Reprinted:
http://fox.he100.com/
I have been a virtual host administrator for about a year, so I have some understanding of WebShells on NT. Here I have pulled together several articles by more experienced people on how to prevent WebShells. Common WebShells are written in scripting languages such as ASP, PHP and Perl. The popular ones include ASP Trojan 2005, the Guilin Veteran (I am not sure whether it counts as a WebShell, huh), the Blue Screen ASP Trojan (seems a bit dated), Security Angel's PHPSPY2005, Coffee PHP Document Manager 1.6, and cmd.cgi (I am not familiar with Perl; this is the only one I know). The purpose of this article is to prevent these WebShells.
To prevent these WebShells, first set the server's permissions so that they cannot reach anything outside their own directory. For the server permission settings you can refer to the IIS FAQ by Not Awake (http://fox.he100.com/showart.asp?art_id=121&cat_id=1); I quote the relevant part of the original text directly here.
9. How do I set the minimum NTFS permissions for IIS?
Do the following in turn:
a. The whole hard disk:
   System: Full Control
   Administrators: Full Control
   (Allow inheritable permissions from the parent to propagate to this object)
b. \Program Files\Common Files:
   Everyone: Read & Execute, List Folder Contents, Read
   (Allow inheritable permissions from the parent to propagate to this object)
c. \Inetpub\wwwroot:
   IUSR_MACHINENAME: Read & Execute, List Folder Contents, Read
   (Allow inheritable permissions from the parent to propagate to this object)
e. \WINNT\system32:
   Select all directories except inetsrv and CertSrv, untick "Allow inheritable permissions from parent to propagate to this object" and choose "Copy".
f. \WINNT:
   Select all directories except Downloaded Program Files, Help, IIS Temporary Compressed Files, Web Pages, System32, Tasks, Temp and Web, untick "Allow inheritable permissions from parent to propagate to this object" and choose "Copy".
g. \WINNT:
   Everyone: Read & Execute, List Folder Contents, Read
   (Allow inheritable permissions from the parent to propagate to this object)
h. \WINNT\Temp: (lets ASP pages access databases and display the results)
   Everyone: Modify
   (Allow inheritable permissions from the parent to propagate to this object)
Set cmd.exe, net.exe, net1.exe and ping.exe so that only the Administrators group can access them; this stops a local privilege escalation through Serv-U from using these critical programs. Then delete cacls.exe so that nobody can modify permissions from the command line, huh.
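The NTFS settings above, applied with PowerShell rather than through the Explorer dialogs. This is an added example, not code from the original article or the IIS FAQ it quotes. It assumes the anonymous IIS account is the placeholder IUSR_MACHINENAME, the site root is C:\inetpub\wwwroot and the system root is whatever $env:SystemRoot reports (C:\WINNT on Windows 2000, C:\Windows today). Run it from an elevated prompt; on current Windows the system32 tools are owned by TrustedInstaller, so the script takes ownership before changing their ACL.

```powershell
# Added example, not part of the original article.
$anon = "IUSR_MACHINENAME"   # placeholder: substitute the real anonymous web account

# Append an Allow ACE. $Inherit = $true propagates it to subfolders and files,
# which is what the "allow inheritable permissions" checkbox does in the GUI.
function Grant-Access {
    param([string]$Path, [string]$Identity, [string]$Rights, [bool]$Inherit = $true)
    $flags = if ($Inherit) { "ContainerInherit, ObjectInherit" } else { "None" }
    $acl   = Get-Acl -Path $Path
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
                 $Identity, $Rights, $flags, "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Stop inheriting from the parent but keep a copy of the current entries:
# the same as unticking the inheritance box and choosing "Copy".
function Stop-Inheritance {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # protect = yes, preserve inherited = yes
    Set-Acl -Path $Path -AclObject $acl
}

# c. wwwroot: the anonymous account gets Read & Execute (implies List Folder Contents and Read)
Grant-Access -Path "C:\inetpub\wwwroot" -Identity $anon -Rights "ReadAndExecute"

# h. Temp: Everyone may Modify so that ASP pages can work with databases
Grant-Access -Path "$env:SystemRoot\Temp" -Identity "Everyone" -Rights "Modify"

# e. system32: every subdirectory except inetsrv and CertSrv stops inheriting
Get-ChildItem -Path "$env:SystemRoot\system32" -Directory |
    Where-Object { $_.Name -notin "inetsrv", "CertSrv" } |
    ForEach-Object { Stop-Inheritance -Path $_.FullName }

# Critical tools: only Administrators (and SYSTEM) may access them.
foreach ($tool in "cmd.exe", "net.exe", "net1.exe", "ping.exe") {
    $file = Join-Path $env:SystemRoot "system32\$tool"
    if (-not (Test-Path -Path $file)) { continue }
    takeown /F $file | Out-Null                      # needed on current Windows (TrustedInstaller owns them)
    $acl = Get-Acl -Path $file
    $acl.SetAccessRuleProtection($true, $false)      # break inheritance, drop inherited ACEs
    $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, "FullControl", "None", "None", "Allow")))
    }
    Set-Acl -Path $file -AclObject $acl
}

# Review the result; the anonymous account must not appear on the tools' ACLs.
icacls "$env:SystemRoot\system32\cmd.exe"
```

The article's final step, deleting cacls.exe, is deliberately left out of the script: on current Windows icacls.exe offers the same function, so removing one without the other gains nothing, and the whole-drive entries in step a are best set by hand after checking what already exists on the volume.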
Remove the components that some ASP WebShells rely on; ordinary virtual host users do not actually need these components.
Many articles on preventing ASP Trojans mention the FileSystemObject component, but after deleting it many ASP programs will no longer run. In fact, as long as the permission work above has been done, the FileSystemObject component can be left working: it can only operate on files in the user's own directory and poses no threat. The components that are still a threat are Shell.Application and WScript.Shell. Shell.Application can perform some operations and also execute programs (though not with parameters), and WScript.Shell can operate on the registry and execute DOS commands.
Method for preventing the WScript.Shell component:
This component can be renamed by modifying the registry.
HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\
Rename them to other names, for example WScript.Shell_changename and WScript.Shell.1_changename; the component can then still be used normally by calling it under the new name.
Also change the CLSID value:
the default value of HKEY_CLASSES_ROOT\WScript.Shell\CLSID\
the default value of HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\
It can also be deleted to prevent the harm done by this kind of Trojan.
Method for preventing the Shell.Application component:
This component can be renamed by modifying the registry.
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Rename them to other names, for example Shell.Application_changename and Shell.Application.1_changename;
the component can then still be used normally by calling it under the new name.
Also change the CLSID value:
the default value of HKEY_CLASSES_ROOT\Shell.Application\CLSID\
the default value of HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\
It can also be deleted to prevent the harm done by this kind of Trojan.
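The registry renaming for both components, as an added PowerShell example (not code from the original article). The "_changename" suffix is the article's own example; choose a different one. The script only renames the ProgID keys, which is the article's first method: CreateObject("WScript.Shell") then fails, while the CLSID subkey moves with the renamed key so the object stays usable under the new name. The article's additional step of deleting the CLSID value is shown as a commented line, since it also makes the renamed ProgID unusable. Note that the class itself stays registered under HKEY_CLASSES_ROOT\CLSID\{...}, so renaming the ProgID only blocks creation by name. Run elevated and export the keys first so the change can be reverted.

```powershell
# Added example, not part of the original article.
$suffix  = "_changename"   # the article's example suffix; use your own
$progIds = "WScript.Shell", "WScript.Shell.1", "Shell.Application", "Shell.Application.1"

foreach ($id in $progIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$id"
    if (-not (Test-Path -Path $key)) { Write-Warning "$key not found, skipping"; continue }

    # Back up the key so the rename can be undone later (reg import <file>).
    $backup = Join-Path $env:TEMP ("{0}.reg" -f ($id -replace '\.', '_'))
    reg export "HKCR\$id" $backup /y | Out-Null

    # The default value of the CLSID subkey is the class id this ProgID resolves to.
    $clsid = (Get-Item -Path "$key\CLSID").GetValue("")
    Write-Host ("{0} -> {1} (backup: {2})" -f $id, $clsid, $backup)

    # Renaming the ProgID key makes CreateObject("$id") fail with
    # "ActiveX component can't create object"; CreateObject("$id$suffix") still works.
    Rename-Item -Path $key -NewName "$id$suffix"

    # The article's extra step: remove the ProgID -> CLSID mapping as well.
    # Uncomment only if the component is not needed under the new name either.
    # Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$id$suffix\CLSID" -Recurse
}

# Check the result: the old names must no longer exist, the new ones must.
function Test-ProgIdRename {
    param([string[]]$Ids, [string]$Suffix)
    foreach ($id in $Ids) {
        [pscustomobject]@{
            ProgId  = $id
            OldGone = -not (Test-Path -Path "Registry::HKEY_CLASSES_ROOT\$id")
            NewOk   = Test-Path -Path "Registry::HKEY_CLASSES_ROOT\$id$Suffix"
        }
    }
}
Test-ProgIdRename -Ids $progIds -Suffix $suffix | Format-Table -AutoSize
```

After running it, an ASP page that calls Server.CreateObject("WScript.Shell") reports that the ActiveX component cannot be created, which is the behaviour the article is after; your own scripts that legitimately need the object call it by the new name.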
Additional reference: "Building a Virtual Host Free from the FSO Threat"
Author: Tao Heung lay
Most virtual hosts now disable FileSystemObject, because this component gives ASP powerful file system access: reading, writing, copying, deleting, renaming and so on (under the default settings of Windows NT/2000, of course). But once this component is prohibited, every ASP program that uses it stops running, and customers' needs cannot be met.
How can the FileSystemObject component be allowed without affecting the server's security (that is, without different virtual host users being able to use the component to read and write each other's files)? Here is a method I arrived at by experiment, described below using Windows 2000 Server as the example.
Open Explorer on the server, right-click the drive letter of each hard disk partition or volume, select "Properties" from the pop-up menu and open the "Security" tab; there you can see which accounts can access this partition or volume and with what rights. After a default installation "Everyone" has Full Control. Add "Administrators", "Backup Operators", "Power Users", "Users" and so on and give them Full Control or the appropriate permissions; be careful not to give the "Guests" group or "IUSR_<machine name>" any permissions. Then remove the "Everyone" group from the list, so that only authorized groups and users can access this partition. ASP executes as "IUSR_<machine name>", and since that account has been given no permissions here, ASP cannot read or write files on the disk either. The next step is to set up a separate user account for each virtual host user and then give each account Full Control over one directory.
As shown in the figure below, open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right-hand pane and select "New User" from the pop-up menu:
In the "New User" dialog that pops up, fill in "User name", "Full name", "Description", "Password" and "Confirm password" as needed, untick "User must change password at next logon", and tick "User cannot change password" and "Password never expires". This example creates "IUSR_VHOST1", the account used for anonymous access to Internet Information Services for the first virtual host's user, i.e. all clients that access this virtual host via http://xxx.xxx.xxxx/ do so under this identity. Click "Create" to finish. You can create as many users as you need; when done, click "Close":
The newly created user now appears in the account list; double-click it to continue setting it up:
In the "IUSR_VHOST1 Properties" dialog (the account just created), open the "Member Of" tab:
By default the new account belongs to the "Users" group; select that group and click "Remove":
Now, as shown in the figure below, click "Add":
In the "Select Group" dialog find "Guests" and click "Add"; the group appears in the text box below. Then click "OK":
The result is as shown below; click "OK" to close this dialog:
Open Internet Information Services and start configuring the virtual host. This example uses the "First Virtual Host"; right-click the host name and select "Properties" from the pop-up menu:
A "First Virtual Host Properties" dialog pops up, from which you can see that the home directory is the "F:\Vhost1" folder. Leave that dialog open for now, switch to the "F:\Vhost1" folder in Explorer, right-click it and select "Properties" → "Security". You can see that the folder's default security setting is "Everyone" Full Control (what is displayed varies by situation). First untick "Allow inheritable permissions from parent to propagate to this object":
A "Security" warning like the one below pops up; click "Remove":
All groups and users in the Security tab are now empty (if not, use "Remove" to clear them); then click "Add".
Add "Administrators" as shown in the figure, and add the new account "IUSR_VHOST1" created earlier, giving both Full Control. Add other groups or users as needed, but never add the "Guests" group or "IUSR_<machine name>", the anonymous access accounts!
Switch back to the "First Virtual Host Properties" dialog opened earlier, open the "Directory Security" tab and click "Edit":
In the "Authentication Methods" dialog (shown below), click "Edit":
The "Anonymous User Account" dialog pops up; the default is "IUSR_<machine name>". Click "Browse":
In the "Select User" dialog find the new account "IUSR_VHOST1" and double-click it:
The anonymous user name has now changed; in the password box enter the password set for this account when it was created:
Confirm the password again:
OK, done; click OK to close these dialogs.
After this setup, the "first virtual host" user can use ASP's FileSystemObject component to access its own directory, F:\Vhost1; attempts to access anything else produce errors such as "Permission denied", "Disk not ready" or "500 Internal Server Error".
Note: with this setup the user cannot read the partition's capacity or the hard disk's serial number. If you want these and other partition-wide details to be readable, right-click the hard disk partition (volume), select "Properties" → "Security", add this user's account to the list and give it at least "Read" permission. Because the subdirectories on this volume have already been set not to inherit permissions from the parent, their permission settings are not affected.
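The per-virtual-host anonymous account procedure above, from creating the account to pointing the site at it, as an added PowerShell example (not code from the original article). It assumes the site is named "First Virtual Host", its home directory is F:\Vhost1 and the account is IUSR_VHOST1, as in the article, and that the server runs a current Windows with the LocalAccounts and WebAdministration modules; the article's screenshots are for IIS 5 on Windows 2000, where the last step is made in the IIS console instead. The NTFS part uses icacls, which on Windows 2000 would be cacls. Run it from an elevated prompt.

```powershell
# Added example, not part of the original article.
$user    = "IUSR_VHOST1"            # assumption: account name from the article
$site    = "First Virtual Host"     # assumption: IIS site name from the article
$homeDir = "F:\Vhost1"              # assumption: home directory from the article
$password = Read-Host -AsSecureString -Prompt "Password for $user"

# 1. Create the account: password never expires, the user cannot change it.
New-LocalUser -Name $user -Password $password -Description "Anonymous account for $site" `
    -PasswordNeverExpires -UserMayNotChangePassword | Out-Null

# 2. Move it from Users into Guests, as the article's "Member Of" step does.
Remove-LocalGroupMember -Group "Users"  -Member $user -ErrorAction SilentlyContinue
Add-LocalGroupMember    -Group "Guests" -Member $user

# 3. Home directory: stop inheriting and discard the inherited entries (/inheritance:r),
#    then grant only Administrators and the site account Full Control, inherited by
#    subfolders and files ((OI)(CI)). Neither Guests nor IUSR_<machine name> is listed.
icacls $homeDir /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" "${user}:(OI)(CI)F"

# 4. Point the site's anonymous authentication at the new account (IIS 7 and later;
#    on IIS 5 this is the "Anonymous User Account" dialog in the site properties).
Import-Module WebAdministration
$plain  = [System.Net.NetworkCredential]::new("", $password).Password
$filter = "system.webServer/security/authentication/anonymousAuthentication"
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $site `
    -Filter $filter -Name "userName" -Value $user
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $site `
    -Filter $filter -Name "password" -Value $plain

# 5. Show what the site account can reach: its home directory should list it with
#    full control, and a folder outside it should not list it at all.
function Get-UserAccess {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Identity" } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
"Access of $user on $homeDir :"
Get-UserAccess -Path $homeDir -Identity $user | Format-Table -AutoSize
"Access of $user on $env:SystemRoot (expected: none):"
Get-UserAccess -Path $env:SystemRoot -Identity $user | Format-Table -AutoSize
```

The functional check the article describes still applies afterwards: an ASP page on this site that uses FileSystemObject to open a file under F:\Vhost1 succeeds, and one that tries a path on another site or volume fails with "Permission denied" or a 500 error.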
Appendix
Reference articles:
"Building a Virtual Host Free from the FSO Threat"
http://fox.he100.com/showart.asp?art_id=106&cat_id=1
IIS FAQ
http://fox.he100.com/showart.asp?art_id=121&cat_id=1
How to prevent ASP Trojans from running on the server
http://fox.he100.com/showart.asp?art_id=120&cat_id=1
Windows 2000 virtual host basic permission settings (incomplete version)
http://www.icylife.net/blog/show.php?id=40
Postscript (rambling):
Having finally finished the article, I had a look back over it and it seems rather chaotic; I will go over it again --_-!
By Blackfox
QQ: 6858849
2/17/2005 10:16:31 PM