B. Change the name of the insecure component. Note that the component name and Clsid must be modified completely.
Start → run → regedit → press enter to open the Registry Editor.
Then [edit → search → fill in Shell. application → find next]
Two registry keys can be found using this method:
{13709620-C279-11CE-A49E-444553540000} and Shell. application.
Step 1:
To ensure that the two registry keys are safe, export them and save them as the xxxx. reg file.
Step 2: for example, we want to make such a change.
13709620-C279-11CE-A49E-444553540000 renamed 13709620-C279-11CE-A49E-444553540001
Shell. application is renamed as Shell. application_nohack.
Step 3: Click Export. the contents in the reg file are replaced by the above correspondence, and modified. import the reg file to the Registry (double-click it). After importing the renamed registry key, do not forget to delete the original two items. Note that the Clsid can only contain ten numbers and six ABCDEF letters.
In fact, you only need to export the corresponding registry key for backup and directly change the key name,
For example, we suggest you make a successful change:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}]
@ = "Shell Automation Service"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/InProcServer32]
@ = "C: // WINNT // system32 // shell32.dll"
"ThreadingModel" = "Apartment"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/ProgID]
@ = "Shell. Application_nohack.1"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/TypeLib]
@ = "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe }"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/Version]
@ = "1.1"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/VersionIndependentProgID]
@ = "Shell. Application_nohack"
[HKEY_CLASSES_ROOT/Shell. Application_nohack]
@ = "Shell Automation Service"
[HKEY_CLASSES_ROOT/Shell. Application_nohack/CLSID]
@ = "{13709620-C279-11CE-A49E-444553540001 }"
[HKEY_CLASSES_ROOT/Shell. Application_nohack/CurVer]
@ = "Shell. Application_nohack.1"
Comment: WScript. shell and Shell. the application component is an important part of improving permissions during the script intrusion process. the uninstallation and modification of the two components can greatly improve the Script Security performance of the VM, in general, ASP and php scripts cannot be implemented to improve permissions. In addition, with some system services, hard disk access permissions, port filtering, and Local Security Policy settings, the VM should say, security can be greatly improved, and the possibility of hacker intrusion is very low. After the Shell component is deregistered, the possibility of the attacker running the lifting tool is very small, but other script languages such as prel also have shell capabilities. It is better to set it to prevent attacks. The following is another setting, which is similar.
1. You are prohibited from using the FileSystemObject component FileSystemObject to perform regular operations on files. You can modify the registry and rename the component to prevent dangers of such Trojans.
HKEY_CLASSES_ROOT/Scripting. FileSystemObject/
Change the name to another name, for example, FileSystemObject_ChangeName.
You can call this component normally when you call it later.
Also change the clsid value.
HKEY_CLASSES_ROOT/Scripting. FileSystemObject/CLSID/project value
You can also delete the Trojan to prevent its harm.
2000 unregister this component command: RegSrv32/u C:/WINNT/SYSTEM/scrrun. dll
2003 unregister this component command: RegSrv32/u C:/WINDOWS/SYSTEM/scrrun. dll
How does one Prevent Guest users from using scrrun. dll to prevent calling this component?
Use this command: cacls C:/WINNT/system32/scrrun. dll/e/d guests
Ii. Do not use the WScript. Shell component
WScript. Shell can call the system kernel to run basic dos Commands
You can modify the registry and rename this component to prevent the dangers of such Trojans.
HKEY_CLASSES_ROOT/WScript. Shell/and HKEY_CLASSES_ROOT/WScript. Shell.1/
Change the name to another name, for example, WScript. Shell_ChangeName or WScript. Shell.1 _ ChangeName.
You can call this component normally when you call it later.
Also change the clsid value.
HKEY_CLASSES_ROOT/WScript. Shell/CLSID/project value
HKEY_CLASSES_ROOT/WScript. Shell.1/CLSID/project value
You can also delete the Trojan to prevent its harm.
3. prohibit the use of the Shell. Application Component
Shell. Application can call the system kernel to run basic dos commands.
You can modify the registry and rename this component to prevent the dangers of such Trojans.
HKEY_CLASSES_ROOT/Shell. Application/
And
HKEY_CLASSES_ROOT/Shell. Application.1/
Change the name to another name, for example, Shell. Application_ChangeName or Shell. Application.1 _ ChangeName.
You can call this component normally when you call it later.
Also change the clsid value.
HKEY_CLASSES_ROOT/Shell. Application/CLSID/project value
HKEY_CLASSES_ROOT/Shell. Application/CLSID/project value
You can also delete the Trojan to prevent its harm.
Disable Guest users from using shell32.dll to prevent calling this component.
2000 run the command cacls C:/WINNT/system32/shell32.dll/e/d guests.
2003 run the command cacls C:/WINDOWS/system32/shell32.dll/e/d guests.
Note: All operations take effect only after the WEB Service is restarted.
Use cmd.exe
Disable the use of cmd.exe for guests
2000 run the command cacls C:/WINNT/system32/Cmd.exe/e/d guests.
2003 run the command cacls C:/WINDOWS/system32/Cmd.exe/e/d guests.
The above four steps can be used to prevent several popular Trojans, but the most effective method is to achieve the server and program security standards through comprehensive security settings, to prevent more illegal intrusions.
C. Prevent Serv-U Privilege Escalation (applicable to earlier versions of the Serv-U6.0, after which you can directly set a password)
Stop the Serv-U service first
Use ultraeditto open servudaemon.exe
Search for Ascii: LocalAdministrator and # l @ $ ak #. lk; 0 @ P
You can modify the parameter value to an equal length, and the process of servuadmin.exe is the same.
In addition, pay attention to setting the ACL for the folder where Serv-U is located. do not grant anonymous IIS users the permission to read the files. Otherwise, the files you modified will be stored, you can also analyze your Administrator name and password. You can use the ASP probe to check the security status of the system.
Security Settings for WindowsServer2003 + IIS6.0 + ASP servers-component Security Settings A. Uninstall WScript. shell and Shell. application Component, save the following code as. BAT file execution (in 2000 and 2003 systems) windows2000.bat
Regsvr32/u C:/WINNT/System32/wshom. ocx
Del C:/WINNT/System32/wshom. ocx
Regsvr32/u C:/WINNT/system32/shell32.dll
Del C:/WINNT/system32/shell32.dll
Windows2003.bat
Regsvr32/u C:/WINDOWS/System32/wshom. ocx
Del C:/WINDOWS/System32/wshom. ocx
Regsvr32/u C:/WINDOWS/system32/shell32.dll
Del C:/WINDOWS/system32/shell32.dll
B. Change the name of the insecure component. Note that the component name and Clsid must be modified completely.
Start → run → regedit → press enter to open the Registry Editor.
Then [edit → search → fill in Shell. application → find next]
Two registry keys can be found using this method:
{13709620-C279-11CE-A49E-444553540000} and Shell. application.
Step 1:
To ensure that the two registry keys are safe, export them and save them as the xxxx. reg file.
Step 2: for example, we want to make such a change.
13709620-C279-11CE-A49E-444553540000 renamed 13709620-C279-11CE-A49E-444553540001
Shell. application is renamed as Shell. application_nohack.
Step 3: Click Export. the contents in the reg file are replaced by the above correspondence, and modified. import the reg file to the Registry (double-click it). After importing the renamed registry key, do not forget to delete the original two items. Note that the Clsid can only contain ten numbers and six ABCDEF letters.
In fact, you only need to export the corresponding registry key for backup and directly change the key name,
For example, we suggest you make a successful change:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}]
@ = "Shell Automation Service"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/InProcServer32]
@ = "C: // WINNT // system32 // shell32.dll"
"ThreadingModel" = "Apartment"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/ProgID]
@ = "Shell. Application_nohack.1"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/TypeLib]
@ = "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe }"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/Version]
@ = "1.1"
[HKEY_CLASSES_ROOT/CLSID/{13709620-C279-11CE-A49E-444553540001}/VersionIndependentProgID]
@ = "Shell. Application_nohack"
[HKEY_CLASSES_ROOT/Shell. Application_nohack]
@ = "Shell Automation Service"
[HKEY_CLASSES_ROOT/Shell. Application_nohack/CLSID]
@ = "{13709620-C279-11CE-A49E-444553540001 }"
[HKEY_CLASSES_ROOT/Shell. Application_nohack/CurVer]
@ = "Shell. Application_nohack.1"
Comment: WScript. shell and Shell. the application component is an important part of improving permissions during the script intrusion process. the uninstallation and modification of the two components can greatly improve the Script Security performance of the VM, in general, ASP and php scripts cannot be implemented to improve permissions. In addition, with some system services, hard disk access permissions, port filtering, and Local Security Policy settings, the VM should say, security can be greatly improved, and the possibility of hacker intrusion is very low. After the Shell component is deregistered, the possibility of the attacker running the lifting tool is very small, but other script languages such as prel also have shell capabilities. It is better to set it to prevent attacks. The following is another setting, which is similar.
1. You are prohibited from using the FileSystemObject component FileSystemObject to perform regular operations on files. You can modify the registry and rename the component to prevent dangers of such Trojans.
HKEY_CLASSES_ROOT/Scripting. FileSystemObject/
Change the name to another name, for example, FileSystemObject_ChangeName.
You can call this component normally when you call it later.
Also change the clsid value.
HKEY_CLASSES_ROOT/Scripting. FileSystemObject/CLSID/project value
You can also delete the Trojan to prevent its harm.
2000 unregister this component command: RegSrv32/u C:/WINNT/SYSTEM/scrrun. dll
2003 unregister this component command: RegSrv32/u C:/WINDOWS/SYSTEM/scrrun. dll
How does one Prevent Guest users from using scrrun. dll to prevent calling this component?
Use this command: cacls C:/WINNT/system32/scrrun. dll/e/d guests
Ii. Do not use the WScript. Shell component
WScript. Shell can call the system kernel to run basic dos Commands
You can modify the registry and rename this component to prevent the dangers of such Trojans.
HKEY_CLASSES_ROOT/WScript. Shell/and HKEY_CLASSES_ROOT/WScript. Shell.1/
Change the name to another name, for example, WScript. Shell_ChangeName or WScript. Shell.1 _ ChangeName.
You can call this component normally when you call it later.
Also change the clsid value.
HKEY_CLASSES_ROOT/WScript. Shell/CLSID/project value
HKEY_CLASSES_ROOT/WScript. Shell.1/CLSID/project value
You can also delete the Trojan to prevent its harm.
3. prohibit the use of the Shell. Application Component
Shell. Application can call the system kernel to run basic dos commands.
You can modify the registry and rename this component to prevent the dangers of such Trojans.
HKEY_CLASSES_ROOT/Shell. Application/
And
HKEY_CLASSES_ROOT/Shell. Application.1/
Change the name to another name, for example, Shell. Application_ChangeName or Shell. Application.1 _ ChangeName.
You can call this component normally when you call it later.
Also change the clsid value.
HKEY_CLASSES_ROOT/Shell. Application/CLSID/project value
HKEY_CLASSES_ROOT/Shell. Application/CLSID/project value
You can also delete the Trojan to prevent its harm.
Disable Guest users from using shell32.dll to prevent calling this component.
2000 run the command cacls C:/WINNT/system32/shell32.dll/e/d guests.
2003 run the command cacls C:/WINDOWS/system32/shell32.dll/e/d guests.
Note: All operations take effect only after the WEB Service is restarted.
Use cmd.exe
Disable the use of cmd.exe for guests
2000 run the command cacls C:/WINNT/system32/Cmd.exe/e/d guests.
2003 run the command cacls C:/WINDOWS/system32/Cmd.exe/e/d guests.
The above four steps can be used to prevent several popular Trojans, but the most effective method is to achieve the server and program security standards through comprehensive security settings, to prevent more illegal intrusions.
C. Prevent Serv-U Privilege Escalation (applicable to earlier versions of the Serv-U6.0, after which you can directly set a password)
Stop the Serv-U service first
Use ultraeditto open servudaemon.exe
Search for Ascii: LocalAdministrator and # l @ $ ak #. lk; 0 @ P
You can modify the parameter value to an equal length, and the process of servuadmin.exe is the same.
In addition, pay attention to setting the ACL for the folder where Serv-U is located. do not grant anonymous IIS users the permission to read the files. Otherwise, the files you modified will be stored, you can also analyze your Administrator name and password. You can use the ASP probe to check the security status of the system.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
