How to prevent ASP Trojan

Source: Internet
Author: User
Tags anonymous file upload

ASP Trojans (webshells) usually get onto a server through a file upload vulnerability: the attacker uploads the Trojan file to the server, and once it runs it can read all the information on your system. Most ASP Trojans rely on the FSO (FileSystemObject) component to operate, although some work without FSO. To prevent ASP Trojans you must therefore attend to the following three aspects:
1. The server's permission settings
2. Proper input verification in the ASP program, so that loopholes cannot be exploited
3. Closing the related components or changing their names

Aspects 1 and 2 are covered in other articles on this site; this article mainly discusses the third aspect.

(1) Prevention of ASP Trojans written with FSO
The best method is to disable the FSO component. Click Start -> Run and enter:
regsvr32 /u C:\windows\system32\scrrun.dll
If you need this component again later, enter the following at Run to re-register it:
regsvr32 C:\windows\system32\scrrun.dll

Some articles on the web say to find the following key in the registry:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
and change it to a string of your choice (right-click -> "Rename"), for example to
HKEY_CLASSES_ROOT\Scripting.FileSystemObject2
so that ASP code must then refer to the object as
Set fso = CreateObject("Scripting.FileSystemObject2")
and can no longer use Set FSO = CreateObject("Scripting.FileSystemObject").

This method does not work, because besides being created by its ProgID, FSO can also be created by its ClassID, for example:
<object runat="Server" id="FSO" scope="page" classid="clsid:0d43fe01-f093-11cf-8940-00a0c9054228"></object>
which still works after the rename. Some therefore say to go a step further, find the key 0d43fe01-f093-11cf-8940-00a0c9054228 and delete it, but after that change FSO cannot be used at all. So the recommendation is simply to disable the component; if you need file uploads, write your own upload component, which is safer.

(2) Prevention of ASP Trojans that do not use FSO

Looking at the code of such a Trojan, we can see that its shell is created through the Shell.Application object. Simply look up the Shell.Application and Shell.Application.1 keys and the WScript.Shell and WScript.Shell.1 keys in the registry and remove them; this prevents this class of ASP Trojan. Deleting these keys does not affect your server or its ASP support, so they can be removed without concern.

Hacker websites also offer all kinds of Webshells for download: besides ASP Webshells there are CGI, PHP, JSP and other variants, which are basically the same, and some of them run commands by invoking the system's CMD.EXE. Webshells that call the server's CMD.EXE cannot run under Win2003; in testing they work only under Win2K, and under Win2003 the ASP, CGI, PHP and JSP Webshells can no longer invoke CMD.EXE. The reason is simple: under Win2K, CMD.EXE is accessible by default with anonymous and Guest privileges, whereas under Win2003 the permissions on CMD.EXE deny access to the anonymous "Everyone" identity and to the "Guests" group, so all Webshell Trojans that rely on calling CMD.EXE fail to run. This is a small step forward in Win2003 system security.
Of course, each of these objects also has a corresponding ClassID, which should likewise be found and deleted:
Wscript.Shell (CLASSID:72C24DD5-D70A-438B-8A42-98424B88AFB8)
WSCRIPT.SHELL.1 (CLASSID:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)
Wscript.Network (CLASSID:093FF999-1EA0-4079-9525-9614C3504B74)
Wscript.network.1 (CLASSID:093FF999-1EA0-4079-9525-9614C3504B74)
ADODB.stream (CLASSID:{00000566-0000-0010-8000-00AA006D2EA4})

After this processing, even if an ASP Trojan does land on your server, some of its destructive behavior will be prevented.
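As an added audit example (not part of the original article), the following PowerShell script checks, after applying the steps in sections (1) and (2), whether each of the components named above is still registered, looking at both the ProgID key and the CLSID key, and whether it can still be created. The function name is hypothetical; the script assumes it is run as an administrator on the IIS server, and the Shell.Application CLSID, which the article does not list, is resolved from the registry at run time.

```powershell
# Added audit script, not from the original article. Renaming a ProgID alone
# does not stop creation via <object classid="clsid:..."> or by CLSID, so both
# keys are checked. On 64-bit Windows only the native registry view is checked
# (32-bit registrations also live under HKCR\Wow6432Node\CLSID).
$components = @(
    @{ ProgId = 'Scripting.FileSystemObject'; Clsid = '{0D43FE01-F093-11CF-8940-00A0C9054228}' },
    @{ ProgId = 'WScript.Shell';              Clsid = '{72C24DD5-D70A-438B-8A42-98424B88AFB8}' },
    @{ ProgId = 'WScript.Shell.1';            Clsid = '{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}' },
    @{ ProgId = 'WScript.Network';            Clsid = '{093FF999-1EA0-4079-9525-9614C3504B74}' },
    @{ ProgId = 'Shell.Application';          Clsid = $null },  # not listed in the article; resolved below
    @{ ProgId = 'ADODB.Stream';               Clsid = '{00000566-0000-0010-8000-00AA006D2EA4}' }
)

function Test-AspTrojanComponent {
    # Hypothetical helper: returns one result row for a single COM component.
    param([string]$ProgId, [string]$Clsid)
    $progIdKey     = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    $progIdPresent = Test-Path -LiteralPath $progIdKey
    if (-not $Clsid -and $progIdPresent) {
        # Resolve the CLSID from the default value of the ProgID's CLSID subkey.
        $clsidSub = Get-Item -LiteralPath "$progIdKey\CLSID" -ErrorAction SilentlyContinue
        if ($clsidSub) { $Clsid = $clsidSub.GetValue('') }
    }
    $clsidPresent = $false
    if ($Clsid) {
        $clsidPresent = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    }
    # The definitive check: can the object still be instantiated by ProgID?
    $creatable = $true
    try   { [void](New-Object -ComObject $ProgId -ErrorAction Stop) }
    catch { $creatable = $false }
    [pscustomobject]@{
        ProgId        = $ProgId
        ProgIdPresent = $progIdPresent
        Clsid         = $Clsid
        ClsidPresent  = $clsidPresent
        Creatable     = $creatable
    }
}

$components |
    ForEach-Object { Test-AspTrojanComponent -ProgId $_.ProgId -Clsid $_.Clsid } |
    Format-Table -AutoSize
```

Any row with Creatable set to True (or with a CLSID key still present) means the corresponding step from the article has not taken effect on this server.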

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
