Practical Analysis of a WinRoute Backdoor: Attack and Defense

Source: Internet
Author: User

Our school accesses the Internet through a proxy built on Windows 2000 and WinRoute. Over the past two days the proxy server has been behaving strangely: programs run very slowly and the machine restarts by itself. Is it a virus, or a trojan? Either way, let's check it out first.

I went to the data center and unplugged the network cable first. After a reboot I ran the anti-virus software and scanned again; no virus was found. Then I plugged the network cable back in and opened Internet Explorer, and something odd appeared: why were there unfamiliar URLs in the address bar? Had someone else been using this computer? The situation looked serious. It might be a trojan.

I got up to pour a cup of water and prepare for battle. When I came back, the browser had opened the "Fantasy Westward Journey" website on its own and was downloading the game client (a new piece of software had been installed). Someone wanted to use my proxy server to run and play online games!

Now that I knew the reason, I wanted to fix it, so there was no hurry. I let him keep downloading for a while, and when the download reached 90% I clicked cancel. Then I disconnected the network, opened Wooden Star and ran a scan: Remote Administrator had been installed. After removing the trojan, I searched for files by date and deleted all the software installed in the past week. But this alone does not solve the problem; the key is to find the vulnerability that was being exploited.

Because this computer is used only as a proxy, WinRoute has the SMTP, POP3, and DNS services enabled. Was there a problem with the Windows 2000 configuration? Following some security hardening guides, I disabled many unnecessary services, applied the latest patches, disabled the Guest account, changed the Administrator account's password and renamed it, set disk read permissions, and configured some local security policies. I will not go into detail here; you can consult the references. After a while I thought everything was fine and re-enabled the proxy service to continue working.

But the calm did not last long. One Saturday afternoon I went to the data center to check the equipment, and when I opened the proxy server's monitor a dismaying scene appeared: someone was downloading Fantasy Westward Journey on the proxy server again! It turned out that the quiet of the past few days was simply the intruder not wanting me to notice the problem; it had never actually been solved. He assumed nobody would be around on a Saturday and he could do as he pleased. Apparently he still wanted to use my machine for his games.

I could almost see the hacker smiling at me from the other side of the network. What was wrong? The patches had just been installed, so there should be no vulnerabilities. Which port was the intruder using to get in? I opened a command prompt and ran netstat -a to check the port numbers. Besides the usual ports, port 3129 was in use.

I only remembered that the WinRoute proxy uses port 3128. Was port 3129 also related to WinRoute? I looked it up and found that the Master's Paradise trojan opens port 3129. On the other hand, this computer normally runs only the WinRoute service. With that in mind, I immediately opened the WinRoute control interface and went through it carefully. Under Settings > Advanced there is a "Remote Administration" option; it allows remote control by default, and the default port it opens is 3129.
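As an added example (not code from the original article), here is a small Python script that parses netstat -a output in the Windows format and flags listening ports that are not on the proxy's expected list, then shows which remote peers are connected to the suspicious port. The sample netstat output is constructed, and the allowlist (TCP 25, 110, 3128; UDP 53) is an assumption based on the services named above.

```python
import re

# Constructed sample of `netstat -a` output in the Windows 2000 format (not from the article).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    proxy:25               proxy:0                LISTENING
  TCP    proxy:110              proxy:0                LISTENING
  TCP    proxy:3128             proxy:0                LISTENING
  TCP    proxy:3129             proxy:0                LISTENING
  TCP    proxy:3129             192.168.1.50:1087      ESTABLISHED
  UDP    proxy:53               *:*
"""

# Assumed allowlist: the services the article says the proxy runs (SMTP, POP3, DNS)
# plus the WinRoute proxy on 3128. Anything else open deserves a look.
EXPECTED_PORTS = {"TCP": {25, 110, 3128}, "UDP": {53}}
# proto, local host:port, foreign endpoint, optional state (UDP rows carry none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_port, foreign, state) for every socket row, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _host, port, foreign, state = m.groups()
            rows.append((proto, int(port), foreign, state or ""))
    return rows

def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Sorted (proto, port) pairs that are open but not on the allowlist.
    TCP rows count only when LISTENING; UDP rows have no state and always count."""
    found = set()
    for proto, port, _foreign, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue
        if port not in expected.get(proto, set()):
            found.add((proto, port))
    return sorted(found)

def remote_peers(text, port):
    """Foreign endpoints holding an ESTABLISHED TCP session to the given local port."""
    return sorted(f for p, lp, f, s in parse_netstat(text)
                  if p == "TCP" and lp == port and s == "ESTABLISHED")

if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on {port}, peers: {remote_peers(SAMPLE_NETSTAT, port)}")
```

On a real host, feed it the captured output of netstat -a instead of the sample and adjust EXPECTED_PORTS to the services that machine is actually meant to expose.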

So it was a backdoor left open by WinRoute. Many materials describe WinRoute settings in detail, but the remote administration console feature is rarely mentioned, so we had paid no attention to it. It can indeed be abused by some trojans and is very harmful. I would like to remind everyone who uses WinRoute to disable this function to avoid further problems. The cause was finally found. I never use remote control, so I turned this option off, repeated the hardening settings I had just made, and finally shut the door on the intruders.
