ASP hack scripts stop

I have a Windows 2k3 server running ASP classic scripts

and there's an upload option for users, and some hackers bypass the security and upload ASP scripts like (php-shell c99)

and can manage all the server.

Is there a way to limit ASP functions, like what we do in php.ini under Linux,

or anything to stop those scripts from managing everything on the server?

Script example is zehir4.asp.txt

G_H Commented:
I agree with mrGreen, but I want to add how I prevent this.

Uploads should be uploaded to a non-accessible folder (outside the published root). These are then moved to the final destination ONLY if the files match the criteria which the script allows. Example: they are an image/pdf etc. Otherwise they are deleted.



In the folder where the files are being uploaded you can disable script execution if you are running IIS 6.

For IIS 7 you need to set the handler mapping for .asp files for the folder.

Here's a link to some screenshots:

I would also disable uploading of .asp files unless you have some legitimate need for it?

buzaki (Author) Commented:
How to do this, G_H?

I am not sure which part you mean. I will list the basic steps below, and maybe you can let me know what you are struggling with.

1. User completes form to upload file.
2. Receiving Script saves the file to a location outside the published directory.
3. Receiving Script tests the file for correct file extension.
4. If it is a correct extension, then the file is moved to the proper location.
5. If it is not the correct extension, then it is deleted.
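
Steps 2 to 5 above written for classic ASP (VBScript), as an added example that is not from the original thread. The folder paths, the allowed-extension list, the function names and the base-name rule are assumptions, and the upload component is assumed to have already saved the file into the quarantine folder.

```vbscript
Option Explicit

' Assumed locations (hypothetical): the quarantine folder is outside the
' published root; the final folder has script execution disabled in IIS.
Const QUARANTINE_DIR = "D:\upload_quarantine"
Const FINAL_DIR      = "D:\inetpub\wwwroot\files"
Const ALLOWED_EXT    = "|jpg|jpeg|png|gif|pdf|"   ' assumed allowlist

' Assumed extra rule: base name limited to letters, digits, "_" and "-".
' A name such as "zehir4.asp.txt" has base name "zehir4.asp" and fails here
' even if "txt" were on the allowlist.
Function IsSafeBaseName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}$"
    IsSafeBaseName = re.Test(s)
End Function

' Steps 3 to 5: returns the stored file name, or "" if the file was deleted.
Function ReleaseUpload(savedName)
    Dim fso, src, ext, baseName, dst
    Set fso = CreateObject("Scripting.FileSystemObject")
    ReleaseUpload = ""

    ' Keep only the file-name part so a path in savedName cannot point
    ' outside the quarantine folder.
    src = fso.BuildPath(QUARANTINE_DIR, fso.GetFileName(savedName))
    If Not fso.FileExists(src) Then Exit Function

    ' GetExtensionName returns the text after the last dot.
    ext = LCase(fso.GetExtensionName(src))
    baseName = fso.GetBaseName(src)
    dst = fso.BuildPath(FINAL_DIR, baseName & "." & ext)

    If InStr(ALLOWED_EXT, "|" & ext & "|") = 0 _
       Or Not IsSafeBaseName(baseName) _
       Or fso.FileExists(dst) Then
        ' Step 5: reject and delete (also when the target name is taken).
        fso.DeleteFile src, True
        Exit Function
    End If

    fso.MoveFile src, dst             ' step 4: move to the proper location
    ReleaseUpload = baseName & "." & ext
End Function

' In the receiving script, after the upload component has saved the file
' into QUARANTINE_DIR (step 2):
'   stored = ReleaseUpload(savedName)
'   If stored = "" Then Response.Write "File type not allowed."
```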

