
雷客图 Webmaster Security Assistant, VBS edition (ASP trojan finder)

8 December 2017  | 移动技术网 IT Programming


Both scripts are run from the command line.
antiiframe.vbs

# This script is the reverse of a bulk iframe-injection (挂马) program: it removes malicious code that was appended to files in bulk. Open it in Notepad to edit the pattern parameter, which names the files to process, separated by | (VBS regular expressions are also accepted). Because the script modifies files, use it with care (back the files up first).
# Usage: cscript antiiframe.vbs [path to process] [file containing the content to remove]
# Example: cscript antiiframe.vbs d:\web d:\lake2.txt
----------------------------
scan.vbs

# This script scans for ASP trojans locally and is much faster than the ASP version. False positives and misses are possible; judge each finding on its merits.
# Usage: cscript scan.vbs [scan path] [path of the result .htm file]
# Example: cscript scan.vbs d:\web f:\my\report.html

scan.vbs
The code is as follows:

'-----------------------
'scan asp webshell in vbs
'author: lake2 (http://lake2.0x54.org)
'date: 2007-7-29
'version: 1.1
'-----------------------

'file extensions to scan, comma-separated; "*" scans every file
dimfileext = "asp,cer,asa,cdx"
dim report, report2, sun, sumfiles, sumfolders

call showinfo()
if wscript.arguments.count = 2 then
    sun = 0
    sumfiles = 0
    sumfolders = 1
    if right(wscript.arguments.item(0),1) = "\" then
        thepath = mid(wscript.arguments.item(0),1,len(wscript.arguments.item(0))-1)
    else
        thepath = wscript.arguments.item(0)
    end if
    call checkarg(thepath)
    wscript.echo "开始扫描,请稍候……"
    wscript.sleep(1000)
    starttime = now()
    call showallfile(thepath)
    endtime = now()
    wscript.echo vbcrlf & "扫描完成!" & vbcrlf
    report2 = report2 & "<html><head><title>雷客图 asp 站长安全助手vbs版扫描报告</title>"
    report2 = report2 & "<meta http-equiv=""content-type"" content=""text/html; charset=gb2312""></head>"
    report2 = report2 & "<body><b><font size=4>雷客图 asp 站长安全助手vbs版扫描报告</font></b><br><br>"
    report2 = report2 & "<font size=2>开始时间:"&starttime&"</font><br>"
    report2 = report2 & "<font size=2>结束时间:"&endtime&"</font><br>"
    report2 = report2 & "<font size=2>扫描完毕!一共检查文件夹<font color=""#ff0000"">"&sumfolders&"</font>个,文件<font color=""#ff0000"">"&sumfiles&"</font>个,发现可疑点<font color=""#ff0000"">"&sun&"</font>个(<font color=""#ff0000"">红字</font>显示的为严重可疑)</font><br/>"
    report2 = report2 & "<table width=""100%"" border=""1"" bordercolor=""blue"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
    report2 = report2 & "<tr>"
    report2 = report2 & "<td width=""20%"">文件路径</td>"
    report2 = report2 & "<td width=""20%"">特征码</td>"
    report2 = report2 & "<td width=""40%"">描述</td>"
    report2 = report2 & "<td width=""20%"">创建/修改时间</td>"
    report2 = report2 & "</tr>"
    report2 = report2 & "<p>"
    report2 = report2 & report
    report2 = report2 & "</p>"
    report2 = report2 & "</table><hr><script src=http://www.0x54.org/announce.js></script>"
    report2 = report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank>0x54.org</a></div>"
    report2 = report2 & "</body></html>"
    call writetofile()
else
    call showhelp()
end if

sub showinfo()
    helpstr = helpstr & "==============================" & vbcrlf
    helpstr = helpstr & "===== 欢迎使用雷客图 asp 站长安全助手vbs版 =====" & vbcrlf
    helpstr = helpstr & "===== 之 检查asp木马 =====" & vbcrlf
    helpstr = helpstr & "===== author: lake2 =====" & vbcrlf
    helpstr = helpstr & "===== email:lake2@mail.csdn.net =====" & vbcrlf
    helpstr = helpstr & "===== 欢迎访问 www.0x54.org 得到更多信息 =====" & vbcrlf
    helpstr = helpstr & "==============================" & vbcrlf
    helpstr = helpstr & vbcrlf
    wscript.echo helpstr
end sub

sub showhelp()
    helpstr = helpstr & "#用法: cscript scan.vbs [扫描路径] [结果htm文件路径]" & vbcrlf
    helpstr = helpstr & "#例子: cscript scan.vbs d:\web f:\my\report.html" & vbcrlf
    helpstr = helpstr & vbcrlf
    wscript.echo helpstr
end sub

sub checkarg(arg)
    tmppath = arg
    tmppath2 = left(wscript.arguments.item(1), instrrev(wscript.arguments.item(1),"\")-1)
    set objfso = wscript.createobject ("scripting.filesystemobject")
    if not objfso.folderexists(tmppath2) then
        wscript.echo "error:错误的路径“" & tmppath2 & "”!"
        wscript.quit
    elseif not objfso.folderexists(tmppath) then
        wscript.echo "error:错误的路径“" & tmppath & "”!"
        wscript.quit    
    end if
    set objfso = nothing
end sub

'walk path and all of its subdirectories, scanning every file with a listed extension
sub showallfile(path)
    wscript.echo "正在检查目录" & path
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfolder(path)
    set fc2 = f.files
    for each myfile in fc2
        if checkext(fso.getextensionname(path&"\"&myfile.name)) then
            'wscript.echo "checking file " & path&"\"&myfile.name
            call scanfile(path&"\"&myfile.name, "")
            sumfiles = sumfiles + 1
        end if
    next
    set fc = f.subfolders
    for each f1 in fc
        showallfile path&"\"&f1.name
        sumfolders = sumfolders + 1
    next
    set fso = nothing
end sub

'check the file extension; returns true when it matches one of the configured extensions
function checkext(fileext)
    if dimfileext = "*" then checkext = true
    ext = split(dimfileext,",")
    for i = 0 to ubound(ext)
        if lcase(fileext) = ext(i) then
            checkext = true
            exit function
        end if
    next
end function

'scan one file; infile is the path of the file that includes it (empty when scanned directly)
sub scanfile(filepath, infile)
    if infile <> "" then
        infiles = "<font color=red>该文件被"& infile & "文件包含执行</font>"
    end if
    temp = filepath
    on error resume next
    set tstream = wscript.createobject("adodb.stream")
    tstream.type = 1
    tstream.mode = 3
    tstream.open
    tstream.position=0
    tstream.loadfromfile filepath
    if err.number <> 0 then exit sub    'unreadable file (e.g. a missing include target): skip it
    tstream.type = 2
    tstream.charset = "gb2312"
    do until tstream.eos
        filetxt = filetxt & lcase(replace(tstream.readtext(102400), chr(0), ""))
    loop
    tstream.close()
    set tstream = nothing

    set fsos = wscript.createobject("scripting.filesystemobject")    
    if len(filetxt) >0 then
        'signature checks
        'the signature strings are split with the empty variables domybest and jj so that
        'this script does not flag its own source when it is scanned
        filetxt = vbcrlf & filetxt
            'check "wscr"&domybest&"ipt.shell"
            if instr( filetxt, lcase("wscr"&domybest&"ipt.shell") ) or instr( filetxt, lcase("clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8") ) then
                report = report&"<tr><td>"&temp&"</td><td>wscr"&domybest&"ipt.shell 或者 clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8</td><td><font color=red>危险组件,一般被asp木马利用</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check "she"&domybest&"ll.application"
            if instr( filetxt, lcase("she"&domybest&"ll.application") ) or instr( filetxt, lcase("clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000") ) then
                report = report&"<tr><td>"&temp&"</td><td>she"&domybest&"ll.application 或者 clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000</td><td><font color=red>危险组件,一般被asp木马利用</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .encode
            set regex = new regexp
            regex.ignorecase = true
            regex.global = true
            regex.pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).encode</td><td><font color=red>似乎脚本被加密了,一般asp文件是不会加密的</font>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check my asp backdoor :(
            regex.pattern = "\bev"&"al\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>ev"&"al</td><td>e"&"val()函数可以执行任意asp代码,被一些后门利用。其形式一般是:ev"&"al(x)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check exe&cute backdoor
            regex.pattern = "[^.]\bexe"&"cute(global)?\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>exec"&"ute()或者exe"&"cuteglobal()</td><td><font color=red>该函数可以执行任意asp代码,被一些后门利用。其形式一般是:ex"&"ecute(x)</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check script.control
            regex.pattern = "\.execu"&"testatement\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.exec"&"utestatement</td><td><font color=red>发现msscriptcontrol.scriptcontrol的.execut"&"estatement函数</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .(open|create)textfile
            regex.pattern = "\.(open|create)textfile\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.crea"&"tetextfile|.o"&"pentextfile</td><td>使用了fso的createtextfile|opentextfile函数读写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .savet&ofile
            regex.pattern = "\.savet"&"ofile\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.sa"&"vetofile</td><td>使用了stream或者jmail的savetofile函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .&save|.&saveas
            regex.pattern = "\.sa"&"ve(as)?\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.sa"&"ve或者.sa"&"veas</td><td>使用了save或saveas函数写文件"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check set server
            regex.pattern = "set\s*.*\s*=\s*server\s"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>set xxx=se"&"rver</td><td><font color=red>发现set xxx=ser" & jj & "ver,请管理员仔细检查是否调用.execute</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check server.(transfer|ex&ecute)
            regex.pattern = "server.(ex"&"ecute|transfer)([ \t]*|\()[^""]\)"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>server.ex"&"ecute</td><td><font color=red>不能跟踪检查server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .ru&n
            regex.pattern = "\.r"&"un\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.ru"&"n</td><td><font color=red>发现 wscript 的 run 函数</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .exe&c
            regex.pattern = "\.ex"&"ec\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.ex"&"ec</td><td><font color=red>发现 wscript 的 exec 函数</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .shel&lexecute
            regex.pattern = "\.shel"&"lexecute\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.shelle"&"xecute</td><td><font color=red>发现 application 的 shellexecute 函数</font><br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            'check .&create
            regex.pattern = "\.cre"&"ate\b"
            if regex.test(filetxt) then
                report = report&"<tr><td>"&temp&"</td><td>.crea"&"te</td><td>发现 create 函数<br>"&infiles&"</td><td>"&getdatecreate(filepath)&"<br>"&getdatemodify(filepath)&"</td></tr>"
                sun = sun + 1
            end if
            set regex = nothing

        
        'check include file not with "&'
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "<!--\s*#include\s+(file|virtual)\s*=\s*.*-->"
        set matches = regex.execute(filetxt)
        for each match in matches
            tfile = replace(trim(mid(match.value, instr(match.value, "=") + 1, len(match.value) - instr(match.value, "=") - 1)),"/","\")
            if left(tfile, 1)="'" then
                tfile = mid(tfile, 2, instr(2, tfile, "'", 1) - 2)
            elseif left(tfile, 1)="""" then
                tfile = mid(tfile, 2, instr(2, tfile, """", 1) - 2)
            else
                tfile = replace(tfile, chr(9), " ")
                if instr(tfile, " ") <> 0 then
                    tfile = left(tfile, instr( tfile, " ") - 1)
                else
                    tfile = left(tfile, instr( tfile, "-") - 1)
                end if
            end if
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tfile, filepath)
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        'check server&.execute|transfer
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "server.(exec"&"ute|transfer)([ \t]*|\()"".*?"""
        set matches = regex.execute(filetxt)
        for each match in matches
            tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1),"/","\")
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tfile, filepath)
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        'check runatscript
        set xregex = new regexp
        xregex.ignorecase = true
        xregex.global = true
        xregex.pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
        set xmatches = xregex.execute(filetxt)
        for each match in xmatches
            tmplake2 = mid(match.value, 1, instr(match.value, ">"))
            srcseek = instr(1, tmplake2, "src", 1)
            if srcseek > 0 then
                srcseek2 = instr(srcseek, tmplake2, "=")
                for i = 1 to 50
                    tmp = mid(tmplake2, srcseek2 + i, 1)
                    if tmp <> " " and tmp <> chr(9) and tmp <> vbcrlf then
                        exit for
                    end if
                next
                if tmp = """" then
                    tmpname = mid(tmplake2, srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 - i - 1)
                else
                    if instr(srcseek2 + i + 1, tmplake2, " ") > 0 then tmpname = mid(tmplake2, srcseek2 + i, instr(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i) else tmpname = tmplake2
                    if instr(tmpname, chr(9)) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
                    if instr(tmpname, vbcrlf) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcrlf) - 1)
                    if instr(tmpname, ">") > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
                end if
                call scanfile( mid(filepath,1,instrrev(filepath,"\"))&tmpname , filepath)
                sumfiles = sumfiles + 1
            end if
        next
        set xmatches = nothing
        set xregex = nothing

    end if
    set fsos = nothing

end sub

function getdatemodify(filepath)
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfile(filepath)
    s = f.datelastmodified
    set f = nothing
    set fso = nothing
    getdatemodify = s
end function

function getdatecreate(filepath)
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfile(filepath)
    s = f.datecreated
    set f = nothing
    set fso = nothing
    getdatecreate = s
end function

sub writetofile()
    set fso = createobject("scripting.filesystemobject")
    set thefile = fso.opentextfile(wscript.arguments.item(1), 2, true)
    thefile.write(report2)
    thefile.close
    set fso = nothing
    wscript.echo "扫描结果已经写入文件“"&wscript.arguments.item(1)&"”,请查看之!"
end sub
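To show what the signature checks in scanfile() actually flag, here is the rule set and the include-following logic ported to Python and run over a small constructed web root. This is an added example, not the project's code: the sample files, the rule labels and the scan_tree helper are assumptions of this port, and dots in the patterns are escaped where the original clearly means a literal dot.

```python
import re, posixpath

EXTS = ("asp", "cer", "asa", "cdx")   # extensions scan.vbs checks (its dimfileext)
# scan.vbs rules ported to Python (added example, not the project's code): (label, regex, severe).
# Text is lower-cased before matching as in the VBS, so patterns are lower-case; dots escaped.
RULES = [
    ("wscript.shell", r"wscript\.shell|clsid:72c24dd5-d70a-438b-8a42-98424b88afb8", True),
    ("shell.application", r"shell\.application|clsid:13709620-c279-11ce-a49e-444553540000", True),
    ("encoded script", r"\blanguage\s*=\s*\"?\s*(vbscript|jscript|javascript)\.encode\b", True),
    ("eval", r"\beval\b", False),                    # legal in client-side JS: possible false positive
    ("execute", r"[^.]\bexecute(global)?\b", True),  # [^.] skips obj.execute such as ADO conn.execute
    ("executestatement", r"\.executestatement\b", True),
    ("open/createtextfile", r"\.(open|create)textfile\b", False),
    ("savetofile", r"\.savetofile\b", False),
    ("save/saveas", r"\.save(as)?\b", False),
    ("set x=server", r"set\s*.*\s*=\s*server\s", True),
    ("run", r"\.run\b", True),
    ("exec", r"\.exec\b", True),
    ("shellexecute", r"\.shellexecute\b", True),
    ("create", r"\.create\b", False),
]
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(?:file|virtual)\s*=\s*["\']?([^"\'\s>]+?)["\']?\s*-->', re.I)

def scan_text(text):
    """Return [(label, severe)] for every rule that fires on one file's content."""
    low = "\n" + text.lower().replace("\0", "")   # mirror scanfile(): drop NULs, prepend newline
    return [(label, severe) for label, pat, severe in RULES if re.search(pat, low)]

def scan_tree(files):
    """Scan {posix path: content} like scan.vbs, following #include into files the walk skips."""
    results = {}                                  # path -> (hits, path of the including file)
    def scan_file(path, included_by):
        text = files.get(path)
        if text is None: return                   # missing include target: scan.vbs skips it too
        results[path] = (scan_text(text), included_by)
        for target in INCLUDE_RE.findall(text):
            target = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
            if target.rsplit(".", 1)[-1].lower() not in EXTS:   # .asp includes are walked anyway
                scan_file(target, path)
    for path in files:
        if path.rsplit(".", 1)[-1].lower() in EXTS:
            scan_file(path, None)
    return results

SAMPLE = {  # constructed web root: clean page, included helper, encoded page, JS false positive
    "default.asp": '<!--#include file="lib/util.inc"-->\n<% set rs = conn.execute(sql) %>',
    "lib/util.inc": '<% set o = server.createobject("wscript.shell") %>',
    "upload.asp": '<script language="vbscript.encode" runat="server">execute(x)</script>',
    "js/menu.asp": '<script type="text/javascript">var v = eval(json);</script>',
}
```

Two details worth noticing when reading the results: the `set x=server` pattern demands whitespace after `server`, so `server.createobject(...)` alone does not fire it (the wscript.shell rule catches that file instead), and `[^.]` keeps an ADO `conn.execute` out of the execute rule while a bare `execute(x)` still fires.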


Because there is a lot of code, the scripts have been packaged for download so that everyone can study and use them.
