First, what had the intruder done?
I remember trying to log in to the machine remotely and failing: the password was no longer correct. It looked like someone had gotten on, and the intruder had also obtained system administrator privileges.
I ran to the server room, pulled out ERD Commander and rebooted. Once inside the system, the first step was to audit the accounts. There was an extra user, hud$, sitting in the Administrators group: deleted it. Then the Guest account: its status showed disabled, but its description was wrong. On closer inspection it too was in the Administrators group, so I removed it from the group the same way. Then I went through the other users; their group memberships were normal. After the remote connection (Terminal Services logon) permissions were removed, the account audit was done.
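The account audit just described, as an added example that is not part of the original post: it parses the output of `net user` and `net localgroup Administrators` (the two commands one would actually type on Windows 2000, redirected to files and fed to audit_accounts()) and flags hidden `$`-suffixed accounts and unexpected members of Administrators. The two command outputs embedded below are constructed to mirror this compromise (hud$ and Guest both in Administrators); the allowlist EXPECTED_ADMINS is an assumption for a stand-alone web server.

```python
"""Audit local accounts from `net user` and `net localgroup Administrators` output.

Added example, not from the original post.  Capture real input with
    net user > users.txt
    net localgroup Administrators > admins.txt
and pass the file contents to audit_accounts().
"""

EXPECTED_ADMINS = {"Administrator"}   # assumption: only the built-in admin belongs here
BUILTIN_NOT_ADMIN = {"Guest"}         # built-in accounts that must never be in Administrators

# Constructed `net user` output (not captured from a real host).
NET_USER_OUTPUT = """\
User accounts for \\\\WEBSRV

-------------------------------------------------------------------------------
Administrator            Guest                    hud$
IUSR_WEBSRV              IWAM_WEBSRV
The command completed successfully.
"""

# Constructed `net localgroup Administrators` output (not captured from a real host).
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
hud$
The command completed successfully.
"""


def _names_from_net_output(text):
    """Return the account names listed between the dashed rule and the trailing status line."""
    names = []
    in_body = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_body = True
            continue
        if line.startswith("The command"):
            break
        if in_body and line.strip():
            names.extend(line.split())   # `net user` prints several names per line
    return names


def audit_accounts(net_user_text, net_localgroup_text):
    """Flag hidden ($-suffixed) accounts and unexpected Administrators members.

    Returns a list of (finding_kind, account_name) tuples in the order found.
    """
    users = _names_from_net_output(net_user_text)
    admins = _names_from_net_output(net_localgroup_text)
    findings = []
    for name in users:
        # A trailing $ hides the account from the classic user manager listing.
        if name.endswith("$"):
            findings.append(("hidden_account", name))
    for name in admins:
        if name in BUILTIN_NOT_ADMIN:
            findings.append(("builtin_in_admins", name))
        elif name not in EXPECTED_ADMINS:
            findings.append(("unexpected_admin", name))
    return findings


if __name__ == "__main__":
    for kind, name in audit_accounts(NET_USER_OUTPUT, NET_LOCALGROUP_OUTPUT):
        print(f"{kind:20s} {name}")
```

On a real box, also compare the Administrators list against the domain groups that are legitimately nested in it; the allowlist above only knows about the local built-in account.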
Then I looked at each drive. Under C:\ there were these files:
SQLHELLO.EXE
SQLHELLO2.EXE
Result.txt
1.bat
2.bat
Opening 1.bat showed that it scanned an entire network segment. Someone was apparently using this machine as a springboard. I moved all of these files to another directory.
Next, audit the applications, taking into account what this machine is used for and its environment.
Windows 2000, IIS, Serv-U
Serv-U first. Audit its users and check whether any FTP account has been granted system administrator privilege. Result:
No such privilege. The lock-in-home-directory settings were correct.
Logging had not been enabled.
Then I checked the version.
5.0.0.4 ... damn. It should have been upgraded long ago and never was. This looks like the intruder's way in. First thing: upgrade to 6.0.0.2.
FTP should be fine from here.
IIS analysis:
Logging was turned on. Good; the log analysis can wait until later.
Continuing: everything else was at defaults. First remove all file types from the application mappings, keeping only .asp and .asa.
Audit file permissions.
Set permissions on each partition and directory.
Then check for trojans. Since the system could not be reinstalled, I could only work with the original, already-compromised system. Given the account the intruder added and the fact that the logs in the root directory were left in the open, etc., the intruder's skill level was probably not high, and they were unlikely to have planted a trojan of their own.
I used ATE, compiled by my friend thrkdev, to check. No known trojan turned up.
Then search for WebShells. Given the intruder's level, they would at most be using Haiyang, and would have left some of its copyright information in place, so search all .asp files for content containing LCX.
Sure enough, 4 files:
2005.asp
Ok.asp
Dvbbs7.asp
Aki.asp
The guess was fairly accurate. Apart from dvbbs7.asp, whose name shows a little creativity, nothing surprising. Moved these files to another directory to be audited later.
Then the network part.
TCP/IP filtering was not enabled and IPSec was not in use.
First disable NetBIOS. Then allow inbound TCP only on 20, 21, 80 and 3389.
Taking reverse-connecting trojans into account,
in IPSec allow outbound traffic from this host only with source ports 20, 21, 80 and 3389; block everything else originating from inside.
System hardening. Unneeded services were stopped or uninstalled.
Patched the system. No patches were missing. Set Automatic Updates to download and install automatically.
The last step is log analysis. Checking where something might have been missed: the system's own logs (audit policy) were turned off. The intruder seems rather careful.
Enable auditing selectively. For key directories, the system directory for example, auditing is on: record success and failure of all file creation under C:\Winnt in the security log.
Since Serv-U was not logging earlier, the only option was to open the IIS logs and find the accesses to the four WebShells, and from them the IP. Result: a fixed IP address. Browsing to it yielded information about who it belonged to; the administrators on that side were notified to do their own security work.
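The IIS log search described above, as an added example that is not part of the original post: it reads IIS 5 W3C extended log lines, takes the column names from the `#Fields:` header (so it works on real ex*.log files, whatever field set was configured), and summarises every request whose filename matches one of the four recovered WebShells by client IP, including POSTs, which on a Haiyang-style shell mean the shell was actually used rather than just opened. The log lines below are constructed with documentation-range addresses, not taken from the compromised server.

```python
"""Find which client IPs touched the recovered WebShells, from IIS W3C extended logs.

Added example, not from the original post.  SAMPLE_LOG is constructed;
pass the contents of a real ex*.log to webshell_access() instead.
"""
from collections import defaultdict

# Filenames of the shells found in the write-up (compared case-insensitively).
WEBSHELLS = {"2005.asp", "ok.asp", "dvbbs7.asp", "aki.asp"}

# Constructed IIS 5 W3C extended log (not captured from a real host).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-08-10 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-08-10 02:11:03 198.51.100.7 - 192.0.2.10 80 GET /index.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-08-10 02:14:51 203.0.113.25 - 192.0.2.10 80 GET /ok.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-08-10 02:15:07 203.0.113.25 - 192.0.2.10 80 POST /ok.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-08-10 02:20:44 203.0.113.25 - 192.0.2.10 80 GET /bbs/dvbbs7.asp action=list 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-08-11 23:02:19 198.51.100.7 - 192.0.2.10 80 GET /2005.asp - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-08-11 23:02:30 203.0.113.25 - 192.0.2.10 80 GET /2005.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the most recent #Fields header.

    IIS writes a new #Fields header whenever the log is rolled or reconfigured,
    so the mapping is refreshed each time one is seen.  Lines whose field count
    does not match the header (truncated writes) are skipped.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()          # IIS encodes spaces inside a field as '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def webshell_access(text, shells=WEBSHELLS):
    """Map each client IP to a summary of its requests for the known WebShell filenames."""
    summary = defaultdict(lambda: {"hits": 0, "posts": 0, "shells": set(),
                                   "statuses": set(), "first": None, "last": None})
    for rec in parse_w3c(text):
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name not in shells:
            continue
        stamp = f"{rec['date']} {rec['time']}"
        s = summary[rec["c-ip"]]
        s["hits"] += 1
        s["shells"].add(name)
        s["statuses"].add(rec["sc-status"])
        if rec["cs-method"].upper() == "POST":
            s["posts"] += 1              # a POST to an upload/command shell means it was used
        s["first"] = s["first"] or stamp
        s["last"] = stamp
    return dict(summary)


if __name__ == "__main__":
    for ip, s in sorted(webshell_access(SAMPLE_LOG).items()):
        print(ip, s["hits"], "hits,", s["posts"], "POSTs,", sorted(s["shells"]),
              "between", s["first"], "and", s["last"])
```

Two caveats when reading the result against a real log: W3C extended timestamps in IIS are written in UTC, so convert before lining them up with the file timestamps of the shells, and a 404 for a shell name (the second address above) is still worth noting, since it shows someone probing for a shell they expected to find.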
Actually there are things that should have been done but were limited by circumstances.
1. Rename the default system account
Because the brothers running it aren't familiar with computers, this was not done. They were asked to use a stronger password instead.
2. Search for encoded WebShells
The search above only found plaintext WebShells, i.e. page scripts that were not encoded; a search for encoded ASP WebShells should be added.
The search terms should also be extended beyond the simple LCX to wscript.shell and so on, a broader set of matching keywords.
3. Search for trojans
Since the intruder's estimated level was not high, this relied only on trojan-scanning software. If there is time, it should still be handled properly.
4. Review the web application
Also a matter of time. There was no time to check the website's original program.
5. Penetration test
Since the intrusion investigation could well have been misled by the intruder and other weak links overlooked,
the test should be thorough, to ensure that the other paths are just as strong.
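An added example (not from the original post) that covers both the WebShell search that found the four files and item 2 above: it walks a web root, flags .asp files by plaintext markers (the LCX copyright line and the wscript.shell keyword the text names, plus a few common companions), and also catches shells hidden with the Microsoft Script Encoder, whose output always begins with the `#@~^` tag and so can be found without decoding. The four sample files are constructed stand-ins, not copies of the shells that were found; the marker list and the extension list are assumptions a practitioner would tune.

```python
"""Search a web root for ASP WebShells by plaintext markers and Script Encoder output.

Added example, not part of the original post.  SAMPLE_FILES are constructed;
call scan_webroot(r"C:\\Inetpub\\wwwroot") on a real server.
"""
import os
import re
import tempfile

# Plaintext indicators.  Names are reported, patterns are matched case-insensitively.
PLAINTEXT_MARKERS = {
    "lcx-copyright": r"\bLCX\b",            # Haiyang shells keep the author's copyright line
    "wscript-shell": r"wscript\.shell",     # command execution
    "shell-application": r"shell\.application",
    "adodb-stream": r"adodb\.stream",       # binary file write, used by uploaders
    "execute-request": r"execute\s*\(\s*request",  # one-line eval shells
    "eval-request": r"eval\s*\(\s*request",
}
# Microsoft Script Encoder output starts with this tag followed by a 6-char length
# field and '=='; encoded shells hide every keyword above, so the tag itself is the hit.
ENCODED_MARKER = re.compile(r"#@~\^[A-Za-z0-9+/]{6}==")

# Constructed contents (not real shells): one clean page, three suspicious ones.
SAMPLE_FILES = {
    "default.asp": "<%\nResponse.Write \"hello\"\n%>",
    "2005.asp": "<%\n' Copyright LCX\nSet fso = Server.CreateObject(\"Scripting.FileSystemObject\")\n%>",
    "ok.asp": "<% Set ws = Server.CreateObject(\"WScript.Shell\") : ws.Run Request(\"c\") %>",
    "aki.asp": "<script language=\"VBScript.Encode\" runat=\"server\">#@~^QAAAAA==xxxx==^#~@</script>",
}


def scan_file(path):
    """Return the list of indicator names found in one file (empty list if clean)."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        data = fh.read()
    hits = [name for name, pat in PLAINTEXT_MARKERS.items()
            if re.search(pat, data, re.IGNORECASE)]
    if ENCODED_MARKER.search(data):
        hits.append("script-encoder")
    return hits


def scan_webroot(root, extensions=(".asp", ".asa", ".cer", ".cdx")):
    """Walk the web root; map each suspicious file (path relative to root) to its indicators.

    .cer and .cdx are included because a default IIS 5 install maps them to asp.dll too.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def scan_samples():
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in sorted(scan_samples().items()):
        print(path, hits)
```

Any file the encoder check flags should be decoded and read rather than judged by the tag alone, since legitimate pages are occasionally shipped encoded; the marker search is a triage step, and the files it returns are what gets moved aside for the later audit.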