Virtual Host protection for script Trojans

Source: Internet
Author: User
Tags: web hosting

-------------------------------------------
Attack Process:

A friend finished building a website a few days ago and asked me to do a security check on it. After a brief look I found that both ASP and PHP scripts existed on the site.
I knew that FSO was a requirement of the hosting provider, so my friend had used a PHP upload program for member uploads.
That PHP upload program gave me my way onto this server. Thanks ....

The upload vulnerability was used to upload a PHP Trojan. To test the server's protection against ASP Trojans, I used the PHP Trojan to write a small ASP test page, fso.asp, that calls FSO.
The page showed the error "invalid progid...", which most likely (80%) meant the ProgID value had been changed. So I immediately used the PHP Trojan's write permission to edit fso.asp:
the line set fso = server.createobject("scripting.filesystemobject") was deleted and replaced with
<object runat=server id=fso scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>.

After the write succeeded I opened fso.asp, and ha! The basic information for every disk on the server was laid out plainly.

So there was no problem executing an ASP Trojan. ASP security had been done, but not completely, and a PHP horse alone was enough to take the server down. Although nearly a thousand websites on the server's D and G drives had backups on the I drive, those were of no use at all: you have full read and write permission, and there is nothing the server can do about it. You can also run a webshell, and if you escalate privileges you reach the server's disks. If the data were trashed, I could not restore it even if I wanted to. Although I would never do something so indecent to my fellow countrymen, I held everything in my hands. Another attack like this is as simple as an alien invasion: a perfectly ordinary site can hand over control of the whole server with the same old tricks! Alas!

 

------------------------------------------------------------------

Protection Methods
Method 1: script monitoring

Implementation environment: Windows OS
Implementation method: install anti-virus software that monitors scripts, for example Kaspersky. Digression: my own scripts often get killed by it... sometimes I can only switch its monitoring off for a while!

Personal opinion: it is easy to implement; just install good anti-virus software. 263's hosts use this method! However, it does not help much: not every horse can be detected and killed, and once I encrypt the program the anti-virus software no longer recognises it. It can only serve as a first line of defence!

----------------------------------------------------------------
Method 2: invalidating the FSO component
Implementation environment: Windows operating system, IIS mode
Implementation method: stop ASP Trojans from running by invalidating calls to the FSO (FileSystemObject) component!

This method has two moves:
----------------------------------------------------------------
Step 1: modify the program ID (ProgID) in the registry
Tip: click Start --> Run, enter "regedit" in the Run dialog, and in the Registry Editor rename the key "HKEY_CLASSES_ROOT\Scripting.FileSystemObject" to "HKEY_CLASSES_ROOT\Scripting.FileSystemObjectcn90".
Note: this only changes the FSO call statement "set objectname = server.createobject("Scripting.FileSystemObject")" into "set objectname = server.createobject("Scripting.FileSystemObjectcn90")", so that anyone who does not know the default ProgID has been changed cannot call the FSO component, and ASP Trojans cannot run. Finally, a reminder: some people think that changing Scripting.FileSystemObject to Scripting.FileSystemObjectcn90 means the string value (on the right-hand side). That is useless; it does not matter whether that string value is changed. What matters is renaming the key itself on the left (renaming the folder).

Personal opinion: this move looks useful, but if a proficient user calls the component from the web page through HTML's <object> tag with the FSO class ID (CLSID), then after half a day's work the ProgID change was made for nothing! A method of also changing the CLSID value has been circulating on the Internet as an improvement on this trick, but I will tell you from experience: it does not work. The default CLSID string value is {0D43FE01-F093-11CF-8940-00A0C9054228}. When I changed its ending digits to something else and then tried calling by CLSID, an error occurred. I tried this on several operating systems and it was invalid on all of them. As for why, I am not very familiar with Microsoft's CLSID settings, but as far as I know the CLSID is the unique value that Microsoft assigns, and when the FSO component in scrrun.dll is called it actually goes to the registry to look up its instructions, so changing the CLSID may cause a value conflict or make FSO impossible to call at all.

-----------------------------------------------------------------
Step 2: disable the FSO component

Tip: click Start > Run, enter "regsvr32 /u %systemroot%\system32\scrrun.dll" in the Run dialog and click OK!

Note: it is convenient to unregister the FSO component with the regsvr32 tool that ships with Windows. To enable it again, enter "regsvr32 %systemroot%\system32\scrrun.dll" in the Run dialog.

Personal opinion: this move is convenient and effective. System administrators seldom use FSO for management, so if not many sites require the FSO component, unregistering it outright is recommended!
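An added PowerShell example, not part of the original article, that shows from the registry what Steps 1 and 2 actually change and then carries out Step 2. It assumes an elevated prompt, the default FSO CLSID quoted in Step 1's discussion, and the default location of scrrun.dll:

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on the IIS host. Assumptions: the default FSO CLSID
# quoted in the article and the default location of scrrun.dll.

$progId = 'Scripting.FileSystemObject'
$clsid  = '{0D43FE01-F093-11CF-8940-00A0C9054228}'
$dll    = Join-Path $env:SystemRoot 'System32\scrrun.dll'

function Get-FsoState {
    # Reports the two registry entries an ASP page can use to reach FSO:
    # the ProgID (Server.CreateObject) and the CLSID (<object classid=...>).
    $progIdKey = "Registry::HKEY_CLASSES_ROOT\$progId"
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $hasProgId = Test-Path $progIdKey
    $hasClsid  = Test-Path $serverKey
    $server    = if ($hasClsid) { (Get-ItemProperty $serverKey).'(default)' } else { $null }

    $verdict = 'FSO fully reachable (ProgID and CLSID)'
    if (-not $hasClsid) { $verdict = 'FSO unregistered: neither call path works' }
    if ($hasClsid -and -not $hasProgId) { $verdict = 'ProgID renamed only: still reachable by CLSID (Step 1 alone)' }

    [pscustomobject]@{
        ProgIdPresent = $hasProgId
        ClsidPresent  = $hasClsid
        Dll           = $server
        Verdict       = $verdict
    }
}

# Before Step 2
Get-FsoState | Format-List

# Step 2: unregister scrrun.dll. /s suppresses the confirmation dialog.
Start-Process -FilePath regsvr32.exe -ArgumentList "/u /s `"$dll`"" -Wait -NoNewWindow

# After Step 2 the CLSID entry is gone as well, which is what closes the
# <object classid=...> route that renaming the ProgID alone leaves open.
Get-FsoState | Format-List
```

One caveat before running it on a production host: scrrun.dll also hosts Scripting.Dictionary, so unregistering it breaks ASP code that uses Dictionary objects, not only FSO. Re-register it with the regsvr32 command given in the Note above if that turns out to matter.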

----------------------------------------------------------------

Method 3: using PHP's internal function controls against PHP Trojans

Implementation environment: any operating system that supports and runs PHP
Implementation method: disable some powerful internal functions by editing PHP's core configuration file php.ini! OK, let's get started!

Step 1: open php.ini (the default path on Windows is "%systemroot%\php.ini"; on Linux it is "/etc/php.ini").

Step 2: find "safe_mode = off" and change it to "safe_mode = on" (skip this step if it is already enabled).

Step 3: find "disable_functions =" and change it to "disable_functions = phpinfo, system, exec, passthru, shell_exec, popen, is_dir".

Step 4: change "display_errors = on" to "display_errors = off".

Step 5: save and exit.

Note: once PHP safe mode (safe_mode) is enabled, every internal PHP function listed after "disable_functions =" is disabled. Disabling "phpinfo" does not by itself stop PHP Trojans, but phpinfo returns all of PHP's basic information, so we recommend disabling it as a matter of course.
"system, exec, passthru, shell_exec, popen" are command-execution functions; disabling them prevents PHP Trojans from executing commands through the webshell. "is_dir" is disabled so that, even with Everyone read permission, the server's directory and file names cannot be returned to the browser.
At that point, however, PHP's error message would tell the attacker exactly which functions are disabled, so we also turn off error display, which is Step 4.
Without those permissions, hackers using ordinary tools will give up!

My opinion: I found that a PHP Trojan defence article published on the Internet recommends this specific disabled function list:
"disable_functions = passthru, exec, shell_exec, system, fopen, mkdir, rmdir, chmod, unlink, dir, fopen, fread, fclose, fwrite, file_exists, closedir, is_dir, readdir, opendir, fileperms, copy, unlink, delfile".
Listing delfile as a PHP function to disable deserves a big question mark. Moreover, PHP itself provides a large number of functions, and that ease of getting things done is exactly why it is so popular with PHP programmers. If that many functions are disabled, guestbooks and forums that run on a text-file database cannot work properly.
The Trojans are blocked, but PHP's capabilities are lost too, to the point that many customers could only leave this virtual host.

In fact, I don't even want to close is_dir. I prefer to close only phpinfo, system, exec, passthru, shell_exec and popen, and then combine that with correct permission settings.
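An added php.ini fragment, not from the original article, showing the shipped values beside the hardened values from the five steps above, using the shorter function list preferred in the opinion just given. proc_open and the log_errors lines are my additions: proc_open is another process-spawning function, and log_errors keeps the messages that Step 4 hides from the browser. Note that safe_mode exists only in PHP 5.3 and earlier (it was removed in PHP 5.4); the disable_functions and display_errors lines apply to every version.

```ini
; Added example, not from the original article. The commented "shipped"
; line of each pair is the default; the live line is the hardened value
; for a shared virtual host.

[PHP]
; shipped:  safe_mode = Off   (PHP 5.3 and earlier only; removed in 5.4)
safe_mode = On

; shipped:  disable_functions =
; Command-execution functions plus phpinfo. proc_open is an addition to
; the article's list: it is one more way to spawn a process.
disable_functions = phpinfo,system,exec,passthru,shell_exec,popen,proc_open

; shipped:  display_errors = On
; Step 4: do not tell the browser which function was blocked...
display_errors = Off
; ...but keep the message for the administrator (addition to the article).
log_errors = On
error_log = "C:\php\logs\php_error.log"   ; path is an assumption
```

After editing, restart the web server and confirm the result with a one-line test page that calls one of the listed functions: the request should produce a blank page (the call is refused and the refusal goes to error_log), not an error text in the browser.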

---------------------------------------------------------------

Method 4: directory permission verification to prevent cross-site intrusion

Implementation environment: Windows operating system with NTFS, Linux operating system

Implementation method: by controlling access permissions on directories, users of different levels can only perform the operations they are entitled to (permissions). This method is designed for Windows and Linux!

--------------------------------------
Option 1: directory access permission control in Apache (Windows) server mode

Tips: 1. In the security options of every partition, delete all authorized groups and users except Administrators and SYSTEM.

2. Add Everyone read, write and list-directory permissions to each virtual host's user directory.

Note: the method above belongs to the Apache server class. It is not only applicable to Apache, but under IIS there is a better permission configuration scheme. It can be said that on a Windows operating system, if you do not use IIS, use this method for the other web server modes! With permissions set this way, the corresponding virtual host guest users only have permissions inside the authorized directory and none at the level above, so they cannot see other people's directories, and of course cannot wander into them, so cross-site intrusion cannot take place, unless that person knows your website's directory layout very well. But I think such a person would be an insider, and it is hard to guard against a thief in the family, so we will not consider those individual cases here. However, I have found that many web hosting vendors use the website name as the directory name, for easier memory and management. Here there is one extra security factor: when you set up the directory, simply add a few random characters after the name you intended, and no one can guess any directory's name. It is a trivial effort, so why not?

Personal opinion: script Trojan protection in Apache mode usually means PHP Trojan defence. I have never seen anyone run ASP under Apache; apart from the compatibility issues, I have not configured Apache to support ASP in recent years, and I have never seen anyone else succeed (except where Apache and IIS coexist through port mapping). For a secure server, permissions must be configured. But depending on the actual situation of different servers, you need to combine several methods to ensure security and effectiveness.

In fact, for the Apache server you can add "php_admin_value open_basedir your-website-directory" to httpd.conf. But based on my own experience, I personally think this suits internal or personal use and is not suitable for virtual host users; there is no good way around that. I just want to mention it; if you are interested, study it yourself!
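An added httpd.conf fragment, not from the original article, showing where the open_basedir line mentioned above goes when it is set per virtual host on a Windows Apache with mod_php, so that each site's PHP can open files only under its own directory. Server names and paths are assumptions; the directory names carry the random suffix suggested under Option 1.

```apache
# Added example, not from the original article. Server names and paths are
# assumptions. Windows Apache + mod_php; on Linux separate the paths with
# ':' instead of ';'.

<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot "D:/vhosts/site1_k7q2/htdocs"

    # php_admin_value cannot be overridden from .htaccess or ini_set(), so a
    # PHP Trojan uploaded into this site cannot widen its own file access.
    php_admin_value open_basedir "D:/vhosts/site1_k7q2/htdocs;D:/vhosts/site1_k7q2/tmp"
    # Keep uploads and sessions inside the allowed tree, or PHP cannot use them.
    php_admin_value upload_tmp_dir "D:/vhosts/site1_k7q2/tmp"
    php_admin_value session.save_path "D:/vhosts/site1_k7q2/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot "D:/vhosts/site2_m4x8/htdocs"

    php_admin_value open_basedir "D:/vhosts/site2_m4x8/htdocs;D:/vhosts/site2_m4x8/tmp"
    php_admin_value upload_tmp_dir "D:/vhosts/site2_m4x8/tmp"
    php_admin_value session.save_path "D:/vhosts/site2_m4x8/tmp"
</VirtualHost>
```

open_basedir only restricts PHP's own file functions; it does nothing about system() or exec(), so it belongs together with the disable_functions list from Method 3, and the NTFS permissions from Option 1 still apply underneath it.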

---------------------------------------------------


Option 2: directory access permission control in IIS server mode

Trick: first create a user in the Guests group, then grant the directory of the corresponding website read and run permissions for that newly created Guests-group user. Next, edit Directory Security in IIS and change the default anonymous user to the corresponding Guests user.
Click OK and you will be prompted to enter the password again. If the password is correct, that's it.

NOTE: if your IIS supports not only ASP but also PHP, the users licensed to use PHP should also be given read and run permissions on the PHP program directory for their corresponding accounts. The %systemroot% directory is read-only, and PHP cannot run there without permission; therefore we recommend that you install
PHP
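An added PowerShell script, not from the original article, that carries out Option 1's per-site directory permissions and Option 2's per-site Guests account and IIS anonymous user in one pass. IIS site names, directory names, account names and the application pool naming are assumptions; it expects a current Windows Server with the LocalAccounts and WebAdministration modules (the article's era did the same steps in the IIS console and with net user) and an elevated prompt.

```powershell
# Added example, not from the original article. Site directories, IIS site
# names and account names are assumptions. Run elevated on the IIS host.

Import-Module WebAdministration

$siteRoot = 'D:\vhosts'
# IIS site name -> NTFS folder under $siteRoot and the site's Guests account
$sites = @{
    'site1' = @{ Dir = 'site1_k7q2'; User = 'iusr_site1' }
    'site2' = @{ Dir = 'site2_m4x8'; User = 'iusr_site2' }
}

foreach ($site in $sites.Keys) {
    $dir  = $sites[$site].Dir
    $user = $sites[$site].User
    $path = Join-Path $siteRoot $dir
    $pw   = Read-Host -AsSecureString "Password for $user"

    # Option 2: a per-site account that is a member of Guests only.
    New-LocalUser -Name $user -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    Add-LocalGroupMember -Group 'Guests' -Member $user
    Remove-LocalGroupMember -Group 'Users' -Member $user -ErrorAction SilentlyContinue

    # Option 1: cut inheritance from D:\ so nothing granted higher up leaks in,
    # then grant only Administrators, SYSTEM, this site's own account and
    # (modern IIS) its application pool identity, assumed to share the site name.
    icacls $path /inheritance:r | Out-Null
    icacls $path /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" `
        "${user}:(OI)(CI)RX" "IIS AppPool\${site}:(OI)(CI)RX" | Out-Null

    # Option 2: make IIS serve this site's anonymous requests as that account.
    $plain  = [System.Net.NetworkCredential]::new('', $pw).Password
    $filter = 'system.webServer/security/authentication/anonymousAuthentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name userName -Value $user
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name password -Value $plain
}

# Check the result: site1's account must hold no ACE on site2's directory.
$acl = Get-Acl (Join-Path $siteRoot $sites['site2'].Dir)
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Give every site its own application pool as well; with a shared pool the worker process identity is the same for all sites and the per-site account isolates only the anonymous request token, not the code running in the pool.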
