Repair Process after an Operating System Intrusion

Source: Internet
Author: User
Tags: pcanywhere

Because of the nature of my work, I come across this sort of thing. This article only analyzes a simple intrusion; it does not cover kernel-level trojans such as rootkits. Experts may laugh; it is for reference only.

Body: I had just become the system administrator of a school site, responsible for three hosts. On my first check I found a suspicious file in the skin directory of one host. Haha, I found the problem right after I came on duty. Hey, not bad.

This host had clearly been compromised.

Procedure:

1. The system runs Windows 2003 with IIS 6.0 on NTFS partitions, the permission settings are normal, and it is managed remotely with pcAnywhere 10.0. The site runs a modified version 3.51 of the Dynamic Article System. A second website is also hosted on it, running a modified version of the Dynamic Network forum.

2. Testing showed that the previous administrator had paid no attention to web security: the Article System has a serious upload vulnerability that was never fixed, and the Dynamic Network 7.00 SP2 version cannot be ruled out as an intrusion path either. The system was then checked thoroughly and no trojans were found, so the host system itself was judged secure. However, a large number of webshells were found under the web root and had to be cleared. IIS 6.0 had no log records!

3. Check and repair (first back up the current web system).

A. Time lookup method: starting from the earliest creation time of the suspicious files above, search for all files created or modified after that time. This also turned up many unknown GIF, JPG, ASP, CER and other files; opening them with Notepad revealed ASP trojans. Back them up and delete them.

B. Tool search method: after the manual search, install anti-virus software and do a full scan. Apart from catching a few more ASP trojans, nothing else was found. Check the user accounts: nothing abnormal. Check drive C: no unknown files. This suggests that the intruder did not escalate privileges further after obtaining web permissions, but a more concealed trojan cannot be ruled out; this remains to be checked.

C. The time search method also showed that some legitimate ASP files had been modified. The Dynamic Article System's management page had code inserted into it that saves the administrator password in plaintext, similar to the code used to capture plaintext passwords in the forum.

The other modified ASP files contained trojans: Icefox one-sentence trojans and Marine trojans, all encrypted.

D. Back up the web system and extract the database, then delete the web system. Restore the web system from the backup made several months ago, and check that it contains no trojans. Import the current database. Delete the Dynamic Article System's upload ASP file and add anti-injection code. Change the passwords of all web administrators and of all system administrators; upgrade pcAnywhere to 11.0, change its password and restrict the allowed IP addresses. Enable IIS 6.0 logging. Because the second hosted website had not been updated for a long time and its web administrator could not be reached, move it to a different path, remove the link to it, and keep it in reserve.
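The time lookup of step A and the content check of steps B and C can be combined into one scan. The script below is an added example, not part of the original article: given a web root and the earliest suspicious timestamp as the cutoff, it lists every file modified since then and flags image/certificate files that carry ASP code, one-sentence webshell patterns in any file, and changed .asp pages that need manual review. The sample web root it builds is constructed for the demo; the regexes are simple heuristics, not a complete webshell signature set.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# A genuine GIF/JPG/CER never carries a complete <% ... %> server-side block.
ASP_BLOCK = re.compile(rb"<%.{0,4000}?%>", re.DOTALL)
# The eval/execute(request(...)) shape of a one-sentence ASP webshell.
ONE_LINER = re.compile(rb"\b(executeglobal|execute|eval)\s*\(?\s*request\b", re.IGNORECASE)
NON_SCRIPT_EXT = {".gif", ".jpg", ".jpeg", ".png", ".cer", ".txt"}  # .cer is mapped to asp.dll on IIS 6
SCRIPT_EXT = {".asp", ".asa"}

def scan_webroot(root, cutoff):
    """Return (relative_path, reason) for files modified at or after `cutoff` (a datetime).
    reasons: asp-in-non-script-file, webshell-pattern, modified-asp (review by hand, as in step C)."""
    root, cutoff_ts, findings = Path(root), cutoff.timestamp(), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_mtime < cutoff_ts:
            continue                      # untouched since before the earliest suspicious file
        rel, data, ext = path.relative_to(root).as_posix(), path.read_bytes(), path.suffix.lower()
        if ext in NON_SCRIPT_EXT and ASP_BLOCK.search(data):
            findings.append((rel, "asp-in-non-script-file"))
        if ONE_LINER.search(data):
            findings.append((rel, "webshell-pattern"))
        if ext in SCRIPT_EXT:
            findings.append((rel, "modified-asp"))
    return findings

def build_demo_webroot():
    """Constructed sample web root (not files from the incident); returns (root, cutoff)."""
    root, cutoff = Path(tempfile.mkdtemp()), datetime(2024, 1, 1)
    old, new = datetime(2023, 6, 1).timestamp(), datetime(2024, 2, 1).timestamp()
    samples = {  # relative path: (content, mtime)
        "skin/logo.gif": (b"GIF89a\x01\x00\x01\x00\x80\x00\x00", old),        # legitimate image, old
        "skin/bg.gif": (b"GIF89a<%eval request(\"c\")%>", new),                 # webshell behind a GIF name
        "admin/login.asp": (b"<% Set fs = Server.CreateObject(\"Scripting.FileSystemObject\") %>", new),
        "index.asp": (b"<% Response.Write \"hi\" %>", old),                    # unchanged, skipped
    }
    for rel, (content, mtime) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))       # set the modification time used by the scan
    return root, cutoff

if __name__ == "__main__":
    for rel, reason in scan_webroot(*build_demo_webroot()):
        print(f"{reason:24} {rel}")
```

On the real host, replace the demo root with the IIS web root and the cutoff with the creation time of the first suspicious file; back up anything flagged before deleting it.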

Analysis: The intruder was probably unable to escalate privileges because of the host's permission settings. (The pcAnywhere password may have been obtained, but the host had been locked for a long time; my guess is that the attacker's skill was not very high.) Judging by the files he left behind: after getting the webshell he uploaded a CMD file, but the permission settings were good, so he presumably could not get much information. He uploaded files such as 2003.bat and xp3389.exe to open port 3389 on the server, but privileges could not be escalated. PS: when pcAnywhere is installed on a host, the 3389 service cannot be enabled, because its main file is replaced by pcAnywhere, so it cannot be started. The other files were tools for viewing processes and installing services. My estimate is that the information obtainable without higher privileges was not enough to gain administrator rights. The only thing to note is that the pcAnywhere password file can be viewed by everyone: in `*:\Documents and Settings\All Users\Application Data\Symantec` the directory permissions are Everyone, and the pcAnywhere password file *.CIF is stored there. A password viewer for it exists on the Internet, but version 11.0 files cannot be viewed with it, so please upgrade.
