Windows Server Component Security Settings Policy

Source: Internet
Author: User
A. Uninstall the Wscript.Shell and Shell.Application components. Save the following code as a .BAT file and run it (versions for Windows 2000 and 2003 systems are given separately).
Windows2000.bat
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll
Windows2003.bat
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\System32\shell32.dll
del C:\WINDOWS\system32\shell32.dll
B. Rename the unsafe components. Note that both the component name and the CLSID must be changed, and changed thoroughly. Do not copy the values shown here; choose your own.
"Start → Run → regedit → Enter" opens Registry Editor.
Then "Edit → Find → enter Shell.Application → Find Next".
You can find two registry entries in this way:
{13709620-C279-11CE-A49E-444553540000} and Shell.Application.
Step one: To be safe, export these two registry keys and save them as a Xxxx.reg file.
Step two: For example, suppose we want to make this change:
13709620-C279-11CE-A49E-444553540000 renamed as 13709620-C279-11CE-A49E-444553540001
Shell.Application renamed as Shell.application_nohack
Step three: Replace the contents of the .reg file that you just exported according to the mapping above, then import the modified .reg file into the registry (double-click it). After you import the renamed registry keys, don't forget to delete the original two items. Note that a CLSID may contain only the ten digits and the six letters A to F.
In fact, you can simply export the corresponding registry keys as a backup and then change the key names directly.
Example of a finished change (it is recommended that you make your own changes; it should succeed the first time):
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\ProgID]
@="Shell.application_nohack.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\Version]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\VersionIndependentProgID]
@="Shell.application_nohack"

[HKEY_CLASSES_ROOT\Shell.application_nohack]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.application_nohack\CLSID]
@="{13709620-C279-11CE-A49E-444553540001}"

[HKEY_CLASSES_ROOT\Shell.application_nohack\CurVer]
@="Shell.application_nohack.1"
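Steps one to three above, as an added example in Python (not part of the original page): it rewrites an exported .reg file with the new CLSID and ProgID in one consistent pass, rejects a CLSID that is not hex-only, and builds a second .reg file that deletes the original keys. The function name and the trimmed sample export are constructed for illustration.

```python
import re

CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# Constructed sample: a trimmed export of the two keys found in step one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\ProgID]
@="Shell.Application.1"

[HKEY_CLASSES_ROOT\Shell.Application]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application\CLSID]
@="{13709620-C279-11CE-A49E-444553540000}"
'''

def rename_component(reg_text, old_clsid, new_clsid, old_progid, new_progid):
    """Return (renamed .reg text, .reg text that deletes the original keys)."""
    for clsid in (old_clsid, new_clsid):
        if not CLSID_RE.fullmatch(clsid):
            raise ValueError("CLSID must be hex digits in 8-4-4-4-12 form: " + clsid)
    if new_clsid.lower() == old_clsid.lower() or new_progid.lower() == old_progid.lower():
        raise ValueError("both the CLSID and the ProgID must change")
    # Top-level keys in the export that carry an old name: delete these afterwards.
    roots = {}
    head = r"^\[(HKEY_CLASSES_ROOT\\(?:CLSID\\)?[^\\\]]+)"
    for m in re.finditer(head, reg_text, re.I | re.M):
        key = m.group(1)
        if old_clsid.lower() in key.lower() or old_progid.lower() in key.lower():
            roots.setdefault(key.lower(), key)
    # One case-insensitive pass, so "Shell.Application.1" follows its parent name.
    pattern = re.compile("|".join(re.escape(s) for s in (old_clsid, old_progid)), re.I)
    swap = {old_clsid.lower(): new_clsid, old_progid.lower(): new_progid}
    renamed = pattern.sub(lambda m: swap[m.group(0).lower()], reg_text)
    # In .reg syntax a leading "-" inside the brackets deletes the whole key.
    delete = "Windows Registry Editor Version 5.00\n\n" + "".join(
        "[-%s]\n" % key for key in roots.values())
    return renamed, delete

if __name__ == "__main__":
    new_reg, del_reg = rename_component(
        SAMPLE_EXPORT,
        "13709620-C279-11CE-A49E-444553540000", "13709620-C279-11CE-A49E-444553540001",
        "Shell.Application", "Shell.application_nohack")
    print(new_reg)
    print(del_reg)
```

Import the renamed file first and the delete file second, and keep the untouched export as the backup.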
Lao Du commented: The Wscript.Shell and Shell.Application components are the key to script-based intrusion. Uninstalling these two components and modifying the corresponding registry keys can greatly improve the script security of a virtual host. In general, privilege elevation through ASP- and PHP-type scripts is then not possible; coupled with settings for system services, hard disk access permissions, port filtering and local security policy, the security of the virtual host should increase greatly, and the possibility of being hacked is very low. After the shell components are unregistered, an intruder is less likely to be able to run privilege-elevation tools, but Perl and other scripting languages also have shell capabilities, so it is best to guard against them as well. Here is another setting, which is very similar.
I. Prohibit the use of the FileSystemObject component
FileSystemObject can perform ordinary file operations. You can modify the registry to rename this component and so prevent harm from Trojans of this kind.
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\
Rename it to something else, for example: FileSystemObject_ChangeName
When you need the component later, call it by this new name and it works normally.
Also change the CLSID value:
the value of the HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\ item
You can also delete it to prevent harm from such Trojans.
Command to unregister this component on 2000: regsvr32 /u C:\WINNT\System32\scrrun.dll
Command to unregister this component on 2003: regsvr32 /u C:\WINDOWS\System32\scrrun.dll
How do you prevent Guests users from using scrrun.dll, so that they cannot call this component?
Use this command: cacls C:\WINNT\system32\scrrun.dll /e /d Guests
II. Prohibit the use of the Wscript.Shell component
Wscript.Shell can invoke the system kernel to run basic DOS commands.
This can be prevented by modifying the registry to rename this component.
HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\
Change them to different names, for example: Wscript.Shell_ChangeName or Wscript.Shell.1_ChangeName
When you need the component later, call it by this new name and it works normally.
Also change the CLSID values:
the value of the HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\ item
the value of the HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\ item
You can also delete them to prevent harm from such Trojans.
III. Prohibit the use of the Shell.Application component
Shell.Application can invoke the system kernel to run basic DOS commands.
This can be prevented by modifying the registry to rename this component.
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Change them to different names, for example: Shell.Application_ChangeName or Shell.Application.1_ChangeName
When you need the component later, call it by this new name and it works normally.
Also change the CLSID values:
the value of the HKEY_CLASSES_ROOT\Shell.Application\CLSID\ item
the value of the HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ item
You can also delete them to prevent harm from such Trojans.
Prevent Guests users from using shell32.dll, so that they cannot call this component.
2000 use command: cacls C:\WINNT\system32\shell32.dll /e /d Guests
2003 use command: cacls C:\WINDOWS\system32\shell32.dll /e /d Guests
Note: These operations do not take effect until the Web service is restarted.
IV. Calls to Cmd.exe
Prevent users in the Guests group from calling cmd.exe.
2000 use command: cacls C:\WINNT\system32\cmd.exe /e /d Guests
2003 use command: cacls C:\WINDOWS\system32\cmd.exe /e /d Guests
The four steps above basically guard against the Trojans that are currently popular, but the most effective approach is still comprehensive security configuration that brings the server and its programs up to a certain security standard; only then can the security level be set higher and more illegal intrusions be prevented.
C. Prevent Serv-U privilege elevation (applies to Serv-U versions before 6.0; in later versions you can set the password directly)
Stop the Serv-U service first.
Open ServUDaemon.exe with UltraEdit.
Find the ASCII strings LocalAdministrator and #l@$ak#.lk;0@P
Change them to other characters of equal length. Do the same for ServUAdmin.exe.

Also set the permissions on the folder where Serv-U is installed so that the IIS anonymous user has no read permission; otherwise the file you modified can still be analyzed to recover your administrator name and password.