Many people like to break into Win2000 systems. There is interface-level remote control over 3389 (Terminal Services), and there are plenty of vulnerabilities to exploit. Articles on intruding into Win2000 are everywhere, which makes it convenient. But do you know what footprints you leave behind in the system? I recently did an intrusion analysis and found a great deal. Of course, the starting point is to establish the time of the intrusion and then search for the files from that period.
We will not analyze the FTP and HTTP log records here, because that kind of intrusion is easier to analyze and to prevent; the more troublesome case is an intruder who got in by guessing an account password (with the rest of the security configuration being quite OK).
1. System logging. A good administrator should record as much as can be recorded. In the Local Security Policy, set the audit policy thoroughly. If you enable every audit category (as long as you don't think that is too much), the entire course of an account's access can be recorded in full without missing a trace. The Event Viewer holds the most recorded content, and all audited events can be viewed in the security log.
Let's take a look at the logon/logoff event record of an account: Session interrupts connection from winstation: Username: guest Domain: Refdom Login ID: (0x0, 0x28445D9) Session name: Unknown Client name: GUDULOVER Client address: 202.103.117.94
This is a 3389 logon event, and the system records the client IP address, the client machine name and the user name used. It is quite complete.
This is a detailed tracking (process tracking) record: New process has been created: New process ID: 4269918848 Image file name: \WINNT\system32\ Creator process ID: 2168673888 Username: Refdom$ Domain: Refdom Login ID: (0x0,0x3E7)
This is a record of something run as LocalSystem. Haha, isn't that someone using net user or similar under the local system account (which, of course, can do a lot of things)? Be careful: if you have too many log records and the log space fills up, Windows will stop recording new events. Select "overwrite events as needed" in the log properties so that new events can still be recorded, but then the events you need to analyze may themselves be overwritten. Unfortunately, the records here are so conspicuous that most of them do not survive.
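As an added example (not part of the original article), the following Python parses flattened security-log records like the two quoted above into their fields and flags the two things the text points at: a remote session with its client address, and a process started under the LocalSystem logon ID 0x3E7. The sample records are constructed to mirror the article's entries; the image file name in the process record is a made-up placeholder, since the original is truncated.

```python
import re

# Constructed sample records modelled on the two entries quoted in the article.
SESSION_EVENT = (
    "Session interrupts connection from winstation: Username: guest Domain: Refdom "
    "Login ID: (0x0, 0x28445D9) Session name: Unknown Client name: GUDULOVER "
    "Client address: 202.103.117.94"
)
PROCESS_EVENT = (
    "New process has been created: New process ID: 4269918848 "
    "Image file name: \\WINNT\\system32\\placeholder.exe "  # placeholder, not from the article
    "Creator process ID: 2168673888 Username: Refdom$ Domain: Refdom Login ID: (0x0,0x3E7)"
)

# Field labels as they appear in Win2000 security-log text.
FIELD_NAMES = [
    "Username", "Domain", "Login ID", "Session name", "Client name",
    "Client address", "New process ID", "Image file name", "Creator process ID",
]
LOCAL_SYSTEM_LOGON_ID = 0x3E7  # well-known logon ID of the LocalSystem session

def parse_record(text):
    """Split a one-line record into (header, {field: value})."""
    pattern = re.compile("(" + "|".join(re.escape(n) for n in FIELD_NAMES) + r"):\s*")
    parts = pattern.split(text)
    header = parts[0].strip().rstrip(":")
    fields = {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}
    return header, fields

def logon_id_low(fields):
    """Return the low 32-bit part of 'Login ID: (high, low)' as an int, or None."""
    m = re.search(r"\(\s*0x[0-9A-Fa-f]+\s*,\s*0x([0-9A-Fa-f]+)\s*\)", fields.get("Login ID", ""))
    return int(m.group(1), 16) if m else None

def triage(text):
    """Return the findings an analyst would want pulled out of one record."""
    header, f = parse_record(text)
    findings = []
    if "Client address" in f:  # a Terminal Services session: who came from where
        findings.append("remote session %s\\%s from %s (%s)" % (
            f.get("Domain"), f.get("Username"), f["Client address"], f.get("Client name")))
    if logon_id_low(f) == LOCAL_SYSTEM_LOGON_ID:  # process tracking under LocalSystem
        findings.append("ran as LocalSystem: %s" % f.get("Image file name"))
    return header, findings

if __name__ == "__main__":
    for rec in (SESSION_EVENT, PROCESS_EVENT):
        print(triage(rec))
```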
2. Plenty of traces remain in the "Documents and Settings" directory. This directory is where every account's footprints are stored. If an intruder enters the graphical interface via 3389 or at the console, he leaves an account directory behind. Let's take a look at what is in an account's "Documents and Settings" directory. First, set the folder view to show all files and folders so that nothing stays hidden.
"Start Menu": Of course, this stores the items of the account's own "Start" menu. The "Start" menu here is quite informative. "Application Data": Some applications leave data, backups and so on here; it is not very useful for analysis.
"Cookies": If the intruder came in through 3389 and also browsed web pages, there are enough cookies stored here to tell you where he went.
"Local Settings": This is also a place for temporary data, as well as IE's offline content. You may find many good websites in there. "Recent": This folder is hidden, but it stores a lot: the directories and files accessed by the account are recorded one by one. You can tell clearly what was used and which documents were looked at.
"Templates": Where temporary files are stored.
3. Judging by the hacker's tools. He will certainly find a way to obtain administrator rights, and once he has them he can do whatever he wants. According to the various intrusion tutorials, that of course means placing more scanners to collect "broilers" (compromised machines), installing backdoors, deleting logs... Haha, those scanners leave enough logs for analysis, and may even collect some broilers for him for free. The intruder's intentions and skill level can also be read from the logs (and configuration files) of those tools. OK, take Liuguang as an example: the results of every scan are written down, and anyone can read them. Best of all is when backdoors and proxy springboards (not multi-level ones) have been installed. Who is remotely controlling whom? From the backdoor program we can trace the intruder's origin, and from the connection we can see where it is being relayed from. You could even give your own Trojan an interesting file name as a disguise and let it pass as a backdoor; if he wants to play, everyone plays together. Of course, an intruder who came through another 3389 broiler he controls can only be traced back to that broiler. (An adventure: take his broiler too.)