Emergency response process

Windows

File analysis

Startup item check

  • Trojans, viruses and other malicious programs normally arrange to start automatically at boot
  • Three places to check:
  1. C:\Users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  2. msconfig: check the Startup tab for programs that were added to autostart through the registry
  3. regedit opens the Registry Editor; check the Run key:
    Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Submit any suspicious startup file to an anti-malware scanner to check and remove it

Temp: suspicious temporary files

  • Open the %temp% folder
  • Look for executables (exe, dll, sys) or unusually large tmp files
  • Upload the file to https://www.virustotal.com/ to check whether it is malicious code

Browser information analysis

  • After the server has been compromised, the attacker may have used its browser to visit websites; check the browser records for evidence that malicious code was downloaded
  1. Browsing history
  2. Download history
  3. Cookies

File time attribute analysis

  • Under Windows, a file's time attributes are creation time, modification time and access time (access time updating is disabled by default)
  • If the modification time is earlier than the creation time, the file is suspicious: tools such as China Chopper (中国菜刀) can rewrite a file's modification time. Creation, modification and access time are shown in the file's Properties dialog.
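The timestamp check above can be automated over a whole web root instead of opening Properties file by file. The script below is an added example, not code from the original post: it walks a directory and reports every file whose modification time precedes its creation time. It assumes a Windows host (where os.stat reports creation time as st_ctime, or as st_birthtime on recent Python), since on Linux st_ctime is the inode-change time and the comparison only means something where st_birthtime is available.

```python
"""Flag files whose modification time is earlier than their creation time.

Added example, not code from the original post. On Windows, os.stat() reports
creation time as st_ctime (and as st_birthtime on Python 3.12+); on Linux
st_ctime is the inode-change time, so there the check only has meaning when the
platform exposes st_birthtime (macOS and the BSDs do).
"""
import os
import sys
from datetime import datetime, timezone


def creation_time(st: os.stat_result) -> float:
    """Return the best available creation timestamp from a stat result."""
    return getattr(st, "st_birthtime", st.st_ctime)


def is_timestomped(created: float, modified: float, tolerance: float = 1.0) -> bool:
    """True when a file claims to have been modified before it existed.

    A small tolerance absorbs filesystem timestamp granularity (FAT stores the
    modification time in 2-second steps)."""
    return modified < created - tolerance


def scan_directory(root: str) -> list[dict]:
    """Walk root and return one record per file with an impossible timestamp order."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable, or removed while we were scanning
            created, modified = creation_time(st), st.st_mtime
            if is_timestomped(created, modified):
                hits.append({
                    "path": path,
                    "created": datetime.fromtimestamp(created, timezone.utc).isoformat(),
                    "modified": datetime.fromtimestamp(modified, timezone.utc).isoformat(),
                })
    return hits


if __name__ == "__main__":
    # Usage: python timestomp_scan.py C:\inetpub\wwwroot   (defaults to the current directory)
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit['path']}: modified {hit['modified']} before created {hit['created']}")
```

A file that fails this check is not proof of tampering on its own (copy tools and backups can produce odd orderings), but it is exactly the kind of candidate to pull into the "recently opened files" and webshell checks that follow.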

File analysis: recently opened files

  • Win+R, enter %UserProfile%\Recent
  • Shows the recently opened files
  • find /c /n /i "eval" <file> searches the given file for the string eval (case-insensitive)
  • Returns the lines containing eval

Suspicious process discovery and shutdown

  • Communication between the computer and the external network runs over TCP or UDP, and each connection uses a port (0-65535). If the computer is infected with a Trojan, it will communicate with the external network; by viewing the network connection status you can find the corresponding process ID and terminate that process
  • netstat -ano | find "ESTABLISHED" shows the established network connections together with their PIDs
  • tasklist /svc | find "PID" shows the program (and the services it hosts) behind a specific PID
  • taskkill /PID 12696 /T terminates the process and its child processes

System information

Windows scheduled tasks

  • Scheduled tasks perform fixed operations at a fixed time; malicious code can be scheduled to run the same way.
  • Use schtasks.exe to manage scheduled tasks; running it with no arguments lists the scheduled tasks saved on the current computer
  • Or open Task Scheduler under Administrative Tools in the Start menu

Hidden account discovery and deletion

  • A hidden account is an account created on the system in a way that is not easily discovered, so that an attacker can keep access to the computer after an intrusion

net user test$ test /add && net localgroup administrators test$ /add creates such an account; the trailing $ in the name keeps test$ out of the list the administrator sees with net user

  • The account can be deleted through Computer Management or the Control Panel user accounts
  • Alternatively, Win+R, regedit, open the registry; after granting yourself permission on the key, the hidden test$ account becomes visible

Malicious process discovery and shutdown

  • When malicious code runs on Windows it appears as a process, and that process carries out the malicious actions
  • An executable can be scanned directly with anti-virus software or examined manually: inspect it with Process Explorer, submit it to virustotal.com for analysis, then stop the services related to the malicious program

Patch review and update

  • systeminfo shows system information, including the numbers (KB IDs) of the installed hotfixes.
  • System patches and third-party software patches can also be viewed under installed updates in the uninstall-programs list
  • For third-party software, open Control Panel and view Programs and Features

Webshell scanning

  • D-Shield (D盾) is proactive protection software designed specifically for IIS. It combines internal and external protection to keep websites and servers from being compromised, and is designed on the principle that, while the various websites keep running normally, the fewer functions a server exposes the more secure it is.
  • http://www.d99net.net/

Linux analysis and troubleshooting

File analysis: sensitive file information

/tmp

Everything in Linux is a file. /tmp is a special temporary directory that every user can read and write, so even an ordinary user can read and write in /tmp, which makes it a common location for uploaded files

  • ls -alt /: a = all entries, l = long format, t = sort by modification time

Check the files uploaded to the tmp directory and their permissions:
cd /tmp/
ls -alh

/etc/init.d/

  • Malicious code may install itself here so that it starts automatically
  • ls -alh /etc/init.d/
  • View the contents of the startup items
  • View the files in the directory: ls -alh /etc/init.d/ | head -n 10 (use -alt instead of -alh to sort by modification time)
  • View a file's time attributes: stat apache2 returns the detailed timestamps of the file
  • /etc/init.d/<program name> status shows the service status
  • update-rc.d <program name> disable stops it from starting at boot; enable makes it start automatically at boot

New file analysis:

  • find ./ -mtime 0 -name "*.php" finds PHP files modified within the last 24 hours
  • find ./ -mtime 2 -name "*.php" finds PHP files modified within 72 hours (strictly, -mtime 2 matches files modified 48 to 72 hours ago; -mtime -3 matches everything within the last 72 hours)
  • Permission search: find ./ -iname "*.php" -perm 777 (-iname ignores case; -perm filters by file permission bits)
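The same searches can be done from a script so the results can be sorted, diffed against a baseline or fed to the next check. The block below is an added example, not code from the original post: it reimplements the -iname, -mtime and -perm filters over a directory tree, and demo_fixture() builds a constructed sample web root (the file names and permissions in it are made up) so the script runs offline.

```python
"""Locate recently modified or over-permissive files under a web root.

Added example, not from the original post. It does in Python what the find
commands above do, so the results can be post-processed instead of read off a
terminal. The web root and files built by demo_fixture() are constructed data.
"""
import fnmatch
import os
import stat
import tempfile
import time


def find_files(root, pattern="*.php", modified_within_hours=None, perm=None):
    """Return paths (relative to root) that match pattern case-insensitively (like
    -iname), were modified within the last N hours, and/or carry exactly the given
    permission bits (like -perm 777).

    Note the difference from find: -mtime 0 means "0 to 24 hours ago" and
    -mtime 2 means "48 to 72 hours ago"; this function takes a plain window."""
    now = time.time()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # removed or unreadable while scanning
            if modified_within_hours is not None and st.st_mtime < now - modified_within_hours * 3600:
                continue
            if perm is not None and stat.S_IMODE(st.st_mode) != perm:
                continue
            hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_fixture():
    """Build a constructed sample web root: a fresh world-writable upload.php, an
    index.PHP last modified three days ago, and a fresh stylesheet."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {"upload.php": 0o777, "index.PHP": 0o644, "style.css": 0o644}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("placeholder content for the constructed sample\n")
        os.chmod(path, mode)
    three_days_ago = time.time() - 3 * 24 * 3600
    os.utime(os.path.join(root, "index.PHP"), (three_days_ago, three_days_ago))
    return root


if __name__ == "__main__":
    root = demo_fixture()
    print("PHP modified in the last 24h:", find_files(root, "*.php", modified_within_hours=24))
    print("PHP with mode 777:", find_files(root, "*.php", perm=0o777))
    print("all PHP files:", find_files(root, "*.php"))
```

On a real host, point find_files at the web root instead of the fixture; a file that appears in both the "recent" and the "777" lists is the first thing to open.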

Network connection analysis

  • netstat -pantl lists TCP sockets (listening and connected) with the owning PID and program name
  • kill -9 PID forcibly terminates the process
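Both the Windows "Suspicious process discovery" section and this Linux section come down to the same step: read netstat output, keep the ESTABLISHED rows and collect the PIDs to look up with tasklist /svc or ps aux. The parser below is an added example, not code from the original post, and handles both the netstat -ano column layout and the netstat -pantl layout. The two sample outputs are constructed, including the 203.0.113.45 address (a documentation range) and the PIDs.

```python
"""Parse netstat output from Windows (netstat -ano) and Linux (netstat -pantl)
and pull out the established connections and the PIDs behind them.

Added example, not from the original post. Both sample outputs are constructed.
"""
from dataclasses import dataclass

WINDOWS_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.45:4444      ESTABLISHED     12696
  TCP    192.168.1.20:3389      192.168.1.7:51230      ESTABLISHED     1188
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    3344
"""

LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:40122          203.0.113.45:4444       ESTABLISHED 2231/python3
tcp        0      0 10.0.0.5:22             10.0.0.8:50212          ESTABLISHED -
tcp6       0      0 :::80                   :::*                    LISTEN      1021/apache2
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int           # -1 when netstat could not show it (Linux prints "-" without privileges)
    program: str = ""  # only Linux output carries the program name


def remote_host(addr: str) -> str:
    """Strip the port from an address; handles IPv4, bracketed IPv6 and bare IPv6."""
    return addr.rsplit(":", 1)[0].strip("[]")


def parse_netstat(output: str) -> list[Conn]:
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, column headers, blank lines
        proto = parts[0].lower()
        if len(parts) >= 6 and parts[1].isdigit() and parts[2].isdigit():
            # Linux layout: proto recv-q send-q local foreign [state] pid/program
            local, remote = parts[3], parts[4]
            state = parts[5] if len(parts) == 7 else ""  # UDP rows have no state column
            pid_s, _, program = parts[-1].partition("/")
            pid = int(pid_s) if pid_s.isdigit() else -1
        else:
            # Windows layout: proto local foreign [state] pid
            local, remote = parts[1], parts[2]
            state = parts[3] if len(parts) == 5 else ""
            pid, program = int(parts[-1]), ""
        conns.append(Conn(proto, local, remote, state, pid, program))
    return conns


def established(conns: list[Conn]) -> list[Conn]:
    """The rows netstat -ano | find "ESTABLISHED" would keep."""
    return [c for c in conns if c.state.upper() == "ESTABLISHED"]


def pids_to_check(conns: list[Conn]) -> list[int]:
    """Distinct PIDs with an established connection, ready for tasklist /svc or ps aux."""
    return sorted({c.pid for c in established(conns) if c.pid > 0})


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        conns = parse_netstat(sample)
        for c in established(conns):
            print(f"[{label}] {c.local} -> {remote_host(c.remote)} pid={c.pid} {c.program}")
        print(f"[{label}] PIDs to look up:", pids_to_check(conns))
```

A PID of -1 on Linux means netstat was run without privileges and could not read the socket owner; rerun it as root before deciding which process to kill.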

Process analysis: the process and its files

  • In Linux, ps shows process information
  • ps aux | grep "PID" lists all processes and filters out the one with the specific PID

Login analysis

  • Operations performed on Linux are recorded in the system logs
  • Check the log information for abnormal logins
  • last -i | grep -v 0.0.0.0 views the login log and filters out local (non-network) logins
  • w shows who is currently logged in
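The grep -v above works because last -i prints 0.0.0.0 for logins that did not come over the network. The script below is an added example, not code from the original post: it parses last -i output, drops reboot records and the wtmp footer, and groups the remaining network logins by user and source address. The login records in LAST_I_SAMPLE are constructed.

```python
"""Separate network logins from console logins in `last -i` output.

Added example, not from the original post. The login records below are
constructed; with -i, last prints an IP address instead of a hostname and shows
0.0.0.0 for logins that did not come over the network.
"""
from collections import defaultdict

LAST_I_SAMPLE = """\
root     pts/0        203.0.113.45     Mon Mar 15 09:12   still logged in
ubuntu   pts/1        0.0.0.0          Mon Mar 15 08:40 - 08:55  (00:15)
root     tty1         0.0.0.0          Sun Mar 14 22:01 - 22:30  (00:29)
www      pts/2        198.51.100.7     Sun Mar 14 03:12 - 03:14  (00:02)
root     pts/3        203.0.113.45     Sun Mar 14 02:58 - 03:01  (00:03)
reboot   system boot  0.0.0.0          Sun Mar 14 21:58   still running

wtmp begins Mon Mar  1 00:00:01 2021
"""

LOCAL_HOST = "0.0.0.0"


def parse_last(output):
    """Return (user, tty, host, when) tuples, skipping reboot/shutdown records and the footer."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("reboot", "shutdown", "wtmp"):
            continue
        user, tty, host = parts[0], parts[1], parts[2]
        when = " ".join(parts[3:])
        records.append((user, tty, host, when))
    return records


def remote_logins(records):
    """Equivalent of `last -i | grep -v 0.0.0.0`."""
    return [r for r in records if r[2] != LOCAL_HOST]


def hosts_per_user(records):
    """Map each user to the distinct addresses they logged in from over the network,
    so a privileged account used from an unfamiliar address stands out."""
    seen = defaultdict(set)
    for user, _tty, host, _when in remote_logins(records):
        seen[user].add(host)
    return {u: sorted(h) for u, h in seen.items()}


if __name__ == "__main__":
    recs = parse_last(LAST_I_SAMPLE)
    for user, tty, host, when in remote_logins(recs):
        print(f"{user:8} {tty:6} {host:16} {when}")
    print(hosts_per_user(recs))
```

Feed it real data with `last -i > last.txt` and read the file instead of LAST_I_SAMPLE; the "still logged in" entries are the ones to compare against the output of w.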

Analysis and removal of abnormal users

  • On Linux the root user can do anything

Create a user: useradd username
Set a password: passwd username
An attacker may edit /etc/passwd to set a user's uid and gid to 0 (root is 0 and 0)
cat /etc/passwd
grep "0:0" /etc/passwd lists users with root privileges
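grep "0:0" is a quick first pass, but it matches on a substring, so an account with uid 1000 and gid 0 is reported alongside a genuine uid-0 account. The block below is an added example, not code from the original post: it splits /etc/passwd into fields and separates the accounts that really are root (uid 0) from those that are merely in the root group, and shows what the grep would have returned. PASSWD_SAMPLE is constructed; the sysadm and backup entries are the kind of edit the section describes.

```python
"""Find root-equivalent accounts in /etc/passwd without the false positives of grep "0:0".

Added example, not from the original post. PASSWD_SAMPLE is constructed data.
"""
import sys

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:1000:0:backup:/home/backup:/bin/bash
sysadm:x:0:0:sysadm:/home/sysadm:/bin/bash
dev:x:1001:1001:dev:/home/dev:/bin/bash
"""


def parse_passwd(text):
    """Return one dict per well-formed 7-field passwd line."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: worth a manual look on a real host, but not parsed here
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return users


def root_equivalent(users):
    """Accounts with uid 0 besides root: the kernel treats them as root whatever the name."""
    return [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"]


def root_group_only(users):
    """Accounts with gid 0 but a non-zero uid: in the root group, not root, still unusual."""
    return [u["name"] for u in users if u["uid"] != 0 and u["gid"] == 0]


def naive_grep(text):
    """What grep "0:0" returns: the substring also matches uids such as 1000:0."""
    return [line.split(":")[0] for line in text.splitlines() if "0:0" in line]


if __name__ == "__main__":
    # Usage: python passwd_check.py /etc/passwd   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PASSWD_SAMPLE
    users = parse_passwd(text)
    print("uid 0 besides root:", root_equivalent(users))
    print("gid 0 only:", root_group_only(users))
    print('grep "0:0" would list:', naive_grep(text))
```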

History command analysis: history

  • By default Linux records previously executed commands in the file /root/.bash_history
  • Use cat /root/.bash_history or the history command to view them
  • Pay special attention to commands such as wget, ssh, tar, zip and system configuration changes
  • history | grep "ssh"

Scheduled task troubleshooting: crontab

  • On Linux, scheduled tasks are set with the crontab command

-e edit the user's scheduled tasks
-l list the scheduled tasks currently set to run
-r remove the scheduled tasks

  • Pay special attention to unknown entries in the scheduled tasks

Abnormal $PATH variable

  • PATH determines which directories the shell searches for commands or programs. Its value is a list of directories; when you run a program such as ls, Linux looks for it in these directories in order
  • echo $PATH
  • Modify PATH: export PATH=$PATH:/usr/local/new/bin takes effect in the current terminal only and is lost after a restart
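Reading echo $PATH by eye misses the cases that matter: an empty element (which the shell treats as the current directory), a relative directory, and a world-writable directory placed before the system ones so that a planted binary shadows the real command. The checker below is an added example, not code from the original post. Its filesystem lookups are injected so it can run against the constructed FAKE_FS (made-up directories and modes) as well as the real system.

```python
"""Audit a PATH value for entries that let someone plant a look-alike binary.

Added example, not from the original post. The directories and permission bits
in FAKE_FS are constructed so the check runs offline.
"""
import os
import stat

SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")

# Constructed filesystem: directory -> permission bits. Anything not listed "does not exist".
FAKE_FS = {
    "/usr/local/bin": 0o755,
    "/usr/bin": 0o755,
    "/bin": 0o755,
    "/tmp/.bin": 0o777,
}


def check_path(path_value, isdir=os.path.isdir, mode_of=lambda p: os.stat(p).st_mode):
    """Return (entry, issue) pairs for a PATH string. Issues:
    empty                 empty element; the shell searches the current directory
    relative              relative directory, resolved wherever the user happens to be
    missing               directory does not exist (harmless now, usable once created)
    world-writable        anyone can drop a binary there
    precedes-system-dirs  a world-writable directory is searched before the system
                          directories, so a planted binary shadows the real command
    """
    findings = []
    entries = path_value.split(":")
    first_writable = first_system = None
    for i, entry in enumerate(entries):
        if entry == "":
            findings.append((entry, "empty"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative"))
        elif not isdir(entry):
            findings.append((entry, "missing"))
        else:
            if mode_of(entry) & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
                if first_writable is None:
                    first_writable = i
            if entry in SYSTEM_DIRS and first_system is None:
                first_system = i
    if first_writable is not None and first_system is not None and first_writable < first_system:
        findings.append((entries[first_writable], "precedes-system-dirs"))
    return findings


def check_fake(path_value):
    """Run check_path against the constructed FAKE_FS instead of the real disk."""
    return check_path(path_value, isdir=lambda p: p in FAKE_FS, mode_of=FAKE_FS.__getitem__)


if __name__ == "__main__":
    print("constructed:", check_fake("/tmp/.bin::/usr/local/bin:/usr/bin:/bin:./tools:/opt/missing"))
    # Real system: the PATH of the shell that launched this script
    for entry, issue in check_path(os.environ.get("PATH", "")):
        print(f"{issue:22} {entry!r}")
```

Remember that the script only sees the PATH it inherited; to audit the value a compromised account gets, check that user's shell startup files (.bashrc, .profile) and /etc/profile as well, since that is where a persistent change would live rather than in the one-off export shown above.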

Windows system log analysis

  1. Start --> Administrative Tools --> Event Viewer
  2. Win+R opens Run; enter "eventvwr.msc" and press Enter to open Event Viewer
  • Windows system log filtering

Event Viewer provides a filter function to make the logs easier to review. (Different log types have different numbers, and each operation has its own event ID)
4624: logon successful; 4625: logon failed; 4634: logoff successful; 4647: user-initiated logoff; 4672: logon with special (administrator) privileges

  • When mstsc is used to log in to a host remotely with an administrator account, a successful login generates events with IDs 4776, 4648, 4672 and 4624
  • During intrusion and privilege escalation the following two commands are often used
  • net user USER PASSWORD /add
  • net localgroup administrators USER /add
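Filtering in Event Viewer shows one ID at a time; the questions an incident handler actually asks combine them: which sources produced a burst of 4625 failures, which of those bursts ended in a 4624 from the same source, and which accounts show the 4776/4648/4672/4624 set that the post gives for an administrator logging in over mstsc. The block below is an added example, not code from the original post, and answers those three questions over a list of (timestamp, event ID, account, source) tuples. SAMPLE_EVENTS is constructed (203.0.113.45 is a documentation address); on a real host the same tuples can be exported from Event Viewer or Get-WinEvent.

```python
"""Triage Windows Security log events by the IDs listed above.

Added example, not from the original post. SAMPLE_EVENTS is constructed data, and
the EVENT_NAMES descriptions are short paraphrases of the event titles.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_NAMES = {
    4624: "Logon successful",
    4625: "Logon failed",
    4634: "Logoff successful",
    4647: "User-initiated logoff",
    4648: "Logon attempted using explicit credentials",
    4672: "Special privileges assigned to new logon",
    4776: "Credential validation attempted",
}

# (timestamp, event ID, account, source address); constructed, not real log data.
SAMPLE_EVENTS = [
    ("2021-03-20 08:00:00", 4625, "bob", "10.0.0.9"),
    *[(f"2021-03-20 09:00:0{i}", 4625, "Administrator", "203.0.113.45") for i in range(6)],
    ("2021-03-20 09:00:09", 4776, "Administrator", "203.0.113.45"),
    ("2021-03-20 09:00:09", 4648, "Administrator", "203.0.113.45"),
    ("2021-03-20 09:00:10", 4672, "Administrator", "203.0.113.45"),
    ("2021-03-20 09:00:10", 4624, "Administrator", "203.0.113.45"),
    ("2021-03-20 10:15:00", 4624, "alice", "10.0.0.8"),
    ("2021-03-20 10:30:00", 4634, "alice", "10.0.0.8"),
]

RDP_ADMIN_CHAIN = (4776, 4648, 4672, 4624)


def parse(events):
    """Convert timestamps and sort chronologically (stable sort keeps same-second order)."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src) for ts, eid, acct, src in events]
    return sorted(parsed, key=lambda e: e[0])


def failed_logon_sources(events, threshold=5):
    """Source addresses with at least `threshold` 4625 events: password guessing."""
    counts = defaultdict(int)
    for _ts, eid, _acct, src in events:
        if eid == 4625:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """(account, source) pairs where a run of failures is followed by a 4624 within
    window: the guess that worked."""
    failures = defaultdict(list)
    hits = []
    for ts, eid, acct, src in parse(events):
        key = (acct, src)
        if eid == 4625:
            failures[key].append(ts)
        elif eid == 4624:
            if sum(1 for t in failures[key] if ts - t <= window) >= threshold:
                hits.append(key)
            failures[key].clear()
    return hits


def admin_remote_logons(events, window=timedelta(seconds=30)):
    """(account, source) pairs whose events contain all of 4776, 4648, 4672 and 4624
    within window: the set the post lists for a successful mstsc logon by an administrator."""
    by_key = defaultdict(list)
    for ts, eid, acct, src in parse(events):
        by_key[(acct, src)].append((ts, eid))
    hits = set()
    for key, evs in by_key.items():
        for i, (ts, eid) in enumerate(evs):
            if eid != RDP_ADMIN_CHAIN[0]:
                continue
            seen = {e for t, e in evs[i:] if t - ts <= window}
            if set(RDP_ADMIN_CHAIN) <= seen:
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    print("noisy sources:", failed_logon_sources(SAMPLE_EVENTS))
    print("brute force then success:", brute_force_then_success(SAMPLE_EVENTS))
    for acct, src in admin_remote_logons(SAMPLE_EVENTS):
        print(f"administrative remote logon: {acct} from {src}")
```

A source that appears in brute_force_then_success is the one whose later activity (the net user / net localgroup commands above, new scheduled tasks, files in %temp%) should be reconstructed first.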

Origin blog.csdn.net/CyhDl666/article/details/115162321