Prevention and detection of webshell Trojans

Source: Internet
Author: User

After hackers break into a server using script-based techniques, they often plant web page Trojans (webshells) and backdoors on the website. Detecting and preventing these Trojans and backdoors is therefore an important part of keeping the website secure.

1. Delete script objects to prevent ASP Trojans from running

Common ASP Trojans (Marine Top, Ice Fox Prodigal Son, ASP Webmaster Management Assistant, and so on) generally need to call the FSO object or ADODB.Stream to implement some of their functions. Deleting these objects on the server therefore also helps prevent further penetration by attackers.

(1) Disable the FSO object

FSO stands for File System Object. Common network script viruses depend on it to copy and spread themselves, and disabling the FSO object is also useful when defending against SQL injection attacks. The procedure is simple:

Click Start > Run, enter cmd, and press Enter to open a Command Prompt window. In the Command Prompt window, enter the following command:

regsvr32 /u scrrun.dll

After the command runs, the FSO object is disabled. To restore the FSO object, use the following command:

regsvr32 scrrun.dll

After this command runs, the FSO functionality is restored.

(2) Disable the ADODB.Stream object

In addition, many web Trojans use ADODB.Stream to list the server's file directories, and some ASP Trojans create script objects by CLASSID. Disabling this script object therefore blocks ASP Trojans to a certain extent.

Enter regedit in Start > Run to open the Registry Editor. Expand the registry key HKEY_CLASSES_ROOT\ADODB.Stream\CLSID; the CLASSID of ADODB.Stream is a string of hexadecimal values, such as {00000566-0000-0010-8000-00AA006D2EA4}.

Write down this value and find the registry key HKEY_CLASSES_ROOT\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32, which gives the path of the DLL file that implements this ActiveX component. Here it is c:\program files\common files\system\ado\msado15.dll.

Run regsvr32 again to unregister this file, entering the following command in the Start > Run window:

regsvr32 /u "c:\program files\common files\system\ado\msado15.dll"

After the command runs, ADODB.Stream is unregistered; you can use regsvr32 to register it again if needed. Alternatively, you can rename the msado15.dll file or delete the HKEY_CLASSES_ROOT\ADODB.Stream\CLSID key in the registry.

In addition, Rising, a well-known antivirus vendor in China, provides a tool specifically for disabling the ADODB.Stream object.

After running the tool, click the Isolate Stream Object button on its interface and it automatically disables ADODB.Stream. If you need the object again, click Restore Stream Object to restore it.

2. Webshell search tools

Even when no script vulnerability or sign of intrusion is found on the website, intruders may already have attacked it and uploaded web page Trojans and backdoors. How can we find the ASP Trojan backdoors hidden by attackers?

To deal with web Trojans embedded by intruders, you can use a program called "Siyi ASP Trojan hunting v2.0". This tool is an ASP web page file: upload it to the website space and then open it in the browser.

The page has two input boxes. In "Checked file type" you select the types of web page files to check (by default all types are checked); in "Add search custom keywords" you can enter keywords to search for, such as "execute request", "execute session" and "eval". Click OK and the tool scans files of the specified types under the current website directory and lists the web pages that contain the detected code.
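A keyword scan of the kind the article describes, written here in Python as an added example (it is not the Siyi tool's own ASP code). The web root, file names and the one-line backdoor sample are constructed for the demonstration; the keyword list is the one the article gives.

```python
import os
import re
import tempfile

# Keywords the article names, as case-insensitive patterns; optional space or
# "(" between tokens so "Execute Request(" and "execute(request(" both match.
PATTERNS = [
    ("execute request", re.compile(r"execute\s*\(?\s*request", re.I)),
    ("execute session", re.compile(r"execute\s*\(?\s*session", re.I)),
    ("eval request", re.compile(r"eval\s*\(?\s*request", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
]

def scan_file(path):
    """Return (line_number, keyword) pairs; first matching keyword per line."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, pattern in PATTERNS:
                if pattern.search(line):
                    hits.append((lineno, name))
                    break
    return hits

def scan_webroot(root, extensions=None):
    """Walk root; return {relative_path: hits}. extensions=None scans all files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if extensions and not fname.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_webroot():
    """Constructed sample tree: a clean page plus a one-line backdoor."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "upload"))
    samples = {
        "index.asp": '<% Response.Write "Hello" %>\n',
        "upload/help.asp": '<% Dim x %>\n<%eval request("pass")%>\n',
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
```

Restricting `extensions` to script types mirrors the tool's "Checked file type" option; leaving it at the default checks every file, as the tool does.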
