2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Here's how it started.

Q: Are you there? The Windows server's CPU utilization has been at 100%.
A: I'm here.
Q: Can you take a look?
A: Sure.
Q: It seems to be a mining virus; it gets killed and is then regenerated automatically.
A: Let me take a look remotely.
Q: The TeamViewer ID and password have been sent.

To reiterate why I use TeamViewer rather than QQ: in the same network environment, QQ remote control lags badly, while TeamViewer is much smoother!

First, a few pictures of the infection:
Starting on the problem: the desktop already had XX antivirus software, but testing and scanning unexpectedly found no virus, and the startup items showed nothing abnormal. Friends, the virus is already immune to XX antivirus software. Don't be stunned, this is perfectly normal.

Now for the actual fix:

1. Download 360 Security Guard. It must be the offline installation package; copy it to the server.
2. After installation, run a full checkup in 360 immediately.
3. Run the scan-and-kill.
4. Under optimization and acceleration, optimize the startup items: disable useless startup items and anything you suspect is a virus. (Of course, if it is a virus you will be prompted. But some viruses rely on your own programs to start at boot, so during disinfection it is best to disable every application that is not a system startup item!)
5. Run the system repair in Security Guard.
6. From the function list, install: anti-hacking hardening and the system first aid kit. (If the system is not online, download the offline system first aid kit separately and upload it to the Windows system.)
7. Change the administrator account's password. What matters in a password is not quantity but complexity! For example, 12346789, 1qaz2wsx and 1234@qwer already appear in brute-force dictionaries.
8. Rename the administrator account to something else.
9. Disable the Guest user, of course, along with every other user you don't recognize.
10. Run anti-hacking hardening and start detection immediately. It generally checks the following items:
    1. Turning off the default hidden Windows system shares.
    2. Whether the administrator password is complex or easy to crack. You will be prompted about your password; this is ignored here.
    3. Whether Remote Desktop is open. You can turn Remote Desktop off and turn it on manually later, or tick the option so that this item is not optimized.
11. Run the system first aid kit and do a full scan-and-kill.

All the above steps can be carried out simultaneously!

12. Change the system's default remote port number to another port. Range: less than 65535 (do not pick a port number that the system or an application service is already using!). Don't change it to a repeated-digit number, for example port 1111. The steps for modifying the remote port number are as follows:
    1. Open "Start", enter "regedit" and press Enter to open the registry. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp], double-click PortNumber and click "Decimal". You can see that the default value of PortNumber is 3389. Change it to the desired port.
    2. Open [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp], double-click PortNumber, click "Decimal", and change the value of PortNumber (default 3389) to the same value as in the previous step.

    Note: the port numbers in step 1 and step 2 must be the same!
13. Add an inbound rule for the new remote port number in Windows Firewall.
14. Go back to steps 1 to 5; when the checks are complete, apply the fixes with one click. In general, at this point you can open Task Manager and end the process that is using 100% of the CPU: because its parent virus has already been killed, once you kill it the virus will not come back. On most machines CPU usage is now back to normal, but for security reasons the next steps still need to be carried out!
15. Wait for the system first aid kit to finish its scan-and-kill; you will be prompted to restart the system. After the restart, the system first aid kit starts again, does a brief scan, and the system restarts once more. When the system comes up, the first aid kit indicates whether the problem is solved.
16. Check Task Manager to see whether CPU usage is normal. If it is still abnormal, repeat the operations above.

(Note: some malicious files need a network connection to keep regenerating their processes, so you can disable or disconnect the network card during disinfection.)

Windows security reminder: install one copy of 360 Security Guard, and then install 360 Antivirus as well if there is enough memory. Don't install other antivirus software; if you install too many, they fight each other!
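Steps 12 and 13 can also be applied from an elevated PowerShell session with a read-back check that both registry keys hold the same value. This is an added example, not part of the original article; the function name Set-RdpPort, the firewall rule name and the lower bound of 1025 are assumptions.

```powershell
# Added example (not from the original article). Run from an elevated session.
# Set-RdpPort is a hypothetical helper name chosen for this illustration.
function Set-RdpPort {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1025, 65534)]   # below 65535 per the article; the 1025 floor is an assumption
        [int]$Port
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $keys = @(
        "$base\Wds\rdpwd\Tds\tcp",     # step 12, sub-step 1
        "$base\WinStations\RDP-Tcp"    # step 12, sub-step 2
    )

    # The article advises against repeated-digit ports such as 1111.
    if ("$Port" -match '^(\d)\1+$') {
        throw "Port $Port is a repeated-digit number; choose another one."
    }

    # Do not take a port that a system or application service already listens on.
    $inUse = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($inUse) {
        throw "Port $Port is already in use by PID $($inUse[0].OwningProcess)."
    }

    # Step 13: allow the new port inbound before the listener moves to it.
    New-NetFirewallRule -DisplayName "RDP custom port $Port" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

    foreach ($key in $keys) {
        Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    }

    # Read both values back: the two keys must hold the same port.
    $values = @($keys | ForEach-Object { (Get-ItemProperty -Path $_ -Name PortNumber).PortNumber })
    if (@($values | Select-Object -Unique).Count -ne 1 -or $values[0] -ne $Port) {
        throw "PortNumber mismatch between keys: $($values -join ', ')"
    }
    "Both keys now hold PortNumber $Port."
}

# Usage: Set-RdpPort -Port <port you chose>
```

The new port takes effect only after the server or the Remote Desktop Services service is restarted, so keep the current session open until a connection on the new port has been tested.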
A final reminder: if you don't have the skills to back it up, don't run unprotected!
After a Windows system is installed: set a complex password, change the default port, and install antivirus software.

How a server generally gets compromised:

1. The attackers use scanning software to look for the system's default port numbers. (These are, of course, ports through which you can log in to the system and then escalate privileges to do other things, for example 3389, 3306, 22 on Linux, and so on.) So how do they know your IP? In fact, each of them has n files of IP address ranges. This cannot be stopped.
2. They find a default port number. (Each of them also has n dictionary files of accounts and passwords.)
3. They use the account and password dictionaries to try logging in to the system in a loop.
4. Once a match succeeds, an automated script uploads the generated malicious files to sensitive paths on the system, such as the C:\Windows\System32 directory, and sets up scheduled tasks.
5. After the files have been copied, file A is generally started first; it then generates B files, whose names resemble system filenames, to do the bad things.
6. From then on, file A, the one launched at the beginning, only keeps checking whether the B files are running, and uses so little CPU that it is almost impossible to notice.
7. The file you see using 100% of the CPU is file B. So you kill file B and find that it is regenerated automatically after a while.
8. Some viruses even nest many layers.
9. That's about it.
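The dictionary loop in steps 2 and 3 shows up on the defender's side as many failed logons from one address, often against many account names, in a short time. The following is an added example, not part of the original article: the records are constructed sample data shaped like the time, source address and account name of Security event 4625 (failed logon), and the function name Find-LogonSpray and its thresholds are assumptions.

```powershell
# Added example (not from the original article). All records below are constructed.
$t0    = [datetime]'2025-01-16T02:00:00'
$users = 'administrator', 'admin', 'guest', 'test', 'sql', 'backup'
$sample = @(
    # Six failures in 30 seconds from one address, a different account each time.
    for ($n = 0; $n -lt $users.Count; $n++) {
        [pscustomobject]@{ Time = $t0.AddSeconds(5 * $n); Ip = '203.0.113.7'; User = $users[$n] }
    }
    # Two failures more than an hour apart: looks like a mistyped password.
    [pscustomobject]@{ Time = $t0.AddMinutes(3);  Ip = '198.51.100.20'; User = 'administrator' }
    [pscustomobject]@{ Time = $t0.AddMinutes(70); Ip = '198.51.100.20'; User = 'administrator' }
)

# Hypothetical helper: report each source address that produced at least
# $MinFailures failed logons inside any $WindowMinutes-long window.
function Find-LogonSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinFailures   = 5,
        [int]$WindowMinutes = 10
    )
    foreach ($group in ($Events | Group-Object -Property Ip)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        # Slide a window of $MinFailures consecutive failures over the sorted list.
        for ($i = 0; $i -le $sorted.Count - $MinFailures; $i++) {
            $last = $sorted[$i + $MinFailures - 1]
            if (($last.Time - $sorted[$i].Time).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Ip        = $group.Name
                    Failures  = $sorted.Count
                    Accounts  = @($sorted.User | Select-Object -Unique).Count
                    FirstSeen = $sorted[0].Time
                }
                break   # one report per address is enough
            }
        }
    }
}

# Only 203.0.113.7 is reported (6 failures across 6 accounts).
Find-LogonSpray -Events $sample
```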