Today I want to chat with my fellow rookies from the intruder's point of view: after a server has been hacked, what should we do to protect and inspect it? The experts are far more familiar with system hardening and security issues; a rookie like me has never done security work, so I can only describe the defensive side from the intruder's angle. Rookies like us build our own sites on our own servers, with no professional knowledge and no big projects, so we can only maintain them ourselves, and when we get hacked we have to do the maintenance and inspection ourselves too. Hence the following.
When a server gets hacked, it is usually one of the following situations; follow along.
A simple inspection and handling workflow after being hacked:
These are the kinds of situations we often run into. Rookies, when your server gets hacked, what do you do (you certainly can't just shrug it off; even a junk server is still a server :D, and it is your own to use)? We can take the corresponding countermeasures and checks for each of the situations above. What follows is my own summary, for when a similar incident happens:
1. Once the server has been hacked, the first thing I do is temporarily take the exposed system offline and change all system account passwords. Before changing them, check the server for Trojans and the like, otherwise the hacker can still grab the hash (obtain the system password hash by some means and crack it back to the plaintext) or the plaintext itself, and then your change was in vain, while the hacker grins and thinks "you silly bird, I'm still listening to you".
2. Check whether the system has extra accounts. There are manual checks and tool-based checks; I only give the idea here, the specifics are up to you. For example, look at C:\Documents and Settings: if a newly created account has logged in via 3389 (Remote Desktop), a folder with that account name will have been generated there, even if it is a hidden account with a $ suffix. The registry should be checked as well; if you don't know the tools, Baidu is your friend.
3. Check the system's open ports. Familiar ports can be left alone at first; unfamiliar ones must be checked to find out which program is using them. Sometimes this reveals the port a Trojan or backdoor is using. Close any unnecessary ports to avoid accidents.
4. Check the logs. Rookie-level intruders generally can't clean up every log, so take a good look: the IIS logs, the web system's own logs (if it has a logging function), and the system logs. From these you can analyze what the hacker did and how your server was compromised.
5. Check the operation permissions on each drive letter and key directory. For example, a clueless admin once handed me a server where the E: drive originally had no permissions for me; I changed it to Everyone and he never checked, so as long as I had a webshell on it my privileges were very large, especially combined with some privilege-escalation tools. Quite a thrill.
6. Use antivirus and security software to do an overall scan for Trojans (EXE, script and other kinds), remove them and patch system vulnerabilities. As for which antivirus to choose, find out for yourselves; I won't recommend one, to avoid being called a shill. It's hard to be a good person these days.
7. Check the web system for script backdoors. Generally you look at file modification times (but file times can be changed), audit with tools, or audit manually; if you lack the ability, find a friend or an acquaintance. Better still, make an early backup of each system: when a problem occurs, pull both copies to your local machine and compare them with Beyond Compare (other comparison tools work too) to make sure the hacker's scripts are removed. Finding the vulnerability in your own web system is best of all: if you know how the hacker got into your web system, fix it. Remember to watch out for those variant script extensions as well.
8. Install WAF software. It can't guarantee 100% protection, but at least it makes your server a lot harder for the hacker, and it can block a crowd of so-called script kiddies.
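As an added example for steps 4 and 7 (this is not code from the original post), here is a small Python triage script that reads an IIS W3C log and flags the two patterns those steps describe: a script file that only ever receives repeated POSTs from a single client (typical of a webshell being driven by its owner) and requests for variant extensions such as .asa/.cer/.cdx that IIS 6 also hands to the ASP engine. The log lines are constructed sample data, and the extension lists and the threshold are my assumptions.

```python
"""Triage an IIS W3C log for webshell-style access. Added example; sample log is constructed."""
from collections import defaultdict

SCRIPT_EXTS = {".asp", ".aspx", ".php", ".jsp"}
# Assumption: IIS 6 also maps these to the ASP engine, a classic way to disguise a script backdoor
VARIANT_EXTS = {".asa", ".cer", ".cdx"}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-05-01 10:00:01 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0 200
2013-05-01 10:00:02 10.0.0.5 GET /news.aspx id=3 80 - 203.0.113.7 Mozilla/5.0 200
2013-05-01 10:03:12 10.0.0.5 POST /upload/img/a.aspx - 80 - 198.51.100.9 Mozilla/4.0 200
2013-05-01 10:03:20 10.0.0.5 POST /upload/img/a.aspx - 80 - 198.51.100.9 Mozilla/4.0 200
2013-05-01 10:03:44 10.0.0.5 POST /upload/img/a.aspx - 80 - 198.51.100.9 Mozilla/4.0 200
2013-05-01 10:05:00 10.0.0.5 GET /upload/img/x.cer - 80 - 198.51.100.9 Mozilla/4.0 200
2013-05-01 10:06:00 10.0.0.5 POST /contact.aspx - 80 - 203.0.113.8 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.
    IIS writes spaces inside a field (e.g. the User-Agent) as '+', so splitting on ' ' is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_suspects(text, min_posts=3):
    """Return script paths POSTed to repeatedly by exactly one client, and variant-extension hits."""
    post_clients = defaultdict(set)   # path -> set of client IPs that POSTed to it
    post_count = defaultdict(int)     # path -> number of successful POSTs
    variants = set()
    for rec in parse_iis_log(text):
        path = rec["cs-uri-stem"].lower()
        ext = path[path.rfind("."):] if "." in path else ""
        if ext in VARIANT_EXTS:
            variants.add(path)
        if rec["cs-method"] == "POST" and ext in SCRIPT_EXTS and rec["sc-status"] == "200":
            post_clients[path].add(rec["c-ip"])
            post_count[path] += 1
    single_client = sorted(p for p in post_clients
                           if len(post_clients[p]) == 1 and post_count[p] >= min_posts)
    return {"single_client_post_scripts": single_client, "variant_ext_paths": sorted(variants)}
```

Run it over a real log instead of SAMPLE_LOG and cross-check every flagged path against the file's modification time and your clean backup, as step 7 describes.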
After all that, the rest is up to you to harden the server: wherever it got screwed, that is where you should pay more attention. For concrete hardening, look up references yourselves; this is a digression, and I'm just a rookie who isn't specialized in this, so friends, don't put me on the spot. I only understand a little: make the various account passwords more complex and use different passwords for different accounts; beware of social engineering, it is stronger than you imagine; assign server permissions strictly per directory (you can refer to Xingwai's permission setup, and there are other references); when you have nothing else to do, read the logs, monitor the traffic, monitor the ports. A hacker doing bad things on your server makes a lot of noise; just pay a little attention to the details.