Author: elly Source: Security Focus Forum

Note the asterisks in front of the files listed above: I simply do not believe these are not files the intruder left behind as back doors. First open the recently modified svclog.log (modified just before the intrusion was noticed) and have a look:
Code
==========
C:\Winnt\System32>type svclog.log
Performing Time: 2/19/2005 3:11:0 -> Start Ok
Performing Time: 2/19/2005 3:11:0 -> The system is online
Performing Time: 2/19/2005 3:11:0 -> Read setting ok
Performing Time: 2/19/2005 3:11:0 -> InitBackDoor() Ok
Performing Time: 2/19/2005 3:11:0 -> InitSocket() Ok
Performing Time: 2/19/2005 3:11:0 -> probably static ip
Performing Time: 2/19/2005 3:11:0 -> Start Sniffing On 61.***.***.***
Performing Time: 2/19/2005 3:19:35 -> The service is stopping
Performing Time: 2/19/2005 3:19:36 -> The service is Stopped surcess
==========
Ha! There it is. Following this clue, we look at the creation time of this file: April 7, 2004? Looking at the other files, they were created the same day, including the DCOMSVC.exe found at the beginning. Let's look at another file left on April 7, 2004, nt.bat:
Code
==========
C:\Winnt\System32>type nt.bat
dcomsvc -install
dcomsvc -config port 1432
dcomsvc -config startType 2
net start dcomsvc
==========
This is the script that originally installed and started DCOMSVC (really skserver), and it also tells us its listening port, TCP 1432. A test connection succeeds, but the port is not visible, just like Termserv. Let us summarise all the files created on that day:
Code
==========
C:\WinNT\System32>dir /s /o:d /t:c | findstr 2004-04-07
2004-04-07 11:52 55,296 list.gif
2004-04-07 11:52 45,056 Finder.gif
2004-04-07 11:53 28,160 nlog.gif
2004-04-07 11:53 77,824 kill.gif
2004-04-07 11:53 131,072 info.gif
2004-04-07 11:53 76,288 svchostdll.dll
2004-04-07 11:53 62,464 sysinfo.dll
2004-04-07 11:53 14,747 reginfo.exe
2004-04-07 11:53 69,632 spinfo.dll
2004-04-07 11:54 944 ms29.ini
2004-04-07 11:55 14,747 TINJECT.DLL
2004-04-07 11:55 412 svclog.log
2004-04-07 11:57 8,464 sporder.dll
2004-04-07 11:57 49 mslsp.dat
2004-04-07 12:01 16,384 perflib_Perfdata_450.dat
2004-04-07 12:11 93 nt.bat
==========

4. User accounts
Hackers often leave a back door by the simplest and most direct approach: adding a user account. We can use [Control Panel] -> [Administrative Tools] -> [Computer Management] to view the system's user accounts, or, as below, use the NET USER command line tool to view the user properties directly. Net user output:
Code
==========
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            2003/10/30 PM 04:20
Password expires             Never
Password changeable          2003/10/30 PM 04:20
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2005/2/20 10:01
Logon hours allowed          All
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
==========
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            2004/4/7 11:52
Password expires             Never
Password changeable          2004/4/7 11:52
Password required            No
User may change password     No
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Administrators      *Guests
Global Group memberships     *None
The command completed successfully.
==========
User name                    Monitor
Full Name                    Monitor
Comment                      Special account for remote performance monitor users
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            2004/6/1 04:32
Password expires             Never
Password changeable          2004/6/1 04:32
Password required            Yes
User may change password     No
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
==========
User name                    TsInternetUser
Full Name                    TsInternetUser
Comment                      This user account is used by Terminal Services.
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            2005/2/18 AM 03:03
Password expires             Never
Password changeable          2005/2/18 AM 03:03
Password required            No
User may change password     No
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.
==========
Here we list the four more important users, whose records contain important data related to this intrusion. The most important information among the user accounts concerns the guest account:
Code
==========
* User name                  Guest
  Comment                    Built-in account for guest access to the computer/domain
* Account active             Yes
  Account expires            Never
* Password last set          2004/4/7 11:52 AM
  Password expires           Never
* Password changeable        2004/4/7 11:52
  Password required          No
  User may change password   No
* Last logon                 Never
  Logon hours allowed        All
* Local Group Memberships    *Administrators      *Guests
==========
Note: the starred lines leak important information. By default the guest user is a member of the Guests group only and cannot be used to log on to the system. On this machine Guest has been added to the Administrators group, which means it is equivalent to the system superuser Administrator! Look at its activation time: the password was last changed at 11:52 am on 2004/4/7, almost exactly the time the system was compromised. Combined with the file system MAC analysis, this verifies the exact time of the intrusion. So what is the relationship between the other accounts and the intrusion? Let's look at the result of cracking the local user passwords:
Code
==========
USERNAME         LANMAN_PASSWORD   PASSWORD
__vmware_user__  *empty*           *empty*
Administrator
Guest            *empty*           *empty*
monitor          123456            123456
IUSR_CXL
IWAM_CXL
TsInternetUser
==========
More information appears here: the passwords of __vmware_user__ and guest are empty! And guest has administrator privileges and can log on to this machine from anywhere. In addition there is a Monitor user on the system whose password is 123456; obviously this password is also extremely unsafe and cracking it takes a second. Although this is an additional user created by the system administrator, it has the same privileges, and I believe it is not hard for the intruder to obtain this password. Last is the Administrator user. Its password is 12 characters long, which should be safe enough, but once someone else can get into this machine there is no privacy left from the intruder. Look at one of the hacker's tools below, C:\Winnt\System32\Finder.gif:
Code
==========
C:\>Finder.exe
To find password in the Winlogon process
Usage: a.exe domainname username pid-of-winlogon
The debug privilege has been added to PasswordReminder.
The WinLogon process id is 216 (0x000000d8).
To find CXL/Administrator password in process 216 ...
The encoded password is found at 0x010f0800 and has a length of 12.
The logon information is: CXL/Administrator/@rigen2000x#.
The hash byte is: 0x7e.
==========
Windows 2000 has a feature: it keeps the password of the currently logged-on user in plain text in the cache space of the Winlogon process, and Finder is a hacker tool that digs the current user's password out of that Winlogon cache.

5. Logs, network and other
In this section many other forensic steps were actually performed, using EventDMP and EventLog analysis and backups of the system log information. However, because the application services on the system are basically running normally, and as for the event log, Windows 2000 does not record the security log by default and the information the other logs can provide is too small, I have skipped these parts. In addition, the output of pipelist shows no abnormal pipe, so this portion is skipped too.

This chapter's conclusions:
1. This host has been compromised;
2. The following back doors have been installed on this host: c:\winnt\system32\dcomsvc.exe (SKSERVER 1.0), c:\winnt\system32\termsrv.exe (TerminalServer), C:\WinnT\AppPatch\app\openMange.exe (ccProxy 6.0);
3. Hidden back doors discovered: 468 - Spoolsv.exe - [Hidden], 1136 - SYINFO.EXE - [Hidden];
4. A sniffer program is running on the system, possibly used to eavesdrop on passwords;
5. The system's guest user is activated, has an empty password, and has been added to the Administrators group; the __vmware_user__ password is empty; the Monitor and Administrator passwords have been leaked;
6. pcAnywhere connection encryption is set to NONE;
7. It is confirmed that the terminal service port has been modified as a back door, working port TCP 4652; SKSERVER's working port is TCP 1432. At the same time these processes and ports are hidden, which means there is a deeper back door in the system;
8. Basic determination: the system was compromised on April 7, 2004, around 12:00 noon.

Problems left by this chapter: although some issues were found through conventional system administration means, some hidden pests remain. Where are they hidden?
1. Does the terminal service go stealth?
2.
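The account checks above (Guest enabled, Guest in Administrators, no password required, password set inside the intrusion window) as an added example, not code from the original post. It parses the English field layout of `net user <name>` output (an assumption; the layout and date format are locale dependent) and runs those checks over constructed records that mirror the Guest and Monitor accounts shown above.

```python
"""Flag risky local accounts from `net user <name>` output (added example)."""
from datetime import datetime
import re

# Constructed sample records mirroring the write-up's Guest and Monitor
# accounts, laid out as the English `net user` output (assumed layout).
SAMPLE_OUTPUT = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never
Password last set            2004/4/7 11:52 AM
Password expires             Never
Password required            No
User may change password     No
Last logon                   Never
Local Group Memberships      *Administrators        *Guests
Global Group memberships     *None
The command completed successfully.

User name                    Monitor
Full Name                    Monitor
Comment                      Special account for remote performance monitor users
Account active               Yes
Account expires              Never
Password last set            2004/6/1 4:32 AM
Password expires             Never
Password required            Yes
User may change password     No
Last logon                   Never
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
"""

FIELD_RE = re.compile(r"^(\S.*?)\s{2,}(.*)$")   # "key<2+ spaces>value"
DATE_FORMATS = ("%Y/%m/%d %I:%M %p", "%m/%d/%Y %I:%M:%S %p", "%Y/%m/%d %H:%M")


def parse_net_user(text):
    """Split one or more `net user` records into {field: value} dicts."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("The command completed"):
            records.append(current)
            current, last_key = {}, None
            continue
        if line[0].isspace() and last_key:      # wrapped continuation line
            current[last_key] += " " + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = m.group(2).strip()
        else:                                   # field with an empty value
            last_key = line.strip()
            current[last_key] = ""
    if current:
        records.append(current)
    return records


def parse_time(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None


def audit(records, window_start, window_end):
    """Return {user: [findings]} for the checks made by hand in the write-up."""
    findings = {}
    for rec in records:
        name = rec.get("User name", "?")
        issues = []
        active = rec.get("Account active", "").lower() == "yes"
        groups = set(re.findall(r"\*(\S+)", rec.get("Local Group Memberships", "")))
        is_admin = "Administrators" in groups
        if name.lower() == "guest" and active:
            issues.append("built-in Guest account is enabled")
        if name.lower() == "guest" and is_admin:
            issues.append("Guest is a member of Administrators")
        if is_admin and rec.get("Password required", "").lower() == "no":
            issues.append("Administrators member does not require a password")
        changed = parse_time(rec.get("Password last set", ""))
        if changed and window_start <= changed <= window_end:
            issues.append("password last set inside the suspected intrusion window")
        findings[name] = issues
    return findings


# Suspected intrusion window from the file creation times (2004-04-07, around noon).
INTRUSION_WINDOW = (datetime(2004, 4, 7, 11, 0), datetime(2004, 4, 7, 13, 0))


def audit_sample():
    return audit(parse_net_user(SAMPLE_OUTPUT), *INTRUSION_WINDOW)


if __name__ == "__main__":
    for user, issues in audit_sample().items():
        print(user, "->", issues or ["no findings"])
```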
Grab the Ninja!

What you have to do: This chapter mainly makes the initial analysis of the abnormal conditions. By analysing the information in the system, find the traces the intruder left and where he is hiding. This process may be simple, and a simple tool such as fport clears it up; or it may be very complicated, in which case welcome, you are about to enter a black hole leading to a much broader region... What you have to do in this chapter is to use more tools to collect, as quickly, comprehensively, and with as much detail and redundancy as possible, more information about the current state of the system. The specific aspects and steps are the six aspects described in this chapter and are not repeated here.

The correct way: In real emergency response, forensic and analytical work, the steps need to be more rigorous, not as quick and simple as in this chapter. The correct steps start from finding the problem. When the system is found to have been compromised, the analysis steps should be:
1. Determine the handling policy according to the situation and the system: catch the intruder, or block him?
1.1 If blocking, then simply unplug the network cable and continue with the second step;
1.2 If catching... this article jumps directly to the second step in the normal order; the next step follows.
2. Quickly establish an image of the current state of the system: mainly a disk image, a memory image, and collection of current system information. The collection of system information is as described in this chapter, but you need to pay attention to your own emergency kit, which includes the system information collection and analysis tools. At the same time, it is best to automate this with scripts and store the output directly on a remote computer. This ensures the correctness and integrity of the information and the purity and stability of the system image; remember this, the purity and stability of the scene is the most important point.
TIPS: In order not to be affected by what the intruder did to the system, Elly in this case installed an SSH server (for reasons of both bandwidth and security) and then uploaded a toolkit to check the system information.
The next step is to make a full, clean image backup of the system disk and, depending on feasibility and environment, of memory. dd under UNIX is the best choice, but on Windows it is quite possible that your system cannot be restarted or taken offline; for that case I personally recommend a good tool, Acronis True Image. Although it cannot guarantee that the image is completely pure (it may not comply with judicial forensic procedure), for general situations it is a good choice on an online Windows platform. Its main features are: support for online imaging (while this Windows machine is running), support for remote imaging, and support for mounting image files directly as virtual disks. For these three points I think it is an irreplaceable choice.
BTW: In this example Elly had only a 56K modem, so I was lazy and analysed directly on the host, which does not meet the principle of maximum security; don't learn that from me.
3. Mount your backup image read-only, and perform the analysis and forensic operations on it.
If it is a True Image image, it can be mounted directly as a virtual disk; if it is a dd image, you may need to restore it to a physical disk, or rebuild the virtual scene in a VMware virtual machine, or, when you do not need to run programs, mount it as a virtual file system using UNIX's loopback FS feature.
4. In-depth analysis; continue with the next chapter.
This chapter's TIPS:
1. Try to analyse offline. In order not to destroy the current state of the system and not to alert the intruder, take a static offline image of the system and then operate on a copy of the image; preserving the scene is the most important thing.
2. Of all the martial arts under heaven, only speed is unbeatable. In intrusion analysis and forensics, the level of knowledge of the system and the reaction speed are the most important. The faster you can collect more information, the greater your grasp of victory. In the war with hackers, success or failure often hinges on a single move. Therefore it is best to prepare the handling procedure in advance and use scripts for collection and analysis, to speed up manual analysis and shorten the response time.
3. MAC is important evidence in file system analysis, named after M (last modification time), A (last access time) and C (creation time). Each of them carries a very important hidden meaning; reasonable use of MAC information, combined with other evidence such as system logs and good reasoning, can produce a flow chart of the hacker's behaviour! However, MAC information is very fragile and easy to destroy, and it is not impossible to fake, so affect the system as little as possible, keep the MAC evidence, and mount read-only when working on a copy, because the A (last access) time may change as soon as a file is read; read-only mounting avoids this problem. Once again, pay attention to preserving the scene; your chance comes only once.
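The C of MAC as used in this chapter, namely grouping files by creation time to find the burst of activity around 2004-04-07 12:00, as an added example that is not code from the original post. It parses `dir /s /o:d /t:c` style lines (the 16 entries are transcribed from the listing above; two extra entries from other dates are constructed so the clustering has something to separate) and reports bursts of files created within a short gap of each other.

```python
"""Creation-time bursts from `dir /s /o:d /t:c` output (added example)."""
from datetime import datetime, timedelta
import re

# 16 lines transcribed from the write-up's listing plus two constructed
# entries (constructed_old.dll, constructed_new.tmp) from other dates.
SAMPLE_LISTING = """\
 Volume in drive C has no label.

2003-10-30 16:20 12,345 constructed_old.dll
2004-04-07 11:52 55,296 list.gif
2004-04-07 11:52 45,056 Finder.gif
2004-04-07 11:53 28,160 nlog.gif
2004-04-07 11:53 77,824 kill.gif
2004-04-07 11:53 131,072 info.gif
2004-04-07 11:53 76,288 svchostdll.dll
2004-04-07 11:53 62,464 sysinfo.dll
2004-04-07 11:53 14,747 reginfo.exe
2004-04-07 11:53 69,632 spinfo.dll
2004-04-07 11:54 944 ms29.ini
2004-04-07 11:55 14,747 TINJECT.DLL
2004-04-07 11:55 412 svclog.log
2004-04-07 11:57 8,464 sporder.dll
2004-04-07 11:57 49 mslsp.dat
2004-04-07 12:01 16,384 perflib_Perfdata_450.dat
2004-04-07 12:11 93 nt.bat
2005-02-18 03:03 1,024 constructed_new.tmp
"""

# date, time, size with thousands separators, file name
ENTRY_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2})\s+(\d{1,2}:\d{2})\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return (created, size, name) tuples sorted by creation time."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:                    # headers, <DIR> rows, summary lines
            continue
        created = datetime.strptime(m.group(1) + " " + m.group(2), "%Y-%m-%d %H:%M")
        size = int(m.group(3).replace(",", ""))
        entries.append((created, size, m.group(4)))
    return sorted(entries)


def cluster_by_time(entries, max_gap=timedelta(minutes=30)):
    """Group consecutive entries whose creation times are at most max_gap apart."""
    clusters = []
    for created, _size, name in entries:
        if clusters and created - clusters[-1]["end"] <= max_gap:
            clusters[-1]["end"] = created
            clusters[-1]["files"].append(name)
        else:
            clusters.append({"start": created, "end": created, "files": [name]})
    return clusters


def suspicious_bursts(entries, min_files=5, max_gap=timedelta(minutes=30)):
    """Bursts large enough to look like a tool drop rather than normal activity."""
    return [c for c in cluster_by_time(entries, max_gap) if len(c["files"]) >= min_files]


def summarize_sample():
    """(start, end, file count) for each burst found in SAMPLE_LISTING."""
    return [(c["start"].isoformat(), c["end"].isoformat(), len(c["files"]))
            for c in suspicious_bursts(parse_dir_listing(SAMPLE_LISTING))]


if __name__ == "__main__":
    for start, end, count in summarize_sample():
        print(f"{count} files created between {start} and {end}")
```

On a real image, feed it the output of `dir /s /o:d /t:c` taken from the read-only mounted copy, as the chapter advises, so the A times are not disturbed while you look.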
It is hard to turn back, yet he turns back, and the man is on the scene: the light of his body fading gradually, the cold wind tearing at Elly's cloak, as if the darkness wished him no good.
Elly finally looked at the weak light, holding the sword in his hands: that is the "Ice" that Cuiste gave him, which quieted his heart. Elly turned back, waited for this darkness, gathered his spirit, and with a leopard's righteousness unlocked the dark, bottomless cave. On this side of the world, watching the black terminal window on the screen, the flashing green letters arranged in mystery, Elly smiled slightly and easily typed: rkdetector.exe. rkdetector output: Code
==========
C:\Winnt\System32>rkdetector.exe
 ..:: Rootkit Detector Profesional 2004 v0.62 ::..
 Programmed by Andres Tarasco Acuna
 Copyright (c) 2004 - 3wdesign Security
 URL: http://www.3wdesign.es
-Gathering Service list Information... (Found: 253 Services)
-Gathering process list Information... (Found: 48 Process)
-Searching for Hidden Process Handles.. (Found: 0 Hidden Process)
-Checking visible process.............
 c:\winnt\system32\smss.exe
 c:\winnt\system32\csrss.exe
 c:\winnt\system32\winlogon.exe
 c:\winnt\system32\services.exe
 c:\winnt\system32\lsass.exe
 c:\winnt\system32\svchost.exe
 c:\winnt\system32\msdtc.exe
 c:\program files\symantec\pcanywhere\awhost32.exe
 c:\program files\dell\openmanage\omsa\bin\dcevt32.exe
 c:\winnt\system32\dcomsvc.exe
 c:\program files\dell\openmanage\omsa\bin\dcstor32.exe
 c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
 c:\winnt\system32\svchost.exe
 c:\winnt\system32\llssrv.exe
 c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
 c:\winnt\system32\mstask.exe
 c:\progra~1\serv-u\servud~1.exe
 c:\program files\dell\openmanage\iws\bin\win32\omaws32.exe
 c:\winnt\system32\snmp.exe
 c:\winnt\system32\termsrv.exe
 c:\winnt\system32\wbem\winmgmt.exe
 c:\winnt\system32\svchost.exe
 c:\winnt\system32\inetsrv\inetinfo.exe
 c:\winnt\system32\svchost.exe
 c:\progra~1\dell\openma~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
 c:\winnt\system32\atiptax.exe
 c:\program files\f-secure\ssh server\fsshd2.exe
 c:\winnt\cmd\rkdetector.exe
 c:\winnt\explorer.exe
 c:\winnt\system32\svchost.exe
 c:\program files\flashget\flashget.exe
 c:\winnt\system32\bacstray.exe
 c:\progra~1\symant~1\symant~1\vptray.exe
 c:\program files\d-tools\daemon.exe
 c:\winnt\system32\internat.exe
 c:\progra~1\serv-u\servut~1.exe
 c:\program files\f-secure\ssh server\fsshd2srv.exe
 c:\program files\mercury interactive\loadrunner\launch_service\bin\magentproc.exe
 c:\winnt\system32\conime.exe
 c:\winnt\system32\emmsrv.exe
 c:\program files\internet explorer\iexplore.exe
 c:\winnt\system32\cmd.exe
 c:\winnt\system32\mmc.exe
 c:\program files\f-secure\ssh server\fssh2console.exe
 c:\program files\f-secure\ssh server\fsshsftpd.exe
 c:\winnt\system32\cmd.exe
 c:\program files\internet explorer\iexplore.exe
-Searching again for Hidden Services..
-Gathering Service list Information... (Found: 0 Hidden Services)
-Search: 3 Wrong Services
-------------------------------------------------------------------------------
 * SV: DCOMSVC34567890 (DCOM Services) Path: c:\winnt\system32\dcomsvc.exe
-------------------------------------------------------------------------------
 * SV: MSDOSCDefenderDRV (MSDOSCDefenderDRV) Path: c:\winnt\system32\msdosdrv.sys
-------------------------------------------------------------------------------
 * SV: PCDRDRV (PCDR Helper Driver) Path: c:\progra~1\dell\openma~1\oldiags\vendor\pcdoctor\modules\pcdrdrv.sys
-------------------------------------------------------------------------------
-Searching for rootkit modules........
-------------------------------------------------------------------------------
 * Suspicious module!! c:\winnt\system32\imm32.dll
-------------------------------------------------------------------------------
 * Suspicious module!! c:\winnt\system32\lpk.dll
-------------------------------------------------------------------------------
 * Suspicious module!! c:\winnt\system32\usp10.dll
-------------------------------------------------------------------------------
-Trying to detect hxdef with tcp data.. (Found: 1 Running rootkits)
-------------------------------------------------------------------------------
 * Rootkit Hacker Defender v1.0.0 is installed in your host.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ (Found: 1 Running rootkits)
-------------------------------------------------------------------------------
 * Rootkit Hacker Defender >= v0.82 found. Path not available
-------------------------------------------------------------------------------
-Searching for other rootkits......... (Found: 0 Running Rootkits)
==========
rkdetector and KPROCCHECK are both powerful tools; they both read their data from kernel space, while RKDetector has more functions. Just as its name, R(oot)K(it) Detector, says, it can automatically analyse various rootkits in a Windows system (a rootkit being a collection of hacker Trojans and tools). Excluding some false positives from the output above, the following lines remain:
Code
-------------------------------------------------------------------------------
 * SV: DCOMSVC34567890 (DCOM Services) Path: c:\winnt\system32\dcomsvc.exe
-------------------------------------------------------------------------------
 * SV: MSDOSCDefenderDRV (MSDOSCDefenderDRV) Path: c:\winnt\system32\msdosdrv.sys
-------------------------------------------------------------------------------
-Trying to detect hxdef with tcp data.. (Found: 1 Running rootkits)
-------------------------------------------------------------------------------
 * Rootkit Hacker Defender v1.0.0 is installed in your host.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ (Found: 1 Running rootkits)
-------------------------------------------------------------------------------
 * Rootkit Hacker Defender >= v0.82 found. Path not available
-------------------------------------------------------------------------------
-Searching for other rootkits......... (Found: 0 Running rootkits)
-------------------------------------------------------------------------------
It can be seen that it detects two abnormal services, DCOMSVC and msdosdrv.sys, and a rootkit: Hacker Defender v1.0.0 (hxdef100 for short). And hxdef100, I am afraid, is the biggest BOSS in this chapter, and also the hardest to deal with. This is an extremely successful rootkit on Windows. It runs in the system as a system service, then intercepts user programs' queries by hooking the related system calls, and in that way hides files, directories, processes, services, registry keys and values, network ports and other information, so that users cannot see any of it through regular query methods (sc, ps and the like). At the same time it can listen directly on a TCP port (not visible on this machine), or run and hide other back door programs to create a path for remote control; for the Trojan-dropping crowd it is simply the must-have remedy for home, travel, murder and robbery! hxdef100 not only hides itself, it also hides the other back doors (processes, services, files). The only way to make it show itself is to call its name: net stop hxdef100 stops the service and it is temporarily out of action, and then hxdef100.exe -:uninstall uninstalls it. But there are two problems: first, we do not know its service name, and without the service name we cannot stop it; second, we do not know where its executable and configuration files are, so even if we could stop it for a moment we could not uninstall it and could not find the other back doors it hides. Isn't that a dead end? Dead end or not, let's treat the dead horse as a live one and try the possible service names found earlier: Code
ELLY: Open Sesame... (net stop hxdef100)
HXDEF: ...
ELLY: Open Watermelon... (net stop dcomsvc)
HXDEF: ...
ELLY: Open Potato... (net stop ccProxy)
HXDEF: ...
ELLY: Open Banana... (net stop msdoscdefenderdrv)
HXDEF: ...
ELLY: Open HXDEF... (net stop spoolsv)
HXDEF: ...
It seems hxdef is playing dead and refuses to answer me. So... pick the soft persimmon to pinch: analyse the bodies already caught and see what can be squeezed out of them. First pull all the abnormal files found so far over to my own machine, including the msdosdrv.sys just found; of course some files are known to exist but still cannot be found by the system, and with hxdef around there is no point trying. The files captured so far are:
Code
* 2004-04-07 11:52 55,296 List.gif
* 2004-04-07 11:53 45,056 Finder.gif
* 2004-04-07 11:53 28,160 nlog.gif
* 2004-04-07 11:53 77,824 Kill.gif
* 2004-04-07 11:53 131,072 info.gif
* 2004-04-07 11:53 14,747 TINJECT.DLL
* 2004-04-07 11:53 69,632 spinfo.dll
* 2004-04-07 11:57 8,464 sporder.dll
* 2004-04-07 11:57 49 mslsp.dat
* 2004-04-07 12:11 20,480 DCOMSVC.EXE
* 2004-04-07 12:11 93 nt.bat
* 2005-02-10 03:03 405 SvClog.log
The basic function analysis below is based on file information and disassembly.
Code
* 2004-04-07 11:52 55,296 List.gif
* 2004-04-07 11:53 45,056 Finder.gif
* 2004-04-07 11:53 28,160 nlog.gif
* 2004-04-07 11:53 77,824 Kill.gif
* 2004-04-07 11:53 131,072 Info.gif
The above five are hacker tools under disguised names; their functions:
List.gif: Sysinternals pslist, used to list all processes;
Finder.gif: a tool that pulls the current logged-on user's password directly out of the Winlogon process;
nlog.gif: actually nc (netcat.exe), a multi-function network program;
Kill.gif: Sysinternals kill, used to kill a process;
info.gif: Sysinternals psinfo, used to view the current host's system information.
* 2004-04-07 11:53 14,747 TINJECT.DLL: a thread-injection tool for running and hiding Trojan programs. It creates a process-less Trojan that lives as a parasite in another process's address space; it needs rundll32 to run, parameters unknown.
* 2004-04-07 11:53 69,632 spinfo.dll: a process-less (and possibly port-less) Trojan. Using the system SPI (service provider interface), it hooks itself into the system network stack as a protocol filter; all data flowing through that layer is analysed and commands in it executed. The promiscuous-mode network interface state detected in chapter 2 should be spinfo.dll.
* 2004-04-07 11:57 8,464 sporder.dll: a support library for inserting modules into the system SPI chain; a library spinfo.dll links against.
* 2004-04-07 12:11 20,480 DCOMSVC.EXE: SKSERVER 1.0, a SOCKS5 proxy server.
* 2004-04-07 12:11 93 NT.BAT: the initialization script that installs SKSERVER.
* 2005-02-10 03:03 405 SvClog.log and * 2004-04-07 11:57 49 mslsp.dat: the log files of the spinfo.dll back door and of another back door.
After this analysis, let's look at hxdef again. Just now there was no way forward, but I forgot there is still something in hand: Ice. Without further ado, I upload IceSword, which is also a good tool for checking hidden information; I almost forgot about it. After running it, four hidden services are found in the services list: Spooler, Spoolers, IpRip, NetDDE. Stop them one by one, and now the system should be clean.
Using netstat -na and fport to view the system status, everything is normal, and the two displays now agree. Find the files related to 2004-04-07: Code
==========
C:\>... | findstr 2004-04-07
2004-04-07 12:05 280 Administrator@www.hanzify[1].txt
2004-04-07 12:03
==========
This time there are more files:
Code
c:\winnt\spoolsv.exe
c:\winnt\admdll.dll
c:\winnt\raddrv.dll
c:\winnt\system32\svchostdll.dll
c:\winnt\system32\sysinfo.dll
c:\winnt\system32\reginfo.exe
c:\winnt\system32\ms29.ini
The analysis is as follows:
c:\winnt\system32\spoolsv.exe: original name R_Server2.exe; after packing, Radmin 2.0, a remote administration and control program.
c:\winnt\admdll.dll, c:\winnt\raddrv.dll: the dynamic link libraries Radmin needs to run.
c:\winnt\system32\svchostdll.dll, c:\winnt\system32\sysinfo.dll: the svchost Trojan, used to inject a thread into svchost, the system service host process, and create a process-less back door. svchostdll.dll is its support library.
c:\winnt\system32\reginfo.exe: Remote DLL Injector v1.6 Private Version by Wineggdrop, heh heh, a remote-thread injector used to hide processes, possibly related to the earlier TINJECT.DLL.
Once running in the system, this Trojan gang headed by hxdef100, disguised as Spooler, IpRip, NetDDE and so on, seemed to be doing a fine job in there... The whole back door gang has now basically been arrested. Finally, let us review their confessions. Review what? Of course, I remember: the whitelist! hxdef100 configuration file: ms29.ini ms20.ini (originally hxdef[*].ini), full text excerpt:
Code
[h "I / d << D
OK, let's reconstruct the scene of the case.

Conclusion of this chapter:
1. On April 7, 2004, on a dark... night... oh, sorry, it was daytime. On a rainy day a hacker calling himself Domybest or Ahai wandered, perhaps by chance, onto this network segment (or maybe he had been around for a long time). He first ran Nmap and RPCScan and suddenly found that this server had TCP 21 and TCP 135 open, and was running the FTP server Serv-U 5.0.0.4 and IIS 5, both famous for their vulnerabilities under Windows; how could that not make him drool! This machine very likely had the RPC-DCOM remote overflow vulnerability, and it had not even been infected by the Blaster worm. The hacker's eyes lit up; half a year of intrusion experience let him quickly and successfully get into the system with an RPC exploit and obtain SYSTEM privileges. Someone may ask why he did not use the Serv-U remote overflow instead. The reason is that history has no "what ifs": that vulnerability had not yet been published.
2. After getting into the system the hacker first uploaded a few tools. He is very practiced with the PS series; after pslist and netstat he was quite reassured that there was nobody on this machine besides himself, and that the system administrator had probably not looked at it for several months. After psinfo he found that this box wasn't bad and could be used for FTP ^^ but he didn't much care, since he already had hundreds of broilers (zombie boxes).
3. So he began to upload some of his backdoors, such as the modified Termserv, and so it would not be found he changed its port to TCP 4652. After logging in through the terminal service, he thought about what to do with the box: just run a proxy server. He had heard of a proxy server called CCProxy, so he installed CCProxy, and along with it a Serv-U with the Chinese language pack from Luoda; it seems he had another FTP server and attack tool to host. A few days later he found that CCProxy was not as handy as the SKSERVER he used to use, and hackers mostly use SOCKS5 proxies anyway, so he stopped CCProxy and installed SKSERVER.
4. But the hacker still did not feel secure in his position, so he planted more eyes and ears, installing more backdoors: WinEggDrop's process-less backdoor, an SPI backdoor called Spishell, the Radmin 2 remote control server, and a backdoor hidden by injection into svchost, possibly called Portless Backdoor. Of course some of these he had modified himself, and he tailored some details to this machine's situation; this is enough to prove that he is at least a seasoned intruder who can be called a cracker, not an ordinary script kiddie.
5. Finally, to prove his level, he did not forget to install a famous Windows backdoor, the new version!
6. He strolled around the system, checked whether any administrator agent was present, and then wiped some EventLog entries. But Win2000 is also a pushover: by default connections are not logged, so the hacker could log in through Terminal Server or any of his backdoors with nothing to fear. Norton CE installed? Even more of a pushover! None of the hacker's backdoors were detected. Half a year later the system was upgraded and the box reported again...
DCOMSVC was discovered and suspected of being a backdoor, but the cleanup failed; seeing this, the hacker had nothing to fear. Finally the hacker added one more record to his broiler database:
Code
XX.xx.xx.xx: 1432, 1442, 4652, 4653
hxdef, spishell, svchost, radmin, termserv@4652, SKSERVER@1432, ccProxy
user: by ahai  pass: domybest@#@#@#

[The above is purely fictional; any resemblance is coincidental and I take no responsibility.]
[BTW: while looking for information I came across this; everyone can take a look: http://hehe26.blogchina.com/blog/Article_150251.788458.html]

Remaining issues of this chapter: the final analysis is finished, but several issues remain:
1. If you were the system administrator, what would you do next?
2. With so many backdoors and Trojans that the pitiful antivirus software cannot find, how do you clean them out?
3. Is he still here? Will he come back?
4. If he comes back, how do you entertain him?
If you want to know, please wait for the next installment.

Handling:
The night is late and the lamp is dim; check each finding, tidy up a little, and restore the system to its normal state.

1. Uninstall hxdef
Code
C:\hxdef100>hxdef100 -:uninstall

2. Remove the services
Code
C:\Documents and Settings\Administrator>sc delete CCProxy
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator>sc delete IPRIP
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator>sc delete Spoolers
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Documents and Settings\Administrator>sc delete Spooler
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator>sc delete NetDDEe
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator>sc delete DCOMSVC34567890
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Documents and Settings\Administrator>sc delete "Windows Event Logger"
[SC] DeleteService SUCCESS

2.1 Some services may not be deletable from the command line; in that case use the registry editor regedit.exe and delete the service's key under HKLM\System\CurrentControlSet\Services\.

3. Delete the programs
Code
del c:\winnt\spoolsv.exe
del c:\winnt\admdll.dll
del c:\winnt\raddrv.dll
del c:\winnt\system32\dcomsvc.exe
del c:\winnt\system32\list.gif
del c:\winnt\system32\finder.gif
del c:\winnt\system32\nlog.gif
del c:\winnt\system32\kill.gif
del c:\winnt\system32\info.gif
del c:\winnt\system32\svchostdll.dll
del c:\winnt\system32\sysinfo.dll
del c:\winnt\system32\reginfo.exe
del c:\winnt\system32\spinfo.dll
del c:\winnt\system32\ms29.ini
del c:\winnt\system32\tinject.dll
del c:\winnt\system32\svclog.log
del c:\winnt\system32\sporder.dll
del c:\winnt\system32\mslsp.dat
del c:\winnt\system32\msdos*.exe
del c:\winnt\system32\msdosdrv.sys
rd /s /q c:\winnt\apppatch

4. Terminal service
Adjust the terminal service: the fake one has been uninstalled, and the real one needs its port changed back. Under HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, change the REG_DWORD value PortNumber from 4652 back to the normal 3389 so that TermService listens on its normal port again; it can then be enabled or disabled as needed.

5. User accounts
First, it is recommended that all users change their system logon passwords, as well as the passwords for Serv-U and the other application services. Then make the following settings: change the password, lock the account, and remove it from the Administrators group. After that, check the current state with tools such as RKDetector and KProcCheck:
Code
-Searching again for hidden services..
-Gathering service list information... (Found: 1 wrong services)
-Trying to detect hxdef with TCP data.. (Found: 0 running rootkits)
-Searching for hxdef hooks............ (Found: 0 running rootkits)
-Searching for other rootkits......... (Found: 0 running rootkits)
hxdef and the other Trojans should have been cleared successfully. What else is there? Delete, disable, patch; rename Administrator and Guest, set them to Guests group privileges, and revoke the interactive logon right.