Wow! Have a hacker! ! ! (on)

xiaoxiao2021-03-06 35

Author: elly Source: Security Focus Forum visions: Last night westerly withered Bishu prelude: the words elly that day finished with everyone chat "hacker trends (interesting)", the tea went down the stairs alone. Take the phoenix, the jade pot is turning, and I am blushing, and I suddenly heard the ringtones. It is a server that is idle and can be used. So I log in and configure it slightly ... pcanywhere is logging in. Fang Shiyu's mother's brother often said, safety first, safety first. After going up, it is of course first to look at the server's service configuration. Run "Services.msc" to open the service manager, look at it, don't you ... How do you have a few new gratia?

Code

I know that the first one is definitely logged in with a fake ID card! check the detail information:

Code

============================================================================================================================================================================================================= ========== Service Name: DCOMSVC Display Name: DCOM Services Description: [Air] Executable Path: C: /Winnt/System32/dcomsvc.exe Start Type: Auto ======= ============================================================================================================================================================================================================= === C: / Winnt / System32 Elly lives there for so many years, I have never seen this brother. Elly began to realize the seriousness of the problem: the system is likely to have been invaded, and the back door is installed! Let's take a look at the status of the current service:

Code

============================================================================================================================================================================================================= ========== C: / Winnt / cmd> SCLIST ... Running DCOMSVC 34567890 DCOMSVC 34567890 DCOMSVIC 34567890 DCOMSVC 34567890 DCOMSVIC 34567890 DCOMSVIC 34567890 DCOMSVC 34567890 DCOMSVC 34567890 DCOMSVC 34567890 DCOMSVC 34567890 DCOMSVC 34567890 DCOMSVC 34567890 DCOMSRES RUNNING SERVER Administrator Secure Port Server Running Windows Event Logger Windows Event Logger ... ======== ============================================================================================================================================================================================================= == Sclist lists all currently running Windows system services. From the list of service, we are the simplest and direct discovery above three exception services. As for how to find it ... First, they have no service instructions (or the right service description), which represents them are not the service self-contained; second, more mainly based on experience, a skilled Windows system administrator The services in the system should be done in the heart, if there is a cavern, when the hand is at least two documents, the first is the list of service lists, functions and status of Windows, and the second is after each server installation is completed. Initialize the list of services in the mirroring state. Use SC Query to see more detailed service information:

Code

============================================================================================================================================================================================================= ========== SERVICE_NAME: dcomsvc34567890DISPLAY_NAME: DCOM Services (null) TYPE: 10 WIN32_OWN_PROCESS STATE: 4 RUNNING (sTOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE: 0 (0x0) SERVICE_EXIT_CODE: 0 (0x0) CHECKPOINT: 0x0 WAIT_HINT : 0x0 ================================================ ============ SERVICE_NAME: Windows Event LoggerDISPLAY_NAME: Windows Event Logger (null) TYPE: 10 WIN32_OWN_PROCESS STATE: 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE: 0 (0x0) SERVICE_EXIT_CODE: 0 (0x0 Checkpoint: 0x0 Wait_HINT: 0x0 ============================================ ==================

SERVICE_NAME: CCProxyDISPLAY_NAME: Dell OpenManage (null) TYPE: 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS STATE: 1 STOPPED (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE: 1077 (0x435) SERVICE_EXIT_CODE: 0 (0x0) CHECKPOINT: 0x0 WAIT_HINT: 0x0 ======= ============================================================================================================================================================================================================= === Code

psservice config ccproxy SERVICE_NAME: ccproxy (null) TYPE: 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE: 3 DEMAND_START ERROR_CONTROL: 1 NORMAL BINARY_PATH_NAME: "C: /WINNT/AppPatch/app/openmange.exe" -service LOAD_ORDER_GROUP: TAG: 0 DISPLAY_NAME: Dell OpenManage DEPENDENCIES : Service_start_name: localsystem ============================================== ==============

Now, the three services expose the fox tail, the first program is located in C: /Winnt/System32/dcomsvc.exe is analyzed by an SOCK5 proxy server SKSERVER V1.0, often being installed by the intruder as an attack other machine Springboard; second program is located in C: /Winnt/System32/TERMSRV.EXE, which is actually the terminal service server of Windows 2000, but why is this name? The third program is CCProxy 6.0, a multi-function application proxy server, it is clear that it is not the administrator to install it. Obviously, the server has now been invaded, and there is also a back door and two proxy servers used as a springboard or other illegal use, then there is something that is not discovered? Request to break back ... This chapter conclusions: 1. This host has been infiltrated; 2. This host has been installed back door: c: /winnt/system32/dcomsvc.exe (SKSERVER 1.0) C: / Winnt / System32 /TERMSRV.EXE (TERMINALSERVER) C: /WINNT/AppPatch/app/openMange.exe (ccProxy 6.0) This chapter left the problem: 1. Why is TerminalServer changed? 2. Which back-door channels may there be existed in the system now? 3. Why check DCOMSRV service information failed? What you have to do: what you have to do means that at every stage, we need to work under normal circumstances. In this section, it is mainly to find abnormal conditions. In the Windows 2000 system, when the system may be invaded, there will be some abnormal conditions, and the system administrator needs to have enough alerts, and the reason is rapidly positioned when the exception event occurs. There are several cases: 1. Process exception 2. Service exception 3. Account exception 5. Log exception 6. Network abnormal approach: According to the situation that may happen above, there may be some Common and optional means for inspection. Process check. Task Manager: This is the most commonly used process management method in the Windows 2000 series system. But there are some defects. It must also be running under the graphical interface, and maybe we can only work in the command, such as now - when I only have 56K kittens when I am online. PS series tool: This is a series of command line tools from Sysinternal, where PS and PSLIS can list all processes in the system under the command line; there is also a similar command in Windows -2000 Resourcekit, TSLIST. The most powerful feature of the PS series is to do not only in the local execution, but also remotely executed through the IPC $ anonymous sharing connecting pipe. Windows Reskit Series Tools: Windows NT / 2000 Resourcekit contains a range of very powerful tools such as TSLIST and PTREE. The Ptree is also a powerful tool that includes two versions of the graphical interface and the mandatory line, which can list process trees and dependencies in a tree format, and it can also be managed by connecting the remote server. The disadvantage is - On the remote server, you must first install the PTree service.

2. Service Check: Service Manager: Similarly, a service manager has built in the Windows2000 system, which can only run under the graphical interface. It can be found in [Control Panel] -> [Administrative Tools] -> [Service], or open it through the command line shortcut "Services.msc". It can view, stop, start the service, and can modify some of the service parameters. Net.exe: NET is a very powerful management command built in the Windows 2000 series, including service management features. NET Start is used to view and start the service; and NET STOP is used to stop the service. The NET Start command without parameters will list all services that are running on the current system. Its biggest shortcomings are relatively simple in service management, such as unable to know all services installed in the system, and also need administrators to be very familiar with Win2000's service itself. Sc.exe: SC is the earliest is a more powerful service management tool that appears in Winnt Reskit. It has become a built-in command in Windows 2003. It can do almost all operations for Windows services: code

SC Query Query Service Status, list all services without parameters; SC config configuration service parameters; SC START launches a service; SCSTOP stops a service; SC DELETE delete service; SC CREATE Create a service; You can also connect and execute directly on the remote machine. Use: SC [Hostname] [Command] to connect the remote host.

PSService: PSService.exe is one of the Sysinternal PS series commands, and its functions are basically uniform and SCs, and the specific difference is helpful. 4. Account Anomaly: Computer Management: Computer Management is a system management tool built in Windows system, we can view system user information here. Net.exe: Net user commands manage system user accounts and passwords in command line mode.

Code

NET User does not list all user accounts; NET user [username] is reviewed a user detailed information; NET user [username] [password] Modify user password; net user [username] / add add users; net user [username] / delete deletes the user; Net user ... / domain executes in domain mode.

Note that when unfamiliar usernames are found in the system, or the normal user account password is modified, abuse and other incidents need to pay attention. 5. Log Exception When the system's services (system logs, web logs, FTP logs, etc.) have an exception log information. Use the system command eventvwr.msc to open the log viewer; IIS log defaults in the% systemroot% / system32 / logfiles directory. 3/6. System Resources and Network When a large number of CPUs, memory, disk space, and network bandwidth are abnormal, the system can be used to detect exception reasons. This chapter TIPS: 1. There is also a sister SCList, which can list all the list of services as simple as PSList. 2. When using the NET START / STOP command to manage the service, you can use the "quotation marks" to include the service name containing spaces. 3. The service name in Windows 2000 has two forms, namely the service name (short-term) and the display service name (a long name with spaces). In most cases, both names are effective, and thus also have excellent disadvantages, long-name readily, but it is difficult to write; You can query the service name control using the SC command. SC getDisplayName Query DisplayName SC getKeyname Query Keyname (Short Name) When using a long name containing space, it is possible that shell cannot correctly resolve, you can use "" quotation marks. 4. The services of the Windows series have dependencies. For example, RPC Server is the pre-condition for many services. Although the stopped service may cause unpredictable consequences, you can use the SC command to view the command-dependent relationship. SC ENUMDEPEND [Service Name] View Service Dependencies or PSService Depend [Service Name] 5. The final service management tool is ... Registry Editor Regedit.exe. All services in the system exist a mapping database in the registry, and you can view and modify the corresponding parameters by modifying the corresponding values. For example IIS WWW service code

... say too much ... Detailed Detail "Windows 2000 Service Management". ######################################################################################################################################################################################################################################################################################################## ######### 踪: The crowd is looking for him a thousand Baidu scene: saying that the ELLY machine discovers several Trojans on this machine, the heart is shocked: This Troy is really good, there is no sound, actually It has been infiltrated. Waiting for me to think, try to kill them, take one of them, then take one of them ... Elly take a break, and poured a cup of tea, ready for the tool, and start to discover information. Finally, we briefly read the procedure of the system check, then in the Windows system, you need to investigate some information in the Windows system: Process >> System Process >> System Services >> User Process In Process Information Investigation, It is mainly to find abnormal information by viewing the system drive module, system processes, services, user processes. Network >> Network Port >> Network Connection >> Named Pipe Network Information Survey, contains an abnormal network driver, protocol filter, interface status, network connection, open port, and nomenclature information query. Account >> User Account >> User Password >> User Environment File Account Check is mainly for the configuration information of the system account and various application accounts. Log >> System Logs >> Application Log Log Check is a system log, security log, and an application log. System Environment >> System Launch Item >> Registry Launch Item >> File Information System Environment Survey on system launch and operational environments, initialization running programs, key key values of the registry, and file system information, file system surveys include MAC access Record, exceptions, and hidden files, file system privileges and stream file checks. Application >> Application Configuration This part of this is mainly to do audit and analysis of the configuration of various applications. Then look at the information we have obtained on this machine (excerpt section): 1. Process in the process check section, we run multiple process check tools in turn, and redirect the output to the log file to complete the system image Current status copy: code

Code

[System Process] (0) System (8) Smss.exe (192) CSRSS.exe (216) Winlogon.exe (240) LSASS.EXE (280) Services.exe (268) AWHOST32.EXE (652) Dcevt32.exe (700) DCOMSVC.EXE (744) DCStor32.exe (756) Defwatch.exe (804) fsshd2.exe (1776) fsshd2srv.exe (2056) fssh2console.ex (2416) cmd.exe (2456) PTree.exe (2484 ) FSSHSFTPD.EXE (2432) inetinfo.exe (1196) llssrv.exe (856) msdtc.exe (488) msiexec.exe (2540) MStask.exe (976) Omaws32.exe (1052) Diagorb.exe (1732) Ptreesvc (2640) RTVSCAN.EXE (936) Servud ~ 1.exe (1008) snmp.exe (1068) svchost.exe (1216) svchost.exe (1856) sv Chost.exe (1176) svchost.exe (436) Dllhost.exe (2576) Dllhost.exe (1804) Termsrv.exe (2128) Winmgmt.exe (1164) Explorer.exe (1832) AtipTaxx. EXE (1752) Bacstray.exe (2004) cmd.exe (2236) mmc.exe (2256) Msiexec.exe (1804) Terminated conime.exe (2120) Daemon.exe (2024) ipplore.exe (2496) IExplore.exe (2140) Flashget.exe (1888) INTERNAT.EXE (2040) MagentProc.exe (2064) servut ~ 1.exe (2048) VPTRAY.EXE (2016) =============== =====================================================================================================================================================

======================= PS output

Code

============================================================================================================================================================================================================= ========== Pslist v1.12 - Process Information ListerCopyright (C) 1999-2000 Mark Russinovichsystems Internals - _BLANK>

http://www.sysinternals.comProcess Information for CJL-NMS: Name PID Pri THD MEM User Time Kernel Time Elapsed TimeIdle 0 0 4 0 16 0: 24.750 211: 18: 24.375System 8 8 52 159 300 0: 45.92 211: 18: 24.375SMSS 192 11 6 38 412 0: 00: 00.015 0: 03: 24.828 211: 18: 24.375CSRS226 13 15 677 2232 0: 00: 31.500 0: 02: 18.609Winlogon 240 13 17 442 248 0: 00:00.453 0: 11: 11.859 211: 18: 17.703 Services 268 9 28 530 5960 0: 0: 03.750 0: 05: 22.546 211: 18 : 16.812LSASS 280 9 19 315 6364 0: 06.015 211: 18: 16.796422436 8 12 349 5672 0: 01: 08.687 0: 08: 15.671MSDTC 488 8 36 228 6708 0: 04: 49.671 211: 18: 15.140awhost32 652 8 19 375 9124 0: 01: 15.281 0: 15: 17.203 211: 18: 14.500DCEVT32 700 8 4 104 3688 0: 00:00.093 0:14 : 31.796 211: 18 : 04.843dcomsvc 744 8 5 110 3872 0: 04.343 211: 18: 04.703dcstor32 756 8 8 126 4704 0: 0: 47.812 0: 06: 46.765 211: 18: 04.640defwatch 804 8 4 49 2740 0: 05: 56.546 211: 17: 56.546SVCHOST 824 8 20 419 9936 0: 00: 42.093 0: 06: 35.453 211: 17: 56.484llssrv 856 9 9 82 2580 0: 00: 00.156 0:09 : 22.390 211: 17: 56.046rtvscan 936 8 35 301 16112 2: 16: 39.390 11: 58: 04.312 211: 17: 55.859mstask 976 8 6 127 3980 0: 00:00.062 0: 04: 30.781 211: 17: 55.593serve ~ 1 1008 8 10 131 7484 0: 04: 03.921 0: 04: 26.546 211: 17: 55.4373232 1052 8 47 453 23656 0: 12: 32.093 0: 06: 14.609 211: 17:

55.250SNMP 1068 8 11 266 6452 0: 00: 00.281 0: 06: 14.640 211: 17: 55.640 211: 17: 55.640 211: 0: 00: 00.09 0: 04: 00.312 211: 17: 55.031winmgmt 1164 8 5 177 512 0 : 00: 05.046 0: 06: 32.046 211: 17: 54.843SVCHOST 1176 8 7 381 13416 0: 00: 06.406 0: 24: 42.015 211: 17: 54.671inetinfo 1196 8 21 514 8904 0: 02: 42.968 0:28: 18.281 211: 17: 54.609Diagorb 1732 8 2 84 4004 0: 00: 01.062 0: 02: 13.312 211: 17: 46.421SVCHOST 1856 8 14 177 3856 0: 49.890 211: 17: 24.812SVCHOST 1216 8 7 211 7808 0: 17: 22.593 189: 17: 22.078Explorer 1832 8 13 605 5236 0: 00: 20.234 0: 01: 33.156 10: 36: 36.453AtipTaxx 1752 8 2 87 3848 0:00: 00.046 0: 00: 34.484 10: 36: 34.109Bacstray 2004 8 1 18 1972 0: 00: 00.046 0: 00: 00.105 10: 36: 33.984VPTRAY 2016 8 3 138 6112 0: 00.093 0: 00: 00.093 0: 00:671 10: 36: 33.875Daemon 2024 8 2 72 4724 0:00:00 .015 10: 36: 33.843INTERNAT 2040 8 1 28 2152 0: 00.031 0: 00: 0071 10: 36: 33.750 Servut ~ 1 2048 8 1 30 396 0: 00:00.046 0:00: 00.046 10: 36: 33.656MAgentproc 2064 8 4 154 4928 0: 01.140 10: 36: 33.437Conime 2120 8 1 19 1388 0: 00.031 0: 00:00.062 6: 57: 40.312CMD 2236 8 2 48 124 0: 00.531 2: 49: 29.328MMC 2256 8 6 154 4600 0: 00: 02.218 0: 00: 05.937 2: 49: 24.468Termsrv 2128 10 38 65 3392 0:36: 39.750 2: 27: 58.125 2: 48: 38.343 100plore 2140 8 7 361 10040 0: 00: 13.640 0: 00: 33.046 2: 41: 03.859Flashget 1888 8 8 327 6060 0: 00: 05.531 0: 00: 02.843 2: 16:

59.796fsshd2 1776 8 3 91 3908 0: 00: 00.125 0: 23.812Fsshd2SRV 2056 8 3 141 6124 0: 01.296 0: 00: 01.281 1: 35: 53.093FSSH2Consol 2416 8 1 30 1920 0 : 00: 14.031 0: 00: 38.125 1: 35: 36.531CMD 2456 8 1 29 1572 0: 00: 00.078 0: 00: 01.000 1: 35: 36.421FSSHSFTPD 2432 8 1 63 2956 0: 00:00.296 0:00: 01.046 1: 07: 11.453PS 2488 8 2 96 1692 0: 00.046 0: 00.062 ======================== ============================================== kProccHeck -P output

Code

============================================================================================================================================================================================================= ========== kProccHeck Version 0.1 Proof-of-Concept by Sig ^ 2 (_BLANK> www.security.org.sg) Process List by Traversal of ActiveProcessLinks8 - System 192 - SMSS.EXE 220 - CSRSS. EXE 240 - Winlogon.exe 268 - Services.exe 288 - LSAss.exe 444 - Svchost.exe 468 - Spoolsv.exe - [Hidden] - 488 - MSDTC.EXE 656 - AWHOST32.EXE 704 - DCEVT32.EXE 748 - DCOMSVC.EXE 760 - DCSTOR32.EXE 808 - DEFWATCH.EXE 828 - SVCHOST.EXE 840 - fsshd2.exe 848 - fsshd2srv.exe 880 - llssrv.exe 960 - rtvscan.exe 996 - ptreesvc.exe 1016 - mstask.exe 1052 Servud ~ 1.exe 1104 - omaws32.exe 1116 - SNMP.EXE 1136 - Syinfo.exe - [Hidden] - 1172 - Termsrv.exe 1208 - Winmgmt.exe 1232 - Svchost.exe 1252 - inetinfo.exe 1744 - daemon .exe 1788 - VPTRAY.EXE 1800 - BACSTRAY.EXE 1824 - AtipTaxx.exe 1832 - Diagorb.exe 1920 - Svchost.exe 1996 - Explorer.exe 2000 - KPROCCHECK.EXE 2044 - Internat.exe 2052 - Servut ~ 1.exe 2060 - MagentProc.exe 2096 - FSSH2CONSOLE.EX 2108 - cmd.exe 2116 - fsshsftpd.exe total number of processes = 44 =============================

=============================== In PTREE and PS, we have seen these two exception processes:

Code

DCOMSVC.EXE (744) Termsrv.exe (2128)

That is, the SKSERVER and the back door we discovered in the first section; then we found two hidden processes in KPROCCHECK:

Code

468 - Spoolsv.exe - [Hidden] - 1136 - SYINFO.EXE - [Hidden] -

And these two processes can't see in PS! Obviously in this system except TerminalServer except TerminalServer! Then let's take a look at what they have done. As a back door (Trojan, Troy), its ultimate goal is to obtain control of the corresponding host and create an unexpected pathway. So, as long as there is a motive, you will definitely find the roots, we will start from its way to analyze the two backsmen. 2. Network invaders should use the back door, they must be connected through the network, and whether SKSERVER is still Termserv, they must be connected to them. We run such a script to check the network status:

Code

Explain the tools we use here. NetStat is a command built in the Windows system, and the -NA parameter can list all TCP / UDP connections. Fport is a very useful third-party tool that lists all ports and the offset table that opens their processes. PromiscDete is a third-party tool that detects a network interface status, whether there is a SNIFFER class program run. PIPELIST is a tool in Windows Reskit, listing all pipes in the system, checking to whether there is a back door connected to the Windows pipeline. FPORT output

Code

============================================================================================================================================================================================================= ========== fport v2.0 - TCP / IP process to port mappercopyright 2000 by Foundstone, Inc._blank> http://www.foundstone.comPid Process Port Proto Path 1008 Servud ~ 1 -> 21 TCP C: /PROGRA ~ 1/SERV-U /SERVUD ~ 1.EXE1776 FSSHD2 -> 22 TCP C: / Program Files / F-Secure / SSH Server / FssHD2.EXE2056 FSSHD2SRV -> 22 TCP C: / Program Files / F -Secure / ssh server / fsshd2srv.exe436 svchost -> 135 TCP C: /WINNT/system32/svchost.exe 2064 magentproc -> 443 TCP C: / Program Files / Mercury Interactive / LoadRunner / launch_service / bin / magentproc.exe8 System - > 445 TCP 488 MSDTC -> 1025 TCP C: /Winnt/System32/msdtc.exe 976 MStask -> 1029 TCP C: /Winnt/System32/mstask.exe 1196 inetinfo -> 1030 TCP C: / Winnt / System32 / InetSRV / inetinfo.exe1052 omaws32 -> 1031 TCP C: / Program Files / Dell / OpenMA NAGE / IWS32.EXE1732 DIAGORB -> 1032 TCP C: /Progra ~ 1/dell/openma ~ 1/oldiags/vendor/pcdoctor/bin/diagorb.exe1732 Diagorb -> 1033 TCP C: / Program 1 / Dell / OpenMA ~ 1 / Oldiags / vendor / pcdoctor / bin / diagorb.exe1732 Diagorb -> 1034 TCP C: /PrOGRA ~ 1/dell/openma ~ 1/oldiags/ndor/pcdoctor/bin/diagorb.exe1052 OMAWS32 - > 1035 TCP C: / Program Files / Dell / OpenManage / IWS / BIN / WIN32 / OMAWS32.EXE8 SYSTEM ->

1036 TCP 1052 Omaws32 -> 1311 TCP C: / Program Files / Dell / OpenManage / IWS / BIN / WIN32 / OMAWS32.EXE1176 SVCHOST -> 1407 TCP C: /WINNT/SYSTEM32/SVCHOST.EXE 1176 SVCHOST -> 1409 TCP C: /WINNT/system32/svchost.exe 8 System -> 1421 TCP 488 msdtc -> 3372 TCP C: /WINNT/System32/msdtc.exe 2064 magentproc -> 5001 TCP C: / Program Files / Mercury Interactive / LoadRunner / launch_service / bin /magentproc.exe2064 magentproc -> 5002 TCP C: / Program Files / Mercury Interactive / LoadRunner / launch_service / bin / magentproc.exe2064 magentproc -> 5003 TCP C: / Program Files / Mercury Interactive / LoadRunner / launch_service / bin / magentproc.exe652 awhost32 -> 5631 TCP C: / Program Files / Symantec / pcAnywhere / awhost32.exe1052 omaws32 -> 8000 TCP C: / Program Files / Dell / OpenManage / iws / bin / win32 / omaws32.exe1196 inetinfo -> 8222 TCP C: / Winnt / system32 / inets RV / inetinfo.exe1196 inetinfo -> 8333 TCP C: /WINNT/System32/inetsrv/inetinfo.exe1008 Servud ~ 1 -> 43958 TCP C: /PROGRA ~ 1/SERV-U /SERVUD ~ 1.EXE2064 MAGENTPROC -> 50500 TCP C: / Program Files / Mercury Interactive / LoadRunner / launch_service / bin / magentproc.exe2064 magentproc -> 54345 TCP C: / Program Files / Mercury Interactive / LoadRunner / launch_service / bin / magentproc.exe1068 snmp -> 161 UDP C: / WINNT /System32/snmp.exe 8 system -> 445 udp 280 lsass -> 500 udp c: /winnt/system32/lsass.exe 2140 ipplore ->

1367 UDP C: / Program Files / Internet Explorer / IEXPLORE.EXE1888 flashget -> 1399 UDP C: / Program Files / FlashGet / flashget.exe1196 inetinfo -> 3456 UDP C: /WINNT/System32/inetsrv/inetinfo.exe652 awhost32 -> 5632 UDP C: / Program Files / Symantec / Pcanywhere / AWHOST32.EXE ===================================== ================================================================== PromiscDete

Code

============================================================================================================================================================================================================= ========== PromiscDetect 1.0 - (c) 2002, arne.vidstrom (arne.vidstrom@ntsecurity.nu) - _BLANK> http://ntsecurity.nu/toolbox/promiscdtetect/adapter name: - Broadcom NetXtreme Gigabit EthernetActive filter for the adapter: - Directed (capture packets directed to this computer) - multicast (capture multicast packets for groups the computer is a member of) - Broadcast (capture broadcast packets) - Promiscuous (capture all packets on the network) WARNING : Since this adapter is in promiscuous mode there could be a sniffer running on this computer Adapter name: -! Broadcom NetXtreme Gigabit EthernetActive filter for the adapter: - Directed (capture packets directed to this computer) - multicast (capture multicast packets for groups the Computer is a member of) - Broadcast (Capture Broadcast Packet) ===================================== ======================== pipelist output

Code

============================================================================================================================================================================================================= ========== Pipelist v1.01by mark russinovich_blank> http://www.sysinternals.compipe name instances max instances ----------------- ----------- INITSHUTDOWN 2 -1 LSASS 3 -1 NTSVCS 58 -1 Scerpc 2 -1 Net / NTControlPipe1 1 1 Sshpipe.000006F0.00000006 1 1 SSHPIPE.000006F0.00000007 1 Sshconsolepipe.00000808.00000000 1 1 sshpipe.00000808.00000000 1 1 SSHPIPE.00000808.00000001 1 1 sshpipe.00000808.00000002 1 1 =============================================== ================

The result is soon coming out, but here we have also discovered the most frightened things! We didn't see DCOMSVC.EXE (744) and Termsrv.exe (2128) listening to any network port! In combination with the problem of two system hidden processes in the previous section, we can conclude that in this system, it is currently hidden with a deeper back door. Then we do a small test to see if TerminalServer does not have listening ports. Use the terminal service client to connect to the host's 3389 port - this is the port of the terminal service regular listener. Failed. But I don't believe it is really a good people - after all, it is just a routine situation, and now - this program is existing as a back door being invaded. In addition, in the output of PromiscDetect, we can see that the status of the first network card is Promiscuous which represents the current network interface and mixed mode at the current network interface, and the mixed mode will only exist when there is a Sniffer program in the system, and the current There is no visible network analysis program in the system, that is only one possible - intruder also installed Sniffer to eaveise the user password transmitted in the network! BTW: The FTP is running on the current host, and the passwords of these users are dangerous; in addition, there is an exception event, that is, when I use PCANywhere to log in to the system, PCANywhere prompts, the current connection encryption is set to None! This is obviously not the system administrator ... 3. System environment Check Next, we have systematic environmental inspection, mainly manually checking several system startup items - Windows system automatically runs and loads when starting Place of programs, including several key values and "launch" program groups for the registry. No exception programs have been found. Tips: You can use the MSConfig program to view the system loaded by the system startup item; or use the Registry Editor to view the [HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run] equality, view the correlation value; of course, the registry can hide the load There are still many places where the program is slightly not. In the checkpoint of the registry, I specially checked this one: code

============================================================================================================================================================================================================= ========== C: / Winnt / cmd> Reg Query "HKLM / System / CurrentControlSet / Control / Terminal Server / WinStations / RDP-TCP / Portnumber" REG_DWORD Portnumber 4652 ======== ============================================================================================================================================================================================================= == This is the key value of the TerminalServer service specifies the number of listening service ports, haha, revealing the fox tail. The rear door TERMINALRERVER service on this machine is changed to TCP: 4652, not normal TCP: 3389, of course, can not connect! Change the port to use the terminal service client to connect, success! Log in, lose the pcanywhere of the garbage, the end service speed is really a lot of time - running questions, at 56k modem connection speed, the PCANywhere refresh window can only refresh, each action is> 5 seconds to respond, The speed of the terminal service 256 color mode is still acceptable, and the at least can return and respond to my operation immediately. The bird gun replaces the gun, which reminds me of the Red Army grandfather when the anti-Japanese war - no gun, no gun, devil give us! Is it alive here ... hackers give us? After 5 seconds, we continue. Analyze the file system. Since there is a Sniffer in the current system in front of the current system, it also doubts that there may be a Keylogger program in the system, and these two types of programs need to record log files at any time, then we look at the latest files in the system. : Using the System Command DIR / S / O: D / T: C [Directory Name] You can list all files in the directory by creating time; and you can use the / T: W parameter to use the modified time. Let's first see the recently modified documents:

Code

转载请注明原文地址:https://www.9cbs.com/read-53126.html

9cbs

New Post(0)