Repair process after an operating system intrusion

Foreword: because of the nature of my work, I come into contact with these things. This article only analyzes a simple intrusion; it does not cover kernel-level Trojans such as rootkits. Experts may laugh; it is for reference only.

Main text: I had just taken over as system administrator at a school, responsible for three hosts. On the very first check I found suspicious files in the skin directory of one host. Well, finding a problem right after starting the job, that is a good start.

It was certain that this host had been compromised.

Operation:

1 The system runs Windows 2003 with IIS 6.0, NTFS partitions, and normal permission settings. Remote management is via pcAnywhere 10.0. The site runs the Power Article System, version 3.51. Another website is attached to it, running a modified version of the Dvbbs forum.

2 Inspection showed that the former administrator paid no attention to web security. The Power Article System has a serious upload vulnerability and was never patched. The Dvbbs forum is version 7.00 SP2, but it cannot be ruled out that it was also compromised. The system was immediately inspected thoroughly and no Trojan was found, so the host system itself was judged secure. But many webshells were found in the web directories and had to be cleaned out. And IIS 6.0 logging was not enabled!

3 Check and repair (back up the current web system first.)

A Time-based search: take the earliest creation time of the suspicious files found above and search for all files created or modified around that time. This turned up many unknown gif, jpg, asp, cer and other files. Opening them in Notepad showed they were ASP Trojans. Back up, then delete.

B Tool-based search: after the manual search, install anti-virus software and run a full scan. Apart from a few ASP Trojans that it flagged, nothing else was found. Check the user accounts: no anomalies. Check the C drive: no files missing. This indicates that the intruder did not escalate privileges after obtaining web permissions, although the installation of better-hidden Trojans cannot be ruled out. Still to be checked.

C A further time-based search found that some normal ASP files had been modified. Among them, the Power Article System admin page had code inserted that saves the administrator password in plain text; the code resembles the plaintext-password capture code seen in forum attacks. Other modified ASP files contained the Shark Trojan, the Icefox one-line Trojan (一句话木马) and the Ocean Trojan, all encrypted.

D Repair: back up this web system and extract the database, then delete it. Restore the system backup from a few months ago; check it: no Trojans! Import the current database. Delete the Power Article System upload ASP file and add anti-injection code. Change all webmaster passwords and all system administrator passwords. Upgrade pcAnywhere to 11.0, change the pcAnywhere password and restrict access by IP. Enable IIS 6.0 logging. Since the attached website had not been updated for a long time and its web administrator could not be contacted, change its path and remove the link; set it aside.
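The three search methods in steps A to C (time-based search, tool-based content search, and spotting script files disguised with image extensions) can be scripted so they are repeatable on each host. The script below is an added example, not code from the original article or from the school's systems. The webshell marker patterns, the pivot time, and the sample web root that demo() builds in a temporary directory are all constructed assumptions for this example; on a real host, point it at the web root, set the pivot to the creation time of the first suspicious file, and on Windows also compare st_ctime, which is the creation time there.

```python
"""
Added example (not from the original article): triage script that automates
the three search methods described above against a web root.

  * time search    - flag files whose modification time is at or after a
                     pivot timestamp (creation time of the first suspicious
                     file found on the host)
  * content search - flag files containing markers typical of classic ASP
                     webshells (eval/execute on request input, shell and
                     filesystem COM objects)
  * disguise check - flag .gif/.jpg files whose bytes lack the image magic
                     and instead contain ASP script tags

Marker patterns, pivot choice and the sample site built in demo() are
assumptions constructed for this example.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed marker list; extend it with what you actually find on the host.
WEBSHELL_PATTERNS = [
    re.compile(rb"<%.*?\b(eval|execute)\b\s*\(?\s*request", re.I | re.S),
    re.compile(rb"WScript\.Shell", re.I),
    re.compile(rb"Scripting\.FileSystemObject", re.I),
]

# Magic bytes a genuine image of that extension must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Anything IIS would hand to the ASP engine.
ASP_TAG = re.compile(rb"<%|<script[^>]+runat\s*=\s*['\"]?server", re.I)

MAX_READ = 1 << 20  # inspect at most 1 MiB per file


def scan_file(path, pivot):
    """Return the list of findings for one file (empty list if clean)."""
    findings = []
    st = os.stat(path)
    if datetime.fromtimestamp(st.st_mtime) >= pivot:
        findings.append("changed-after-pivot")

    with open(path, "rb") as fh:
        data = fh.read(MAX_READ)

    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]) \
            and ASP_TAG.search(data):
        findings.append("script-disguised-as-image")

    if any(p.search(data) for p in WEBSHELL_PATTERNS):
        findings.append("webshell-marker")
    return findings


def scan_webroot(root, pivot):
    """Walk the web root; map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found = scan_file(full, pivot)
            if found:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = found
    return report


def build_sample_webroot(root):
    """Constructed sample site: two old clean files, two fresh webshells."""
    sample = {
        "index.asp": b"<%\nResponse.Write \"hello\"\n%>",
        "images/real.gif": b"GIF89a" + b"\x00" * 16,
        "upload/x.asp": b"<%eval request(\"cmd\")%>",
        "upload/logo.gif": b"<% execute request(\"c\") %>",
    }
    old = (datetime.now() - timedelta(days=30)).timestamp()
    for rel, body in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        if not rel.startswith("upload/"):
            os.utime(full, (old, old))  # pretend the clean files are old


def demo():
    """Build the sample web root in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        pivot = datetime.now() - timedelta(days=1)  # constructed pivot
        return scan_webroot(root, pivot)


if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        print(f"{rel}: {', '.join(found)}")
```

Run as-is it reports the two planted files under upload/ and stays silent on the old, clean index.asp and real.gif. The time check alone is noisy on a live site, which is why the three checks are combined: a file that is both recent and carries a marker or a mismatched extension is the one to open in Notepad first, exactly as in step A.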

Analysis: because of the host permission settings, the intruder was probably unable to escalate privileges. (The pcAnywhere password may have been obtained, but the host was left alone for a long time; I estimate the intruder's skills were still shallow.) Judging from the files he left behind: through the webshell he uploaded a cmd file, but the permissions were set reasonably well, so he presumably got little information out of it. He also uploaded 2003.bat, xp3389.exe and other files, intending to open port 3389 on the server, but could not because of the permission restrictions. PS: if a host has pcAnywhere installed, the 3389 service cannot be opened, because its main file is replaced by pcAnywhere; it simply will not open. The other files were tools for viewing processes, installing services, and so on. Without higher privileges, the information obtained was presumably not enough to gain administrator rights. The only thing worth noting is that the pcAnywhere password file is readable by everyone: the directory *:\Documents and Settings\All Users\Application Data\Symantec is visible to everyone, including the pcAnywhere password file *.cif. A password viewer for it is available on the network, but it cannot read version 11.0 files. So, upgrade.

Copyright © Windows knowledge All Rights Reserved