Clearing intrusion records is a critical step in the entire Penetration Process, especially when important servers are obtained. Of course, you must be cautious about how to retreat.
Some time ago, I got a more important server, and the Administrator was also relatively savvy. The server is still not lost.
As a responsible administrator, checking whether the system is infiltrated will always check whether the system account has been created, changed, or logged on.
If you have logged on to the system with a new account, please take a look at the user name and operation materials you have created in the C: \ Documents and Settings/directory.
It is easy to be discovered by the Administrator. In addition, you will find that the deletion fails. Here, we provide a method to delete the log. It is to install a shift backdoor, restart the server after exiting the account, and open
Shift backdoor, inputCommandExPlorer browses C: \ Documents ents and Settings/to delete the file. Because the shift backdoor is running with the system permission at this time.
I generally do not create a new account, which is too troublesome. And sometimes it is very strange to delete it, it is very easy to expose yourself. The following describes my common methods.
Run
Net user guest/active: yes // activate the guest account
Net localgroup adminisTrAtors guest/Dd// Add to the Administrator Group
You cannot log on to the Remote Desktop group. It may be abnormal to the Administrator.
Net localgroup "Remote Desktop Users" guest/add // use the "" No. Here. The directory name with spaces under the DOS command can be taken down.
What's more unusual is to use the Management Group Command. Net localgoup.
In this way, the smart administrator can use the net user guest command to view the last logon date of the guest account .. the system is intruded and exposed.
What should I do? I checked the information online and found nothing about how to modify the last logon date of my account. No way. solve it by yourself.
After half a day of research with John, he was unable to delete and reconstruct the system, modify the system date, and so on. Aha, suddenly changed the windows database ~!!!
Haha, the key is here. Of course, this database is the Registry. account information is stored in the registry. Remember to copy the F key value.
Clone the administrator account. The following is the test in the virtual machine. It is successful ~!
I export the names and users items of the guest account from the registration registry of a pure windows server 2003. You are not authorized to upload the file. Send an external connection to download the file.
| Http://www.linuxso.com/uploads/soft/100620/guest_regedit.rar |
Double-click to import the registry. For example
This is obviously a permission issue. It's simple. Right-click SAM under HKEY_LOCAL_MACHINE in the registry.In this way, the data can be imported successfully. After the import, let's take a look at the net user guest.
If the password is set successfully, you don't have to worry about it. The system you just installed is the same. The time displayed is the time when the command was executed.
Remember to go to the Event Viewer and clear the security logs.
In fact, the Registry is a windows database, and a lot of configuration information is stored in the registry.
For example, the IP address of the SERVER that is locally connected to remote SERVER 3389 records the records of the SQL SERVER Management tool connecting to the remote SERVER.
Ctrl + f find the IP address of the server. Delete it.
Purely original. If you have any technical questions about this article, leave a message below. Original article, declined to reprint.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
