保存为XX.vbs,然后运行即可。

查杀WIN2003服务器webshell与恶意链接的VBS脚本

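' Double-click to run. Scans a web site directory for trojan / webshell files.
' A file that matches a signature is automatically renamed to <name>.w3bak, and any
' string listed in iframeCode is replaced with an empty string in the live file.
' NOTE(review): both actions change files in place before anyone has looked at the hit,
' and the signatures are plain substrings, so a false positive takes a page offline.
' Take a copy (and hashes) of the tree first if the files may be needed as evidence;
' scanLog.txt is the only record the script keeps.
' 2011-7-19

' Script-level errors are skipped on purpose (best-effort scan).
On Error Resume Next

Dim ScanType, FolderPath, fso, virCode, virCodes, isScanSub, logfile

Set fso = CreateObject("scripting.filesystemobject")
Set objShell = CreateObject("Shell.Application")
Set WshShell = CreateObject("wscript.Shell")

' init sets logfile and relaunches the script under cscript when started without arguments.
Call init()

' Size window in KB: only files with S_MixSize < size <= S_MaxSize are read by doscan.
' Anything larger than S_MaxSize KB is never inspected.
S_MixSize = 0 : S_MaxSize = 200

' Strings to strip from otherwise clean files; add your own entries (empty ones are ignored).
Dim iframeCode(20)
iframeCode(0) = ""
iframeCode(1) = ""
iframeCode(2) = ""

' Signatures, separated by "|". The first entry is a three-byte marker that binaryCheck
' only accepts at the very start of a file.
' NOTE(review): the three GUID entries look like COM class ids that ASP webshells
' reference to create shell objects - confirm before tuning the list.
virCodes = Chr(17) & Chr(32) & Chr(1) & "|DZNHkqNIAADv85HpDg4tTGFidrYDCRBOOOEvG|):EvaL(|批量挂马|桂林老兵|专用ASP小马|后门名字|Serv-u提权|海阳顶端网|清马路径|批量清马|" & _
    "89625866|执行CMD命令|72C24DD5-D70A-438B-8A42-98424B88AFB8|13709620-C279-11CE-A49E-444553540000|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B|限权升提|门后入插|写入注" & _
    "册表健值成功|php eval($_POST|马挂定指|round($packets/$exec_time|血腥DDOS|oooo0o00o0o0o0o0o0o0o00000o0o0o0o0o0oo0o0o0o0o0oo0"

' doscan compares against lower-cased file text, so the signatures must be lower-cased
' as well. init runs before the list above is assigned, so its own LCase call never saw
' these values and every signature containing an upper-case letter could not match.
virCodes = LCase(virCodes)

' File types to scan (matched as a substring of this list).
' NOTE(review): only the last extension of the file name is looked at, and extensions
' not listed here are skipped. Check the site's handler mappings for other extensions
' that are executed as script (on IIS 6, .cer and .cdx are commonly mapped to ASP) and
' for names such as "x.asp;.jpg", which this check treats as ".jpg".
ScanType = ".asa/.asp/.html/.aspx/.php/.cgi/.pl"

isScanSub = True

' Pick the site directory to scan, e.g. FolderPath = "D:\wwwroot"
FolderPath = selectFolder()

Echo "现在时间" & Now() & ",扫描 " & FolderPath
time1 = Now()

If Not fso.FolderExists(FolderPath) Then WScript.Quit

Set folder = fso.GetFolder(FolderPath)
CountFolder = 1

' Scan the chosen folder itself, then (optionally) walk its subfolders.
Call doscan(folder)
If isScanSub Then scan(folder)

Echo "扫描结束 " & Now & ",耗时 " & DateDiff("s", time1, Now()) & "秒"
WScript.Echo "日志文件存放于 " & logfile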

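Sub doscan(byval folder)
    ' Scans every file directly inside `folder` (no recursion; scan() walks subfolders).
    ' Each file is handled by doscanFile. A failure on one file (locked, access denied,
    ' rename refused) is logged and the loop continues; without this, the error would
    ' unwind to the script-level "On Error Resume Next" and silently skip the remaining
    ' files of the folder.
    Dim myfile, failCode, failText

    For Each myfile In folder.Files
        On Error Resume Next
        doscanFile myfile
        ' Capture the error before any other call can reset it.
        failCode = Err.Number : failText = Err.Description
        Err.Clear
        If failCode <> 0 Then Echo "处理文件出错 " & myfile.Path & " (" & failCode & ") " & failText
        ' Enumeration errors at Next keep their original behaviour (they propagate).
        On Error GoTo 0
    Next
End Sub

Sub doscanFile(myfile)
    ' Checks one file against the signature list and the iframeCode strip list.
    '   myfile - a Scripting.File object taken from folder.Files.
    ' Reads the script-level settings S_MixSize, S_MaxSize, ScanType, virCodes, iframeCode.
    ' On a signature hit the file is renamed to <name>.w3bak and rewritten with one
    ' extra leading line; otherwise the iframeCode strings are removed from the file.
    Dim sizeKB, filepath, filename, filetype
    Dim rawBody, txtBody, vCode, needle, flag
    Dim cleaned, iframeStr, changed, f

    sizeKB = myfile.Size / 1024
    filepath = myfile.Path
    filename = myfile.Name

    ' Files without an extension are not scanned.
    If InStr(filename, ".") = 0 Then Exit Sub

    ' Lower-case the extension: Windows file names are case-insensitive, so "x.ASP"
    ' has to be treated like "x.asp" instead of being skipped.
    filetype = LCase(Mid(filename, InStrRev(filename, ".")))

    ' Size window (KB): empty files and files above S_MaxSize are skipped.
    If Not (sizeKB > S_MixSize And sizeKB <= S_MaxSize) Then Exit Sub

    ' Substring match against the list on purpose: ".htm" is covered by ".html".
    If filetype = "" Or InStr(LCase(ScanType), filetype) = 0 Then Exit Sub

    ' Keep the text as read for anything that is written back; the lower-cased
    ' copy is used for matching only.
    rawBody = readfile(filepath)
    txtBody = LCase(rawBody)
    flag = False

    For Each vCode In Split(virCodes, "|")
        ' Lower-case each signature here too, so matching does not depend on the
        ' list having been normalised elsewhere.
        needle = LCase(vCode)

        If needle <> "" And InStr(txtBody, needle) > 0 And binaryCheck(needle, txtBody) Then
            Echo "发现该文件 " & filename & " 有问题"
            ' Record full path and the matching signature so a hit can be triaged from the log.
            Echo "  -> " & filepath & " [" & needle & "]"

            ' An earlier quarantine copy with the same name is replaced.
            If fso.FileExists(filepath & ".w3bak") Then
                fso.DeleteFile filepath & ".w3bak", True
                Echo "删除" & filepath & ".w3bak"
            End If

            Set f = fso.GetFile(filepath)
            f.Name = filename & ".w3bak"
            Set f = Nothing
            filepath = filepath & ".w3bak"

            ' The original wrote the lower-cased text here, which altered the quarantined
            ' sample. Write the text as read, keeping the extra first line.
            ' NOTE(review): the file still goes through a text-mode read and write, which
            ' may change bytes in non-ANSI files - hash or copy the original beforehand
            ' if it is needed as evidence.
            Call writefile(filepath, " " & vbCrLf & rawBody, True)
            Echo "文件名已改为 " & filepath

            flag = True
            Exit For
        End If
    Next

    ' No signature hit and not an encoded script: strip the iframeCode strings.
    If Not flag And InStr(txtBody, "vbscript.encode") = 0 Then
        cleaned = rawBody
        changed = False

        For Each iframeStr In iframeCode
            If iframeStr <> "" Then
                ' Case-insensitive search and replace on the original text. The original
                ' replaced inside the lower-cased copy and wrote that back, which
                ' lower-cased the entire live file.
                If InStr(1, rawBody, iframeStr, vbTextCompare) > 0 Then
                    cleaned = Replace(cleaned, iframeStr, "", 1, -1, vbTextCompare)
                    Echo "发现恶意代码" & filepath & "已被替换成空" & iframeStr
                    changed = True
                End If
            End If
        Next

        If changed Then Call writefile(filepath, cleaned, True)
    End If
End Sub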

Function binaryCheck(VirCodePart,GetFiles)
    ' Extra condition for the three-character marker signature Chr(17) Chr(32) Chr(1):
    ' that signature only counts when the file text starts with it.
    '   VirCodePart - the signature being tested.
    '   GetFiles    - the file text.
    ' Returns True for every other signature, and for the marker signature when the
    ' first three characters of GetFiles equal it; False otherwise.
    On Error Resume Next

    Dim headerSig
    headerSig = Chr(17) & Chr(32) & Chr(1)

    binaryCheck = True
    If VirCodePart = headerSig Then
        If Left(GetFiles, 3) <> headerSig Then binaryCheck = False
    End If
End Function

Sub writefile(filepath,strng,isover)
    ' Writes strng to an existing file; does nothing when filepath does not exist.
    '   isover - True overwrites the file, False appends to it.
    ' Uses the script-level fso object.
    Const FOR_WRITING = 2, FOR_APPENDING = 8
    Dim openMode, stream

    If fso.FileExists(filepath) Then
        If isover Then
            openMode = FOR_WRITING
        Else
            openMode = FOR_APPENDING
        End If

        Set stream = fso.OpenTextFile(filepath, openMode, True)
        stream.Write strng
        ' Dropping the reference releases the stream; there is no explicit Close.
        Set stream = Nothing
    End If
End Sub

Function readfile(filepath)
    ' Returns the whole content of filepath as text, or "" when nothing could be read.
    ' Errors are swallowed here and cleared before returning, so the caller cannot
    ' tell an unreadable file from an empty one.
    On Error Resume Next

    Dim reader
    Set reader = fso.OpenTextFile(filepath)
    readfile = reader.ReadAll()

    ' Normalise an unset result to an empty string.
    If Len(readfile & "") = 0 Then readfile = ""

    Err.Clear
End Function

Function selectFolder()
    ' Shows the shell "browse for folder" dialog and returns the chosen path.
    ' Errors are ignored, so the function returns without assigning a value when
    ' reading the path fails (presumably when the dialog is cancelled - confirm).
    On Error Resume Next

    Dim picked
    ' NO_OPTIONS is not defined anywhere in the visible script, so it is passed unset.
    Set picked = objshell.BrowseForFolder(&H0, "请选择要扫描的目录", NO_OPTIONS)
    selectFolder = picked.Self.path
    Set picked = Nothing
End Function

Sub Echo(strng)
    ' Prints strng through WScript.Echo and appends the same line to the log file
    ' named by the script-level variable logfile (created when missing).
    Const FOR_APPENDING = 8

    WScript.Echo strng

    With fso.OpenTextFile(logfile, FOR_APPENDING, True)
        .WriteLine strng
    End With
End Sub

Sub init()
    ' Start-up: chooses the log file location and makes sure the script runs in a console.
    Dim selfPath
    selfPath = WScript.ScriptFullName

    ' scanLog.txt is placed in the same directory as the script.
    ' NOTE(review): if the script is stored inside a served web directory, the log
    ' (file paths and matched content) would sit there too - keep the script elsewhere.
    logfile = Left(selfPath, InStrRev(selfPath, "\")) & "scanLog.txt"

    ' Started without arguments (e.g. by double-click): relaunch under cscript in a
    ' console window that stays open, passing a dummy argument, then end this instance.
    If WScript.Arguments.Count = 0 Then
        WshShell.Run "cmd /k cscript """ & selfPath & """ -dos", 1, False
        WScript.Quit
    End If

    ' The script calls init before it assigns its signature list, so this lower-casing
    ' has no effect on the signatures assigned afterwards.
    virCodes = LCase(virCodes)
End Sub

Sub scan(objfolder)
    ' Walks the subfolders of objfolder depth-first. For each subfolder it bumps the
    ' script-level CountFolder, prints the counter and the path, recurses into the
    ' subfolder, and then scans that subfolder's own files with doscan.
    Dim child

    For Each child In objfolder.SubFolders
        CountFolder = CountFolder + 1
        WScript.Echo CountFolder & vbTab & child.Path

        scan child
        doscan child
    Next
End Sub
