Analyzing what the intruder did
To recall the background: Radmin had been installed on the machine for convenient remote administration. When I tried to log in, the password no longer worked. It looked as if someone had got in, and the intruder had also obtained system administrator privileges.
Went to the server room, booted ERD Commander, reset the password and rebooted. After logging in, the first step was to deal with the accounts. An extra user, hud$, had been added to the Administrators group; deleted it. The Guest user looked disabled, but its real state was not what it seemed: on closer inspection it too was in the Administrators group, so it was removed from the group as well. Then checked the remaining users; group memberships were normal. Removed the remote connection privileges, and the account side was done.
Then looked at each drive. In the root of C: were the following files:
sqlhello.exe
sqlhello2.exe
result.txt
1.bat
2.bat
Opened 1.bat: it scans the entire network segment. It seems someone was using this machine as a springboard. Moved all of these files to another directory.
Next, an audit of the applications, taking into account what the machine is used for and its environment:
Windows 2000 + IIS + Serv-U.
Serv-U: audited the FTP users to see whether any additional users with system privileges had been added; none found.
Execute permission is not granted, and users are locked in their home directories, which is correct.
Could not read a log: Serv-U logging was not enabled.
Then checked the version.
5.0.0.4 ... I had urged him to upgrade long ago, but it was never done. The intrusion most likely started here, so the first step was to upgrade to 6.0.0.2.
After that, FTP should be fine.
Analysis of IIS:
Logging is enabled, good; the logs will be analyzed in a moment.
The rest is the default configuration. First cleaned up the application mappings: removed every file type mapping except .asp and .asa.
Audit of file permissions
Set the permissions on each partition and directory.
Then checked for Trojans. Since the system could not be reinstalled, the only option was to harden the already-compromised system. Considering that the intruder added a user, left files openly in the root of C:, left logs behind and so on, their skill level was estimated to be low, so they would not likely have implanted a self-written Trojan.
Checked with ATE, compiled by a friend, thrkdev; no known Trojans found.
Then searched for webshells. Given the intruder's level, the Hai Duong ASP shell was most likely used, probably with some of its copyright information removed, so searched all .asp files for content containing "lcx".
Sure enough, four files:
2005.asp
ok.asp
dvbbs7.asp
aki.asp
The analysis was fairly accurate. Apart from dvbbs7.asp, which shows a little creativity in its naming, nothing special. Moved the files to another directory for later audit.
Then the network part.
TCP filtering was not enabled and no IPSec policy was assigned.
First disabled NetBIOS, then allowed inbound TCP only on ports 20, 21, 80 and 3389.
Taking into account the possibility of a reverse-connecting Trojan,
used IPSec to allow outbound traffic from the machine only from source ports 20, 21, 80 and 3389 to any external port; everything else going from inside out is blocked.
Stripped the system down: shut down or uninstalled a number of related services and software.
Patched the system. Fortunately no patches were missing; set Automatic Updates to install automatically.
The final step was to analyze the logs to see what the system itself had missed. The logs had been turned off; the intruder seems more cautious than expected.
Enabled part of the audit policy on key directories such as the system directory, so that every file creation in C:\WINNT, successful or failed, is recorded in the event log.
As mentioned earlier, Serv-U did not log anything originally, so only the IIS logs could be opened to look for visits to the four webshells. Found the visiting IP address and traced it back: a fixed IP. Browsed a bit, found a contact e-mail and sent a message informing the other party's administrator so they could do their own security work.
In fact, some of the work should have been done but was not, due to the circumstances:
1. Rename the system's default user name
Since the brothers are not familiar with computers, this was not changed; instead they were asked to use stronger passwords.
2. Search for encoded webshells
The search only covered webshells whose code is in plaintext; a search for encoded ASP webshells should be added.
Also, the search terms should be extended beyond the simple "lcx" to wider keywords such as wscript.shell.
3. Search for Trojans
As the intruder's level was expected to be low, the Trojan search relied only on scanning software; given time, a manual search should be done.
4. Review of the web application code
Also a matter of time; there was no time to check the original site's code.
5. Intrusion testing
It is easy to assume that the intruder is gone and neglect the other weak links.
So the best thing would be a full penetration test to make sure the other paths are equally strong.
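For point 2, here is an added example in Python (not from the original write-up) of a webshell search that goes beyond the plaintext "lcx" check: it also matches the recommended wscript.shell keyword, the Microsoft Script Encoder header, and long chr() concatenation chains that hide keywords. The web root it scans is a constructed fixture whose file names are reused from the list above purely as labels; the pattern set is an assumption of this example, not the author's.

```python
import os
import re
import tempfile

# "lcx" is the write-up's original search term; "wscript.shell" is the keyword
# it recommends adding. Both are matched case-insensitively on raw bytes.
PLAINTEXT = {
    "lcx": re.compile(rb"lcx", re.I),
    "wscript.shell": re.compile(rb"wscript\.shell", re.I),
}
# Markers of encoded ASP that a plaintext keyword search misses: the Microsoft
# Script Encoder header and long chr()-concatenation chains that spell keywords.
ENCODED = {
    "script.encode": re.compile(rb"#@~\^"),
    "chr-chain": re.compile(rb"(chr\(\d+\)\s*&\s*){4,}", re.I),
}

def scan_file(path):
    """Return the labels of every pattern found in one file (empty list = clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in {**PLAINTEXT, **ENCODED}.items() if rx.search(data)]

def scan_webroot(root, exts=(".asp", ".asa")):
    """Walk a web root and map each flagged file (path relative to root) to its hits."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                full = os.path.join(dirpath, fn)
                hits = scan_file(full)
                if hits:
                    flagged[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return flagged

def build_sample_webroot():
    """Constructed fixture: one clean page plus four files carrying the markers."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.asp": b'<% Response.Write "hello" %>',
        "2005.asp": b"<% ' lcx %>",  # plaintext, the author's search catches this
        "aki.asp": b'<% Set o = Server.CreateObject("WScript.Shell") %>',
        "dvbbs7.asp": b'<%@ LANGUAGE="VBScript.Encode" %>\r\n<% #@~^AAAAAA==...==^#~@ %>',
        "ok.asp": b"<% s = chr(87) & chr(83) & chr(99) & chr(114) & chr(105) %>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Run `scan_webroot(build_sample_webroot())` to see the fixture's four marked files flagged and index.asp left clean; point it at a real web root to audit it.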