Today I will share with you the repair process after the operating system is invaded. This tutorial only provides a brief introduction to the post-intrusion repair. I hope to use the system. Friends are a little reference and reference.
Text:
Just as a system administrator at a school station, responsible for 3 hosts, check first, found a host in the skin directory is suspicious The file exists. Oh, just found a problem when you are on the job, hey, perform well. To be sure, this host is compromised.
Operation:
1 The system adopts 2003+iis6.0, NTFS partition format, and the permission settings are normal. Pcanywhere10.0 remote management. The page is powered by the Power Article System, version 3.51. Attach another website and use the modified version of the network.
2 The test found that the former administrator did not pay attention to web security. Powered articles have serious upload vulnerabilities and are not patched. Dynamic network version 7.00sp2, but does not rule out that it has been hacked. Immediately, the system was thoroughly inspected and no Trojan was found. Determine the security of the host system. But a lot of webshells were found in the web, to be cleared. Iis6.0 no logging!
3 Checking the repair (backing up the current web system.)
A Time lookup method: Search and create after the time according to the earliest creation time of the above file. All files. Also found many unknown gif, jpg, asp, cer and other format files. Open it with Notepad and find it as an asp trojan. Backup, delete.
B Tool search method: After manual search, install anti-virus software, comprehensive anti-virus, in addition to killing a small number of asp Trojans, no other findings. Check the user, no exceptions. Check the C drive, no files are missing. Explain that the intruder did not further enhance the permissions after obtaining the web permissions, but did not rule out the installation of more hidden Trojans. To be checked.
C According to the time search method, some normal asp files have been modified. Among them, the dynamic article system management page is inserted into the code, and the administrator password is saved in plain text. The code is similar to the password text code in the clear text forum.
In other modified asp files, it was found that there are moving shark web Trojans, icefox's words Trojans, marine Trojans, etc., all encrypted.
D Repair; back up this web system and extract the database. Delete! Restore the system backed up several months ago, check, no Trojan! Import the current database. Delete the asp file of the dynamic article uploading software and add the anti-injection code. Modify all webmaster passwords and modify all system administrator passwords. Upgrade pcanywhere to 11.0 to modify pcanywhere passwords and limit ip. Open the iis6.0 log record. Because the linked website has not been updated for a long time, the web administrator can't contact, change the path, remove the connection, and spare!
Analysis: Due to host permission settings, the intruder may not be able to increase the permissions. (The pcanywhere password may have been obtained, but the host remains locked for a long time. It is estimated that the intruder's technology is still shallow.) It is analyzed by the documents he left. In the case of webshell, he uploaded the cmd file, but the permissions are set better, which is estimated to be too much information. Upload 2003.bat xp3389.exe and other files, want to open the server port 3389. However, due to permission issues, it cannot be improved. Ps: If a host installs pcanywhere, it will not be able to open the 3389 service, and its main file will be replaced by pcanywhere. Can't open it. Other files are tools such as viewing processes, installing services, etc. It is estimated that without obtaining higher privileges, the information obtained is not sufficient to obtain administrator rights. The only thing to note is that the password file of pcanywhere is available for everyone. In *:Documents and SettingsAll UsersApplication DataSymantec, this directory is visible to everyone, including pcanywhere password file *.cif, there is a password viewer on the network, but version 11.0 Unable to see. Oh, upgrade it.
Using NAT to achieve network sharing This is a method that many enterprises are keen on. Windows 200
In simple terms, Exchange servers can be used to architect email systems for busine
All along, Windows 2003 system is recognized as a relatively good operating system
Group Policy is the primary tool for administrators to define and control programs, network resource
Efficient management of system logs under win2003
Win2003 to eliminate illegal application access methods
Tip: Manual Optimization of Windows 2003
Teach you how to start your computer in safe mode
Easily set up a mail server in win2003
Two major steps to create a security system for win2003
Listed in the Win 2003 operating system wonderful question and answer four
How to implement DNS configuration Internet access in win2003
Setting of ASP.net environment under win2003
Steps for the Win7 system to retrieve the translucent effects function
Microsoft pushes Win10 quasi-official version 10240 hot fix patch KB3074674
Win7 Ultimate version always has a duplicate character solution when it is typed
Windows 7 must know the system problem
Three file hiding tips in Windows system
The fresh usage of the four IE browsers
Win10 China is selling at a high price? You can try to switch the system area to buy
Win8 changed the library of the taskbar to the operation method of the computer