A brief introduction to the repair process after an operating system intrusion

Source: Internet
Author: User
Tags: administrator password, pcanywhere

Because of the nature of our work, we are exposed to this kind of thing. This article is only a simple intrusion analysis; it does not cover kernel-level Trojans such as rootkits. Experts will laugh at it; it is for reference only.

Text: I had just taken over as system administrator of the school site, responsible for 3 hosts. On the first check I found suspicious files in the skin directory of one host. Finding a problem right after taking the post, hee hee, not a bad start.

It was certain that this host had been compromised.

Procedure:

1. The system runs Windows 2003 + IIS 6.0 on NTFS partitions, with permissions set normally. Remote management is through PcAnywhere 10.0. The site runs the Power Article System, a modified version of 3.51. Another website is also hosted on it, a modified version of the Dynamic Network forum.

2. Testing showed that the previous administrator had paid no attention to web security. Power Article has a serious upload vulnerability that was never patched. The Dynamic Network forum was version 7.00sp2, but it could not be ruled out that it had been compromised too. I immediately gave the system a thorough examination and found no Trojan, so I judged the host system itself to be secure. However, a large number of webshells were found on the web side and had to be cleared. IIS 6.0 logging was not enabled! Ugh.

3. Checking and repair (back up the current web system first).

A. Time-lookup method: starting from the earliest creation time of the suspicious files above, search for all files created or modified after that time. This turned up many unknown files in gif, jpg, asp, cer and other formats. Opening them in Notepad showed they were ASP Trojans. Back up, then delete.

B. Tool search method: after the manual search, install antivirus software and run a full scan. Apart from killing a small number of ASP Trojans, there were no other findings. Checked the users: no anomalies. Checked the C drive: no obvious files. This indicates that the intruder did not escalate privileges further after obtaining web permissions, although the installation of a more discreet Trojan cannot be ruled out. Sweat.

C. The time-lookup method also showed that some normal ASP files had been modified. Among them, the Power Article System management page had code inserted that saves the administrator password in plaintext; the code is similar to the plaintext password-capture code used against the Dynamic Network forum.

In other modified ASP files I found the Moving Shark web page Trojan, an icefox one-line Trojan, a Sea Trojan and others, all of them encrypted.

D. Repair: back up this web system and extract the database. Delete it! Restore the system from a backup made a few months ago and check it: no Trojan! Import the current database. Delete the Power Article upload ASP file and add anti-injection code. Change all web administrator passwords and all system administrator passwords. Upgrade PcAnywhere to 11.0, change the PcAnywhere password and restrict it by IP. Enable IIS 6.0 logging. Because the linked website had not been updated for a long time and its web administrator could not be contacted, I changed its path and removed the link; to be dealt with later!
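The time-lookup and content checks of steps A and C, written up as an added example (my code, not the article's): it walks a web root, flags script files modified after a cutoff and any file with a non-script extension (gif, jpg, ...) whose content carries ASP code, then runs itself over a constructed sample tree. The extension list, the eval/execute regex and the sample files are assumptions for illustration.

```python
import os
import re
import tempfile
import time

# IIS 6 default ASP script-engine extensions (assumed; confirm host mappings).
ASP_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}
# One-line-shell marker: script tag then eval/execute of request input (triage heuristic).
ASP_MARKERS = re.compile(rb"<%.*?(eval|execute)\s*\(?\s*request", re.I | re.S)

def scan_webroot(root, since):
    """Time-lookup triage. Returns sorted (path, reason) pairs for script files
    modified at or after `since` (epoch seconds) and for any file whose
    extension is not a script type but whose content carries ASP code."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # mtime only; on NTFS add st_ctime (creation time) for the article's created-or-modified search
            recent = os.stat(full).st_mtime >= since
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as fh:
                has_asp_code = bool(ASP_MARKERS.search(fh.read(65536)))
            if ext not in ASP_EXTENSIONS and has_asp_code:
                findings.append((rel, "asp code inside non-script extension"))
            elif recent and has_asp_code:
                findings.append((rel, "changed after cutoff, evals request input"))
            elif recent and ext in ASP_EXTENSIONS:
                findings.append((rel, "script changed after cutoff"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree (not from the article): an old clean page, a
    page edited after the cutoff, and a 'gif' that is really an ASP one-liner."""
    root = tempfile.mkdtemp(prefix="webroot_")
    now = time.time()
    month_ago, cutoff = now - 30 * 86400, now - 3600
    for rel, data, mtime in [
        ("index.asp", b'<% Response.Write("hello") %>', month_ago),
        ("admin/login.asp", b'<% Response.Write("login") %>', now),
        ("skin/logo.gif", b'GIF89a<%eval request("c")%>', month_ago),
    ]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.utime(full, (mtime, mtime))
    return root, cutoff
```

Run `scan_webroot(*build_sample_webroot())` to see the two findings; on the real host, point `root` at the web root and set `since` to the creation time of the earliest suspicious file, then review each hit by hand before deleting.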

Analysis: the intruder probably could not escalate privileges because of the host's permission settings. (The PcAnywhere password may have been obtained, but the host had been locked for a long time. The intruder's skill is estimated to be still shallow.) Judging by the files he left behind: after obtaining the webshell he uploaded a cmd file, but since permissions were set fairly well he presumably could not get much information. He uploaded 2003.bat, Xp3389.exe and other files, trying to open port 3389 on the server, but again could not escalate because of the permission problem. PS: if PcAnywhere is installed on a host, the 3389 service cannot be opened, because its main file has been replaced by PcAnywhere. So it did not open. The other files were tools for viewing processes, installing services and so on; without higher permissions, the information they gathered was insufficient to obtain administrator rights.

The only thing to note is that the PcAnywhere password file is readable by everyone: the directory *:\Documents and Settings\All Users\Application Data\Symantec is visible to every user, including the PcAnywhere password file *.cif, which an online password viewer can decode; the 11.0 version cannot be read this way. Oh, upgrade it.
