On the inspection process after a server is hacked

Source: Internet
Author: User

Today I want to talk to newbies, from an intruder's perspective, about the protective and inspection work that should be done after a server has been compromised. The experts are familiar with system hardening and security issues; I have never worked in security, so I can only talk about the related work from the intruder's point of view. Newbies like us also build our own servers, without professional knowledge or big projects behind us, so we can only maintain them ourselves. After being hacked, you have to do the maintenance and inspection on your own.
 
A hacked server usually falls into one of the following situations. Let's look at them.
 
1. The attacker has obtained the highest privilege, i.e. SYSTEM.
Someone who goes to the trouble of getting SYSTEM is certainly not up to anything good, and the server's data will basically be packaged up and taken, because SYSTEM is even more capable than the Administrator account. I won't spell out what hackers do with that level of access; you understand.
 
2. The server has a webshell on it
Usually the web application has a vulnerability that a black hat found, possibly with a 0-day, and used it to drop a webshell. How much a webshell can do varies, and it mainly depends on the permissions set on the server's web directory. If permissions are not set properly, the whole system drive can be browsed. If the directory permissions are strictly set, a webshell alone is not enough to do real damage; at most it can be used to package up and download the site (with key components such as WScript.Shell and the FileSystemObject disabled). In particular, a single webshell with no privilege escalation available can do little; most servers today are reasonably locked down, and even getting a webshell is still hard work.
 
3. Server credential harvesting
For example, the accounts and passwords for 3389 (RDP), FTP and web admin panels are collected by a gang, or admin accounts with certain permissions are obtained through the webshell above and the data is organised and analysed; the currently popular XSS is also used to hit backends and steal admin accounts. What these permissions are worth depends on the system the account belongs to. A 3389 account, for instance, is SYSTEM-level if you get one (provided you can actually reach the port and log on). Web admin accounts depend on the application: ASP, ASP.NET and PHP admin panels don't involve system permissions by themselves, though an admin panel that lets you upload templates or plugins is effectively a webshell, and JSP systems deserve special attention, since a badly configured one may run with considerable privileges. In this situation, what can be done is determined by the account's permissions.
 
4. The server is hit by C-class (same /24 segment) sniffing
This differs from case 3. It requires the attacker to already have SYSTEM on a server in the same network segment before traffic sniffing (usually by ARP spoofing on a switched network) is possible. A lot can be sniffed: 3389 login credentials, web admin credentials on port 80, and so on. What can be done is the same as in case 3: it depends on the permissions of the sniffed account.
 
5. The server has been hit by a 0-day
This is generally not something newbies do. Either it's a fresh 0-day, or one that has since been published so newbies can enjoy it too. 0-days come in many kinds, roughly divided into system 0-days and web 0-days: a system 0-day is, for example, an overflow that gives SYSTEM and a reverse shell, while a web 0-day is usually a getshell in some web application. Their permissions are as described above: a system 0-day generally gives SYSTEM directly, and a web 0-day is like case 2. You have to judge what can be done by the level of access obtained.
 
A simple process for checking and handling a hacked server:

 
We often see these situations. When you're a newbie and your server gets hacked, what do you do? (It's certainly not pleasant, and even a junk server is still a server, right? You use it yourself.) We can take countermeasures and do checks based on the situations above. I've summarised the following:
 
1. The first thing to do when the server is hacked is to temporarily shut down the affected application and change the system account passwords. Before changing the password, check whether a trojan exists on the server; otherwise the attacker simply dumps the hashes again (obtaining the system password hashes by some means and cracking them to get the plaintext) or reads the plaintext directly, and you are back to square one. Preserve a copy of the logs and the web directory before you start cleaning, so there is still evidence to look at in the later steps.
 
2. Check whether there are extra accounts on the system. You can check manually or with tools. Here is the idea and how to do it: look under C:\Documents and Settings\ (C:\Users on newer Windows). If someone created a new account and logged on via 3389 with it, a folder with that account name will have been created there; even a hidden account with a $ suffix leaves one. You also have to check the accounts in the registry (the real list lives under HKLM\SAM\SAM\Domains\Account\Users, which is only readable as SYSTEM, and the ProfileList key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion records every profile that has ever logged on). If you don't understand that, just use a tool; Baidu is your friend.
 
3. Check the ports open on the system. If you are familiar with them, check which program is behind each one (netstat -ano gives the PID, the task list gives the binary); sometimes you can spot the port used by a trojan or backdoor. Close unnecessary ports to avoid accidents.
 
4. Check the logs. Generally a newbie-level attacker cannot clear all the logs. Take a good look at the IIS logs, the logs the web application itself keeps, and the system event logs; these tell you how the attacker got in and what they did. Bear in mind that an attacker with SYSTEM can wipe them, which is one more reason to ship logs off the box.
 
5. Check the permissions on every drive letter and key system directory. For example, a clueless administrator once handed me his server: the E: drive had no proper permissions set, I changed them to Everyone, and he never checked again. As long as my webshell was there, the permissions were huge, especially combined with privilege escalation tools.
 
6. Use antivirus software to scan for trojans (EXEs, scripts and others) and patch system vulnerabilities. Which antivirus to choose, find out for yourself; I won't recommend one, to avoid being called a shill. It's hard to be a good guy these days.
 
7. Check for webshell scripts. Generally you can check file modification times (but these can be changed; a modification time earlier than the creation time is a giveaway), review with a tool, and review by hand. If you can't find them yourself, ask someone who knows. Back up each system in advance; when a problem occurs, pack up both the backup and the current copy, take them to a local machine and compare them with Beyond Compare (other comparison tools work too). Make sure you remove the hacker's scripts and find the vulnerability in the web application. If you know how to fix the vulnerable web application, fix it; remember to watch out for scripts with variant extensions (.asp;.jpg, .cer, .asa, .ashx, .phtml and the like).
 
8. I'm not advertising, but install WAF software such as Safedog. Many newbies basically steer clear of servers with the Dog on them, otherwise they get bitten. The experts can bypass it, but they probably can't be bothered with the servers of newbies like us. Installing this kind of software doesn't guarantee 100% protection, but at least it makes things considerably harder and blocks a crowd of so-called script kiddies (me? I ran when I met the Dog).
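The following script pulls steps 2, 3, 4 and 7 of this checklist into one triage pass for a Windows/IIS web server. It is an added example for this article, not the author's own script or tool. Everything it assumes is not stated in the article: PowerShell 3 or later, an elevated prompt, IIS W3C logs on the local disk, and the default paths in the param block (change them to match your server). It only reports; it deletes nothing.

```powershell
# Post-compromise triage for a Windows/IIS web server (steps 2, 3, 4 and 7 above).
# Added example for this article, not the author's own script. Assumptions not stated in the
# article: PowerShell 3+, elevated prompt, IIS W3C logs on local disk, and the paths below.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string]$LogRoot = 'C:\inetpub\logs\LogFiles',
    [int]$Days = 30
)
$scriptExt = '\.(asp|aspx|asa|asax|ashx|asmx|cer|cdx|php\d?|phtml|jsp|jspx|cfm)$'

# ---- Step 2: accounts. List local accounts, flag $-suffixed names, then find profiles that belong
# to no listed account: a hidden/clone account that has logged on over 3389 still leaves a profile
# folder and a ProfileList entry even when "net user" does not show it.
Write-Host '== Local accounts (names ending in $ are suspicious on a web server) =='
$accounts = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True"
$accounts | Select-Object Name, SID, Disabled, @{n='Dollar'; e={ $_.Name -like '*$' }} | Format-Table -AutoSize
$known = @{}
foreach ($a in $accounts) { $known[$a.SID] = $a.Name }

Write-Host '== Profiles with no matching local account =='
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    # S-1-5-21-* are user SIDs (service SIDs are skipped). On a domain member, domain users also
    # land here, so confirm each hit against the domain before calling it a rogue account.
    if ($sid -like 'S-1-5-21-*' -and -not $known.ContainsKey($sid)) {
        $dir = Get-Item $path -ErrorAction SilentlyContinue
        [pscustomobject]@{ SID = $sid; Profile = $path; LastWrite = $dir.LastWriteTime }
    }
} | Format-Table -AutoSize

# ---- Step 3: listening TCP ports mapped to the owning process and its binary on disk.
Write-Host '== Listening TCP ports and owning executables =='
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'            # Proto  LocalAddress  ForeignAddress  State  PID
    $owner = $procs[[int]$f[4]]
    [pscustomobject]@{ Local = $f[1]; ProcId = $f[4]; Process = $owner.Name; Path = $owner.ExecutablePath }
} | Sort-Object Local -Unique | Format-Table -AutoSize

# ---- Step 7: web root. Flag script files changed recently, disguised extensions (IIS 6 runs
# "x.asp;.jpg" as ASP), a LastWriteTime earlier than CreationTime (modification time set back),
# and code that looks like a one-line webshell. Expect some false positives; read every hit.
Write-Host '== Suspicious files under the web root =='
$shellPat = 'eval\s*\(?\s*request|execute\s*\(?\s*request|(eval|assert|base64_decode|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)|getRuntime\(\)\.exec\s*\(\s*request|WScript\.Shell|cmd\.exe'
$since = (Get-Date).AddDays(-$Days)
Get-ChildItem $WebRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $why = @()
    $isScript = $_.Name -match $scriptExt
    if ($isScript -and $_.LastWriteTime -gt $since) { $why += 'recent' }
    if ($_.Name -match '\.(asp|aspx|php|jsp)[^\\]*\.(jpg|jpeg|gif|png|txt|bak)$' -or $_.Name -match ';') { $why += 'disguised-ext' }
    if ($_.CreationTime -gt $_.LastWriteTime.AddSeconds(1)) { $why += 'timestomp?' }
    if ($isScript -and (Select-String -Path $_.FullName -Pattern $shellPat -Quiet -ErrorAction SilentlyContinue)) { $why += 'shell-like' }
    if ($why) { [pscustomobject]@{ File = $_.FullName; Modified = $_.LastWriteTime; Created = $_.CreationTime; Why = ($why -join ',') } }
} | Format-Table -AutoSize -Wrap

# ---- Step 4: IIS W3C logs. Count POSTs to script files per (URI, client IP) with first/last seen.
# A webshell shows up as repeated POSTs from one IP to a script that nobody else ever requests.
Write-Host '== IIS log: POSTs to script files, by URI and client IP =='
$hits = @{}
Get-ChildItem $LogRoot -Recurse -Filter *.log -ErrorAction SilentlyContinue | ForEach-Object {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($_.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split ' '
        if ($v.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ($row['cs-method'] -ne 'POST' -or $row['cs-uri-stem'] -notmatch $scriptExt) { continue }
        $k = "$($row['cs-uri-stem']) <- $($row['c-ip'])"
        $when = "$($row['date']) $($row['time'])"
        if (-not $hits.ContainsKey($k)) { $hits[$k] = [pscustomobject]@{ Request = $k; Hits = 0; First = $when; Last = $when } }
        $hits[$k].Hits += 1
        $hits[$k].Last = $when
    }
}
$hits.Values | Sort-Object Hits -Descending | Select-Object -First 30 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt as .\triage.ps1 -WebRoot D:\www -LogRoot D:\logs -Days 14, and save the output alongside the backup you made in step 1. The "First" timestamp of the top POST entry is usually the moment the shell was dropped; search the same log for that client IP just before that time to find the request that exploited the vulnerability, which is the fix step 7 asks for.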
 
After completing these steps, what's left is server hardening. Once the problem is solved you should pay more attention to it; for details, refer to the relevant material. That's a separate topic, and besides, I'm a newbie who doesn't specialise in this, so please don't pester me. What I do know: make account and password settings more complex and use a different password for every account, because reused passwords are exactly what social engineering feeds on, and social engineering is far more powerful than you think. Allocate directory permissions on the server strictly; other references cover this. Check the logs, watch the traffic, watch the ports: if someone wants to do something bad on your server there will certainly be plenty of movement, so just pay attention to the details.
