Eighth, check the homepage source code and see whether it contains any iframe that does not belong to this website (this is a way of finding web trojans), and look for potential trojans and exploitable network vulnerabilities.
Here are some of the web trojans we recovered:
Q: gg3. Asp 183637
Log.asp
Pigpot.asp
J webdown VBS
Attach/al-qeada.someotherwordpeopledontthinkoffirst
Attach/chongtian.gif
Attach/111.rar
system/unit/yjh.asp
system/unit/conn.asp (anti-injection code added)
Q: 6242889678
Volume/mm.jpg = self-extracting exe; homepage include file
One-line trojans:
Backup one-line trojans
Injection check: look in the IIS logs for SQL injection strings such as %20and 1=1,
'or'='or', a'or'1=1--, 'or1=1--, "or1=1--, or1=1--, 'or'a'='a, "or"="a'='a, etc.
Purpose: to bypass authentication; these are mainly used against the back-end (admin) login.
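One way to run this injection check over IIS logs, as an added example that is not part of the original page. The W3C extended log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Injection strings listed above, lower-cased with whitespace removed.
# More specific strings come first so the reported match is the longest one.
SIGNATURES = ["and1=1", "'or'='or'", "a'or'1=1--", "'or1=1--", '"or1=1--',
              "or1=1--", "'or'a'='a", '"or"="a\'=\'a']

def normalise(query):
    """URL-decode, lower-case and strip whitespace so %20 and + variants match."""
    return re.sub(r"\s+", "", unquote_plus(query).lower())

def scan_iis_log(lines):
    """Yield (date, time, client_ip, uri, signature) for each suspicious request."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        if query == "-":                   # "-" means the request had no query string
            continue
        text = normalise(query)
        hit = next((s for s in SIGNATURES if s in text), None)
        if hit:
            yield (row.get("date"), row.get("time"), row.get("c-ip"),
                   row.get("cs-uri-stem", "") + "?" + query, hit)

# Constructed sample log (documentation IP addresses, not real traffic).
SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-01-01 10:00:01 192.0.2.10 GET /news.asp id=12 200
2009-01-01 10:00:05 198.51.100.7 GET /news.asp id=12%20and%201=1 200
2009-01-01 10:00:09 198.51.100.7 GET /admin/login.asp user='or'='or'&pwd=x 200
2009-01-01 10:00:12 192.0.2.10 GET /index.asp - 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE):
        print(finding)
```

IIS logs record the query string but not POST bodies by default, so strings typed into a login form will not appear here. Treat hits as leads to review, since a short signature such as and1=1 can also match harmless parameters.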
The %5c database-exposure trick: its purpose is to download the database directly from the server and obtain the user names and passwords, after which the attacker escalates privileges on the system and gains control of the whole server.
For downloader-type trojans, the main task is to check under Local Settings in Documents and Settings on Windows (the Internet 1389 1389 folder or the folder itself) for freshly generated .exe files. Focus on the .exe files under the system32 folder, paying particular attention to the most recently created .exe files, forged system files, and so on.
The above is the entire inspection process for server A, together with how the problems found were handled and the related remediation.
Server B: inspection and forensic analysis
Server B is installed with Windows 2000 Server; the operating procedure is alexandrine.
After a period of careful checking, my assistants and I did find a trojan. The trigger was that some strange code had been inserted into the website source code, and a new, very suspicious niu.exe was also found in the system32 folder. We extracted this .exe file and analyzed it in a virtual machine, and concluded that it works as follows:
After this trojan/virus .exe runs, it checks the path of the currently executing file. If the path is not %System32%\SVCH0ST.exe, it opens the directory the current file is in, copies itself to %System32% renamed as SVSH0ST.exe, and drops an autorun.inf file. It copies itself to the root directory of every drive, renamed niu.exe, and drops an .inf file to implement autorun, so that double-clicking to open a drive automatically runs the virus file. It traverses all drives and appends 96 bytes of virus code to the end of files in htm, asp, aspx, php, html and jsp format. It traverses the disks and deletes files with the GHO extension, so that the user cannot perform a system restore. It connects to the Internet to download virus files. It changes the system time to the year 2000. After running, the virus deletes itself.