Many people like breaking into Windows 2000 systems: port 3389 offers a graphical remote-control interface, there are plenty of exploitable holes, and articles on intruding into Win2000 are everywhere, so it is convenient. But do you know what footprints you leave behind in the system? I recently did an intrusion analysis and found a lot of things; of course, I first estimated the time of the intrusion and then searched for the files listed below.
Here we will not analyze FTP or HTTP log records, because analyzing and preventing that kind of intrusion is relatively easy, whereas intrusions that guess account passwords are more troublesome to prevent (a reasonably sound security configuration is another matter, to be discussed separately).
1. The system's own log records. A good administrator records whatever can be recorded. With a sufficiently complete audit policy in the local security policy (select every audit category, as long as the volume is not too much for you), the entire course of an account's access can be captured without a gap. The security log in the Event Viewer then holds the most entries, and every audited event can be reviewed there.
Let's look at an account logon/logoff event record:
Session disconnected from WinStation: User name: Guest Domain: Refdom Login ID: (0X0,0X28445D9) Session Name: Unknown Client Name: Gudulover Client Address: 202.103.117.94
This is a logon event over 3389; the system recorded the client's IP address, machine name and the user name used. It is a fairly complete record.
And this is a detailed process-tracking record:
A new process has been created: New process ID: 4269918848 Image filename: \winnt\system32\cmd.exe Creator process ID: 2168673888 User name: refdom$ Domain: Refdom Login ID: (0x0,0x3e7)
This is the record of Cmd.exe being run as LocalSystem (login ID (0x0,0x3e7) is the LocalSystem session). Running Cmd.exe under the local system account is not what net user or similar commands do (of course, there are many things one can do with it). Watch your own logging volume too: once the log is full, Windows stops recording new events, so set the log properties to overwrite events as needed; new events then keep being recorded, but you may have to analyze events before they are overwritten. Unfortunately, records this conspicuous rarely survive, since most intruders clear them.
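As an added example (not part of the original article), here is a small Python parser for exported security-log records of the two shapes shown above: it pairs each 3389 session's logon ID with the client address recorded for it, and flags cmd.exe started under the LocalSystem logon ID (0x0,0x3e7) as well as any process whose logon ID belongs to a remote session. The sample log text, the client name and the address in it are constructed for the demonstration.

```python
import re

# Constructed sample of a Windows 2000 security-log export, shaped like the two
# record types quoted in the text (session disconnect, process creation); not a real log.
SAMPLE_LOG = r"""
Session disconnected from WinStation: User Name: Guest Domain: REFDOM Logon ID: (0x0,0x28445D9) Session Name: Unknown Client Name: GUDULOVER Client Address: 203.0.113.17
A new process has been created: New Process ID: 4269918848 Image File Name: \WINNT\system32\cmd.exe Creator Process ID: 2168673888 User Name: REFDOM$ Domain: REFDOM Logon ID: (0x0,0x3E7)
A new process has been created: New Process ID: 2166485600 Image File Name: \WINNT\system32\notepad.exe Creator Process ID: 2168673888 User Name: Guest Domain: REFDOM Logon ID: (0x0,0x28445D9)
"""
LOCAL_SYSTEM_LOGON = (0x0, 0x3E7)  # logon ID of the LocalSystem session, as in the record above
FIELD_NAMES = ["User Name", "Domain", "Logon ID", "Session Name", "Client Name",
               "Client Address", "New Process ID", "Image File Name", "Creator Process ID"]
_ALT = "|".join(re.escape(f) for f in FIELD_NAMES)
# The export runs "Key: value" pairs together on one line; a value ends where the next key starts.
FIELD_RE = re.compile(rf"({_ALT}):\s*(.*?)(?=\s+(?:{_ALT}):|\s*$)")

def parse_logon_id(text):
    """'(0x0,0x3E7)' -> (0, 999); None when the field is absent or malformed."""
    m = re.fullmatch(r"\((0x[0-9a-f]+),\s*(0x[0-9a-f]+)\)", text.strip(), re.I)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def parse_records(log_text):
    """One dict per exported event line: its fields plus 'kind' and a parsed 'logon' tuple."""
    records = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        kind = ("process" if line.startswith("A new process has been created")
                else "session_disconnect" if line.startswith("Session disconnected") else "other")
        fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
        fields["kind"] = kind
        fields["logon"] = parse_logon_id(fields.get("Logon ID", ""))
        records.append(fields)
    return records

def remote_sessions(records):
    """Logon ID -> (user, client address, client name) for each 3389 session in the log."""
    return {r["logon"]: (r.get("User Name"), r.get("Client Address"), r.get("Client Name"))
            for r in records if r["kind"] == "session_disconnect" and r["logon"]}

def suspicious_processes(records):
    """Flag cmd.exe started as LocalSystem, and any process whose logon ID belongs to a 3389 session."""
    sessions = remote_sessions(records)
    hits = []
    for r in (x for x in records if x["kind"] == "process"):
        image = r.get("Image File Name", "").lower()
        if r["logon"] == LOCAL_SYSTEM_LOGON and image.endswith("cmd.exe"):
            hits.append(("localsystem-shell", image, None))  # a shell run by SYSTEM, not by a logon
        elif r["logon"] in sessions:
            hits.append(("remote-session", image, sessions[r["logon"]][1]))  # attribute to client IP
    return hits
```

Calling suspicious_processes(parse_records(SAMPLE_LOG)) returns the flagged processes with the client address each one traces back to.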
2. Plenty of traces remain in the "Documents and Settings" directory. This directory holds the footprints of every account: whether the graphical interface is used over 3389 or locally, the account's profile directory is left behind. Let's look at what is in an account's folder under "Documents and Settings"; first show all files and folders, hidden ones included.
"Start Menu": what the account keeps in its Start menu; the "Startup" folder inside it is even more interesting. "Application Data": data left by applications, backups and the like; not very useful for analysis.
"Cookies": if an intruder came in over 3389 and browsed the web, the cookies stored here tell you where he went.
"Local Settings": more temporary data, including IE's offline cache; you may find many interesting websites there. "Recent": this folder is hidden, but it keeps a record of the directories and files the account accessed. What was used and which documents were opened can be seen clearly.
"Templates": where template files are stored.
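As an added example, not from the article: a Python triage script that walks a "Documents and Settings" tree and reports, per account and artifact folder, how many files are there and which one was touched last, so the folder activity can be lined up against the event-log timeline. The profile tree it builds (accounts, file names, timestamps) is constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

# The profile subfolders the text walks through; user activity mostly lands in the first three.
ARTIFACT_DIRS = ["Recent", "Cookies", "Local Settings", "Start Menu", "Application Data", "Templates"]

def build_sample_profiles(root=None):
    """Constructed stand-in for a 'Documents and Settings' tree (not copied from any real host)."""
    root = Path(root or tempfile.mkdtemp())
    layout = {  # account -> {subfolder: [files]}; Guest is the account that was active over 3389
        "Administrator": {"Recent": ["budget.xls.lnk"], "Cookies": []},
        "Guest": {"Recent": ["secret.doc.lnk", "report.doc.lnk"],
                  "Cookies": ["guest@example[1].txt"],
                  "Local Settings": ["Temporary Internet Files/index.dat"]},
    }
    base = time.time() - 86400 * 10  # pretend the activity happened ten days ago
    for account, subdirs in layout.items():
        for sub, files in subdirs.items():
            (root / account / sub).mkdir(parents=True, exist_ok=True)
            for n, name in enumerate(files):
                p = root / account / sub / name
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_text("x")
                os.utime(p, (base + n * 3600, base + n * 3600))  # later files get later mtimes
    return root

def profile_activity(docs_and_settings):
    """Per account and artifact folder: (file count, newest file, its mtime) for timeline work."""
    root = Path(docs_and_settings)
    report = {}
    for account in sorted(p.name for p in root.iterdir() if p.is_dir()):
        entry = {}
        for sub in ARTIFACT_DIRS:
            folder = root / account / sub
            if not folder.is_dir():
                continue  # the account never touched this folder
            files = [f for f in folder.rglob("*") if f.is_file()]  # hidden entries included
            newest = max(files, key=lambda f: f.stat().st_mtime, default=None)
            entry[sub] = (len(files), newest.name if newest else None,
                          newest.stat().st_mtime if newest else None)
        report[account] = entry
    return report
```

On a real host, point profile_activity at the "Documents and Settings" directory of the examined disk; sort the reported mtimes and compare them with the event-log timestamps from section 1.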
3. Seeing the intrusion through the hacker's tools. Once he is in, the intruder will find a way to get administrator privileges, and with those he can do whatever he likes; according to the usual intrusion tutorials, that means installing scanners to collect more "broilers" (compromised machines), installing backdoors, deleting logs... These scanners leave plenty of logs to analyze, and they also hand you, for free, the list of machines he collected. From the logs and configuration files of these tools you can also judge the intruder's intentions and skill level. Take the Streamer scanner, for instance: it writes down the result of every scan, so we can read them rather than ignore them. An installed backdoor or proxy springboard (if not multi-level) is the best source of all: who else could remotely control what you do? From the backdoor program we can certainly trace the intruder's origin, that is, where the connection came from, and a sniffer confirms it. You can even give your own Trojan an attractive file name as a disguise so that he takes it away and uses it, if you want everyone to play together. Of course, the intruder came from another of his 3389 "broilers", and that was the only one found. (Take the risk and deal with his other compromised machines.)