Save the following as a .BAT file (Windows 2000 is used as the example; on Windows Server 2003 the system folder is C:\WINDOWS\ instead of C:\WINNT\):
 
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\System32\shell32.dll
del C:\WINNT\System32\shell32.dll
 
Running it unregisters WScript.Shell and WScript.Network (both implemented in wshom.ocx) and Shell.Application (shell32.dll). You may be told that the files cannot be deleted; that is expected for protected system files and does not matter, since it is the unregistration that disables the components. Restart the server and the webshell's component check will report all three as "× Security" (unavailable). One caveat: shell32.dll implements the Windows shell itself (Explorer, common dialogs and many other shell COM classes), not just the Shell.Application object, so unregistering or deleting it has much wider effects than disabling that one component. The registry renaming described later in this article is the safer way to deal with Shell.Application.
 
How to unregister objects such as WScript.Shell
 
 
1. Unregister the WScript.Shell object
Run in cmd: regsvr32 /u wshom.ocx (this also removes WScript.Network, which lives in the same file).
 
 
2. Unregister the FSO object
Run in cmd: regsvr32 /u scrrun.dll (note that scrrun.dll also provides Scripting.Dictionary, which many ASP applications use; it goes away as well).
 
 
3. Unregister the Stream object
Run in cmd:

regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll"

Be aware that msado15.dll is the whole ADO library (ADODB.Connection, ADODB.Recordset and so on), not just ADODB.Stream, so every ASP application that uses ADO for database access stops working. To re-enable it, run the same command without the /u switch.
 
Disable WScript.Shell
To stop viruses of this kind, uninstall Windows Script Host.
The steps are: My Computer → Control Panel → Add/Remove Programs → Windows Setup → Accessories → Details → untick Windows Scripting Host → OK. There is also a simpler method: type the following two commands in turn: regsvr32 /u wshom.ocx (Enter), then regsvr32 /u wshext.dll (Enter). These remove the registration of the WSH objects from the registry, so viruses that depend on those objects cannot run because the objects can no longer be found.
 
 
 
Methods to block the WScript.Shell component:

You can change the component's name by editing the registry.
Rename HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\ to something else, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName. Your own ASP code can then still create the component, by using the new name.

Also change the CLSID value:
the (default) value under HKEY_CLASSES_ROOT\WScript.Shell\CLSID\ and under HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\. Renaming the ProgID alone is not enough, because a Trojan can create the object by CLSID instead of by name.
Alternatively, delete the keys entirely, which removes the component and prevents the Trojan from using it.
 
Methods to block the Shell.Application component:
You can change the component's name by editing the registry.
Rename HKEY_CLASSES_ROOT\Shell.Application\ and HKEY_CLASSES_ROOT\Shell.Application.1\
to something else, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own ASP code can then still create the component, by using the new name.

Also change the CLSID value:
the (default) value under HKEY_CLASSES_ROOT\Shell.Application\CLSID\ and under HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\.
Alternatively, delete the keys entirely, which removes the component and prevents the Trojan from using it.
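The renaming described above for WScript.Shell and Shell.Application, as an added PowerShell example that is not code from the original article. It renames the ProgID keys and also moves the CLSID keys to freshly generated GUIDs, then points each renamed ProgID at its moved CLSID, so that neither Server.CreateObject("WScript.Shell") nor an <object classid="clsid:..."> tag can instantiate the component, while code that uses the renamed ProgID still works. The suffix, the mapping-file location and the generated replacement GUIDs are choices made here; the CLSIDs themselves are read from the registry rather than hard-coded.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): hide WScript.Shell and
# Shell.Application from ASP Trojans by renaming ProgID *and* CLSID keys.
# Run again with -Restore to undo, using the mapping file written on the way out.
param(
    [switch]$Restore,
    [string[]]$ProgIds = @('WScript.Shell', 'WScript.Shell.1',
                           'Shell.Application', 'Shell.Application.1'),
    [string]$Suffix  = '_ChangeName',                        # assumed suffix
    [string]$MapFile = "$env:ProgramData\com-rename-map.json" # assumed location
)

$ErrorActionPreference = 'Stop'
$HKCR = 'Registry::HKEY_CLASSES_ROOT'   # HKCR is not a default PSDrive

function Get-DefaultValue([string]$Key) {
    (Get-ItemProperty -Path $Key).'(default)'
}

if (-not $Restore) {
    $map      = @()
    $clsidMap = @{}   # old CLSID -> new CLSID; Shell.Application and .1 share one CLSID
    foreach ($p in $ProgIds) {
        if (-not (Test-Path "$HKCR\$p")) { Write-Warning "$p is not registered, skipping"; continue }
        $old = Get-DefaultValue "$HKCR\$p\CLSID"

        # Move the CLSID key once per distinct CLSID so classid-based creation fails.
        if (-not $clsidMap.ContainsKey($old)) {
            $new = [guid]::NewGuid().ToString('B').ToUpper()   # "{XXXXXXXX-...}"
            if (Test-Path "$HKCR\CLSID\$old") {
                Rename-Item -Path "$HKCR\CLSID\$old" -NewName $new
            }
            $clsidMap[$old] = $new
        }

        # Rename the ProgID and point it at the moved CLSID so legitimate ASP
        # code using the new name (e.g. WScript.Shell_ChangeName) still works.
        $newProgId = "$p$Suffix"
        Rename-Item -Path "$HKCR\$p" -NewName $newProgId
        Set-Item -Path "$HKCR\$newProgId\CLSID" -Value $clsidMap[$old]

        $map += @{ ProgId = $p; NewProgId = $newProgId; OldClsid = $old; NewClsid = $clsidMap[$old] }
        Write-Host "$p -> $newProgId   $old -> $($clsidMap[$old])"
    }
    ConvertTo-Json -InputObject @($map) | Set-Content -Path $MapFile
    Write-Host "Mapping saved to $MapFile; run iisreset so running worker processes pick this up."
}
else {
    $map = Get-Content -Path $MapFile -Raw | ConvertFrom-Json
    foreach ($m in $map) {
        Rename-Item -Path "$HKCR\$($m.NewProgId)" -NewName $m.ProgId
        Set-Item    -Path "$HKCR\$($m.ProgId)\CLSID" -Value $m.OldClsid
        # Shared CLSIDs were moved once, so only rename back if still at the new name.
        if (Test-Path "$HKCR\CLSID\$($m.NewClsid)") {
            Rename-Item -Path "$HKCR\CLSID\$($m.NewClsid)" -NewName $m.OldClsid
        }
        Write-Host "restored $($m.ProgId)"
    }
}
```

Export the affected keys with reg export before the first run, and keep the mapping file somewhere the web application identity cannot read, since it reveals the new names. The article targets 32-bit Windows 2000/2003; on 64-bit hosts with 32-bit application pools the same keys also exist under HKEY_CLASSES_ROOT\Wow6432Node\CLSID and must be handled as well.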
 
<object runat="server" id="ws" scope="page" classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<object runat="server" id="ws" scope="page" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<object runat="server" id="net" scope="page" classid="clsid:093FF999-1EA0-4079-9525-9614C3504B74"></object>
<object runat="server" id="net" scope="page" classid="clsid:F935DC26-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<object runat="server" id="fso" scope="page" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>

ShellStr = "Shell"
ApplicationStr = "Application"
If YourPath = "wscriptShell" ...   (this condition is cut off in the original)
Set SA = Server.CreateObject(ShellStr & "." & ApplicationStr)
Set StreamT = Server.CreateObject("ADODB.Stream")
Set DomainObject = GetObject("WinNT://.")
The above is the relevant code from the "ocean" (Haiyang) ASP Trojan. Two details are worth noticing: the WScript and FSO objects are created by CLSID in <object> tags, so renaming only the ProgID in the registry does not stop them, and the Shell.Application ProgID is assembled from two strings so that a simple keyword search of the ASP source for "Shell.Application" finds nothing. From this code it is easy to see that ASP Trojans and webshells rely mainly on the following ASP components:
 
① WScript.Shell (classid: 72C24DD5-D70A-438B-8A42-98424B88AFB8)
② WScript.Shell.1 (classid: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)
③ WScript.Network (classid: 093FF999-1EA0-4079-9525-9614C3504B74)
④ WScript.Network.1 (classid: F935DC26-1CF0-11D0-ADB9-00C04FD58A0B)
⑤ Scripting.FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228)
⑥ ADODB.Stream (classid: 00000566-0000-0010-8000-00AA006D2EA4)
⑦ Shell.Application ....
 
Heh, now we know which components pose the most serious threat to our IIS web server. Let's get to work...
 
 
 
2. Solution:
 
 
① Delete or rename the following dangerous ASP components:

WScript.Shell, WScript.Shell.1, WScript.Network, WScript.Network.1, ADODB.Stream, Shell.Application
Start → Run → regedit to open the Registry Editor, press Ctrl+F and search in turn for each component name listed above (WScript.Shell and so on) and for its ClassID, then delete or rename what you find. Renaming is recommended: if some of your ASP applications use these components, you can write your ASP code against the new names. If you are sure none of your ASP programs use them, delete them outright; the components will then simply be unavailable. After deleting or renaming, run iisreset to restart IIS so the change takes effect.
 
[Note: ADODB.Stream is used by a great many web pages, so if your server provides shared (virtual) hosting, handle it with care.]
 
② Regarding Scripting.FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228), this is the well-known FSO security issue. If your server must keep FSO (shared-hosting servers usually need it), refer to the separate article on FSO security: Microsoft Windows 2000 Server FSO Security Risk Solutions. If you are sure you do not use this component, you can simply unregister it.
 
③ Directly unregister and uninstall these dangerous components (for those who do not want to use method ① or ②):
To unregister the WScript.Shell object, run in cmd: regsvr32 /u %windir%\system32\wshom.ocx
To unregister the FSO object, run in cmd: regsvr32.exe /u %windir%\system32\scrrun.dll
To unregister the Stream object, run in cmd: regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll", or directly
To restore any of them, run the same command without /u to register the component again, for example regsvr32.exe %windir%\system32\scrrun.dll.
 
④ The webshell uses Set DomainObject = GetObject("WinNT://.") to read the server's process, service and user information. You can stop and disable the Workstation service (service name Lanmanworkstation, described as "provides network connections and communications"). After that, the webshell's process listing comes back empty.
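To verify the whole procedure above, the following added PowerShell example (not code from the original article) tries to create each component the ocean webshell uses, once by ProgID, the way Server.CreateObject does, and once by CLSID, the way an <object classid="clsid:..."> tag does. A component is only really blocked when both columns say "blocked"; a ProgID that was renamed while its CLSID key is still in place will show "blocked" by ProgID but "CREATED" by CLSID. The CLSIDs listed are the well-known ones; run it on the IIS host, ideally under the identity the ASP application runs as.

```powershell
# Added example (not from the original article): check which ASP Trojan
# components can still be instantiated after hardening.
$Checks = @(
    @{ ProgId = 'WScript.Shell';             Clsid = '72C24DD5-D70A-438B-8A42-98424B88AFB8' },
    @{ ProgId = 'WScript.Shell.1';           Clsid = 'F935DC22-1CF0-11D0-ADB9-00C04FD58A0B' },
    @{ ProgId = 'WScript.Network';           Clsid = '093FF999-1EA0-4079-9525-9614C3504B74' },
    @{ ProgId = 'WScript.Network.1';         Clsid = 'F935DC26-1CF0-11D0-ADB9-00C04FD58A0B' },
    @{ ProgId = 'Scripting.FileSystemObject'; Clsid = '0D43FE01-F093-11CF-8940-00A0C9054228' },
    @{ ProgId = 'ADODB.Stream';              Clsid = '00000566-0000-0010-8000-00AA006D2EA4' },
    @{ ProgId = 'Shell.Application';         Clsid = '13709620-C279-11CE-A49E-444553540000' }
)

function Test-ComProgId([string]$ProgId) {
    # Same lookup path as Server.CreateObject("ProgID"): HKCR\ProgID\CLSID -> HKCR\CLSID\{...}
    try {
        $o = New-Object -ComObject $ProgId
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o)
        $true
    } catch { $false }
}

function Test-ComClsid([string]$Clsid) {
    # Same path as <object classid="clsid:...">: the ProgID is never consulted.
    try {
        $t = [type]::GetTypeFromCLSID([guid]$Clsid)   # succeeds even if unregistered
        $o = [Activator]::CreateInstance($t)           # fails here if the CLSID key is gone
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o)
        $true
    } catch { $false }
}

$results = $Checks | ForEach-Object {
    [pscustomobject]@{
        Component = $_.ProgId
        ByProgId  = if (Test-ComProgId $_.ProgId) { 'CREATED' } else { 'blocked' }
        ByClsid   = if (Test-ComClsid  $_.Clsid)  { 'CREATED' } else { 'blocked' }
    }
}

$results | Format-Table -AutoSize
$exposed = @($results | Where-Object { $_.ByProgId -eq 'CREATED' -or $_.ByClsid -eq 'CREATED' })
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) component(s) can still be instantiated by an ASP page."
}
```

The "blocked" result in the ByProgId column corresponds to the "ActiveX component can't create object" error an ASP page receives; if you keep a renamed ProgID for your own use, add it to $Checks to confirm it still creates.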
 
3. After handling the dangerous ASP components with methods 1 and 2 above, I tested with ajiang's ASP probe: "Server CPU details" and "Server operating system" could no longer be retrieved and came back blank. Running a cmd command through the WScript.Shell test in the ocean webshell produced the error "ActiveX component can't create object". So we no longer need to worry about ASP Trojans compromising the server through these components.
 
 
Author: guanwei blog