus(0,vi))) then
Report = Report&"<tr bgcolor=""#FFFFFF""><td>"&fileUri&"</td><td>"&virus(0,vi)&"</td><td>"&virus(1,vi)&infiles&"</td><td>创建:"&GetDateCreate(filepath)&"<br>修改:"&GetDateModify(filepath)&"</td></tr>"
Suspect = Suspect + 1
End if
next
for vi=0 to ubound(virus_Regx,2)
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = virus_Regx(0,vi)
If regEx.Test(filetxt) Then
Report = Report&"<tr bgcolor=""#FFFFFF""><td>"&fileUri&"</td><td>"&virus_Regx(0,vi)&"</td><td>"&virus_Regx(1,vi)&infiles&"</td><td>创建:"&GetDateCreate(filepath)&"<br>修改:"&GetDateModify(filepath)&"</td></tr>"
Suspect = Suspect + 1
End If
next
'Check include file
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "<!--\s*#include\s*file\s*=\s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, replace(FilePath,server.MapPath("\")&"\","",1,1,1) )
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check include virtual
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "<!--\s*#include\s*virtual\s*=\s*"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Server.MapPath("\")&"\"&tFile, replace(FilePath,server.MapPath("\")&"\","",1,1,1) )
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ \t]*|\()"".*"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, replace(FilePath,server.MapPath("\")&"\","",1,1,1) )
End If
Next
Set Matches = Nothing
Set regEx = Nothing

end if
set ofile = nothing
set fsos = nothing
End Sub
'检查文件后缀,如果与预定的匹配即返回TRUE
Function CheckExt(FileExt)
If ScanFileType = "*" Then CheckExt = True
Ext = Split(ScanFileType,",")
For i = 0 To Ubound(Ext)
If Lcase(FileExt) = Ext(i) Then
CheckExt = True
Exit Function
End If
Next
End Function
'删除文件
Sub DelFile(FilePath)
Set fso = Server.CreateObject("Scripting.FileSystemObject")
if fso.FileExists(FilePath) then
fso.DeleteFile(FilePath)
Response.Write("<h2>成功删除文件:</h2>" &FilePath)
else
response.Write("<h2>删除失败!文件:"&FilePath&"没有找到!</2>")
end if
set fso=nothing
end Sub
'下载文件
sub Download(FilePath)
dim oStream
Set FSO = Server.CreateObject("Scripting.FileSystemObject")
if FSO.FileExists(FilePath) then
set oStream=Server.CreateObject("ADODB.Stream")
oStream.Type=1
oStream.Open
on error resume next
oStream.LoadFromFile(FilePath)
if Err.Number=0 then
Response.AddHeader "Content-Disposition", "attachment; filename=" & FSO.GetFileName(FilePath)
Response.AddHeader "Content-Length", oStream.Size
Response.ContentType="bad/type" 'yeu cau ie hien hop thoai save-as
Response.BinaryWrite oStream.Read
end if
oStream.Close
set oStream=nothing
end if
set FSO=nothing
end sub
Function GetDateModify(filepath)
dim s,days
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateLastModified
set f = nothing
set fso = nothing
days=DateDiff("d",Cdate(s),now())
if(days>-7 and days<7) then
s="<font color=""red"">"&s&"</font>"
end if
GetDateModify = s
End Function
Function GetDateCreate(filepath)
dim s,days
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateCreated
set f = nothing
set fso = nothing
days=DateDiff("d",Cdate(s),now())
if(days>-7 and days<7) then
s="<font color=""red"">"&s&"</font>"
end if
GetDateCreate = s
End Function
%>