
Network Admin Log_JAN062005

2013-09-23 ⁄ General ⁄ 6781 characters

First thing in the morning, as soon as I powered up, Host Monitor reported a problem with the Web Server: SQL Server No Answer. I remoted into the machine, where AVG's scheduled scan was reporting a virus in Secure.bat inside HELP under C:\WINNT\SYSTEM32\SPOOL\. Following that up, I found that C:\WINNT\SYSTEM32\SPOOL\ had one more hidden directory than usual, Help. So, imitating the police (BaiBai), I took a snapshot of the scene with ALT+Print Screen, then packed up the Help directory, deleted the directory, and wrote the incident into the system operations log. Unfortunately I had deleted the trigger, Secure.bat, right away; from now on, when a problem is found, preserve the scene first and deal with it afterwards.

Analysing the contents of Help (below): it is mostly about information gathering, plus a Telsrv program, fully embodying the Art of War's spirit of "know yourself and know your enemy, and in a hundred battles you will not be defeated":

AV_FW.bat, used to stop the services of various anti-virus products and firewalls such as BlackICE, and which at the end also deletes scan history and virus database files;
Fport.exe, used to collect port information, including the process listening on each port, saving the results to Fport.txt;
regedit.exe, the registry editor;
kill.exe, PsKill v1.03 - local and remote process killer;
system.bat, reports system information and looks for Serv-U, saving the results to Systeminfo.txt;
telsrv.exe, a Telnet server, http://www.pcmicro.com/netfoss/telsrv.html
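
The opening paragraph's lesson (the trigger file was deleted before it could be kept) is the one thing worth turning into a routine. The script below is an added example, not part of the original log or the toolkit above: before a suspicious directory such as Help is removed, it hashes every file in it (hidden files included), records sizes and timestamps, archives the files with a manifest, and hashes the manifest itself so the bundle can be verified later. The Help directory it builds in demo() is constructed; SAMPLE_BAT is a stand-in, not the real Secure.bat.

```python
"""Preserve the scene before cleaning up: hash and archive a suspicious directory.

Added example, not part of the original log. Every regular file under the
directory is hashed and archived together with its timestamps, and the
manifest itself is hashed so the evidence bundle can be verified afterwards.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Constructed stand-in for the dropper; not the real Secure.bat.
SAMPLE_BAT = b"@echo off\r\nnet stop ANTIVIR /y\r\n"


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def build_manifest(root):
    """One record per regular file under root, sorted for a stable digest.

    os.walk does not filter on the HIDDEN attribute, so a hidden directory or
    file is listed like any other; symlinks are skipped rather than followed.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "sha256": sha256_file(full),
                "mtime": _iso(st.st_mtime),
                "atime": _iso(st.st_atime),  # already disturbed by the AV scan, but still recorded
                "ctime": _iso(st.st_ctime),  # creation time on Windows, inode change on POSIX
            })
    return sorted(records, key=lambda r: r["path"])


def manifest_digest(records):
    """Digest over a canonical JSON form; any change to a record changes it."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def preserve(root, archive_path):
    """Write manifest, its digest and the files into a zip; return (records, digest)."""
    records = build_manifest(root)
    digest = manifest_digest(records)
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(records, indent=2, sort_keys=True))
        zf.writestr("manifest.sha256", digest + "  manifest.json\n")
        for rec in records:
            zf.write(os.path.join(root, rec["path"]), "evidence/" + rec["path"])
    return records, digest


def verify(archive_path):
    """True only if the manifest digest and every file hash still match."""
    with zipfile.ZipFile(archive_path) as zf:
        records = json.loads(zf.read("manifest.json"))
        stored = zf.read("manifest.sha256").decode().split()[0]
        if manifest_digest(records) != stored:
            return False
        for rec in records:
            if hashlib.sha256(zf.read("evidence/" + rec["path"])).hexdigest() != rec["sha256"]:
                return False
    return True


def demo():
    """Build a constructed Help directory, preserve it, verify the bundle."""
    root = tempfile.mkdtemp(prefix="Help_")
    with open(os.path.join(root, "Secure.bat"), "wb") as f:
        f.write(SAMPLE_BAT)
    with open(os.path.join(root, "Fport.txt"), "wb") as f:
        f.write(b"Pid   Process            Port  Proto Path\r\n")
    archive = os.path.join(tempfile.mkdtemp(prefix="evidence_"), "Help.zip")
    records, digest = preserve(root, archive)
    return records, digest, verify(archive)


if __name__ == "__main__":
    recs, dig, ok = demo()
    print(f"{len(recs)} files archived, manifest sha256 {dig}, verify={ok}")
```

Run it from a clean machine against a copy of the directory where possible; the access times are already disturbed by the scanner that raised the alert, which is why the digest covers the recorded values rather than promising they are pristine.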

Since this server is one I inherited, and it is an all-in-one server, I went through it step by step:

※ Searching Google for Secure.bat turned up a Symantec security bulletin on Backdoor.Sumtax: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sumtax.html; I checked the places it describes and cleaned up the registry;
※ Re-checked the services and disabled all the unnecessary ones (and wondered how so many odd services had been enabled);
※ Used %SystemRoot%\system32\wupdmgr.exe to go to the Microsoft site and apply all the patches;
※ Changed the SQL Server SA password, renamed the local Administrator account and changed its password as well, and recorded this in the server operations report;
※ Killed all suspicious processes, and checked the following keys, removing the suspicious entries;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
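
Checking those four keys by hand in regedit on a compromised host is error-prone; an added example follows (not from the original log) that does it offline. Export the keys with Regedit /E (the same switch the attacker's system.bat uses further down) or reg export, copy the .reg file off the machine, and let the script parse REG_SZ and REG_EXPAND_SZ values and flag entries that run from a staging or temp directory, that launch a script instead of an executable, or that use an unquoted path with spaces. The .reg text in SAMPLE_REG is constructed; the entry pointing into spool\Help is hypothetical and only mirrors where the toolkit was found.

```python
"""Offline triage of exported autorun keys.

Added example, not from the original log. Parses a Regedit /E export of the
Run / RunOnce keys and flags entries that deserve a second look.
"""
import re

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
# Locations a legitimate autorun entry rarely lives in (lower-case substrings).
STAGING_DIRS = ("\\spool\\", "\\temp\\", "%temp%", "\\recycler\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote inside strings with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex2(data):
    """REG_EXPAND_SZ is written as hex(2): comma separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text):
    """Return (key, value_name, string) for every REG_SZ / REG_EXPAND_SZ value."""
    entries, key = [], None
    lines = text.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        while data.endswith("\\") and i < len(lines):   # regedit wraps long hex data
            data = data[:-1] + lines[i].strip()
            i += 1
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            entries.append((key, name, _unescape(data[1:-1])))
        elif data.lower().startswith("hex(2):"):
            entries.append((key, name, _decode_hex2(data[7:])))
    return entries


def executable_path(command):
    """Program path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs|js|pif|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def triage(entries):
    """[(key, name, path, reasons)] for autorun entries that deserve a look."""
    findings = []
    for key, name, cmd in entries:
        if key.lower() not in AUTORUN_KEYS:
            continue
        path = executable_path(cmd)
        low = path.lower()
        reasons = []
        if any(d in low for d in STAGING_DIRS):
            reasons.append("runs from a staging/temp directory")
        if low.endswith(SCRIPT_EXTS):
            reasons.append("autorun target is a script rather than an executable")
        if " " in path and not cmd.strip().startswith('"'):
            reasons.append("unquoted path containing spaces")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


# Constructed sample export (hypothetical entries, not the real host's keys).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Help"="C:\\WINNT\\system32\\spool\\Help\\telsrv.exe"
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,70,00,\
  64,00,2e,00,62,00,61,00,74,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tray"="\"C:\\Program Files\\Tool\\tool.exe\" -tray"
"Agent"="C:\\Program Files\\Agent\\agent.exe -silent"
'''

if __name__ == "__main__":
    for key, name, path, reasons in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name} -> {path}: {'; '.join(reasons)}")
```

The findings are a starting list, not a verdict: compare each flagged path against what is actually on disk and against the Fport output, and keep the export itself with the rest of the evidence.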

Contents of AV_FW.bat:
net stop _Avp32.exe /y >> av_fw.txt
net stop _Avpcc.exe /y >> av_fw.txt
net stop _Avpm.exe /y >> av_fw.txt
net stop Ackwin32.exe /y >> av_fw.txt
net stop Agnitum Outpost Firewall /y >> av_fw.txt
net stop Anti-Trojan.exe /y >> av_fw.txt
net stop ANTIVIR /y >> av_fw.txt
......
net stop AVCONSOL /y >> av_fw.txt
net stop WEBTRAP /y >> av_fw.txt
net stop POP3TRAP /y >> av_fw.txt
del c:\*ANTI-VIR*.DAT /s /q >> av_fw.txt
del c:\*CHKLIST*.DAT /s /q >> av_fw.txt
del c:\*CHKLIST*.MS /s /q >> av_fw.txt
del c:\*CHKLIST*.CPS /s /q >> av_fw.txt
del c:\*CHKLIST*.TAV /s /q >> av_fw.txt
......
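
Every `net stop` in that script that actually hits a running service leaves a trace: the Service Control Manager writes event 7036, "The <name> service entered the stopped state." A dozen of those inside a couple of seconds, all against protective software, is a signature worth alerting on. The following is an added example, not from the original log: it reads System log events exported as one "timestamp,source,event id,message" line per event, raises a watchlist alert for any stop of a service named in AV_FW.bat, and a single burst alert when several services stop within a short window. The log lines in SAMPLE_LOG are constructed; the export format and the 60-second / three-stop thresholds are assumptions to tune for your environment.

```python
"""Detect the AV_FW.bat pattern in the System event log: a burst of service stops.

Added example, not from the original log. Scans Service Control Manager
event 7036 lines and alerts on protective services stopping and on bursts
of stops within a short window.
"""
from collections import deque
from datetime import datetime, timedelta
import re

# Services whose stopping is an alert on its own (names taken from AV_FW.bat, lower-cased).
PROTECTIVE = {"antivir", "agnitum outpost firewall", "avconsol", "webtrap", "pop3trap"}

_STOPPED = re.compile(r"^The (.+?) service entered the stopped state\.?$")


def parse_line(line):
    """'YYYY-mm-dd HH:MM:SS,Source,EventID,Message' -> (datetime, source, id, message)."""
    ts, source, eid, msg = line.rstrip("\r\n").split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, int(eid), msg


def service_stops(lines):
    """Yield (timestamp, service name) for every SCM 7036 'stopped' event, in log order."""
    for line in lines:
        if not line.strip():
            continue
        ts, source, eid, msg = parse_line(line)
        if source != "Service Control Manager" or eid != 7036:
            continue
        m = _STOPPED.match(msg)
        if m:
            yield ts, m.group(1)


def detect(lines, window=timedelta(seconds=60), threshold=3):
    """Return alerts as (kind, timestamp, [services]).

    'watchlist': a protective service stopped.
    'burst': at least `threshold` services stopped inside `window`; reported
    once per burst, timestamped with the first stop of the burst.
    """
    alerts, recent, in_burst = [], deque(), False
    for ts, svc in sorted(service_stops(lines), key=lambda e: e[0]):
        if svc.lower() in PROTECTIVE:
            alerts.append(("watchlist", ts, [svc]))
        recent.append((ts, svc))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold and not in_burst:
            in_burst = True
            alerts.append(("burst", recent[0][0], [s for _, s in recent]))
        elif len(recent) < threshold:
            in_burst = False
    return alerts


# Constructed sample: the five protective services stopped within two seconds,
# plus unrelated spooler events that must not trip the burst rule.
SAMPLE_LOG = """\
2005-01-06 02:58:10,Service Control Manager,7036,The Print Spooler service entered the running state.
2005-01-06 03:12:41,Service Control Manager,7036,The ANTIVIR service entered the stopped state.
2005-01-06 03:12:42,Service Control Manager,7036,The Agnitum Outpost Firewall service entered the stopped state.
2005-01-06 03:12:42,Service Control Manager,7036,The AVCONSOL service entered the stopped state.
2005-01-06 03:12:43,Service Control Manager,7036,The WEBTRAP service entered the stopped state.
2005-01-06 03:12:43,Service Control Manager,7036,The POP3TRAP service entered the stopped state.
2005-01-06 03:12:45,Service Control Manager,7035,The Print Spooler service was successfully sent a stop control.
2005-01-06 09:00:00,Service Control Manager,7036,The Print Spooler service entered the stopped state.
"""

if __name__ == "__main__":
    for kind, ts, services in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind}: {', '.join(services)}")
```

The burst rule is what catches a script like this even when the product names are not on the watchlist; the watchlist catches a single targeted stop that a burst threshold would miss. Note that the script also deletes the scanner's own DAT files, which leaves no event of its own, so a missing or suddenly empty virus database is a second indicator to check by hand.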

Contents of system.bat:
@echo off
echo System Information: > Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt

#OPERATING SYSTEM
echo ___________________ >> Systeminfo.txt
echo Operating System... >> Systeminfo.txt
echo. >> Systeminfo.txt

VER >> Systeminfo.txt

#FREE SPACE
echo _____________ >> Systeminfo.txt
echo Free Space... >> Systeminfo.txt
echo. >> Systeminfo.txt

dir c: | find "bytes" >> Systeminfo.txt
dir c: | find "libres" >> Systeminfo.txt
dir d: | find "bytes" >> Systeminfo.txt
dir d: | find "libres" >> Systeminfo.txt
dir e: | find "bytes" >> Systeminfo.txt
dir e: | find "libres" >> Systeminfo.txt
dir f: | find "bytes" >> Systeminfo.txt
dir f: | find "libres" >> Systeminfo.txt
dir g: | find "bytes" >> Systeminfo.txt
dir g: | find "libres" >> Systeminfo.txt
dir h: | find "bytes" >> Systeminfo.txt
dir h: | find "libres" >> Systeminfo.txt

#FINDING SERVU
echo ________________ >> Systeminfo.txt
echo Finding Servu... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\Ser*.ini >> Systeminfo.txt
Dir /s /a d:\Ser*.ini >> Systeminfo.txt
Dir /s /a e:\Ser*.ini >> Systeminfo.txt
Dir /s /a c:\Ser*.exe >> Systeminfo.txt
Dir /s /a d:\Ser*.exe >> Systeminfo.txt
Dir /s /a e:\Ser*.exe >> Systeminfo.txt

#FINDING rar
echo ________________ >> Systeminfo.txt
echo Finding RAR.. >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\*.rar >> Systeminfo.txt
Dir /s /a d:\*.rar >> Systeminfo.txt
Dir /s /a e:\*.rar >> Systeminfo.txt
Dir /s /a f:\*.rar >> Systeminfo.txt
Dir /s /a g:\*.rar >> Systeminfo.txt
Dir /s /a h:\*.rar >> Systeminfo.txt

#FINDING mp3
echo ________________ >> Systeminfo.txt
echo Finding MP3... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\*.mp3 >> Systeminfo.txt
Dir /s /a d:\*.mp3 >> Systeminfo.txt
Dir /s /a e:\*.mp3 >> Systeminfo.txt
Dir /s /a f:\*.mp3 >> Systeminfo.txt
Dir /s /a g:\*.mp3 >> Systeminfo.txt
Dir /s /a h:\*.mp3 >> Systeminfo.txt

#FINDING nfo
echo ________________ >> Systeminfo.txt
echo Finding NFO... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\*.nfo >> Systeminfo.txt
Dir /s /a d:\*.nfo >> Systeminfo.txt
Dir /s /a e:\*.nfo >> Systeminfo.txt
Dir /s /a f:\*.nfo >> Systeminfo.txt
Dir /s /a g:\*.nfo >> Systeminfo.txt
Dir /s /a h:\*.nfo >> Systeminfo.txt

#FINDING FTP.EXE
echo ________________ >> Systeminfo.txt
echo Finding FTP... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\FTP.EXE >> Systeminfo.txt
Dir /s /a d:\FTP.EXE >> Systeminfo.txt
Dir /s /a e:\FTP.EXE >> Systeminfo.txt
Dir /s /a f:\FTP.EXE >> Systeminfo.txt
Dir /s /a g:\FTP.EXE >> Systeminfo.txt
Dir /s /a h:\FTP.EXE >> Systeminfo.txt

#FINDING TFTP.EXE
echo ________________ >> Systeminfo.txt
echo Finding TFTP... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\TFTP.EXE >> Systeminfo.txt
Dir /s /a d:\TFTP.EXE >> Systeminfo.txt
Dir /s /a e:\TFTP.EXE >> Systeminfo.txt
Dir /s /a f:\TFTP.EXE >> Systeminfo.txt
Dir /s /a g:\TFTP.EXE >> Systeminfo.txt
Dir /s /a h:\TFTP.EXE >> Systeminfo.txt

#FINDING FIREDAEMON.EXE
echo ________________ >> Systeminfo.txt
echo Finding Firedaemon... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a d:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a e:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a f:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a g:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a h:\FIREDAEMON.EXE >> Systeminfo.txt

#FINDING IOFTPD
echo ________________ >> Systeminfo.txt
echo Finding Ioftpd... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\io*.ini >> Systeminfo.txt
Dir /s /a d:\io*.ini >> Systeminfo.txt
Dir /s /a c:\io*.exe >> Systeminfo.txt
Dir /s /a d:\io*.exe >> Systeminfo.txt
Dir /s /a c:\rai*.ini >> Systeminfo.txt
Dir /s /a d:\rai*.ini >> Systeminfo.txt
Dir /s /a c:\rai*.exe >> Systeminfo.txt
Dir /s /a d:\rai*.exe >> Systeminfo.txt

#FINDING Sub0t.ini
echo ________________ >> Systeminfo.txt
echo Finding Sub0t.ini... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\Sub0t.ini >> Systeminfo.txt
Dir /s /a d:\Sub0t.ini >> Systeminfo.txt
Dir /s /a e:\Sub0t.ini >> Systeminfo.txt
Dir /s /a c:\svrany.exe >> Systeminfo.txt
Dir /s /a d:\svrany.exe >> Systeminfo.txt

#FINDING ftpc.exe
echo ________________ >> Systeminfo.txt
echo Finding ftpc.exe... >> Systeminfo.txt
echo  >> Systeminfo.txt

Dir /s /a c:\ftpc.exe >> Systeminfo.txt
Dir /s /a d:\ftpc.exe >> Systeminfo.txt
Dir /s /a e:\ftpc.exe >> Systeminfo.txt
Dir /s /a f:\ftpc.exe >> Systeminfo.txt
Dir /s /a g:\ftpc.exe >> Systeminfo.txt
Dir /s /a h:\ftpc.exe >> Systeminfo.txt

#RUNNING SERVICES
echo ___________________ >> Systeminfo.txt
echo Running Services... >> Systeminfo.txt
echo. >> Systeminfo.txt

NET START >> Systeminfo.txt

#RUNNING SERVICES
echo ______ >> Systeminfo.txt
echo SET... >> Systeminfo.txt
echo  >> Systeminfo.txt

SET >> Systeminfo.txt

#INSTALLED SOFTWARE
echo _____________________ >> Systeminfo.txt
echo Installed Software... >> Systeminfo.txt
echo. >> Systeminfo.txt

Start /Wait Regedit /E %TEMP%.\Tmp HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Find "DisplayName" > Systeminfo.txt
Del %TEMP%.\Tmp

#INSTALLED SOFTWARE
echo ___________ >> Systeminfo.txt
echo NET STAT... >> Systeminfo.txt
echo. >> Systeminfo.txt

NETSTAT >> Systeminfo.txt

#RUNNING PROCESSES
echo ____________________ >> Systeminfo.txt
echo Running Processes... >> Systeminfo.txt
echo  >> Systeminfo.txt

TASKLIST /SVC >> Systeminfo.txt

#SYSTEM INFO
echo ______________ >> Systeminfo.txt
echo System Info... >> Systeminfo.txt
echo  >> Systeminfo.txt

echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
