Discovery: last night the west wind withered the green trees

Prelude:
So it goes. After talking over the latest (interesting) hacker trends with everyone, Elly was drinking tea alone. The water in the jade pot had just come to the boil when the phone rang: a server that had been sitting idle was needed again. So I logged in to do a little configuration...

Logging in with pcAnywhere.
As Fang Shiyu's uncle used to say: safety first, safety first. Once on the box, of course, the first thing to look at is the server's service configuration. Run "services.msc" to open the Service Manager and take a look. Eh?
How did strangers get in here?
Code
    DCOM Services           [Description: null]   Automatic   LocalSystem
    Secure Port Server      [same]
    Windows Event Logger    [same]
I can tell at a glance that the first one is here on a fake ID card! Check its details:
Code
    Service Name:     DCOMSVC
    Display Name:     DCOM Services
    Description:      [empty]
    Executable Path:  C:\Winnt\System32\dcomsvc.exe
    Start Type:       Auto

C:\Winnt\System32... Elly has lived there for so many years and has never seen this brother. Elly began to realise the seriousness of the problem: the system has very likely been compromised, and a backdoor has been installed! Let's look at the status of the current services:
Code
    C:\Winnt\cmd>sclist
    ...
    running   DCOMSVC                 DCOM Services
    running   Secure Port Server      Secure Port Server
    running   Windows Event Logger    Windows Event Logger
    ...

sclist lists all Windows services currently running. From the service list, the simplest and most direct discovery is the three abnormal services above. As for how they were spotted: first, they have no service description (or no proper one), which suggests they are not services that came with the system; second, and mainly, it comes down to experience. A skilled Windows system administrator should know the services on the system by heart, and if there is any doubt, at least two documents should be at hand: first, the list of Windows' own services, their functions and their status; second, a snapshot of the service list taken right after each server was installed, in its initial state. Use sc query to see more detailed service information:
Code
    SERVICE_NAME: dcomsvc
    DISPLAY_NAME: DCOM Services
    (null)
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    SERVICE_NAME: Windows Event Logger
    DISPLAY_NAME: Windows Event Logger
    (null)
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    SERVICE_NAME: CCProxy
    DISPLAY_NAME: Dell OpenManage
    (null)
            TYPE               : 110  WIN32_OWN_PROCESS INTERACTIVE_PROCESS
            STATE              : 1  STOPPED
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 1077  (0x435)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
Code
    C:\Winnt\cmd>psservice config dcomsvc
    Error opening dcomsvc on \\CJL-NMS:
    The specified service does not exist as an installed service.

    C:\WINNT\cmd>psservice config "Windows Event Logger"
    SERVICE_NAME: Windows Event Logger
    DISPLAY_NAME: Windows Event Logger
    (null)
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2  AUTO_START
            ERROR_CONTROL      : 0  IGNORE
            BINARY_PATH_NAME   : C:\WINNT\system32\termsrv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Windows Event Logger
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem

    C:\WINNT\cmd>psservice config ccproxy
    SERVICE_NAME: ccproxy
    DISPLAY_NAME: Dell OpenManage
    (null)
            TYPE               : 110  WIN32_OWN_PROCESS INTERACTIVE_PROCESS
            START_TYPE         : 3  DEMAND_START
            ERROR_CONTROL      : 1  NORMAL
            BINARY_PATH_NAME   : "C:\WINNT\AppPatch\app\openmange.exe" -service
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Dell OpenManage
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
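The three checks the text applies by hand (no description, absence from the post-install baseline, a binary that really belongs to another known service) written as a script, as an added example that is not code from the original article. The psservice-style text is constructed from the values shown above plus W3SVC as a control; the baseline snapshot is hypothetical, and its Eventlog, TermService, RpcSs and IISADMIN entries are assumed.

```python
"""Service triage for 'psservice config' / 'sc qc' style output.

Added example, not code from the article. Flags the signs the text relies on:
no service description, absence from the post-install baseline snapshot, a
binary that differs from the baseline, and a binary that belongs to a
different known service (the termsrv.exe trick seen above)."""
import re

# Constructed sample in the psservice config layout, using the values shown
# in the article plus one legitimate service (W3SVC) as a control.
SAMPLE_PSSERVICE = r"""
SERVICE_NAME: dcomsvc
DISPLAY_NAME: DCOM Services
(null)
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\dcomsvc.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Windows Event Logger
DISPLAY_NAME: Windows Event Logger
(null)
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\termsrv.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ccproxy
DISPLAY_NAME: Dell OpenManage
(null)
        TYPE               : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : "C:\WINNT\AppPatch\app\openmange.exe" -service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
Provides Web connectivity and administration through the IIS snap-in
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\inetsrv\inetinfo.exe
        SERVICE_START_NAME : LocalSystem
"""

# Hypothetical post-install snapshot: service key name -> expected binary.
# The Eventlog, TermService, RpcSs and IISADMIN entries are assumed.
BASELINE = {
    "W3SVC":       r"C:\WINNT\system32\inetsrv\inetinfo.exe",
    "IISADMIN":    r"C:\WINNT\system32\inetsrv\inetinfo.exe",
    "Eventlog":    r"C:\WINNT\system32\services.exe",
    "TermService": r"C:\WINNT\system32\termsrv.exe",
    "RpcSs":       r"C:\WINNT\system32\svchost.exe",
}


def normalise_binary(value):
    """Strip quoting and arguments, unify slashes and case so paths compare equal."""
    value = value.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    else:
        value = value.split(" ", 1)[0]
    return value.replace("/", "\\").lower()


def parse_psservice(text):
    """Split psservice/sc output into dicts: name, display, description, binary."""
    services = []
    for block in re.split(r"(?m)^SERVICE_NAME:\s*", text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        svc = {"name": lines[0], "display": "", "description": "", "binary": ""}
        for i, line in enumerate(lines):
            m = re.match(r"^([A-Z_]+)\s*:\s*(.*)$", line)
            if not m:
                continue
            key, value = m.groups()
            if key == "DISPLAY_NAME" and not svc["display"]:
                svc["display"] = value
                # The line after DISPLAY_NAME is the description, or "(null)".
                nxt = lines[i + 1] if i + 1 < len(lines) else ""
                if nxt != "(null)" and not re.match(r"^[A-Z_]+\s*:", nxt):
                    svc["description"] = nxt
            elif key == "BINARY_PATH_NAME":
                svc["binary"] = normalise_binary(value)
        services.append(svc)
    return services


def triage_services(text, baseline):
    """Return {service name: [reasons]} for every service that fails a check."""
    expected = {n.lower(): normalise_binary(p) for n, p in baseline.items()}
    # A binary is attributed to a baseline service only if exactly one service
    # uses it; shared hosts such as svchost.exe or inetinfo.exe are skipped.
    uses = {}
    for path in expected.values():
        uses[path] = uses.get(path, 0) + 1
    owner_of = {p: n for n, p in expected.items() if uses[p] == 1}

    findings = {}
    for svc in parse_psservice(text):
        key = svc["name"].lower()
        reasons = []
        if not svc["description"]:
            reasons.append("no service description")
        if key not in expected:
            reasons.append("not in post-install baseline")
        elif expected[key] != svc["binary"]:
            reasons.append("binary differs from baseline (%s)" % expected[key])
        owner = owner_of.get(svc["binary"])
        if owner and owner != key:
            reasons.append("binary belongs to baseline service %s" % owner)
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_PSSERVICE, BASELINE).items():
        print("%-22s %s" % (name, "; ".join(reasons)))
```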
Now the three services have shown the fox's tail. The first program, C:\Winnt\System32\dcomsvc.exe, turns out on analysis to be the SOCKS5 proxy server SkServer v1.0, which intruders often install as a springboard for attacking other machines. The second, C:\Winnt\System32\termsrv.exe, is actually the Terminal Services server of Windows 2000, but why is it registered under this name? The third is CCProxy 6.0, a multi-function application proxy server, which the administrator clearly did not install. Obviously the server has been compromised: there is a backdoor plus two proxy servers used as a springboard or for other illegal purposes. Is there anything else still undiscovered? To be continued...

Conclusions of this chapter:
1. This host has been compromised.
2. Backdoors installed on this host:
   C:\Winnt\System32\dcomsvc.exe (SkServer 1.0)
   C:\Winnt\System32\termsrv.exe (Terminal Server)
   C:\WINNT\AppPatch\app\openmange.exe (CCProxy 6.0)

Questions left open by this chapter:
1. Why was Terminal Server modified?
2. Which other backdoor channels may exist in the system now?
3. Why did querying the DCOMSVC service information fail?

What you have to do:
"What you have to do" means that at each stage there is work to be done under normal circumstances. In this section, the main task is to find abnormal conditions. When a Windows 2000 system may have been intruded, some abnormal conditions will appear; the system administrator needs to be alert enough to notice them and to quickly locate the cause when an abnormal event occurs. There are several kinds:
1. Process anomalies
2. Service anomalies
3. System resource anomalies
4. Account anomalies
5. Log anomalies
6. Network anomalies

Approach: for the situations above, there are some common and optional means of inspection.

1. Process check
Task Manager: the most commonly used process management tool in the Windows 2000 family. It has some shortcomings, though: it only runs under the graphical interface, and sometimes we can only work from the command line, as right now, when all I have is a 56K modem.
PS series tools: a series of command-line tools from Sysinternals; ps and pslist list all processes in the system from the command line. There is a similar command in the Windows 2000 Resource Kit, tlist. The most powerful feature of the PS series is that the tools can be executed not only locally but also remotely over an IPC$ connection's named pipe.
Windows Reskit tools: the Windows NT/2000 Resource Kit contains a range of very powerful tools such as tlist and ptree. ptree is a powerful tool that comes in both GUI and command-line versions; it lists the process tree and parent/child relationships in tree form, and it can also manage a remote server by connecting to it. The disadvantage: the ptree service must first be installed on the remote server.

2. Service check
Service Manager: similarly, Windows 2000 has a built-in service manager, which only runs under the graphical interface. It can be found under [Control Panel] -> [Administrative Tools] -> [Services], or opened from the command line with the shortcut "services.msc". It can view, stop and start services, and can modify some service parameters.
net.exe: net is a very powerful management command built into the Windows 2000 family, and it includes service management functions. net start is used to view and start services; net stop stops a service. net start without parameters lists all services currently running on the system. Its biggest shortcoming is that its service management is relatively simple: for example, it cannot show all services installed on the system, and it requires the administrator to be very familiar with Windows 2000's own services.
sc.exe: sc first appeared in the Windows NT Resource Kit as a more powerful service management tool, and it became a built-in command in Windows 2003. It can do almost every operation on Windows services:
Code
    sc query      query service status; without parameters, lists all services
    sc config     configure service parameters
    sc start      start a service
    sc stop       stop a service
    sc delete     delete a service
    sc create     create a service
It can also connect to and execute directly on a remote machine: use sc [hostname] [command] to connect to the remote host.
psservice: psservice.exe is one of the Sysinternals PS series commands; its functions are basically the same as sc's, and the specific differences are in its help.

4. Account anomalies
Computer Management: a system management tool built into Windows, where system user information can be viewed.
net.exe: the net user command manages system user accounts and passwords from the command line.
Code
    net user                          without parameters, lists all user accounts
    net user [username]               views a user's details
    net user [username] [password]    changes the user's password
    net user [username] /add          adds a user
    net user [username] /delete       deletes the user
    net user ... /domain              executes against the domain
Note: when unfamiliar usernames are found in the system, or a normal user's account password has been changed, the account may have been abused, and such incidents need attention.

5. Log anomalies: when the logs of the system's services (system logs, web logs, FTP logs, etc.) contain abnormal entries. Use the system command eventvwr.msc to open the log viewer; IIS logs are by default in the %systemroot%\system32\logfiles directory.

3/6. System resources and network: when CPU, memory, disk space or network bandwidth usage is abnormal, the system itself can be used to detect the reason.

Tips for this chapter:
1. sclist, a sister of pslist, lists all services just as simply as pslist lists processes.
2. When managing services with net start/stop, use "quotation marks" to enclose a service name that contains spaces.
3. Service names in Windows 2000 have two forms: the service (key) name, a short name, and the display name, a long name with spaces. In most cases both names work, and each has its drawbacks: the long name is readable but hard to type. The names can be queried with sc:
    sc getdisplayname    query the display name
    sc getkeyname        query the key name (short name)
When a long name containing spaces is used, the shell may not parse it correctly; enclose it in "" quotation marks.
4. Windows services have dependencies; for example, the RPC service is a prerequisite for many services. Stopping a service may have unpredictable consequences, so use the sc command to view the dependency relationship first:
    sc enumdepend [service name]    view service dependencies
or
    psservice depend [service name]
5. The ultimate service management tool is... the Registry Editor, regedit.exe. Every service in the system has a mapping in the registry database, and the corresponding parameters can be viewed and modified by editing the corresponding values. For example, the IIS WWW service:
Code
    C:\>reg query HKLM\SYSTEM\CurrentControlSet\Services\W3SVC
    Listing of [SYSTEM\CurrentControlSet\Services\W3SVC]
    REG_DWORD   Type             32
    REG_DWORD   Start            2
    REG_DWORD   ErrorControl     1
    EXPAND_SZ   ImagePath        C:\WINNT\system32\inetsrv\inetinfo.exe
    REG_SZ      DisplayName      World Wide Web Publishing Service
    MULTI_SZ    DependOnService  IISADMIN;
    MULTI_SZ    DependOnGroup
    REG_SZ      ObjectName       LocalSystem
    REG_SZ      Description
    [ASP]
    [Parameters]
    [Performance]
    [Security]
    [Enum]
... there is too much to say; see "Windows 2000 Service Management" for details.

Tracking: searching the crowd for him a thousand times

Scene: Elly has discovered several Trojans on this machine and is shocked: this Trojan is really something, not a sound, and the box has already been compromised. Let me think. Should I try to kill them, taking them one at a time? Elly takes a break, pours a cup of tea, gets the tools ready, and starts gathering information.

First, let's briefly go over the procedure of a system check. On a Windows system, the information that needs to be investigated is:

Process >> System processes >> System services >> User processes
Process information investigation mainly looks for abnormal information by viewing system driver modules, system processes, services and user processes.

Network >> Network ports >> Network connections >> Named pipes
Network information investigation covers abnormal network drivers, protocol filters, interface status, network connections, open ports, and named pipe information.

Account >> User accounts >> User passwords >> User profiles
Account checks mainly target the configuration of the system accounts and of the various application accounts.

Log >> System logs >> Application logs
Log checks cover the system log, the security log and the application logs.

System environment >> System startup items >> Registry startup items >> File information
System environment investigation covers system startup and the run-time environment: programs run at initialisation, key registry values, and file system information. File system investigation includes MAC (modify/access/create) time records, abnormal and hidden files, file system permissions, and stream (ADS) file checks.

Application >> Application configuration
This part mainly audits and analyses the configuration of the various applications.

Now let's look at the information we obtained on this machine (excerpts):

1. Processes
In the process check section we run multiple process check tools in turn and redirect their output to log files, making a copy of the current state of the system:
Code
    rem process.cmd
    rem The first command creates log\ps.log; later ones append with >> (a plain > would overwrite it).
    ps > log\ps.log
    sclist >> log\ps.log
    sclist -r >> log\ps.log
    psservice >> log\ps.log
    ptree >> log\ps.log
    kproccheck -d >> log\ps.log
    kproccheck -p >> log\ps.log

In this script, the programs we run are: ps lists all current processes; sclist lists all services; sclist -r lists only the services currently running; psservice lists the service details; ptree lists the current process tree (parent/child relationships); kproccheck -d lists all kernel modules; kproccheck -p lists all user processes. Two of the commands are special: ptree can list all process parent/child relationships, which helps our analysis of abnormal processes; kproccheck is a third-party tool that reads information more deeply from the kernel process table to uncover hidden information.

ptree output
Code
    [System Process] (0)
    System (8)
    Smss.exe (192)
    CSRSS.exe (216)
    Winlogon.exe (240)
    LSASS.EXE (280)
    Services.exe (268)
    AWHOST32.EXE (652)
    Dcevt32.exe (700)
    DCOMSVC.EXE (744)
    DCStor32.exe (756)
    Defwatch.exe (804)
    fsshd2.exe (1776)
    fsshd2srv.exe (2056)
    fssh2console.ex (2416)
    cmd.exe (2456)
    PTree.exe (2484)
    FSSHSFTPD.EXE (2432)
    inetinfo.exe (1196)
    llssrv.exe (856)
    msdtc.exe (488)
    msiexec.exe (2540)
    MStask.exe (976)
    Omaws32.exe (1052)
    Diagorb.exe (1732)
    Ptreesvc (2640)
    RTVSCAN.EXE (936)
    Servud~1.exe (1008)
    snmp.exe (1068)
    svchost.exe (1216)
    svchost.exe (1856)
    svchost.exe (1176)
    svchost.exe (436)
    Dllhost.exe (2576)
    Dllhost.exe (1804)
    Termsrv.exe (2128)
    Winmgmt.exe (1164)
    Explorer.exe (1832)
    AtipTaxx.EXE (1752)
    Bacstray.exe (2004)
    cmd.exe (2236)
    mmc.exe (2256)
    Msiexec.exe (1804) Terminated
    conime.exe (2120)
    Daemon.exe (2024)
    iexplore.exe (2496)
    IExplore.exe (2140)
    Flashget.exe (1888)
    INTERNAT.EXE (2040)
    MagentProc.exe (2064)
    servut~1.exe (2048)
    VPTRAY.EXE (2016)

pslist output
Code
    PsList v1.12 - Process Information Lister
    Copyright (C) 1999-2000 Mark Russinovich
    Systems Internals - http://www.sysinternals.com

    Process information for CJL-NMS:

    Name      Pid Pri Thd Hnd   Mem   User Time    Kernel Time  Elapsed Time
    ...
    dcomsvc   744   8   5 110  3872  0:0:38.343   211:18:04.703
    ...
    Termsrv  2128  10  38  65  3392  0:36:39.750  2:27:58.125  2:48:38.643
    ...
    [the remaining rows of the pslist table were garbled in extraction and are omitted]

kproccheck -p output
Code
    kProcCheck Version 0.1  Proof-of-Concept by Sig^2 (www.security.org.sg)
    Process List by Traversal of ActiveProcessLinks
    8 - System
    192 - Smss.exe
    220 - CSRSS.EXE
    240 - Winlogon.exe
    268 - Services.exe
    288 - LSAss.exe
    444 - Svchost.exe
    468 - Spoolsv.exe - [Hidden] -
    488 - MSDTC.EXE
    656 - AWHOST32.EXE
    704 - DCEVT32.EXE
    748 - DCOMSVC.EXE
    760 - DCSTOR32.EXE
    808 - DEFWATCH.EXE
    828 - SVCHOST.EXE
    840 - fsshd2.exe
    848 - fsshd2srv.exe
    880 - llssrv.exe
    960 - rtvscan.exe
    996 - ptreesvc.exe
    1016 - MStask.exe
    1052 - servud~1.EXE
    1104 - OMAWS32.EXE
    1116 - SNMP.EXE
    1136 - SYINFO.EXE - [Hidden] -
    1172 - Termsrv.exe
    1208 - Winmgmt.exe
    1232 - Svchost.exe
    1252 - inetinfo.exe
    1744 - daemon.exe
    1788 - VPTRAY.exe
    1800 - Bacstray.exe
    1824 - AtipTaxX.exe
    1832 - Diagorb.exe
    1920 - Svchost.exe
    1996 - Explorer.exe
    2000 - KPROCCHECK.EXE
    2044 - INTERNAT.EXE
    2052 - Servut~1.exe
    2060 - MagentProc.exe
    2096 - FSSH2CONSOLE.EX
    2108 - cmd.exe
    2116 - fsshsftpd.exe
    Total number of processes = 44

In ptree and pslist we saw these two abnormal processes:
Code
    DCOMSVC.EXE (744)
    Termsrv.exe (2128)
That is, the SkServer and the backdoor we discovered in the first section; then we find two hidden processes in kproccheck:
Code
    468 - Spoolsv.exe - [Hidden] -
    1136 - SYINFO.EXE - [Hidden] -
And these two processes cannot be seen in pslist at all! Clearly there is something in this system besides the Terminal Server backdoor! Let's look at what they have done. A backdoor (Trojan, Troy), whatever it is called, has the ultimate goal of gaining control of the host and creating an unexpected way in. So as long as there is a motive, the roots can be found, and we start analysing the two backdoors from their means of access.

2. Network
For an intruder to use a backdoor, it must be connected to over the network, and whether it is SkServer or termsrv, something must connect to it. We run this script to check the network status:
Code
    rem network.cmd
    netstat -na > log\netstat.log
    fport > log\fport.log
    promiscdetect > promisc.log
    pipelist > pipelist.log
A word on the tools used here. netstat is a command built into Windows; the -na parameters list all TCP/UDP connections and listening sockets. fport is a very useful third-party tool that lists all open ports together with the processes that opened them. PromiscDetect is a third-party tool that detects the status of the network interfaces, that is, whether a sniffer-class program is running. pipelist is a tool from the Windows Reskit that lists all named pipes in the system, to check whether a backdoor is attached to a Windows pipe.

fport output
Code
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid   Process            Port   Proto  Path
    1008  Servud~1       ->  21     TCP    C:\PROGRA~1\SERV-U\SERVUD~1.EXE
    1776  fsshd2         ->  22     TCP    C:\Program Files\F-Secure\ssh server\fsshd2.exe
    2056  fsshd2srv      ->  22     TCP    C:\Program Files\F-Secure\ssh server\fsshd2srv.exe
    436   svchost        ->  135    TCP    C:\WINNT\system32\svchost.exe
    2064  magentproc     ->  443    TCP    C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
    8     System         ->  445    TCP
    488   msdtc          ->  1025   TCP    C:\WINNT\System32\msdtc.exe
    976   mstask         ->  1029   TCP    C:\WINNT\System32\mstask.exe
    1196  inetinfo       ->  1030   TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
    1052  omaws32        ->  1031   TCP    C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
    1732  diagorb        ->  1032   TCP    C:\PROGRA~1\dell\openma~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
    1732  diagorb        ->  1033   TCP    C:\PROGRA~1\dell\openma~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
    1732  diagorb        ->  1034   TCP    C:\PROGRA~1\dell\openma~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
    1052  omaws32        ->  1035   TCP    C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
    8     System         ->  1036   TCP
    1052  omaws32        ->  1311   TCP    C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
    1176  svchost        ->  1407   TCP    C:\WINNT\system32\svchost.exe
    1176  svchost        ->  1409   TCP    C:\WINNT\system32\svchost.exe
    8     System         ->  1421   TCP
    488   msdtc          ->  3372   TCP    C:\WINNT\System32\msdtc.exe
    2064  magentproc     ->  5001   TCP    C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
    2064  magentproc     ->  5002   TCP    C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
    2064  magentproc     ->  5003   TCP    C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
    652   awhost32       ->  5631   TCP    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    1052  omaws32        ->  8000   TCP    C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
    1196  inetinfo       ->  8222   TCP    C:\WINNT\system32\inetsrv\inetinfo.exe
    1196  inetinfo       ->  8333   TCP    C:\WINNT\System32\inetsrv\inetinfo.exe
    1008  Servud~1       ->  43958  TCP    C:\PROGRA~1\SERV-U\SERVUD~1.EXE
    2064  magentproc     ->  50500  TCP    C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
    2064  magentproc     ->  54345  TCP    C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
    1068  snmp           ->  161    UDP    C:\WINNT\System32\snmp.exe
    8     System         ->  445    UDP
    280   lsass          ->  500    UDP    C:\WINNT\system32\lsass.exe
    2140  iexplore       ->  1367   UDP    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    1888  flashget       ->  1399   UDP    C:\Program Files\FlashGet\flashget.exe
    1196  inetinfo       ->  3456   UDP    C:\WINNT\System32\inetsrv\inetinfo.exe
    652   awhost32       ->  5632   UDP    C:\Program Files\Symantec\pcAnywhere\awhost32.exe

PromiscDetect output
Code
    PromiscDetect 1.0 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
    - http://ntsecurity.nu/toolbox/promiscdetect/

    Adapter name:
     - Broadcom NetXtreme Gigabit Ethernet

    Active filter for the adapter:
     - Directed (capture packets directed to this computer)
     - Multicast (capture multicast packets for groups the computer is a member of)
     - Broadcast (capture broadcast packets)
     - Promiscuous (capture all packets on the network)

    WARNING: Since this adapter is in promiscuous mode there could be a sniffer
    running on this computer!

    Adapter name:
     - Broadcom NetXtreme Gigabit Ethernet

    Active filter for the adapter:
     - Directed (capture packets directed to this computer)
     - Multicast (capture multicast packets for groups the computer is a member of)
     - Broadcast (capture broadcast packets)

pipelist output
Code
    PipeList v1.01
    by Mark Russinovich
    http://www.sysinternals.com

    Pipe Name                          Instances  Max Instances
    ---------                          ---------  -------------
    InitShutdown                           2          -1
    lsass                                  3          -1
    ntsvcs                                58          -1
    scerpc                                 2          -1
    net\NtControlPipe1                     1           1
    sshpipe.000006F0.00000006              1           1
    sshpipe.000006F0.00000007              1           1
    sshconsolepipe.00000808.00000000       1           1
    sshpipe.00000808.00000000              1           1
    sshpipe.00000808.00000001              1           1
    sshpipe.00000808.00000002              1           1
The results came quickly, but here we also discovered the most frightening thing: we did not see DCOMSVC.EXE (744) or Termsrv.exe (2128) listening on any network port! Combined with the two hidden system processes from the previous section, we can conclude that a deeper backdoor is currently hidden in this system. Then we did a small test to see whether Terminal Server really has no listening port: use the Terminal Services client to connect to the host's port 3389, the port the terminal service normally listens on. It failed. But I don't believe it is really well-behaved; after all, that is only the routine situation, and right now this program exists as a backdoor planted by the intruder. In addition, in the PromiscDetect output we can see that the status of the first network card is Promiscuous, which means the network interface is currently in promiscuous mode. Promiscuous mode only exists when a sniffer program is running on the system, and there is currently no visible network analysis program on the system; that leaves only one possibility: the intruder has also installed a sniffer to eavesdrop on the user passwords transmitted over the network! BTW: FTP is running on this host, so those users' passwords are at risk. There was one more abnormal event: when I logged in to the system with pcAnywhere, pcAnywhere prompted that the encryption of the current connection was set to None! That was obviously not the system administrator's doing...

3. System environment check
Next we do the system environment check, mainly a manual check of several system startup locations: the places where Windows automatically runs and loads programs at startup, including several registry keys and the "Startup" program group. No abnormal programs were found.
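The two cross-checks of this chapter combined, the pslist/kproccheck comparison from section 1 and the fport correlation just described, as an added example that is not code from the original article. The three listings are constructed excerpts in the real tools' layout (names and PIDs from the article, timing columns made up), and the suspect names are passed in from the service check.

```python
"""Cross-check of the three listings collected in this chapter.

Added example, not code from the article. It compares a user-mode process
list (pslist), a kernel-side walk of ActiveProcessLinks (kproccheck -p) and
the port-to-process map (fport). Processes are matched by image name, not
PID, because the tools were run at different times."""
import re

# Constructed excerpts in the layout of the real tools, using names and PIDs
# that appear in the article; the timing columns are made up.
PSLIST_SAMPLE = """\
Name        Pid Pri Thd Hnd   Mem   User Time    Kernel Time  Elapsed Time
System        8   8  52 159   300  0:00:45.000  4:45:45.921  211:18:24.375
svchost     436   8  12 349  5672  0:01:08.687  0:08:35.265  211:18:15.671
dcomsvc     744   8   5 110  3872  0:00:00.000  0:00:38.343  211:18:04.703
inetinfo   1196   8  34 514  8904  0:02:42.968  0:28:02.812  211:17:54.609
Termsrv    2128  10  38  65  3392  0:36:39.750  2:27:58.125    2:48:38.643
"""

KPROCCHECK_SAMPLE = """\
kProcCheck Version 0.1  Proof-of-Concept by Sig^2 (www.security.org.sg)
Process List by Traversal of ActiveProcessLinks
8 - System
436 - svchost.exe
468 - Spoolsv.exe - [Hidden] -
744 - DCOMSVC.EXE
1136 - SYINFO.EXE - [Hidden] -
1196 - inetinfo.exe
2128 - Termsrv.exe
"""

FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
Pid   Process            Port  Proto Path
436   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
1196  inetinfo       ->  8222  TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
8     System         ->  445   TCP
"""


def _norm(name):
    """Lower-case and drop the .exe suffix so 'DCOMSVC.EXE' and 'dcomsvc' match."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_pslist(text):
    """Set of image names from pslist output (name in column 1, PID in column 2)."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            names.add(_norm(parts[0]))
    return names


def parse_kproccheck(text):
    """{image name: hidden flag} from kproccheck's '<pid> - <image> [- [Hidden] -]' lines."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+-\s+(\S+)(.*)$", line)
        if m:
            procs[_norm(m.group(2))] = "[Hidden]" in m.group(3)
    return procs


def parse_fport(text):
    """[(pid, name, port, proto, path)] from fport's '<pid> <name> -> <port> <proto> <path>' lines."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$", line)
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append((int(pid), _norm(name), int(port), proto, path.strip()))
    return rows


def cross_check(pslist_text, kproccheck_text, fport_text, suspects):
    """Return hidden processes, suspects that own no socket, and the suspects' ports."""
    visible = parse_pslist(pslist_text)
    kernel = parse_kproccheck(kproccheck_text)
    rows = parse_fport(fport_text)
    # 1. In the kernel walk but missing from the user-mode list, or flagged by
    #    kproccheck itself: a process hidden from Win32 enumeration.
    hidden = {n for n, flagged in kernel.items() if flagged or n not in visible}
    # 2. Suspects that are running yet own no TCP/UDP socket: the backdoor is
    #    reached some other way (the article looks at named pipes and hidden processes).
    wanted = {_norm(s) for s in suspects}
    with_ports = {name for _, name, _, _, _ in rows}
    silent = (wanted & visible) - with_ports
    # 3. Whatever the suspects do expose.
    suspect_ports = {}
    for _, name, port, proto, _ in rows:
        if name in wanted:
            suspect_ports.setdefault(name, []).append((port, proto))
    return {"hidden": hidden, "silent_suspects": silent, "suspect_ports": suspect_ports}


if __name__ == "__main__":
    report = cross_check(PSLIST_SAMPLE, KPROCCHECK_SAMPLE, FPORT_SAMPLE,
                         ["DCOMSVC.EXE", "Termsrv.exe"])
    for key, value in report.items():
        print("%-16s %s" % (key, sorted(value) if isinstance(value, set) else value))
```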
Tips: you can use the MSConfig program to view the items loaded at system startup, or use the Registry Editor to view keys such as [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and check the related values; of course there are still many other places in the registry where a program can be made to load, which I will not go into here. During the registry check I specifically looked at this one:
Code
============================================================
C:\Winnt\cmd> reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"

REG_DWORD    PortNumber    4652
============================================================
This key specifies the port number the Terminal Server service listens on, and haha, the fox's tail shows: the back-door Terminal Server service on this machine was changed to TCP 4652 instead of the normal TCP 3389, so of course the connection could not succeed! Change the port in the Terminal Services client and connect: success! Logged in, and away with that rubbish pcAnywhere; the terminal service really is a lot faster. Digressing a bit: over a 56k modem connection the pcAnywhere window can only refresh piece by piece, with each action taking more than 5 seconds to respond, while the terminal service in 256-colour mode is still acceptable and at least echoes and responds to my operations immediately. Trading the bird gun for a rifle reminds me of the Red Army grandfathers in the war against Japan: no guns, no cannons, the devils make them for us! And today ... the hackers make them for us? Five seconds of silence, and we continue.

Analyzing the file system

Since we already know a sniffer is running in the current system, and we also suspect there may be a keylogger, and both kinds of program need to write log files continuously, let's look at the newest files in the system. The system command DIR /S /O:D /T:C [directory] lists all files in the directory sorted by creation time; with the /T:W parameter you can sort by last-write (modification) time instead.
Let's first look at the recently modified files:
Code
============================================================
C:\WinNT\System32> DIR /S /O:D /T:W
 Volume in drive C is Dell Server
 Volume Serial Number is B4C7-DFC5

 Directory of C:\Winnt\System32

1996-10-15  09:53            78,848 inliner.dll
1998-03-20  18:14             1,927 axctrnm.h
1998-06-19  21:31               344 pintlpad.cnt
1998-09-16  19:08             5,523 nntpctrs.h
1998-11-05  13:21           154,487 pintlpad.hlp
1999-02-26  19:30               773 ntfsdrct.h
1999-02-28  02:31            69,120 msdbg.dll
1999-02-28  02:32           183,574 pdm.dll
... ...
2004-03-31  12:02            16,384 PerfLib_Perfdata_414.dat
2004-04-02  16:24            16,384 PerfLib_Perfdata_41c.dat
* 2004-04-07  11:52            55,296 List.gif
* 2004-04-07  11:53            45,056 Finder.gif
* 2004-04-07  11:53            28,160 nlog.gif
* 2004-04-07  11:53            77,824 kill.gif
* 2004-04-07  11:53           131,072 info.gif
* 2004-04-07  11:53            14,747 TINJECT.DLL
* 2004-04-07  11:53            69,632 spinfo.dll
* 2004-04-07  11:57             8,464 sporder.dll
* 2004-04-07  11:57                49 mslsp.dat
* 2004-04-07  12:01            16,384 PerfLib_Perfdata_450.dat
* 2004-04-07  12:06            62,048 perfc009.dat
* 2004-04-07  12:06           376,760 perfh009.dat
* 2004-04-07  12:11            20,480 DCOMSVC.EXE
* 2004-04-07  12:11                93 nt.bat
2004-04-13  17:05            16,384 PerfLib_Perfdata_45c.dat
... ...
2005-02-10  03:00    <DIR>          drivers
* 2005-02-10  03:03               405 svclog.log
2005-02-10  03:04
============================================================
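Listings like the one above can be turned into a timeline automatically. The following Python script is an added example, not the author's tooling: it parses DIR /S /O:D /T:C output, groups entries by creation date, flags the day whose burst of new files stands out against the volume's history, and brackets the first and last creation time on that day. The embedded listing is constructed from the file names in this write-up, not a capture from the server.

```python
"""Creation-time timeline from DIR /S /O:D /T:C output (added example): group
entries by creation date, flag the day whose burst of new files stands out
against the volume's history, and bracket the first/last time on that day."""
import re
from collections import Counter
from datetime import datetime

# One entry line: "2004-04-07  11:52            55,296 List.gif" (or <DIR>).
LINE_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
DIR_HEADER_RE = re.compile(r"^\s*Directory of\s+(.+?)\s*$", re.IGNORECASE)

# Constructed from the file names in this write-up; not a capture from the host.
SAMPLE_LISTING = """\
 Volume in drive C is Dell Server
 Volume Serial Number is B4C7-DFC5

 Directory of C:\\Winnt\\System32

1996-10-15  09:53            78,848 inliner.dll
1999-02-28  02:32           183,574 pdm.dll
2004-03-31  12:02            16,384 PerfLib_Perfdata_414.dat
2004-04-07  11:52            55,296 List.gif
2004-04-07  11:53            45,056 Finder.gif
2004-04-07  11:53            28,160 nlog.gif
2004-04-07  11:53            77,824 kill.gif
2004-04-07  11:53           131,072 info.gif
2004-04-07  11:53            14,747 TINJECT.DLL
2004-04-07  11:53            69,632 spinfo.dll
2004-04-07  11:57             8,464 sporder.dll
2004-04-07  11:57                49 mslsp.dat
2004-04-07  12:11            20,480 DCOMSVC.EXE
2004-04-07  12:11                93 nt.bat
2004-04-13  17:05            16,384 PerfLib_Perfdata_45c.dat
2005-02-10  03:00    <DIR>          drivers
2005-02-10  03:03               405 svclog.log
"""


def parse_dir_listing(text):
    """Return one record per file or directory entry, in listing order."""
    records, current_dir = [], ""
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group(1)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # volume banner, blank lines, "n File(s)" totals
        date_s, time_s, size_s, name = m.groups()
        if name in (".", ".."):
            continue
        is_dir = size_s == "<DIR>"
        records.append({
            "path": f"{current_dir}\\{name}" if current_dir else name,
            "name": name,
            "created": datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M"),
            "size": None if is_dir else int(size_s.replace(",", "")),
            "is_dir": is_dir,
        })
    return records


def files_created_on(records, day):
    """Entries created on the ISO date `day`, oldest first."""
    return sorted((r for r in records if r["created"].date().isoformat() == day),
                  key=lambda r: r["created"])


def creation_bursts(records, factor=5, min_files=5):
    """ISO dates on which far more entries were created than on the volume's
    typical active day (median per-day count), so years of sparse OS updates
    do not mask a one-hour tool drop."""
    per_day = Counter(r["created"].date().isoformat() for r in records)
    if not per_day:
        return []
    counts = sorted(per_day.values())
    threshold = max(min_files, factor * counts[len(counts) // 2])
    return sorted(day for day, n in per_day.items() if n >= threshold)


def intrusion_window(records, day):
    """(first, last) creation time on `day` as HH:MM, or None if nothing was created."""
    created = files_created_on(records, day)
    if not created:
        return None
    return created[0]["created"].strftime("%H:%M"), created[-1]["created"].strftime("%H:%M")


if __name__ == "__main__":
    recs = parse_dir_listing(SAMPLE_LISTING)
    for day in creation_bursts(recs):
        print(day, intrusion_window(recs, day))
        for r in files_created_on(recs, day):
            print(f"  {r['created']:%H:%M}  {r['path']}")
```

The same parser works on /T:W output, which then gives a modification timeline instead of a creation timeline.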
The newest file is a log. Its contents:
Code
============================================================
C:\Winnt\System32> type svclog.log
Performing time: 2/19/2005 3:11:0 -> Start OK
Performing time: 2/19/2005 3:11:0 -> The system is online
Performing time: 2/19/2005 3:11:0 -> Read setting OK
Performing time: 2/19/2005 3:11:0 -> InitBackDoor() OK
Performing time: 2/19/2005 3:11:0 -> InitSocket() OK
Performing time: 2/19/2005 3:11:0 -> Probably static IP
Performing time: 2/19/2005 3:11:0 -> Start sniffing on 61.***.***.***
Performing time: 2/19/2005 3:19:35 -> The service is stopping
Performing time: 2/19/2005 3:19:36 -> The service is stopped success
============================================================
呔! There it is. Following the trail, we look at the creation time of this file: April 7, 2004? Looking at the other files, they are from that same day too, including the DCOMSVC.exe we found at the beginning. Let's look at another file left behind on April 7, 2004: nt.bat
Code
============================================================
C:\Winnt\System32> type nt.bat
dcomsvc -install
dcomsvc -config port 1432
dcomsvc -config startType 2
net start dcomsvc
============================================================
This is the script that originally installed and started DCOMSVC (actually skserver), and it also reveals its listening port, TCP 1432. A test connection succeeds, but like termsrv it is not visible in the port listing. Let's summarize all the files created that day:
Code
============================================================
C:\WinNT\System32> DIR /S /O:D /T:C | findstr 2004-04-07
2004-04-07  11:52            55,296 List.gif
2004-04-07  11:52            45,056 Finder.gif
2004-04-07  11:53            28,160 nlog.gif
2004-04-07  11:53            77,824 kill.gif
2004-04-07  11:53           131,072 info.gif
2004-04-07  11:53            76,288 svchostdll.dll
2004-04-07  11:53            62,464 sysinfo.dll
2004-04-07  11:53            14,747 reginfo.exe
2004-04-07  11:53            69,632 spinfo.dll
2004-04-07  11:54               944 ms29.ini
2004-04-07  11:55            14,747 TINJECT.DLL
2004-04-07  11:55               412 svclog.log
2004-04-07  11:57             8,464 sporder.dll
2004-04-07  11:57                49 mslsp.dat
2004-04-07  12:01            16,384 PerfLib_Perfdata_450.dat
2004-04-07  12:11                93 nt.bat
============================================================

4. User accounts

The simplest and most direct way for hackers to leave a back door is to add a user account. We can view the system's user accounts through [Control Panel] -> [Administrative Tools] -> [Computer Management], or, as below, view the user properties directly with the NET USER command-line tool. Net user output:
Code
============================================================
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2003/10/30 04:20 PM
Password expires             Never
Password changeable          2003/10/30 04:20 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2005/2/20 10:01

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
============================================================
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2004/4/7 11:52
Password expires             Never
Password changeable          2004/4/7 11:52
Password required            No
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Guests
Global Group memberships     *None
The command completed successfully.
============================================================
User name                    Monitor
Full Name                    Monitor
Comment                      Special account for Remote Performance Monitor users
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2004/6/1 04:32
Password expires             Never
Password changeable          2004/6/1 04:32
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
============================================================
User name                    TsInternetUser
Full Name                    TsInternetUser
Comment                      This user account is used by Terminal Services.
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2005/2/18 03:03 AM
Password expires             Never
Password changeable          2005/2/18 03:03 AM
Password required            No
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.
============================================================
Here we list the four more important users, whose data is closely related to this intrusion. The most important information among the user accounts concerns the Guest account:
Code
============================================================
* User name                    Guest
  Comment                      Built-in account for guest access to the computer/domain
* Account active               Yes
  Account expires              Never
* Password last set            2004/4/7 11:52 AM
  Password expires             Never
* Password changeable          2004/4/7 11:52 AM
  Password required            No
  User may change password     No
* Last logon                   Never
  Logon hours allowed          All
* Local Group Memberships      *Administrators       *Guests
============================================================
Note: the lines marked * leak important information. By default the Guest account is a member of the Guests group only and cannot be used to log on to the system. The Guest on this machine has been added to the Administrators group, which makes it equivalent to the system's super user, Administrator! Look at its activation time: the password was last changed at 11:52 AM on 2004/4/7, almost exactly the time the system was compromised. Combined with the MAC-time analysis of the file system, this confirms the exact time of the intrusion. So how are the other accounts related to the intrusion?
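The Guest findings above can be turned into an automatic check. The following Python script is an added example, not part of the original write-up: it parses English-language `net user <name>` output for several accounts and reports an enabled built-in Guest, unexpected members of Administrators, accounts that need no password, and passwords last set on the intrusion day. The sample output is constructed to mirror three of the four accounts above and is abridged to the labels the checks use.

```python
"""Audit NET USER output for back-door accounts (added example): flags an
enabled built-in Guest, unexpected Administrators members, accounts that need
no password, and passwords last set on the intrusion day."""
import re
from datetime import date, datetime

# Constructed to mirror three of the four accounts in this write-up, abridged
# to the labels the checks use (the real command prints every label).
SAMPLE_NET_USER = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never
Password last set            4/7/2004 11:52 AM
Password required            No
User may change password     No
Last logon                   Never
Local Group Memberships      *Administrators       *Guests
Global Group memberships     *None
The command completed successfully.

User name                    Monitor
Comment                      Special account for Remote Performance Monitor users
Account active               Yes
Password last set            6/1/2004 4:32 AM
Password required            Yes
Last logon                   Never
Local Group Memberships      *Administrators
The command completed successfully.

User name                    TsInternetUser
Comment                      This user account is used by Terminal Services.
Account active               Yes
Password last set            2/18/2005 3:03 AM
Password required            No
Last logon                   Never
Local Group Memberships      *Guests
The command completed successfully.
"""

END_MARK = "The command completed successfully."


def parse_net_user(text):
    """Split concatenated NET USER output into one {label: value} dict per account."""
    accounts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(END_MARK):
            if current:
                accounts.append(current)
            current = {}
            continue
        # Label and value are separated by two or more spaces; a label with an
        # empty value (e.g. "Full Name") stands alone on its line.
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        current[parts[0]] = parts[1] if len(parts) > 1 else ""
    if current:
        accounts.append(current)
    return accounts


def parse_net_date(value):
    """NET USER prints US-style dates such as '4/7/2004 11:52 AM'; None if unset."""
    try:
        return datetime.strptime(value.strip(), "%m/%d/%Y %I:%M %p")
    except ValueError:
        return None


def audit_account(account, intrusion_day, expected_admins=("Administrator",)):
    """Return (user name, findings) for one parsed account."""
    name = account.get("User name", "?")
    active = account.get("Account active", "").lower() == "yes"
    # "*Administrators       *Guests" -> ["Administrators", "Guests"]
    groups = account.get("Local Group Memberships", "").replace("*", " ").split()
    findings = []
    if name.lower() == "guest" and active:
        findings.append("built-in Guest account is enabled")
    if "Administrators" in groups and name not in expected_admins:
        findings.append("member of local Administrators")
    if active and account.get("Password required", "").lower() == "no":
        findings.append("no password required")
    set_on = parse_net_date(account.get("Password last set", ""))
    if set_on is not None and set_on.date() == intrusion_day:
        findings.append(f"password last set on intrusion day at {set_on:%H:%M}")
    return name, findings


def audit_all(text, intrusion_day_iso):
    """Map user name -> findings for every account with at least one finding."""
    day = date.fromisoformat(intrusion_day_iso)
    results = {}
    for account in parse_net_user(text):
        name, findings = audit_account(account, day)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for user, issues in audit_all(SAMPLE_NET_USER, "2004-04-07").items():
        print(f"{user}: {'; '.join(issues)}")
```

Feed it `net user Guest & net user Monitor & ...` output captured from a live host to get the same report; the intrusion day comes from the file-system timeline.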
Cracking the local account passwords gives:
Code
============================================================
USERNAME          LANMAN_PASSWORD    PASSWORD
__vmware_user__   *empty*            *empty*
Administrator
Guest             *empty*            *empty*
monitor           123456             123456
IUSR_CXL
IWAM_CXL
TsInternetUser
============================================================
More information appears here: the passwords of __vmware_user__ and Guest are empty! And Guest has administrator privileges and can log on to this machine from anywhere. In addition there is a Monitor user on the system with the password 123456; obviously this password is extremely unsafe and cracks in a second. Although this is an extra user created by the system administrator, it has the same privileges, and I believe it was not hard for the intruder to obtain this password. Finally, the Administrator user: its password is 12 characters long, which should be safe enough, but once someone else can get into the machine there is no privacy left from the intruder. Look at one of the hacker's tools below, C:\Winnt\System32\Finder.gif:
Code
============================================================
C:\> Finder.exe
To find password in the Winlogon process
Usage: a.exe DomainName UserName Pid-of-Winlogon
The debug privilege has been added to PasswordReminder.
The WinLogon process id is 216 (0x000000d8).
To find CXL/Administrator password in process 216 ...
The encoded password is found at 0x010f0800 and has a length of 12.
The logon information is: CXL/Administrator/@rigen2000x#.
The hash byte is: 0x7e.
============================================================
Windows 2000 has a feature that keeps the currently logged-on user's password in the memory of the Winlogon process, and Finder is a hacking tool that recovers the current logon password from that Winlogon cache.

5. Logs, network and other

In this part a lot of other forensic work was actually done, using EventDMP and event-log analysis and backups of the system log information. However, since the system's application services are basically normal, and as for the event log, Windows 2000 does not record the security log by default and the information the other logs can provide is too little, I have skipped these parts. In addition, nothing abnormal was found among the pipes in the Pipelist output, so that part is skipped as well.

Conclusions of this chapter:
1. This host has been compromised;
2. The following back doors have been installed on this host:
   c:\winnt\system32\dcomsvc.exe (skserver 1.0)
   c:\winnt\system32\termsrv.exe (Terminal Server)
   c:\winnt\AppPatch\app\openMange.exe (ccProxy 6.0)
3. Hidden back doors were discovered: 468 - spoolsv.exe - [Hidden]; 1136 - SYINFO.EXE - [Hidden];
4. A sniffer is running on the system, possibly used to eavesdrop on passwords;
5. The Guest account is activated, has an empty password and has been added to the Administrators group; the __vmware_user__ account's password is empty; the Monitor and Administrator passwords have leaked;
6. pcAnywhere's connection encryption is set to None;
7. It is confirmed that the terminal service port was changed to serve as a back door, working on TCP 4652; skserver works on TCP 1432. At the same time these processes and ports are hidden, which means there is a deeper back door in the system;
8. The system was most likely compromised on April 7, 2004, around 12:00 noon.

Questions left by this chapter: although some problems were found in this chapter by conventional system administration means, some hidden "locusts" remain. Where are they hiding?
1. Can a terminal go invisible?
2. Catch the ninja!

What you need to do: this chapter mainly performs the initial analysis of the abnormal situation. By analysing the information in the system, find the traces the intruder left and where they hide. This process may be simple, and a simple tool such as FPort may be enough to clear it up; or it may be very complicated, and then welcome: you are about to enter a black hole leading to a much broader region ... What you need to do in this chapter is to use more tools to collect more information about the current state of the system, as quickly, comprehensively, thoroughly and redundantly as possible. The specific aspects and steps are the six described in this chapter and are not repeated here.

The correct approach: in real emergency response, forensics and analysis, the steps need to be more rigorous, not as quick and casual as in this chapter. The correct procedure should start from the discovery of the problem. When a system is found to have been compromised, the analysis steps should be:
1. Decide on a handling policy according to the situation and the system: catch, or block?
1.1 If blocking, then simply unplug the network cable and continue with step 2;
1.2 If catching ... jump straight to step 2 in this article's normal order and on to the subsequent steps.
2. Quickly establish an image of the system's current state, mainly a disk image, a memory image and a collection of the current system information. The collection of system information is as described in this chapter, but you need to prepare your own emergency kit, including tools for collecting and analysing system information. It is best to automate it with scripts and store the results directly on a remote computer. This ensures the correctness and integrity of the information and the purity and stability of the system image. Remember this: the purity and stability of the scene is the most important point.

TIPS: in order not to be affected by the system's intruders, Elly in this case installed an SSH server (for both bandwidth and security reasons) and then uploaded a toolkit for checking system information.

The next step is a complete and clean image backup of the system disk and, depending on what is possible in the environment, of the memory. dd under UNIX is the best choice, but under Windows it is quite possible that your system cannot be restarted or taken offline; in that case I personally recommend a good tool, Acronis True Image. Although it cannot guarantee a completely pure image (it may not comply with judicial forensic procedures), for general situations it is a good choice on a live Windows platform. Its main features: it supports online imaging (while the Windows machine is running), remote imaging, and mounting image files directly as virtual hard drives. These three points make it, in my view, an irreplaceable choice. BTW: in this example Elly only has a 56K modem, so he was lazy and analysed directly on the host, which does not meet the principle of maximum safety; don't learn from me, lazy.

3. Mount your backup image read-only, and perform the analysis and forensic operations on it.
If it is a True Image image, it can be mounted directly as a virtual disk; if it is a dd image, you may need to restore it to a physical disk, or rebuild the virtual scene in a VMware virtual machine, or, when you do not need to run programs, use the loopback file-system feature of the various UNIXes to mount it as a virtual file system.
4. In-depth analysis: see the next chapter.

TIPS for this chapter:
1. Try to analyse offline. In order not to destroy the current state of the system and not to alert the intruder, take a static offline image of the system and then operate on the copy; preserving the scene is the most important thing.
2. Of all the martial arts under heaven, none is unbreakable; only speed cannot be broken. In intrusion analysis and forensics, knowledge of the system and reaction speed matter most. The faster you can collect more information, the greater your grasp on victory; in the war with hackers it is often the difference between success and failure. Therefore it is best to have the handling procedures prepared in advance, and to use scripts for collection and analysis to speed up manual analysis and shorten the response time.
3. MAC times are important evidence in file-system analysis; the name stands for M (last modification time), A (last access time) and C (creation time). Each carries an important hidden meaning; reasonable use of MAC information, combined with other evidence such as system logs and good reasoning, can produce a flow chart of the hacker's behaviour! However, MAC information is very fragile and vulnerable, and it is not impossible to fake, so disturb the system as little as possible to preserve the MAC evidence, and mount read-only when working on a copy, because A (last access time) may change as soon as a file is read; a read-only mount avoids this problem. Once again, preserve the scene: you only get one chance.
####################################################################################################
难觅 (Hard to find): looking back suddenly ...
prelude:
Elly finally looked up at the faint light, holding the sword in his hands, the "Ice" that Cuiste gave him, which quietly settled his heart. Elly turned back to face the darkness, gathered his spirit, and with a leopard's fierce resolve stepped into the unlocked, dark, bottomless cave. On this side of the world, watching the black terminal window on the screen, the flickering green letters arranged into riddles, Elly smiled slightly and typed, unhurried: rkdetector.exe

rkdetector output:
Code
============================================================
C:\WinNT\System32> rkdetector.exe
.. ...: Rootkit Detector Professional 2004 v0.62 :... ..
Rootkit Detector Professional 2004
Programmed by Andres Tarasco Acuna
Copyright (c) 2004 - 3wdesign Security
URL: http://www.3wdesign.es
-Gathering Service list Information... (Found: 48 Process)
-Searching for Hidden Process Handles (Found: 0 Hidden Process)
-Checking Visible Process ..............
  c:\winnt\system32\smss.exe
  c:\winnt\system32\csrss.exe
  c:\winnt\system32\winlogon.exe
  c:\winnt\system32\services.exe
  c:\winnt\system32\lsass.exe
  c:\winnt\system32\svchost.exe
  c:\winnt\system32\msdtc.exe
  c:\program files\symantec\pcanywhere\awhost32.exe
  c:\program files\dell\openmanage\omsa\bin\dcevt32.exe
  c:\winnt\system32\dcomsvc.exe
  c:\program files\dell\openmanage\omsa\bin\dcstor32.exe
  c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
  c:\winnt\system32\svchost.exe
  c:\winnt\system32\llssrv.exe
  c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
  c:\winnt\system32\mstask.exe
  c:\progra~1\serv-u\servud~1.exe
  c:\program files\dell\openmanage\iws\bin\win32\omaws32.exe
  c:\winnt\system32\snmp.exe
  c:\winnt\system32\termsrv.exe
  c:\winnt\system32\wbem\winmgmt.exe
  c:\winnt\system32\svchost.exe
  c:\winnt\system32\inetsrv\inetinfo.exe
  c:\winnt\system32\svchost.exe
  c:\progra~1\dell\openma~1\oldiags\ndor\pcdoctor\bin\diagorb.exe
  c:\winnt\system32\atiptaxx.exe
  c:\program files\f-secure\ssh server\fsshd2.exe
  c:\winnt\cmd\explorector.exe
  c:\winnt\explorer.exe
  c:\winnt\system32\svchost.exe
  c:\program files\flashget\flashget.exe
  c:\winnt\system32\bacstray.exe
  c:\progra~1\symant~1\symant~1\vptray.exe
  c:\program files\d-tools\daemon.exe
  c:\winnt\system32\internat.exe
  c:\progra~1\serv-u\servut~1.exe
  c:\program files\f-secure\ssh server\fsshd2srv.exe
  c:\program files\mercury interactive\loadrunner\launch_service\bin\magentproc.exe
  c:\winnt\system32\conime.exe
  c:\winnt\system32\emmsrv.exe
  c:\program files\internet explorer\iexplore.exe
  c:\winnt\system32\cmd.exe
  c:\winnt\system32\mmc.exe
  c:\program files\f-secure\ssh server\fssh2console.exe
  c:\program files\f-secure\ssh server\fsshsftpd.exe
  c:\winnt\system32\cmd.exe
  c:\program files\internet explorer\iexplore.exe
-Searching again for Hidden Services..
-------------------------------------------------------------------------------
* SV: DCOMSVC34567890 (DCOM Services)  Path: c:\winnt\system32\dcomsvc.exe
-------------------------------------------------------------------------------
* SV: MSDefenderDRV (MSDOSCDefenderDRV)  Path: c:\winnt\system32\msdosdrv.sys
-------------------------------------------------------------------------------
* SV: PCDR Helper Driver  Path: c:\progra~1\oldiags\ndor\pcdoctor\modules\pcdrdrv.sys
-------------------------------------------------------------------------------
-Searching for rootkit modules........
-------------------------------------------------------------------------------
* Suspicious Module!! c:\winnt\system32\imm32.dll
-------------------------------------------------------------------------------
* Suspicious Module!! c:\winnt\system32\lpk.dll
-------------------------------------------------------------------------------
* Suspicious Module!! c:\winnt\system32\usp10.dll
-------------------------------------------------------------------------------
-Trying to detect hxdef with tcp data.. (Found: 1 Running Rootkits)
-------------------------------------------------------------------------------
* Rootkit Hacker Defender v1.0.0 is installed in your host.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ (Found: 1 Running Rootkits)
-------------------------------------------------------------------------------
* Rootkit Hacker Defender >= v0.82 found. Path not available
-------------------------------------------------------------------------------
-Searching for other rootkits......... (Found: 0 Running Rootkits)
============================================================
rkdetector and KProcCheck are both powerful tools: they read their data from the system's kernel space, and RKDetector does more, as its name R(oot)K(it) Detector says: it can automatically analyse many kinds of rootkit (a rootkit being a collection of hacker back doors and tools) on a Windows system. In the output above, after excluding a few false positives, the following lines remain:
Code
-------------------------------------------------------------------------------
* SV: DCOMSVC34567890 (DCOM Services)  Path: c:\winnt\system32\dcomsvc.exe
-------------------------------------------------------------------------------
* SV: MSDOSCDefenderdrv (MSDefenderDRV)  Path: c:\winnt\system32\msdosdrv.sys
-------------------------------------------------------------------------------
-Trying to detect hxdef with tcp data.. (Found: 1 Running Rootkits)
-------------------------------------------------------------------------------
* Rootkit Hacker Defender v1.0.0 is installed in your host.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ (Found: 1 Running Rootkits)
-------------------------------------------------------------------------------
* Rootkit Hacker Defender >= v0.82 found. Path not available
-------------------------------------------------------------------------------
-Searching for other rootkits......... (Found: 0 Running Rootkits)
-------------------------------------------------------------------------------
It can be seen that it detected two abnormal services, DCOMSVC and MSDOSDRV.SYS, and one rootkit: Hacker Defender v1.0.0 (hxdef100 for short). And hxdef100, I'm afraid, is the biggest boss in this chapter and the hardest to deal with. It is an extremely successful rootkit for Windows. It runs in the system as a system service and then intercepts the related system calls of user programs through hooks to do its work: it hides files, directories, processes, services, registry keys, network ports and other information so that users cannot see them through the regular query methods (sc, ps and the like). At the same time it can listen directly on a TCP port (not visible on this machine), or run and hide other back-door programs to create a path for remote control; for those who plant Trojans it is the perfect travelling companion and the murderer's must-have medicine! hxdef100 not only hides itself, it also hides other back doors (processes, services, files). The only way to bring it out is to call it by its name: net stop hxdef100 stops the service and temporarily disables it, and then hxdef100.exe -:uninstall uninstalls it. But there are two problems: first, we don't know its service name, and without the service name we can't stop it; second, we don't know where its executable and configuration files are, so even if we stop it for a moment we can't uninstall it, and we can't find the other back doors it hides. Isn't that a dead end? Dead or not, treat the dead horse as a live one and try the possible service names found earlier:
Code
ELLY: Sesame, open ...        (net stop hxdef100)
HXDEF: ...
ELLY: Watermelon, open ...    (net stop dcomsvc)
HXDEF: ...
ELLY: Potato, open ...        (net stop ccproxy)
HXDEF: ...
ELLY: Banana, open ...        (net stop msdoscdefenderdrv)
HXDEF: ...
ELLY: HXDEF, open ...         (net stop spoolsv)
HXDEF: ...
It seems hxdef is playing dead and refuses to respond to me. So ... let's squeeze the soft persimmons first: analyse the bodies already caught and see what they can be made to say. First pull all the abnormal files found so far back to this machine, including the msdosdrv.sys just found; of course, some files we know exist but still cannot be found on the system, presumably hidden by hxdef. The files captured so far are:
Code
* 2004-04-07  11:52    55,296  List.gif
* 2004-04-07  11:53    45,056  Finder.gif
* 2004-04-07  11:53    28,160  nlog.gif
* 2004-04-07  11:53    77,824  kill.gif
* 2004-04-07  11:53   131,072  info.gif
* 2004-04-07  11:53    14,747  TINJECT.DLL
* 2004-04-07  11:53    69,632  spinfo.dll
* 2004-04-07  11:57     8,464  sporder.dll
* 2004-04-07  11:57        49  mslsp.dat
* 2004-04-07  12:11    20,480  DCOMSVC.EXE
* 2004-04-07  12:11        93  nt.bat
* 2005-02-10  03:03       405  svclog.log

The basic function analysis below is based on the file information and on disassembly.
Code
* 2004-04-07  11:52    55,296  List.gif
* 2004-04-07  11:53    45,056  Finder.gif
* 2004-04-07  11:53    28,160  nlog.gif
* 2004-04-07  11:53    77,824  kill.gif
* 2004-04-07  11:53   131,072  info.gif

The five above are renamed hacker tools. Their functions: List.gif is Sysinternals PsList, used to list all processes; Finder.gif is the tool that reads the current logon user's password directly from the Winlogon process; nlog.gif is actually nc (netcat.exe), a multi-purpose network program; kill.gif is Sysinternals kill, used to kill a process; info.gif is Sysinternals PsInfo, used to show the current host's system information.

* 2004-04-07  11:53    14,747  TINJECT.DLL
A thread-injection tool used to run and hide back-door programs: it creates a parasite inside another process's address space, giving a Trojan with no process of its own. It needs rundll32 to run; the parameters are unknown.

* 2004-04-07  11:53    69,632  spinfo.dll
A Trojan without a process (and possibly without a port). It uses the system's SPI (service provider interface) to hook itself into the network stack as a protocol filter, so that all data passing through that layer is analysed and acted upon. The promiscuous-mode network interface detected in chapter two should be spinfo.dll's doing.

* 2004-04-07  11:57     8,464  sporder.dll
A support library for inserting a module into the system SPI; spinfo.dll links against it.

* 2004-04-07  12:11    20,480  DCOMSVC.EXE
skserver 1.0, a SOCKS5 proxy server.

* 2004-04-07  12:11        93  nt.bat
The initialization script that installs skserver.

* 2005-02-10  03:03       405  svclog.log
* 2004-04-07  11:57        49  mslsp.dat
The log files of the spinfo.dll back door and of another back door.

After this analysis, let's look at hxdef again. Just now there seemed to be no way, but I forgot I still have something in hand: Ice. I didn't mention that I had also uploaded IceSword, another good tool for examining hidden information in the system; I had almost forgotten about it. After running it, four hidden services show up in the service list: Spooler, Spoolers, IPRIP and NetDDE. Stop them one by one, and now the system should be clean.
Using netstat -na and fport to view the system status, everything is normal and nothing unexpected is displayed. Find the files related to 2004-04-07:
Code
==============================
C:\> DIR /o:D /T:C /S C: | FINDSTR 2004-04-07
2004-04-07 12:05               280 Administrator@www.hanzify[1].txt
2004-04-07 12:03
==============================
This time there are more files:
Code
C:\winnt\spoolsv.exe
C:\winnt\admdll.dll
C:\winnt\raddrv.dll
C:\winnt\system32\svchostdll.dll
C:\winnt\system32\sysinfo.dll
C:\winnt\system32\reginfo.exe
C:\Winnt\System32\ms29.ini
The analysis is as follows:
- c:\winnt\system32\spoolsv.exe: original name R_Server2.exe; after unpacking, it is RADMIN 2.0, a remote administration and control program.
- c:\winnt\admdll.dll and c:\winnt\raddrv.dll: the support dynamic link libraries Radmin needs to run.
- c:\winnt\system32\svchostdll.dll and c:\winnt\system32\sysinfo.dll: the svchost Trojan, which injects a thread into SVCHOST (the system service host process) to create a back door with no process of its own; SVCHOSTDLL.DLL is its support library.
- c:\Winnt\System32\reginfo.exe: Remote DLL Injector v1.6 Private Version by Wineggdrop, a tool that executes a remote thread to inject and hide processes; probably related to the TINJECT.DLL seen earlier.
Once running, this Trojan gang headed by HXDef100 disguised themselves as Spoolers, IPrip, NetDDee and so on, and seem to have made themselves quite at home in the system... The whole back-door gang has basically been rounded up. Finally, let's review their findings. What review? Of course, I have already remembered the whitelist! HXDEF100 configuration file ms29.ini / ms20.ini (originally hxdef[*].ini), excerpt in full:
Code
==============================
[h "I / d << D
==============================
Ok, let's reconstruct the scene of the case... This chapter's conclusion:
1. On 7 April 2004, on a dark ~~ night... oh, sorry, it was daytime. On a rainy day a "hacker" calling himself Domybest or Ahai wandered into this network segment (he may also have been around for a long time...). He first ran the tools Nmap and RPCScan and found that this server had TCP 21 and TCP 135 open, running Serv-U 5.0.0.4 and IIS 5, the FTP and web servers most notorious for vulnerabilities under Windows; how could that not excite him! This machine was very likely to have the RPC-DCOM remote overflow vulnerability, and it had not even been infected by the Blaster worm. Hacker GG grinned; half a year of intrusion experience let him quickly and successfully enter the system with an RPC attack program and obtain SYSTEM privileges. Someone may ask why he was unlikely to have used the Serv-U remote overflow: the reason is that history cannot be rewritten, and that vulnerability had not yet been published.
2. After hacker GG entered the system, he first uploaded a few tools. He used the Ps series very skilfully; after PsList and netstat he was quite reassured that nobody but him was on this machine, and that the system administrator had probably not looked at it for months. After PsInfo he found the machine was not bad and could be used as an FTP server ^^ but he did not care much, because he already had hundreds of broilers (compromised hosts).
So he began to upload some of his back doors, such as a modified Termserv; so that it would not be found, he also changed its port to TCP 4652.
3. After logging in through the terminal service, what did he do? Set up a proxy server. He had heard of a proxy server called CCProxy, so he installed CCProxy, together with the Chinese-language package of Serv-U from Luoda. It seems he had another FTP server for attacks. A few days later he found that CCProxy was not as handy as the SKSERVER he was used to, the SOCKS5 proxy hackers use most, so he stopped CCProxy and installed SKSERVER.
4. But hacker GG was still not confident in his position, so he started placing more eyes and ears, installing more back doors: Wineggdrop's process-less back door, an SPI back door called Spishell, the RADMIN2 remote control server, and a hidden back door injected into SVCHOST, possibly the one called Portless Backdoor. Some of these he had modified himself, and he tuned a few details to the situation of this machine. This is enough to prove that he is at least a seasoned intruder who can be called a cracker, not an ordinary script kiddie.
5. Finally, to prove his level, he did not forget to install the famous Windows rootkit back door, hxdef. New version!
6. He strolled around the system to see whether any administrator was around, and wiped some of the EventLog. However, Win2000 was careless too: by default connections are not logged, so hacker GG could boldly log in through Terminal Server or any of his back doors; Norton CE was installed? Even more useless! Not one of hacker GG's back doors was detected. Half a year later, after an upgrade, it reported again...
It discovered DCOMSVC, which might be a back door, but the removal failed, and hacker GG saw that he had nothing to fear. Finally, hacker GG added an entry to his broiler database:
Code
XX.xx.xx.xx: 1432, 1442, 4652, 4653 hxdef, spishell, svchost, radmin, termserv@4652 SKSERVER@1432, ccProxy user: by ahai pass: domybest @#@#@#
[The above is purely fictitious; any resemblance is coincidental and no responsibility is accepted.]
[BTW: while looking for information I came across this; everyone may want to take a look.]
[http://hehe26.blogchina.com/blog/Article_150251.788458.html]
This chapter's open questions: the final analysis is finished, but a few issues remain:
1. If you are the system administrator, what should you do now?
2. So many back doors and Trojans that vulnerability scanners and anti-virus software cannot find; how do you clear them?
3. Is he still here? Will he come back?
4. If he comes back, what will you do?
If you want to know what happens next, wait for the next chapter.
##########################################################################################
Treatment: The lamp is dim, everything has been found out; a little configuration now restores the system to its normal state.
1. Uninstall hxdef
C:\hxdef100> hxdef100 -:uninstall
2. Remove the services
C:\Documents and Settings\Administrator> sc delete CCProxy
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator> sc delete IPRIP
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator> sc delete SPOOLERS
[SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
C:\Documents and Settings\Administrator> sc delete Spooler
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator> sc delete netddee
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator> sc delete DCOMsvc34567890
[SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
C:\Documents and Settings\Administrator> sc delete "Windows Event Logger"
[SC] DeleteService SUCCESS
C:\Documents and Settings\Administrator> sc delete NntpSvc
[SC] DeleteService SUCCESS
2.1 Some services cannot be deleted from the command line because their names contain illegal characters; use the registry editor regedit.exe to find and delete the key corresponding to the service under HKLM\System\CurrentControlSet\Services.
3. Remove the programs
del C:\winnt\spoolsv.exe
del c:\winnt\admdll.dll
del C:\Winnt\Raddrv.dll
del C:\winnt\system32\dcomsvc.exe
del c:\winnt\system32\list.gif
del C:\winnt\system32\finder.gif
del c:\winnt\system32\nlog.gif
del c:\winnt\system32\kill.gif
del c:\winnt\system32\info.gif
del c:\winnt\system32\svchostdll.dll
del C:\winnt\system32\sysinfo.dll
del c:\winnt\system32\reginfo.exe
del c:\winnt\system32\spinfo.dll
del c:\winnt\system32\ms29.ini
del c:\winnt\system32\tinject.dll
del C:\winnt\system32\svclog.log
del c:\winnt\system32\sporder.dll
del C:\Winnt\System32\MSLSP.DAT
del C:\WINNT\System32\msdos*.exe
del C:\Winnt\System32\msdosdrv.s
rd /s /q c:\winnt\apppatch
4. Terminal service: adjust the terminal service. The fake one has been removed; the real one needs its port changed back. In "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", the REG_DWORD PortNumber is changed from 4652 back to the normal 3389, so that the Terminal Server listens on its normal port again; it can then be enabled or disabled as needed.
5. User accounts: first, all users are advised to change their system login passwords, as well as the passwords of Serv-U and other application services.
After that, do the following: change the password, lock the account, and remove it from the Administrators group. Once these settings are done, check the current state with tools such as RKDETECTOR and KPROCCHECK:
Code
- Searching again for hidden services..
- Gathering service list information... (Found: 1 wrong service)
- Trying to detect HXDef with TCP data.. (Found: 0 running rootkits)
- Searching for hxdef hooks............ (Found: 0 running rootkits)
- Searching for other rootkits......... (Found: 0 running rootkits)
HXDEF and the other Trojans should now have been cleared successfully. What else is there? Deletions, custom ports, patches, a firewall, a change of anti-virus software... and also: rename the Administrator and Guest accounts, create two low-privilege users named Administrator and Guest, and revoke the logon right of the Guests group.
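As an added example, not code from the original article, the following PowerShell script reproduces three of the checks used in the investigation and cleanup above with built-in tools: service keys present in the registry that the Service Control Manager does not report (the kind of discrepancy IceSword exposed for Spooler, Spoolers, IPrip and NetDDee), the Terminal Server PortNumber (4652 in this case instead of 3389), and files created on the intrusion date (the "DIR /o:D /T:C /S | FINDSTR 2004-04-07" step). The function names and the 3389 baseline are my assumptions.

```powershell
# Added example (not from the original article). Run from an Administrators account.
# Caveat: a user-mode rootkit such as hxdef hooks enumeration APIs inside whichever
# process asks, so these results are only trustworthy from a clean boot or after the
# rootkit has been stopped (the article stops the hidden services first).

function Find-HiddenService {
    # Service keys that carry an ImagePath but are missing from the SCM's own listing.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $regNames = Get-ChildItem -Path $svcRoot | Where-Object {
        $null -ne (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue)
    } | ForEach-Object { $_.PSChildName }

    # "sc query type= all state= all" is the same view the article's tools relied on.
    $scmNames = sc.exe query type= all state= all | ForEach-Object {
        if ($_ -match '^SERVICE_NAME:\s*(.+)$') { $Matches[1].Trim() }
    }

    # '<=' marks names only on the reference (registry) side: review each one manually.
    Compare-Object -ReferenceObject $regNames -DifferenceObject $scmNames |
        Where-Object { $_.SideIndicator -eq '<=' } |
        ForEach-Object { $_.InputObject }
}

function Get-TerminalServerPort {
    # The value the intruder changed to 4652; the article restores it to 3389.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
}

function Get-FilesCreatedOn([datetime]$Day, [string]$Root = $env:SystemRoot) {
    # Equivalent of DIR /T:C filtered to one creation date, recursing under %SystemRoot%.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $Day.Date } |
        Select-Object FullName, CreationTime, Length
}

# Report: hidden services, non-default RDP port, and files from the intrusion date.
$hidden = Find-HiddenService
if ($hidden) { "Service keys not reported by the SCM: $($hidden -join ', ')" }
$port = Get-TerminalServerPort
if ($port -ne 3389) { "Terminal Server PortNumber is $port, expected 3389" }
Get-FilesCreatedOn -Day (Get-Date '2004-04-07') | Format-Table -AutoSize
```

Hidden-service candidates still need manual review, since driver keys that never loaded also lack an SCM entry on some systems.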