Emergency remediation methods an administrator should refer to when a Windows server is compromised

Source: Internet
Author: User
Tags: system log
An attacker who breaks into a system is always driven by some main purpose: showing off technique, obtaining a company's confidential data, disrupting the normal business processes of an enterprise, and so on. Sometimes the purpose changes after the break-in: an intrusion that started as a display of technique may turn into data theft once the attacker finds important confidential data inside the system and is tempted by the profit to be made from it.
Different attack methods cause different ranges of impact and different losses, so different kinds of system intrusion should be handled with different methods. Only when the response is matched to the type of intrusion can the remedy be targeted and achieve the best result.
I. System intrusion recovery where the purpose is showing off technique
Some attackers break into a system to show off their network skills to peers or others, or to experiment with a system vulnerability. In such cases the attacker usually leaves evidence in the compromised system that proves the break-in succeeded, and sometimes publishes the exploit in an Internet forum. An attacker who breaks into a web server, for example, will change the site's home page to show that the system was compromised, or will install a backdoor to turn the system into a "broiler" (a bot under the attacker's remote control) and then openly sell it or announce in a forum that the system was compromised. We can therefore divide this type of intrusion into two kinds: intrusions that aim to control the system, and intrusions that modify the content of the service.
For intrusions that modify the content of the service, system recovery can be completed without downtime.
1. Handling methods to use
(1) Take a full snapshot of the compromised system in its current state, or at least keep a snapshot of the modified parts, for later analysis and retention as evidence.
(2) Immediately restore the modified pages from backup.
(3) On Windows, view the current network connections with network monitoring software or the "netstat -an" command; if an abnormal connection is found, disconnect it immediately. Then check the system processes and services, and analyse the system and service log files, to find out what else the attacker did in the system, so that each change can be undone.
(4) Find the vulnerability the attacker exploited by analysing the system log files or by running a vulnerability scanner. If the attacker exploited a vulnerability in the system or in a network application, look for a vendor patch and apply it; if no patch exists, use other means to temporarily prevent the vulnerability from being exploited. If the attacker got in by other means, such as social engineering, and a scan shows no new vulnerability, this step is unnecessary, but the people targeted by the social engineering must be identified and trained.
(5) After fixing the system or application vulnerability, add corresponding firewall rules to prevent a recurrence; if IDS/IPS or anti-virus software is installed, update their signature databases as well.
(6) Finally, run a thorough vulnerability scan of the system or service with the appropriate detection software, making sure its signature database is up to date before scanning. After all of this work is complete, the system should be monitored in real time for a further period to make sure it is not compromised again by the same kind of intrusion.
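The evidence snapshot in step (1) and the connection check in step (3) can be done in one pass, and mapping each connection to its owning process tells the responder what to look at next. The following PowerShell script is an added example, not code from the original article. It assumes Windows Server 2012 or later (for Get-NetTCPConnection), an elevated session, a hypothetical evidence folder under C:\IR, and a constructed allow-list of expected listening ports and remote networks that must be replaced with the server's real ones.

```powershell
# Added example: snapshot live TCP connections, join each to its owning process,
# and flag anything outside an allow-list. Run in an elevated session so that
# process paths and start times of service processes are readable.

$EvidenceDir = "C:\IR\$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # hypothetical evidence folder
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Constructed allow-list: ports this server legitimately listens on and the
# networks it is expected to talk to (e.g. the backup and database servers).
$ExpectedListenPorts = @(80, 443, 3389)
$ExpectedRemoteNets  = @('10.0.0.', '192.168.1.')   # simple prefix match, an assumption

function Get-ConnectionSnapshot {
    # One row per TCP connection, joined to the owning process name and image path.
    Get-NetTCPConnection | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            PID           = $_.OwningProcess
            Process       = $proc.ProcessName
            Path          = $proc.Path
        }
    }
}

function Test-SuspiciousConnection {
    param($Conn)
    # A listener on a port we do not expose, or an established session to a
    # network we do not normally reach, deserves a closer look.
    if ($Conn.State -eq 'Listen') {
        return ($Conn.LocalPort -notin $ExpectedListenPorts)
    }
    if ($Conn.State -eq 'Established') {
        $known = $ExpectedRemoteNets | Where-Object { $Conn.RemoteAddress.StartsWith($_) }
        return ((-not $known) -and ($Conn.RemoteAddress -notin @('127.0.0.1', '::1')))
    }
    return $false
}

# 1. Preserve the full picture first (evidence), then triage.
$snapshot = Get-ConnectionSnapshot
$snapshot | Export-Csv -Path (Join-Path $EvidenceDir 'tcp-connections.csv') -NoTypeInformation
Get-Process -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv -Path (Join-Path $EvidenceDir 'processes.csv') -NoTypeInformation

# 2. Report rather than kill: the responder decides what to disconnect, and
#    the snapshot above already records what was there before any action.
$suspicious = $snapshot | Where-Object { Test-SuspiciousConnection $_ }
$suspicious | Format-Table LocalPort, RemoteAddress, RemotePort, State, PID, Process, Path -AutoSize
```

The script deliberately does not terminate anything: the CSV files are the "snapshot of the modified part" that step (1) asks for, and the flagged rows are the input to the manual review in step (3). Compared with "netstat -an", the PID and image path columns show which binary holds each connection, which is what you need when deciding whether a listener is a legitimate service or a backdoor.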
If the attacker's aim is to turn the system into a broiler, a backdoor will be installed so that the system can be controlled for a long time. At the same time, to avoid discovery by a user or administrator, the attacker will do everything possible to hide the traces of the operation and the installed backdoor.
We can therefore only tell whether the system is under the attacker's control by examining the system processes, the state of the network connections and port usage. If it is determined that the system has become an attacker's broiler, intrusion recovery should proceed as follows:
(1) Immediately work out when the system was compromised and the scope and severity of the impact, then take a snapshot of the compromised system to preserve its current damaged state for later analysis and as evidence.
(2) Use network connection or port monitoring software to examine the current network connections and port usage; if an illegal connection is found, disconnect all such connections immediately and add firewall rules that block the IP address or port.
(3) Use Windows Task Manager to check whether any illegal process or service is running, and terminate all illegal processes found. Some specially crafted backdoor processes do not appear in Task Manager; tools such as IceSword can reveal these hidden processes, services and loaded kernel modules so that they can all be terminated.
Sometimes a backdoor process cannot be terminated in these ways. Then the only option is to suspend the business and work in Safe Mode. If the backdoor processes cannot be terminated even in Safe Mode, back up the business data, restore the system to a state from a known-clean time, and then restore the business data.
This causes a business interruption, so it should be done as quickly as possible to reduce the impact and loss. We should also check the system services for an unregistered backdoor service, by opening Services under Control Panel - Administrative Tools, and disable every illegal service found.
(4) While looking for backdoor processes and services, record every process and service name found, then search the system registry and the system partition for them and remove all associated data. Also delete all the items under Start menu - All Programs - Startup.
(5) Analyse the system logs to learn how the attacker got into the system and what was done there, then undo every change the attacker made. If a system or application vulnerability was exploited, find the appropriate patch and fix it.
If no patch is yet available for the vulnerability, use other security measures, such as blocking the network connections of certain IP addresses at the firewall, to temporarily prevent attacks through the vulnerability, and keep watching the vulnerability's status so that the system can be patched as soon as a fix is released. Patching of systems and applications can be automated with suitable software.
(6) After completing the repair work, run a comprehensive vulnerability scan of the system and applications with a vulnerability detection tool to make sure no known vulnerability remains. Also check manually whether new user accounts have been added to the system and whether installed settings were modified by the attacker, such as firewall filtering rules or IDS/IPS detection sensitivity, and re-enable the services and security software the attacker disabled.
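Steps (3), (4) and (6) above all amount to enumerating the places where a backdoor can register itself and comparing them with what the server is supposed to run. The following PowerShell script is an added example, not code from the original article; it collects services, Run/RunOnce registry keys, the Startup folders, non-Microsoft scheduled tasks and local accounts into one report. It assumes an elevated session on Windows Server 2012 or later (for Get-ScheduledTask) with the Microsoft.PowerShell.LocalAccounts module (Server 2016 or later for Get-LocalUser); the intrusion time and the output path are constructed placeholders.

```powershell
# Added example: one report of the common Windows persistence points, so that
# each entry can be checked against the server's known configuration.

$Since  = [datetime]'2024-01-01T00:00:00'    # constructed placeholder: estimated intrusion time
$Report = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Kind, [string]$Name, [string]$Detail)
    $Report.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# Services: judge by the binary path and start mode, a service name can be anything.
Get-CimInstance Win32_Service | ForEach-Object {
    Add-Finding 'Service' $_.Name "$($_.State) | $($_.StartMode) | $($_.PathName)"
}

# Autorun registry keys (per-machine and per-user Run/RunOnce).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |      # drop the PSPath/PSDrive metadata
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value }
    }
}

# Startup folders (the "Start menu - All Programs - Startup" items in the text).
$StartupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $StartupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupItem' $_.Name $_.FullName }
}

# Scheduled tasks are a persistence point the text does not list but the same
# sweep should cover; Microsoft's own task paths are skipped to reduce noise.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $actions
}

# Local accounts, marking any whose password was set inside the intrusion window (step 6).
Get-LocalUser | ForEach-Object {
    $flag = if ($_.PasswordLastSet -and $_.PasswordLastSet -ge $Since) { 'CHANGED-SINCE-INTRUSION' } else { '' }
    Add-Finding 'LocalUser' $_.Name "Enabled=$($_.Enabled) LastLogon=$($_.LastLogon) $flag"
}

# Keep a machine-readable copy with the rest of the evidence, then show it.
$Report | Export-Csv -Path 'C:\IR\persistence-report.csv' -NoTypeInformation   # hypothetical path
$Report | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

The report is meant to be diffed against the same output from a clean build or a sibling server: entries that exist only on the compromised host are the names to record and then hunt for in the registry and on the system partition, as step (4) describes. A user-mode listing like this will not show a kernel-mode rootkit that hides its process or service, which is why the text also calls for a tool such as IceSword.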
2. Further measures to secure the result of the intrusion recovery
(1) Change the account names and login passwords of the system administrator and other users;
(2) Change the administrator and user account names and login passwords of the database and other applications;
(3) Check the firewall rules;
(4) If anti-virus software and IDS/IPS are installed, update their virus database and attack signature database respectively;
(5) Reset user rights;
(6) Reset the access control rules of the file system;
(7) Reset the access control rules of the database;
(8) Change the names and login passwords of all accounts related to network operations in the system.
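Items (5) and (6) in the list above are easy to state and tedious to verify by hand. The following PowerShell script is an added example, not code from the original article; it lists members of the local Administrators group that are not on an expected list, lists explicit (non-inherited) access entries on a data folder granted to identities outside an expected set, and shows how to remove a confirmed rogue entry. The expected lists, the folder path and the example identity are assumptions for illustration; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later) and an elevated session.

```powershell
# Added example: review local admin membership and explicit file ACLs against
# expected values, so that "reset user rights" and "reset the file access
# control rules" become concrete, checkable steps.

$ExpectedAdmins     = @("$env:COMPUTERNAME\Administrator", 'CORP\ServerAdmins')        # constructed
$DataFolder         = 'D:\CompanyData'                                                  # constructed
$ExpectedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CORP\Finance') # constructed

function Get-UnexpectedAdmins {
    param([string[]]$Expected)
    # Get-LocalGroupMember reports both local and domain principals.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -notin $Expected } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UnexpectedAces {
    param([string]$Path, [string[]]$Expected)
    # Only explicit entries: inherited ones come from the parent and are reviewed there.
    (Get-Acl -Path $Path).Access |
        Where-Object { (-not $_.IsInherited) -and ($_.IdentityReference.Value -notin $Expected) } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } }, FileSystemRights, AccessControlType
}

function Remove-AceForIdentity {
    param([string]$Path, [string]$Identity)
    # Removes every explicit ACE for one identity and writes the ACL back.
    $acl     = Get-Acl -Path $Path
    $targets = $acl.Access | Where-Object { (-not $_.IsInherited) -and ($_.IdentityReference.Value -eq $Identity) }
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

"== Local Administrators not on the expected list =="
Get-UnexpectedAdmins -Expected $ExpectedAdmins | Format-Table -AutoSize

"== Explicit ACEs on $DataFolder for unexpected identities =="
Get-UnexpectedAces -Path $DataFolder -Expected $ExpectedIdentities | Format-Table -AutoSize

# After manual review, remove a confirmed rogue entry (hypothetical identity):
# Remove-AceForIdentity -Path $DataFolder -Identity "$env:COMPUTERNAME\backdoor-user"
```

Run the two report functions first and record their output with the rest of the evidence; only then remove entries, one identity at a time, so that the change can be traced back to a finding. The same pattern (list explicit entries, compare with an expected set, remove the rest) applies to any folder that holds confidential data.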
Once all of the recovery and patching tasks above are complete, we can make a full backup of the system and services and keep the new full backup separate from the old one.
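Before that fresh full backup is taken it is worth confirming exactly which files changed, and since an attacker can rewrite a file's modification and access times (the point made in the next paragraph), the comparison has to rest on content hashes rather than timestamps. The following PowerShell functions are an added example, not code from the original article: they record a SHA-256 baseline of a directory and later report files that were added, removed or modified relative to it. The web root and baseline paths are assumptions.

```powershell
# Added example: hash-based file integrity baseline and comparison. Timestamps
# are deliberately ignored because they are trivial to forge; the hashes must be
# taken from a known-good state and the baseline kept off the server.

function New-IntegrityBaseline {
    param([string]$Root, [string]$BaselinePath)
    # Store the relative path and SHA-256 of every file under $Root.
    $rootFull = (Resolve-Path $Root).Path
    Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $BaselinePath -NoTypeInformation
}

function Compare-IntegrityBaseline {
    param([string]$Root, [string]$BaselinePath)
    # Returns Added / Removed / Modified findings relative to the stored baseline.
    $rootFull = (Resolve-Path $Root).Path
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.RelativePath] = $_.Sha256 }
    $current = @{}
    Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        $current[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $findings = @(foreach ($rel in $current.Keys) {
        if (-not $baseline.ContainsKey($rel)) {
            [pscustomobject]@{ Change = 'Added';    Path = $rel }
        } elseif ($baseline[$rel] -ne $current[$rel]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $rel }
        }
    })
    $findings += @(foreach ($rel in $baseline.Keys) {
        if (-not $current.ContainsKey($rel)) { [pscustomobject]@{ Change = 'Removed'; Path = $rel } }
    })
    $findings
}

# Usage with assumed paths: take the baseline from a clean deployment, keep the
# CSV on separate media, and diff against it during the response.
# New-IntegrityBaseline     -Root 'C:\inetpub\wwwroot' -BaselinePath 'D:\baseline\wwwroot.csv'
# Compare-IntegrityBaseline -Root 'C:\inetpub\wwwroot' -BaselinePath 'D:\baseline\wwwroot.csv' |
#     Format-Table -AutoSize
```

A baseline taken after the compromise is worthless, because it would enshrine the attacker's files as "known good"; take it at deployment time and again after each legitimate change, and store it where the server's own accounts cannot rewrite it. For a defaced web site, the Modified list is also the exact set of pages that step (2) of the first procedure has to restore from backup.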
It should be noted that in intrusions whose purpose is to control the system, attackers will find ways to hide themselves from the user. Besides modifying or deleting the logs of the system, the firewall and related software, a clever attacker will also use software to alter the basic attributes of the files he creates or modifies, including the last access time and modification time, so that a user inspecting file properties does not realise the system has been compromised. Therefore, when checking whether system files have been modified, file integrity detection should be done with software such as RootkitRevealer.

II. System intrusion recovery where the purpose is obtaining or damaging confidential data in the system
Today the most valuable IT resource of an enterprise is, of course, the confidential data held on its devices. At present most attackers carry out system intrusions precisely in order to obtain a company's confidential data, so that they can sell the stolen data for illegal gain.
If the enterprise's confidential data is stored directly as files in folders on a system partition, and those folders are not protected by encryption or other security measures, an attacker can easily reach the confidential data once the system is compromised. A large number of small and medium-sized enterprises still use this unprotected file storage mode, which makes things much more convenient for attackers.
Most small and medium-sized enterprises, however, save their data on dedicated storage devices, and devices used specifically for confidential data are generally also protected by a hardware firewall. To obtain the confidential data on such devices after compromising a system, an attacker must either carry out further intrusion attacks against the storage devices or use a network sniffer to capture confidential data as it is transmitted over the internal LAN.
For some small and medium-sized enterprises, confidential data such as customer files, production plans, new product research documents and product drawing libraries can be said to be their lifeblood; if it leaks to a competitor, the intrusion may even bankrupt the company. To minimise the data loss caused by an intrusion, the best approach is to stop the intrusion from progressing before the database is compromised, which is the point of rescuing the confidential data in the system.
Imagine that when we discover the intrusion, all the confidential data has already been stolen or deleted: even if we restore the deleted data from backup, the loss caused by the disclosure is not reduced at all. We must therefore detect this kind of intrusion in time; recovery is only meaningful if the attacker has not yet obtained or deleted the confidential data.

Of course, whether or not confidential data has been lost, once the system has been compromised the recovery work must be done. For intrusions aimed at obtaining or destroying confidential data, we can still proceed according to the stage the intrusion has reached, dividing this type into two kinds: intrusions in which confidential data has not yet been obtained or destroyed, and intrusions in which it has.

1. Recovering a compromised system whose confidential data has not yet been obtained or destroyed
Suppose we have found that the system is compromised and, by analysing the system logs or by directly observing the attacker's subsequent attempts to reach the database, we know that the attacker has entered the system but has not yet stolen the confidential data. We can respond to such an intrusion in the following ways. If the enterprise does not allow system downtime while handling this kind of intrusion, it should be handled like this:
(1) Immediately locate the network connection to the source of the attack, disconnect it, and block it by adding firewall rules. Usually, if we disconnect the attack source right at the start, the attacker notices at once and disappears quickly to avoid being traced. So if we want to catch the attacker and have him punished by law, we can take a snapshot of the current system state without affecting the confidential data in the database, then use IP tracing software to trace the attacker back, locate him, and only then disconnect his network connection.
We should note, however, that reverse tracing has some impact on normal system business, and that an attacker who notices it will sometimes make a final strike and destroy the system before escaping, so security precautions must be kept up while tracing. Most enterprises, though, mainly want to restore normal operation as soon as possible and reduce the loss from the intrusion, so disconnecting the network connection to the attack source immediately is the best way to deal with it.

(2) Take a snapshot of the current state of the compromised system for later analysis and retention as evidence.

(3) Identify the vulnerability the attacker used by analysing log files and running vulnerability detection tools, and then find out how the vulnerability was obtained. If the attacker discovered the vulnerability himself, there may not be a patch for it yet, so other means are needed to temporarily prevent it from being exploited. If the attacker obtained the vulnerability from the Internet and it has been known for some time, a fix may exist, in which case the patch can be downloaded from the vendor's service website and applied. If the attacker got in by social engineering, the targeted staff and all employees should be trained to reduce the chance of being exploited again.

(4) Change the database administrator account name and login password, create new accounts and passwords for the users who work with the data, and modify the database access rules. The rest of the recovery work can be carried out according to the method described above for intrusions aimed at controlling the system.

2. Recovering a compromised system whose confidential data has already been obtained or deleted

If, when we discover the intrusion, the attacker has already obtained or deleted all or part of the confidential data in the system, this is not the time to try to salvage the lost data, but to protect the data that has not been affected. Since such an event is already a particularly serious intrusion, our first action is to disconnect the source of the attack as soon as possible.
If downtime is allowed for handling such a serious intrusion, the compromised system can be disconnected from the network directly by unplugging the cable. If the system still cannot be taken down, use network connection monitoring software to find the connections between the system and the attack source, disconnect them, and add rules to the firewall to block connections to the attack source. The aim is to stop the intrusion from getting worse and to protect the data that has not been affected.

After disconnecting from the attack source, we should immediately analyse the scope and severity of the data loss, find out which data has not been affected, and then back up or isolate the unaffected data at once. Intrusions in which data has been lost fall into the following three categories:

(1) Data has been stolen
If, when examining the database, we find that no data has been deleted or modified, but the system and firewall logs show that the attacker entered the database and opened or copied some tables, we can conclude that the attacker only stole data and did nothing else. In this case, restore the system to its normal state in the way described earlier, fix the vulnerabilities in the system and database applications, scan for weaknesses, and then make a full backup once there are no further problems. The names and login passwords of the system administrator and database administrator accounts should also be changed, all as described earlier; only a little extra database recovery work is needed.

(2) Data has been modified
If the analysis of the database damage shows that the attacker did not open database tables but instead added to or modified the contents of a table through database commands, we must find the affected rows in these tables one by one and correct or delete them all. If the modified content concerns a public record, for example driving licences issued by a government office, diplomas issued by an educational institution, or licences issued by other bodies, the attacker's changes must also be announced publicly, stating that the modified or added content is invalid, to avoid unnecessary social impact. The rest of the system and database recovery is handled in the same way as for stolen data.

(3) Data has been deleted
If the analysis of the database damage shows that the attacker not only obtained confidential data but also completely removed the corresponding database tables from the system, we should begin recovering the deleted data as soon as the network connection is cut.
When restoring the deleted data from backup, it is important to determine when the system was compromised before restoring, so that we know which backups are usable. If we run a daily incremental backup of the database, then once the attacker has deleted the contents, the illegally modified database is backed up too, so incremental backups taken after the intrusion are unusable. Likewise, any full backup taken while the system was compromised is also unusable.
If downtime is allowed, we can remove the hard disk from the system, attach it to another system, and recover the deleted files with file recovery software; but deleted database table contents can only be reconstructed slowly from the paper records that remain.
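The rule in the paragraph on backup timing (every full or incremental backup taken at or after the intrusion time is tainted, so the restore chain is the last clean full backup plus the clean incrementals after it) is easy to get wrong under pressure. The following PowerShell function is an added example, not code from the original article: given an intrusion time and a backup catalogue, it returns the restorable chain and the point from which data must be reconstructed by other means. The catalogue and the intrusion time are constructed.

```powershell
# Added example: select the backup chain that can be restored once the
# intrusion time is known. Anything taken at or after that time is excluded.

function Get-RestoreChain {
    param(
        [datetime]$IntrusionStart,
        [object[]]$Catalog    # objects with Name, Type ('Full' | 'Incremental'), Taken (datetime)
    )
    $clean    = $Catalog | Where-Object { $_.Taken -lt $IntrusionStart } | Sort-Object Taken
    $lastFull = $clean | Where-Object { $_.Type -eq 'Full' } | Select-Object -Last 1
    if (-not $lastFull) {
        return [pscustomobject]@{ Restorable = $false; Chain = @(); DataLossFrom = $null
                                  Reason = 'No full backup predates the intrusion' }
    }
    # Clean incrementals that follow the chosen full backup, in chronological order.
    $incs = @($clean | Where-Object { $_.Type -eq 'Incremental' -and $_.Taken -gt $lastFull.Taken })
    $lossFrom = if ($incs.Count -gt 0) { $incs[-1].Taken } else { $lastFull.Taken }
    [pscustomobject]@{
        Restorable   = $true
        Chain        = @($lastFull) + $incs
        DataLossFrom = $lossFrom      # changes after this moment are not in any usable backup
        Reason       = "Backups taken at or after $IntrusionStart are excluded"
    }
}

# Constructed catalogue: weekly full backup, daily incrementals.
$catalog = @(
    [pscustomobject]@{ Name = 'full-0101'; Type = 'Full';        Taken = [datetime]'2024-01-01T02:00:00' },
    [pscustomobject]@{ Name = 'inc-0102';  Type = 'Incremental'; Taken = [datetime]'2024-01-02T02:00:00' },
    [pscustomobject]@{ Name = 'inc-0103';  Type = 'Incremental'; Taken = [datetime]'2024-01-03T02:00:00' },
    [pscustomobject]@{ Name = 'inc-0104';  Type = 'Incremental'; Taken = [datetime]'2024-01-04T02:00:00' },
    [pscustomobject]@{ Name = 'full-0108'; Type = 'Full';        Taken = [datetime]'2024-01-08T02:00:00' }
)

# Suppose the logs place the intrusion at 2024-01-03 14:30. Then inc-0104 and
# full-0108 are tainted; the chain is full-0101 + inc-0102 + inc-0103, and data
# written after 03 Jan 02:00 has to be reconstructed from other records.
$result = Get-RestoreChain -IntrusionStart ([datetime]'2024-01-03T14:30:00') -Catalog $catalog
$result.Chain | Format-Table Name, Type, Taken -AutoSize
"Restorable: $($result.Restorable); data loss from: $($result.DataLossFrom)"
```

The interesting output is DataLossFrom rather than the chain itself: it is the earliest moment from which the paper records mentioned above have to be used, and it is often much earlier than the time the intrusion was noticed. If the intrusion time is uncertain, use the earliest plausible estimate; restoring a backup that turns out to contain the attacker's changes repeats the compromise.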

From this we can see that backups do not solve every system intrusion problem, but they are still one of the fastest and most effective ways to restore a system to normal. It also shows how important timely detection of a compromise is for rescuing the confidential data in the system.

III. System intrusion recovery where the purpose is disrupting the system or the normal operation of the business

When an attacker's purpose is to stop the system, or the business running on it, from operating normally, a successful intrusion of this kind causes a system outage and a business interruption.
When handling this kind of intrusion there is no need to consider whether the system can be processed without downtime: the system is already not running normally, so such considerations are superfluous, and the most important thing is to restore normal operation as soon as possible. There are several categories of these events, each handled slightly differently:

1. The system runs normally, but the business has been interrupted
For such intrusions we can work without downtime and restore the business to normal operation directly from the system's online backup, but before restoring we must determine when the system was compromised and therefore which backups are usable. Then restore the system and business to normal by the intrusion recovery methods described earlier in this article.
For enterprises without redundant systems, if the business is urgently needed, the backup is used directly to get the business running properly. However, while the system or application vulnerability remains unrepaired, real-time monitoring of the system must be arranged, including network connections and process state, and the IDS/IPS detection improved and corresponding firewall rules added to protect the system temporarily.
2. The system cannot operate normally, but the system and the business-related content have not been damaged
Here our first task is to restore normal operation as soon as possible while ensuring that the system's business data is not compromised. If the important business data is not on the system partition, the system can be quickly restored from a full system backup after disconnecting it from the network; this is the quickest solution.

However, to protect the integrity of the current business data, if all or part of the business data is stored on the system partition, we should first boot a WinPE system, for example from a WinPE disc, and back up all the important business data to a separate storage device. The system partition is then restored from backup.

If we find that no usable full backup of the system exists, we can restore normal operation by performing a fresh installation of the operating system, in a way that ensures the important business data is not lost, and then installing the business applications. Since this is a newly installed operating system, it should not be connected to the network without special need until the system and applications have been properly secured and fully backed up.
The rest of the recovery work can be carried out according to the method described above for intrusions aimed at controlling the system.

3. The system cannot operate normally, and the business in the system has been destroyed
Here, first restore the system to normal operation in the second way above, then reinstall the business-related applications in the system and try to restore the business data from backup. The rest of the recovery work can be carried out according to the method described above for intrusions aimed at controlling the system.

When a system or business has been damaged and cannot run, impact and loss are certain; the aim of the above is to speed up recovery of the system and business, shorten the time they are out of operation, and minimise the impact and loss caused by the downtime or business interruption.

When recovering a compromised system, some special business, such as an e-mail server, deserves attention: the enterprise depends on it, since the mail server provides mail to employees and customers, and if it is taken out of service, normal business communication is affected. Therefore, before performing intrusion recovery on a mail server with the methods described earlier, the following should be done:

(1) Enable temporary mailboxes; if the affected mail server belongs to the enterprise itself, mailboxes from mail providers such as Sina or 163 can be requested as a substitute.
(2) Inform suppliers and partners of the temporary mailbox details as soon as possible.
(3) Once this is done, carry out the intrusion recovery of the mail server system in the same way as described earlier in this article.

IV. Post-incident analysis
After successfully completing the handling of any type of system intrusion, we also need to complete another important related task: the post-incident analysis of the intrusion and of the way it was handled.

Post-incident analysis relies on thorough documentation, so while handling the compromised system we should record all the operations and methods of the response in detail. In addition, in the recovery procedures described above a snapshot of the compromised system's current state is required before each recovery, and one purpose of that snapshot is to serve the later intrusion analysis.

By analysing the compromised system we can understand the extent of the intrusion's impact and the severity of the loss, as well as the time, labour and material costs of handling it. On the other hand, by analysing the intrusion we can understand how the attacker got into the system.

By understanding the attacker's methods of intrusion we can derive the corresponding preventive measures and bring the valuable experience into our security work, so that we know how to deal with similar intrusions in the future. It can also be used to amend non-standard content in the security policy or add new policy, so that the security policy keeps up with the security requirements of each period.

Likewise, analysing the handling of each intrusion lets us know whether we or the incident handling team acted correctly, whether unnecessary operations were performed, whether human errors occurred and how they arose, which actions improved the efficiency of the response, and other useful information. After analysing the recovery process, we can strengthen the corresponding incident response capability, find non-standard content in the incident response plan, and correct it.

The conclusions of the analysis of the intrusion and of its recovery process should all be recorded in writing and reported to senior management. The results should also be sent to every incident response team member, or distributed to the departments of the enterprise for study, to prevent a recurrence of the same kind of intrusion. If necessary, partners and customers can be notified of the event and its handling to help them prevent similar intrusions, and the system or application vendor can be informed so that it can produce the appropriate patch as soon as possible.

Whether to disclose to the media that the system was compromised, and the details of the intrusion, is for the enterprise to decide according to its actual situation; sometimes a timely release of this information increases confidence in the enterprise's services.

We have discussed here some of the content related to system intrusion recovery. Because of the limited space of this article, and because new attacks will keep appearing, it is not possible to describe recovery methods for every type of intrusion in detail. But whatever kind of intrusion occurs, only by applying the right remedy is it possible to keep the loss from the intrusion to a minimum.

The above is just a discussion of some remedial ideas and handling methods for a server after an intrusion. I hope nobody will ever need to use them, haha -_- because I do not want your server to be compromised. If there are any special circumstances or difficult problems you cannot solve yourself, you can find Jack of "webmaster safety nets" to solve them, QQ: 281792208. Professional, so trustworthy!
