How to prevent ASP Trojans from running on the server
Just a quick look; I personally feel it is good, so I am sharing it with you. Because of the site's security configuration problems, some of the formatting could not be directly restored.
If your server is being plagued by ASP Trojans, hopefully this article will help you solve the problem you are facing.
At present, the most popular ASP Trojans rely mainly on three kinds of technique to carry out their operations on the server.
I. Use of the FileSystemObject component
FileSystemObject can perform general operations on files.
This can be prevented by modifying the registry to rename the component:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
Rename it to another name, for example: FileSystemObject_changename
Your own ASP code can then call the component normally under the new name.
Also change the CLSID value:
the value of the item HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID
The key can also be deleted outright to prevent harm from this kind of Trojan.
Command to unregister the component: regsvr32 /u c:\winnt\system32\scrrun.dll
Preventing the Guest user from using scrrun.dll also prevents calls to this component.
Use the command: cacls c:\winnt\system32\scrrun.dll /e /d Guests
II. Use of the Wscript.Shell component
Wscript.Shell can invoke the operating system to run basic DOS commands.
This can be prevented by modifying the registry to rename the component:
HKEY_CLASSES_ROOT\WScript.Shell and HKEY_CLASSES_ROOT\WScript.Shell.1
Change them to different names, for example: Wscript.shell_changename and Wscript.shell.1_changename
Your own ASP code can then call the component normally under the new name.
Also change the CLSID values:
the value of the item HKEY_CLASSES_ROOT\WScript.Shell\CLSID
the value of the item HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID
The keys can also be deleted outright to prevent harm from this kind of Trojan.
III. Use of the Shell.Application component
Shell.Application can invoke the operating system to run basic DOS commands.
This can be prevented by modifying the registry to rename the component:
HKEY_CLASSES_ROOT\Shell.Application
and HKEY_CLASSES_ROOT\Shell.Application.1
Change them to different names, for example: Shell.application_changename and Shell.application.1_changename
Your own ASP code can then call the component normally under the new name.
Also change the CLSID values:
the value of the item HKEY_CLASSES_ROOT\Shell.Application\CLSID
the value of the item HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
The keys can also be deleted outright to prevent harm from this kind of Trojan.
Preventing the Guest user from using shell32.dll also prevents calls to this component.
Use the command: cacls c:\winnt\system32\shell32.dll /e /d Guests
Note: the change will not take effect until the Web service is restarted.
IV. Calling Cmd.exe
Prevent users in the Guests group from calling Cmd.exe:
cacls c:\winnt\system32\cmd.exe /e /d Guests
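As an added example that is not part of the original article, the following PowerShell script audits whether the four hardening steps above are actually in place on a server: it checks whether each ProgID still resolves under HKEY_CLASSES_ROOT and whether the Guests group has a Deny entry on the three files. It assumes it is run as an administrator on the web server itself and uses %SystemRoot% rather than the hard-coded c:\winnt path from the article.

```powershell
# Audit script (added example, not from the original article).
# ProgIDs the article says to rename or delete.
$progIds = 'Scripting.FileSystemObject',
           'WScript.Shell', 'WScript.Shell.1',
           'Shell.Application', 'Shell.Application.1'

# Files the article says to deny to the Guests group.
# %SystemRoot% is assumed instead of the article's c:\winnt.
$files = "$env:SystemRoot\System32\scrrun.dll",
         "$env:SystemRoot\System32\shell32.dll",
         "$env:SystemRoot\System32\cmd.exe"

function Test-ProgIdRegistered([string]$ProgId) {
    # Returns the CLSID if the ProgID still exists, $null if it was renamed/deleted.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path "$key\CLSID" -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' } else { return '(no CLSID value)' }
}

function Test-GuestsDenied([string]$Path) {
    # True if the file's DACL carries a Deny ACE for the Guests group,
    # which is what "cacls <file> /e /d Guests" adds.
    $acl = Get-Acl -Path $Path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*\Guests'
    }
    return [bool]$deny
}

foreach ($id in $progIds) {
    $clsid = Test-ProgIdRegistered $id
    if ($clsid) { Write-Output "STILL REGISTERED  $id  (CLSID $clsid)" }
    else        { Write-Output "renamed/removed   $id" }
}

foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Output "missing           $f"; continue }
    if (Test-GuestsDenied $f) { Write-Output "Guests denied     $f" }
    else                      { Write-Output "NO GUESTS DENY    $f" }
}
```

Lines printed in capitals are the items the article's steps have not yet covered; remember that the registry changes only affect the web application after the Web service is restarted.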
The four steps above are enough to block the currently popular Trojans, but the most effective approach is still a comprehensive security configuration of the server: bring the security of the programs up to a certain standard and, where possible, raise the security level further to prevent more intrusions.