Repairing an operating system after an intrusion: a few simple methods


Today I will share the repair process I followed after an operating system was compromised. This tutorial gives only a brief introduction to post-intrusion repair; I hope it serves as a small reference for friends who administer such systems.


I had just started as the system administrator of a school website, responsible for 3 hosts. On my first check I found suspicious files in the skin directory of one host. Finding a problem right after starting the job is a chance to perform well. Without doubt, this host had been compromised.


1 The system runs Windows 2003 with IIS 6.0 on NTFS partitions, and the permission settings are normal. Remote management is through pcAnywhere 10.0. The site runs the Power Article System, version 3.51. A second website is also hosted on it, using a modified version of the Dynamic Network forum software.

2 Inspection showed that the former administrator paid no attention to web security. The Power Article System has a serious, unpatched upload vulnerability. The Dynamic Network forum is version 7.00 SP2, but it cannot be ruled out that it too has been hacked. I immediately inspected the system thoroughly and found no Trojan, so the host system itself was judged secure. But many webshells were found in the web directories and had to be cleared. And IIS 6.0 logging was turned off!

3 Checking and repair (after backing up the current web system).

A Time lookup method: take the earliest creation time of the suspicious files found above and search for all files created after that time. This also turned up many unknown gif, jpg, asp, cer and other files. Opening them in Notepad showed that they were asp Trojans. Back up, then delete.

B Tool search method: after the manual search, install anti-virus software and run a full scan. Apart from killing a small number of asp Trojans, it found nothing else. Check the user accounts: no anomalies. Check the C drive: no files missing. This suggests that the intruder did not escalate privileges after obtaining web permissions, but it does not rule out that more hidden Trojans were installed. Still to be checked.

C The time search also showed that some normal asp files had been modified. Among them, the Dynamic article system's admin page had code inserted that saves the administrator password in plain text. The code is similar to the plaintext password-capture code known from the forum software.

In the other modified asp files I found "moving shark" web Trojans, "icefox" one-sentence Trojans, "marine" Trojans and others, all encrypted.

D Repair: back up this web system and extract the database, then delete it. Restore the web system from the backup made several months ago and check it: no Trojan! Import the current database. Delete the upload asp file of the Dynamic article system and add anti-injection code. Change all webmaster passwords and all system administrator passwords. Upgrade pcAnywhere to 11.0, change the pcAnywhere passwords and restrict the allowed IPs. Turn on IIS 6.0 logging. Because the linked website had not been updated for a long time and its web administrator could not be contacted, change its path, remove the link, and set it aside.
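The time lookup of step A and the check for modified asp pages in step C can be scripted. The following is an added example, not code from the original post: it walks a web root, keeps every file changed since a reference time, and flags image files (gif, jpg) that contain ASP script markers as disguised webshells and changed server-side scripts (asp, asa, cer, cdx) for manual review. It uses modification time rather than the NTFS creation time the post describes, so that it runs on any OS; the web root path and the reference file are assumed inputs.

```python
import os
import re

# Server-side ASP markers: "<%" or a <script runat="server"> block.
ASP_MARKERS = re.compile(rb"<%|<script[^>]*runat\s*=\s*[\"']?server", re.IGNORECASE)
# Extensions IIS 6.0 maps to asp.dll, so a .cer holding ASP code runs as ASP.
SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx"}
# Image extensions the post reports as carriers of disguised asp Trojans.
IMAGE_EXT = {".gif", ".jpg", ".jpeg"}


def files_changed_since(root, since_epoch):
    """All files under root whose mtime is at or after since_epoch (seconds).

    Assumption: mtime stands in for the creation time used in the post."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) >= since_epoch:
                found.append(path)
    return sorted(found)


def contains_asp(path, max_bytes=1 << 16):
    """True if the first max_bytes of the file contain ASP script markers."""
    with open(path, "rb") as fh:
        return ASP_MARKERS.search(fh.read(max_bytes)) is not None


def triage(root, since_epoch):
    """Classify every file changed since the cutoff:
    disguised-webshell: image extension but ASP code inside (step A)
    review-script:      server-side script changed after the cutoff (step C)
    changed:            anything else, worth a look but no ASP markers"""
    verdicts = {}
    for path in files_changed_since(root, since_epoch):
        ext = os.path.splitext(path)[1].lower()
        if ext in IMAGE_EXT and contains_asp(path):
            verdicts[path] = "disguised-webshell"
        elif ext in SCRIPT_EXT:
            verdicts[path] = "review-script"
        else:
            verdicts[path] = "changed"
    return verdicts


if __name__ == "__main__":
    import sys
    # usage: triage.py <webroot> <reference-file>; cutoff is that file's mtime
    for p, v in triage(sys.argv[1], os.path.getmtime(sys.argv[2])).items():
        print(v, p)
```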

Analysis: Because of the host's permission settings, the intruder was probably unable to escalate privileges. (The pcAnywhere password may have been obtained, but the host stayed locked for a long time. I estimate the intruder's skills are still shallow.) This is judged from the files he left behind. Through the webshell he uploaded a cmd file, but the permissions were set well, so presumably he obtained little information. He uploaded 2003.bat, xp3389.exe and other files, wanting to open port 3389 on the server, but because of the permission problems this could not succeed. PS: if a host has pcAnywhere installed, the 3389 service cannot be opened, because its main file is replaced by pcAnywhere and it cannot start. The other files were tools for viewing processes, installing services and so on. I estimate that without obtaining higher privileges, the information he gathered was not enough to gain administrator rights. The only thing to note is that the pcAnywhere password file is readable by everyone. The directory *:\Documents and Settings\All Users\Application Data\Symantec is visible to everyone, including the pcAnywhere password file *.cif; a password viewer for it is available on the network, but it cannot read the version 11.0 file. So, upgrade it.

Copyright © Windows knowledge All Rights Reserved