Many people like to break into Windows 2000. On top of the many exploitable vulnerabilities there is graphical remote control over port 3389 (Terminal Services), and write-ups on intruding Win2000 are everywhere, so it is convenient. But do you know what footprints you leave behind in the system? I recently did an intrusion analysis and found a lot of things. Of course, it is estimated that the intrusion time will be listed in the search file as well.
Here we will not analyze the log records of FTP or HTTP, because those are easier to analyze and intrusions through them are easier to prevent: guessing an account and password there is troublesome (provided the security configuration is reasonable).
1. System logging. A good administrator should record as much as can be recorded. In the Local Security Policy, enable as many audit policy entries as possible. You will find that, with all audit categories selected (as long as you do not have too many accounts), the entire sequence of operations and accesses performed by an account is fully recorded. The Event Viewer holds the most: all audit events can be viewed in the Security log.
Let's look at a logon/logoff event record for an account:

    Session disconnected from winstation:
    User Name: guest
    Domain: Refdom
    Logon ID: (0x0, 0x28445D9)
    Session Name: unknown
    Client Name: GUDULOVER
    Client Address: 202.103.117.94

This is a 3389 logon event. The system records the client IP address, the client machine name and the user name that was used. Quite complete.
This is a detailed (process tracking) record:

    A new process has been created:
    New Process ID: 4269918848
    Image File Name: \WINNT\system32\CMD.EXE
    Creator Process ID: 2168673888
    User Name: Refdom$
    Domain: Refdom
    Logon ID: (0x0, 0x3E7)

This is an example of the record left when something is run as LocalSystem: a single execution is logged, here cmd.exe started under the system account rather than something like net user (of course there is still much else one could do). Be careful, though: if you have too many log records and the log space fills up, Windows will not record new events. Select "overwrite events as needed" in the log properties so that new events keep being recorded, but then the event you want to analyze may itself be overwritten. Unfortunately, records as conspicuous as these rarely survive for long.
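The two records above share one useful key: the Logon ID. A process-creation record carries the Logon ID of the session that started it, so it can be joined back to the logon record of that session, which is where the client name and client address live. The following added example (my own code, not from the original article) parses Security-log detail text laid out one field per line as the Event Viewer shows it, groups the events by Logon ID, and reports which remote session ran cmd.exe. The event texts in SAMPLE_EVENTS, including the names, IDs and the address, are constructed sample data; the function names are my own.

```python
"""Parse Windows 2000 Security-log detail text and correlate events by Logon ID.

Added example, not from the original article. The field names follow the
Event Viewer layout; the event contents below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample: detail text of three audit events, one field per line
# as the Event Viewer shows them. Names, IDs and the address are made up.
SAMPLE_EVENTS = [
    """Successful Logon:
    User Name: guest
    Domain: REFDOM
    Logon ID: (0x0,0x28445D9)
    Client Name: GUDULOVER
    Client Address: 192.0.2.10""",
    """A new process has been created:
    New Process ID: 4269918848
    Image File Name: \\WINNT\\system32\\cmd.exe
    Creator Process ID: 2168673888
    User Name: guest
    Domain: REFDOM
    Logon ID: (0x0,0x28445D9)""",
    """A new process has been created:
    New Process ID: 1234
    Image File Name: \\WINNT\\system32\\services.exe
    Creator Process ID: 8
    User Name: REFDOM$
    Domain: REFDOM
    Logon ID: (0x0,0x3E7)""",
]

# "Key: value" lines; the key is a run of words, the value is the rest of the line.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_event(text):
    """Turn one event's detail text into a dict. The first line (the event
    summary, e.g. 'Successful Logon') is stored under 'Summary'."""
    lines = text.strip().splitlines()
    fields = {"Summary": lines[0].strip().rstrip(":")}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def correlate_by_logon_id(events):
    """Group parsed events by Logon ID. A process-creation record carries the
    Logon ID of the session that started it, so it can be traced back to the
    logon record (and the client address) of that session."""
    sessions = defaultdict(lambda: {"logon": None, "processes": []})
    for ev in events:
        logon_id = ev.get("Logon ID")
        if not logon_id:
            continue
        if "Image File Name" in ev:
            sessions[logon_id]["processes"].append(ev["Image File Name"])
        elif "Client Address" in ev:
            sessions[logon_id]["logon"] = ev
    return dict(sessions)


def remote_sessions_that_ran(events, image_suffix="cmd.exe"):
    """Return (user, client address, image) for each process whose image name
    ends with image_suffix and whose session has a logon with a client address.
    Sessions without such a logon (e.g. the 0x3E7 SYSTEM session) are skipped."""
    hits = []
    for session in correlate_by_logon_id(events).values():
        logon = session["logon"]
        if logon is None:
            continue
        for image in session["processes"]:
            if image.lower().endswith(image_suffix.lower()):
                hits.append((logon["User Name"], logon["Client Address"], image))
    return hits


if __name__ == "__main__":
    parsed = [parse_event(t) for t in SAMPLE_EVENTS]
    for user, addr, image in remote_sessions_that_ran(parsed):
        print(f"{user} from {addr} ran {image}")
```

The SYSTEM session (Logon ID 0x3E7) never has a logon record with a client address, so its process creations are reported as local and are not attributed to any remote client; that is the distinction between the two records in the text. Real exported logs carry a date, time and event ID per record as well, which would be added to the dict the same way.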
2. Plenty of traces are also left in the "Documents and Settings" directory. This directory holds the profiles of all accounts, and an account's profile directory is created whenever that account enters the GUI, whether over 3389 or at the local console. Let's look at what is in an account's "Documents and Settings" folder. First, set Explorer to show all files and folders so that nothing stays hidden.
"Start Menu": of course, this is a good place; it holds the items in the account's Start menu. "Application Data": data, backups and other things left behind by applications; not very useful for analysis.
"Cookies": if the intruder browsed the web through the 3389 session, there are enough cookies here to tell you where he actually went.
"Local Settings": this is also where temporary data is kept, including Internet Explorer's offline content (Temporary Internet Files); you may find many good websites there. "Recent": this folder is hidden, but it contains a great deal: the directories and files accessed by the account are recorded one by one, so you can see what was used and which files were read.
"Templates": the place where template files are stored.
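What makes these folders useful is their timestamps: every file under Recent, Cookies and Local Settings has a modification time, and lining them up against the logon and logoff times from the Security log shows what the account touched during a session. The added example below (my own code, not from the original article) walks the trace folders of one profile, builds a timeline newest first, and narrows it to a time window. The profile created by build_sample_profile() is constructed sample data with made-up file names and times; the folder list, the SAMPLE_BASE reference time and the function names are my own assumptions.

```python
"""Timeline of trace files left in one account's profile directory.

Added example, not from the original article. The folder names are the
Windows 2000 profile subfolders discussed in the text; the profile built by
build_sample_profile() is constructed sample data, not a real profile.
"""
import os
import tempfile
from datetime import datetime, timezone

# Profile subfolders worth a look. "Recent" carries the hidden attribute on
# disk, but os.walk() lists it regardless of that attribute.
TRACE_FOLDERS = [
    "Recent",
    "Cookies",
    os.path.join("Local Settings", "History"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    os.path.join("Local Settings", "Temp"),
]


def profile_timeline(profile_root, folders=TRACE_FOLDERS):
    """Return [(mtime, path relative to the profile)] for every file under the
    trace folders, newest first."""
    entries = []
    for folder in folders:
        top = os.path.join(profile_root, folder)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(dirpath, name)
                entries.append((os.path.getmtime(full), os.path.relpath(full, profile_root)))
    entries.sort(key=lambda e: e[0], reverse=True)
    return entries


def activity_between(profile_root, start, end, folders=TRACE_FOLDERS):
    """Relative paths of trace files modified within [start, end] (UNIX time),
    newest first. Use the logon/logoff times from the Security log as the
    window to see what the account touched during that session."""
    return [path for mtime, path in profile_timeline(profile_root, folders)
            if start <= mtime <= end]


def format_timeline(entries):
    """Render timeline entries as 'UTC timestamp  path' lines."""
    return [f"{datetime.fromtimestamp(m, timezone.utc).isoformat()}  {p}"
            for m, p in entries]


SAMPLE_BASE = 1_000_000_000  # fixed reference time (2001-09-09 UTC), an assumption


def build_sample_profile(root):
    """Create a constructed profile under root with deliberate modification
    times. Returns {relative path: mtime}. Sample data only."""
    sample = {
        os.path.join("Recent", "passwords.txt.lnk"): SAMPLE_BASE - 60,
        os.path.join("Local Settings", "Temp", "scan.log"): SAMPLE_BASE - 120,
        os.path.join("Cookies", "guest@example.test.txt"): SAMPLE_BASE - 3600,
        # Outside the trace folders: must not appear in the timeline.
        os.path.join("Start Menu", "Programs", "ignored.lnk"): SAMPLE_BASE,
    }
    for rel, mtime in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (mtime, mtime))
    return sample


def demo():
    """Build the sample profile in a temporary directory and return
    (timeline paths newest first, paths touched in the 3 minutes before SAMPLE_BASE),
    with paths normalised to forward slashes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        timeline = [p.replace(os.sep, "/") for _, p in profile_timeline(root)]
        recent = [p.replace(os.sep, "/")
                  for p in activity_between(root, SAMPLE_BASE - 180, SAMPLE_BASE)]
    return timeline, recent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        print("\n".join(format_timeline(profile_timeline(root))))
```

Run it against a real profile by passing the profile path (for example the account's directory under Documents and Settings on a mounted image) to profile_timeline() instead of the constructed one. Work from a copy or a read-only mount: listing is harmless, but opening files with tools that update access times would disturb exactly the evidence being collected.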
3. Once a hacker has got his tools onto the machine, he will surely find a way to obtain administrator rights, and after that he can do whatever he wants. According to the various intrusion tutorials, that of course means dropping scanners to use the host as a bot, installing backdoors, deleting logs... Well, those scanners leave enough logs to support the analysis, and in effect they collect bots on the intruder's behalf for nothing. In addition, the intruder's intentions and skill level can be read from the logs and configuration files of these tools; just take a look, the results of every scan are written down and you can read them. Installed backdoors and proxy stepping stones (single-level ones) are the best find: who is remotely controlling what you do? From the backdoor program we can of course capture where the intruder comes from and where the connection is relayed to, simply by using a sniffing tool; you can even disguise your own Trojan with an interesting file name so that he uses it in turn and gets played along with. Of course, if the intruder is himself operating through another 3389 bot, you will only find that bot. (Take the risk and treat him as the zombie.)