Server | tricks | Trojan Horse
If your server is being plagued by an ASP Trojan, then hopefully this article will help you solve the problem you are facing.
At present, the most popular ASP Trojan horse mainly through three kinds of technology to carry out the relevant operation of the server.
first, use the FileSystemObject component
FileSystemObject can be normal operation of the file, you can modify the registry, the component renamed to prevent the harm of such Trojans.
Rename the hkey_classes_root/scripting.filesystemobject/to another name, such as: Change to Filesystemobject_changename. You can call this component normally using this when you call it later.
Also need to change the CLSID value, the value of the Hkey_classes_root/scripting.filesystemobject/clsid/item can also be deleted, to prevent the harm of such Trojans.
Unregister this component command:
Regsvr32/u C:/winnt/system32/scrrun.dll
|
Prevents the guest user from using Scrrun.dll to prevent calls to this component.
To use the command:
cacls c:/winnt/system32/scrrun.dll/e/d Guests
|
Ii. Use of Wscript.Shell components
Wscript.Shell can call the system kernel to run the DOS basic commands, you can change the registry, the component renamed to prevent the harm of such Trojans.
Hkey_classes_root/wscript.shell/and HKEY_CLASSES_ROOT/WSCRIPT.SHELL.1/renamed to other names, such as: Change to Wscript.shell_ ChangeName or Wscript.shell.1_changename. Use this to call this component when you call it later, and also change the CLSID value.
Hkey_classes_root/wscript.shell/clsid/the value of the project Hkey_classes_root/wscript.shell.1/clsid/the value of the project
|
It can also be deleted to prevent the harm of such Trojans.
Iii. Use of shell.application components
Shell.Application can call the system kernel to run the DOS basic commands, you can change the registry, the component renamed to prevent the harm of such Trojans.
hkey_classes_root/shell.application/and HKEY_CLASSES_ROOT/SHELL.APPLICATION.1/
|
Change to a different name, such as: Shell.application_changename or Shell.application.1_changename. You can call this component normally when you call it later, and also change the CLSID value:
Hkey_classes_root/shell.application/clsid/the value of the project Hkey_classes_root/shell.application/clsid/the value of the project
|
It can also be deleted to prevent the harm of such Trojans.
Prevents the guest user from using Shell32.dll to prevent calls to this component.
To use the command:
cacls c:/winnt/system32/shell32.dll/e/d Guests
|
Note: The operation will not take effect until the Web service is restarted.
Iv. Call Cmd.exe
Disable Guests group user call Cmd.exe,
cacls c:/winnt/system32/cmd.exe/e/d Guests
|
Through the above four steps to set the basic can prevent the current more popular Trojans, but the most effective way or through comprehensive security settings, the server, the security of the program to achieve a certain standard, the security level may be set higher to prevent more illegal intrusion.