How much do you know about the program to find ASP Trojans? Friends who are interested in ASP Trojans, please follow the editor of Foxin to check out the specific content. I hope it will be helpful to you.
Source code, save as an asp file to use:
<%@LANGUAGE=VBSCRIPTCODEPAGE=936%>
<%
'Set password
PASSWORD=security
dimReport
ifrequest.QueryString(act)=loginthen
ifrequest.Form(pwd)=PASSWORDthensession(pig)=1
endif
%>
<%IfSession(pig)<>1then%>
Password:
<%
else
ifrequest.QueryString(act)<>scanthen
%>
Fill in the path you want to check:
*The relative path to the root directory of the website, fill in/ that is, check the entire website;. It is the directory where the program is located
What are you going to do:
Check ASP Trojans
Search for files that meet the criteria
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Find content:
*If you want to find the string, just check the date if you don't fill it in.
Date of modification:
size=20>
* Use multiple dates; separate, fill in ALL on any date
File Type:
*Separate between types, * means all types
<%
else
server.ScriptTimeout=600
ifrequest.Form(path)=then
response.Write(NoHack)
response.End()
endif
ifrequest.Form(path)=/then
TmpPath=Server.MapPath(/)
elseifrequest.Form(path)=.then
TmpPath=Server.MapPath(.)
else
TmpPath=Server.MapPath(/)&/&request.Form(path)
endif
timer1=timer
Sun=0
SumFiles=0
SumFolders=1
Ifrequest.Form(radiobutton)=swsThen
DimFileExt=asp,cer,asa,cdx
CallShowAllFile(TmpPath)
Else
Ifrequest.Form(path)=orrequest.Form(Search_Date)=orrequest.Form(Search_FileExt)=Then
response.Write(The arrest conditions are not complete, I will not be able to obey my life
Please return to re-enter)
response.End()
EndIf
DimFileExt=request.Form(Search_fileExt)
CallShowAllFile2(TmpPath)
EndIf
%>
ScanWebShell--ASPSecurityForHacking
Scanning is complete! Check a total of <%=SumFolders%> files, and find suspicious points.
<%Ifrequest.Form(radiobutton)=swsThen%>
File relative path
Feature Code
describe
Creation/modification time
<%else%>
File relative path
File creation time
Modification time
<%endif%>
<%=Report%>
<%
timer2=timer
thetime=cstr(int(((timer2-timer1)*10000)+0.5)/10)
response.write
This page has been executed in a shared &thetime&ms
endif
endif
%>
This program is taken from the ASP Trojan search and suspicious file search functions of Leiketu ASP webmaster security assistant
poweredbylake2(Build20060615)
<%
'Travel over and process all files of the path and its subdirectories
SubShowAllFile(Path)
SetFSO=CreateObject(Scripting.FileSystemObject)
ifnotfso.FolderExists(path)thenexitsub
Setf=FSO.GetFolder(Path)
Setfc2=f.files
ForEachmyfileinfc2
IfCheckExt(FSO.GetExtensionName(path&/&myfile.name)) Then
CallScanFile(Path&Temp&/&myfile.name,)
SumFiles=SumFiles+1
EndIf
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&/&f1.name
SumFolders=SumFolders+1
Next
SetFSO=Nothing
EndSub
'Detection file
SubScanFile(FilePath,InFile)
IfInFile<>Then
Infiles=This file is executed by &InFile& file containing
EndIf
SetFSOs=CreateObject(Scripting.FileSystemObject)
onerrorresumenext
setofile=fsos.OpenTextFile(FilePath)
filetxt=Lcase(ofile.readall())
IferrThenExitSubendif
iflen(filetxt)>0then
'Feature code check
filetxt=vbcrlf&filetxt
temp=&replace(FilePath,server.MapPath(/)&/,,1,1,1)&
'CheckWScr&DoMyBest&ipt.Shell
Ifinstr(filetxt,Lcase(WScr&DoMyBest&ipt.Shell)) orInstr(filetxt,Lcase(clsid:72C24DD5-D70A&DoMyBest&-438B-8A42-98424B88AFB8))then
Report=Report&&temp&WScr&DoMyBest&ipt.Shell or clsid:72C24DD5-D70A&DoMyBest&-438B-8A42-98424B88AFB8 hazardous components are generally used by ASP Trojans&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
Endif
'CheckShe&DoMyBest&ll.Application
Ifinstr(filetxt,Lcase(She&DoMyBest&ll.Application)) orInstr(filetxt,Lcase(clsid:13709620-C27&DoMyBest&9-11CE-A49E-444553540000))then
Report=Report&&temp&She&DoMyBest&ll.Application or clsid:13709620-C27&DoMyBest&9-11CE-A49E-444553540000 Dangerous components, generally used by ASP Trojans&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'Check.Encode
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=/bLANGUAGE/s*=/s*[]?/s*(vbscript|jscript|javascript).encode/b
IfregEx.Test(filetxt)Then
Report=Report&&temp&(vbscript|jscript|javascript).Encode seems to be encrypted&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'CheckmyASPbackdoor:(
regEx.Pattern=/bEv&al/b
IfregEx.Test(filetxt)Then
Report=Report&&temp&Ev&ale&val() function can execute any ASP code and is used by some backdoors. Its form is generally: ev&al(X)
But it can also be used in javascript code, which may be false positives. &infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'Checkexe&cutebackdoor
regEx.Pattern=[^.]/bExe&cute/b
IfregEx.Test(filetxt)Then
Report=Report&&temp&Exec&ute&xecute() function can execute any ASP code and is used by some backdoors. Its form is generally: ex&ecute(X)
&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
'Check.Create&TextFileand.OpenText&File
regEx.Pattern=/.(Open|Create)TextFile/b
IfregEx.Test(filetxt)Then
Report=Report&&temp&.CreateTextFile|.OpenTextFile uses FSO's CreateTextFile|OpenTextFile function to read and write files&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'Check.SaveT&oFile
regEx.Pattern=/.SaveToFile/b
IfregEx.Test(filetxt)Then
Report=Report&&temp&.SaveToFile uses Stream's SaveToFile function to write files&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'Check.&Save
regEx.Pattern=/.Save/b
IfregEx.Test(filetxt)Then
Report=Report&&temp&.Save uses the XMLHTTP Save function to write files&infiles&&GetDateCreate(filepath)&
&GetDateModify(filepath)&
Sun=Sun+1
EndIf
'-----------------------------------------------------------------------------------------------------------------------------
SetregEx=Nothing
'Checkincludefile
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=
The above is the program for finding ASP Trojans. Have you learned it?