One day, while I was idling about, a friend on QQ asked me for help: "My website has been hacked and the homepage defaced, SOS!" I had nothing else going on, so I agreed to help him.
Recovering Lost Ground
I was about to type his website's address into a browser when I stopped myself: if the intruder had planted a trojan on the homepage, wouldn't I be the next victim? So I first checked the page with a trojan-detection tool: no hidden form, no suspicious JS call, no Object tag, fine. The homepage showed nothing but the intruder's handle and images. The details of the website could wait; I asked my friend for the Administrator password and logged on over port 3389 (Remote Desktop) to confirm it still worked.
First, let's look at the accounts on the server. Running "net user" shows a conspicuous user named "tsinternetuser".
TsInternetUser is a built-in Terminal Services account of Windows 2000, but it does not exist on Windows 2003. I searched Baidu and asked my friend, who confirmed there should be no such user. It seems the intruder gave himself away. The Administrators group did not contain this user, so my first guess was that it had been cloned. First open Regedt32 and grant yourself permissions on the SAM key, then open Regedit and go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account. Comparing the binary F value of the Administrator with that of tsinternetuser, the two were identical, which confirms that "tsinternetuser" is a clone of the Administrator account. The other users showed no signs of cloning. I deleted "tsinternetuser", but the job was far from over.
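The F-value comparison described above, automated over every user key in the SAM. This is an added example, not a tool from the original post; the sample F values are constructed (real ones are longer), and reading the live hive assumes Windows with SYSTEM rights or explicitly granted key permissions.

```python
r"""Added example (not from the original post): flag a cloned Administrator
account by comparing the binary F value of every user key under
HKLM\SAM\SAM\Domains\Account\Users with that of RID 500 (Administrator).
Reading HKLM\SAM needs SYSTEM rights or explicitly granted key permissions."""
import sys

ADMIN_RID = 0x1F4  # 500, the built-in Administrator account

# Constructed sample of RID -> F value (real F values are longer; these are
# shortened stand-ins, with the "cloned" account carrying an exact copy).
SAMPLE_F_VALUES = {
    0x1F4: bytes.fromhex("0200010000000000a1b2c3"),  # Administrator
    0x1F5: bytes.fromhex("0200010000000000d4e5f6"),  # Guest
    0x3E8: bytes.fromhex("0200010000000000a1b2c3"),  # "tsinternetuser", cloned
    0x3E9: bytes.fromhex("0200010000000000778899"),  # an ordinary user
}

def find_cloned_admins(f_values):
    """Return RIDs (other than 500) whose F value is byte-for-byte identical to
    the Administrator's, which is the clone marker the post describes."""
    admin_f = f_values.get(ADMIN_RID)
    if admin_f is None:
        raise ValueError("Administrator key (RID 500) not present")
    return sorted(rid for rid, f in f_values.items()
                  if rid != ADMIN_RID and f == admin_f)

def load_f_values_from_registry():
    """Read the F value of every user key from the live SAM hive (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SAM\SAM\Domains\Account\Users") as users:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(users, index)
            except OSError:  # no more subkeys
                break
            index += 1
            if name == "Names":  # name-to-RID lookup subkey, not a user key
                continue
            with winreg.OpenKey(users, name) as user_key:
                f_value, _ = winreg.QueryValueEx(user_key, "F")
            result[int(name, 16)] = bytes(f_value)
    return result

if __name__ == "__main__":
    values = load_f_values_from_registry() if sys.platform == "win32" else SAMPLE_F_VALUES
    for rid in find_cloned_admins(values):
        print("RID %d (0x%X) has the Administrator's F value: cloned account?" % (rid, rid))
```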
Checking for Backdoors
Time to bring out IceSword (冰刃), the nemesis of backdoors: most of these demons and ghosts have nowhere to hide in front of it.
First I used IceSword to view the processes and found no hidden ones (IceSword marks them in red). Then I checked the ports and found port 1066 listening.
This is not a common port, and the program that opened it was not a familiar one either.
A process named "Systemram.exe" had appeared in the process list, with a chip-shaped icon; no wonder I had not noticed it a moment ago. I stopped it first but held off on deleting it. Next I checked whether the startup group was normal and found nothing wrong there.
When I looked at the services, however, a familiar face appeared: Radmin.
This was the program listening on port 1066. From here it was easy: delete the program and uninstall the service.
Radmin was cleaned up without trouble (a search online showed this was a modified version of Radmin; its admdll.exe and raddrv.dll were hard to spot, but the service itself was so poorly disguised that anyone could recognize it as a backdoor service at a glance).
Putting the House Back in Order
Half a day of checking turned up no other backdoors, and the intruder did not appear to be particularly skilled. Next, restore the website.
Browsing the website, I found that many pages had been changed. I restored the site from the backup files so it could be accessed normally again.
The next task was to patch the website's vulnerabilities, but since I did not know how the intruder got in, a comprehensive check was needed.
I ran a number of tools against it without finding any obvious vulnerabilities, and manually checked a few spots with no result either.
So how did the intruder get in? Through a neighbouring site on the same server (旁注)? Impossible: the website runs on its own dedicated server.
Then it occurred to me: the location of the attacker's WebShell would point to where he got in. I uploaded the ASP trojan search tool written by lake2.
This tool is easy to use; the patterns it looks for are dangerous components and functions.
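A scanner in the same spirit as the dangerous-component search described above, written here as an added example (it is not lake2's tool and does not reproduce it). The signature list, the file extensions and the two sample pages are constructed for the demonstration.

```python
"""Added example (not lake2's tool): scan ASP files for the dangerous components
and functions ASP webshells rely on, reporting each hit with its line number."""
import os, re, sys

# COM components and script functions typical of ASP webshells (constructed list).
SIGNATURES = {
    "WScript.Shell": r"wscript\.shell",
    "Shell.Application": r"shell\.application",
    "FileSystemObject": r"scripting\.filesystemobject",
    "ADODB.Stream": r"adodb\.stream",
    "Execute/Eval": r"\b(execute|eval|executeglobal)\s*\(",
    "Request-in-code": r"\b(execute|eval)\s*\(?\s*request\b",
    "Chr-obfuscation": r"(chr\(\d+\)\s*&\s*){4,}",   # chr(1)&chr(2)&... strings
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in SIGNATURES.items()}

def scan_text(text):
    """Return [(line_no, signature_name, stripped_line)] for every hit in one file."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in COMPILED.items():
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits

def scan_tree(root, exts=(".asp", ".asa", ".cer", ".cdx")):
    """Walk a web root; return {path: hits} for files with at least one hit."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    found[path] = hits
    return found

# Constructed samples: a one-line "eval request" shell and a harmless page.
SAMPLE_SHELL = '<%eval request("cmd")%>\n'
SAMPLE_CLEAN = '<% Response.Write "hello" %>\n'

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for no, name, line in hits:
            print(f"{path}:{no}: {name}: {line}")
```

Run it with the web root as the argument; every reported file should be reviewed by hand, since a legitimate upload or backup script may use the same components.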
The WebShell was located in the forum directory, so it was basically certain that he came in through there. During the test, however, I found that the known privilege-escalation vulnerability had already been fixed.
No cross-site scripting code was found in the forum either. So how did he get in? Had the WebShell been deliberately placed in the forum directory?
I asked my friend for the forum administrator's password...... It was extremely weak, and the front-end and back-end passwords were the same. Anyone could guess it in a few tries.
It seems that most security problems are people problems. In the end I asked my friend to set stronger passwords. The "lost ground" had basically been recovered; now it was time to pursue the enemy.
Hunting Through the Logs
Doing bad things has a price, and now I'll catch you. I opened Event Viewer and, unfortunately, found that all logs had been cleared;
the IIS logs contained only access records from my friend and me. I had already reminded my friend to change the log storage path and, ideally, to install dedicated monitoring software, but he just wouldn't listen.
TIPS: how to modify the log storage location:
Windows system log files include the application log, the security log, the system log and the DNS server log. Their default location is %SystemRoot%\system32\config, and the default file size is ... KB:
Security log file: %SystemRoot%\system32\config\SecEvent.EVT
System log file: %SystemRoot%\system32\config\SysEvent.EVT
Application log file: %SystemRoot%\system32\config\AppEvent.EVT
DNS log file: %SystemRoot%\system32\config\DnsEvent.EVT
The location of the Windows system logs is set in the registry. Open the registry and find
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog.
The subkeys under it correspond to the different logs, and the "File" value in each subkey is that log's storage location; you can modify it.
To change where IIS logs are stored: open Internet Information Services (IIS) Manager, find your website, open its Properties, and click the Properties button next to the logging settings. The path can be changed there, and the "Advanced" tab lets you choose which fields are recorded. IIS logs can also be written to a database.
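An audit of the registry setting just described, as an added example (not from the original post): it reads the "File" value of each log under the Eventlog key and reports which logs are still in the default %SystemRoot%\system32\config directory. The sample values are constructed, and the live-registry path assumes Windows with %SystemRoot% at C:\WINDOWS.

```python
r"""Added example (not from the original post): report where each Windows event
log is stored, read from the "File" value under
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log>, and flag the default location."""
import re, sys, ntpath

DEFAULT_DIR = r"%SystemRoot%\system32\config"

# Constructed sample of log name -> "File" value as the registry would return it.
SAMPLE_FILE_VALUES = {
    "Application": r"%SystemRoot%\system32\config\AppEvent.Evt",
    "Security":    r"%SystemRoot%\system32\config\SecEvent.Evt",
    "System":      r"D:\logs\SysEvent.Evt",   # already relocated
    "DNS Server":  r"%SystemRoot%\system32\config\DnsEvent.Evt",
}

def expand_root(path, system_root):
    """Expand %SystemRoot% case-insensitively, as Windows would."""
    return re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.I)

def audit_log_paths(file_values, system_root=r"C:\WINDOWS"):
    """Return {log: (expanded_path, at_default)}; at_default is True when the
    log file still sits in the default config directory."""
    default_dir = ntpath.normcase(expand_root(DEFAULT_DIR, system_root))
    report = {}
    for log, raw in file_values.items():
        expanded = expand_root(raw, system_root)
        at_default = ntpath.normcase(ntpath.dirname(expanded)) == default_dir
        report[log] = (expanded, at_default)
    return report

def load_file_values_from_registry():
    """Read the "File" value of every log under the Eventlog key (Windows only)."""
    import winreg
    result = {}
    path = r"SYSTEM\CurrentControlSet\Services\Eventlog"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as eventlog:
        count = winreg.QueryInfoKey(eventlog)[0]   # number of subkeys
        for i in range(count):
            log = winreg.EnumKey(eventlog, i)
            with winreg.OpenKey(eventlog, log) as key:
                try:
                    result[log] = winreg.QueryValueEx(key, "File")[0]
                except FileNotFoundError:   # a subkey without a File value
                    continue
    return result

if __name__ == "__main__":  # assumes %SystemRoot% is C:\WINDOWS on the live box
    values = load_file_values_from_registry() if sys.platform == "win32" else SAMPLE_FILE_VALUES
    for log, (path, at_default) in audit_log_paths(values).items():
        print(f"{log:12s} {path}  {'DEFAULT LOCATION' if at_default else 'relocated'}")
```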
It seems the intruder was still somewhat "security-conscious", which made things hard for me. Where could I find him? Just as I was about to give up,
I remembered the WebShell the intruder had left behind. I looked at its password (some people use their QQ number as the WebShell password; I have met a few of them),
but unfortunately it gave me nothing useful. It did remind me, though, that he had intruded through the forum, so there should be records in the forum's database. I opened the Dvbbs (动网) forum database
and looked at the DV_LOG table; the intruder must have forgotten to delete his records. From here the intrusion method became clear: upload a file, then use the database backup function to turn it into an ASP file. Even better, I got his IP address.
The Seoul Campaign
Looking up this IP address showed that it was a host in South Korea.
First I scanned its ports and found that ports 21, 1433 and 3389 were open.
Port 80 was not open, so getting in through a website seemed impossible. The focus fell on port 1433; the MSSQL overflow test failed.
The only hope left was a weak password. I prefer HSCAN; the command format is "HSCAN -h ip -mssql -ftp".
The SA password turned out to be empty, and SQLTools connected successfully. When executing commands, however, it turned out that xplog70.dll had been deleted.
After going through the hard drive for half a day I could not find xplog70.dll; I asked a few friends, and they didn't have it either. It seemed commands could only be executed through other extended stored procedure components.
A strange thing happened when I connected to the target host with SQL Query Analyzer: after the connection succeeded, the program closed itself automatically. I downloaded another copy from the Internet,
and if I entered a wrong password it showed a wrong-password message. While I was at a loss, a friend tossed me SQLRootkit.
I entered the IP address, user name and password in the program's interface, clicked "Log on", and the connection succeeded. SqlRootkit uses four components to execute system commands;
you can check each component before running a task and restore it, provided, of course, that the files backing the components exist,
for example xplog70.dll, odsole70.dll and xpstar.dll. First I checked which components existed.
xp_cmdshell's file was missing and could not be used. sp_oacreate executed successfully, but the host did not run the command; xp_regwrite timed out;
xp_servicecontrol showed no output, but it was the only one that actually executed successfully.
I logged on to the host remotely, opened Event Viewer, and found that the logs had not been deleted. Comparing the intrusion time recorded in the Dvbbs database with the logon events in the Security log,
I found the attacker's IP address. The intruder's browsing history for the website was also found under "C:\Documents and Settings". The evidence was conclusive;
he couldn't get away (sorry, the log screenshots won't be shown). Looking up the attacker's IP address showed that the hacker was on an ADSL line in Shanghai. Before leaving, I ran "quser" in CMD:
the Administrator was also logged on, and the host had been up for three hundred days.
I had never seen a Windows host stay up that long; no wonder the intruder was so brazen. I handed the hacker's IP address and the related evidence to my friend and told him the whole story;
the rest is up to him.
To sum up, this anti-intrusion process was nothing difficult: no new techniques, just things everyone knows, combined together.
It seems that defence is far harder than intrusion, and protection has to be done well from every angle. A word of advice to the "hackers": intrusion should prove our skill, not be used for destruction.