First, the hosting ("space") server runs IIS 7.0 on Windows Server 2008 and supports ASP and ASP.NET (aspx).
We assume that a neighbouring site on the same server has been compromised and try to escalate privileges from there. Of course, I save myself a lot of work: I upload an ASP script over ftp, as I usually set things up first.
All the related components had been removed; WScript.Shell in particular is disabled, which blocks at least 60% of privilege-escalation attempts. I uploaded a cmd.exe and tried running commands again. This gives some peace of mind.
After a reminder from Black Wolf, the Shell.Users component is also critical. The user control panel file nusrmgr.cpl is invoked through Shell.Users, which also calls the WScript.Shell, Shell.Application and Shell.LocalMachine components. But to add a user, Shell.Users alone is enough. Where net.exe and ADSI have been removed, this may be a new method of adding users. The JS and VBS code will not be posted; look it up on Baidu yourselves.
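To verify a hardening of the kind described above, an administrator can audit whether the COM components the post names are still registered and still have a backing DLL on the host. The following is an added example, not code from the original post; the ProgID list is taken from the post and the registry layout (HKCR\ProgID\CLSID, HKCR\CLSID\{...}\InProcServer32) is standard Windows.

```powershell
# Added audit example (not from the original post): report whether the COM
# components named in the write-up are still usable on this host.
# Assumption: the ProgIDs below are exactly the ones the post names. A ProgID
# without an HKCR\<ProgId>\CLSID key cannot be created by script code.
$progIds = @('WScript.Shell', 'Shell.Application', 'Shell.Users', 'Shell.LocalMachine')

function Test-ComProgId {
    param([string]$ProgId)
    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $progKey)) {
        # No ProgID -> CLSID mapping: the component is effectively removed.
        return [pscustomobject]@{ ProgId = $ProgId; Registered = $false; Clsid = $null; Server = $null }
    }
    $clsid = (Get-ItemProperty -Path $progKey).'(default)'
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $server = if (Test-Path $serverKey) { (Get-ItemProperty -Path $serverKey).'(default)' } else { $null }
    [pscustomobject]@{ ProgId = $ProgId; Registered = $true; Clsid = $clsid; Server = $server }
}

$results = $progIds | ForEach-Object { Test-ComProgId -ProgId $_ }
$results | Format-Table -AutoSize

# A registered ProgID whose server DLL has been deleted is also unusable;
# flag that case separately so the report is not misleading.
foreach ($r in $results | Where-Object { $_.Registered -and $_.Server }) {
    $path = [Environment]::ExpandEnvironmentVariables($r.Server.Trim('"'))
    if (-not (Test-Path $path)) {
        Write-Warning "$($r.ProgId): server $path is missing (component unusable)"
    }
}
```

Run it in an elevated PowerShell on the web server; any row with Registered = True and an existing server path is a component the hardening did not remove.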
Then I scanned the website program to see whether any other testers had already been in.
No malicious code or backdoor programs were found.
Checked ports:
As usual, all ports are closed.
Checked drive letter permissions: the C: and G: drives can be browsed, and some sensitive directories were found, including the mysql and phpmyadmin installation directories; the ftp/flash configuration file is kept on the disk.
While browsing C:\ProgramData on drive C, some hacker's privilege-escalation files turned up (amazing): in C:\dosh there is a VBS that reads IIS user information.
iis.vbs mainly reads IIS data; it is commonly used to find executable directories.
Into this C:\dosh directory the following had been uploaded: cmd.exe, cscript.exe and iis.vbs
C:\dosh\cmd.exe
C:\dosh\cscript.exe
Uploaded.
cscript.exe is used to run iis.vbs and read the IIS information.
The space also supports aspx, which usually runs with higher permissions; I did not test that. The server's security risks can only be solved by notifying the server's technical management staff.
So I submitted the inspection report to the IDC's technical customer service. The following sections:
-----------------------------------------------------------------------
Whoever left these things on the server this time is able to escalate privileges; to avoid damage, a friendly test like this is a good thing.
After the friendly-test announcement was posted on the forum, many people challenged me,
By: qing 2011.05.06