Windows Security Emergency Response (Part 1)

Intrusion investigation approach

Checking account security

1. Check whether the server has weak passwords and whether remote management ports are exposed to the public internet.

2. Check whether suspicious or newly created accounts exist on the server.

3. Check whether the server has hidden accounts or cloned accounts.
Inspection methods:
i. Open the registry and inspect the keys under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\, comparing them with the accounts shown in the normal user list.
ii. Use the D Shield (D盾_Web查杀) tool.

4. Check the logs for administrator logon times and user names and look for anomalies.
Inspection methods:
i. Press Win + R to open Run, enter eventvwr.msc, and open Event Viewer.
ii. Export the Windows Security log and analyze it with Log Parser.
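The account and logon review above, as an added PowerShell example that is not part of the original post. It lists local accounts (including ones hidden from `net user`) and summarises the Security-log events that matter for this check; `$Days` is the example's own parameter and the event IDs used are the standard Windows ones.

```powershell
# Added example (not code from the original post). Summarises local accounts and
# the last $Days days of the Security log so that hidden or unknown accounts,
# account changes and remote logons stand out. Assumes an elevated PowerShell
# session (reading the Security log needs admin rights) and Windows 10 /
# Server 2016+ for Get-LocalUser; on older systems use 'net user' for that part.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

'== Local accounts (a name ending in "$" is hidden from "net user") =='
Get-LocalUser | Sort-Object LastLogon -Descending |
    Format-Table Name, Enabled, LastLogon, PasswordLastSet,
        @{ n = 'Hidden'; e = { $_.Name.EndsWith('$') } } -AutoSize

# Well-known Security event IDs: 4720 account created, 4726 account deleted,
# 4732 member added to a local group, 4624 successful logon, 4625 failed logon.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4726, 4732, 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue

# Read the named fields from each event's XML instead of parsing message text.
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    [pscustomobject]@{
        Time = $e.TimeCreated; Id = $e.Id
        Target = $d['TargetUserName']; Actor = $d['SubjectUserName']
        LogonType = $d['LogonType']; Source = $d['IpAddress']
    }
}

'== Account management: who created, deleted or elevated which account =='
$rows | Where-Object { $_.Id -in 4720, 4726, 4732 } |
    Format-Table Time, Id, Target, Actor -AutoSize

'== Interactive (type 2) and RDP (type 10) logons per account and source =='
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '2', '10' } |
    Group-Object Target, Source, LogonType | ForEach-Object {
        $g = $_.Group | Sort-Object Time -Descending
        [pscustomobject]@{
            Account = $g[0].Target; Source = $g[0].Source; LogonType = $g[0].LogonType
            Logons = $_.Count; Last = $g[0].Time
            # Logons outside 08:00-20:00 deserve a second look.
            OffHours = @($g | Where-Object { $_.Time.Hour -lt 8 -or $_.Time.Hour -ge 20 }).Count
        }
    } | Sort-Object Last -Descending | Format-Table -AutoSize

'== Failed logons per source address (password guessing shows up here) =='
$rows | Where-Object { $_.Id -eq 4625 } | Group-Object Source |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Any account in the first table that nobody recognises, or any 4720 event whose Actor is not an administrator you know, is the lead to follow with the registry check above.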

Abnormal ports and processes

1. Check port connections for remote or suspicious connections.
Inspection methods:
i. Run netstat -ano to view the current network connections and locate suspicious ESTABLISHED connections.
ii. Take the PID from the netstat output and locate the process with tasklist: tasklist | findstr "PID"

2. Check the processes.
Inspection methods:
i. Press Win + R, enter msinfo32, then open Software Environment → Running Tasks to view detailed process information such as the process path, process ID, file creation date and start time.
ii. Open the process viewer in D Shield (D盾_Web查杀) and pay attention to processes without signature information.
iii. Use Microsoft's official investigation tools such as Process Explorer.
iv. Examine suspicious processes and their child processes, looking for: processes without signature verification information, processes without a description, the process owner, whether the process path is legitimate, and processes that keep CPU or memory usage high for a long time.

3. Tips
i. Find the PID for a port: netstat -ano | findstr "port"
ii. Find the process for a PID: Task Manager → View → Select Columns → PID, or tasklist | findstr "process name"
iii. Find the program location of a process: Task Manager → select the process → right-click → Open file location; or press Win + R, enter wmic, and in the console enter process, which lists each process with its executable path.
iv. tasklist /svc
v. View the services corresponding to ports in Windows: %SystemRoot%\system32\drivers\etc\services (usually %SystemRoot% is C:\Windows)
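The netstat → PID → tasklist → file location chain from this section in one pass, as an added PowerShell example that is not part of the original post. It also shows the services hosted by each PID (the `tasklist /svc` tip) and the executable's signature status, which is the "no signature information" indicator the text mentions.

```powershell
# Added example (not code from the original post). Joins every established TCP
# connection to its owning process, the services that process hosts (as in
# tasklist /svc), the executable path and its Authenticode signature status.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated
# session; otherwise Path is empty for processes owned by other users.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }

$report = foreach ($c in $conns) {
    $p    = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($p) { $p.Path } else { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    # Services hosted by this PID (matters for svchost.exe, which hosts many).
    $svc  = (Get-CimInstance Win32_Service -Filter "ProcessId=$($c.OwningProcess)").Name -join ','
    [pscustomobject]@{
        Local     = "$($c.LocalAddress):$($c.LocalPort)"
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        PID       = $c.OwningProcess
        Process   = if ($p) { $p.ProcessName } else { '?' }
        Services  = $svc
        Started   = try { $p.StartTime } catch { $null }   # access denied for some system processes
        Signature = $sig
        Path      = $path
        # Unsigned or invalid binaries, or ones outside Windows and Program Files,
        # go to the top of the list for manual review.
        Review    = ($sig -ne 'Valid') -or
                    ($path -and $path -notlike "$env:SystemRoot\*" -and
                     $path -notlike "$env:ProgramFiles\*" -and
                     $path -notlike "${env:ProgramFiles(x86)}\*")
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```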

Check the startup items, scheduled tasks, services

1. Check the server for unusual startup items

Inspection methods:
i. Log in to the server and click [Start] > [All Programs] > [Startup]. By default this directory is empty; check whether it contains any non-business programs.
ii. Click [Start] > [Run], type msconfig, and check for startup items with unusual names. Uncheck any unusual item and use the command path it shows to locate and delete the file.
iii. Click [Start] > [Run], type regedit, and open the registry to check whether the startup items are normal, paying particular attention to the following three registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Check the entries in the right-hand pane for anomalies; delete any you find, and install anti-virus software to scan for and remove residual viruses or Trojans.
iv. Use security software to view startup items, manage startup timing, etc.
v. Check group policy: run gpedit.msc.

2. Check the scheduled tasks

Inspection methods:
i. Click [Start] > [Settings] > [Control Panel] > [Task Scheduler] and view the properties of the scheduled tasks; the path to a Trojan file can be found there.
ii. Click [Start] > [Run], type cmd, and then enter at to check for scheduled tasks or sessions between this computer and other computers on the network; if there are any, confirm whether the connection is legitimate.

3. Service auto-start

Inspection methods:
Click [Start] > [Run], type services.msc, pay attention to the service status and startup type, and check for abnormal services.
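The three persistence checks above (Run/RunOnce keys, scheduled tasks, auto-start services) as one added PowerShell example that is not part of the original post. `Test-Binary` is this example's own helper; it resolves the executable behind each entry and flags the unsigned ones and the ones living outside Windows or Program Files.

```powershell
# Added example (not code from the original post). Enumerates the Run/RunOnce
# registry keys, scheduled tasks (with the command each one runs) and auto-start
# services, and flags executables that are unsigned or live outside
# Windows / Program Files. Assumes Windows 8 / Server 2012+ (Get-ScheduledTask)
# and an elevated session. Test-Binary is this example's own helper name.
function Test-Binary([string]$cmd) {
    if (-not $cmd) { return 'n/a' }
    # Recover the executable from a command line: quoted path, or first token
    # (unquoted paths containing spaces get truncated; review those by hand).
    $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($app) { $exe = $app.Path } else { return "MISSING $exe" }
    }
    $status = (Get-AuthenticodeSignature -FilePath $exe).Status
    $known  = ($exe -like "$env:SystemRoot\*") -or ($exe -like "$env:ProgramFiles\*")
    if ($status -eq 'Valid' -and $known) { 'ok' } else { "REVIEW ($status) $exe" }
}

'== Run / RunOnce registry entries =='
$runKeys = 'HKCU:', 'HKLM:' | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run", "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce" }
$runEntries = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k   # PS* properties are provider metadata, not values
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        [pscustomobject]@{ Key = $k; Name = $name; Command = $props.$name; Check = Test-Binary $props.$name }
    }
}
$runEntries | Format-Table -AutoSize

'== Scheduled tasks outside the \Microsoft\ folder, with their actions =='
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; State = $_.State
                               Command = "$($a.Execute) $($a.Arguments)"; Check = Test-Binary $a.Execute }
        }
    }
} | Format-Table -AutoSize

'== Auto-start services =='
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    [pscustomobject]@{ Service = $_.Name; State = $_.State; Path = $_.PathName; Check = Test-Binary $_.PathName }
} | Format-Table -AutoSize
```

A MISSING result is also worth a look: a startup entry whose file has already been deleted is a common leftover from a partially cleaned infection.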

Check the system-related information

1. Check the system version and patch information

Open cmd and run systeminfo.

2. Look for suspicious directories and files

Inspection methods:
i. View the user directory. A new account generates a directory under the user directory, so check whether there are new user directories.
Windows 2003: C:\Documents and Settings
Windows 2008 R2: C:\Users\
ii. Click [Start] > [Run], type %UserProfile%\Recent, and analyze the recently opened files for suspicious ones.
iii. In each directory on the server, sort the file list by time and look for suspicious files.
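The user-directory and recently-modified-file checks above, as an added PowerShell example that is not part of the original post. It cross-checks the profile directories under C:\Users against the registered profiles and local accounts (a deleted intruder account leaves its profile directory behind) and then does the sort-by-time search recursively; `$Roots` and `$Days` are the example's own parameters.

```powershell
# Added example (not code from the original post). Lists profile directories
# that have no matching local account or ProfileList entry, then the most
# recently modified files under the given roots. Assumes Windows Vista /
# Server 2008+ (C:\Users layout) and an elevated session.
param([string[]]$Roots = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32"),
      [int]$Days = 7)

'== Profile directories vs. registered profiles and local accounts =='
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$registered = Get-ChildItem $profileKey |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath } | Where-Object { $_ }
$accounts = (Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True').Name
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
    [pscustomobject]@{
        Profile       = $_.FullName
        Modified      = $_.LastWriteTime
        InProfileList = $registered -contains $_.FullName   # false: orphaned directory
        LocalAccount  = $accounts -contains $_.Name          # false: account gone or a domain user
    }
} | Format-Table -AutoSize

"== Files modified in the last $Days days under $($Roots -join ', ') =="
$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 50 LastWriteTime, CreationTime, Length, FullName |
    Format-Table -AutoSize
```

Run the second part against the web root as well, since that is where a dropped WebShell lands.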

Automated scanning

Virus scanning

Inspection method: download security software, update it to the latest virus database, and run a full scan.

WebShell scanning

Inspection method: run a WebShell scan against the specific site path. Using two scanning tools at the same time is recommended, since they make up for gaps in each other's rule bases.

Log Analysis

System Log

Analysis:
i. Prerequisite: the audit policy must be turned on. If the system fails or a security incident occurs later, you can then review the system log files to troubleshoot and trace information about the intruder.
ii. Press Win + R to open Run, enter "eventvwr.msc", press Enter, and open Event Viewer.
iii. Export the Application, Security and System logs and analyze them with Log Parser.

Web access log

Analysis:
i. Find the web middleware logs and package them for convenient local analysis.
ii. Recommended tools: on Windows, EmEditor is recommended for log analysis; it supports large text files and its search performance is good. On Linux, use a combination of shell commands.


Source: www.cnblogs.com/FyJianc/p/11490277.html