The solution to the security of ASP Trojan Webshell

Note: The setting method and environment described in this article: for Microsoft Windows server/win2003 Server | iis5.0/iis6.0 1, first of all, we look at the general ASP Trojan, Webshell the use of ASP components have those? We are listed on the Sea Trojan: <object runat= "Server" id= "ws" Scope= "page" classid= "Clsid:72c24dd5-d70a-438b-8a42-98424b88afb8" > </object><object runat= "Server" id= "ws" Scope= "page" classid= "clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b" ></object><object runat= "Server" id= "NET" scope= "page classid=" clsid:0 93ff999-1ea0-4079-9525-9614c3504b74 "></object><object runat=" server "id=" NET "scope=" page "classid=" clsid:f935dc26-1cf0-11d0-adb9-00c04fd58a0b "></object><object runat=" Server "id=" FSO "scope=" page " Classid= "clsid:0d43fe01-f093-11cf-8940-00a0c9054228" ></object>shellstr= "Shell applicationStr=" Creator "If cmdpath=" Wscriptshell "Set Sa=server.createobject (shellstr&".) &APPLICATIONSTR) Set Streamt=server.createobject ("ADODB.stream") Set domainobject = GetObject ("winnt://.") Above is the ocean in the relevant code, from the above code we can see that the general ASP Trojan, Webshell mainly use the following types of ASP components: ①wscript.shell (CLASSID:72C24DD5-D70A-438B-8A42-98424B88AFB8) ②wscript.shell.1 (ClassID: f935dc22-1cf0-11d0-adb9-00c04fd58a0b) ③wscript.network (classid:093ff999-1ea0-4079-9525-9614c3504b74) ④ Wscript.network.1 (classid:093ff999-1ea0-4079-9525-9614c3504b74) ⑤filesystem Object (classid:0 d43fe01-f093-11cf-8940-00a0c9054228) ⑥adodb.stream (classid:{00000566-0000-0010-8000-00aa006d2ea4}) ⑦ Shell.applicaiton ... hehe, we know who is the most responsible for endangering our web SERVER IIS!! Start fencing, come on ... 2: Workaround: ① deletes or renames the following hazardous ASP components: Wscript.Shell, WSCRIPT.SHELL.1, Wscript.Network, Wscript.network.1, ADODB.stream, Shell.Application start-------> Run--------->regedit, open Registry Editor, press CTRL to find, In turn, enter the above Wscript.Shell and other component names and the corresponding ClassID, and then delete or change the name (here we recommend that you rename, if some of the Web page ASP program using the above components, it is only in the ASP code will be written with our changes after the component name can be used normally.) Of course, if you are sure that your ASP program does not use the above components, or directly delete the heart of some ^_^, according to the general generally will not do these components. After you delete or rename it, IISReset restarts IIS. [Note: Because ADODB.stream this component has a lot of web pages will be used, so if your server is open virtual host, it is recommended to deal with the situation. ]② about the security of the FSO, which is commonly said by File System Object (classid:0d43fe01-f093-11cf-8940-00a0c9054228), if yourServer must use the FSO, (part of the virtual host server generally need to open the FSO function) can refer to my another article on the FSO security solution: Microsoft Windows Server FSO security vulnerabilities solution. If you are sure you don't want to use it, you can simply reverse-register the component. ③ Direct counter Registration, uninstall these dangerous components of the method: (Practical to do not want to use ① and ② class such cumbersome method) unload Wscript.Shell object, under cmd or directly run: regsvr32/u%windir%\system32\wshom.ocx Uninstall FSO object, under CMD or directly run: regsvr32.exe/u%windir%\system32\scrrun.dll Uninstall Stream object, under cmd or directly run: regsvr32/s/u "C:\Program Files\Common Files\system\ado\msado15.dll "If you want to recover, just remove/u to re-register the above related ASP components such as: Regsvr32.exe%windir%\system32\ Scrrun.dll④ about Webshell using Set domainobject = GetObject ("winnt://.") To obtain the server's process, service and user information such as prevention, you can workstation[service in the provision of network links and communications] that is, LanmanWorkstation service stopped and disabled. After this processing, Webshell shows that the process will be blank. 3 in accordance with the 1, 2 Methods of ASP class hazardous components processing, with Arjunolic ASP probe test, "Server CPU Details" and "Server operating system" is not found, the content is blank. Then use the ocean Test Wsript.shell to run the cmd command is also a hint that active cannot create an image. Everyone can no longer for ASP Trojan endanger the security of the server system and worry. Of course, server security is far from these, here for you to introduce the only I in the handling of ASP Trojans, Webshell on some experience. In the next article, we will introduce how to simply prevent others from executing commands such as NET user on the server, preventing overflow attacks from being Cmdshell, and performing the simplest and most effective precautions for adding users, changing NTFS settings to terminal logins, and so on. The author of this article: Lee Paolin/leebolin Senior System engineer, professional network security advisor. has successfully for many large and medium-sized enterprises, ISP service providers provide a complete network securitySolution. Especially good at the overall network security program design, large-scale network engineering planning, as well as providing a complete range of server series security overall solutions. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title of the party (0 votes) passing (0 Votes) The original: ASP Trojan Webshell security measures Back to network security home