'-----------------------
'Scan ASP WebShell in vbs
'Author: lake2 (http://lake2.)
'Date: 2006-11-30
'Version: 1.0 Beta
'-----------------------
'Main script body: parse the two command-line arguments, walk the tree, build the HTML report.
'
'Comma-separated list of extensions (no dot) that the directory walk hands to ScanFile.
'CheckExt treats the single value "*" as "every file".
DimFileExt = "asp,cer,asa,cdx"
'Report  - accumulated <tr> rows, one per finding (appended to by ScanFile).
'Report2 - the complete HTML page written to disk.
'Sun     - number of findings; SumFiles / SumFolders - files scanned / folders visited.
Dim Report, Report2, Sun, SumFiles, SumFolders
Call ShowInfo()
'NOTE(review): the left-hand operand was lost in extraction. ShowHelp documents two
'arguments (scan path, report file), so this presumably tests the argument count.
If = 2 Then
Call CheckArg()
Sun = 0
SumFiles = 0
'Starts at 1 - presumably so the root folder itself is counted.
SumFolders = 1
'Drop one trailing backslash from the scan path so later path & "\" & name joins do not double it.
'NOTE(review): the expression in front of (0) was lost - presumably the first argument.
If Right((0),1) = "\" Then
thePath = Mid((0),1,Len((0))-1)
Else
thePath = (0)
End If
'NOTE(review): the output call in front of this string, and the call that takes 1000
'on the next line (presumably a one-second pause), were lost in extraction.
"Start the scan, please wait..."
(1000)
StartTime = now()
Call ShowAllFile(thePath)
EndTime = now()
vbcrlf & "Scan complete!" & vbcrlf
'Assemble the HTML report. The page declares charset gb2312.
report2 = report2 & "<html><head><title>Leketu ASP Webmaster Security Assistant vbs version scan report</title>"
report2 = report2 & "<meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312""></head>"
report2 = report2 & "<body><b><font size=4>Leiketu ASP Webmaster Security Assistant vbs version scan report</font></b><br><br>"
'NOTE(review): the next line and the summary line two below it are garbled in this copy
'(unbalanced quotes); they appear to print StartTime and the folder/file/finding totals.
report2 = report2 & "<body><font size=2>StartTime&"</font><br>"
report2 = report2 & "<body><font size=2>End time: "&EndTime&"</font><br>"
Report2 = report2 & "<font size=2>Scanned! Check a total of folders, files, and found suspicious points (<font color=""#FF0000"""""&SumFolders" (<font color=""#FF0000""""""""" red letters""
'Findings table: file path, matched signature, description, create/modify timestamps.
report2 = report2 & "<table width=""100%"" border=""0"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
report2 = report2 & "<tr>"
report2 = report2 & "<td width=""20%"">File path</td>"
report2 = report2 & "<td width=""20%"">Feature code</td>"
report2 = report2 & "<td width=""40%"">Description</td>"
report2 = report2 & "<td width=""20%"">Create/modify time</td>"
report2 = report2 & "</tr>"
'The rows collected by ScanFile are inserted here. They are wrapped in <p> inside the
'table, which is not valid table markup.
report2 = report2 & "<p>"
report2 = report2 & report
report2 = report2 & "</p>"
'NOTE(review): this adds a <script src=...> tag, so whoever opens the report loads and
'runs script from a remote host (the URL was lost in extraction). The report lists server
'paths and is read by an administrator; it should be self-contained, so consider removing
'the tag before using the tool.
report2 = report2 & "</table><hr><script src=http:///></script>"
report2 = report2 & "<div align=center>powered by <a href=""http://"" target=_blank></a></div>"
report2 = report2 & "</body></html>"
Call WriteToFile()
Else
Call ShowHelp()
End If
'Build the start-up banner (tool name, author, contact) in HelpStr.
'NOTE(review): the last statement is a bare HelpStr; the call that printed it was lost
'in extraction - presumably the banner is echoed to the console.
Sub ShowInfo()
HelpStr = HelpStr & "==============================" & vbcrlf
HelpStr = HelpStr & "===== Welcome to use Leiketu ASP Webmaster Security Assistant vbs version ========" & vbcrlf
HelpStr = HelpStr & "===== Author: lake2 =====" & vbcrlf
HelpStr = HelpStr & "===== Email:lake2@ =====" & vbcrlf
HelpStr = HelpStr & "===== Welcome to get more information ==========" & vbcrlf
HelpStr = HelpStr & "==============================" & vbcrlf
HelpStr = HelpStr & vbcrlf
HelpStr
End Sub
'Build the usage text shown when the script is not given exactly the expected arguments:
'first the folder to scan, then the path of the HTML report to write.
'NOTE(review): the script file name is missing from the usage and example strings, and
'the call that printed HelpStr was lost in extraction.
Sub ShowHelp()
HelpStr = HelpStr & "#Usage: CScript [Scan Path] [Result HTM File Path]" & vbcrlf
HelpStr = HelpStr & "#Example: CScript d:\Web f:\my\" & vbcrlf
HelpStr = HelpStr & vbcrlf
HelpStr
End Sub
'Validate the two arguments before scanning.
'NOTE(review): the object and method names were lost in extraction. From the error
'texts this presumably checks that the scan folder (0) exists and that the folder
'part of the report path (1) exists - confirm against an intact copy.
Sub CheckArg()
'Folder part of the report path: everything before the last backslash.
'If argument (1) contains no backslash, InStrRev returns 0 and Left(..., -1) raises a
'runtime error, so a bare file name is not accepted here.
tmpPath = Left((1), InStrRev((1),"\")-1)
Set objFSO = ("")
If Not ((0)) Then
"Error: Error path "" & (0) & ""!
ElseIf Not (tmpPath) Then
"Error: Error file path "" & tmpPath &""!
End If
'NOTE(review): as visible here neither error branch stops the script, so the caller
'would go on to scan after a failed check; an exit call may have been lost - verify.
Set objFSO = Nothing
End Sub
'Walk Path recursively: scan every file whose extension CheckExt accepts, then
'descend into every subfolder.
'Path: folder to process, without a trailing backslash.
'Updates the script-level counters SumFiles and SumFolders.
'NOTE(review): the object, property and method names in this Sub were lost in
'extraction (the object name, the folder lookup, the two collections, the item names).
'NOTE(review): no depth limit or reparse-point check is visible; a directory junction
'that points back up the tree would presumably recurse until the script fails - confirm.
Sub ShowAllFile(Path)
"Checking Directory" & path
Set FSO = CreateObject("")
Set f = (Path)
'fc2: presumably the files directly inside Path.
Set fc2 =
For Each myfile in fc2
'Only files with a listed extension are read; everything else is skipped at this stage.
If CheckExt((path&"\"&)) Then
' "Checking file" & path&"\"&
'NOTE(review): Temp is not assigned anywhere in this Sub in the visible source, so it
'contributes nothing to the path unless a script-level Temp exists - verify.
Call ScanFile(Path&Temp&"\"&, "")
SumFiles = SumFiles + 1
End If
Next
'fc: presumably the subfolders of Path; each one is processed by a recursive call.
Set fc =
For Each f1 in fc
ShowAllFile path&"\"&
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
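'Return True when FileExt (an extension without the dot) is one the scanner should read.
'The list comes from the script-level DimFileExt setting; the single value "*" means
'every file. Returns False otherwise.
'The comparison ignores case and spaces around list entries on both sides, so a setting
'such as "ASP, cer" does not silently exclude files from the scan.
Function CheckExt(FileExt)
    Dim extList, wanted, idx
    'Explicit default instead of relying on the Empty return value.
    CheckExt = False
    If Trim(DimFileExt) = "*" Then
        CheckExt = True
        Exit Function
    End If
    wanted = LCase(Trim(FileExt))
    extList = Split(DimFileExt, ",")
    For idx = 0 To UBound(extList)
        If wanted = LCase(Trim(extList(idx))) Then
            CheckExt = True
            Exit Function
        End If
    Next
End Function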
'Scan one file for strings and patterns commonly seen in ASP webshells. Every indicator
'that matches appends one <tr> row to the script-level Report and adds 1 to Sun.
'FilePath: path of the file to read.
'InFile:   "" for a file found by the directory walk; otherwise the path of the file
'          that referenced this one (include, Server.Execute/Transfer or script src),
'          which is then named in the report row.
'All checks are substring or regular-expression matches on the lower-cased text, so a
'hit is a lead for manual review, not proof of a backdoor, and a file without hits is
'not proven clean (code assembled at run time by string concatenation is not matched).
'NOTE(review): object, property and method names were lost in extraction throughout
'this Sub (stream calls, regEx properties, match values); comments on those lines are
'inferences from the surviving values and should be confirmed against an intact copy.
Sub ScanFile(FilePath, InFile)
If InFile <> "" Then
Infiles = "<font color=red>This file is "& InFile & "File contains execution</font>"
End If
temp = FilePath
'Runtime errors are suppressed from here to the end of the Sub.
'NOTE(review): a file that cannot be opened (missing, locked, access denied) leaves the
'Sub at the err check below without any report row, so the report does not show which
'files the scanner was unable to read.
On Error Resume Next
'Presumably a stream object opened on FilePath and then re-read as GB2312 text; the
'values 1, 3, 0, 2 and "GB2312" are all that survives of the property assignments.
Set tStream = ("")
= 1
= 3
=0
FilePath
If err Then Exit Sub end if
= 2
= "GB2312"
'Read the whole file (102400 is presumably the chunk size), drop NUL characters and
'lower-case the text so every check below is case-insensitive.
Do Until
filetxt = filetxt & LCase(replace((102400), Chr(0), ""))
Loop
()
Set tStream = Nothing
Set FSOs = ("")
if len(filetxt) >0 then
'Signature checks
'Prefix a line break - presumably so patterns that require a preceding character
'(such as [^.]\b...) can also match at the very start of the file.
filetxt = vbcrlf & filetxt
'Check for the WScript.Shell component, by name or by its CLSID
'(72C24DD5-D70A-438B-8A42-98424B88AFB8).
'DoMyBest is not assigned anywhere in the visible source, so it adds nothing to the
'string; presumably it only splits the literal so that this scanner's own source does
'not contain the signature it searches for.
'NOTE(review): the name literal is only "WScr" in this copy and looks truncated.
If Instr( filetxt, Lcase("WScr"&DoMyBest&"") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
Report = Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&" or clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td><font color=red>Hazardous components, generally used by ASP *s</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End if
'Check for the Shell.Application component, by name or by its CLSID
'(13709620-C279-11CE-A49E-444553540000).
'NOTE(review): the name literal is only "She" in this copy and looks truncated; as
'written it would match almost any file.
If Instr( filetxt, Lcase("She"&DoMyBest&"") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
Report = Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&" or clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td><font color=red>Hazardous components, generally used by ASP *s</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for a marker character that, per the report text, indicates Unicode-encoded
'ASP source. NOTE(review): the meaning of chr(-22048) depends on the system code page - confirm.
If instr( filetxt, chr(-22048)) then
Report = Report&"<tr><td>"&temp&"</td><td>None</td><td><font color=red>Use Unicode Encoding ASP Code</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for LANGUAGE=(vbscript|jscript|javascript).encode, i.e. script stored in
'encoded form. The two True assignments presumably set the regEx case and global flags.
Set regEx = New RegExp
= True
= True
= "\bLANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td><font color=red>It seems that the script is encrypted, and generally ASP files are not encrypted</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for the Eval keyword as a whole word. The literal is split ("Ev"&"al") so the
'scanner's own source does not contain it. The report text itself warns that
'client-side JavaScript also uses it, so expect false positives.
= "\bEv"&"al\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val() function can execute any ASP code and is used by some backdoors. Its form is generally: ev"&"al(X)<br>But it can also be used in javascript code, which may be false positives. "&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for the Execute keyword when it is not preceded by a dot, so method calls
'such as obj.Execute are left to the later checks.
= "[^.]\bExe"&"cute\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Exec"&"ute</td><td><font color=red>e"&"xecute() function can execute any ASP code and be used by some backdoors. Its form is generally: ex"&"ecute(X)</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for .OpenTextFile / .CreateTextFile (file read/write through FSO).
= "\.(Open|Create)TextFile\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Crea"&"teTextFile|.O"&"penTextFile</td><td> Use FSO's CreateTextFile|OpenTextFile function to read and write files "&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for .SaveToFile (writing a file to disk).
= "\.SaveT"&"oFile\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Sa"&"veToFile</td><td>Writing file "&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for .Save (writing a file to disk).
= "\.Sa"&"ve\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Sa"&"ve</td><td>Writing file "&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for "Set x = Server": aliasing the Server object hides later .Execute calls
'from the name-based checks, so the row asks for a manual look.
= "set\s*.*\s*=\s*server\s"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Set xxx=Se"&"rver</td><td><font color=red>Set xxx=Ser" & jj & "ver, please check carefully whether to call .execute</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for Server.Execute / Server.Transfer with an argument that is not a quoted
'literal: the target cannot be resolved statically, so it is flagged for manual review.
= "Server.(Ex"&"ecute|Transfer)([ \t]*|\()[^""]\)"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>"&"ecute</td><td><font color=red>The files executed by the "&"xecute() function cannot be tracked and checked. Please check the administrator by yourself</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for .Run (process start through WScript.Shell, per the report text).
= "\.R"&"un\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Ru"&"n</td><td><font color=red>Discover the Run function of WScript</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for .Exec (process start through WScript.Shell, per the report text).
= "\.Ex"&"ec\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Ex"&"ec</td><td><font color=red>Discover the Exec function of WScript</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check for .ShellExecute (process start through Shell.Application, per the report text).
= "\.Shel"&"lExecute\b"
If (filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.ShellE"&"xecute</td><td><font color=red>Discover ShellExecute function of Application </font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
Set regEx = Nothing
'Follow <!--#include file|virtual=...--> directives: extract the target, strip its
'quotes, and scan it too when its extension is NOT in DimFileExt (files with a listed
'extension are presumably picked up by the directory walk anyway).
'The target is resolved relative to the folder of the current file.
'NOTE(review): "virtual=" targets are site-root relative on the web server, so resolving
'them against the current folder may point at the wrong file or at none - confirm.
'NOTE(review): no record of already-visited files is kept; two such files that include
'each other would presumably recurse until the script fails.
Set regEx = New RegExp
= True
= True
= "<!--\s*#include\s+(file|virtual)\s*=\s*.*-->"
Set Matches = (filetxt)
For Each Match in Matches
'Take the text after the first "=" (minus the final character) and normalise / to \.
tFile = Replace(Trim(Mid(, Instr(, "=") + 1, Len() - Instr(, "=") - 1)),"/","\")
If Left(tFile, 1)="'" Then
tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2)
ElseIf Left(tFile, 1)="""" Then
tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2)
Else
'Unquoted target: cut at the first blank (tabs count as blanks), else at the first "-".
tFile = Replace(tFile, Chr(9), " ")
If InStr(tFile, " ") <> 0 Then
tFile = Left(tFile, InStr( tFile, " ") - 1)
Else
tFile = Left(tFile, InStr( tFile, "-") - 1)
End If
End If
If Not CheckExt((tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, FilePath)
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Follow Server.Execute / Server.Transfer calls whose argument is a quoted literal:
'the same treatment as includes (scan the target unless its extension is listed).
Set regEx = New RegExp
= True
= True
= "Server.(Exec"&"ute|Transfer)([ \t]*|\()"".*?"""
Set Matches = (filetxt)
For Each Match in Matches
tFile = Replace(Mid(, Instr(, """") + 1, Len() - Instr(, """") - 1),"/","\")
If Not CheckExt((tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, FilePath)
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Follow <script ... runat=server ... src=...> tags: extract the src value and scan it.
'Unlike the two loops above there is no CheckExt test here, so a target with a listed
'extension is scanned here as well as by the directory walk.
Set XregEx = New RegExp
= True
= True
= "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
Set XMatches = (filetxt)
For Each Match in XMatches
'Keep only the opening tag, up to and including the first ">".
tmpLake2 = Mid(, 1, InStr(, ">"))
srcSeek = InStr(1, tmpLake2, "src", 1)
If srcSeek > 0 Then
srcSeek2 = instr(srcSeek, tmpLake2, "=")
'Skip up to 50 blanks or tabs after the "=" to find the first character of the value.
For i = 1 To 50
tmp = Mid(tmpLake2, srcSeek2 + i, 1)
If tmp <> " " and tmp <> chr(9) and tmp <> vbCrLf Then
Exit For
End If
Next
If tmp = """" Then
'Quoted value: take everything up to the closing quote.
tmpName = Mid(tmpLake2, srcSeek2 + i + 1, Instr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
Else
'Unquoted value: cut at the first space, tab, line break or ">".
If InStr(srcSeek2 + i + 1, tmpLake2, " ") > 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, Instr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = tmpLake2
If InStr(tmpName, chr(9)) > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, chr(9)) - 1)
If InStr(tmpName, vbCrLf) > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, vbcrlf) - 1)
If InStr(tmpName, ">") > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, ">") - 1)
End If
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tmpName , FilePath)
SumFiles = SumFiles + 1
End If
Next
'This section created XregEx / XMatches, but the two lines below release Matches and
'regEx, which were already set to Nothing above.
Set Matches = Nothing
Set regEx = Nothing
end if
set fsos = nothing
End Sub
'Return a timestamp for filepath that ScanFile prints in the last report column;
'going by the function name, the last-modified time.
'NOTE(review): the object name, the file lookup and the property read into s were
'lost in extraction.
'For triage these timestamps are hints only: they can be changed by anyone who is able
'to write the file.
Function GetDateModify(filepath)
Set fso = CreateObject("")
Set f = (filepath)
s =
set f = nothing
set fso = nothing
GetDateModify = s
End Function
'Return a timestamp for filepath that ScanFile prints in the last report column;
'going by the function name, the creation time.
'NOTE(review): the object name, the file lookup and the property read into s were
'lost in extraction.
'For triage these timestamps are hints only: they can be changed by anyone who is able
'to write the file.
Function GetDateCreate(filepath)
Set fso = CreateObject("")
Set f = (filepath)
s =
set f = nothing
set fso = nothing
GetDateCreate = s
End Function
'Write the finished HTML report (script-level Report2) to the report path, argument (1).
'NOTE(review): the object and method names were lost in extraction. The surviving
'arguments (path, 2, True) presumably open the file for writing and create it when it
'is missing, which would replace an existing file at that path - confirm.
'NOTE(review): no close call on theFile is visible; it may have been lost in extraction.
'The report lists server paths and findings, so the report path should not be a
'location the web server serves.
Sub WriteToFile()
Set FSO = CreateObject("")
Set theFile = ((1), 2, True)
(Report2)
Set FSO = Nothing
"The scan result has been written to the file ""&(1)&"", please check it!"
End Sub