Windows does not allow files or folders to be given any of the following reserved device names:
Aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9
Such a file can nevertheless be created from cmd with the copy command, by addressing the destination through the \\.\ device-path prefix:
D:\wwwroot>copy rootkit.asp \\.\d:\wwwroot\lpt6.80sec.asp
        1 file(s) copied.
D:\wwwroot>dir
2010-04-25 14:41 <DIR> .
2010-04-25 14:41 <DIR> ..
2010-03-08 22:50 42,756 aux.asp
2005-05-02 03:02 9,083 index.asp
2010-03-08 22:50 42,756 rootkit.asp
Note: the destination path must be prefixed with \\.\ for the copy to succeed.
This type of file cannot be deleted in the graphical interface.
Solutions
It can only be deleted from the command line, again using the \\.\ prefix:
d:\wwwroot>del \\.\d:\wwwroot\lpt6.80sec.asp
IIS, however, still parses and executes this file successfully as an ASP page.
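As an added example (not from the original post), the following Python script sweeps a web root for filenames that Windows treats as reserved device names, applying the same rule Windows does (the part of the name before the first dot, compared case-insensitively), and reports the \\.\ device path needed to delete each hit. The directory listing in the demo is constructed from the dir output above plus some look-alike names.

```python
"""Sweep a web root for files whose names are Windows reserved device names.

Added example, not part of the original post. Such files (e.g. lpt6.80sec.asp)
cannot be removed from Explorer and are still served by IIS, so a webshell
hunt should flag them and report the \\.\ device path needed to delete them.
"""
import os
from typing import Iterable, List

# The reserved names listed above. Windows compares case-insensitively and
# only looks at the part of the filename before the first dot, with trailing
# spaces trimmed, so 'LPT6.80sec.asp' and 'aux.asp' both count.
RESERVED = ({"aux", "prn", "con", "nul"}
            | {f"com{i}" for i in range(1, 10)}
            | {f"lpt{i}" for i in range(1, 10)})


def is_reserved_name(filename: str) -> bool:
    """True if Windows would treat this filename as a reserved device name."""
    stem = filename.partition(".")[0].rstrip(" ")
    return stem.lower() in RESERVED


def device_path(absolute_path: str) -> str:
    r"""Prefix an absolute Windows path with \\.\ so copy/del can address it."""
    return "\\\\.\\" + absolute_path


def find_reserved_names(filenames: Iterable[str]) -> List[str]:
    """Return, in listing order, the filenames that are reserved device names."""
    return [name for name in filenames if is_reserved_name(name)]


def scan_webroot(root: str) -> List[str]:
    """Walk a real directory tree (run on the Windows host) and return the
    device paths of every file with a reserved name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in find_reserved_names(files):
            hits.append(device_path(os.path.join(dirpath, name)))
    return hits


if __name__ == "__main__":
    # Constructed listing modelled on the dir output above, plus look-alikes
    # that are NOT reserved (console.asp, com10.asp) to show the rule's edges.
    listing = ["aux.asp", "index.asp", "rootkit.asp", "lpt6.80sec.asp",
               "console.asp", "com10.asp", "CON"]
    for name in find_reserved_names(listing):
        print("reserved name:", name, "->", device_path("d:\\wwwroot\\" + name))
```

Note that aux.asp from the dir listing above is itself a reserved-name file and gets flagged alongside lpt6.80sec.asp.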
Here are some precautions against webshells.
① Delete or rename the following dangerous ASP components:
Wscript.Shell, WSCRIPT.SHELL.1, Wscript.Network, Wscript.network.1, ADODB.stream, shell.application
Start -> Run -> regedit opens the Registry Editor. Press Ctrl+F, search for the component name above (for example Wscript.Shell) and its corresponding CLSID, then delete the entry or change its name. (Renaming is recommended: if some ASP pages on the server use these components, they keep working once their ASP code is changed to the new component name. If you are certain your ASP programs do not use these components, you can simply delete them; ordinary pages generally do not use them. After deleting or renaming, run IISReset; the change takes effect once IIS has restarted.)
[Note: many web pages use the ADODB.Stream component, so if your server hosts virtual hosts, handle it according to your situation.]
② On securing the FSO, i.e. the File System Object (CLSID: 0d43fe01-f093-11cf-8940-00a0c9054228): if your server must use the FSO (virtual host servers generally need the FSO enabled), refer to my other article on an FSO security solution, "Microsoft Windows Server FSO security vulnerabilities solution". If you are sure you do not need it, simply unregister the component.
③ Directly unregistering (uninstalling) these dangerous components, which is practical if you do not want to go through the tedious methods in ① and ②:
To uninstall the Wscript.Shell object, run from CMD or Start -> Run: regsvr32 /u %windir%\system32\wshom.ocx
To uninstall the FSO object, run from CMD or Start -> Run: regsvr32.exe /u %windir%\system32\scrrun.dll
To uninstall the Stream object, run from CMD or Start -> Run: regsvr32 /s /u "C:\Program Files\Common Files\system\ado\msado15.dll"
To restore them, run the same commands without /u to re-register the components, for example: regsvr32.exe %windir%\system32\scrrun.dll
④ Against webshells that use Set domainobject = GetObject("winnt://.") to obtain the server's process, service and user information, you can stop and disable the Workstation service (described in the service list as providing network connections and communications; service name LanmanWorkstation). After this, the process list shown by the webshell will be blank.