About the inspection process after the server is hacked

Source: Internet
Author: User

Today, let's talk from an intruder's perspective about the protection and inspection work you should do after your server has been compromised. Experts already know system hardening and security issues well. I have never been engaged in security work, so for beginners I can only describe the relevant work from the intruder's point of view. Beginners like us build and run our own servers without professional knowledge or big projects, so we have to maintain them ourselves, and after an intrusion the cleanup and inspection fall on us too.

Generally, servers get intruded in the following ways. Let's take a look.

1. The intruder obtains the highest privilege, that is, SYSTEM
Nobody obtains SYSTEM privilege for a good reason; the server's data will basically be packaged up and taken away. SYSTEM can do considerably more than even the highest administrator account, and what hackers use such privilege for I don't need to spell out. You understand.

2. The intruder gets a webshell
Typically the web application has a vulnerability that a hacker finds by black-box testing, or a 0-day, and uses it to obtain a webshell directly. How much that webshell can do depends mainly on the permissions set on the server's web directory: if they are set badly, the whole system drive is visible at a glance. If the directory permissions are strict, a webshell alone cannot do much damage; at most the intruder can dump the database and package up files (assuming key components such as WScript.Shell and FSO are disabled). In particular, if no privilege-escalation path can be found, a lone webshell achieves very little. Most servers nowadays are reasonably secure, and even winning a webshell is still not easy.

3. Server credentials are collected
For example, the 3389 (Remote Desktop) account, the FTP account, or the web application's admin account and password are obtained by social engineering, or a management account with certain permissions is obtained from data taken through the webshell above and analysed; in addition, the popular XSS is used against the admin backend and account management. What these credentials are worth depends on the system the account belongs to: a 3389 account obtained through social engineering is system-level access directly (provided you can actually log on; otherwise it is all for nothing). For web application admin accounts it depends on the platform: ASP, ASP.NET and PHP do not involve system privileges, but JSP systems deserve attention, because with a poor permission configuration the privileges are anything but ordinary. In this case, what can be done depends on the account's permissions.

4. The server is hit by same-segment (Class C) interception or sniffing
This differs from case 3. Here the intruder first needs a server with SYSTEM privilege in the same network segment before any data can be sniffed. A great deal can be sniffed, for example the 3389 logon account and password, or on port 80 the web application's admin account and password. What can be done is the same as in case 3: it depends on the permissions of the sniffed account.

5. The server is hit by some 0-day attack
This is generally not done by rookies, unless a new 0-day has just been published so that the rookies can enjoy it. 0-days come in many kinds, roughly divided into system 0-days and web 0-days: a system 0-day is, for example, an overflow that yields SYSTEM privilege and a reverse shell, while a web 0-day is generally aimed at getting a shell on a particular web application. The privileges of each can be inferred from the above: a system 0-day generally gives SYSTEM directly, and a web 0-day lands you roughly in case 2. What you can do must be judged from the size of the privilege.


A simple process for checking and handling a hacked server:

We often run into these situations. For a beginner whose server has been hacked, it is certainly no fun, and worse still it may be a server you use yourself. Based on the situations above, we can take the corresponding countermeasures and checks:


1. The server has been compromised. The first thing to do is take the affected system offline temporarily and change the system account and password. Before changing the password, check whether a trojan exists on the server, to stop the hacker from doing Get Hash on you again (obtaining the hash of the system password by some means and cracking it to get the plaintext) or grabbing the plaintext outright.

2. Check whether there are extra accounts on the system. Both manual and tool-based checks work; here I will describe the idea and the specific steps. For example, look under C:\Documents and Settings\: if someone creates a new account and logs on to it over 3389, a folder named after that account is inevitably generated there. Even for a hidden account (name ending in $) you should check for its folder and check the registry. If you do not understand this, just use a tool; searching for one is easy.
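
The account check described in this step, as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later in an elevated session; the profile root, the ProfileList registry key and the excluded system folder names are standard Windows locations, and on a domain-joined server the profiles of domain users will also appear and must be allowed for.

```powershell
# Added example, not the original author's code. Cross-check local accounts against
# profile folders and the ProfileList registry key to find accounts that should not exist.
# Assumes Windows PowerShell 5.1+ in an elevated session.

$profileRoot = if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' }

# 1. Every local account. Unlike 'net user', Get-LocalUser also lists names ending in '$'.
$accounts = Get-LocalUser | Select-Object Name, Enabled, SID, LastLogon, PasswordLastSet
$accounts | Sort-Object PasswordLastSet -Descending | Format-Table -AutoSize

# 2. Names with a trailing '$' are the classic "hidden account" trick.
$accounts | Where-Object { $_.Name.EndsWith('$') } |
    ForEach-Object { Write-Warning "Account with a trailing `$ in its name: $($_.Name)" }

# 3. Who is in the local Administrators group right now.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 4. ProfileList entries and profile folders with no matching local account:
#    an intruder who created an account, logged on over 3389 and deleted it again
#    still leaves these behind. Domain-user profiles also show up here; allow for them.
$accountSids  = @($accounts | ForEach-Object { $_.SID.Value })
$accountNames = @($accounts | ForEach-Object { $_.Name })
$profileList  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if ($sid -like 'S-1-5-21-*' -and $accountSids -notcontains $sid) {
        Write-Warning "Profile '$path' (SID $sid) has no matching local account"
    }
}

$systemFolders = @('Public', 'Default', 'Default User', 'All Users')
Get-ChildItem -Path $profileRoot -Directory | Where-Object {
    $accountNames -notcontains $_.Name -and $systemFolders -notcontains $_.Name
} | ForEach-Object { Write-Warning "Profile folder without a local account: $($_.FullName)" }
```

The registry and folder checks matter because deleting the account does not delete its profile: the leftover folder and ProfileList entry, with their timestamps, are often the only trace of a short-lived account.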

3. Check the ports the system has open. If you know the ports well, check again which programs are using them; sometimes you can spot the port used by a trojan or backdoor. Disable unnecessary ports to avoid accidents.
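
The port check in this step, as an added PowerShell example that is not from the original post. It assumes Windows Server 2012 / Windows 8 or later (for the NetTCPIP cmdlets) in an elevated session; the list of "writable roots" used to flag suspicious binaries is an assumption to adjust for your own layout.

```powershell
# Added example, not the original author's code. Map every listening TCP port and bound UDP
# endpoint to its process and image path, then flag binaries living in writable locations.
# Assumes Windows Server 2012 / Windows 8 or later (NetTCPIP module) in an elevated session.

$procs = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$tcp = @(Get-NetTCPConnection -State Listen | ForEach-Object {
    [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
})
$udp = @(Get-NetUDPEndpoint | ForEach-Object {
    [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
})

$listeners = ($tcp + $udp) | ForEach-Object {
    $p = $procs[[int]$_.PID]
    [pscustomobject]@{
        Proto       = $_.Proto
        Address     = $_.Address
        Port        = $_.Port
        PID         = $_.PID
        Process     = $p.Name
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
    }
} | Sort-Object Proto, Port, Address

$listeners | Format-Table Proto, Address, Port, PID, Process, Path -AutoSize

# A backdoor usually lives somewhere the intruder could write: temp folders, the web root,
# user profiles, ProgramData. PID 0/4 (Idle, System) never have a path, so skip them.
$writableRoots = @($env:TEMP, 'C:\Windows\Temp', 'C:\inetpub', 'C:\Users', 'C:\ProgramData')
$listeners | Where-Object { $_.PID -gt 4 } | Where-Object {
    $path = $_.Path
    if (-not $path) { return $true }           # running process with no image path: look at it
    foreach ($root in $writableRoots) { if ($path -like "$root\*") { return $true } }
    $false
} | ForEach-Object {
    Write-Warning "Review $($_.Proto)/$($_.Port) pid $($_.PID): $($_.Process) [$($_.Path)] $($_.CommandLine)"
}
```

The point of joining the port to the image path and command line is that a backdoor's port number tells you little, but a listener whose executable sits under the web root or a temp folder is almost never legitimate.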

4. Check the logs. For beginners: some logs cannot be cleared, so take a good look at them, such as the IIS logs, the logging provided by the web application itself, and the system logs. They can tell you what the hacker did and how your server was taken.
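
The system-log part of this step, as an added PowerShell example that is not from the original post. It assumes an elevated session, that Security auditing was enabled, and an assumed look-back window of `$Days` days; the event IDs and field names are the standard Windows Security log ones.

```powershell
# Added example, not the original author's code. Pull the Security events that usually
# reveal how a server was taken: successful logons by type, failed logons, account creation
# and local-group changes. Assumes an elevated session, Security auditing enabled, and an
# assumed look-back window of $Days days.

$Days  = 7
$start = (Get-Date).AddDays(-$Days)

# Read one named field out of an event's EventData XML (e.g. TargetUserName, IpAddress).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4624 = successful logon. LogonType 10 = RDP (3389), 3 = network (shares, WMI), 2 = console.
# Computer accounts (names ending in $) are skipped to keep the list readable.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = Get-EventField -Event $_ -Name 'TargetUserName'
            LogonType = [int](Get-EventField -Event $_ -Name 'LogonType')
            SourceIP  = Get-EventField -Event $_ -Name 'IpAddress'
        }
    } | Where-Object { $_.LogonType -in @(2, 3, 10) -and -not $_.User.EndsWith('$') }

"Console/network/RDP logons in the last $Days days, by user, source and type:"
$logons | Group-Object User, SourceIP, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4625 = failed logon. A burst from one address is password guessing against 3389 or SMB.
"Failed logons by source address:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField -Event $_ -Name 'IpAddress' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 4720 = user account created, 4732 = member added to a security-enabled local group
# (Administrators, Remote Desktop Users). Either one after the intrusion time is a red flag.
"Account creation and local group changes:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4720, 4732); StartTime = $start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A successful type-10 logon from an address you do not recognise, shortly after a run of 4625 failures from the same address, is the pattern that accompanies the "3389 account obtained and logged on" case described above; the 4720/4732 events then show whether the intruder added an account to keep access.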

5. Check the operation permissions on all the system's drive letters and key directories. For example, an administrator once handed me a server where the E: drive had no permissions set, so I changed it to Everyone, and he never checked it again. As long as my webshell is there, the permissions are enormous, especially combined with some privilege-escalation tools.
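
The permission check in this step, as an added PowerShell example that is not from the original post. It walks every drive root and every directory under the web root and reports ACEs that grant broad groups write access; `$webRoot` is an assumed default IIS path, and the list of "broad" principals is an assumption you may want to widen or narrow.

```powershell
# Added example, not the original author's code. Walk every drive root and every directory
# under the web root and report ACEs that give broad groups write access. $webRoot is an
# assumed default IIS path; adjust it to your site.

$webRoot = 'C:\inetpub\wwwroot'

# Principals that effectively mean "anyone who can reach the box, including the app pool".
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ANONYMOUS LOGON', 'IIS_IUSRS', 'BUILTIN\IIS_IUSRS')

# Rights that let a caller add or change files. FullControl/Modify include Write, so the
# mask catches them too; GENERIC_WRITE/GENERIC_ALL show up as raw bits and are tested separately.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x40000000 -bor 0x10000000

function Test-BroadWriteAccess {
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band $writeMask) -ne 0 -or ($raw -band $genericWriteOrAll) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$targets = @(Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object { $_.Root }) +
           @(Get-ChildItem -Path $webRoot -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

$findings = $targets | ForEach-Object { Test-BroadWriteAccess -Path $_ }
$findings | Format-Table Path, Principal, Rights, Inherited -AutoSize
```

A drive root granted to Everyone, as in the anecdote above, shows up as the first line of this report. Under the web root, the one directory that legitimately needs to be writable by the application pool (an upload folder) should appear here too; the defence there is to have IIS refuse to execute scripts from that folder, since a writable-and-executable directory is exactly where a webshell lands.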

6. Use anti-virus software to scan for trojans (EXE, script and other kinds), remove them, and fix the system's vulnerabilities. Choose whatever anti-virus software you like; I won't recommend one, to avoid looking like a promoter.

7. Check for webshell scripts. Generally you can check the file modification time (but file times can be changed), review with a tool, and review manually. If you cannot find anything familiar, another method is to back up each system in advance; after a problem occurs, pull both copies to a local machine and compare them with Beyond Compare (other comparison tools work too). Make sure the hacker's script is removed, and best of all fix the vulnerability in your web application: if you know how the hacker got into your web system, fix that accordingly. Remember to watch out for scripts with variant extensions.
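
The backup-and-compare method of this step, done with file hashes instead of a GUI diff tool, as an added PowerShell example that is not from the original post. On its first run it records a SHA-256 hash of every file under the web root; on later runs it diffs the current tree against that record and flags script files, including the "variant extension" names the step warns about. `$webRoot`, `$baseline`, the extension list and the upload-folder name pattern are assumptions.

```powershell
# Added example, not the original author's code. First run: record a SHA-256 hash of every
# file under the web root. Later runs: diff the current tree against that record and flag
# script files, including "variant" names such as shell.asp;.jpg. $webRoot and $baseline
# are assumed paths.

$webRoot  = 'C:\inetpub\wwwroot'
$baseline = 'C:\baseline\wwwroot-hashes.csv'

function Get-HashSnapshot {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { [pscustomobject]@{ Path = $_.Path.Substring($Root.Length); Hash = $_.Hash } }
}

if (-not (Test-Path -Path $baseline)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $baseline) -Force | Out-Null
    Get-HashSnapshot -Root $webRoot | Export-Csv -Path $baseline -NoTypeInformation
    "Baseline written to $baseline. Keep a copy off the server and rerun this after an incident."
}
else {
    $old = @{}; Import-Csv -Path $baseline | ForEach-Object { $old[$_.Path] = $_.Hash }
    $new = @{}; Get-HashSnapshot -Root $webRoot | ForEach-Object { $new[$_.Path] = $_.Hash }

    $added    = @($new.Keys | Where-Object { -not $old.ContainsKey($_) })
    $modified = @($new.Keys | Where-Object { $old.ContainsKey($_) -and $old[$_] -ne $new[$_] })
    $deleted  = @($old.Keys | Where-Object { -not $new.ContainsKey($_) })

    "Added ($($added.Count)):";       $added    | ForEach-Object { "  $_" }
    "Modified ($($modified.Count)):"; $modified | ForEach-Object { "  $_" }
    "Deleted ($($deleted.Count)):";   $deleted  | ForEach-Object { "  $_" }

    # Extensions IIS or the application may execute. The trailing group also matches
    # 'x.asp;.jpg' (IIS 6 parsing) and double extensions like 'x.php.jpg', which a
    # timestamp check would never show.
    $scriptExt = '\.(asp|aspx|asa|asax|ashx|asmx|cer|cdx|php|phtml|jsp|jspx)(;|\.|$)'
    $changed   = $added + $modified
    $new.Keys | Where-Object { $_ -match $scriptExt } |
        Where-Object { $changed -contains $_ -or $_ -match '\\(upload|image|temp|attach)[^\\]*\\' } |
        ForEach-Object { Write-Warning "Script file to review: $_" }
}
```

Hashing rather than trusting timestamps is what makes this robust to the "file time can be changed" problem the step mentions: an intruder can reset a modified file's mtime, but cannot make its content hash match the baseline. Keep the baseline CSV off the server, since a baseline the intruder can edit proves nothing.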

8. Install WAF software such as Safedog (this is not an advertisement). Most beginners basically skip servers running a "dog", otherwise they get bitten. Experts can bypass it, but they won't necessarily share how with beginners. So installing such software does not guarantee 100% protection, but it at least makes intruding into your server harder, and it blocks a batch of so-called script kiddies.


After completing these steps, you must harden the server yourself; if an intrusion has been detected, pay even more attention to the specific hardening. For details, consult the references; I am not a beginner here, but I only know a little about it, so don't bother me. Account and password settings should be more complex, with different passwords for different accounts, or social engineering will get them; social engineering is far more powerful than you think. Directories on the server should be assigned permissions strictly (you can refer to other write-ups elsewhere on the site). Check the logs, watch the traffic and watch the ports: if a hacker wants to do something bad on your server, there will certainly be plenty of noise. Just pay attention to the details.


Suggestions: for the check for trojans on the server mentioned in the workflow, we recommend professional anti-virus software and webshell scanning tools. (For anti-virus, foreign products such as McAfee Enterprise Edition, Norton Enterprise Edition or the corresponding server editions are recommended; for webshell scanning, frequently updated tools such as those from ah D and Dark Group are recommended, because shells keep mutating and an old scanning tool finds nothing. We recommend not using XX Guardian, XX Butler and the like on the server side.) This simple troubleshooting process for a hacked server is suitable for people who have just started in network administration or are not very strong technically. In fact, there is no such thing as absolute security; installing a firewall or applying more patches does not mean you can keep the criminals out. Keep security in mind at all times.

This article is from the "no trace" blog, please be sure to keep this source http://hucwuhen.blog.51cto.com/6253667/1338638
