Security Solution: ASP Trojan Webshell Security Solution

Source: Internet
Author: User

Note: The settings and environment described in this article apply to Microsoft Windows 2000 Server / Windows Server 2003 with IIS 5.0 / IIS 6.0.

1. First, let's look at which ASP components ASP Trojans and webshells use. We take the Ocean (Marine) ASP Trojan as the example:

<object runat="server" id="ws" scope="page" classid="clsid:72c24dd5-d70a-438b-8a42-98366b88afb8"></object>
<object runat="server" id="ws" scope="page" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<object runat="server" id="net" scope="page" classid="clsid:093FF999-1EA0-4079-9525-9614C3504B74"></object>
<object runat="server" id="net" scope="page" classid="clsid:F935DC26-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<object runat="server" id="fso" scope="page" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>

ShellStr = "Shell"
ApplicationStr = "Application"
If your path = "wscriptShell"
Set sa = Server.CreateObject(ShellStr & "." & ApplicationStr)
Set streamT = Server.CreateObject("ADODB.Stream")
Set domainObject = GetObject("WinNT://.")

The above is the relevant code from the Ocean Trojan. From it we can easily see that ASP Trojans and webshells mainly rely on the following ASP components:

① WScript.Shell (classid: 72c24dd5-d70a-438b-8a42-98366b88afb8)

② WScript.Shell.1 (classid: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)

③ WScript.Network (classid: 093FF999-1EA0-4079-9525-9614C3504B74)

④ WScript.Network.1 (classid: F935DC26-1CF0-11D0-ADB9-00C04FD58A0B)

⑤ FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228)

⑥ ADODB.Stream (classid: 00000566-0000-0010-8000-00AA006D2EA4)

⑦ Shell.Application ...

Hehe, now we know which components pose the most serious threat to our IIS web server! Let's get to work...
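As an added example (not part of the original article), the same ProgIDs and CLSIDs listed above can be used to find ASP files in a web root that reference them, including the split "Shell" & "." & "Application" form the Trojan's snippet uses. The script is written for Windows PowerShell 5.1 on a current IIS host rather than the Windows 2000/2003 systems the article targets; $WebRoot is an assumption and the fixture files are constructed here for demonstration.

```powershell
# Added example (not from the original article): scan an ASP web root for files that
# reference the component ProgIDs/CLSIDs the article lists, which is how the Ocean
# style webshell instantiates WScript.Shell, WScript.Network, FSO and ADODB.Stream.
# $WebRoot is an assumption; the fixture files below are constructed for the demo.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

# CLSIDs exactly as the article prints them, plus the matching ProgIDs (regex-escaped).
$Markers = @(
    '72c24dd5-d70a-438b-8a42-98366b88afb8'    # WScript.Shell
    'F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'    # WScript.Shell.1
    '093FF999-1EA0-4079-9525-9614C3504B74'    # WScript.Network
    'F935DC26-1CF0-11D0-ADB9-00C04FD58A0B'    # WScript.Network.1
    '0D43FE01-F093-11CF-8940-00A0C9054228'    # Scripting.FileSystemObject
    '00000566-0000-0010-8000-00AA006D2EA4'    # ADODB.Stream
    'WScript\.Shell', 'WScript\.Network', 'Scripting\.FileSystemObject'
    'ADODB\.Stream', 'Shell\.Application', 'WinNT://'
)
# The article's snippet assembles the ProgID from pieces ("Shell" & "." & "Application"),
# which hides it from a plain string search, so match that concatenated form too.
$Split = '"(Shell|WScript|Scripting|ADODB)"\s*&\s*"\."\s*&\s*"(Application|Shell|Network|FileSystemObject|Stream)"'
$Pattern = ($Markers -join '|') + '|' + $Split

function Find-SuspectAsp {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.asp, *.asa, *.cer, *.cdx -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Select-String -Path $_.FullName -Pattern $Pattern -AllMatches   # case-insensitive by default
            if ($hits) {
                [pscustomobject]@{
                    File    = $_.FullName
                    Lines   = ($hits.LineNumber | Sort-Object -Unique) -join ','
                    Markers = ($hits.Matches.Value | Sort-Object -Unique) -join ', '
                }
            }
        }
}

# Constructed fixture: one file resembling the article's snippet and one benign page.
$fixture = Join-Path $env:TEMP 'asp-scan-demo'
New-Item -ItemType Directory -Force -Path $fixture | Out-Null
@'
<object runat="server" id="ws" scope="page" classid="clsid:72c24dd5-d70a-438b-8a42-98366b88afb8"></object>
<% Set sa = Server.CreateObject("Shell" & "." & "Application") %>
'@ | Set-Content (Join-Path $fixture 'suspect.asp')
'<% Response.Write("hello") %>' | Set-Content (Join-Path $fixture 'index.asp')

Find-SuspectAsp -Root $fixture | Format-Table -AutoSize   # only suspect.asp should be reported
Find-SuspectAsp -Root $WebRoot | Format-Table -AutoSize   # the real scan
```

Hits are a starting point for review, not a verdict: legitimate upload or file-management pages also use FileSystemObject and ADODB.Stream, so check each reported file against what the application is supposed to do.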

2. Solution:

① Delete or rename the following dangerous ASP components:

WScript.Shell, WScript.Shell.1, WScript.Network, WScript.Network.1, ADODB.Stream, Shell.Application

Start -> Run -> regedit opens the Registry Editor. Press Ctrl+F to search, enter the component names above (WScript.Shell and so on) and their corresponding ClassIDs one by one, and delete or rename each key. We recommend renaming: if some of your web ASP applications use these components, you then only need to use the changed component name when writing the ASP code. Of course, if you are sure your ASP applications do not use these components, you can delete them directly. After deleting or renaming, run iisreset to restart IIS so the change takes effect.

[Note: The ADODB.Stream component is used by many web pages, so if your server provides virtual hosting, we recommend handling it with care.]

② Regarding FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228): this is the well-known FSO security issue. If your server must use FSO (virtual hosting servers usually need it), refer to the separate article on FSO security: Microsoft Windows 2000 Server FSO Security Risk Solutions. If you are sure you do not use this component, you can simply unregister it.

③ Directly unregister and uninstall these dangerous components (for those who do not want to use ① or ②):

To uninstall the WScript.Shell object, run in cmd: regsvr32 /u %windir%\system32\wshom.ocx

To uninstall the FSO object, run in cmd: regsvr32.exe /u %windir%\system32\scrrun.dll

To uninstall the Stream object, run in cmd: regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll"

Note that these DLLs host more than the one class each: wshom.ocx also provides WScript.Network, scrrun.dll also provides Scripting.Dictionary, and msado15.dll is the whole ADO library, so unregistering it breaks every ADODB.Connection and ADODB.Recordset on the server, not just ADODB.Stream.

To restore a component, just drop /u and register it again, for example: regsvr32.exe %windir%\system32\scrrun.dll

④ The Trojan uses Set domainObject = GetObject("WinNT://.") to obtain the server's process, service and user information. This depends on the Workstation service (service name Lanmanworkstation, described as "provides network connections and communications"), which you can stop and disable. After this, the webshell's process listing comes up blank.
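The steps ① to ④ above, as an added example that is not part of the original article: the script audits each component by ProgID (resolving the CLSID and hosting DLL from the registry rather than hardcoding them), optionally renames the keys as the article recommends, checks whether the component can still be created (the same "ActiveX component can't create object" test the article runs with the Trojan), and reports the Workstation service. It targets Windows PowerShell 5.1 on a current host rather than Windows 2000/2003; the $Suffix value and the switch names are assumptions.

```powershell
# Added example (not from the original article): audit the COM components the article
# names, optionally rename their registry keys (the article's recommended, reversible
# approach), and verify that they can no longer be instantiated. Run elevated, then
# "iisreset" as the article says. $Suffix and the switch names are assumptions.
#Requires -RunAsAdministrator
param([switch]$Rename, [switch]$StopWorkstation, [string]$Suffix = '_disabled')

$ProgIds = 'WScript.Shell', 'WScript.Shell.1', 'WScript.Network', 'WScript.Network.1',
           'ADODB.Stream', 'Shell.Application', 'Scripting.FileSystemObject'
$HKCR = 'Registry::HKEY_CLASSES_ROOT'   # on 64-bit hosts, 32-bit app pools read HKCR\WOW6432Node\CLSID instead

function Get-ComStatus {
    param([string]$ProgId)
    $clsid = $dll = $null
    if (Test-Path "$HKCR\$ProgId\CLSID") {
        $clsid = (Get-ItemProperty "$HKCR\$ProgId\CLSID").'(default)'          # ProgID -> CLSID
        if ($clsid -and (Test-Path "$HKCR\CLSID\$clsid\InprocServer32")) {
            $dll = (Get-ItemProperty "$HKCR\CLSID\$clsid\InprocServer32").'(default)'   # hosting DLL
        }
    }
    try   { $null = New-Object -ComObject $ProgId; $creatable = $true }   # fails once the keys are gone
    catch { $creatable = $false }
    [pscustomobject]@{ ProgId = $ProgId; CLSID = $clsid; Server = $dll; Creatable = $creatable }
}

function Disable-ComByRename {
    param([string]$ProgId)
    $status = Get-ComStatus $ProgId
    # Several ProgIDs may share one CLSID, so test before each rename. On newer Windows some
    # CLSID keys are owned by TrustedInstaller; take ownership first if the rename is denied.
    if ($status.CLSID -and (Test-Path "$HKCR\CLSID\$($status.CLSID)")) {
        Rename-Item "$HKCR\CLSID\$($status.CLSID)" -NewName "$($status.CLSID)$Suffix"
    }
    if (Test-Path "$HKCR\$ProgId") { Rename-Item "$HKCR\$ProgId" -NewName "$ProgId$Suffix" }
}

"== Current state =="
$ProgIds | ForEach-Object { Get-ComStatus $_ } | Format-Table -AutoSize
if ($Rename) {
    $ProgIds | ForEach-Object { Disable-ComByRename $_ }
    "Keys renamed with suffix '$Suffix'. Run iisreset, then re-run without -Rename to verify Creatable = False."
}

# Article step 4: the GetObject("WinNT://.") enumeration relies on the Workstation service.
# Stopping it also breaks SMB client access (UNC paths, net use) from this server.
$svc = Get-Service LanmanWorkstation
"Workstation service: $($svc.Status), start type $($svc.StartType)"
if ($StopWorkstation) {
    Set-Service LanmanWorkstation -StartupType Disabled
    Stop-Service LanmanWorkstation -Force
}
```

Renaming keys rather than deleting them keeps the change reversible: renaming them back (or re-registering the DLL as in ③) restores the component.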

3. After handling the dangerous ASP components with methods 1 and 2 above, I tested with ajiang's ASP probe: "server CPU details" and "server operating system" could not be retrieved at all, and the content was blank. Testing WScript.Shell in the Ocean Trojan to run a cmd command gives the error "ActiveX component can't create object". You no longer need to worry about ASP Trojans compromising the server system.

Of course, this is far from enough for server security; here we have only shared some experience in handling ASP Trojans and webshells. In the next article we will show how to simply prevent others from executing commands such as net user on the server, how to prevent overflow attacks from obtaining a shell, and the simplest and most effective ways to prevent adding users and to change the NTFS settings for terminal logon.
