Methods for doing your own Internet security inspection
  Add date: 03/14/2011   Publishing date: 03/14/2011   Hits: 56

I have worked on virus analysis and network attack response for some time. This time, at the invitation of a good friend, I helped investigate several servers. We went to a certain XXX station and did the first checks on site. After about a day, using some special equipment, tools I wrote myself, and third-party forensic software, we found problems on 10 servers, 2 of them severe. With my friend's agreement we decided to take those two back to our laboratory (referred to below as servers A and B) for further dedicated analysis.

 

My usual inspection procedure:

 

Server operating system version information -> patches installed on the operating system -> when the operating system was installed and whether it was reinstalled in between -> who maintains the server -> version information of the software installed on the server

Log checks -- IDS logs / IIS logs / system logs

Website code review -- whether the source contains one-line (webshell) trojans, whether malicious code has been inserted

Antivirus software update status -- whether it is the newest version, whether the configuration is reasonable, whether real-time monitoring is fully enabled

Data recovery -- use dedicated data recovery software to restore some deleted logs and system information, and records of file operations

Extracting suspicious files (viruses, trojans, back doors, malicious ad plugins) -- using third-party tools, or my own, to extract suspicious files from the system directories and analyse them in depth

The above steps are my personal summary; if something is wrong, I ask friends to correct me. With the theory introduced, let us practise on these servers.

 

Server A check process

 

Server A runs Windows 2000 Server, with Rising 2008 antivirus installed and updated to the latest virus definitions. No network firewall or other monitoring software was installed. The FTP server is Serv-U 6.0 (which is exposed to an overflow attack).

 

1. Raw data recovery

 

I used Datarecover software to restore some deleted files, the aim being to find trojans, back doors or viruses among the deleted files. The in-depth recovery covered files from a formatted partition as well as files deleted through the recycle bin. Unfortunately, the hacker who had obtained permissions on this server had done a professional job of cleaning up and wiped most of his traces. I personally believe he used a dedicated log-cleaning tool developed by a Japanese underground hacker group. Through the joint efforts of my assistant and myself, the system logs were restored as far as possible.

 

2. Manual analysis of suspicious files

 

In the root directory of drive C of this server there was a sethc.exe file. This file ships with Microsoft Windows; it is the system's sticky keys program. Its real size should be 27 KB, but this file was 270 KB. At first I thought this was due to patching. But after reading some material and doing some training, I learned that such a file is a newly developed type of back door. Its main usage: connect through the 3389 terminal service, press the shift key 5 times, and sethc.exe is invoked directly with system permissions, which gives control of the server. The attacker also usually deletes some normal exe files on drive C and puts his own counterfeit files under the deleted names, creating an illusion.
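As an added illustration (not code from the original post), a Python check for the replaced sethc.exe described above, meant to be run against a copy of System32 taken from a disk image. The baseline sizes and hashes are assumed placeholders that an investigator would take from clean install media of the same OS and patch level; the other accessibility helper names are my generalisation of the same replacement trick.

```python
import hashlib
import tempfile
from pathlib import Path

# Logon-screen accessibility helpers. The post discusses only sethc.exe;
# the other names are my generalisation (assumption), same trick applies.
ACCESSIBILITY = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system32(system32: Path, baseline: dict) -> list:
    """baseline maps file name -> (expected size, expected sha256), taken from
    clean install media of the same OS/patch level. Returns a list of findings."""
    findings = []
    cmd = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.is_file() else None
    for name in ACCESSIBILITY:
        p = system32 / name
        if not p.is_file():
            continue
        size, digest = p.stat().st_size, sha256_of(p)
        # A helper that is byte-identical to cmd.exe has been swapped for a shell.
        if digest == cmd_hash:
            findings.append(f"{name}: identical to cmd.exe")
        if name in baseline:
            exp_size, exp_hash = baseline[name]
            if size != exp_size:
                findings.append(f"{name}: {size} bytes, expected {exp_size}")
            elif digest != exp_hash:
                findings.append(f"{name}: same size as reference but hash differs")
    return findings


def make_sample_system32():
    """Constructed demo data (not a real image): a 270 KB cmd.exe, a sethc.exe
    that is a copy of it, and an untouched 27 KB utilman.exe, plus a baseline."""
    d = Path(tempfile.mkdtemp())
    shell = b"MZ" + b"\x90" * (270 * 1024 - 2)
    clean = b"MZ" + b"\x00" * (27 * 1024 - 2)
    (d / "cmd.exe").write_bytes(shell)
    (d / "sethc.exe").write_bytes(shell)
    (d / "utilman.exe").write_bytes(clean)
    clean_hash = hashlib.sha256(clean).hexdigest()
    baseline = {"sethc.exe": (27 * 1024, clean_hash), "utilman.exe": (27 * 1024, clean_hash)}
    return d, baseline
```

On the constructed sample, `check_system32` reports sethc.exe twice (identical to cmd.exe, and 276480 bytes instead of 27648) and nothing for utilman.exe.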

 
