First thing in the morning, as soon as I powered on, I found Host Monitor reporting a problem with the Web Server: SQL Server No Answer. I remoted into the machine, and AVG's scheduled scan reported that Secure.bat in HELP under C:\WINNT\SYSTEM32\SPOOL\ was infected. Following that up, I found that C:\WINNT\SYSTEM32\SPOOL\ contained one hidden directory more than usual, named Help. So, the way the police do, I took a snapshot of the scene with ALT+Print Screen, then packed up the Help directory, deleted the directory, and wrote this incident into the system operations log. Unfortunately I had deleted the trigger, Secure.bat, right away; from now on, when a problem is found, the scene should be preserved first and dealt with afterwards.
A look at the contents of Help (below): it is mostly about collecting information, plus a Telsrv program, which fully embodies the spirit of Sun Tzu's "know yourself and know your enemy, and you will not be defeated in a hundred battles":
AV_FW.bat, used to stop the services of various anti-virus products and firewalls such as BlackICE, and at the end it also deletes historical scan records and virus database files;
Fport.exe, used to collect port information, including the process listening on each port, saving the results to Fport.txt;
regedit.exe, the registry editor;
kill.exe, PsKill v1.03 - local and remote process killer;
system.bat, reports system information and locates Serv-U details, saving the results to Systeminfo.txt;
telsrv.exe, a Telnet Server, http://www.pcmicro.com/netfoss/telsrv.html;
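Fport.txt is the kind of artefact a defender should also produce for themselves, because a listening-port baseline is what exposes an extra Telnet server. The following Python audit is an added example, not from the original post and not part of Fport: it parses an Fport-style report and compares every mapped port against a per-server baseline. The column layout is assumed to follow Fport's "Pid  Process  ->  Port  Proto  Path" table, and both the report and the baseline below are constructed for illustration rather than captured from the compromised server.

```python
"""Audit an Fport-style report against a per-server port baseline.

Added example (not from the original post, not part of Fport). Assumes
Fport's tabular text output: 'Pid  Process  ->  Port  Proto  Path'.
The report and the baseline below are constructed for illustration.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "pid process port proto path")

# One mapped port per line; the path column is empty for kernel listeners.
_LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$", re.I)

# Constructed baseline for an all-in-one IIS + SQL Server + Serv-U box
# (assumption: what this server is expected to expose).
BASELINE = {
    (21, "tcp"): "servudaemon",
    (80, "tcp"): "inetinfo",
    (135, "tcp"): "svchost",
    (139, "tcp"): "system",
    (445, "tcp"): "system",
    (1433, "tcp"): "sqlservr",
}

# Constructed sample report laid out like Fport's table.
SAMPLE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
1004  ServUDaemon    ->  21    TCP   C:\Program Files\Serv-U\ServUDaemon.exe
1032  inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1120  sqlservr       ->  1433  TCP   C:\MSSQL7\Binn\sqlservr.exe
1488  telsrv         ->  23    TCP   C:\WINNT\SYSTEM32\SPOOL\Help\telsrv.exe
1120  sqlservr       ->  1434  UDP   C:\MSSQL7\Binn\sqlservr.exe
"""


def parse_fport(text):
    """Parse the Fport table into Listener tuples; banner and header lines are skipped."""
    listeners = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto.lower(), path.strip()))
    return listeners


def audit_fport(text, baseline=BASELINE):
    """Return (listener, reason) for every mapped port that deviates from the baseline.

    A port that is absent from the baseline is reported, and so is a baseline
    port served by a different process than expected.
    """
    findings = []
    for l in parse_fport(text):
        expected = baseline.get((l.port, l.proto))
        if expected is None:
            findings.append((l, "port not in baseline"))
        elif expected != l.process.lower():
            findings.append((l, "expected %s on this port, found %s" % (expected, l.process)))
    return findings


if __name__ == "__main__":
    for listener, reason in audit_fport(SAMPLE_FPORT):
        print("%-5d %-12s %5d/%s  %s  [%s]" % (listener.pid, listener.process,
              listener.port, listener.proto, listener.path, reason))
```

On the constructed report this flags telsrv on 23/tcp (the planted Telnet server) and also sqlservr on 1434/udp, which is the SQL Server browser port: a legitimate listener missing from the baseline. The second finding is the point of keeping such a baseline under version control, since every unexplained deviation is either a baseline gap to document or something to investigate.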
Since this server was one I had taken over from someone else, and it is an All in One server, I worked through it step by step:
※ Searching Google for Secure.bat turned up a Symantec security advisory on Backdoor.Sumtax: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sumtax.html; I checked the relevant places as the advisory describes and cleaned up the registry;
※ Re-checked the services and disabled all the unneeded ones (I also wondered how so many miscellaneous services had come to be enabled);
※ Used %SystemRoot%\system32\wupdmgr.exe to go to the Microsoft site and apply all available patches;
※ Changed the SQL Server SA password, renamed the local Administrator account and changed its password as well, and recorded this in the server operations report;
※ Killed all suspicious processes, and also checked the following keys, removing any suspicious entries there;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
Contents of AV_FW.bat:
net stop _Avp32.exe /y >> av_fw.txt
net stop _Avpcc.exe /y >> av_fw.txt
net stop _Avpm.exe /y >> av_fw.txt
net stop Ackwin32.exe /y >> av_fw.txt
net stop Agnitum Outpost Firewall /y >> av_fw.txt
net stop Anti-Trojan.exe /y >> av_fw.txt
net stop ANTIVIR /y >> av_fw.txt
......
net stop AVCONSOL /y >> av_fw.txt
net stop WEBTRAP /y >> av_fw.txt
net stop POP3TRAP /y >> av_fw.txt
del c:\*ANTI-VIR*.DAT /s /q >> av_fw.txt
del c:\*CHKLIST*.DAT /s /q >> av_fw.txt
del c:\*CHKLIST*.MS /s /q >> av_fw.txt
del c:\*CHKLIST*.CPS /s /q >> av_fw.txt
del c:\*CHKLIST*.TAV /s /q v
......
Contents of system.bat:
@echo off
echo System Information: > Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
#OPERATING SYSTEM
echo ___________________ >> Systeminfo.txt
echo Operating System... >> Systeminfo.txt
echo ?>> Systeminfo.txt
VER >> Systeminfo.txt
#FREE SPACE
echo _____________ >> Systeminfo.txt
echo Free Space... >> Systeminfo.txt
echo ?>> Systeminfo.txt
dir c: | find "bytes" >> Systeminfo.txt
dir c: | find "libres" >> Systeminfo.txt
dir d: | find "bytes" >> Systeminfo.txt
dir d: | find "libres" >> Systeminfo.txt
dir e: | find "bytes" >> Systeminfo.txt
dir e: | find "libres" >> Systeminfo.txt
dir f: | find "bytes" >> Systeminfo.txt
dir f: | find "libres" >> Systeminfo.txt
dir g: | find "bytes" >> Systeminfo.txt
dir g: | find "libres" >> Systeminfo.txt
dir h: | find "bytes" >> Systeminfo.txt
dir h: | find "libres" >> Systeminfo.txt
#FINDING SERVU
echo ________________ >> Systeminfo.txt
echo Finding Servu... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\Ser*.ini >> Systeminfo.txt
Dir /s /a d:\Ser*.ini >> Systeminfo.txt
Dir /s /a e:\Ser*.ini >> Systeminfo.txt
Dir /s /a c:\Ser*.exe >> Systeminfo.txt
Dir /s /a d:\Ser*.exe >> Systeminfo.txt
Dir /s /a e:\Ser*.exe >> Systeminfo.txt
#FINDING rar
echo ________________ >> Systeminfo.txt
echo Finding RAR.. >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\*.rar >> Systeminfo.txt
Dir /s /a d:\*.rar >> Systeminfo.txt
Dir /s /a e:\*.rar >> Systeminfo.txt
Dir /s /a f:\*.rar >> Systeminfo.txt
Dir /s /a g:\*.rar >> Systeminfo.txt
Dir /s /a h:\*.rar >> Systeminfo.txt
#FINDING mp3
echo ________________ >> Systeminfo.txt
echo Finding MP3... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\*.mp3 >> Systeminfo.txt
Dir /s /a d:\*.mp3 >> Systeminfo.txt
Dir /s /a e:\*.mp3 >> Systeminfo.txt
Dir /s /a f:\*.mp3 >> Systeminfo.txt
Dir /s /a g:\*.mp3 >> Systeminfo.txt
Dir /s /a h:\*.mp3 >> Systeminfo.txt
#FINDING nfo
echo ________________ >> Systeminfo.txt
echo Finding NFO... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\*.nfo >> Systeminfo.txt
Dir /s /a d:\*.nfo >> Systeminfo.txt
Dir /s /a e:\*.nfo >> Systeminfo.txt
Dir /s /a f:\*.nfo >> Systeminfo.txt
Dir /s /a g:\*.nfo >> Systeminfo.txt
Dir /s /a h:\*.nfo >> Systeminfo.txt
#FINDING FTP.EXE
echo ________________ >> Systeminfo.txt
echo Finding FTP... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\FTP.EXE >> Systeminfo.txt
Dir /s /a d:\FTP.EXE >> Systeminfo.txt
Dir /s /a e:\FTP.EXE >> Systeminfo.txt
Dir /s /a f:\FTP.EXE >> Systeminfo.txt
Dir /s /a g:\FTP.EXE >> Systeminfo.txt
Dir /s /a h:\FTP.EXE >> Systeminfo.txt
#FINDING TFTP.EXE
echo ________________ >> Systeminfo.txt
echo Finding TFTP... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\TFTP.EXE >> Systeminfo.txt
Dir /s /a d:\TFTP.EXE >> Systeminfo.txt
Dir /s /a e:\TFTP.EXE >> Systeminfo.txt
Dir /s /a f:\TFTP.EXE >> Systeminfo.txt
Dir /s /a g:\TFTP.EXE >> Systeminfo.txt
Dir /s /a h:\TFTP.EXE >> Systeminfo.txt
#FINDING FIREDAEMON.EXE
echo ________________ >> Systeminfo.txt
echo Finding Firedaemon... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a d:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a e:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a f:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a g:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a h:\FIREDAEMON.EXE >> Systeminfo.txt
#FINDING IOFTPD
echo ________________ >> Systeminfo.txt
echo Finding Ioftpd... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\io*.ini >> Systeminfo.txt
Dir /s /a d:\io*.ini >> Systeminfo.txt
Dir /s /a c:\io*.exe >> Systeminfo.txt
Dir /s /a d:\io*.exe >> Systeminfo.txt
Dir /s /a c:\rai*.ini >> Systeminfo.txt
Dir /s /a d:\rai*.ini >> Systeminfo.txt
Dir /s /a c:\rai*.exe >> Systeminfo.txt
Dir /s /a d:\rai*.exe >> Systeminfo.txt
#FINDING Sub0t.ini
echo ________________ >> Systeminfo.txt
echo Finding Sub0t.ini... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\Sub0t.ini >> Systeminfo.txt
Dir /s /a d:\Sub0t.ini >> Systeminfo.txt
Dir /s /a e:\Sub0t.ini >> Systeminfo.txt
Dir /s /a c:\svrany.exe >> Systeminfo.txt
Dir /s /a d:\svrany.exe >> Systeminfo.txt
#FINDING ftpc.exe
echo ________________ >> Systeminfo.txt
echo Finding ftpc.exe... >> Systeminfo.txt
echo >> Systeminfo.txt
Dir /s /a c:\ftpc.exe >> Systeminfo.txt
Dir /s /a d:\ftpc.exe >> Systeminfo.txt
Dir /s /a e:\ftpc.exe >> Systeminfo.txt
Dir /s /a f:\ftpc.exe >> Systeminfo.txt
Dir /s /a g:\ftpc.exe >> Systeminfo.txt
Dir /s /a h:\ftpc.exe >> Systeminfo.txt
#RUNNING SERVICES
echo ___________________ >> Systeminfo.txt
echo Running Services... >> Systeminfo.txt
echo ?>> Systeminfo.txt
NET START >> Systeminfo.txt
#RUNNING SERVICES
echo ______ >> Systeminfo.txt
echo SET... >> Systeminfo.txt
echo >> Systeminfo.txt
SET >> Systeminfo.txt
#INSTALLED SOFTWARE
echo _____________________ >> Systeminfo.txt
echo Installed Software... >> Systeminfo.txt
echo ?>> Systeminfo.txt
Start /Wait Regedit /E %TEMP%.\Tmp HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Find "DisplayName" > Systeminfo.txt
Del %TEMP%.\Tmp
#INSTALLED SOFTWARE
echo ___________ >> Systeminfo.txt
echo NET STAT... >> Systeminfo.txt
echo ?>> Systeminfo.txt
NETSTAT >> Systeminfo.txt
#RUNNING PROCESSES
echo ____________________ >> Systeminfo.txt
echo Running Processes... >> Systeminfo.txt
echo >> Systeminfo.txt
TASKLIST /SVC >> Systeminfo.txt
#SYSTEM INFO
echo ______________ >> Systeminfo.txt
echo System Info... >> Systeminfo.txt
echo >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt