Emergency Remedies: Post-Intrusion Recovery Measures for Enterprise Servers


An attacker who breaks into a system is always driven by a primary purpose: showing off technical skill, obtaining confidential corporate data, disrupting the enterprise's normal business processes, and so on. Sometimes that purpose changes after the intrusion. An attacker who broke in to show off technical skill may discover important confidential data once inside and, out of self-interest, end up stealing it.

Because the attacker's purpose differs, the attack methods used differ, and so do the scope of the damage and the resulting losses. Therefore, when handling system intrusion events, the response must fit the case, the way a doctor prescribes for the specific illness: different types of intrusion call for different handling methods. Only then is the treatment targeted and the result the best achievable.

System Intrusion Recovery Where the Purpose Is Showing Off Technical Skill

Many attackers break into systems solely to show off their superior network skills to peers or others, or to try out an exploit for a particular system vulnerability. In such intrusions the attacker generally leaves some evidence in the compromised system to prove that the intrusion succeeded, and sometimes publishes the result in an Internet forum. If the compromised host is a web server, they change the site's home page to show that they have broken in, or they install a backdoor to turn the compromised system into their "broiler" (a zombie host under their control) and then openly sell it, or they announce in a forum that they have compromised a particular system. In other words, this type of intrusion can be subdivided into intrusions whose purpose is to control the system and intrusions whose purpose is to modify service content.

For intrusions aimed at modifying service content, system recovery can be completed without taking the service down.

1. The handling procedure to follow

(1) Take a snapshot of the compromised system, either of the complete current system or only of the modified parts, for later analysis and as evidence.

(2) Immediately restore the modified web pages from backup.

(3) Under Windows, use network monitoring software or the "netstat -an" command to check the system's current network connections; any abnormal connection found should be disconnected immediately. Then check the system files and services, and analyse the system and service log files to find out what the attacker did in the system, so that the corresponding recovery can be performed.

(4) Through analysis of the system log files, or with a vulnerability scanner, determine which vulnerability the attacker exploited to get into the system. If the attacker exploited a vulnerability in the system or in a network application, look for the corresponding system or application patch and apply it. If no patch exists yet for the vulnerability, use other means to temporarily block intrusions that exploit it again. If the attacker used another method, such as social engineering, and the inspection finds no new vulnerability in the system, this step is unnecessary, but the people targeted by the social-engineering attack must be identified and trained.

(5) After patching the system or application vulnerability, add corresponding firewall rules to prevent the same event from recurring. If IDS/IPS and anti-virus software are installed, update their signature databases as well.

(6) Finally, use system or application vulnerability-detection software to perform a thorough vulnerability scan of the system or service, making sure the detection signature database is up to date before scanning. Once all of this work is complete, arrange real-time monitoring of the system to ensure it is not hit by the same kind of intrusion again.
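As an added example that is not code from the original article, the following Python script implements steps (1) and (2) for a defaced web site: it compares the live web root with the known-good backup by file hash, copies every modified or attacker-added file to an evidence directory first, and only then restores the backup copies and removes the added files. The web root, the backup and their file contents are constructed inside temporary directories by the script itself; the directory layout and the decision to delete added files after preserving a copy are assumptions.

```python
"""Web-root integrity check against a known-good backup (added example).

Builds a small constructed web root and backup in temporary directories, then
reports files that differ from backup (defaced), files present only in the web
root (dropped by the attacker), and files missing from the web root. Suspect
files are copied to an evidence directory before anything is overwritten.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map relative path (with / separators) -> sha256 for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(webroot: Path, backup: Path) -> dict[str, list[str]]:
    """Classify files as modified (hash differs), added (only live) or missing (only backup)."""
    live, good = snapshot(webroot), snapshot(backup)
    return {
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }


def preserve_and_restore(webroot: Path, backup: Path, evidence: Path) -> dict[str, list[str]]:
    """Step (1) then step (2): preserve suspect files as evidence, then restore from backup."""
    report = compare(webroot, backup)
    for rel in report["modified"] + report["added"]:
        dst = evidence / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(webroot / rel, dst)  # evidence copy first, never restore first
    for rel in report["modified"] + report["missing"]:
        dst = webroot / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)  # known-good copy replaces the defaced page
    for rel in report["added"]:
        (webroot / rel).unlink()  # assumption: attacker-dropped file, evidence copy kept
    return report


def demo() -> dict[str, list[str]]:
    """Constructs a web root / backup pair, simulates a defacement and runs the check."""
    base = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    webroot, backup, evidence = base / "wwwroot", base / "backup", base / "evidence"
    for d in (webroot, backup):
        d.mkdir()
        (d / "index.html").write_text("<h1>Welcome</h1>")
        (d / "about.html").write_text("<p>About us</p>")
    # Constructed compromise: the home page is defaced and one extra file is dropped.
    (webroot / "index.html").write_text("<h1>defaced</h1>")
    (webroot / "dropped.asp").write_text("constructed placeholder for a dropped file")
    report = preserve_and_restore(webroot, backup, evidence)
    assert snapshot(webroot) == snapshot(backup)  # restored state matches the backup
    return report


if __name__ == "__main__":
    print(demo())
```

The order matters: the evidence copy is taken before the restore, because overwriting the defaced page first would destroy exactly the artefact that the later log analysis and any legal follow-up depend on.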

If the attacker's aim is to control the system as a broiler, then in order to keep control for a long time they will install a backdoor program in the system. At the same time, to avoid discovery by the system's users or administrators, the attacker will try to hide the traces of their operations in the system and conceal the backdoor they installed.

Therefore, we can only tell whether the system has been taken over by the attacker by checking the system's processes, network connection state and port usage. If it is determined that the system has become the attacker's broiler, intrusion recovery should proceed as follows:

(1) Immediately establish when the system was compromised and the scope and severity of the current impact, then take a snapshot of the compromised system to preserve the current damage for later post-mortem analysis and as evidence.

(2) Use network-connection monitoring or port monitoring software to detect the network connections and ports the system currently has in use. If an illegal network connection is found, disconnect all such connections immediately and add a firewall rule blocking that IP address or port.

(3) Use the Windows Task Manager to check whether illegal processes or services are running, and end every illegal process found immediately. However, some backdoor processes do not appear in the Windows Task Manager. Here, tools such as IceSword can find these hidden processes, services and loaded kernel modules, after which all of them can be terminated.

Sometimes, though, certain backdoor processes cannot be terminated in these ways; then the only option is to suspend the service and boot into safe mode. If the backdoor processes cannot be ended even in safe mode, the only remaining option is to restore the system to a backup from an earlier point in time, and then restore the service data.

This causes a business interruption, so it should be done as quickly as possible to reduce the impact and loss of the interruption. We should also check whether illegally registered backdoor services exist among the system services. This is done by opening "Services" under "Control Panel" - "Administrative Tools"; every illegal service found should be disabled.

(4) While looking for backdoor processes and services, record every process and service name found, then search the system registry and the system partition for those names and delete all data related to the backdoor. You should also delete all the contents of the Start Menu - All Programs - Startup menu item.

(5) Analyse the system logs to understand how the attacker got into the system and what operations they performed there, then undo every change the attacker made. If they exploited a system or application vulnerability to get in, find the corresponding patch and apply it.

If no patch is available for the vulnerability, use other security measures, such as firewall rules blocking the network connections of certain IP addresses, to temporarily block intrusion attempts through it, and keep watching the status of the vulnerability so that the fix can be applied as soon as the patch is released. Patching of systems and applications can be automated with suitable software.

(6) After the repair work is complete, use a vulnerability scanner to perform a comprehensive vulnerability check of the system and its applications to make sure no known system or application weaknesses remain. Also check manually whether a new user account has been added to the system and whether the attacker has altered security settings, such as the firewall filtering rules or the IDS/IPS detection sensitivity, or has disabled services and security software.
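As an added example that is not part of the original article, the Python below performs the process, network-connection, port and account checks from steps (2), (3) and (6) offline: it parses `netstat -an` output in the Windows column layout, flags listeners on ports outside an allowlist and established sessions with peers outside trusted networks, and diffs the current process, service and account lists against a pre-incident baseline. The netstat text, the baseline and the current state are constructed samples; the allowed ports, trusted networks and inventory names are assumptions about the server.

```python
"""Offline triage of netstat output and host inventories (added example).

The netstat text, baseline and current state below are constructed samples;
the allowed ports and trusted networks are assumptions about the server.
"""
import ipaddress
import re

# Assumption: ports this web server legitimately listens on, and the networks
# from which established sessions are expected (admin and application tier).
EXPECTED_LISTEN_PORTS = {80, 443, 3389}
TRUSTED_REMOTE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in the column layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:443       10.20.30.40:51532      ESTABLISHED
  TCP    192.168.1.10:49877     203.0.113.77:6667      ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Protocol, local host, local port, foreign address, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def triage_netstat(text: str) -> dict[str, list[str]]:
    """Return unexpected listeners and established sessions with untrusted peers."""
    findings = {"unexpected_listener": [], "untrusted_peer": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, lhost, lport, foreign, state = m.groups()
        lport = int(lport)
        if state == "LISTENING" and lport not in EXPECTED_LISTEN_PORTS:
            findings["unexpected_listener"].append(f"{proto} {lhost}:{lport}")
        elif state == "ESTABLISHED":
            fhost = foreign.rpartition(":")[0].strip("[]")  # also handles [v6]:port
            peer = ipaddress.ip_address(fhost)
            if not any(peer in net for net in TRUSTED_REMOTE_NETS):
                findings["untrusted_peer"].append(f"{lhost}:{lport} -> {foreign}")
    return findings


# Constructed pre-incident baseline (what the process, service and account lists
# showed when the server was built) and the constructed current state.
BASELINE = {
    "processes": {"System", "smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "inetinfo.exe"},
    "services": {"W3SVC", "EventLog", "TermService"},
    "accounts": {"Administrator", "Guest", "webapp"},
}
CURRENT = {
    "processes": BASELINE["processes"] | {"upd.exe"},
    "services": BASELINE["services"] | {"WinUpdateHelper"},
    "accounts": BASELINE["accounts"] | {"support$"},
}


def triage_host(baseline: dict = BASELINE, current: dict = CURRENT) -> dict[str, list[str]]:
    """Names present now but absent from the baseline, for each inventory kind."""
    return {kind: sorted(current[kind] - baseline[kind]) for kind in baseline}


if __name__ == "__main__":
    print(triage_netstat(SAMPLE_NETSTAT))
    print(triage_host())
```

A baseline diff only sees what the operating system reports, so a backdoor that hides its process from Task Manager is equally invisible to a script fed from the same lists; that is why the text falls back to tools such as IceSword, which look below the API those lists come from. The same limitation applies to netstat, which is why the firewall or a network tap is the more trustworthy place to confirm a suspicious connection.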

2. Further securing the results of intrusion recovery

(1) Change the names and login passwords of the system administrator and other user accounts;

(2) Change the names and login passwords of the database and other application administrator and user accounts;

(3) Check the firewall rules;

(4) If anti-virus software and IDS/IPS are installed on the system, update their virus database and attack signature database respectively;

(5) Reset user rights;

(6) Reset the file access control rules;

(7) Reset the database access control rules;

(8) Change the names and login passwords of all system accounts involved in network operations.

Once all the recovery and patching tasks above are complete, perform a full backup of the system and services and store the new full backup separately from the old one.

Copyright © Windows knowledge All Rights Reserved