Record the 'new' course of an emergency investigation
2022-06-09 23:25:00 【Hetian network security laboratory】
0x01 An overview
Some time ago I received a message from a sales colleague: a server at a certain client unit had a problem. It was a cloud server; the alert was for an outbound connection to Germany, flagged as remote-control behaviour, and there might be no logs. I was pressed for time, so the plan was to support the containment first and, if possible, help trace the source and catch the attacker. I handed it over to a third-party engineer, who handled it properly.
0x02 analysis
After all, the information we had was an outbound remote-control connection. For an outbound connection, the first question is usually whether it is grey/black-market activity, which is more common on personal endpoints than on servers. So the first steps are basically antivirus, then running the sample in a sandbox to see whether it makes any outbound connections. If it is a remote-access Trojan, it was more likely uploaded to the server; phishing is more typical for personal endpoints. This judgement follows from the nature of the service.
0x03 Remote disposal
The third-party engineer gave us a VPN so we could take a look remotely first. Under normal circumstances, backing up a disk image must come first and all work is done on the image; for imaging I recommend FTK, and after the backup the image can simply be opened in a VM, which is convenient to work with. Operating directly on the physical machine destroys evidence. However, collecting information from the given outbound address has no practical value, because it is bound to be an attacker proxy; without a high-interaction honeypot, counterattack and traceability are basically impossible.
0x04 screening
Huorong (火绒) antivirus scan

Windows log query: eventvwr

The logs were found not to have been cleared. If remote control really was achieved, then at least in terms of operator behaviour the attacker showed some restraint.
Windows logs fall into five categories:
- Application log
- Security log
- Setup log
- System log
- Forwarded Events log
Here the application log and the security log are the main ones to look at. The application log holds events generated by installed applications; the security log mainly records events generated by user operations, such as logon/logoff and log clearing.
In fact there were no abnormal logon events: nothing stood out in the logon events or the operation logs from the time the problem occurred until the server was shut down.
View scheduled tasks

No newly created scheduled task was found among the scheduled tasks.


Anyone familiar with Windows Server 2012 knows the automatic tasks that are present from installation; there were no other special scheduled tasks.
net user


No new users.
From the business side, the intranet was not involved, so lateral movement within the intranet was not a concern. With the network disconnected, the connection state could no longer show which program had triggered the outbound connection, so the next step was to analyse the files on the business disk.


The service was not running at this time. The middleware in use could be identified; the jar packages dated from 2017, but whether they were patched was unclear, because I did not find patch files or anything like a WebLogic patch jar. There may be an objection here: not seeing the package does not prove it was unpatched. This is just analysis, so no nitpicking please. At this point, contact with the development and operations teams confirmed that the middleware service was mapped to the public network. Checking the file directory, since the antivirus results had not yet come out, a malicious file was found in it.

Isn't this a Behinder (冰蝎) webshell?

But the file attribute dates do not lie: the problem occurred this year, yet this file's attributes date from last year. That is a little interesting. Unless there is another possibility, other Trojans had been in use without any alert. Check the antivirus results.
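The four checks walked through above (security log, scheduled tasks, local users, and file dates on the business disk) can be collected in one pass. The following PowerShell script is an added example, not part of the original write-up; it assumes administrator rights on the imaged Windows Server and that the placeholder web root path is adjusted to the middleware's deployment directory.

```powershell
# Added triage script (not from the original write-up). Assumes administrator rights on the
# imaged Windows Server; $WebRoot is a placeholder path and must be adjusted to the real web root.
param(
    [string]$WebRoot = 'C:\placeholder\webapp',   # placeholder, adjust to the middleware web root
    [int]$Days = 365                              # how far back to read the security log
)
$since = (Get-Date).AddDays(-$Days)

# 1. Security log: logons (4624/4625), new accounts (4720), scheduled task creation (4698)
#    and audit log cleared (1102). The write-up checked these by hand in eventvwr.
$ids = 4624, 4625, 4720, 4698, 1102
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize

# 2. Scheduled tasks outside the Microsoft defaults, with author, action and last run time,
#    so that anything added after installation stands out.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = $_.TaskName
            Path    = $_.TaskPath
            Author  = $_.Author
            Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            LastRun = $info.LastRunTime
        }
    } | Format-Table -AutoSize

# 3. Local accounts. Get-LocalUser needs PowerShell 5.1; fall back to 'net user' on older builds.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
} else {
    net user
}

# 4. Web content: every .jsp/.jspx under the web root (a .jsp inside an images folder is
#    suspicious on its own), with creation and last-write times so the dates can be compared
#    against the incident date, as the write-up did.
Get-ChildItem -Path $WebRoot -Recurse -Include *.jsp, *.jspx -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Run it against the mounted image rather than the live machine, in line with the imaging advice above, and compare the task list against a clean Windows Server 2012 install of the same build.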


Looking up the file analysis: Trojan family CoinMiner, with its behavioural characteristics.


Look it up in the threat-intelligence database.

It belongs to Germany. In fact, at this point the work could already be handed over. But what I cared about was the middleware RCE, because data was involved, and the third-party engineer asked that we reproduce it on the unit's intranet using the image.
We did find the upload point and determined the upload path:
xxx/xxx/x/x/x/x/x/x/mages/shell2.jsp
http://10.xxxxxxxxxxxxxxxxxx/images/shell2.jsp



The webshell connected successfully.

At this point there were logs from the cloud vendor, but very few, and none covering the exploitation of WebLogic.



This is the more interesting part. In fact there is only one explanation: the server was compromised last year, yet the notification received was for abnormal remote control. It was probably based on an intelligence database rather than on long-term monitoring; one can only say it was discovered by accident.
Hetian network security lab experiment recommendation:
Learn the use of common memory-image forensics tools, including DumpIt, FTK Imager, Belkasoft RAM Capture and the Dump memory-image extraction tool.
link :https://www.hetianlab.com/expc.do?ec=ECID6a2f-ed6f-4f85-9363-731535a5c3c4&pk_campaign=weixin-wemedia#stu