Preventing the ASPXSpy trojan from listing services and IIS information and from executing commands

  • 2020-05-07 20:42:53
  • OfStack

Environment: Windows 2003 + IIS 6 + .NET 2.0

For security reasons, harden the server's security settings, then upload ASPXSpy to test them.

ASPXSPY probe

1. Prevent the ASPXSpy trojan from executing commands and reading the registry

Test method 1:

First open C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\web.config, find

    <trust level="Full" originUrl="" />

and change it to

    <trust level="High" originUrl="" />

Then open C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\web_hightrust.config. It contains this line:

    <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

Delete it to prevent reading the registry.

After testing, the website lost its OLE DB permission after the above operation, so the Access database could not be accessed.

Test method 2 (do not use):

%SystemRoot%/ServicePackFiles/i386/activeds.dll
%SystemRoot%/system32/activeds.dll
%SystemRoot%/system32/activeds.tlb
Search for these files and remove the Users and Power Users groups from their permissions, leaving only the Administrators and SYSTEM permissions.

After testing, ports 3389, 80, 1433 and other ports could not be connected to remotely after a restart. I had to contact the computer room staff to solve the problem.

Method 3 (not tested):

Disable adsiis: removing user permission on the dll in the :\WINDOWS\system32\inetsrv directory can prevent traversal of IIS, but it does not solve the listing of server details and all processes! It is said to have a side effect: a conflict with the SQL Server installation, resulting in an inability to connect to the server remotely (this issue has not been tested; my personal feeling is that MSSQL was not properly configured).

Method 4:

    <system.web>
        <identity impersonate="true" />
    </system.web>

Copy the above code into C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.

This method has been tested and effectively blocks [Execute Command] and the listing of [System Information], [User Information] and [Services].

When reproducing, please indicate the source: http://www.freethy.cn/?p=481
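
The following Python audit is an added example, not part of the original article: it checks copies of the machine-level web.config and web_hightrust.config for the settings changed in methods 1 and 4. The sample XML is constructed, and the allowOverride check goes beyond the article: it reflects standard ASP.NET behaviour, where a site's own web.config can set its own trust level unless the enclosing <location> is locked.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a machine-level web.config (not taken from a real server).
SAMPLE_WEB_CONFIG = """<configuration>
  <location allowOverride="true">
    <system.web><trust level="Full" originUrl="" /></system.web>
  </location>
  <system.web><identity impersonate="true" /></system.web>
</configuration>"""

# Constructed sample of web_hightrust.config, cut down to the element method 1 deletes.
SAMPLE_POLICY = """<configuration><SecurityClasses>
  <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</SecurityClasses></configuration>"""


def audit(web_config_xml, policy_xml):
    """Return findings for the trust, identity and RegistryPermission settings."""
    findings = []
    root = ET.fromstring(web_config_xml)
    # Pair every <system.web> with the allowOverride value of its <location>, if any.
    sections = [(sw, None) for sw in root.findall("system.web")]
    for loc in root.findall("location"):
        override = loc.get("allowOverride", "true")
        sections += [(sw, override) for sw in loc.findall("system.web")]
    trust = [(sw.find("trust"), ov) for sw, ov in sections if sw.find("trust") is not None]
    if not trust:
        findings.append("trust: no <trust> element, ASP.NET defaults to Full")
    for element, override in trust:
        if element.get("level", "Full").lower() == "full":
            findings.append("trust: level is Full")
        # Assumption beyond the article: an unlocked setting can be overridden per site.
        if override is None or override.lower() != "false":
            findings.append("trust: not locked, a site web.config may override it")
    identity = [sw.find("identity") for sw, _ in sections if sw.find("identity") is not None]
    if not any(i.get("impersonate", "false").lower() == "true" for i in identity):
        findings.append("identity: impersonate is not true")
    declared = [sc.get("Name") for sc in ET.fromstring(policy_xml).iter("SecurityClass")]
    if "RegistryPermission" in declared:
        findings.append("policy: RegistryPermission SecurityClass still declared")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG, SAMPLE_POLICY):
        print(finding)
```

Run it against copies of the two files after each change; an empty list means the settings from methods 1 and 4 are in place and the trust level is locked.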
