Windows
File analysis
Startup item check
- Under normal circumstances, Trojans, viruses and other malicious programs register themselves to start automatically at boot
- Three places to check
- The Startup folder: C:\Users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- msconfig: check whether anything has been added to the startup entries, including registry entries
- regedit opens the Registry Editor; check the Run key
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Submit any suspicious file to antivirus software for scanning and removal
Temp: abnormal temporary files
- Open the %temp% folder
- Look for executable files (exe, dll, sys) or unusually large tmp files
- Upload the file to
https://www.virustotal.com/
to check whether it is malicious code
Browser information analysis
- After a server has been compromised, the attacker may have used its browser to visit websites; check the browser records to see whether malicious code was downloaded
- View the browsing history
- View the download history
- View the cookies
File time attribute analysis
- Under Windows, a file's time attributes are the creation time, modification time and access time (updating of the access time is disabled by default)
- If the modification time is earlier than the creation time, the file is suspicious: tools such as China Chopper can alter the modification time. The creation, modification and access times can be viewed in the file's Properties dialog.
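The "modified before it was created" rule above can be checked over a whole directory tree. The Python below is an added example, not code from the original post: it compares each file's creation time with its modification time and lists the files whose timestamps are out of order. The two-second tolerance and the default web root path are assumptions; on Linux the stat structure carries no creation time (st_ctime there is the inode change time), so such files are skipped rather than misreported.

```python
import os
import sys
from datetime import datetime, timezone

# Added example, not from the original post. Checks the "modification time earlier
# than creation time" rule. The two-second tolerance is an assumption that absorbs
# filesystem timestamp granularity.


def timestamps_suspicious(creation_ts: float, modification_ts: float,
                          tolerance_s: float = 2.0) -> bool:
    """True when a file claims to have been modified before it was created.

    A normal file is created first and modified later, so mtime earlier than the
    creation time is a common sign that the modification time was overwritten.
    """
    return modification_ts < creation_ts - tolerance_s


def creation_time(st: os.stat_result):
    """Best-effort creation time: st_birthtime where the platform exposes it
    (macOS, FreeBSD, Python 3.12+ on Windows), otherwise st_ctime on Windows,
    where it means creation time. On Linux st_ctime is the inode change time,
    so None is returned and the caller skips the file."""
    if hasattr(st, "st_birthtime"):
        return st.st_birthtime
    if sys.platform == "win32":
        return st.st_ctime
    return None


def scan_directory(path: str):
    """Walk a directory tree and return (path, created, modified) for files
    whose timestamps are out of order. A missing directory yields no results."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable or vanished file; skip it
            created = creation_time(st)
            if created is None:
                continue
            if timestamps_suspicious(created, st.st_mtime):
                hits.append((full,
                             datetime.fromtimestamp(created, timezone.utc),
                             datetime.fromtimestamp(st.st_mtime, timezone.utc)))
    return hits


if __name__ == "__main__":
    # Assumed default: the IIS web root; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\inetpub\wwwroot"
    for full, created, modified in scan_directory(target):
        print(f"{full}: created {created:%Y-%m-%d %H:%M:%S}, "
              f"modified {modified:%Y-%m-%d %H:%M:%S}")
```

Run it on the web root or on %temp% after an incident; every hit deserves a manual look at the file's contents, since a legitimate restore from backup can also produce this pattern.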
File analysis: recently opened files
- Win+R and enter
%UserProfile%\Recent
- Shows the recently opened files
- find /n /i "eval" <file> searches a specific file for "eval" (/n prints line numbers, /i ignores case; /c would print only a count of matching lines instead of the lines themselves)
- Returns the lines containing eval
Suspicious process discovery and shutdown
- Communication between the computer and the external network runs over TCP or UDP, and each connection uses a port (0-65535). If the computer is infected with a Trojan it will communicate with the outside; by viewing the network connection status you can find the corresponding process ID and terminate that process
- netstat -ano | find "ESTABLISHED" shows the current network connections
- tasklist /svc | find "PID" shows the program corresponding to a specific PID
- taskkill /PID 12696 /T terminates the process together with its child processes
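Running netstat and tasklist separately and matching PIDs by eye is error-prone once there are dozens of connections. The Python below is an added example, not code from the original post: it parses the text output of `netstat -ano` and `tasklist /svc`, joins the two by PID and prints every ESTABLISHED connection with the image name and services behind it. Both text samples are constructed (the process name update.exe and the address 203.0.113.5, a documentation address, are invented); on a live host the same text would come from running the two commands.

```python
import re

# Added example, not from the original post. Parses `netstat -ano` and
# `tasklist /svc` output and joins them by PID. The samples are constructed.

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:49712     203.0.113.5:4444       ESTABLISHED     12696
  TCP    192.168.1.10:49800     93.184.216.34:443      ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1532
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    900 RpcEptMapper, RpcSs
update.exe                   12696 N/A
chrome.exe                    4120 N/A
svchost.exe                   1532 Dnscache
"""


def parse_netstat(text):
    """Return one dict per socket line. UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # unexpected layout; ignore rather than mis-attribute a PID
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


# Image name, then the PID column, then the service list (or N/A).
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_tasklist(text):
    """Map PID -> (image name, services). Header and separator lines do not
    contain a numeric PID column, so the regex skips them."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if m:
            procs[int(m.group("pid"))] = (m.group("image"), m.group("services").strip())
    return procs


def established_connections(netstat_text, tasklist_text):
    """Join ESTABLISHED TCP connections with their owning process."""
    procs = parse_tasklist(tasklist_text)
    result = []
    for row in parse_netstat(netstat_text):
        if row["state"] != "ESTABLISHED":
            continue
        image, services = procs.get(row["pid"], ("<unknown>", ""))
        result.append({"pid": row["pid"], "image": image, "services": services,
                       "local": row["local"], "remote": row["remote"]})
    return result


if __name__ == "__main__":
    # On a live host: subprocess.run(["netstat", "-ano"], capture_output=True, text=True)
    # and the same for ["tasklist", "/svc"] would supply the text instead.
    for c in established_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {c['pid']:>6} {c['image']:<14} {c['local']} -> {c['remote']}  [{c['services']}]")
```

A PID that appears in netstat but not in tasklist (shown as `<unknown>`) is itself worth noting: it usually means the process exited between the two commands, so capture both outputs as close together as possible.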
System information
Windows scheduled tasks
- Scheduled tasks perform fixed operations at fixed times; malicious code may likewise be set up to run on a schedule.
- Use the schtasks.exe command to manage scheduled tasks; running it with no arguments lists the scheduled tasks saved on the current computer
- Or open Task Scheduler from the Windows Administrative Tools in the Start menu
Hidden account discovery and deletion
- A hidden account is an account created in the system so that it is not easily discovered, used by an attacker to keep access to the computer after an intrusion
net user test$ test /add && net localgroup administrators test$ /add : the $ suffix prevents the test$ user from appearing when an administrator runs net user
- Such an account can be deleted from Computer Management or from the user accounts in Control Panel
- After opening the registry with Win+R regedit and granting yourself permission on the SAM key, the hidden test$ account can be found and removed there
Malicious process discovery and shutdown
- When malicious code runs on Windows it appears as a process, and that process carries out the malicious actions
- For executable programs, use antivirus software to scan and remove, or check manually: inspect the process with Process Explorer and then analyze the file on virustotal.com. Shut down the services related to the malicious program
Patch review and update
- systeminfo displays system information, including the identifiers of the installed system patches.
- Installed system patches and third-party software patches can also be seen in the installed-updates view of the uninstall-software list
- For third-party software, open Control Panel and look under Programs and Features
Webshell scanning
- D-Shield (D盾) Firewall is a proactive protection tool designed for IIS. It combines internal and external protection to keep websites and servers from being intruded, following the principle that the fewer functions a server exposes, the more secure it is. While design
- http://www.d99net.net/
Linux analysis and troubleshooting
File analysis: sensitive file information
tmp
Everything in Linux is a file. /tmp is a special temporary directory that every user can read and write, so an ordinary user can create and modify files there
- ls -alt / (a: all entries, l: long format, t: sort by modification time)
Files uploaded to the tmp directory and their permissions
cd /tmp/
ls -alh
/etc/init.d/
- Malicious code may register itself here to start automatically
- ls -alh /etc/init.d/
- View the contents of the startup scripts
- View the files in the directory in chronological order (the t flag sorts by modification time)
ls -alht /etc/init.d/ | head -n 10
- View a file's time attributes: stat apache2 returns detailed timestamp information
- /etc/init.d/<program name> status shows the service's status
- update-rc.d <program name> disable prevents it from starting at boot; enable makes it start automatically at boot
New file analysis:
- find ./ -mtime 0 -name "*.php" finds files modified within the last 24 hours
- find ./ -mtime 2 -name "*.php" finds files modified within 72 hours
- Permission search: find ./ -iname "*.php" -perm 777 (-iname ignores case, -perm filters by file permission bits)
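One caveat a responder should keep in mind: GNU find truncates a file's age to whole days before comparing it with the -mtime argument, so -mtime 2 selects files modified between 48 and 72 hours ago, while -mtime -3 is the form that means "within 72 hours"; likewise -perm 777 matches only that exact mode, whereas -perm -o+w catches any world-writable file. The Python below is an added example, not code from the original post: it implements those two rules and runs them over a constructed list of (path, age, mode) tuples, so the selection can be checked without a real web root. The paths are invented.

```python
import stat

# Added example, not from the original post. Mirrors the rounding rule GNU find
# applies to -mtime and the matching rule of -perm over a constructed file list.

SECONDS_PER_DAY = 86400


def mtime_matches(age_seconds: float, n: int) -> bool:
    """find -mtime n: the file's age is truncated to whole days and compared to n.
    -mtime 0 -> modified in the last 24 h; -mtime 2 -> between 48 h and 72 h ago."""
    return int(age_seconds // SECONDS_PER_DAY) == n


def mtime_younger_than(age_seconds: float, n: int) -> bool:
    """find -mtime -n: truncated age in days is less than n, i.e. 'within n*24 h'."""
    return int(age_seconds // SECONDS_PER_DAY) < n


def perm_exact(mode: int, wanted: int) -> bool:
    """find -perm 777: the permission bits must equal the value exactly."""
    return stat.S_IMODE(mode) == wanted


def perm_world_writable(mode: int) -> bool:
    """find -perm -o+w: any mode with the other-write bit set, which catches
    666 and 757 as well as 777."""
    return bool(stat.S_IMODE(mode) & stat.S_IWOTH)


# Constructed sample: (path, seconds since last modification, permission bits)
SAMPLE_FILES = [
    ("/var/www/html/index.php", 30 * SECONDS_PER_DAY, 0o644),
    ("/var/www/html/uploads/x.php", 3600, 0o777),
    ("/var/www/html/lib/util.php", 60 * 3600, 0o644),
    ("/var/www/html/old.php", 80 * 3600, 0o757),
]


def triage(files, within_days: int = 3):
    """Return (path, reasons) for files modified within `within_days` days
    (find -mtime -N) or writable by everyone (find -perm -o+w)."""
    findings = []
    for path, age, mode in files:
        reasons = []
        if mtime_younger_than(age, within_days):
            reasons.append(f"modified within {within_days} days")
        if perm_world_writable(mode):
            reasons.append(f"world-writable (mode {stat.S_IMODE(mode):o})")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES):
        print(path, "->", "; ".join(reasons))
```

In the sample, old.php (mode 757, modified 80 hours ago) is missed by both `-mtime 2` and `-perm 777` yet is still writable by any local user, which is why the looser forms are the ones worth running during triage.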
Network connection analysis
- netstat -pantl (p: show the owning process, a: all sockets, n: numeric addresses, t: TCP only, l: listening sockets)
- kill -9 PID terminates the process
Process analysis: the files of a process
- In Linux, ps shows process-related information
- ps aux | grep "PID" lists all processes and then filters out the information for a specific PID
Login analysis
- Operations performed in Linux are recorded in the system logs
- The log information can also be checked for abnormal logins
last -i | grep -v 0.0.0.0
View the login log, filtering out local logins
w shows the users currently logged in
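The `last -i | grep -v 0.0.0.0` pipeline above drops console logins but still leaves a long list to read by hand. The Python below is an added example, not code from the original post: it parses `last -i` output, applies the same local-login filter, counts remote logins per user and source address, and flags sessions that started in an assumed quiet window (00:00 to 05:59). The sample output is constructed, and its addresses come from documentation ranges.

```python
import re
from collections import Counter

# Added example, not from the original post. Parses `last -i` output, drops
# local logins (host 0.0.0.0, which `grep -v 0.0.0.0` removes) and summarizes
# the remainder. The sample is constructed.

LAST_SAMPLE = """\
root     pts/0        203.0.113.5      Tue Nov 14 02:13   still logged in
admin    pts/1        198.51.100.7     Mon Nov 13 22:01 - 22:40  (00:39)
root     tty1         0.0.0.0          Mon Nov 13 09:00 - 17:30  (08:30)
root     pts/2        203.0.113.5      Sun Nov 12 03:05 - 03:07  (00:02)
reboot   system boot  0.0.0.0          Sun Nov 12 00:00   still running

wtmp begins Wed Nov  1 00:00:00 2023
"""

# user, tty ("system boot" for reboot records), host, then the start timestamp.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>system boot|\S+)\s+(?P<host>\S+)\s+"
    r"(?P<day>\w{3}) (?P<mon>\w{3}) +(?P<dom>\d+) (?P<hour>\d{2}):(?P<minute>\d{2})(?P<rest>.*)$"
)
LOCAL_HOSTS = {"0.0.0.0", "::", "localhost"}


def parse_last(text):
    """Return one dict per login record; the wtmp footer and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "user": m.group("user"),
            "tty": m.group("tty"),
            "host": m.group("host"),
            "hour": int(m.group("hour")),
            "when": f"{m.group('day')} {m.group('mon')} {m.group('dom')} "
                    f"{m.group('hour')}:{m.group('minute')}",
            "active": "still logged in" in m.group("rest"),
        })
    return records


def remote_logins(text):
    """Logins that did not come from the local console (the grep -v 0.0.0.0 step)."""
    return [r for r in parse_last(text) if r["host"] not in LOCAL_HOSTS]


def summarize(records):
    """Count logins per (user, source host)."""
    return Counter((r["user"], r["host"]) for r in records)


def off_hours(records, start=0, end=6):
    """Logins whose start hour falls in [start, end); 00:00-05:59 is an assumed quiet window."""
    return [r for r in records if start <= r["hour"] < end]


if __name__ == "__main__":
    remote = remote_logins(LAST_SAMPLE)
    for (user, host), n in summarize(remote).items():
        print(f"{user:<8} from {host:<16} {n} login(s)")
    for r in off_hours(remote):
        flag = " (still active)" if r["active"] else ""
        print(f"off-hours: {r['user']} from {r['host']} at {r['when']}{flag}")
```

Cross-check the source addresses against the bastion hosts or VPN ranges that should be the only way in; a root session from an unexpected address that is still active is the first thing to act on.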
Analysis and removal of abnormal users
- In Linux the root user can do anything on the system
Add a user: useradd username
Set a password: passwd username, then enter the password
Setting a user's uid and gid to 0 (root's are 0 and 0) gives it root privileges; this is done by editing the file shown by
cat /etc/passwd
grep "0:0" /etc/passwd lists users with root privileges
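Grepping for the substring "0:0" is a quick first pass, but it both misses a uid-0 account whose gid is not 0 and matches an ordinary account whose uid happens to end in 0 (1000:0, for instance). The Python below is an added example, not code from the original post: it splits each /etc/passwd line into its seven fields and tests the uid field itself, and it also lists accounts with an empty password field and a usable shell. The passwd content is constructed; the account names backup, toor and guest are invented for the demonstration.

```python
# Added example, not from the original post. Parses /etc/passwd fields instead
# of grepping for the substring "0:0". The sample content is constructed.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:0:0:backup:/var/backups:/bin/bash
toor:x:0:1000:toor:/home/toor:/bin/sh
guest:x:1000:0:guest:/home/guest:/bin/bash
"""


def parse_passwd(text):
    """Yield a dict with the seven passwd fields per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        try:
            yield {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                   "gecos": gecos, "home": home, "shell": shell}
        except ValueError:
            continue  # non-numeric uid/gid; not a valid entry


def uid_zero_accounts(text, expected=("root",)):
    """Accounts with uid 0 other than the expected ones (gid is irrelevant:
    uid 0 alone is root)."""
    return [u["name"] for u in parse_passwd(text)
            if u["uid"] == 0 and u["name"] not in expected]


def naive_grep_0_0(text):
    """What `grep "0:0" /etc/passwd` returns, for comparison."""
    return [line.split(":")[0] for line in text.splitlines() if "0:0" in line]


def empty_password_accounts(text):
    """Accounts whose password field is empty and whose shell can actually be used
    (with shadow passwords the field is normally 'x', never empty)."""
    return [u["name"] for u in parse_passwd(text)
            if u["pw"] == "" and not u["shell"].endswith(("nologin", "false"))]


if __name__ == "__main__":
    # On a live host: open("/etc/passwd").read() instead of the sample.
    print("uid 0 accounts besides root:", uid_zero_accounts(PASSWD_SAMPLE))
    print("naive grep '0:0' would list:", naive_grep_0_0(PASSWD_SAMPLE))
    print("accounts with empty password field:", empty_password_accounts(PASSWD_SAMPLE))
```

In the sample the grep lists root, backup and guest, while the field-based check returns backup and toor: guest is a false positive and toor (uid 0, gid 1000) is the one the grep would have missed.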
History command analysis: history
- By default Linux records previously executed commands in the /root/.bash_history file
- View it with cat /root/.bash_history or with the history command
- Pay special attention to commands such as wget, ssh, tar, zip and changes to the system configuration
- history | grep "ssh"
Scheduled task troubleshooting: crontab
- In Linux, scheduled tasks are managed with the crontab command
-e edits the current user's scheduled tasks
-l lists the scheduled tasks currently set to run
-r deletes the user's scheduled tasks
- Pay special attention to unknown entries in the scheduled tasks
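Grepping history for one keyword at a time, as in `history | grep "ssh"`, scales poorly when several command families matter. The Python below is an added example, not code from the original post: it scans history lines for the command families named above (wget, curl, ssh, tar, zip and changes under /etc) plus anything touching a temp directory, and it parses crontab entries and flags those whose command runs from a temp directory or a hidden path. The history and crontab samples are constructed; the path /tmp/.x and the addresses are invented.

```python
import re

# Added example, not from the original post. Flags history lines and crontab
# entries that deserve a second look. Both samples are constructed.

HISTORY_SAMPLE = """\
ls -la
cd /var/www/html
wget http://203.0.113.5/agent.sh -O /tmp/agent.sh
chmod +x /tmp/agent.sh
ssh backup@198.51.100.7
tar czf /tmp/www.tgz /var/www/html
vim /etc/ssh/sshd_config
"""

CRONTAB_SAMPLE = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
@reboot /home/deploy/start_app.sh
"""

# Command names matched as whole words, so "tar" does not fire on "start".
COMMAND_RE = re.compile(r"\b(wget|curl|ssh|scp|tar|zip|unzip|useradd|passwd|chmod|crontab)\b")
# Path prefixes worth a second look: system configuration and temp directories.
PATH_HINTS = ("/etc/", "/tmp/", "/var/tmp/", "/dev/shm")


def flag_history(text):
    """Return (line number, command, reasons) for history lines of interest."""
    flagged = []
    for n, cmd in enumerate(text.splitlines(), start=1):
        reasons = [m.group(1) for m in COMMAND_RE.finditer(cmd)]
        reasons += [p for p in PATH_HINTS if p in cmd]
        if reasons:
            flagged.append((n, cmd, reasons))
    return flagged


def parse_crontab(text):
    """Yield (schedule, command) per entry; comments, blanks and incomplete lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @reboot, @daily, ... take one field
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            yield parts[0], parts[1]
        else:                             # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            yield " ".join(parts[:5]), parts[5]


def flag_crontab(text):
    """Entries whose command involves a temp directory or a hidden path component."""
    flagged = []
    for schedule, command in parse_crontab(text):
        reasons = [p for p in PATH_HINTS[1:] if p in command]
        if re.search(r"/\.[^/\s]+", command):   # a "/.something" component
            reasons.append("hidden path component")
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged


if __name__ == "__main__":
    for n, cmd, reasons in flag_history(HISTORY_SAMPLE):
        print(f"history {n:>3}: {cmd}   <- {', '.join(reasons)}")
    for schedule, command, reasons in flag_crontab(CRONTAB_SAMPLE):
        print(f"crontab [{schedule}] {command}   <- {', '.join(reasons)}")
```

Check every user's crontab (`crontab -l -u <user>`), not only root's, and remember that a history file can be cleared or redirected to /dev/null by the intruder, so an empty history on a busy server is itself a finding.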
Abnormal $PATH variable
- PATH determines which directories the shell searches for commands and programs. Its value is a list of directories; when you run a program such as ls or cd, Linux looks for it in these directories in order
- echo $PATH
- Modify PATH: export PATH=$PATH:/usr/local/new/bin takes effect in the current terminal only and is lost after a restart
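The entries to look for in `echo $PATH` output are an empty element (two adjacent colons or a trailing colon), a lone dot, a relative path, and any directory under /tmp, /var/tmp or /dev/shm: each of these lets a file planted by an unprivileged user be found before the real command. The Python below is an added example, not code from the original post: it audits a PATH string for those conditions and, as a second step meant to run on the host under investigation, checks which PATH directories actually exist and are world-writable. The PATH string in the test is constructed.

```python
import os
import stat

# Added example, not from the original post. Audits a PATH value for entries
# that make the shell search the current directory or a world-writable
# directory for commands.

TEMP_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")


def _under(entry: str, prefix: str) -> bool:
    """True if entry is prefix itself or lies below it (not merely a name prefix)."""
    return entry == prefix or entry.startswith(prefix + "/")


def audit_path(path_value: str):
    """Return (position, entry, problem) for each questionable PATH entry."""
    findings = []
    for idx, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):
            findings.append((idx, entry, "current working directory is searched for commands"))
        elif not entry.startswith("/"):
            findings.append((idx, entry, "relative entry, resolved against the current directory"))
        elif any(_under(entry, p) for p in TEMP_PREFIXES):
            findings.append((idx, entry, "temporary directory any user can write to"))
    return findings


def writable_dirs_on_path(path_value: str):
    """PATH entries that exist on this filesystem and are writable by everyone.
    Only meaningful when run on the host being investigated; missing entries are ignored."""
    hits = []
    for entry in path_value.split(":"):
        try:
            st = os.stat(entry or ".")
        except OSError:
            continue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    current = os.environ.get("PATH", "")
    for idx, entry, problem in audit_path(current):
        print(f"PATH[{idx}] {entry!r}: {problem}")
    for entry in writable_dirs_on_path(current):
        print(f"world-writable directory on PATH: {entry!r}")
```

Run it from the shell of the user whose activity is being examined, since PATH is per-session; also read ~/.bashrc, ~/.profile and /etc/profile.d/ for the line that sets a bad entry, because the change survives a restart only if it is written to one of those files.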
Windows system log analysis
- Start --> Administrative Tools --> Event Viewer
- Win+R to open Run, enter "eventvwr.msc" and press Enter to open Event Viewer
- Windows system log filtering
The Windows log management tool provides a filtering function to make viewing easier. (Different types of logs have different numbers, and each operation has its own event ID)
4624 - logon successful; 4625 - logon failed; 4634 - logoff successful; 4647 - user-initiated logoff; 4672 - logon with special (administrator) privileges
- When mstsc is used to log in to a host remotely with an administrator account, a successful login generates events with IDs 4776, 4648, 4672 and 4624
- During intrusion and privilege escalation, the following two commands are often used
- net user USER PASSWORD /add
- net localgroup administrators USER /add
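Filtering on one event ID in Event Viewer shows individual events; the patterns worth finding are sequences. The Python below is an added example, not code from the original post: over a constructed list of Security events it reports a success (4624) preceded by a burst of failures (4625) from the same account and source, which suggests password guessing, and a 4624 immediately followed by 4672 for the same account, which is the privileged logon the text describes for an administrator RDP session (logon type 10 is RemoteInteractive). The events, account names, timestamps and the thresholds (five failures within five minutes, 4672 within five seconds) are all assumptions; on a real host the same records would come from the Security log, for example via `wevtutil qe Security` or Get-WinEvent.

```python
from datetime import datetime, timedelta

# Added example, not from the original post. Correlates 4624/4625/4672 events
# over a constructed event list; thresholds are assumptions.

EVENT_NAMES = {
    4624: "logon successful", 4625: "logon failed", 4634: "logoff successful",
    4647: "user-initiated logoff", 4648: "logon with explicit credentials",
    4672: "special privileges assigned", 4776: "credential validation (NTLM)",
}


def ev(ts, event_id, user, src="", logon_type=None):
    """Build one simplified event record from an ISO timestamp."""
    return {"time": datetime.fromisoformat(ts), "id": event_id, "user": user,
            "src": src, "logon_type": logon_type}


# Constructed sample; 203.0.113.5 is a documentation address.
EVENTS = [ev(f"2023-11-14T02:00:{s:02d}", 4625, "administrator", "203.0.113.5", 3)
          for s in range(1, 7)] + [
    ev("2023-11-14T02:00:08", 4624, "administrator", "203.0.113.5", 10),
    ev("2023-11-14T02:00:08", 4672, "administrator"),
    ev("2023-11-14T09:15:00", 4624, "alice", "192.168.1.50", 2),
    ev("2023-11-14T09:15:30", 4634, "alice"),
]


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Each 4624 preceded by at least `threshold` 4625s for the same user and
    source within `window` is reported as (user, src, failures, success time)."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        fails = [f for f in events
                 if f["id"] == 4625 and f["user"] == e["user"] and f["src"] == e["src"]
                 and e["time"] - window <= f["time"] < e["time"]]
        if len(fails) >= threshold:
            hits.append((e["user"], e["src"], len(fails), e["time"]))
    return hits


def privileged_logons(events, max_gap=timedelta(seconds=5)):
    """4624 events followed within `max_gap` by a 4672 for the same account."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        if any(p["id"] == 4672 and p["user"] == e["user"]
               and timedelta(0) <= p["time"] - e["time"] <= max_gap for p in events):
            hits.append({"time": e["time"], "user": e["user"], "src": e["src"],
                         "logon_type": e["logon_type"],
                         "rdp": e["logon_type"] == 10})
    return hits


if __name__ == "__main__":
    for user, src, n, when in detect_password_guessing(EVENTS):
        print(f"{when}: {n} failed logons for {user} from {src} before a success")
    for h in privileged_logons(EVENTS):
        kind = "RDP" if h["rdp"] else f"type {h['logon_type']}"
        print(f"{h['time']}: privileged logon by {h['user']} from {h['src']} ({kind})")
```

A privileged RDP logon at 02:00 from an external address right after six failures is the kind of sequence to pivot on: the next step is to look for 4720 (account created) and 4732 (member added to a local group) events from the same session, which is what the two net commands listed above produce in the log.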