An attacker who invades a system is always driven by a primary purpose: for example, showing off technical skill, obtaining confidential corporate data, or disrupting the normal business processes of the enterprise. Sometimes the attacker's purpose changes after the intrusion. An attacker who broke in to show off technique may, once inside the system, discover important confidential data and, driven by self-interest, end up stealing it.
Because the attacker's purpose differs, the attack methods used differ, and the scope of the damage and the loss caused differ as well. Therefore, when dealing with different system intrusion events, it is necessary to prescribe the right remedy: different types of system intrusion should be handled by different methods. Only in this way can the response be targeted and achieve the best result.
I. System intrusion recovery for intrusions aimed at showing off technique
Some attackers invade a system to show off their network skills to peers or others, or simply as an experiment; the intrusion is typically made possible by a system vulnerability. In such intrusion events the attacker generally leaves some evidence in the compromised system to prove that he has successfully invaded it, and sometimes publishes his results on an Internet forum. For example, if the compromised system is a web server, the intruder will change the home page of the site to show that it has been invaded, or will install a back door to turn the compromised system into one of his "broilers" (a zombie host under his control) and then openly sell it, or post on a forum announcing that he has invaded a certain system. In other words, we can subdivide this type of system intrusion into intrusion aimed at controlling the system and intrusion aimed at modifying service content.
For intrusion activities aimed at modifying service content, system recovery can be completed without taking the system down.
1. Handling method to use
(1) Take a snapshot of the complete current state of the compromised system, or at least save a snapshot of the modified parts, for later analysis and as evidence.
(2) Immediately restore the modified web pages from backup.
(3) Under Windows, use network monitoring software or the "netstat -an" command to check the system's current network connections; if an abnormal connection is found, disconnect it immediately. Then check the system files and services, and analyze the system and service log files to determine what actions the attacker performed in the system, so that the corresponding recovery can be carried out.
(
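As an added example for step (3), not part of the original article, the following script parses Windows "netstat -an" output and flags two things a defender checks first on a compromised web server: listening ports the server is not supposed to offer, and established connections that the server itself opened to an unexpected remote port (a web server should accept connections, not dial out). The netstat text, the expected-port sets and the addresses are all constructed assumptions for this example; on a real system pipe the live output in instead.

```python
"""Triage helper for the netstat check in step (3).
Added example; sample output and expected-port sets are constructed."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample resembling Windows `netstat -an` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            203.0.113.7:51234      ESTABLISHED
  TCP    10.0.0.5:49811         198.51.100.23:6667     ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Baseline for this (assumed) web server: ports it serves, and remote ports
# it may legitimately connect out to (DNS, HTTP/HTTPS updates, NTP).
EXPECTED_LISTEN_PORTS = {80, 443}
EXPECTED_OUTBOUND_PORTS = {53, 80, 443, 123}


def parse_netstat(text):
    """Turn `netstat -an` lines into Conn records; skip headers and blanks."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        lip, lport = local.rsplit(":", 1)    # rsplit keeps IPv6 "[::]:80" intact
        rip, rport = remote.rsplit(":", 1)   # UDP shows "*:*", so keep rport a str
        conns.append(Conn(proto, lip, int(lport), rip, rport, state))
    return conns


def find_anomalies(conns):
    """Return (unexpected listeners, unexpected outbound connections).
    An ESTABLISHED row whose local port is a served port is an inbound client
    and is ignored; one on an ephemeral local port was opened by this host."""
    unexpected_listen = [c for c in conns if c.state == "LISTENING"
                         and c.local_port not in EXPECTED_LISTEN_PORTS]
    unexpected_out = [c for c in conns if c.state == "ESTABLISHED"
                      and c.local_port not in EXPECTED_LISTEN_PORTS
                      and int(c.remote_port) not in EXPECTED_OUTBOUND_PORTS]
    return unexpected_listen, unexpected_out
```

Flagged rows are only leads: confirm each against the owning process (for example with "netstat -ano" plus the task list) before disconnecting it, and keep the raw netstat output with the snapshot from step (1) as evidence.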