Yesterday:
While logged in remotely, I noticed an abnormal process on the VPS: xenguestagent.exe was actually consuming 1 GB of virtual memory.
So I wrote a short article to record it: http://www.cyqdata.com/cyq1162/article-detail-54353
Although I knew the process was not normal, there was very little information about it, so all I could do was kill it.
Today:
I logged in and looked again, and there it was again: the process occupying 1 GB of virtual memory.
Looking at the process list more closely, I saw a process whose name was just a string of digits. At first glance it was clear the server had been scanned and compromised.
So here is what I found:
1: The Users tab of Task Manager showed an unfamiliar user connected alongside mine. Without a second thought I disconnected that session and logged the account off.
2: Under Computer Management > Local Users and Groups, there were 4-5 newly created accounts, which I deleted one by one.
3: In the process list there were multiple cmd.exe and multiple ntsd.exe processes.
Process file: ntsd or ntsd.exe
Process name: Symbolic Debugger for Windows. Ntsd.exe is a user-mode debugging tool shipped with Microsoft Windows 2000 and Windows XP. It can terminate any process except System, smss.exe and csrss.exe, which is why malware often uses it to forcibly kill antivirus processes.
4: Checking the system services, there were four or five system-level services that could not be stopped directly:
5: I checked the C drive. A pile of hacker tools was sitting there, and judging by the modification dates, whoever it was had been trying for a few days:
So where did the intruder get into the system?
I checked the event log and found no login records for the connection.
So I started with the following guesses:
1: A vulnerability in the abnormal VPS process?
2: Missing patches on the server? (I turned off automatic updates when the VPS was created)
3: The website?
4: The database?
Question 1: Was it caused by the VPS's xenguestagent.exe process?
The provider said:
They run hundreds of VPS instances; if the virtualization process had a problem, it would be a mass intrusion, not a single one.
That is reasonable, but even so, nobody could explain why xenguestagent.exe occupied such a large amount of virtual memory.
Question 2: Missing patches on the server? (I turned off automatic updates when the VPS was created)
Because I had stopped patch updates when the VPS operating system was set up, I asked the VPS provider:
Were the default patches for the operating system installed?
They replied: the patches were applied on the day the system was set up; this Hong Kong VPS was set up half a year ago, so that was half a year ago.
My thinking: Windows 2003 has been around for N years, and the older generation of vulnerabilities was patched long ago; there should be no new vulnerabilities in the past six months. It is also hard to imagine a real hacker going to so much trouble over a VPS like this.
Question 3: The website?
The website uses CYQ.Data for database operations. Essentially all operations go through strong filtering, so SQL injection is not possible there.
I did leave a backend sqlexe page open, but its name had been changed. Although it can execute any statement, only I know the page name and a fresh password is required before anything runs. I went ahead and executed one statement specifically:
It threw an exception, so it seems SP4 had already done its homework by default:
Question 4: The database?
Then it hit me: this VPS was hosting a temporary site, the database permissions had never been locked down, and even the sa password was a weak one. I went into the database to take a look, and it really had been done:
It seems the hacker even left me a hint about this account; otherwise I would still be guessing ~~~~
The intruder's entry point has now been found: the weak SA password was the breakthrough here.
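A check a DBA can run on the server itself, added here as an example and not part of the original post, to audit for the weak sa password that served as the entry point in this incident and to list which logins hold sysadmin. It assumes SQL Server 2005 or later (sys.sql_logins and ALTER LOGIN); the candidate password list is constructed, and PWDCOMPARE is the built-in that compares a clear-text candidate against a stored hash.

```sql
-- Added audit example, not from the original post. Assumes SQL Server 2005 or
-- later and a sysadmin connection to the server being checked.
-- Constructed list of weak candidates to compare against the stored hash.
DECLARE @candidates TABLE (pwd NVARCHAR(128) NOT NULL);
INSERT INTO @candidates (pwd)
SELECT N'' UNION ALL SELECT N'sa' UNION ALL SELECT N'123456'
UNION ALL SELECT N'password' UNION ALL SELECT N'sa123';

-- 1. State of the sa login (SID 0x01 even if it has been renamed) and whether
--    its password matches any weak candidate. PWDCOMPARE returns 1 on a match.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       c.pwd AS matched_weak_password   -- NULL means no candidate matched
FROM sys.sql_logins AS l
LEFT JOIN @candidates AS c
       ON PWDCOMPARE(c.pwd, l.password_hash) = 1
WHERE l.sid = 0x01;

-- 2. Every login holding sysadmin, with creation date: anything you did not
--    create yourself (compare with the new OS accounts found above) is suspect.
SELECT m.name, m.type_desc, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.create_date DESC;

-- 3. Remediation: set a strong password, then disable sa so the well-known
--    name can no longer be used to log in.
ALTER LOGIN sa WITH PASSWORD = N'<replace with a long random password>';
ALTER LOGIN sa DISABLE;
```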
Recording this for now; it is time to reinstall the system.