How to check the signs of an attack on a website server

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

More and more servers are being compromised, and attacks are frequent: data theft, database tampering, user databases dumped and leaked, websites forcibly redirected to malicious sites, and site snapshots hijacked in Baidu search results. The symptoms are endless. When our server is attacked or hacked, how should we respond?

How do you check for signs that a server has been hacked, and is there an emergency plan that does not affect access to the website? Many customers facing the attacks above have come to us at SINE Security to handle and solve the problem. Our SINE Security engineers have summed up a method of our own and share it here, hoping it helps you deal with a hacked server as quickly as possible. When some customers run into this, the first thing that comes to mind is to shut down the server, tell the data centre to pull the power, or simply take the website offline. These measures only deal with the immediate problem, not the root cause. So when a server is attacked, check the logs and intrusion traces in detail, trace the source, find the vulnerability, and establish exactly where and how the server was broken into.

Start with the following aspects:

Check whether any server process is malicious; whether an administrator account has been added; which ports the server has open and whether any are unexpected; the server's login log; the default startup items, services and scheduled tasks; whether the website contains a Trojan backdoor (webshell); and whether the server's own system is infected.

How do you view the processes? Log on to the server and type tasklist at the cmd prompt, or right-click the taskbar, open Task Manager and choose "Show processes from all users". Sort by memory and CPU usage to see which processes are constantly busy; that gives a rough first idea of whether anything abnormal is running, since a backdoor usually lives in a running process. Take the PID of a suspect process and find out which file it was started from: tasklist /svc shows the services a process hosts, tasklist | findstr <PID> picks one process out of the list, and wmic process where processid=<PID> get executablepath,commandline prints the file it was launched from (Task Manager's "Open file location" does the same). A process running from a temp, upload or web directory, or a system name such as svchost.exe running from outside C:\Windows, deserves a closer look.

Next, check whether other malicious administrator accounts exist on the system. net user at the cmd prompt lists the local accounts, and net localgroup administrators lists who is in the Administrators group. Note that net user does not display account names ending in $, a trick attackers use to hide an account, so also check the registry: type regedit and open HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names, which lists every account name. By default only SYSTEM can read the SAM keys, so run regedit as SYSTEM (for example with psexec -s -i regedit.exe) or grant Administrators read access to that key first.

Check the ports. Clients' servers are often attacked through ports such as 3306 (MySQL), 21 (FTP), 135 and 445 (RPC and SMB), 1433 (SQL Server) and 3389 (Remote Desktop). Check whether they are open to the public; if they are, they are likely to be exploited through vulnerabilities and weak account passwords. Some database root accounts have an empty password, some FTP services allow anonymous connections, and some passwords are still 123456 or 111111, any of which can get the server compromised. netstat -ano lists the listening ports together with the PID of the owning process. Change the Remote Desktop port to make brute-force logins harder, and add security verification for remote logins: restrict the source IP addresses and, where your product supports it, MAC addresses and computer names, which greatly improves the server's security. Also check the server's login log: see whether the log has been emptied (on Vista/2008 and later, clearing the Security log itself leaves event 1102) and look for malicious logins. Most attackers log on to the server at some point and leave a login record. The event to check is 682 (session reconnected to a winstation) on Windows Server 2003; on later versions it is 4778, together with 4624 (successful logon) and 4625 (failed logon).

Next, check the server's startup items, services and scheduled tasks. After breaking into a server an attacker generally installs a Trojan backdoor and makes it persistent through a startup item, a scheduled task or a service disguised as a system service, so that the administrator does not notice. msconfig shows the startup items and services, services.msc shows each service's binary path and start mode, and schtasks /query /fo LIST /v lists every scheduled task with the command it runs.

Check these entries in the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (a Windows 9x-era key; on modern Windows it is normally absent or empty, so anything in it is suspicious)

HKEY_CLASSES_ROOT\exefile\shell\open\command (the default value should be exactly "%1" %*; anything else runs the attacker's program every time an .exe is opened)
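The checks above (processes, accounts, ports, logon events, autostart keys, services and scheduled tasks) collected into one read-only PowerShell pass. This is an added example, not code from the original article or from SINE Security. It assumes Windows Server 2012 R2 or later for Get-NetTCPConnection and Get-ScheduledTask, Server 2016 or later for Get-LocalUser and Get-LocalGroupMember, and an elevated prompt; the $Hours lookback window and the extra HKCU and Wow6432Node Run keys are my additions.

```powershell
# Added example, not code from the original article: a read-only triage pass over the
# checks listed above. Run in an elevated PowerShell on the suspect server.
# Assumptions: Server 2012 R2+ (Get-NetTCPConnection, Get-ScheduledTask), Server 2016+
# (Get-LocalUser, Get-LocalGroupMember); $Hours is an arbitrary lookback window.
param([int]$Hours = 72)
$since = (Get-Date).AddHours(-$Hours)

"== Processes with image path and command line (non-Windows paths listed first) =="
Get-CimInstance Win32_Process |
  Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
  Sort-Object { $_.ExecutablePath -like 'C:\Windows\*' }, Name |
  Format-Table -AutoSize -Wrap

"== Local accounts (also shows names ending in '$', which 'net user' hides) =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
"== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource

"== Listening TCP ports with owning process (same data as netstat -ano) =="
Get-NetTCPConnection -State Listen |
  Select-Object LocalAddress, LocalPort,
    @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
  Sort-Object LocalPort | Format-Table -AutoSize

"== Security log, last $Hours h: 4624 logon, 4625 failed logon, 4778 RDP reconnect, 1102 log cleared =="
# 4778 is the successor of the Server 2003 event 682 the article names. A 1102, or an
# empty log, is itself an indicator that someone cleaned up after themselves.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625,4778,1102; StartTime=$since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $user = $d.TargetUserName; if (-not $user) { $user = $d.AccountName }   # 4778 uses AccountName
    $from = $d.IpAddress;      if (-not $from) { $from = $d.ClientAddress } # 4778 uses ClientAddress
    [pscustomobject]@{ Id=$_.Id; User=$user; LogonType=$d.LogonType; From=$from; Time=$_.TimeCreated }
  } |
  Where-Object { $_.LogonType -notin '0','5' } |             # drop SYSTEM and service logons
  Group-Object Id, User, LogonType, From |
  Sort-Object Count -Descending | Select-Object Count, Name -First 40 | Format-Table -AutoSize

"== Autostart registry values (the article's keys plus HKCU and Wow6432Node Run) =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostarts = foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  $p = Get-ItemProperty -Path $k
  foreach ($v in $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
    [pscustomobject]@{ Key=$k; Name=$v.Name; Command=$v.Value }
  }
}
$autostarts | Format-Table -AutoSize -Wrap
# A clean exefile handler is exactly "%1" %* ; anything else runs a loader before every .exe.
"exefile handler: " + (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'

"== Auto-start services whose binary is outside C:\Windows =="
Get-CimInstance Win32_Service |
  Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike '*\Windows\*' } |
  Select-Object Name, State, StartName, PathName | Format-Table -AutoSize -Wrap

"== Scheduled tasks outside \Microsoft\, with what they execute =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
  [pscustomobject]@{
    Task   = $_.TaskPath + $_.TaskName
    State  = $_.State
    RunAs  = $_.Principal.UserId
    Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
  }
} | Format-Table -AutoSize -Wrap
```

Redirect the output to a file on removable media or a share rather than the suspect disk, so that the attacker's cleanup (and your own investigation) does not overwrite evidence; the script changes nothing on the host. Reading the SAM\...\Names key the article mentions still needs a SYSTEM-level regedit, so that one check stays manual.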

Most important of all, check the security of the website code. Compare the current site against the backup taken before the incident and look for files that have been added or changed. Image files can mostly be ignored (except where the server parses double extensions, such as IIS 6 with x.asp;.jpg); concentrate on script files the server executes, such as asp, aspx, php, jsp and the like. Look for code containing eval and similar constructs typical of a webshell Trojan, and for files that are encrypted or obfuscated, which may well be website Trojans. Also look at the home page code: if the title or description has been encrypted or contains characters you do not recognise, the site has generally been hacked, and that is often the first step toward the server itself being attacked.
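The webshell hunt described above, automated: hash the live web root and the known-good backup, list the script files that are new or changed, and grep every script file for markers such as eval. This is an added example, not code from the original article or from SINE Security. The web root and backup paths, the extension list and the marker list are assumptions to adapt to the site; hits are leads to open and read, not verdicts.

```powershell
# Added example, not code from the original article: diff the live web root against a
# known-good backup and grep script files for webshell markers. Paths, extension list
# and marker list are assumptions to adapt per site.
param(
  [string]$WebRoot = 'D:\wwwroot\site',          # assumed live web root
  [string]$Backup  = 'D:\backup\site-known-good'  # assumed pre-incident backup
)
# Extensions the article names, plus a few that IIS and Tomcat also execute by default.
$scriptExt = '.asp','.aspx','.asa','.ashx','.asmx','.php','.phtml','.jsp','.jspx'
# Constructs common to ASP/PHP/JSP webshells: the article's eval plus the usual decoders
# and command runners. Legitimate code uses some of these too, hence the Status column.
$markers = 'eval\s*\(', 'execute\s*\(', 'base64_decode', 'gzinflate', 'str_rot13',
           'assert\s*\(', 'preg_replace\s*\(.*/e', 'ProcessStartInfo', 'Runtime\.getRuntime',
           'cmd\.exe', 'Request\s*\(', 'chr\(\d+\)\s*&', 'unsafe\s*=',
           '\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\('
$re = $markers -join '|'

# SHA-256 of every file (hidden ones included), keyed by path relative to the root.
function Get-TreeHashes([string]$Root) {
  $m = @{}
  $base = $Root.TrimEnd('\').Length + 1
  Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
    $m[$_.FullName.Substring($base)] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
  }
  $m
}
$live = Get-TreeHashes $WebRoot
$gold = Get-TreeHashes $Backup

function Get-DiffStatus([string]$Rel) {
  if (-not $gold.ContainsKey($Rel)) { return 'NEW' }
  if ($gold[$Rel] -ne $live[$Rel])  { return 'MODIFIED' }
  'UNCHANGED'
}

"== Script files that are new or changed since the backup =="
$live.Keys |
  Where-Object { $scriptExt -contains [IO.Path]::GetExtension($_).ToLower() } |
  ForEach-Object { [pscustomobject]@{ Status = Get-DiffStatus $_; File = $_ } } |
  Where-Object { $_.Status -ne 'UNCHANGED' } | Sort-Object Status, File | Format-Table -AutoSize

"== Marker hits in all script files (UNCHANGED hits: the backup is dirty too, or a false positive) =="
Get-ChildItem -Path $WebRoot -Recurse -File -Force |
  Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
  Select-String -Pattern $re -AllMatches |
  ForEach-Object {
    $rel = $_.Path.Substring($WebRoot.TrimEnd('\').Length + 1)
    [pscustomobject]@{ Status = Get-DiffStatus $rel; File = $rel; Line = $_.LineNumber
                       Match = $_.Matches[0].Value; Text = $_.Line.Trim() }
  } | Sort-Object Status, File, Line | Format-Table -AutoSize -Wrap

"== Script files carrying a long base64-looking blob (encoded shells with no plain marker) =="
Get-ChildItem -Path $WebRoot -Recurse -File -Force |
  Where-Object { $scriptExt -contains $_.Extension.ToLower() -and
                 (Get-Content -Path $_.FullName -Raw) -match '[A-Za-z0-9+/=]{200,}' } |
  Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

The hash comparison is the reliable part: a file the backup does not know is either a legitimate deployment or a shell, and the developer can tell you which. Do not rely on LastWriteTime alone, since attackers routinely copy timestamps from neighbouring files, and treat a marker hit in an UNCHANGED file as a reason to check the backup itself.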

The above covers the overall detection of a server intrusion. Vulnerabilities in software installed on the server and in the environment, such as Apache, Struts2 and IIS, can also lead to an intrusion. If the website has been tampered with, be sure to check it for vulnerabilities: SQL injection, file upload, XSS cross-site scripting and remote code execution. Troubleshoot a hacked server from all of these directions. If you are not familiar with the server, find a professional network security company to handle it; domestic firms such as sinesafe, Qiming Star and Green Alliance are all quite good. The above is our own day-to-day method for investigating, finding the problem, tracing the source, thoroughly preventing the server from being hacked again and minimising losses. Every customer's server environment and code are different, so troubleshoot and solve the problem according to the actual situation.
