BOT Operation Method

Source: Internet
Author: User

There were too many compromised servers. At first I installed Gray Pigeon and PcShare on the bots and thought that would be fine, but they often vanished by the next day. I kept wondering: my backdoors evade antivirus, so how does the Administrator find my traces? Over time I accumulated some experience, which I share here.

First, the first thing to do on a server is to check the recent Documents list.
Look at what is already there and keep the count in mind; whenever you open something new, delete it from this list. On some servers the list is blank: then do not add anything to it, cmd included. If you accidentally do open something, right-click the taskbar and choose Properties > Advanced > Clear.
Some may say: just use Start > Run > cmd, isn't that good enough? No, because anything he does not normally run stands out there. Instead, open drive C in Explorer, press W and Enter to get into the Windows directory, jump to system32 and double-click cmd.

When you need to browse files on the target server, what is safest? To open drive C, for example, use cmd: type start c:\ and press Enter. If you want Notepad, do not right-click to create a new text document; type notepad in cmd, so no record is generated. Do not assume the Administrator is an easy mark. After all, you are the illegal one and he is legal. Build the habit and it will serve you for life.

When connecting to SQL Server, try to use Enterprise Manager rather than Query Analyzer; otherwise a record of the server IP and SQL user name is left behind. In the special cases where you must use Query Analyzer, when you are done, delete the records in the registry under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers.

Delete the Server0 and User0 values there (and any further Servern/Usern pairs you created). Whenever you open regedit, note the original values first and restore the key to its original state afterwards. Terminal Services (RDP) client records are also worth noting: go to
[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
and delete the MRUn value that holds the address you connected to.
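The registry artifacts above and the Recent folder mentioned below, gathered into one review script. This is an added example, not part of the original post: it lists the mstsc MRU values, the Query Analyzer PrefServers entries and the most recent shortcuts so an administrator can see exactly what the post says an intruder removes. The registry paths are the ones the post names; the Servers subkey (per-host UsernameHint values written by newer mstsc versions) is an assumption of the script, not something the post mentions.

```powershell
# Added review script, not from the original post. Lists the per-user
# connection artifacts the post describes, so they can be checked rather
# than quietly removed. Run it as the user whose profile is being reviewed.

# Registry keys named in the post. The Servers subkey further down is an
# assumption for newer mstsc versions, which record a UsernameHint per host.
$keys = @(
    @{ Label  = 'Remote Desktop (mstsc) MRU'
       Path   = 'HKCU:\Software\Microsoft\Terminal Server Client\Default'
       Filter = 'MRU*' },
    @{ Label  = 'SQL Server 2000 Query Analyzer recent servers/users'
       Path   = 'HKCU:\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers'
       Filter = '*' }
)

foreach ($k in $keys) {
    Write-Output "== $($k.Label)"
    if (-not (Test-Path $k.Path)) { Write-Output '   (key absent)'; continue }
    $item  = Get-Item $k.Path
    $names = $item.GetValueNames() | Where-Object { $_ -like $k.Filter }
    if (-not $names) { Write-Output '   (no values)'; continue }
    foreach ($n in $names) {
        Write-Output ('   {0,-8} {1}' -f $n, $item.GetValue($n))
    }
}

$servers = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
Write-Output '== Remote Desktop per-host entries (newer clients)'
if (Test-Path $servers) {
    Get-ChildItem $servers | ForEach-Object {
        Write-Output ('   {0,-30} {1}' -f $_.PSChildName, $_.GetValue('UsernameHint'))
    }
} else {
    Write-Output '   (key absent)'
}

# Shortcuts in the Recent folder (the post's Documents and Settings\<user>\Recent),
# newest first. An entry newer than the user's own last logon deserves a look.
$recent = [Environment]::GetFolderPath('Recent')
Write-Output "== Recent items in $recent"
Get-ChildItem -Path $recent -Filter *.lnk -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 LastWriteTime, Name |
    Format-Table -AutoSize
```

The script only reads; it prints an absent key as such rather than failing, because on a server where nobody has used mstsc or Query Analyzer the keys simply do not exist, and an empty list is itself a data point when the post's advice has been followed.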

There are also records of recently opened programs and documents, in c:\Documents and

Settings\Administrator\Recent\. Remember to look at which files the Administrator uses frequently; you may run them yourself, but delete the new shortcuts before you leave. Run programs from cmd whenever possible; GUI programs can be run from cmd too: drag the program's icon into the cmd window and press Enter. Here I use Internet Information Services as the example.

To use a management tool, it is best to right-click My Computer > Manage, or open it from Control Panel. In short, leave no trace, as if no one had ever been there. Most important of all: do not leave a backdoor. Apart from a webshell, leave nothing. Leaving a backdoor is equivalent to telling the Administrator: "Congratulations, you have found my Trojan." For the webshell, use a Haiyang one-sentence shell: the official Haiyang 2006 on Win2000 and the 2006+ version on Win2003. Why can't Win2000 use the 06+ one-sentence shell? Because 06+ has many functions and is very fat, and Win2000 has a quirk: if the submitted ASP exceeds 100 KB, an error occurs.
Another point: the webshell must be handled so that it leaves no logs.

The Haiyang one-sentence shell is inserted into the file closed.asp. When you access it, IIS logs the request; remove that access record. Even that is not enough: you also need to deal with the file's timestamps. Changing only the modification time is enough for the average newbie administrator, but a savvy administrator will search by creation time: if a file shows a modification date of July 15, 2004 but was created yesterday, what will he think? So before inserting the one-sentence shell, check the file's creation time and modification time and write them down, set the system time to match the creation time, insert the Trojan, then set the clock back.
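The creation-time check the post attributes to a savvy administrator, as an added PowerShell example (not from the original post): it lists files under a web root whose CreationTime is later than their LastWriteTime, and files written within a chosen window. The root path and the seven-day window are assumptions; adjust them to the site.

```powershell
# Added detection check, not from the original post. Lists files under a web
# root whose creation time is later than their last-write time (the mismatch
# the post says a careful administrator looks for), plus any file written
# within a chosen window. The root and window below are assumptions.
$Root  = 'C:\Inetpub\wwwroot'
$Since = (Get-Date).AddDays(-7)
$Until = Get-Date

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $why = @()
        # Editing a file in place never moves CreationTime past LastWriteTime;
        # a back-dated LastWriteTime on an existing file does exactly that.
        if ($_.CreationTime -gt $_.LastWriteTime.AddSeconds(2)) {
            $why += 'CreationTime after LastWriteTime'
        }
        if ($_.LastWriteTime -ge $Since -and $_.LastWriteTime -le $Until) {
            $why += 'written in window'
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Path         = $_.FullName
                CreationTime = $_.CreationTime
                LastWrite    = $_.LastWriteTime
                Reason       = ($why -join '; ')
            }
        }
    } |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Two caveats. Copied files (an xcopy or robocopy deployment, for instance) also end up with CreationTime later than LastWriteTime, so the output is a triage list, not proof. And the trick the post describes, setting the system clock back before writing, produces consistent timestamps that this check will not flag; what it cannot hide is the clock change itself, which the Security log records as a system time change event (520 on Windows 2000/2003 when system events are audited, 4616 on later versions), so pair this file check with a look at that log.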

A few more words about searching. A smart administrator will search for anything he finds suspicious, for example using the "when was it modified" option to find files created in a suspicious time window, and he will also look at what the last search was for. So remember to clear the search history: after you have found what you need, clear the search options and click Search again, so the Administrator cannot see what you searched for last.

Another point is the logon audit log kept by the system, which cannot be cleared line by line. However, once logged in you can set Local Security Policy so that nothing is recorded. If you added an account, do not forget to delete it, and c:\Documents and Settings\<the corresponding username>\ must be deleted as well. You have to find a way to delete the account; here are two methods. First, establish an IPC connection to the target machine, delete the account, delete the folder over IPC, then drop the IPC connection (suitable for an intranet). Second, write a VBS script with the following code:
On Error Resume Next
Set shell = CreateObject("WScript.Shell")
' Replace the placeholder with the command that removes the leftover folder;
' 0 = hidden window, True = wait for the command to finish.
shell.Run "run the DELETE command yourself", 0, True
Save it as del.vbs and drop it in the Startup folder; the folder is deleted automatically the next time the Administrator logs on. Downloading: try not to use IE. The right way is: open cmd, run ftp against your IP, enter your FTP account and password, then get the file. You can also download with a VBS script; work that out yourself. It is best to download AIO or MT first and then use their download function for everything else.

Before you leave the server, delete the Temporary Internet Files (if you used IE to download anything or open a web page).
Doing this much is more than enough to deal with the Administrator; pay attention to these points and you will keep the bot for a long time. If you are tired of constantly hunting for new bots, take care. To leave, type logoff in cmd. See you later :)
------------------------------------
Self-added:
1. Never upload files while the Administrator is online, especially over 3389.
Run query user first.

2. It is best to leave a one-sentence webshell, Binghu Langzi's or lake2's, inserted into a commonly used script on the site. When you need the full webshell, upload it, use it, and delete it right away.

3. Remember to clear the logon logs, firewall logs, FTP logs and so on. It is best to do this by hand; tools sometimes cause errors. This is from my own testing and only represents my view.

4. Do not drop Gray Pigeon or anything like it once you are on. If you have a password-free telnet-type Trojan, forget the rest. The most important thing is to collect the Administrator's password, and the pcAnywhere, SQL, MySQL and every other password the server holds; if there is a password on the server, find a way to get it. Then clear the logs and leave.

5. Remember to check the Administrator's logon times for later use. To put it bluntly, learn the administrator's habits. You can search Google, organize what you collect on your own computer, then compare and analyze.
That is all for now; it may be updated at any time. If you have good material, you can also email me at [email protected] to discuss it.

