ASP Trojan prevention (repost)

Source: Internet
Author: User
ASP Trojans and webshells:
Note: The settings and environment described in this article apply to Microsoft Windows 2000 Server / Windows Server 2003 with IIS 5.0 / IIS 6.0.
1. First, which ASP components do ASP Trojans and webshells actually use? We take the Ocean ASP webshell as the example:
<Object runat="server" id="ws"  scope="page" classid="CLSID:72C24DD5-D70A-438B-8A42-98424B88AFB8"></Object>
<Object runat="server" id="ws"  scope="page" classid="CLSID:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></Object>
<Object runat="server" id="Net" scope="page" classid="CLSID:093FF999-1EA0-4079-9525-9614C3504B74"></Object>
<Object runat="server" id="Net" scope="page" classid="CLSID:F935DC26-1CF0-11D0-ADB9-00C04FD58A0B"></Object>
<Object runat="server" id="FSO" scope="page" classid="CLSID:0D43FE01-F093-11CF-8940-00A0C9054228"></Object>

shellstr = "shell"
applicationstr = "application"
If cmdpath = "wscriptshell" Then   ' the body of this branch is not part of the excerpt
' The ProgID "Shell.Application" is assembled by concatenation, so a filter that only
' looks for the literal string will not see it.
Set sa = Server.CreateObject(shellstr & "." & applicationstr)
Set streamt = Server.CreateObject("ADODB.Stream")
Set domainobject = GetObject("WinNT://.")
The above are the relevant lines from the Ocean webshell. From them it is easy to see that ASP Trojans and webshells mainly rely on the following ASP components:
① WScript.Shell (classid: 72C24DD5-D70A-438B-8A42-98424B88AFB8)
② WScript.Shell.1 (classid: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)
③ WScript.Network (classid: 093FF999-1EA0-4079-9525-9614C3504B74)
④ WScript.Network.1 (classid: F935DC26-1CF0-11D0-ADB9-00C04FD58A0B)
⑤ FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228)
⑥ ADODB.Stream (classid: 00000566-0000-0010-8000-00AA006D2EA4)
⑦ Shell.Application ....
Now we know who poses the most serious threat to our IIS web server! Let's get to work.
2. Solution:
① Delete or rename the following dangerous ASP components:
WScript.Shell, WScript.Shell.1, WScript.Network, WScript.Network.1, ADODB.Stream, Shell.Application
Start -> Run -> regedit opens the Registry Editor. Press Ctrl+F and search in turn for each component name listed above (WScript.Shell and so on) and for its corresponding ClassID, then delete or rename the keys you find. We recommend renaming: if some of your web ASP programs use these components, you only need to use the new component name when writing the ASP code. If you are sure your ASP programs do not use these components, delete them instead.
After deleting or renaming, run iisreset to restart IIS so the change takes effect.
[Note: ADODB.Stream is used by many web pages, so if your server provides shared virtual hosting we recommend handling this component with care.]
② FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228) is the well-known FSO security issue. If your server must use FSO (shared virtual hosting servers usually need it), refer to the separate article on FSO hardening, "Microsoft Windows 2000 Server FSO Security Risk Solutions". If you are sure you do not use this component, simply unregister it.
③ Unregister and uninstall the dangerous components directly (for those who do not want to use method ① or ②):
Uninstall the WScript.Shell object: run regsvr32 /u %windir%\system32\wshom.ocx in cmd.
Uninstall the FSO object: run regsvr32.exe /u %windir%\system32\scrrun.dll in cmd.
Uninstall the Stream object: run regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll" in cmd, or directly
To restore a component, drop the /u switch and register it again, for example regsvr32.exe %windir%\system32\scrrun.dll.
④ The webshell uses Set domainobject = GetObject("WinNT://.") to obtain the server's process, service and user information. This relies on the Workstation service (lanmanworkstation, described as "provides network connections and communications"), which you can stop and disable. After that, the webshell's process listing comes back blank.
3. After handling the dangerous ASP components with methods 1 and 2 above, I tested with Ajiang's ASP probe: the "server CPU details" and "server operating system" fields could not be read at all and came back blank. Testing WScript.Shell from the Ocean webshell to run a CMD command gave the error "ActiveX component can't create object". Nobody needs to worry any more about ASP Trojans compromising the server system.
Of course, this alone is far from enough for server security; here we have only shared some experience in dealing with ASP Trojans and webshells. In the next article we will show how to simply prevent others from running commands such as net user on the server, how to stop overflow attacks from yielding a shell, and the simplest and most effective ways to prevent users from being added and to harden NTFS settings and terminal logon.
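As an added example (not from the article or the webshell), a PowerShell audit that checks the outcome of steps ① to ③ and the test in section 3: whether each listed component's ProgID and CLSID are still registered, which DLL backs it, and whether it can still be instantiated. The component table, the Scripting.FileSystemObject ProgID, the Registry:: paths and the CreateInstance-by-CLSID check are my assumptions, not the article's:

```powershell
# Added audit script, not part of the original article. For each component the article
# names it reports whether its ProgID and CLSID keys still exist, which DLL the CLSID
# loads, and whether the object can still be created by ProgID and by CLSID. The CLSID
# check matters: the webshell excerpt above uses <object classid=...>, not the ProgID.
# Assumes PowerShell 3.0+ run elevated on the IIS host (a 32-bit application pool on
# 64-bit Windows would also need the Wow6432Node view of these keys; not covered here).
$components = @(
    @{ ProgId = 'WScript.Shell';              Clsid = '{72C24DD5-D70A-438B-8A42-98424B88AFB8}' },
    @{ ProgId = 'WScript.Shell.1';            Clsid = '{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}' },
    @{ ProgId = 'WScript.Network';            Clsid = '{093FF999-1EA0-4079-9525-9614C3504B74}' },
    @{ ProgId = 'WScript.Network.1';          Clsid = '{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}' },
    @{ ProgId = 'Scripting.FileSystemObject'; Clsid = '{0D43FE01-F093-11CF-8940-00A0C9054228}' },
    @{ ProgId = 'ADODB.Stream';               Clsid = '{00000566-0000-0010-8000-00AA006D2EA4}' },
    @{ ProgId = 'Shell.Application';          Clsid = $null }   # resolved from the ProgID key below
)
function Test-ComComponent {
    param([string]$ProgId, [string]$Clsid)
    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not $Clsid -and (Test-Path "$progKey\CLSID")) {
        $Clsid = (Get-ItemProperty "$progKey\CLSID").'(default)'
    }
    $clsidKey = $null; $dll = $null
    if ($Clsid) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
        if (Test-Path "$clsidKey\InprocServer32") {
            $dll = (Get-ItemProperty "$clsidKey\InprocServer32").'(default)'
        }
    }
    # On a hardened host both creation attempts should fail with "Class not registered".
    $byProgId = $true
    try { $null = New-Object -ComObject $ProgId -ErrorAction Stop } catch { $byProgId = $false }
    $byClsid = $false
    if ($Clsid) {
        try {
            $null = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]$Clsid))
            $byClsid = $true
        } catch { }
    }
    [pscustomobject]@{
        ProgId      = $ProgId
        ProgIdKey   = (Test-Path $progKey)
        Clsid       = $Clsid
        ClsidKey    = [bool]($clsidKey -and (Test-Path $clsidKey))
        Dll         = $dll
        NewByProgId = $byProgId
        NewByClsid  = $byClsid
    }
}
$components | ForEach-Object { Test-ComComponent -ProgId $_.ProgId -Clsid $_.Clsid } | Format-Table -AutoSize
```

A row with NewByClsid still True after you only renamed the ProgID shows exactly the gap the <object classid> lines exploit; the CLSID key or the DLL registration has to go as well.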

If that seems a bit messy, here is a checklist:

1. Delete the following registry keys:
WScript.Shell
WScript.Shell.1
Shell.Application
Shell.Application.1
WScript.Network
WScript.Network.1

2. Unregister the following components:

regsvr32 /u wshom.ocx  (press Enter)
regsvr32 /u wshext.dll (press Enter)

3. Windows 2003 hard disk security settings (NTFS permissions)

C:\
  Administrators: Full control
  SYSTEM: Full control
  IIS_WPG (this folder only): List folder / read data, Read attributes, Read extended attributes, Read permissions

C:\Inetpub\mailroot
  Administrators: Full control
  SYSTEM: Full control
  SERVICE: Full control

C:\Inetpub\ftproot
  Everyone: Read & execute (read-only)

C:\Windows
  Administrators: Full control
  CREATOR OWNER: Full control, not inherited, applies to subfolders and files only
  Power Users: Modify, Read & execute, List folder contents, Read, Write
  SYSTEM: Full control
  IIS_WPG: Read & execute, List folder contents, Read
  Users: Read & execute (this permission can be removed once everything has been adjusted)

C:\Windows\Microsoft.NET
  Administrators: Full control
  CREATOR OWNER: Full control, not inherited, applies to subfolders and files only
  Power Users: Modify, Read & execute, List folder contents, Read, Write
  SYSTEM: Full control
  Users: Read & execute, List folder contents, Read

C:\Windows\Microsoft.NET\Temporary ASP.NET Files
  Administrators: Full control
  CREATOR OWNER: Full control, not inherited, applies to subfolders and files only
  Power Users: Modify, Read & execute, List folder contents, Read, Write
  SYSTEM: Full control
  Users: Full control
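As an added example (my code, not the article's), a PowerShell check that reads the live ACLs on the paths listed above and prints every Allow entry that gives one of the low-privilege identities write-class rights, so the result can be compared with the settings table. The path list, the identity list and the write mask are my assumptions:

```powershell
# Added check, not from the original article. Walks the paths the article hardens and
# prints every Allow ACE that gives one of the low-privilege identities write-class
# rights, for comparison against the settings listed above. Rows the article itself
# grants (Power Users: Modify on C:\Windows, Users: Full control on Temporary ASP.NET
# Files) are expected; anything else deserves a look. Assumes PowerShell 3.0+ and
# English identity names; IIS_WPG is the IIS 6 worker-process group used above.
$paths = @(
    'C:\', 'C:\Inetpub\mailroot', 'C:\Inetpub\ftproot', 'C:\Windows',
    'C:\Windows\Microsoft.NET', 'C:\Windows\Microsoft.NET\Temporary ASP.NET Files'
)
$watch = @('IIS_WPG', 'Users', 'Everyone', 'Power Users')

function Get-WriteAces {
    param([string[]]$Paths, [string[]]$Identities)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Everything beyond read/list/execute: write or append data, delete, change ACL or owner.
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles)
    $writeMask = $writeMask -bor [int]($fsr::ChangePermissions -bor $fsr::TakeOwnership)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $name = ($ace.IdentityReference.Value -split '\\')[-1]   # drop BUILTIN\, NT AUTHORITY\
            if ($Identities -notcontains $name) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WriteAces -Paths $paths -Identities $watch | Format-Table -AutoSize
```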
