Prevent web shell attacks

Source: Internet
Author: User

Source: http://fox.he100.com/

I have administered virtual hosts for a year and have picked up some knowledge about preventing web shells on Windows NT, so here I pull together a few articles that explain how to do it. Common web shells are written in ASP, PHP and Perl. The popular ones at the moment are Haiyang Top Net ASP Trojan 2005, Guilin Veteran's ASP Webmaster Assistant (I am not sure whether it even counts as a web shell, haha), Blue Screen ASP Trojan (somewhat dated by now), Security Angel's phpspy2005, Coffee's PHP File Manager 1.6, and cmd.cgi (I am not familiar with Perl; this is the only one I know). This article aims to defend against these web shells.
To block them, the first step is to set server permissions so that the web process cannot reach anything it is not authorized for. For details on server permission settings, see the IIS FAQ
(http://fox.he100.com/showart.asp?art_id=121&cat_id=1). The relevant section is quoted directly below.

9. How can I run IIS with the minimum NTFS permissions?
Perform the following steps in order:
A. The entire hard disk (each volume root):
SYSTEM: Full Control
Administrators: Full Control
(Allow inheritable permissions from the parent to propagate to this object)

B. Program Files\Common Files:
Everyone: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

C. Inetpub\wwwroot:
IUSR_machinename: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

E. WINNT\system32:
For every subdirectory except inetsrv and certsrv,
clear the "Allow inheritable permissions from the parent to propagate to this object" check box and choose "Copy" when prompted.
F. WINNT:
For every subdirectory except Downloaded Program Files, Help, IIS Temporary Compressed Files,
Offline Web Pages, system32, Tasks, Temp and Web,
clear the "Allow inheritable permissions from the parent to propagate to this object" check box and choose "Copy" when prompted.

G. WINNT:
Everyone: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

H. WINNT\temp (needed so ASP pages can open an Access database and display it):
Everyone: Modify
(Allow inheritable permissions from the parent to propagate to this object)

In addition, set the permissions on cmd.exe, net.exe, net1.exe, ping.exe, netstat.exe, ftp.exe and tftp.exe so that only Administrators may run them. This keeps a web shell from using the command line to change permissions or pull in further tools.
Next, remove the components that ASP web shells rely on; ordinary virtual-host customers do not use them.
Many articles on preventing ASP Trojans say the FileSystemObject component should be deleted, but many ASP programs stop working without it. In fact, once the permission work above is done, FileSystemObject can only operate on files in the site's own directory and poses no real threat.
The more dangerous components are Shell.Application and WScript.Shell. Shell.Application can manipulate files and launch programs (the original claims it cannot pass parameters, but its ShellExecute method does accept an arguments parameter, so treat it as able to run arbitrary commands), while WScript.Shell can edit the registry and run DOS commands.
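Steps A to H above, together with the restriction on the command-line tools, can be applied from a script instead of the Explorer dialogs. The following is an added example, not code from the IIS FAQ or from this article. It uses PowerShell with icacls (present on Windows Vista/Server 2008 and later; on Windows 2000 the equivalent tool is cacls with a different syntax). The directory names, the IUSR_<machine name> account and the step E/F exclusion lists are taken from the text; the Test-WebWritable function is an addition that lists every directory where a broad or web-facing identity can still write, which is exactly the foothold a web shell needs.

```powershell
# Added example, not from the original article. Applies the minimal NTFS layout
# (steps A-H) with icacls and restricts the command-line tools named in the text.
# Assumptions: %SystemRoot% is the article's WINNT directory, the web root is
# %SystemDrive%\Inetpub\wwwroot, and the anonymous account is IUSR_<machine>.
# On Vista and later the tools under system32 are owned by TrustedInstaller, so
# "takeown /f <file>" must precede the icacls call on each of them.
# Run elevated, and test on a non-production host first: a wrong ACE here can
# lock the OS out of its own files.

$WinDir   = $env:SystemRoot
$SysDrive = $env:SystemDrive
$WebRoot  = Join-Path $SysDrive 'Inetpub\wwwroot'
$Iusr     = "IUSR_$env:COMPUTERNAME"

function Invoke-Icacls {
    # Thin wrapper so every ACL change is logged and a failure stops the script.
    param([string[]]$IcaclsArgs)
    Write-Host "icacls $($IcaclsArgs -join ' ')"
    & icacls.exe @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on: $($IcaclsArgs -join ' ')" }
}

function Set-MinimalIisAcl {
    # A. volume roots: SYSTEM and Administrators full control, Everyone removed.
    foreach ($vol in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' })) {
        Invoke-Icacls @($vol.Root, '/remove:g', 'Everyone',
            '/grant', 'SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F')
    }
    # B. Program Files\Common Files: Everyone read & execute (covers list + read).
    Invoke-Icacls @("$env:ProgramFiles\Common Files", '/grant', 'Everyone:(OI)(CI)RX')
    # C. Inetpub\wwwroot: the anonymous web account gets read & execute only.
    Invoke-Icacls @($WebRoot, '/grant', "${Iusr}:(OI)(CI)RX")
    # E. system32 subdirectories except inetsrv and certsrv: stop inheriting and
    #    keep the current ACEs as explicit ones ("Copy" in the dialog).
    Get-ChildItem (Join-Path $WinDir 'system32') -Directory |
        Where-Object { $_.Name -notin @('inetsrv', 'certsrv') } |
        ForEach-Object { Invoke-Icacls @($_.FullName, '/inheritance:d') }
    # F. WINNT subdirectories except the list in the text: same treatment.
    $keep = @('Downloaded Program Files', 'Help', 'IIS Temporary Compressed Files',
              'Offline Web Pages', 'system32', 'Tasks', 'Temp', 'Web')
    Get-ChildItem $WinDir -Directory |
        Where-Object { $_.Name -notin $keep } |
        ForEach-Object { Invoke-Icacls @($_.FullName, '/inheritance:d') }
    # G. WINNT itself: Everyone read & execute.
    Invoke-Icacls @($WinDir, '/grant', 'Everyone:(OI)(CI)RX')
    # H. WINNT\temp: Everyone modify, so Access databases opened from ASP work.
    Invoke-Icacls @((Join-Path $WinDir 'temp'), '/grant', 'Everyone:(OI)(CI)M')
    # Command-line tools: explicit ACL, Administrators and SYSTEM only.
    foreach ($tool in 'cmd.exe', 'net.exe', 'net1.exe', 'ping.exe', 'netstat.exe', 'ftp.exe', 'tftp.exe') {
        $path = Join-Path $WinDir "system32\$tool"
        if (Test-Path $path) {
            Invoke-Icacls @($path, '/inheritance:r', '/grant', 'BUILTIN\Administrators:F', 'SYSTEM:F')
        }
    }
}

function Test-WebWritable {
    # Lists every directory under $Root on which a broad or web-facing identity
    # holds an Allow ACE carrying write rights. An empty result is the goal.
    param([string]$Root = $SysDrive)
    $webIds = 'Everyone|\\Users$|Guests|IUSR|IWAM|IIS_IUSRS|APPLICATION POOL'
    Get-ChildItem $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $bad = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $webIds -and
                $_.FileSystemRights -match 'Write|Modify|FullControl|AppendData|CreateFiles'
            }
            if ($bad) {
                [pscustomobject]@{ Path = $_.FullName; Identity = ($bad.IdentityReference.Value -join ',') }
            }
        }
}

Set-MinimalIisAcl
Test-WebWritable -Root $WebRoot | Format-Table -AutoSize
```

Run Test-WebWritable against the whole system drive as well once the site works; WINNT\temp (step H) is the one directory it is expected to report, and anything else it lists is a place the web identity can drop a file. On IIS 7 and later the anonymous identity is IUSR (or the application pool identity) rather than IUSR_<machine>, so adjust the account name before running.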

How to disable the WScript.Shell component:
Rename the component by editing the registry.
Rename HKEY_CLASSES_ROOT\WScript.Shell and HKEY_CLASSES_ROOT\WScript.Shell.1
to other names, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName; your own code then calls the component under the new name, while a web shell that asks for "WScript.Shell" fails.
Also change the CLSID value:
the default value of HKEY_CLASSES_ROOT\WScript.Shell\CLSID
the default value of HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID
Alternatively, delete these keys outright (unregistering the component) to remove the risk entirely.

How to disable the Shell.Application component:
Rename the component by editing the registry.
Rename HKEY_CLASSES_ROOT\Shell.Application
and
HKEY_CLASSES_ROOT\Shell.Application.1
to other names, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own code can then call the component normally under the new name.
Also change the CLSID value:
the default value of HKEY_CLASSES_ROOT\Shell.Application\CLSID
the default value of HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
Alternatively, delete these keys outright (unregistering the component) to remove the risk entirely.
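The two renaming procedures above (for WScript.Shell and for Shell.Application) are the same operation on two classes, so one script can do both. The following is an added example, not code from the original article, written in PowerShell. It renames the version-independent and versioned ProgIDs, and, because the text also says to change the CLSID, it moves the class key to a freshly generated GUID and fixes up the forward and back references, so that neither the well-known ProgID nor the well-known CLSID resolves any more. The "_ChangeName" suffix is the article's example and should be replaced with something unguessable; the Test-ComCreatable check is an addition.

```powershell
# Added example, not from the original article. Renames the ProgIDs and CLSID of
# WScript.Shell and Shell.Application so Server.CreateObject("WScript.Shell") in
# an ASP page fails while the hoster's own code still reaches the component under
# the renamed ProgID. Assumptions: the "_ChangeName" suffix is illustrative; on
# 64-bit Windows a second copy of the class keys lives under HKCR\Wow6432Node\CLSID
# and is not touched here; any local script or installer that creates these
# objects by the old name will break. Export the keys first
# (reg export HKCR\WScript.Shell wscript.reg, and the same for the CLSID key)
# and run elevated.

$Suffix = '_ChangeName'
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Test-ComCreatable {
    # True if a script on this box can instantiate the object by ProgID.
    param([string]$ProgId)
    try { $null = New-Object -ComObject $ProgId; $true } catch { $false }
}

function Rename-ComClass {
    # $ProgIds must all point at one class (e.g. WScript.Shell and WScript.Shell.1).
    # 1. class key -> fresh GUID  2. back-references inside the class key
    # 3. each ProgID key -> renamed, with its CLSID value pointing at the new GUID
    param([string[]]$ProgIds, [string]$Suffix)
    $present = @($ProgIds | Where-Object { Test-Path "HKCR:\$_" })
    if ($present.Count -eq 0) { Write-Warning "none of $($ProgIds -join ', ') is registered"; return $null }
    $oldClsid = (Get-ItemProperty "HKCR:\$($present[0])\CLSID").'(default)'
    $newClsid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'

    if (Test-Path "HKCR:\CLSID\$oldClsid") {
        # Rename-Item moves the whole subtree, InprocServer32 included.
        Rename-Item -Path "HKCR:\CLSID\$oldClsid" -NewName $newClsid
        foreach ($sub in 'ProgID', 'VersionIndependentProgID') {
            $k = "HKCR:\CLSID\$newClsid\$sub"
            if (Test-Path $k) {
                $cur = (Get-ItemProperty $k).'(default)'
                Set-ItemProperty -Path $k -Name '(default)' -Value "$cur$Suffix"
            }
        }
    }
    foreach ($p in $present) {
        Rename-Item -Path "HKCR:\$p" -NewName "$p$Suffix"
        Set-ItemProperty -Path "HKCR:\$p$Suffix\CLSID" -Name '(default)' -Value $newClsid
    }
    [pscustomobject]@{ ProgIds = $present; OldClsid = $oldClsid; NewClsid = $newClsid }
}

foreach ($pair in @(@('WScript.Shell', 'WScript.Shell.1'), @('Shell.Application', 'Shell.Application.1'))) {
    $r = Rename-ComClass -ProgIds $pair -Suffix $Suffix
    if ($r) {
        "$($r.OldClsid) -> $($r.NewClsid)"
        foreach ($p in $r.ProgIds) {
            "  $p : creatable = $(Test-ComCreatable $p); $p$Suffix : creatable = $(Test-ComCreatable "$p$Suffix")"
        }
    }
}
```

After the script runs, an ASP page that calls Server.CreateObject("WScript.Shell") should fail with "ActiveX component can't create object" while the renamed ProgID still works. Keep in mind what this buys you: HKEY_CLASSES_ROOT is readable by every local account, so the new name is only hidden from off-the-shelf web shells that hard-code "WScript.Shell", not from an attacker who can already enumerate the registry. The NTFS work in the previous section is what limits the damage once a component is reachable.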
Building a virtual host free of FSO threats (reference)
Author: daoxiang jushi

Currently most virtual hosts disable the standard ASP component FileSystemObject. It gives ASP powerful file-system access: reading, writing, copying, deleting and renaming any file on the server's hard disk (under a default Windows NT/2000 installation, that is). But once this component is disabled, any ASP site that uses it cannot run, which does not meet customers' needs.
How can we enable FileSystemObject without compromising the server, that is, so that users on different virtual hosts cannot use it to read or write each other's files? Below is a method I worked out experimentally, using Windows 2000 Server as the example.
Open Explorer on the server, right-click each hard-disk partition (volume), choose Properties and open the Security tab. It shows which accounts can access the partition and with what permissions; after a default installation, Everyone has Full Control. Click Add, add the Administrators, Backup Operators, Power Users and Users groups, and grant them Full Control or the permissions appropriate to each; do not grant the Guests group or the IUSR_machinename account anything. Then remove Everyone from the list. Now only the authorized groups and users can access the partition. ASP runs as IUSR_machinename, and since that account is not authorized, ASP cannot read or write files anywhere on the hard disk.
The next step is to create a separate user account for each virtual-host customer and give each account one directory over which it has full control.
Open Computer Management > Local Users and Groups > Users, right-click in the right pane and choose New User:
In the New User dialog, enter User name, Full name, Description, Password and Confirm password as needed; clear "User must change password at next logon" and select "User cannot change password" and "Password never expires". In this example we create the anonymous account IUSR_VHOST1 for the first virtual-host customer: every client that visits http://xxx.xxx.xxxx/ will be served under this identity. Click Create. Create more users as needed, then click Close.
The new user now appears in the account list. Double-click it for further settings:
In the Properties dialog for IUSR_VHOST1 (the account you just created), open the Member Of tab:
A new account belongs to the Users group by default. Select that group and click Remove:
Click Add:
In the Select Groups dialog, find Guests and click Add; the group appears in the lower text box. Click OK:
Click OK to close the dialog.
Open Internet Information Services and configure the virtual host; this example uses the site "First Virtual Host". Right-click the site name and choose Properties:
The "First Virtual Host Properties" dialog appears. The folder F:\VHOST1 is this customer's home directory:
Leave that dialog open, switch to Explorer, find F:\VHOST1, right-click it and open Properties > Security. The folder's default security is Everyone with Full Control (what you see depends on your setup). First clear the "Allow inheritable permissions from parent to propagate to this object" check box:
A Security warning appears. Click Remove:
All groups and users in the Security tab are now cleared (if any remain, remove them). Then click Add.
Add Administrator and the newly created IUSR_VHOST1 and grant both Full Control. You may add other groups or users as needed, but never add anonymous accounts such as Guests or IUSR_machinename!
Switch back to the First Virtual Host Properties dialog, open the Directory Security tab and click Edit under "Anonymous access and authentication control":
In the Authentication Methods dialog, click Edit:
The Anonymous User Account dialog shows the default IUSR_machinename. Click Browse:
In the Select User dialog, find IUSR_VHOST1 and double-click it:
The anonymous user name has changed. In the Password box, enter the password you set when creating the account:
Confirm the password again:
Click OK to close all the dialogs.
With this configuration, ASP on the First Virtual Host can use FileSystemObject only within its own directory F:\VHOST1; attempts to reach anything else produce errors such as "Permission denied", "Drive not ready" or "500 Internal Server Error".
Note that with this setup the customer also cannot read the partition's capacity or the disk's serial number. If you want to allow reading such partition-level information, right-click the partition (volume), choose Properties > Security, add the customer's account to the list and grant it at least Read. Because all subdirectories on the volume have already been set to "do not allow inheritable permissions from the parent to propagate to this object"
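The whole procedure above, from the drive-level permissions through the per-customer account, the home-directory ACL and the IIS anonymous identity, reduces to a short script per virtual host. The following is an added example, not code from the original article, written in PowerShell. It assumes the LocalAccounts cmdlets (PowerShell 5.1 on Windows 8.1/Server 2012 R2 and later) in place of the Computer Management dialogs, icacls for the NTFS steps, and the IIS 5/6 metabase reached through ADSI at IIS://localhost/W3SVC/<site id>/Root, where the site id 1 is a placeholder. F:\VHOST1 and IUSR_VHOST1 come from the text; the specific rights given to Backup Operators, Power Users and Users are one reading of the article's "corresponding permissions", and the Test-HomeDirIsolated check is an addition.

```powershell
# Added example, not from the original article. Isolates one virtual host:
# drive-level baseline, a dedicated anonymous account placed in Guests (not
# Users), a home directory that only Administrators and that account can touch,
# and the site's anonymous identity switched to the account. Assumptions: PS 5.1
# LocalAccounts cmdlets, icacls, IIS 5/6 metabase via ADSI (site id 1 is a
# placeholder). Run elevated, once per customer with the variables changed.

$HostName = 'VHOST1'
$HomeDir  = 'F:\VHOST1'
$SiteId   = 1
$User     = "IUSR_$HostName"
$Password = Read-Host -AsSecureString "Password for $User"

function Set-VolumeBaseline {
    # Drive-level step: Everyone out, the admin/user groups in, nothing for
    # Guests or IUSR_<machine>. Applied to the volume that holds $Path.
    param([string]$Path)
    $root = [System.IO.Path]::GetPathRoot($Path)
    & icacls.exe $root /remove:g Everyone /grant 'BUILTIN\Administrators:(OI)(CI)F' `
        'BUILTIN\Backup Operators:(OI)(CI)M' 'BUILTIN\Power Users:(OI)(CI)M' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $root" }
}

function New-VhostAccount {
    # Mirrors the New User dialog: cannot change password, never expires,
    # then out of Users and into Guests.
    param([string]$Name, [securestring]$Password)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -Description "Anonymous web account for $HostName" `
            -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    }
    if (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Users' -Member $Name
    }
    if (-not (Get-LocalGroupMember -Group 'Guests' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Guests' -Member $Name
    }
}

function Set-HomeDirAcl {
    # Break inheritance and discard inherited ACEs ("Remove" in the warning box),
    # then grant only Administrators and the customer's account.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    & icacls.exe $Path /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' "${Name}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Set-SiteAnonymousAccount {
    # IIS 5/6 metabase. On IIS 7+ the same setting lives in
    # system.webServer/security/authentication/anonymousAuthentication
    # (Set-WebConfigurationProperty ... -Name userName / -Name password).
    param([int]$Id, [string]$Name, [securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $site = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    $site.Put('AuthAnonymous', $true)
    $site.Put('AnonymousUserName', $Name)
    $site.Put('AnonymousUserPass', $plain)
    $site.SetInfo()
}

function Test-HomeDirIsolated {
    # True when no identity other than Administrators, SYSTEM and the owning
    # account holds an Allow ACE on the home directory; stray ACEs are reported.
    param([string]$Path, [string]$Owner)
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$env:COMPUTERNAME\$Owner")
    $stray = (Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed
    }
    foreach ($ace in $stray) { Write-Warning "unexpected ACE on ${Path}: $($ace.IdentityReference) $($ace.FileSystemRights)" }
    return (-not $stray)
}

Set-VolumeBaseline -Path $HomeDir
New-VhostAccount -Name $User -Password $Password
Set-HomeDirAcl -Path $HomeDir -Name $User
Set-SiteAnonymousAccount -Id $SiteId -Name $User -Password $Password
Test-HomeDirIsolated -Path $HomeDir -Owner $User
```

Two things the dialogs hide but a script run will surface: the new account must hold the logon right that the site's anonymous LogonMethod uses (IIS 5's default interactive logon needs "Log on locally"; a network logon needs "Access this computer from the network"), or every anonymous request fails with 401; and Test-HomeDirIsolated should be re-run after any later change to the volume's ACL, because granting the account Read on the volume root, as the paragraph above suggests for disk-capacity queries, is safe only while every other customer's directory still blocks inheritance.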
