贴心猫(imcat) v5.4 --- 极轻、极简通用PHP网站系统!
扫描木马的vbs --- 用于扫描网站中的木马、病毒程序
''本程序可以直接双击,主要作用是扫描网站中的木马、病毒程序,发现后会对其自动更名为xxx.w3bak,或将指定的内容替换为空。
''
''2011-7-19
On Error Resume Next
Dim ScanType,FolderPath,fso,virCode,isScanSub,logfile
Set fso=createobject("scripting.filesystemobject")
Set objShell = CreateObject("Shell.Application")
set WshShell = CreateObject("wscript.Shell"):init
S_MixSize = 0 : S_MaxSize = 200 ''扫描文件大写限制
Dim iframeCode(20) ''这个表示替换为空的部分,自己可添
iframeCode(0)=""
iframeCode(1)=" "
''病毒特征码,用|分隔。
virCodes =chr(17) & chr(32) & chr(1) & "|DZNHkqNIAADv85HpDg4tTGFidrYDCRBOOOEvG|):EvaL(|批量挂马|桂林老兵|专用ASP小马|后门名字|Serv-u提权|海阳顶端网|清马路径|批量清马|" & _
"89625866|执行CMD命令|72C24DD5-D70A-438B-8A42-98424B88AFB8|13709620-C279-11CE-A49E-444553540000|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B|限权升提|门后入插|写入注" &_
"册表健值成功|php eval($_POST|马挂定指|round($packets/$exec_time|血腥DDOS|oooo0o00o0o0o0o0o0o0o00000o0o0o0o0o0oo0o0o0o0o0oo0"
ScanType =".asa/.asp/.html/.aspx/.php/.cgi/.pl" ''扫描的文件类型。
isScanSub=True
FolderPath= selectFolder() ''选择要扫描的网站目录, 如:FolderPath = "D:\wwwroot"
Echo "现在时间" & Now() & ",扫描 " & FolderPath :time1=Now()
If Not fso.folderexists(FolderPath) Then WScript.Quit
Set folder = fso.GetFolder(FolderPath)
CountFolder=1
Call doscan(folder)
If isScanSub Then scan(folder)
Echo "扫描结束 " & Now & ",耗时 " & DateDiff("s",Time1,Now()) & "秒"
WScript.Echo "日志文件存放于 " & logfile
Sub doscan(byval folder)
For each myfile in folder.Files
filesize = myfile.Size/1024
filepath = myfile.Path
filename = myfile.Name
if instr(filename,".")>0 then
filetype = Mid(filename,InStrRev(filename,"."))
''WScript.Echo filename & Chr(9) & filesize
if filesize>s_MixSize And filesize<=s_MaxSize then
If InStr(ScanType,filetype)>0 and filetype<>"" Then
''wscript.echo "正在查:" & filepath
txtBody = readfile(filepath)
flag = False : txtBody=lcase(txtBody)
for each vCode in Split(virCodes,"|")
If vCode<>"" And instr(txtBody,vCode)>0 And binaryCheck(vCode,txtBody) then
Echo "发现该文件 " & filename & " 有问题"
if fso.FileExists (filepath&".w3bak") then
fso.DeleteFile filepath&".w3bak",True
Echo "删除" & filepath&".w3bak"
End If
Set f=fso.getfile(filepath)
f.name= filename&".w3bak"
Set f=Nothing
filepath = filepath&".w3bak"
tmpstr="<!--提示:该文件怀疑是木马程序,已经被杀毒软件自动更名. "& now()&"--> " & vbCrLf & txtBody
Call writefile(filepath,tmpstr,True)
Echo "文件名已改为 " & filepath
flag = True
exit for
end if
Next
''
If Not flag And InStr(LCase(txtbody),"vbscript.encode")=0 Then
txtbody2=txtbody : flag=False
For each iframeStr in iframeCode
If iframeStr<>"" and instr(txtbody,iframeStr)>0 then
txtbody2 =replace(txtbody2,iframeStr,"")
Echo "发现恶意代码" & filepath & "已被替换成空" & iframeStr
flag=True
end if
Next
If flag Then Call writefile(filepath,txtbody2,True)
End If
''
End If
End If
end if
Next
End Sub
Function binaryCheck(VirCodePart,GetFiles)
on error resume next
binaryCheck=true
bincode=chr(17) & chr(32) & chr(1)
if VirCodePart=bincode then
if left(GetFiles,3)<>bincode then
binaryCheck=false
end if
end if
End Function
Sub writefile(filepath,strng,isover)
If Not fso.FileExists(filepath) Then Exit Sub
If isover Then mode=2 Else mode=8
Dim f:Set f=fso.OpenTextFile(filepath,mode,True)
f.write strng
Set f=Nothing
End Sub
Function readfile(filepath)
On Error Resume Next
Dim f:Set f=fso.OpenTextFile(filepath)
readfile=f.ReadAll()
If readfile&""="" Then readfile=""
Err.Clear
End Function
Function selectFolder()
On Error Resume Next
Set objFolder=objshell.BrowseForFolder(&H0,"请选择要扫描的目录",NO_OPTIONS)
selectFolder = objFolder.Self.path
Set objFolder=Nothing
End Function
Sub Echo(strng)
WScript.Echo strng
Dim f:Set f = fso.OpenTextFile(logfile,8,True)
f.writeline strng
Set f=Nothing
End Sub
Sub init()
logfile = Left(WScript.ScriptFullName,InStrRev(WScript.ScriptFullName,"\")) & "scanLog.txt"
If WScript.Arguments.Count=0 Then
WshShell.Run "cmd /k cscript """ & WScript.ScriptFullName & """ -dos",1,False
WScript.Quit
End If
virCodes=lcase(virCodes)
End Sub
sub scan(objfolder)
dim subfolder
For Each subfolder In objfolder.SubFolders
CountFolder=CountFolder+1
wscript.echo CountFolder & chr(9) & subfolder.path
Call scan(subfolder)
Call doscan(subfolder)
Next
end sub
''
''2011-7-19
On Error Resume Next
Dim ScanType,FolderPath,fso,virCode,isScanSub,logfile
Set fso=createobject("scripting.filesystemobject")
Set objShell = CreateObject("Shell.Application")
set WshShell = CreateObject("wscript.Shell"):init
S_MixSize = 0 : S_MaxSize = 200 ''扫描文件大写限制
Dim iframeCode(20) ''这个表示替换为空的部分,自己可添
iframeCode(0)=""
iframeCode(1)=" "
''病毒特征码,用|分隔。
virCodes =chr(17) & chr(32) & chr(1) & "|DZNHkqNIAADv85HpDg4tTGFidrYDCRBOOOEvG|):EvaL(|批量挂马|桂林老兵|专用ASP小马|后门名字|Serv-u提权|海阳顶端网|清马路径|批量清马|" & _
"89625866|执行CMD命令|72C24DD5-D70A-438B-8A42-98424B88AFB8|13709620-C279-11CE-A49E-444553540000|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B|限权升提|门后入插|写入注" &_
"册表健值成功|php eval($_POST|马挂定指|round($packets/$exec_time|血腥DDOS|oooo0o00o0o0o0o0o0o0o00000o0o0o0o0o0oo0o0o0o0o0oo0"
ScanType =".asa/.asp/.html/.aspx/.php/.cgi/.pl" ''扫描的文件类型。
isScanSub=True
FolderPath= selectFolder() ''选择要扫描的网站目录, 如:FolderPath = "D:\wwwroot"
Echo "现在时间" & Now() & ",扫描 " & FolderPath :time1=Now()
If Not fso.folderexists(FolderPath) Then WScript.Quit
Set folder = fso.GetFolder(FolderPath)
CountFolder=1
Call doscan(folder)
If isScanSub Then scan(folder)
Echo "扫描结束 " & Now & ",耗时 " & DateDiff("s",Time1,Now()) & "秒"
WScript.Echo "日志文件存放于 " & logfile
Sub doscan(byval folder)
For each myfile in folder.Files
filesize = myfile.Size/1024
filepath = myfile.Path
filename = myfile.Name
if instr(filename,".")>0 then
filetype = Mid(filename,InStrRev(filename,"."))
''WScript.Echo filename & Chr(9) & filesize
if filesize>s_MixSize And filesize<=s_MaxSize then
If InStr(ScanType,filetype)>0 and filetype<>"" Then
''wscript.echo "正在查:" & filepath
txtBody = readfile(filepath)
flag = False : txtBody=lcase(txtBody)
for each vCode in Split(virCodes,"|")
If vCode<>"" And instr(txtBody,vCode)>0 And binaryCheck(vCode,txtBody) then
Echo "发现该文件 " & filename & " 有问题"
if fso.FileExists (filepath&".w3bak") then
fso.DeleteFile filepath&".w3bak",True
Echo "删除" & filepath&".w3bak"
End If
Set f=fso.getfile(filepath)
f.name= filename&".w3bak"
Set f=Nothing
filepath = filepath&".w3bak"
tmpstr="<!--提示:该文件怀疑是木马程序,已经被杀毒软件自动更名. "& now()&"--> " & vbCrLf & txtBody
Call writefile(filepath,tmpstr,True)
Echo "文件名已改为 " & filepath
flag = True
exit for
end if
Next
''
If Not flag And InStr(LCase(txtbody),"vbscript.encode")=0 Then
txtbody2=txtbody : flag=False
For each iframeStr in iframeCode
If iframeStr<>"" and instr(txtbody,iframeStr)>0 then
txtbody2 =replace(txtbody2,iframeStr,"")
Echo "发现恶意代码" & filepath & "已被替换成空" & iframeStr
flag=True
end if
Next
If flag Then Call writefile(filepath,txtbody2,True)
End If
''
End If
End If
end if
Next
End Sub
Function binaryCheck(VirCodePart,GetFiles)
on error resume next
binaryCheck=true
bincode=chr(17) & chr(32) & chr(1)
if VirCodePart=bincode then
if left(GetFiles,3)<>bincode then
binaryCheck=false
end if
end if
End Function
Sub writefile(filepath,strng,isover)
If Not fso.FileExists(filepath) Then Exit Sub
If isover Then mode=2 Else mode=8
Dim f:Set f=fso.OpenTextFile(filepath,mode,True)
f.write strng
Set f=Nothing
End Sub
Function readfile(filepath)
On Error Resume Next
Dim f:Set f=fso.OpenTextFile(filepath)
readfile=f.ReadAll()
If readfile&""="" Then readfile=""
Err.Clear
End Function
Function selectFolder()
On Error Resume Next
Set objFolder=objshell.BrowseForFolder(&H0,"请选择要扫描的目录",NO_OPTIONS)
selectFolder = objFolder.Self.path
Set objFolder=Nothing
End Function
Sub Echo(strng)
WScript.Echo strng
Dim f:Set f = fso.OpenTextFile(logfile,8,True)
f.writeline strng
Set f=Nothing
End Sub
Sub init()
logfile = Left(WScript.ScriptFullName,InStrRev(WScript.ScriptFullName,"\")) & "scanLog.txt"
If WScript.Arguments.Count=0 Then
WshShell.Run "cmd /k cscript """ & WScript.ScriptFullName & """ -dos",1,False
WScript.Quit
End If
virCodes=lcase(virCodes)
End Sub
sub scan(objfolder)
dim subfolder
For Each subfolder In objfolder.SubFolders
CountFolder=CountFolder+1
wscript.echo CountFolder & chr(9) & subfolder.path
Call scan(subfolder)
Call doscan(subfolder)
Next
end sub