Attackers can hack into your server.

Source: Internet
Author: User

Recently, a friend's company server was broken into by a hacker and he asked me to help. This article is the result.

First of all, we need to understand how the server is currently affected by the intrusion:

According to friends:

1. The server behaves abnormally and the network is very slow.

2. Virus and trojan alerts appear frequently on the server.

3. The logs on the server show signs of having been deleted.

4. There are signs of a trojan attack.

5. The website folder was deleted the next day.

So I started to analyze:

The first thought is of course log analysis, but the logs have been deleted, and data recovery tools also failed. So I turned to logs that are easy to overlook: the anti-virus software's virus detection logs:

A large number of backdoor trojans and hacker tools had been downloaded, including a port 135 scanner, Gray Pigeon, PcShare, S Scanner, and more.

From this we can tell that this hacker is in the habit of collecting bots. One purpose of breaking into the server is to use its bandwidth to capture more personal-PC bots. Of course, we cannot rule out that he would also use our server for DDoS attacks against others.

However, the output of the net user command and the system registry show that these accounts no longer exist; they were deleted after being created and used to log in. Their user directories are still there.

So how did the hacker log in recently? My assumption was that he had obtained the password of the server administrator account. So I checked whether any recent logon records had survived the deletion.

A login record was found, from Sichuan.
</gre_replace>
<gr_replace lines="36" cat="clarify" orig="When you access">
Visiting that address shows a normal website. It is likely a zombie of the same intruder, used as a stepping stone. This intruder is very careful: every path to track him is blocked by his skill. Give up? Of course not! That's not my style!

When you access the website, it is a normal website. It is possible that the zombie of the same intruder logs in as a stepping stone. This intruder is very careful. All the ways to track him are blocked by his clever and skillful skills. Just give up? Of course not! That's not my style!

During further troubleshooting, I found that the server showed symptoms of an AV-terminator-style virus: hidden folders could not be displayed. So we assumed the attacker had run a downloader-style trojan on the server during privilege escalation or an attempted penetration. I searched the Internet for the registry fix that restores the "show hidden files" option, ran it, and then checked every location where hidden files and folders might be. Finally, a hidden file was found in the temporary directory of the Recycle Bin on the D: drive.
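The same two steps in script form, as an added example that is not part of the original article: restore the Explorer "show hidden files" registry value that downloader trojans commonly break, then list hidden files under the Recycle Bin and temp directories without depending on Explorer. The `$roots` list is an assumption; adjust it to your drives.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell session.
# 1) The "show hidden files" option lives in this key and must be a REG_DWORD of 1;
#    malware typically deletes the value or re-creates it as REG_SZ so Explorer ignores it.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$current = Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
$kind = if ($current) { (Get-Item $showAll).GetValueKind('CheckedValue') } else { $null }
if ($null -eq $current -or $kind -ne 'DWord' -or $current.CheckedValue -ne 1) {
    Write-Output "CheckedValue missing or tampered (kind=$kind); restoring REG_DWORD 1"
    Remove-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
    New-ItemProperty -Path $showAll -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
}

# 2) Walk the places the dropper was found and list hidden files directly from the
#    file system. RECYCLER is the XP/2003 recycle bin, $Recycle.Bin the Vista+ one.
$roots = @('C:\RECYCLER', 'D:\RECYCLER', 'D:\$Recycle.Bin', "$env:SystemRoot\Temp", "$env:TEMP")
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            # An empty or whitespace-only base name is the kind of oddity the article hit
            $flag = if ($_.BaseName.Trim() -eq '') { 'SUSPICIOUS-NAME' } else { '' }
            '{0,10} {1:yyyy-MM-dd HH:mm} {2} {3}' -f $_.Length, $_.LastWriteTime, $_.FullName, $flag
        }
}
```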

The file has an empty name and is 246 KB in size. It may be a Gray Pigeon, so I wanted to run it locally and listen on its port. In case the trojan is not a Gray Pigeon, it was first unpacked.

After unpacking, the Autorun.inf code can be viewed in Uedit32.

So it is certain that this file is a trojan downloader. Unfortunately, the download address cannot be found inside the program, so the next step is to capture packets, using the tool we often use to test whether software has a backdoor: Audio and Video Sniffing Expert.

The next step was to take the risk of running the downloader locally:

Capture the packets and obtain the URLs:

Hxxp: // user. free2.7716 *. net/zwj/Ip.txt

Hxxp: // lmhk. go1.icpc *. com/Ip.txt

Anyone who knows these addresses understands at a glance: this is the file holding the bounce (callback) address that the bots use to come online.

We established earlier that this intruder is in the habit of collecting bots. To bring his bots online, he must have filled in the real IP address of his own machine.

This lookup result differs from the one two days earlier, but both are in Anhui. This address is more accurate.

From this we obtained an important piece of information about the intruder: his IP address. If a report is filed, the police can ask the telecommunications department for records from this period, find out who was using this IP address at the time, and then invite him to dinner (prison food).

To quote a "representative": it is not that you cannot be caught, it is that catching you is not worth it. Once your damage reaches a certain level, we will hunt you down at all costs! If you don't want others to know, don't do it in the first place! So here I would like to advise hackers to be careful in their work and never tamper with other people's websites. Use attack and defense technology for legitimate purposes!

Next, let's analyze which weaknesses on my friend's server allowed the intrusion:

1. Disk permissions were left granted to Everyone, so an attacker could jump into any directory.

2. The system had not been maintained for a long time and no patches were installed (I found it was still Windows 2003 SP1!)

3. Serv-U was installed with its management port and default password unchanged, which allows privilege escalation.

4. The MSSQL, MySQL and Tomcat installations also looked weak.

5. Port 3389 (Remote Desktop) was open.

6. There was no firewall, software or hardware, which left the door open to a series of problems: bounce trojans connecting out, trojans being downloaded and run, or commands that make the server browse a specific webpage to escalate privileges. This simple list is a reminder for everyone to pay more attention in the future.
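A quick audit for the weaknesses listed above, as an added example that is not part of the original article. It assumes an elevated PowerShell session on the server; port 43958 is assumed to be Serv-U's default local admin port and should be changed if your install uses another.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell session.
$findings = New-Object System.Collections.ArrayList

# 1. "Everyone" allowed on a fixed-drive root lets a web shell hop into any directory.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    $everyone = (Get-Acl -Path $root).Access | Where-Object {
        $_.IdentityReference -like '*Everyone*' -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($ace in $everyone) {
        [void]$findings.Add("Drive $root grants Everyone: $($ace.FileSystemRights)")
    }
}

# 2. Patch level: OS caption, service pack and the most recent hotfix install date.
$os = Get-WmiObject Win32_OperatingSystem
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
[void]$findings.Add("OS: $($os.Caption) $($os.CSDVersion); last hotfix: $($lastFix.HotFixID) on $($lastFix.InstalledOn)")

# 3 and 5. Management ports exposed on non-loopback addresses (RDP, Serv-U admin/FTP).
# 43958 is an assumption (Serv-U's default admin port); verify against your install.
$watch = @{ 21 = 'FTP (Serv-U?)'; 3389 = 'RDP'; 43958 = 'Serv-U admin' }
netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $parts = ($_.Line -replace '^\s+', '') -split '\s+'   # Proto, Local, Foreign, State, PID
    $local = $parts[1]
    $port = [int]($local.Substring($local.LastIndexOf(':') + 1))
    if ($watch.ContainsKey($port) -and $local -notmatch '^(127\.0\.0\.1|\[::1\]):') {
        [void]$findings.Add("Port $port ($($watch[$port])) listening on $local, PID $($parts[4])")
    }
}

# 6. Host firewall service: SharedAccess on XP/2003, MpsSvc on Vista and later.
$fw = Get-Service -Name SharedAccess, MpsSvc -ErrorAction SilentlyContinue
if (-not ($fw | Where-Object { $_.Status -eq 'Running' })) {
    [void]$findings.Add('No host firewall service is running')
}

$findings | ForEach-Object { Write-Output "[!] $_" }
```

The script only reports; fixing the ACLs, patch level and exposed ports is a change-controlled task for the server owner, not something to automate blindly.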
