Emergency remedy after server intrusion (1)

Source: Internet
Author: User

An attacker always breaks into a system with a primary purpose: to show off technical skill, to obtain confidential enterprise data, or to disrupt the enterprise's normal business processes. That purpose can also change after the intrusion. An attack that began as a demonstration of skill may turn into data theft once the attacker finds important confidential data inside the system and decides it is worth stealing.

Attackers with different purposes use different methods, so the scope of impact and the resulting loss also differ. Each type of system intrusion should therefore be handled in the way that fits it, so that the response is targeted and achieves the best result.

1. System intrusion recovery when the purpose is to show off technique

Some attackers intrude into a system only to show off their network skills to peers or to experiment with a vulnerability. In such cases the attacker usually leaves evidence in the system to prove the intrusion succeeded, and sometimes publishes the result on an Internet forum. For example, after compromising a web server the attacker may change the homepage of the site to announce the intrusion, or install a backdoor that turns the compromised host into a zombie and then sell it or post about it on a forum. This type of intrusion can therefore be divided further into intrusions whose purpose is to control the system and intrusions whose purpose is to modify service content.

For intrusions aimed at modifying service content, system recovery can be completed without stopping the service.

1. Handling methods to be adopted

(1) Create a complete snapshot of the intruded system, or at least save a snapshot of the modified part, for later analysis and as evidence.

(2) Immediately restore the modified web pages from backup.

(3) On Windows, check the system's current network connections with network-monitoring software or the "netstat -an" command. If an abnormal connection is found, close it immediately. Then review the system's processes and services and analyse the system and service log files to determine what the attacker did on the system, so that those changes can be undone.

(4) Analyse the system log files, or run a vulnerability scanner, to learn which vulnerability the attacker exploited to get in. If the attacker exploited a system or application vulnerability, locate and apply the corresponding patch; if no patch is available, use another measure (for example a configuration change or a firewall rule) to temporarily prevent the vulnerability from being exploited again. If the attacker got in by other means, such as social engineering, and a check shows no new vulnerability in the system, this step is not needed; instead, the people who were the targets of the social engineering attack should be informed and trained.

(5) After fixing the system or application vulnerability, add appropriate firewall rules to prevent the same kind of incident from recurring. If IDS/IPS or anti-virus software is installed, update its signature database as well.

(6) Finally, use the system's or the application's own detection software to perform a thorough vulnerability scan of the system or service, making sure the signature database is up to date before scanning. Once all this work is complete, assign dedicated staff to monitor the system in real time for a period, to confirm that the system is no longer being hit by this kind of intrusion.
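The six steps above, as one added PowerShell example that is not part of the original article: it captures volatile evidence first (step 1), diffs the web root against a known-good backup to find exactly which files were defaced or dropped (step 2), ties every established connection to its owning process (step 3), and only then offers the restore and firewall-rule commands (steps 2 and 5), which are left commented out so that running the script for collection alone changes nothing. The web root path, the backup location, the evidence folder and the blocked address are assumptions for the example.

```powershell
# Added example, not from the original article. Paths are assumptions; adjust them
# to the environment before use.
param(
    [string]$WebRoot   = 'C:\inetpub\wwwroot',        # assumed site root
    [string]$KnownGood = 'D:\backup\wwwroot',          # assumed clean backup of the site
    [string]$Evidence  = "C:\IR\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

# Step (1): preserve volatile state before anything is changed.
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
netstat -ano | Out-File "$Evidence\netstat.txt"
Get-Process -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, Path |
    Export-Csv "$Evidence\processes.csv" -NoTypeInformation
Get-Service | Select-Object Name, DisplayName, Status, StartType |
    Export-Csv "$Evidence\services.csv" -NoTypeInformation
# Copy (do not move) the web root as it was found, so the defaced content stays as evidence.
Copy-Item -Path $WebRoot -Destination "$Evidence\wwwroot-asfound" -Recurse -Force

# Step (2): compare SHA-256 hashes of every file in the live site and in the clean
# backup, so the defaced files and any dropped files (e.g. a web shell) are listed
# by name instead of being guessed at.
function Get-TreeHashes([string]$Root) {
    $map = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}
$current = Get-TreeHashes $WebRoot
$clean   = Get-TreeHashes $KnownGood
$modified = @($current.Keys | Where-Object { $clean.ContainsKey($_) -and $clean[$_] -ne $current[$_] })
$added    = @($current.Keys | Where-Object { -not $clean.ContainsKey($_) })
$removed  = @($clean.Keys   | Where-Object { -not $current.ContainsKey($_) })
[pscustomobject]@{ Modified = $modified; Added = $added; Removed = $removed } |
    ConvertTo-Json | Out-File "$Evidence\webroot-diff.json"

# Step (3): every established TCP connection together with the process that owns it,
# so an unexpected outbound session can be traced to a binary on disk.
Get-NetTCPConnection -State Established | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Pid     = $_.OwningProcess
        Process = $p.ProcessName
        Path    = $p.Path
    }
} | Export-Csv "$Evidence\connections.csv" -NoTypeInformation

# Steps (2) and (5), run only after the evidence above is saved and reviewed:
# restore the site from the clean copy, and block the remote address of a session
# confirmed as malicious (203.0.113.5 is a documentation address used as a placeholder).
# Copy-Item -Path "$KnownGood\*" -Destination $WebRoot -Recurse -Force
# New-NetFirewallRule -DisplayName 'IR block 203.0.113.5' -Direction Outbound `
#     -RemoteAddress '203.0.113.5' -Action Block
```

The hash comparison is the part worth keeping for later incidents: an "Added" entry under the web root that was never in the backup is the usual sign of a dropped web shell, and the evidence folder records it before the restore overwrites the directory.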

If the attacker's aim is to control the system as a zombie, he will install a backdoor so that he can keep controlling the system over the long term. At the same time, to avoid being discovered by the system's users or administrator, he will do everything he can to hide both the traces of his activity on the system and the backdoor he installed.

Therefore, the only way to find out whether the system has been taken over is to check its processes, network connections and port usage. If the system has indeed become the attacker's zombie, intrusion recovery should proceed as follows:

(1) Determine when the intrusion happened and the scope and severity of its impact, and create a snapshot of the system to preserve its current damaged state for later analysis and as evidence.

(2) Use network-connection or port-monitoring software to check the connections the system has established and the ports in use. If an illegal connection exists, disconnect it immediately and add a firewall rule that blocks the IP address or port involved.

(3) Use Windows Task Manager to check whether any illegal process or service is running, and end every illegal process found immediately. Some specially crafted backdoor processes do not appear in Task Manager at all; tools such as IceSword can reveal these hidden processes, services and loaded kernel modules, which should then all be terminated.

Sometimes, however, a backdoor process cannot be terminated by these means, and the only option is to suspend the business and work in Safe Mode. If the backdoor processes cannot be stopped even in Safe Mode, the remaining course is to back up the business data, restore the system to a point in time known to be clean, and then restore the business data.

This causes a business interruption, so the work should be done as quickly as possible to limit the impact and loss. Also check whether illegal backdoor services exist among the system services: open "Services" under "Control Panel" - "Administrative Tools" and disable every illegal service found.

(4) While hunting for backdoor processes and services, record the name of every one found, then search the registry and the system partition for those names and delete everything related to them. Also delete all content in the "Start Menu" - "All Programs" - "Startup" folder.

(5) Analyse the system logs to understand how the attacker got into the system and what he did there, then correct every modification the attacker made. If the attacker exploited a system or application vulnerability, find the corresponding patch and apply it.
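Steps (3) and (4) above, and the hidden-process concern in between, as one added PowerShell example that is not part of the original article: it cross-checks two process views to flag processes one of them hides, lists services whose binary is not Microsoft-signed, and then searches the usual persistence points (Run/RunOnce keys, the Services key, the Startup folders and the system partition) for the names recorded in step (3). It runs read-only and reports; stopping and deleting remain a manual decision, as the article's steps imply. The names in $Suspects are placeholders, not real indicators.

```powershell
# Added example, not from the original article. Reports only; nothing is stopped or
# deleted. $Suspects holds placeholder names standing in for the ones recorded in step (3).
param(
    [string[]]$Suspects = @('svch0st', 'winlogin')   # placeholders, not real indicators
)

# (a) Cross-view check for hidden processes: a PID that the WMI provider reports but
#     Get-Process does not (or vice versa) deserves a closer look with a tool such as
#     IceSword. A process that started or exited between the two calls can also show
#     up here, so re-run before drawing conclusions.
$wmi = @((Get-CimInstance Win32_Process).ProcessId)
$api = @((Get-Process).Id)
$diff = Compare-Object -ReferenceObject $wmi -DifferenceObject $api
foreach ($d in $diff) {
    $where = if ($d.SideIndicator -eq '<=') { 'WMI only' } else { 'Get-Process only' }
    Write-Warning "PID $($d.InputObject) visible to $where"
}

# (b) Services whose executable is not signed by Microsoft, with the path they run.
#     Unsigned or third-party-signed entries are not automatically malicious, but they
#     are the short list to review against the service inventory.
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = $_.PathName -replace '^"([^"]+)".*', '$1' -replace '^([^ ]+\.exe).*', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables([string]$exe)
    $signer = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).SignerCertificate.Subject
    } else { 'unknown' }
    [pscustomobject]@{ Name = $_.Name; State = $_.State; Start = $_.StartMode; Exe = $exe; Signer = $signer }
} | Where-Object { $_.Signer -notmatch 'Microsoft' } | Format-Table -AutoSize

# (c) Registry autostart locations and the Services key, searched for any key name,
#     value name or value data that contains a recorded suspect name.
$pattern = ($Suspects | ForEach-Object { [regex]::Escape($_) }) -join '|'
$locations = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($loc in $locations) {
    # Get-Item covers values on the key itself; Get-ChildItem covers subkeys (needed for Services).
    $keys = @(Get-Item -Path $loc -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $loc -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($v in $k.GetValueNames()) {
            $data = [string]$k.GetValue($v)
            if ($k.PSPath -match $pattern -or $v -match $pattern -or $data -match $pattern) {
                [pscustomobject]@{ Key = $k.PSPath; Value = $v; Data = $data }
            }
        }
    }
}

# (d) Startup folders for the current user and for all users: the article says to
#     clear them; listing them first records what was there.
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# (e) Files on the system partition whose name starts with a recorded suspect name.
$masks = $Suspects | ForEach-Object { "$_*" }
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include $masks -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# Once a hit is confirmed, the manual removal step (4) is e.g.:
#   Stop-Service -Name <name>; Remove-Item -LiteralPath <registry key or file>
```

Run it from an elevated prompt; the Services key and the all-users Startup folder are not fully readable otherwise, and a hidden or protected process cannot be enumerated from a standard session. Keep the output next to the snapshot from step (1), since the recorded names and paths are what the later log analysis in step (5) is checked against.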
