Webshell
Securing the virtual host against FSO abuse:
A simple virtual host faces a range of webshell threats. If you open a virtual host space for a friend, the biggest security risk on that host is the FSO permission problem. In fact, the security risks of FSO were already a headache for administrators on Windows 2000, and Windows 2003 still does not solve them. On a virtual host without a security configuration, once a hacker uploads a Trojan into the virtual host space, the hacker can use FSO to browse every file on the server, copy and delete every file on the server, and even use the Trojan to obtain administrative rights over the server. This shows the importance of FSO security configuration.
If a hacker uploads a Trojan into your virtual host space by some means, it means the hacker already has a webshell and can use it to control the data on the entire server.
To prevent such attacks, you only need to remove the FSO (Scripting.FileSystemObject) function from ASP. To remove FSO, enter the following command at a CMD prompt:
regsvr32 /u c:\windows\system32\scrrun.dll
Note: in actual operation, change the path to the actual installation directory of your system. However, this method is a bit too drastic: if you want to use FSO yourself in the future, it will no longer work. Therefore, we do not recommend removing FSO this way.
Obviously, if this is done, nobody, including the site's system administrator, can use the FileSystemObject object. That is not the result the site administrator wants; after all, this object is what lets us manage the site conveniently online. If the system administrator cannot use this object, the loss outweighs the gain; yet if the dangerous object is not restricted, it leaves a security hole in the website. Is there a better solution? Yes. The specific method is as follows:
We can prevent others from using the FileSystemObject object illegally, but we can still use this object ourselves.
The method is as follows:
Search the registry for the key
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
and rename it to a string of your choosing (right-click --> "Rename"), for example to
HKEY_CLASSES_ROOT\Scripting.FileSystemObjectadmin123
Anyone who calls the FileSystemObject object by its usual name will now be unable to use it.
As long as you do not tell others the new name of the object, they cannot use the FileSystemObject object. As site managers, we prevent others from using the FileSystemObject object illegally while we can still use it ourselves to manage the website online and implement other functions conveniently.
Preventing ASP Trojans that do not need FSO:
An ASP Trojan that works without FSO is, of course, less powerful, since it has no FSO support: it can only browse the file directories on the server, copy and move files, and execute program files in a specified path. Simple as it is, it is enough to hack a website.
The method to prevent FSO-free ASP Trojans is as follows:
We only need to find the Shell.Application and WScript.Shell keys in the registry and delete them to prevent this type of ASP Trojan attack. Deleting these keys does not affect your server or its ASP support, so feel free to delete them.
Some webshells work by calling the system's cmd.exe.
For this type of webshell, we can rename cmd.exe under system32 to a name that only you know. Unfortunately, this runs into Windows File Protection: the system keeps a backup copy of cmd.exe in the dllcache directory, which is protected by the system and not normally visible. I will not go into how to view it here; the directory is c:\windows\system32\dllcache. Rename the cmd.exe in that directory first, then rename c:\windows\system32\cmd.exe to the same name, and check that it works.
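The following PowerShell audit is an added example, not part of the original article: it checks, read-only, whether the hardening steps described above (FSO unregistered or renamed, Shell.Application and WScript.Shell removed, cmd.exe renamed in both system32 and dllcache) are in place on the server. The renamed ProgID and the function name are assumptions; adjust them to your own choices.

```powershell
# Added example, not from the original article: a read-only audit of the
# hardening steps described above. Run in an elevated PowerShell on the
# web server; it changes nothing. Function and variable names are assumed.

# Follow a COM ProgID under HKEY_CLASSES_ROOT to the DLL that serves it.
function Test-ProgIdRegistered {
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    $result = [pscustomobject]@{ ProgId = $ProgId; Registered = $false; Dll = $null }
    if (Test-Path $key) {
        $result.Registered = $true
        $clsid = (Get-ItemProperty "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if ($clsid) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $result.Dll = (Get-ItemProperty $server -ErrorAction SilentlyContinue).'(default)'
        }
    }
    return $result
}

# Assumed renamed ProgID, taken from the article's example; use your own name.
$renamedFso = 'Scripting.FileSystemObjectadmin123'

# 1. FSO: the usual name should be gone; the renamed one (if used) present.
# 2. Shell.Application / WScript.Shell: should be absent (FSO-free Trojans).
$progIds = @('Scripting.FileSystemObject', $renamedFso, 'Shell.Application', 'WScript.Shell')
$progIds | ForEach-Object { Test-ProgIdRegistered $_ } | Format-Table -AutoSize

# 3. scrrun.dll still on disk is normal: regsvr32 /u only unregisters it,
#    and the rename approach keeps the DLL so the administrator can use it.
$scrrun = Join-Path $env:SystemRoot 'System32\scrrun.dll'
"scrrun.dll present on disk: $(Test-Path $scrrun)"

# 4. cmd.exe: check the live copy and the Windows File Protection cache copy;
#    both should be False if the rename described above was carried out.
foreach ($rel in @('System32\cmd.exe', 'System32\dllcache\cmd.exe')) {
    $full = Join-Path $env:SystemRoot $rel
    "$full exists: $(Test-Path $full)"
}
```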