Basic checkpoints
Detect unusual accounts
Look for newly created accounts, and in particular for new members of the local Administrators group.
C:\>lusrmgr.msc
C:\>net localgroup administrators
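The same check scripted for a PowerShell triage session, as an added example that is not part of the original checklist: it lists the Administrators group, sorts local accounts newest-first, and pulls the account-creation (4720) and local-group-change (4732) events from the Security log. It assumes Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets), an elevated session, and that the Security log still covers the look-back window; the function name and the 7-day window are the example's own choices.

```powershell
# Added example (not part of the original checklist). Run from an elevated
# PowerShell 5.1+ session on Windows 10 / Server 2016 or later.
function Get-AccountTriage {
    param([int]$Days = 7)   # look-back window (assumption: the Security log still covers it)

    Write-Host '== Members of the local Administrators group =='
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize | Out-Host

    Write-Host '== Local accounts, newest first (by RID) =='
    # Get-LocalUser exposes no creation time, but RIDs are issued sequentially,
    # so a higher RID (last component of the SID) means a more recently created account.
    Get-LocalUser |
        Select-Object Name, Enabled, LastLogon,
            @{ Name = 'RID'; Expression = { [int](($_.SID.Value -split '-')[-1]) } } |
        Sort-Object RID -Descending | Format-Table -AutoSize | Out-Host

    Write-Host "== Account creations (4720) and local group changes (4732) in the last $Days days =="
    $since  = (Get-Date).AddDays(-$Days)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }
    $rows = foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4720: TargetUserName is the new account.
        # 4732: TargetUserName is the group, MemberSid the account that was added.
        if ($e.Id -eq 4720) {
            $account = $data['TargetUserName']; $group = ''
        } else {
            $account = $data['MemberSid']; $group = $data['TargetUserName']
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $account
            Group   = $group
            Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
    $rows | Format-Table -AutoSize | Out-Host
}

Get-AccountTriage -Days 7
```

Pay attention to the Actor column: a new administrator created by a service account or by an account that should not have that right is a stronger signal than the new account itself.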
Look for hidden files
Look for recently created files in system folders such as C:\Windows\system32, including hidden ones:
C:\>dir /S /A:H
Check the registry startup items
Check whether the Windows registry startup (autorun) entries are legitimate, especially under these keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Check for unusual services
Review all running services and system services for unknown or disguised services, and look at the path of each service's executable.
Check the Startup folder of each account
For example, on Windows Server 2008:
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
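The four persistence checks above (hidden files under System32, the Run keys, service executables, and the Startup folders) collected into one report, as an added example that is not part of the original checklist. Each referenced executable is classified by its Authenticode signer, so unsigned, third-party and missing images sort to the top. The function and helper names, the 7-day window for hidden files, and the extra WOW6432Node and HKCU Run keys are the example's own additions; it assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later, where Get-AuthenticodeSignature also recognises catalog-signed system files.

```powershell
# Added example (not part of the original checklist). Run elevated, PowerShell 5.1+.

function Get-ExecutableFromCommand {
    # Reduce a command line such as  "C:\Program Files\x\a.exe" /arg  to its image path.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) } else { return $cl.Trim('"') }
    }
    # Unquoted path, possibly containing spaces: stop at the first known extension
    $m = [regex]::Match($cl, '^(.+?\.(exe|dll|sys|bat|cmd|vbs|js|ps1|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-SignerClass {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return 'UNSIGNED/INVALID' }
    if ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') { return 'Microsoft' }
    return 'ThirdParty'
}

function Get-PersistenceTriage {
    param([int]$Days = 7)   # window for the hidden-file check (example's own choice)
    $out = New-Object System.Collections.Generic.List[object]

    # 1. Registry autorun keys: the three from the checklist plus the 32-bit view and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
        foreach ($p in $props) {
            $exe = Get-ExecutableFromCommand ([string]$p.Value)
            $out.Add([pscustomobject]@{ Source = 'Registry'; Name = "$key\$($p.Name)"; Path = $exe; Signer = Get-SignerClass $exe })
        }
    }

    # 2. Every service, running or not, with the image its PathName points at
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ExecutableFromCommand $svc.PathName
        $out.Add([pscustomobject]@{ Source = 'Service'; Name = "$($svc.Name) [$($svc.State)]"; Path = $exe; Signer = Get-SignerClass $exe })
    }

    # 3. Startup folders: the all-users folder plus every profile under \Users
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $startupDirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
            $out.Add([pscustomobject]@{ Source = 'StartupFolder'; Name = $f.FullName; Path = $f.FullName; Signer = Get-SignerClass $f.FullName })
        }
    }

    # 4. Hidden files created under System32 in the window (dir /S /A:H, filtered by creation date)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path "$env:SystemRoot\System32" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and $_.CreationTime -gt $since } |
        ForEach-Object {
            $out.Add([pscustomobject]@{ Source = 'HiddenFile'; Name = $_.FullName; Path = $_.FullName; Signer = Get-SignerClass $_.FullName })
        }

    # Non-Microsoft, unsigned and missing images sort before Microsoft-signed ones
    $out | Sort-Object @{ Expression = { $_.Signer -eq 'Microsoft' } }, Source, Name
}

Get-PersistenceTriage -Days 7 | Format-Table -AutoSize
```

A Signer of MISSING for a service deserves a second look: the binary may have been deleted to hide it, or the path may contain an unquoted space that resolves to something else at boot.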
View connected sessions
C:\>net use
Sessions between this computer and other computers on the network:
C:\>net session
Check NetBIOS connections
C:\>nbtstat -S
Check whether the system has unexpected network connections
C:\>netstat -nao 5
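The same picture that net use, net session and netstat -nao give, produced as one PowerShell report; this is an added example and not part of the original checklist. Each established or listening TCP connection is joined to its owning process and that image's Authenticode signer, and the inbound and outbound SMB sessions are listed beside it. It assumes Windows 8 / Server 2012 or later (NetTCPIP and SmbShare modules) and an elevated session so that every process's image path is readable; the function names are the example's own.

```powershell
# Added example (not part of the original checklist). Windows 8 / Server 2012+, run elevated.

function Get-ConnectionTriage {
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[$p.Id] = $p }
    $sigCache = @{}   # image path -> signer class, so each image is verified once

    Get-NetTCPConnection |
        Where-Object { $_.State -eq 'Established' -or $_.State -eq 'Listen' } |
        ForEach-Object {
            $proc = $byPid[[int]$_.OwningProcess]
            $path = if ($proc) { $proc.Path } else { $null }
            $signer = 'n/a'   # PID 4 (System), an exited process, or one we cannot open
            if ($path) {
                if (-not $sigCache.ContainsKey($path)) {
                    $s = Get-AuthenticodeSignature -LiteralPath $path
                    $class = 'ThirdParty'
                    if ($s.Status -ne 'Valid') { $class = 'UNSIGNED/INVALID' } elseif ($s.SignerCertificate.Subject -match 'O=Microsoft Corporation') { $class = 'Microsoft' }
                    $sigCache[$path] = $class
                }
                $signer = $sigCache[$path]
            }
            [pscustomobject]@{
                State   = $_.State
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '?' }
                Signer  = $signer
                Path    = $path
            }
        } |
        # Unsigned / third-party images with established remote connections first
        Sort-Object @{ Expression = { $_.Signer -eq 'Microsoft' } }, @{ Expression = { $_.State -eq 'Listen' } }, Remote
}

function Get-SessionTriage {
    Write-Host '== Inbound SMB sessions (net session) =='
    Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle | Format-Table -AutoSize | Out-Host
    Write-Host '== Outbound SMB connections (net use) =='
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, UserName, NumOpens | Format-Table -AutoSize | Out-Host
}

Get-SessionTriage
Get-ConnectionTriage | Format-Table -AutoSize
```

Run the report twice a few minutes apart, as the checklist's netstat -nao 5 does: a connection that is re-established on a fixed interval, from a non-Microsoft image, to an address the host has no business talking to is the typical beaconing pattern.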
Check scheduled tasks
Check the list of scheduled tasks for unknown tasks
C:\>at
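The at command above only shows tasks created by at itself; the example below, added here and not part of the original checklist, enumerates every scheduled task's actions with its author, last run time and the Authenticode signer of the executable it launches, hiding the Microsoft tasks that run Microsoft-signed images so that unknown ones stand out. It assumes Windows 8 / Server 2012 or later (ScheduledTasks module); the function names and the filtering rule are the example's own.

```powershell
# Added example (not part of the original checklist). Windows 8 / Server 2012+.

function Resolve-TaskExecutable {
    # Task actions may reference "%windir%\foo.exe", a bare "cmd.exe" or a quoted path.
    param([string]$Execute)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute).Trim().Trim('"')
    if ([IO.Path]::IsPathRooted($exe)) { return $exe }
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Source) { return $cmd.Source }
    return $exe
}

function Get-ScheduledTaskTriage {
    param([switch]$IncludeMicrosoft)   # show Microsoft tasks with Microsoft-signed images too
    foreach ($task in Get-ScheduledTask) {
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute path
            $exe = Resolve-TaskExecutable $a.Execute
            $signer = 'MISSING'
            if (Test-Path -LiteralPath $exe) {
                $s = Get-AuthenticodeSignature -LiteralPath $exe
                $signer = 'ThirdParty'
                if ($s.Status -ne 'Valid') { $signer = 'UNSIGNED/INVALID' } elseif ($s.SignerCertificate.Subject -match 'O=Microsoft Corporation') { $signer = 'Microsoft' }
            }
            # A task under \Microsoft\ that runs a Microsoft-signed image is the normal case
            $isMsTask = ($task.TaskPath -like '\Microsoft\*') -and ($signer -eq 'Microsoft')
            if ($isMsTask -and -not $IncludeMicrosoft) { continue }
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Author  = $task.Author
                LastRun = $info.LastRunTime
                Signer  = $signer
                Exe     = $exe
                Args    = $a.Arguments
            }
        }
    }
}

Get-ScheduledTaskTriage | Sort-Object Signer, Task | Format-Table -AutoSize
```

Tasks in the root folder (TaskPath "\") or under \Microsoft\ whose image is not Microsoft-signed are the ones to explain first; also look at Args, since a legitimate interpreter such as cmd.exe or powershell.exe can be the Exe while the payload lives in the arguments.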
Check the Windows logs for anomalies
Check the firewall, antivirus and Windows event logs for any suspicious records.
Look for large numbers of failed logon attempts or locked-out accounts.
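The failed-logon and lockout check scripted against the Security log, as an added example that is not part of the original checklist: failed logons (event 4625) are grouped by source address and account and reported when they cross a threshold, and account lockouts (event 4740) are listed with the computer that caused them. It assumes an elevated session with logon auditing enabled; the function names, the 24-hour window, the threshold of 10 and the short sub-status table are the example's own.

```powershell
# Added example (not part of the original checklist). Run elevated; logon auditing must be on.

# Common 4625 sub-status codes (the list is not exhaustive)
$SubStatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'account does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside logon hours'
    '0xc0000071' = 'password expired'
}

function Get-EventDataMap {
    # Pull the named EventData fields out of an event's XML
    param($Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-LogonFailureSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $failures = New-Object System.Collections.Generic.List[object]
    $lockouts = New-Object System.Collections.Generic.List[object]
    foreach ($e in $events) {
        $d = Get-EventDataMap $e
        if ($e.Id -eq 4625) {
            $sub = ([string]$d['SubStatus']).ToLower()
            $reason = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { $sub }
            $failures.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = $d['IpAddress']; Account = $d['TargetUserName']
                LogonType = $d['LogonType']; Reason = $reason
            })
        } else {
            # 4740: TargetUserName is the locked account, TargetDomainName the caller computer
            $lockouts.Add([pscustomobject]@{ Time = $e.TimeCreated; Account = $d['TargetUserName']; CallerComputer = $d['TargetDomainName'] })
        }
    }

    Write-Host "== Source/account pairs with at least $Threshold failed logons in the last $Hours h =="
    $failures | Group-Object Source, Account |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Source     = $_.Group[0].Source
                Account    = $_.Group[0].Account
                Failures   = $_.Count
                First      = $ordered[0].Time
                Last       = $ordered[-1].Time
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                Reasons    = ($_.Group.Reason | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Failures -Descending | Format-Table -AutoSize | Out-Host

    Write-Host "== Account lockouts (4740) in the last $Hours h =="
    $lockouts | Format-Table -AutoSize | Out-Host
}

Get-LogonFailureSummary -Hours 24 -Threshold 10
```

Many failures from one source across many accounts with reason "account does not exist" is a username-guessing sweep; many failures against one existing account with "wrong password" and logon type 3 or 10 is a password-guessing attempt over the network or RDP.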
Export the web server access logs and analyse them to determine whether they are complete and whether they contain traces of an attack.
Check whether the web root (www directory) contains webshell Trojans, focusing on upload directories and similar locations.
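Two scripted versions of the web checks above, added here and not part of the original checklist. Find-ScriptsInUploadDirs walks a web root for server-side script files inside directories that should only hold uploaded data, including double-extension names such as shell.asp;.jpg that the file extension alone would miss; Find-SuspiciousWebRequests parses IIS W3C log lines and reports requests that executed a script under such a directory. The function names, the directory-name list, the web root and log paths in the comments, and the sample log lines are all constructed for the example.

```powershell
# Added example (not part of the original checklist).

$ScriptExtensions = '.asp', '.aspx', '.ashx', '.asmx', '.asa', '.cer', '.cdx', '.php', '.jsp', '.jspx'
$UploadDirNames   = 'upload', 'uploads', 'files', 'attachments', 'images', 'userfiles'   # constructed list

function Find-ScriptsInUploadDirs {
    param([Parameter(Mandatory)][string]$WebRoot)
    Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $UploadDirNames -contains $_.Name.ToLower() } |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue } |
        Where-Object {
            ($ScriptExtensions -contains $_.Extension.ToLower()) -or
            ($_.Name -match '\.(asp|aspx|ashx|php|jsp)(;|\.)')   # shell.asp;.jpg, shell.php.jpg
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Find-SuspiciousWebRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = @()
    $dirPattern = '/(' + ($UploadDirNames -join '|') + ')/'
    foreach ($line in $LogLines) {
        # The #Fields: header defines the column order for the lines that follow it
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        $stem = [string]$rec['cs-uri-stem']
        if ($stem -match $dirPattern -and $stem -match '\.(asp|aspx|ashx|asmx|php|jsp|jspx)(;|$)') {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Method = $rec['cs-method']
                Uri    = $stem
                Status = $rec['sc-status']
            }
        }
    }
}

# Constructed IIS log excerpt (not real traffic): a page view, the site's own
# upload handler, a script executed from inside the upload directory, and an
# ordinary image download. Only the third line should be reported.
$SampleLog = @(
    '#Software: Microsoft Internet Information Services 7.5',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken',
    '2024-01-15 10:02:11 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15',
    '2024-01-15 10:03:40 10.0.0.5 POST /upload.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 120',
    '2024-01-15 10:03:52 10.0.0.5 POST /uploads/2024/img.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 40',
    '2024-01-15 10:04:01 10.0.0.5 GET /uploads/2024/photo.jpg - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 3'
)

Find-SuspiciousWebRequests -LogLines $SampleLog | Format-Table -AutoSize
# Against a live IIS host (default IIS paths, adjust to the site):
# Find-ScriptsInUploadDirs -WebRoot 'C:\inetpub\wwwroot'
# Find-SuspiciousWebRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240115.log')
```

A script file that the directory scan reports and that the log scan shows being requested, with a 200 status and from an address that uploaded something shortly before, is the trace of an attack the checklist asks for; on the server side, an upload directory should have script execution disabled in the IIS handler mappings so that such a file cannot run at all.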
3. Check for Trojans and backdoors
Advanced inspection for Trojans and backdoors should check these items in turn: startup items, processes, modules, kernel and system service functions, and network connections. For deeper inspection of hidden Trojans and backdoors you can use PCHunter.
Open the Process tab; I start the investigation with processes. Select any process, right-click and choose "Verify all digital signatures"; PCHunter then displays the different types of process in different colours:
Process with a Microsoft digital signature: black
Process with a non-Microsoft digital signature: blue
Microsoft-signed process that has loaded non-Microsoft modules: khaki
Module with no signature: pink
Suspicious process, hidden service or hooked function: red
Processes and drivers without a Microsoft digital signature are the focus of the investigation, in particular unsigned ones, hidden services and processes, and hooked driver functions.
If a driver file looks suspicious, you can right-click it in PCHunter and upload it to VirSCAN for online analysis.
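PCHunter's signature colouring reproduced with built-in tooling, as an added example that is not part of the original checklist or of PCHunter: every running process and every running kernel driver is classified as Microsoft-signed (black), third-party signed (blue) or unsigned (pink), and a Microsoft-signed process is flagged when it has loaded modules that are not Microsoft-signed (khaki). PCHunter's red class (hidden processes, hidden services, hooked kernel functions) depends on its kernel driver and cannot be reproduced from user mode, so PCHunter remains the tool for that step. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-AuthenticodeSignature also recognises catalog-signed system files; the function names are the example's own.

```powershell
# Added example (not part of the original checklist). Run elevated, Windows 8 / Server 2012+.

$SignatureCache = @{}   # path -> class, so each image or module is verified once

function Get-SignatureClass {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'NoPath' }
    if ($SignatureCache.ContainsKey($Path)) { return $SignatureCache[$Path] }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $class = 'ThirdParty'                                                                 # PCHunter: blue
    if ($sig.Status -ne 'Valid') { $class = 'Unsigned' } elseif ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') { $class = 'Microsoft' }   # pink / black
    $SignatureCache[$Path] = $class
    return $class
}

function Get-ProcessSignatureReport {
    foreach ($p in Get-Process) {
        $path  = $p.Path      # $null for System and for processes we cannot open
        $class = Get-SignatureClass $path
        $foreign = @()
        if ($class -eq 'Microsoft') {
            # A Microsoft process carrying non-Microsoft modules is PCHunter's khaki case
            try { $modules = $p.Modules } catch { $modules = @() }
            foreach ($m in $modules) {
                if ((Get-SignatureClass $m.FileName) -ne 'Microsoft') { $foreign += $m.ModuleName }
            }
            if ($foreign.Count -gt 0) { $class = 'Microsoft+ForeignModules' }
        }
        [pscustomobject]@{
            Pid            = $p.Id
            Name           = $p.ProcessName
            Class          = $class
            ForeignModules = ($foreign | Select-Object -First 5) -join ', '
            Path           = $path
        }
    }
}

function Get-DriverSignatureReport {
    foreach ($d in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
        # Normalise the kernel-style paths WMI may return (\??\C:\..., \SystemRoot\..., system32\...)
        $path = [Environment]::ExpandEnvironmentVariables([string]$d.PathName)
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
        [pscustomobject]@{ Driver = $d.Name; State = $d.State; Class = Get-SignatureClass $path; Path = $path }
    }
}

$notMicrosoft = @{ Expression = { $_.Class -eq 'Microsoft' } }   # $false sorts first
Write-Host '== Processes (unsigned, third-party and khaki first) =='
Get-ProcessSignatureReport | Sort-Object $notMicrosoft, Name | Format-Table -AutoSize | Out-Host
Write-Host '== Running drivers (non-Microsoft first) =='
Get-DriverSignatureReport  | Sort-Object $notMicrosoft, Driver | Format-Table -AutoSize | Out-Host
```

Treat a NoPath process or driver as unresolved rather than clean: it is usually an access problem from a non-elevated session, but it is also what a file that has been deleted from disk after loading looks like. A driver classified Unsigned on a system with driver signature enforcement is worth a hash lookup (the VirSCAN upload the checklist mentions) before anything else.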