ASP Trojan Horse / Webshell Security and Prevention Solutions

Source: Internet
Author: User
Tags: file system, iis, web, security, solution, trojan

ASP Trojan Horse and Webshell security solutions, main content:

Note: The setup method and environment described in this article apply to Microsoft Windows Server / Windows 2003 Server with IIS 5.0 / IIS 6.0.

1. First of all, let us look at which ASP components a typical ASP Trojan or webshell uses. We take the Ocean ASP Trojan as an example:

    shellstr = "Shell"
    applicationstr = "Application"

    If cmdpath = "WscriptShell" Then
        ' ... (branch body omitted in the original excerpt)
    End If

    ' "Shell.Application", with the ProgID assembled from two strings
    Set sa = Server.CreateObject(shellstr & "." & applicationstr)

    ' ADODB.Stream
    Set streamt = Server.CreateObject("ADODB.Stream")

    ' WinNT ADSI provider, bound to the local machine
    Set domainobject = GetObject("WinNT://.")

The above is the relevant code from the Ocean Trojan. From it we can see that ASP Trojans and webshells mainly use the following kinds of ASP components:

① WScript.Shell (CLASSID: 72C24DD5-D70A-438B-8A42-98424B88AFB8)

② WScript.Shell.1 (CLASSID: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)

③ WScript.Network (CLASSID: 093FF999-1EA0-4079-9525-9614C3504B74)

④ WScript.Network.1 (CLASSID: 093FF999-1EA0-4079-9525-9614C3504B74)

⑤ FileSystemObject (CLASSID: 0d43fe01-f093-11cf-8940-00a0c9054228)

⑥ ADODB.Stream (CLASSID: {00000566-0000-0010-8000-00AA006D2EA4})

⑦ Shell.Application .....

Now we know which components pose the greatest danger to our web server, IIS! Let's start putting up the fence.

2. The solution:

① Delete or rename the following hazardous ASP components:

WScript.Shell, WScript.Shell.1, WScript.Network, WScript.Network.1, ADODB.Stream, Shell.Application

Start -> Run -> regedit opens the Registry Editor. Press Ctrl+F to search, enter the name of one of the components above (for example WScript.Shell) and its corresponding CLASSID, then delete the key or change its name. If some of your ASP pages use these components, simply use the new component name when writing the ASP code and they will work normally. Of course, if you are sure that your ASP programs do not use these components, you can delete them outright with peace of mind ^_^; in general, ordinary applications do not use them. After deleting or renaming, run IISReset; the change takes effect once IIS has been restarted.

[Note: Because the ADODB.Stream component is used by a great many web pages, if your server runs virtual hosts it is recommended to handle it according to your situation.]

② Regarding the security of the FSO, that is, the commonly mentioned File System Object (CLASSID: 0d43fe01-f093-11cf-8940-00a0c9054228): if your server must use the FSO (virtual host servers generally need the FSO function enabled), you can refer to my other article on FSO security, "Microsoft Windows Server FSO security vulnerabilities solution". If you are sure you do not need it, you can simply unregister the component.

③ Directly unregistering and uninstalling these dangerous components (practical for those who do not want to go through the fiddly methods in ① and ②):

Uninstall the WScript.Shell object; at a CMD prompt or via Run, execute: regsvr32 /u %windir%\system32\wshom.ocx

Uninstall the FSO object; at a CMD prompt or via Run, execute: regsvr32.exe /u %windir%\system32\scrrun.dll

Uninstall the Stream object; at a CMD prompt or via Run, execute: regsvr32 /s /u "C:\Program Files\Common Files\system\ado\msado15.dll"

If you want to restore a component, just remove the /u switch to re-register it, for example: regsvr32.exe %windir%\system32\scrrun.dll

④ Regarding webshells that use Set domainobject = GetObject("WinNT://.") to obtain the server's process, service and user information: to prevent this, stop and disable the Workstation service (described as "provides network connections and communications"), that is, the LanmanWorkstation service. After this, the process list shown by the webshell will be blank.

3. After processing the hazardous ASP components according to methods 1 and 2, testing with the Ajiang ASP probe shows "Server CPU details" and "Server operating system" as not found; the content is blank. Then, using the Ocean Trojan to test whether WScript.Shell can run cmd commands also produces the error "ActiveX component can't create object". Nobody need worry any longer about ASP Trojans endangering the security of the server system.
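As an added example (not from the original article), the following PowerShell audit script rolls the checks in sections 2 and 3 into one read-only report: for each ProgID the article names it looks up the ProgID key, the CLSID it points at and the registered DLL, probes whether the object can still be created, and then shows the state of the LanmanWorkstation service from section ④. It assumes PowerShell 3 or later on the IIS host, run from an elevated prompt.

```powershell
# Added audit script, not part of the original article. Read-only apart from the
# creation probe, which only instantiates and immediately releases each object.
# Assumes PowerShell 3+ on the IIS host, run from an elevated prompt.
$progIds = 'WScript.Shell', 'WScript.Shell.1', 'WScript.Network', 'WScript.Network.1',
           'Scripting.FileSystemObject', 'ADODB.Stream', 'Shell.Application'

function Test-ComComponent {
    param([string]$ProgId)
    $result = [ordered]@{ ProgId = $ProgId; ProgIdKey = $false; Clsid = $null; Dll = $null; Creatable = $false }
    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (Test-Path $progKey) {
        # A renamed or deleted ProgID key (method ①) makes this branch false
        $result.ProgIdKey = $true
        # The ProgID's CLSID subkey names the class; its InprocServer32 names the DLL
        $clsid = (Get-ItemProperty "$progKey\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if ($clsid) {
            $result.Clsid = $clsid
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (Test-Path $server) {
                # After regsvr32 /u (method ③) this key is gone and Dll stays empty
                $result.Dll = (Get-ItemProperty $server).'(default)'
            }
        }
    }
    # Creation probe: the same test the ASP probe in section 3 performs
    try {
        $obj = New-Object -ComObject $ProgId -ErrorAction Stop
        $result.Creatable = $true
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($obj)
    } catch {
        # "Cannot load COM type" here corresponds to ASP's
        # "ActiveX component can't create object"
        $result.Creatable = $false
    }
    [pscustomobject]$result
}

$progIds | ForEach-Object { Test-ComComponent $_ } | Format-Table -AutoSize

# Section ④: the Workstation service should report State=Stopped, StartMode=Disabled
Get-CimInstance Win32_Service -Filter "Name='LanmanWorkstation'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```

The creation probe runs under the administrator's own account, so a component that is blocked only by permissions for the IIS worker identity may still show Creatable=True here; the authoritative check for that case is the ASP probe page in section 3, run under the application's identity.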

Of course, server security involves far more than this; here I have introduced only some of my experience in dealing with ASP Trojans and webshells. In the next article, we will introduce how to simply prevent others from executing commands such as NET user on the server, how to prevent overflow attacks from obtaining a cmdshell, and the simplest and most effective precautions against adding users, changing NTFS settings, terminal logins, and so on.

About the author: Lee Paolin (leebolin), senior system engineer and professional network security advisor, has successfully provided complete network security solutions for many large and medium-sized enterprises and ISPs. He specializes in overall network security program design, large-scale network engineering planning, and complete overall security solutions for server series.


