How to find, remove and prevent Trojans in the Dvbbs (Mobile Network) forum


First of all, I must thank the "hackers": without them the Dvbbs forum would not have developed as fast as it has. The quotation marks are not meant to belittle them. I mean the people who are genuinely skilled, who rely on their own experience to find and use program vulnerabilities, who generally do no damage and simply enjoy the research. Personally I think their existence has pushed the technology forward rapidly. It is the great mass of "tool users" that most people are disgusted by: they break in, destroy things, proclaim themselves hackers, and are the reason hackers are hated.

Let me get straight to the point. Recently a hacker studying the Dvbbs forum code found that a check in one of its programs can be bypassed, after which the malicious code he uploads can do almost anything he wants. The vulnerability affects all versions before 7.0 SP2, and it also affects every site built with a similar program. For this vulnerability Dvbbs strongly recommends that you upgrade to the latest version immediately; the relevant address is:

http://bbs.dvbbs.net/dispbbs.asp?boardid=8&page=704362&page=1

If you have been unlucky, I will provide some simple methods for finding and removing malicious code (Trojans) from a Dvbbs forum. How well they work is proportional to how careful you are, so have some patience ready and follow along with me step by step.

As the saying goes, know yourself and know your enemy, and you will win a hundred battles. To check for Trojans you must first understand your own website's structure, and then understand the Trojan. A good website structure lets you spot illegal files quickly; a bad one will make you dizzy. Put simply: sort files into directories by category, and delete expired and test files. That topic is not today's focus; interested friends can look it up separately. Trojans are complex and varied; depending on their function they appear in many forms, and a small file can do a great deal. Checking for Trojans does not need many tools: an FTP client, the search feature built into Windows, and a text editor such as Windows Notepad are quite enough. For the FTP client I recommend FlashFXP, which has several features that help when hunting Trojans.

At 21:10:36 on 2004-5-26, Xiao Black told me that his forum homepage had been changed. I went to his website immediately and found that the forum's home page file had indeed been modified, so I asked him for his FTP account and password and logged in to FTP to take a careful look. His space holds only a Dvbbs forum. From the situation, the file had most likely been modified by a Trojan program, so I opened FlashFXP, selected Tools, and chose Find files on the FTP server (Figure 1).

Trojans are usually ASP files, so I entered *.asp as the file name and started the search (Figure 2).

After a while the results came back. I clicked the "In folder" column to sort the results by folder. Because the site uses a Dvbbs forum, its structure is quite clear: apart from the root directory and the Inc directory, no other directory should contain any ASP file. There was a suspicious file in the UploadFace directory. I then clicked "Modified time" to sort by last modification time and found that this file was the most recently modified one, which is very suspicious. Before deleting it, I selected it, chose View, and looked at its source code to confirm that it really was a Trojan. Once it is confirmed, don't hesitate: delete it! (Figure 3)

Then I remembered that IIS also maps other file types to be interpreted by asp.dll, so I searched for *.cer, *.cdx, *.asa and *.htr and deleted any such files, because the program does not use them at all. I had not expected to solve the problem in two minutes. Just as I was feeling proud of myself, I suddenly thought: what if the hacker had modified normal files to add malicious code? File contents cannot be checked over FTP; they can only be checked locally. UploadFace was already several hundred MB, which I could not download, so I simply made sure it contained no executable ASP files. There is nothing to be done about the database here. The other files were downloaded back for checking (Figure 4).

Xiao Black kept reminding me that he wanted the forum back as soon as possible. He uses the official original program, so I first deleted the old program (Figure 5), downloaded the latest Dvbbs forum 7.0 SP2, and uploaded the root directory and the directories whose files I had just deleted, without uploading the database. The forum was soon restored. He did not want to install plugins or other programs, so I turned my attention to the files I had downloaded back.

Open the Windows search function and enter *.asp in the file name field so that only *.asp files are searched. I thought of the fact that many Trojans contain the line "Language = VBScript.Encode", and the Dvbbs forum does not contain this line anywhere, so in the "containing text" field I entered "vbscript.encode" to find every ASP file containing "vbscript.encode". Sure enough, I found several (Figure 6). Of course, not every Trojan uses this line, so keep searching for other keywords to determine whether a file is a Trojan. Here is a list of keywords for reference.

The keywords I provide are not necessarily the most comprehensive. I hope experienced friends will add to them; I will update the keyword list at any time.

| Keyword | Likelihood that the file is a Trojan | Solution | Does Dvbbs contain this keyword | Dvbbs files containing it / note |
| --- | --- | --- | --- | --- |
| VBScript.Encode | 100% | Delete | No | |
| "Ocean" (keyword as translated) | 100% | Delete | No | |
| "Rice" (keyword as translated) | 100% | Delete | | |
| "Free ice point" (keyword as translated) | 100% | Delete | No | |
| 0D43FE01-F093-11CF-8940-00A0C9054228 | 100% | Delete | No | |
| 093FF999-1EA0-4079-9525-9614C3504B74 | 100% | Delete | No | |
| 72C24DD5-D70A-438B-8A42-98424B88AFB8 | 100% | Delete | No | |
| EVAL, EVAL(R | 100% | Delete | No | |
| EXECUTE REQUEST | 100% | Delete or replace | No | Usually appears as EXECUTE REQUEST("X") to run submitted code |
| EXECUTE SESSION | 100% | Delete or replace | No | Same as above |
| OpenTextFile | 100% | Delete | No | |
| WriteLine | 100% | Delete | No | |
| WSCRIPT | 100% | Delete | No | |
| Scripting.Dictionary | 100% | Delete | No | |
| 5xSoft | 100% | Delete | | |
| Request.BinaryRead | 100% | Delete | No | |
| DeleteFile | 90% | Delete or replace | Yes | admin_bbsface.asp, admin_data.asp, admin_postings.asp, admin_uploadlist.asp, admin_upUserface.asp, upfile.asp |
| MoveFile | 90% | Delete or replace | Yes | reg.asp |
| GetFile | 90% | Delete or replace | Yes | reg.asp, Showimg.asp, ViewFile.asp |
| =VBS | 90% | Delete or replace | Yes | DV_UBBCODE.ASP |

If you have administrative rights on the server, it is recommended that you also do the following: open the site's Properties, select Home Directory, click Configuration, and delete all unneeded script mappings. Usually only .asp needs to be kept; the rest can be deleted (Figure 7).

In IIS, select the UploadFace directory, open Properties, and set Execute permissions to None. Do the same for the UploadFile and PreviewImage directories; if you like, set every directory other than the Inc directory to None as well. At this point the Trojan-hunting work is finished. To summarize the methods:

1. Structure method: if you know the website structure, browsing the directories lets you quickly identify the Trojan. A file that should not be there gets deleted, whether or not it is a Trojan.

2. Time comparison method: remember when we last updated the files; any executable script modified after that time must have a problem. But be careful: the database's modification time is always the latest, so don't delete it.

3. Comparison method: I did not describe this one in detail. Essentially, keep a full backup locally and use the FTP tool's comparison function when needed.

4. Keyword search method: search for the keywords I provided; this basically identifies a Trojan.
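The structure, time-comparison and keyword methods (and the keyword table above) can be run together as one local scan over a downloaded copy of the site. The following Python is an added example, not part of the original article or of Dvbbs itself: the mini site it builds is constructed, the allowed directories, extensions, keywords, likelihoods and known-file list come from the article, and the CLSID comments are from my own knowledge.

```python
import os
import tempfile
from pathlib import Path

ASP_EXTS = {".asp", ".cer", ".cdx", ".asa", ".htr"}   # extensions IIS hands to asp.dll
ALLOWED_ASP_DIRS = {".", "inc"}                         # where Dvbbs keeps its ASP files
# keyword -> (likelihood from the article's table, Dvbbs files that legitimately use it)
KEYWORDS = {
    "vbscript.encode": (100, set()),
    "0d43fe01-f093-11cf-8940-00a0c9054228": (100, set()),   # Scripting.FileSystemObject CLSID
    "72c24dd5-d70a-438b-8a42-98424b88afb8": (100, set()),   # WScript.Shell CLSID
    "execute request": (100, set()),
    "deletefile": (90, {"admin_bbsface.asp", "admin_data.asp", "admin_postings.asp",
                        "admin_uploadlist.asp", "admin_upuserface.asp", "upfile.asp"}),
    "movefile": (90, {"reg.asp"}),
    "getfile": (90, {"reg.asp", "showimg.asp", "viewfile.asp"}),
}

def scan(root, last_deploy_ts):
    """Return {relative path: [reasons]} for script files that look planted."""
    root, findings = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in ASP_EXTS:
            continue
        rel, reasons = path.relative_to(root), []
        if rel.parent.as_posix().lower() not in ALLOWED_ASP_DIRS:   # structure method
            reasons.append(f"script in non-script directory '{rel.parent.as_posix()}'")
        if path.stat().st_mtime > last_deploy_ts:                   # time comparison method
            reasons.append("modified after last deployment")
        text = path.read_bytes().decode("latin-1").lower()          # keyword search method
        for kw, (likelihood, known) in KEYWORDS.items():
            if kw in text and rel.name.lower() not in known:        # skip known Dvbbs uses
                reasons.append(f"keyword '{kw}' ({likelihood}%)")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def run_demo():
    """Scan a constructed mini site (not real Dvbbs code): one planted file, the rest clean."""
    deploy_ts = 1_085_500_000   # constructed 'last deployment' timestamp (May 2004)
    files = {
        "inc/const.asp": '<% Const Ver = "7.0 SP2" %>',
        "admin_data.asp": '<% fso.DeleteFile backupFile %>',   # legitimate use per the table
        "uploadface/1.asp": '<%@ LANGUAGE = VBScript.Encode %><% Execute Request("x") %>',
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, body in files.items():
            p = Path(base, rel); p.parent.mkdir(parents=True, exist_ok=True); p.write_text(body)
            os.utime(p, (deploy_ts, deploy_ts + (86400 if "uploadface" in rel else -86400)))
        return scan(base, deploy_ts)
```

Point `scan()` at the directory you downloaded back and at the timestamp of your last upload; files flagged by several methods at once are the ones to open in Notepad first.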

Finally, prevention is better than cure: pay regular attention to the official website http://bbs.dvbbs.net, apply the latest patches promptly, and install as few plugins as possible, or none at all. These are the two rules for keeping your forum running normally.

Haikou Move Network Pioneer Network Technology Co., Ltd. 2004-5-26

Netizen SigPorsson added: One thing should be noted: if a Trojan really is discovered, then after dealing with it you should change every account with administrative privileges, including the forum account, the database account, the server operating system account, the FTP account, etc.

Netizen NETGUEST added: If you have code like the following: