How to block hackers who upload aspxspy

December 6, 2013

This post is geared towards those who manage their own servers (i.e. VPS, Dedicated), or other hosting companies. So ASPXSpy if you didn’t already know is a tool script kiddies, or hackers use to hijack a website, or web server if they are good enough. You can do anything from read IIS entries, to upload a file. The problem is they aren’t always named the same filename so you can’t block things based by filename. You can however block ASPXSpy based on a cookie header that gets set when there is a successful login.

 

So the idea is simple, allow the hacker to upload the file, and try to log into ASPXSpy, they will be able to get in, but after that they will be blocked by URLScan, even if they try to go to another page, as an example the page they used to upload the file, it will automatically block them.

 

Here is the rules, for the most part you should be able to simply copy and paste them, if you already have a RuleList simply append ASPXSpy to your list, if you do not then under your [options] section add the RuleList=ASPXSpy. See below for an example.

[options]
RuleList=ASPXSpy

[ASPXSpy]
AppliesTo=.aspx,.asp,.php,.pl,.cgi,.py,.htm,.html,.css
DenyDataSection=ASPXSpyUrls
ScanAllRaw=0
ScanUrl=1
ScanHeaders=Cookie

[ASPXSpyUrls]
ASPXSpy=
+1 this post if it helped you!

Leave a Reply