这两天有一个网站老是被hacker入侵,他入侵后不修改我的任何文件,只是修改我数据库里面的记录,在数据库字段里面挂马(在数据库字段里面加<script src=''></script>),由于他不修改任何文件,IIS日志又是非常多,如果一条条的分析很是急人.
本来我已经给那个表写了触发器,只要有人对该表进行操作,就会记录下所执行的SQL语句.但我今天查看触发器生成的记录表,发现里面并没有记录到他直接执行的语句,只记录了"sp_cursoropen;1"和"sp_prepexec;1"这样的信息(这通常说明语句是以游标或预编译的方式提交的,触发器只能取到存储过程名,取不到实际的SQL文本),因此我无法确定hacker究竟是在什么时候操作数据库挂马的.关于触发器的说明,请看:使用SQL触发器对表的所有操作SQL语句.
今天就加了以下代码,记录网站最后一次正常访问的时间,以及数据库字段被他入侵修改的第一时间.有了这两个时间点,就可以在IIS访问日志中缩小范围,比较容易地找到他在这段时间内访问过的文件,也就是系统中存在漏洞的文件.
Function getIP()
    ' Returns the address to record for the current request, trimmed and capped
    ' at 30 characters.
    '
    ' Selection order:
    '   1. If X-Forwarded-For is absent or contains "unknown", use REMOTE_ADDR.
    '   2. Otherwise use the text before the first "," in X-Forwarded-For,
    '      or, when there is no ",", the text before the first ";".
    '   3. Otherwise use the whole X-Forwarded-For value.
    '
    ' NOTE(review): X-Forwarded-For is a request header, so its content is
    ' whatever the client (or any proxy in between) chose to send. The value
    ' returned here is therefore a claim, not evidence; when the result feeds an
    ' investigation, record REMOTE_ADDR next to it and correlate on that.
    ' NOTE(review): the 30-character cap is shorter than a full-length IPv6
    ' address, which would be cut off.
    Dim forwarded, cutAt, candidate

    forwarded = Request.ServerVariables("HTTP_X_FORWARDED_FOR")

    If forwarded = "" Or InStr(forwarded, "unknown") > 0 Then
        candidate = Request.ServerVariables("REMOTE_ADDR")
    Else
        ' Prefer a comma as the list separator, fall back to a semicolon.
        cutAt = InStr(forwarded, ",")
        If cutAt = 0 Then cutAt = InStr(forwarded, ";")

        If cutAt > 0 Then
            candidate = Left(forwarded, cutAt - 1)
        Else
            candidate = forwarded
        End If
    End If

    getIP = Trim(Left(candidate, 30))
End Function
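Function GetUrl()
    ' Rebuilds the address of the current request as
    '   SCRIPT_NAME & "?" & name=value&name=value...
    ' with names and values URL-encoded. The "?" is always appended, even when
    ' the request carries no query string. The page_num parameter is left out.
    '
    ' Changes from the earlier version:
    '   * Pairs are now joined with "&". The old code decided whether to emit
    '     "&" with InStr(page, name); no variable named page is assigned in the
    '     code shown here, so that test was always 0 and pairs ran together
    '     ("a=1b=2"), which made the recorded URL ambiguous.
    '   * page_num is skipped instead of ending the loop. Previously every
    '     parameter that followed page_num was silently dropped, so the record
    '     was not a complete picture of the request.
    '   * Parameter names are URL-encoded as well as values, so a decoded
    '     CR/LF or "&" inside a name cannot split or blur a log record.
    Dim ScriptAddress, M_ItemUrl, M_item

    ' Path of the currently executing script.
    ScriptAddress = CStr(Request.ServerVariables("SCRIPT_NAME")) & "?"
    M_ItemUrl = ""

    For Each M_item In Request.QueryString
        If M_item <> "page_num" Then
            If M_ItemUrl <> "" Then M_ItemUrl = M_ItemUrl & "&"
            M_ItemUrl = M_ItemUrl & Server.URLEncode(M_item) & "=" & _
                        Server.URLEncode(Request.QueryString(M_item))
        End If
    Next

    GetUrl = ScriptAddress & M_ItemUrl
End Function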
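Function GetForm()
    ' Flattens every posted form field into one line of text:
    '   <name>值为:<value> <name>值为:<value> ...
    ' Returns an unassigned (Empty) value when the request has no form fields.
    '
    ' Carriage returns and line feeds in names and values are rewritten as the
    ' two-character sequences \r and \n. The result is written to a
    ' line-oriented log; without this, a posted value containing a line break
    ' could start a new line that looks like a separate, genuine log record.
    '
    ' NOTE(review): every field is included, so passwords and other secrets
    ' submitted through forms end up in the log in clear text. Consider masking
    ' known sensitive field names before this is left running on a live site.
    Dim thisform, formstr, fieldName, fieldValue

    For Each formstr In Request.Form
        ' "" & x coerces the collection item to a plain string before Replace.
        fieldName = Replace(Replace("" & formstr, vbCr, "\r"), vbLf, "\n")
        fieldValue = Replace(Replace("" & Request.Form(formstr), vbCr, "\r"), vbLf, "\n")
        thisform = thisform & fieldName & "值为:" & fieldValue & " "
    Next

    GetForm = thisform
End Function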
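' Per-request audit record. Each request appends one record to noscript.txt
' while the database check still passes, and to hasscript.txt once it fails.
' The last timestamp in the first file and the first timestamp in the second
' bound the window to search in the IIS access log.
'
' NOTE(review): Server.MapPath with a bare file name resolves next to the
' executing page, i.e. inside the published site. Both files hold every
' submitted form field and can be downloaded by anyone who requests them by
' name. Write them outside the web root, or deny requests for them in IIS.
' NOTE(review): a record is written on every request and nothing rotates the
' files, so they grow without bound while this code is deployed.
Dim showdetail, fso, ctf

showdetail = showdetail & "处理时间:" & Now() & vbCrLf
showdetail = showdetail & "来源I P :" & getIP() & vbCrLf
' getIP() may return a value taken from the X-Forwarded-For header, which the
' client controls. Also record the address of the actual TCP peer so the entry
' can be matched against the client-IP column of the IIS log.
showdetail = showdetail & "REMOTE_ADDR:" & Request.ServerVariables("REMOTE_ADDR") & vbCrLf
showdetail = showdetail & "URL参数 :" & GetUrl() & vbCrLf
showdetail = showdetail & "Form参数:" & GetForm() & vbCrLf

' The condition below is the author's placeholder ("database has not been
' modified"); replace it with the site's real integrity check.
If 条件判断数据库没被修改 Then
    File = Server.MapPath("noscript.txt")
Else
    File = Server.MapPath("hasscript.txt")
End If

Set FSO = Server.CreateObject("Scripting.FileSystemObject")

' 8 = ForAppending, True = create the file when it does not exist yet.
' A single call replaces the earlier FileExists / CreateTextFile(overwrite)
' pair: with two requests in flight, the second could pass the existence check
' and then overwrite the file the first had just created, losing its record.
Set CTF = FSO.OpenTextFile(File, 8, True)
CTF.WriteLine showdetail
CTF.Close   ' flush and release the handle explicitly

Set CTF = Nothing
Set FSO = Nothing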