What to do after a website has been compromised

xiaoxiao2021-03-06  18

Source: PConline. First, analyze what the intruder did. I remembered having the remote admin tool installed on his machine for convenience; the password no longer worked. Someone had clearly been in, and the intruder had obtained system administrator privileges as well. Went to the server room, took out ERD Commander, changed the password and restarted.

Once in the system, step one: check the accounts. There was an extra user, `hud$`, in the Administrators group. Deleted it. Then noticed the Guest account was disabled, but something about it was not right. Took a closer look: it was in the Administrators group. Then checked the other users; group membership was normal. Removed the remote-connection permissions. That settled the accounts.

Then checked each drive. Under C:/ were the files SQLHELLO.EXE, SQLHELLO2.EXE, Result.txt, 1.BAT and 2.BAT. Opened 1.BAT: its content was a scan of the entire network. Someone was using this machine as a springboard. Moved all of those files to another directory.

Next, audit the applications. Given what this machine is used for, the environment is Windows 2000, IIS and Serv-U. Serv-U first: audit the users and check whether anyone had been given SYSTEM privilege. No. Execute permission? No. The lock-in-home-directory setting was correct. Then looked at logging. Then the version: 5.0.0.4... (sigh). I had told him to upgrade and it was never done. This looks like the first step of the intrusion. Upgraded to 6.0.0.2 first; after that FTP was fine. IIS: logging was enabled. Good, the log analysis can wait until later. The rest was default configuration. In the application mappings, removed all file types and kept only .asp and .asa. Audited file permissions and set permissions on each partition and directory.

Then the Trojan check. Since the system could not be reinstalled, I had to work on the compromised system as it was. Considering that this intruder added a user, left his files in C:/ and left the logs in place, his level is probably not high; he is unlikely to have planted THRKDEVEVE. Ran a check; no known Trojan was found. Next, webshells. Given the intruder's level he would at most use Haiyang, and that shell carries its copyright information. Searched all .asp files for content containing LCX. Sure enough, 4 files: 2005.asp, ok.asp, dvbbs7.asp and aki.asp. A fairly accurate hit. Apart from dvbbs7.asp, which showed a bit of creativity, nothing special. Moved these files to another directory. That finished the application audit.

Then the network. TCP/IP filtering was not enabled and IPSec was not configured. Started with those. TCP: allow only 20, 21, 80 and 3389. Considering the possibility of reverse-connecting Trojans, allow outbound traffic only from local source ports 20, 21, 80 and 3389 to external ports, and block everything else from the inside out. System hardening: unrelated services stopped or uninstalled. Patching: the patches were actually in good shape; set updates to install automatically.

The last step: log analysis, to see what had been missed. The system's own logging had been turned off; the intruder was fairly careful. Turned on auditing, with object auditing on the key directories, so that every successful and failed file creation under C:/Winnt is recorded in the log. As mentioned, Serv-U had not been logging, so only the IIS logs were available. Searching them for accesses to the 4 webshells turned up one client IP. Looked it up: a fixed IP address. With that information, I e-mailed the administrator on the other side to tell them to secure their machine.
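Two of the checks above, the search for .asp files containing the LCX signature and the pass over the IIS logs for requests to the files found, can be scripted. The following is an added example written for this page in Python, not code from the original post or from any tool it names. Only the signature string "LCX" comes from the post; the web-root layout, file contents and the IIS W3C log lines are constructed here, and treating any script file containing the signature as a suspected webshell is an assumption of the example.

```python
"""Added example (not from the original post): (1) sweep a web root for .asp/.asa
files containing a signature string; (2) parse IIS W3C log lines and report which
client IPs requested those files. All sample data below is constructed."""
import os
import shutil
import tempfile
from collections import defaultdict

# Signature the post searched for. Assumption: a script file containing it is
# treated as a suspected webshell.
SIGNATURES = ("LCX",)


def find_webshells(webroot, signatures=SIGNATURES, exts=(".asp", ".asa")):
    """Return sorted web-relative paths of script files containing any signature."""
    hits = []
    needles = [s.encode() for s in signatures]
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(exts):
                continue  # only script types IIS will actually execute
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if any(n in data for n in needles):
                hits.append(os.path.relpath(path, webroot).replace(os.sep, "/"))
    return sorted(hits)


def webshell_accesses(log_lines, shell_paths):
    """Map each suspected webshell URI (lower-case, leading '/') to the sorted
    client IPs that requested it. Columns are taken from the '#Fields:' directive,
    so no fixed column order is assumed."""
    fields = None
    accesses = defaultdict(set)
    wanted = {"/" + p.lower().lstrip("/") for p in shell_paths}
    for line in log_lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other directives, blank lines, or data before a header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: do not guess at column alignment
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "").lower()
        if stem in wanted:
            accesses[stem].add(rec.get("c-ip", "?"))
    return {uri: sorted(ips) for uri, ips in accesses.items()}


# Constructed IIS 5 style log excerpt (not real data); IPs are documentation ranges.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-06-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-06-01 00:01:02 10.0.0.5 GET /default.asp - 200
2005-06-01 00:05:09 203.0.113.7 GET /images/ok.asp - 200
2005-06-01 00:05:40 203.0.113.7 POST /bbs/dvbbs7.asp action=cmd 200
2005-06-01 01:12:13 198.51.100.9 GET /bbs/dvbbs7.asp - 200
2005-06-01 01:13:00 10.0.0.5 GET /bbs/index.asp - 200
""".splitlines()

# Constructed web root: two script files carry the signature, one does not, and a
# .txt carries it but is not a script type and must be ignored.
SAMPLE_FILES = {
    "default.asp": '<% Response.Write("hello") %>',
    "images/ok.asp": "<% ' LCX marker, constructed %>",
    "bbs/dvbbs7.asp": "<% ' LCX marker, constructed %>",
    "readme.txt": "LCX in a non-script file is ignored",
}


def demo():
    """Write the constructed web root to a temp dir, run both checks, clean up.
    Returns (suspected_webshells, accesses_by_uri)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        shells = find_webshells(root)
        hits = webshell_accesses(SAMPLE_IIS_LOG, shells)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return shells, hits


if __name__ == "__main__":
    found, by_uri = demo()
    print("suspected webshells:", found)
    for uri, ips in by_uri.items():
        print(uri, "requested by", ", ".join(ips))
```

Matching on the literal URI stem is deliberate: a request for a webshell that has since been moved still shows up under its original path, which is exactly what the post needed from the IIS log. A real sweep would widen `SIGNATURES` to the markers of the shells in use and keep the log lines of every hit for the notification e-mail.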

When reprinting, please cite the original address: https://www.9cbs.com/read-44688.html
