Emergency response

1.windows Intrusion detection ideas

1.1 Check system account security

1、 Check whether the server has a weak password , Whether the remote management port is open to the public network .

• Check the method ： According to the actual situation, consult the relevant server administrator .

2、 Check the server for suspicious accounts 、 New account .

• Check the method ： open cmd window , Input lusrmgr.msc command , See if there are any new / Suspicious accounts , If there is an administrator group （Administrators） New accounts in , if there be , Please disable or delete it immediately .

3、 Check whether there is a hidden account on the server 、 Clone accounts .

• Check the method ：

  a、 Open the registry , Check the corresponding key value of the administrator .

  b、 Use D shield _web Killing tools , It integrates the function of detecting cloned accounts .

4、 Combined with the log , View administrator login time 、 Whether the user name is abnormal .

• Check the method ：

  a、Win+R Turn on run , Input “eventvwr.msc”, Carriage return operation , open “ Event viewer ”.

  b、 export Windows journal – Security , utilize Log Parser Analyze .

1.2 Check for abnormal ports 、 process

1、 Check the port connection , Whether there is a remote connection 、 Suspicious connection .

• Check the method ：

  a、netstat -ano View current network connections , Locate the suspected port .

  b、 according to netstat Located pid, Re pass tasklist Command to locate the process tasklist | findstr “PID”

2、 process

• Check the method ：

  a、 Start – function – Input msinfo32, In turn, click “ Software environment → Running task ” You can see the details of the process , For example, the process path 、 process ID、 File creation date 、 Start time, etc .

  b、 open D shield _web Killing tools , Process view , Focus on processes without signature information .

  c、 Through Microsoft's official Process Explorer And other tools .

  d、 View suspicious processes and their children . By looking at the following ：

         Processes without signature verification information 
         There is no process to describe information 
         The owner of the process 
         Whether the path of the process is legal 
        CPU Or processes that take up too much memory for a long time 
  

3、 Tips ：

a、 Check the port corresponding to PID： netstat -ano | findstr “port”

b、 Look at the process corresponding to PID： Task manager – see – Select column –PID perhaps tasklist | findstr “PID”

c、 View the program location corresponding to the process ：

Task manager – Select the corresponding process – Right click to open the file location

Run input wmic,cmd Interface Input process

d、tasklist /svc process –PID– service

e、 see Windows The port corresponding to the service ： %system%/system32/drivers/etc/services（ commonly %system% Namely C:\Windows）

1.3 Check the startup 、 Planning tasks 、 service

1、 Check whether the server has an abnormal boot entry .

• Check the method ：

  a、 logon server , single click 【 Start 】>【 All the procedures 】>【 start-up 】, By default, this directory is an empty directory , Confirm whether there are non business programs in this directory . b、 Click Start Menu >【 function 】, Input msconfig, Check to see if there are startup items with named exceptions , If yes, uncheck the startup item with abnormal name , And go to the path shown in the command to delete the file .

  c、 single click 【 Start 】>【 function 】, Input regedit, Open the registry , Check whether the boot entry is normal , Pay special attention to the following three registry keys ： HKEY_CURRENT_USER\software\micorsoft\windows\currentversion\run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce Check whether there are items with abnormal startup on the right side , If so, please delete , It is recommended to install anti-virus software to check and kill viruses , Remove residual viruses or trojans .

  d、 Use security software to view startup items 、 Boot time management, etc .

  e、 Group Policy , function gpedit.msc.

2、 Check planned tasks

• Check the method ：

  a、 single click 【 Start 】>【 Set up 】>【 Control panel 】>【 Task plan 】, View scheduled task properties , You can find the Trojan file path .

  b、 single click 【 Start 】>【 function 】; Input cmd, Then input at, Check the sessions or scheduled tasks between the computer and other computers on the network , if there be , Then confirm whether it is normal connection .

3、 Service self starting

• Check the method ： single click 【 Start 】>【 function 】, Input services.msc, Pay attention to service status and startup type , Check for abnormal service .

1.4 Check system information

1、 Check the system version and patch information

• Check the method ： single click 【 Start 】>【 function 】, Input systeminfo, Check system information

2、 Find suspicious directories and files

• Check the method ：

  a、 View the user directory , The new account will generate a user directory in this directory , Check to see if there is a new user directory .

  Window 2003 C:\Documents and Settings

  Window 2008R2 C:\Users\

  b、 single click 【 Start 】>【 function 】, Input %UserProfile%\Recent, Analysis recently opened to analyze suspicious files .

  c、 In each directory of the server , It can be sorted according to the time of the file list in the folder , Look for suspicious files .

  d、 The recycle bin 、 Browser download directory 、 Browser history

  e、 If the modification time is before the creation time, it is a suspicious file

3、 Get the findings WEBSHELL、 Creation time of remote control Trojan horse , How to find files created in the same time frame ？

a、 utilize Registry Workshop Search function of registry editor , You can find the file last written to the time interval .

b、 Use the file search function of the computer , Specify the modification time to search .

1.5 Automated killing

• Virus killing
  • Check the method ： Download Security Software , Update the latest virus library , Do a full scan .
• webshell Killing
  • Check the method ： Select the specific site path to complete webshell Killing , Two are recommended webshell Killing tools and killing at the same time , It can complement each other's rule base .

1.6 Log analysis

system log

• Analysis method ：

  a、 Premise ： Open audit strategy , If the system fails in the future 、 For security incidents, you can view the log file of the system , Troubleshooting , Tracking down the intruder's information, etc .

  b、Win+R Turn on run , Input “eventvwr.msc”, Carriage return operation , open “ Event viewer ”.

  C、 Export application log 、 Security log 、 system log , utilize Log Parser Analyze .

WEB Access log

• Analysis method ：

  a、 Find the middleware web journal , Package it locally for analysis .

  b、 Recommendation tool ：Window Next , Recommend to use EmEditor Log analysis , Support for large text , Search efficiency is not bad .

  Linux Next , Use Shell Command combination query analysis

2. windows Tools section

2.1 Virus analysis

PCHunter：http://www.xuetr.com

Flaming sword ：https://www.huorong.cn

Process Explorer：https://docs.microsoft.com/zh-cn/sysinternals/downloads/process-explorer

processhacker：https://processhacker.sourceforge.io/downloads.php

autoruns：https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

OTL：https://www.bleepingcomputer.com/download/otl/

SysInspector：http://download.eset.com.cn/download/detail/?product=sysinspector

2.2 Virus killing

kaspersky ：http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe （ Recommended reasons ： The green version 、 Latest virus library ）

Big spider ：http://free.drweb.ru/download+cureit+free（ Recommended reasons ： Scan fast 、 One download can only use 1 Zhou , Update virus library ）

Security software of tinder ：https://www.huorong.cn

360 antivirus ：http://sd.360.cn/download_center.html

2.3 Virus dynamics

CVERC- National Computer Virus Emergency Response Center ：http://www.cverc.org.cn

Micro step online Threat Intelligence Community ：https://x.threatbook.cn

Tinder Security Forum ：http://bbs.huorong.cn/forum-59-1.html

Love drug bully community ：http://bbs.duba.net

Tencent computer Butler ：http://bbs.guanjia.qq.com/forum-2-1.html

2.4 Online virus scanning website

http://www.virscan.org // Multi engine online virus scanning network v1.02, The current support 41 An anti-virus engine

https://habo.qq.com // Tencent Hubble analysis system

https://virusscan.jotti.org //Jotti Malware scanning system

http://www.scanvir.com // For computer viruses 、 Mobile virus 、 Detect and analyze suspicious documents, etc

2.5 webshell Killing

D shield _Web Killing ：http://www.d99net.net/index.asp

Hippo webshell Killing ：http://www.shellpub.com

Convinced Webshell Website backdoor detection tool ：http://edr.sangfor.com.cn/backdoor_detection.html

Safe3：http://www.uusec.com/webshell.zip

3. Linux Intrusion detection ideas

3.1 Account security

Basic use ：

1、 User information file /etc/passwd
root:x:0:0:root:/root:/bin/bash
account:password:UID:GID:GECOS:directory:shell
 user name ： password ： user ID： Group ID： The user instructions ： Home directory ： After landing shell
 Be careful ： No password, only local login is allowed , Remote access is not allowed 

2、 Shadow file /etc/shadow
root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
 user name ： Encrypted password ： Date the password was last changed ： The time interval between two password changes ： Password validity ： The number of warning days before password modification is due ： The number of days after the password has expired ： Account expiry time ： Retain 
who      View current login user （tty Local landing   pts Remote login ）
w        Check system information , Want to know the user's behavior at a certain moment 
uptime   Check how long you're logged in 、 How many users , load 

Intrusion detection ：

1、 Query privileged user privileged user (uid  by 0)
[[email protected] ~]# awk -F: '$3==0{print $1}' /etc/passwd
2、 Query account information that can be remotely logged in 
[[email protected] ~]# awk '/\$1|\$6/{print $1}' /etc/shadow
3、 except root Out of account , Whether other accounts exist sudo jurisdiction . If not required by management , General account number should be deleted sudo jurisdiction 
[[email protected] ~]# more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"
4、 Disable or delete redundant and suspicious accounts 
    usermod -L user     Disable accounts , Account cannot log in ,/etc/shadow The second column is ! start 
    userdel user        Delete user user 
    userdel -r user     Will delete user user , And will /home In the catalog user Delete the directory as well 

3.2 History commands

Basic use ：

 adopt .bash_history Check the system commands executed by the account 
1、root The historical order of 
histroy
2、 open /home Under each account Directory .bash_history, Check the history of normal account 

 Add login for historical commands IP Address 、 Execution time and other information ：
1） preservation 1 Article ten thousand the command 
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
2） stay /etc/profile Add the following line number configuration information at the end of the file ：
######jiagu history xianshi#########
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
######### jiagu history xianshi ##########
3）source /etc/profile Make the configuration work 

 Generate effect ： 1  2018-07-10 19:45:39 192.168.204.1 root source /etc/profile

3、 Clear the history operation command ：history -c
 But this command does not clear the records saved in the file , So you need to manually delete .bash_profile Records in documents .

Intrusion detection ：

 Enter the user directory 
cat .bash_history >> history.txt

3.3 Check for abnormal ports

Use netstat Network connection command , Analyze suspicious ports 、IP、PID

netstat -antlp|more

 Look at the pid The corresponding process file path ,
 function ls -l /proc/$PID/exe or file /proc/$PID/exe（$PID  For the corresponding pid  Number ）

3.4 Check for abnormal processes

Use ps command , Analysis process

ps aux | grep pid

3.5 Check boot entry

Basic use ：

System operation level diagram ：

Look at the run level command runlevel

The system allows levels by default

vi  /etc/inittab
id=3：initdefault   Which operation level does the system directly enter after starting up 

Boot configuration file

/etc/rc.local
/etc/rc.d/rc[0~6].d

Example : When we need to boot up and start our own scripts , Just leave the executable script in /etc/init.d Under the table of contents , And then in /etc/rc.d/rc*.d You can set up a soft link in

[email protected] ~]# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S100ssh

here sshd It's a script file for a specific service ,S100ssh It's the soft link ,S The beginning stands for self starting when loading ; If it is K The script file at the beginning , Represents the one that needs to be turned off during runtime level loading .

Intrusion detection ：

Startup files ： more /etc/rc.local /etc/rc.d/rc[0~6].d ls -l /etc/rc.d/rc3.d/

3.6 Check scheduled tasks

Basic use

1、 utilize crontab Create a scheduled task

• Basic commands

crontab -l List a user cron Details of services

Tips： Written by default crontab The documents will be kept in (/var/spool/cron/ user name for example : /var/spool/cron/root

crontab -r Delete each user cront Mission ( cautious ： Delete all scheduled tasks )

crontab -e Use the editor to edit the current crontab file

Such as ：/1 * echo “hello world” >> /tmp/test.txt Write files every minute

2、 utilize anacron Realize asynchronous timing task scheduling

• Use cases

Run daily /home/backup.sh Script ： vi /etc/anacrontab @daily 10 example.daily /bin/bash /home/backup.sh

When the machine is backup.sh Expected to be shut down when run ,anacron It will run ten minutes after the machine starts up , Instead of waiting 7 God .

Intrusion detection

Focus on whether there are malicious scripts in the following directories

/var/spool/cron/* 
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/* 
/etc/cron.hourly/* 
/etc/cron.monthly/*
/etc/cron.weekly/
/etc/anacrontab
/var/spool/anacron/*

Tips ：

 more /etc/cron.daily/*   Check all the files in the directory 

3.7 Inspection services

Service self starting

The first modification method ：

chkconfig [--level  Operation level ] [ Independent service name ] [on|off]
chkconfig –level  2345 httpd on   Turn on self starting 
chkconfig httpd on （ Default level yes 2345）

The second method of modification ：

 modify /etc/re.d/rc.local  file   
 Join in  /etc/init.d/httpd start

The third method of modification ：

Use ntsysv Command management starts itself , Can manage independent services and xinetd service .

Intrusion detection

1、 Query installed services ：

RPM Package installation services

chkconfig  --list   View the service self start status , You can see everything RPM Package installation services 
ps aux | grep crond  View current services 

 The system is in 3 And 5 Start items under level  
 Chinese environment 
chkconfig --list | grep "3: Enable \|5: Enable "
 English environment 
chkconfig --list | grep "3:on\|5:on"

Source code package installation service

 View the service installation location  , Usually in /user/local/
service httpd start
 Search for /etc/rc.d/init.d/   See if it exists 

3.8 Check exception file

1、 Check out the sensitive Directory , Such as /tmp A file in a directory , Also pay attention to hiding the folder , With “…” The folder named has a hidden property

2、 Get the findings WEBSHELL、 Creation time of remote control Trojan horse , How to find files created in the same time frame ？

have access to find Command to find , Such as find /opt -iname “*” -atime 1 -type f find /opt The next day I visited the file

3、 For suspicious files, you can use stat Time to create and modify .

3.9 Check the system log

The default location for logs is ：/var/log/

Check log configuration ：more /etc/rsyslog.conf

Log analysis skills ：

1、 How much is the positioning IP On the blasting machine root Account number ：    
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

 What are the positioning IP Blasting ：
grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c

 What's a dictionary ？
 grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr

2、 Login successfully IP What are they? ：     
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

 Date of successful login 、 user name 、IP：
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}' 

3、 Add a user kali journal ：
Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali
, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
#grep "useradd" /var/log/secure 

4、 Delete user kali journal ：
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'
# grep "userdel" /var/log/secure

5、su Switching users ：
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

sudo Authorization to execute :
sudo -l
Jul 10 00:43:09 localhost sudo:    good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now

4.linux Tools section

4.1 Rootkit Killing

• chkrootkit

  website ：http://www.chkrootkit.org

   Usage method ：
  wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  tar zxvf chkrootkit.tar.gz
  cd chkrootkit-0.52
  make sense
  # If there is no error after compilation, check 
  ./chkrootkit
  

• rkhunter

  website ：http://rkhunter.sourceforge.net

   Usage method ：
  Wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
  tar -zxvf rkhunter-1.4.4.tar.gz
  cd rkhunter-1.4.4
  ./installer.sh --install
  rkhunter -c
  

4.2 Virus killing

• Clamav

  ClamAV The official download address of is ：http://www.clamav.net/download.html

  Installation mode 1 ：

  1、 install zlib：
  wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.7/zlib-1.2.7.tar.gz 
  tar -zxvf  zlib-1.2.7.tar.gz
  cd zlib-1.2.7
  # Install it. gcc Compile environment ： yum install gcc
  CFLAGS="-O3 -fPIC" ./configure --prefix= /usr/local/zlib/
  make && make install
  
  2、 Add user group clamav And group members clamav：
  groupadd clamav
  useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
  
  3、 install Clamav
  tar –zxvf clamav-0.97.6.tar.gz
  cd clamav-0.97.6
  ./configure --prefix=/opt/clamav --disable-clamav -with-zlib=/usr/local/zlib
  make
  make install
  
  4、 To configure Clamav
  mkdir /opt/clamav/logs
  mkdir /opt/clamav/updata
  touch /opt/clamav/logs/freshclam.log
  touch /opt/clamav/logs/clamd.log
  cd /opt/clamav/logs
  chown clamav:clamav clamd.log
  chown clamav:clamav freshclam.log
  
  5、ClamAV  Use ：
   /opt/clamav/bin/freshclam  Upgrade the virus library 
  ./clamscan –h  View the corresponding help information 
  ./clamscan -r /home   Scan all users' home directories and use 
  ./clamscan -r --bell -i /bin   scanning bin Directory and display the scanning results of the problematic files 
  

  Installation mode II ：

  # install 
  yum install -y clamav
  # Update virus library 
  freshclam
  # Scanning method 
  clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
  clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
  clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
  # Scan and kill 
  clamscan -r  --remove  /usr/bin/bsd-port
  clamscan -r  --remove  /usr/bin/
  clamscan -r --remove  /usr/local/zabbix/sbin
  # Check the log and find 
  cat /root/usrclamav.log |grep FOUND
  

4.3 webshell Killing

linux edition ：

 Hippo webshell Killing ：http://www.shellpub.com
 Convinced Webshell Website backdoor detection tool ：http://edr.sangfor.com.cn/backdoor_detection.html

4.4 RPM check Check

System integrity can be achieved through rpm Self contained -Va To check all the rpm software package , See which commands have been replaced ：

./rpm -Va > rpm.log

If everything is checked correctly, no output will be generated , If there's a discrepancy , It will show , The output format is 8 Bit long string , Each character is used to represent the file and RPM A comparison result of an attribute in a database , If it is . ( spot ) The test passed .

 Verify... In content 8 The details of the information are as follows ：
        S          Does the file size change 
        M          The type of file or the permissions of the file （rwx） Is it changed 
        5          file MD5 Verify whether the change （ It can be seen as whether the contents of the file have changed ）
        D          In the device , From whether the code changes 
        L          Whether the file path changes 
        U          Owner of document （ owner ） Whether to change 
        G          Is the file group changed 
        T          Whether the modification time of the document changes 

If the command is replaced , If you restore it back ：

 File extraction and restore case ：
rpm  -qf /bin/ls   Inquire about ls Which package does the command belong to 
mv  /bin/ls /tmp   The first ls Transferred to the tmp Under the table of contents , cause ls The illusion that the command is missing 
rpm2cpio /mnt/cdrom/Packages/coreutils-8.4-19.el6.i686.rpm | cpio -idv ./bin/ls  extract rpm In bag ls Command to the current directory /bin/ls Next 
cp /root/bin/ls  /bin/  hold ls The command is copied to /bin/ Catalog   Fix missing files 

4.5 linux Security check script

Github Project address ：

https://github.com/grayddq/GScan

https://github.com/ppabc/security_check

https://github.com/T0xst/linux

5. common Webshell Killing tools

1、D shield _Web Killing

o D Produce , Use self-developed code analysis engine with no extension , Can analyze more hidden WebShell Back door behavior .

Compatibility ： Only available Windows edition .

Tool download address ：http://www.d99net.net/down/WebShellKill_V2.0.9.zip

2、 Baidu WEBDIR+

The next generation WebShell Detection engine , Adopt advanced dynamic monitoring technology , Combined with a variety of engine zero rule killing .

Compatibility ： Provide online killing Trojans , Open for free API Support batch testing .

Check the address online ：https://scanner.baidu.com/

3、 Hippo

focus webshell Killing research , Have a lot of webshell Samples and independent killing techniques , Use traditional features + Cloud big data dual engine killing technology . Quick kill 、 High precision 、 False positives are low .

Compatibility ： Support Windows、linux, Support online killing .

Official website ：https://www.shellpub.com/

4、Web Shell Detector

Webshell Detector have “ Webshell” Signature database , Can help identify up to 99％ Of “ Webshell”.

Compatibility ： Provide php/python Script , Cross platform , Online detection .

Official website ：http://www.shelldetector.com/

github Project address ：https://github.com/emposha/PHP-Shell-Detector

5、CloudWalker（ Herding cloud ）

An executable command line version Webshell Detection tools . at present , Project stopped updating .

Compatibility , Provide linux edition ,Windows Temporary does not support .

Online killing demo：https://webshellchop.chaitin.cn/

github Project address ：https://github.com/chaitin/cloudwalker

(https://bypass007.github.io/Emergency-Response-Notes/Summary/image/20200407-5.png)

6、Sangfor WebShellKill

Sangfor WebShellKill( Website backdoor detection tool ) Is a web Back door killing tools , Not only support webshell Scan , It also supports dark chain scanning . It's a killing tool with multiple detection engines . Can detect... More accurately WEB Website known and unknown backdoor files .

Compatibility ： Support Windows、linux

Tool download address ：http://edr.sangfor.com.cn/backdoor_detection.html（ Access stopped ）

7、 Deep learning model detection PHP Webshell

A deep learning PHP webshell Kill the engine demo, Provide online sample testing .

Check the address online ：http://webshell.cdxy.me/

8、PHP Malware Finder

PHP-malware-finder It's an excellent test webshell Tools to confuse code with malware

Compatibility ： Provide linux edition ,Windows Temporary does not support .

github Project address ：https://github.com/jvoisin/php-malware-finder

9、findWebshell

This project is based on python Developed webshell Check tools , You can check any type of webshell back door .

github Project address ：https://github.com/he1m4n6a/findWebshell

10、 On-line webshell Killing tools

Check the address online ：http://tools.bugscaner.com/killwebshell/

6. How to find hidden back doors

1、 file MD5 check

2、diff command

stay linux in , We use it a lot diff To compare the differences between two text files . Again , We can quickly find the difference between the two project files through one line of command .

diff -c -a -r cms1 cms2

3、 Version control tools

Version control tools , for instance git, Re upload the code to git,add+commit+push, Then open the project , Click on commits, In the history submission version , View file changes , It's easy to find where the code has been tampered with .

4、 Document comparison tool

key word ： Code comparison tool

Two effective tools

Beyond Compare and WinMerge.

7. Blackmail virus self rescue guide

Blackmail virus search engine

Enter the virus name in the blackmail virus search engine 、 Blackmail mailbox 、 The suffix of the encrypted file , Or upload encrypted files directly 、 Blackmail tips , You can quickly find the details of the virus and decryption tools .

【360】 Blackmail virus search engine , Support retrieval over 800 A common blackmail virus ,

http://lesuobingdu.360.cn

【 tencent 】 Blackmail virus search engine , Support retrieval over 300 A common blackmail virus

https://guanjia.qq.com/pr/ls/

【 Venus 】VenusEye Blackmail virus search engine , super 300 A family of blackmail viruses

https://lesuo.venuseye.com.cn/

【 Qianxin 】 Blackmail virus search engine

https://lesuobingdu.qianxin.com/

【 Convinced 】 Blackmail virus search engine

https://edr.sangfor.com.cn/#/information/ransom_search

Blackmail software decryption tool set

Many security companies offer free download of blackmail virus decryption tools , Collect and sort out relevant download addresses , It can help us understand and obtain the latest blackmail virus decryption tool .

【 Tencent Hubble 】 Blackmail software kills tools

https://habo.qq.com/tool/index

【 Jinshan poison bully 】 Blackmail virus immune tools

http://www.duba.net/dbt/wannacry.html

【 Tinder 】 Security tools download

http://bbs.huorong.cn/forum-55-1.html

【 rising 】 Decryption tool download

http://it.rising.com.cn/fanglesuo/index.html

【nomoreransom】 Blackmail software decryption tool set

https://www.nomoreransom.org/zh/index.html

【MalwareHunterTeam】 Blackmail software decryption tool set

https://id-ransomware.malwarehunterteam.com/

【 kaspersky 】 Free ransom decryptor

https://noransom.kaspersky.com/

【Avast】 Free ransomware decryption tool

https://www.avast.com/zh-cn/ransomware-decryption-tools

【Emsisoft】 Free ransomware decryption tool

https://www.emsisoft.com/ransomware-decryption-tools/free-download

【Github project 】 Blackmail virus decryption tool collection summary

https://github.com/jiansiting/Decryption-Tools

Log analysis

1.Window Log analysis

1.1 Window Introduction to event log

Windows System log is to record the hardware in the system 、 Information about software and system problems , At the same time, it can monitor the events that happen in the system . Users can use it to check the cause of the error , Or look for traces left by attackers when they are attacked .

Windows There are three main types of logging system events ： Application log 、 System log and security log .

system log

 Log events generated by operating system components , It mainly includes driver program 、 System component and application software crash and data loss error, etc . The time type recorded in the system log is determined by Windows NT/2000 The operating system is predefined .

 Default location ： %SystemRoot%\System32\Winevt\Logs\System.evtx

Application log

 Contains events recorded by an application or system program , It mainly records the events of program operation , For example, a database program can record file errors in the application log , Program developers can decide which events to monitor . If an application crashes , Then we can find the corresponding record from the program event log , It may help you solve the problem . 

 Default location ：%SystemRoot%\System32\Winevt\Logs\Application.evtx

Security log

 Record system security audit events , Contains various types of login logs 、 Object access log 、 Process tracking log 、 Privilege use 、 Account management 、 Strategy change 、 system event . Security log is also the most commonly used log in investigation and evidence collection . By default , The security log is closed , Administrators can use group policy to start the security log , Or set the audit policy in the registry , When the system stops responding to the security log .

 Default location ：%SystemRoot%\System32\Winevt\Logs\Security.evtx

System and application logs store troubleshooting information , More useful for system administrators . The security log records the event audit information , Including user authentication （ Sign in 、 Remote access, etc ） And what specific users do to the system after authentication , For investigators , More help .

1.2 Audit policy and event viewer

Windows Server 2008 R2 The approval function of the system is not enabled by default , It is suggested to start the audit strategy , If the system fails in the future 、 For security incidents, you can view the log file of the system , Troubleshooting , Tracking down the intruder's information, etc .

PS： By default , Some simple logs will also be recorded , Default log size 20M

Set up 1： Start → Management tools → Local security policy → The local policy → Audit strategy , Refer to configuration operation ：

Set up 2： Set reasonable log properties , That is, the maximum log size 、 Event coverage threshold, etc ：

How to view the system log ：

1. stay **“ Start ” Menu , Point to in turn “ All the procedures ”、“ Management tools ”, And then click “ Event viewer ”**

2. Press “Window+R”, Input ”eventvwr.msc“ You can also directly enter “ Event viewer ”

   

1.3 event ID

about Windows Event log analysis , Different EVENT ID Represents a different meaning , Extract some descriptions of common security events ：

Each successful login event will be marked with a login type , Different login types represent different ways ：

About more EVENT ID, See Microsoft's official website for details “Windows Vista and Windows Server 2008 Description of security events in ”.

Link to the original text ：https://support.microsoft.com/zh-cn/help/977519/description-of-security-events-in-windows-7-and-in-windows-server-2008

Case study 1： You can use eventlog Event to view System account login status ：

1. stay **“ Start ” Menu , Point to in turn “ All the procedures ”、“ Management tools ”, And then click “ Event viewer ”**;

2. In the event viewer , single click **“ Security ”**, Check the security log ;

3. On the right side of the security log , Click on **“ Filter the current log ”**, Input event ID Screening .

   4624 -- Login successful
   4625 -- Login failed
   4634 – Logout successful 4647 – User initiated logoff
   4672 – Use super users （ Such as administrator ） Log in

We enter Events ID：4625 Log filtering , Discover the event ID：4625, Number of events 175904, That is, the user login failed 175904 Time , Then the server administrator account may have encountered violent guessing .

Case study 2： You can use eventlog Event to view Records of computer switching on and off ：

1、 stay **“ Start ” Menu , Point to in turn “ All the procedures ”、“ Management tools ”, And then click “ Event viewer ”**;

2、 In the event viewer , single click **“ System ”**, Check the system log ;

3、 On the right side of the system log , Click on **“ Filter the current log ”**, Input event ID Screening .

One of the events ID 6006 ID6005、 ID 6009 It means the situation of machines in different states （ Switchgear ）. 6005 Information EventLog Event log service started .( Turn it on ) 6006 Information EventLog The event log service has stopped .( To turn it off ) 6009 Information EventLog Press ctrl、alt、delete key ( abnormal ) To turn it off

We enter Events ID：6005-6006 Log filtering , Found two in 2018/7/6 17:53:51 Left and right records , That's when I just restarted the system .

1.4 Log analysis tool

Log Parser

Log Parser（ It's a log analysis tool produced by Microsoft , It's powerful , Easy to use , You can analyze text-based log files 、XML file 、CSV（ GNU sed ） file , And the event log of the operating system 、 The registry 、 file system 、Active Directory. It can be used like SQL Query and analyze these data like statements , You can even show the analysis results in the form of various charts .

Log Parser 2.2 Download address ：https://www.microsoft.com/en-us/download/details.aspx?id=24659

Log Parser Examples of use ：https://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/

[ Failed to transfer the external chain picture , The origin station may have anti-theft chain mechanism , It is suggested to save the pictures and upload them directly (img-4OLwa8a5-1655517725027)(https://bypass007.github.io/Emergency-Response-Notes/LogAnalysis/image/log-1-6.png)]

Basic query structure

Logparser.exe –i:EVT –o:DATAGRID "SELECT * FROM c:\xx.evtx"

Use Log Parser Analysis log

1、 Query the event of successful login

 All events of successful login 
LogParser.exe -i:EVT –o:DATAGRID  "SELECT *  FROM c:\Security.evtx where EventID=4624"

 Events that specify the login time range ：
LogParser.exe -i:EVT –o:DATAGRID  "SELECT *  FROM c:\Security.evtx where TimeGenerated>'2018-06-19 23:32:11' and TimeGenerated<'2018-06-20 23:34:00' and EventID=4624"

 Extract the user name and password of successful login IP：
LogParser.exe -i:EVT  –o:DATAGRID  "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as Username,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM c:\Security.evtx where EventID=4624"

2、 Query the event of login failure

 All events of login failure ：
LogParser.exe -i:EVT –o:DATAGRID  "SELECT *  FROM c:\Security.evtx where EventID=4625"

 Extract login failed user names for aggregation statistics ：
LogParser.exe  -i:EVT "SELECT  EXTRACT_TOKEN(Message,13,' ')  as EventType,EXTRACT_TOKEN(Message,19,' ') as user,count(EXTRACT_TOKEN(Message,19,' ')) as Times,EXTRACT_TOKEN(Message,39,' ') as Loginip FROM c:\Security.evtx where EventID=4625 GROUP BY Message"

3、 System history switch on record ：

LogParser.exe -i:EVT –o:DATAGRID  "SELECT TimeGenerated,EventID,Message FROM c:\System.evtx where EventID=6005 or EventID=6006"

LogParser Lizard

about GUI Environmental Log Parser Lizard, It is easy to use , You don't even need to memorize cumbersome commands , Just set it up , Write the basic SQL sentence , You can get the results intuitively .

Download address ：http://www.lizard-labs.com/log_parser_lizard.aspx

Dependency package ：Microsoft .NET Framework 4 .5, Download address ：https://www.microsoft.com/en-us/download/details.aspx?id=42642

Query recent user login ：

Event Log Explorer

Event Log Explorer It's a very useful Windows Log analysis tool . Can be used to view , Monitoring and analysis and event recording , Including safety , System , Applications and other Microsoft Windows A recorded event , Its powerful filtering function can quickly filter out valuable information .

Download address ：https://event-log-explorer.en.softonic.com/

2. Linux Log analysis

Linux The system has very flexible and powerful log function , It can save almost all operation records , And we can retrieve the information we need .

2.1 Introduction to the log

The default location for logs is ：/var/log/

Check log configuration ：more /etc/rsyslog.conf

Historical command record ：history Clean up only the current user ： history -c

2.2 Log analysis skills

A、 frequently-used shell command

Linux Next commonly used shell Orders such as ：find、grep 、egrep、awk、sed

Tips ：

1、grep Show the front and back lines of information :

     standard unix/linux Under the grep Control the context with the following parameters ：
    grep -C 5 foo file  Show file The file matches foo The line of the string and up and down 5 That's ok 
    grep -B 5 foo file  Show foo And before 5 That's ok 
    grep -A 5 foo file  Show foo And after 5 That's ok 
     see grep The way to get the version number is 
    grep -V

2、grep Find all files that contain a string

    grep -rn "hello,world!" 
    * :  Represents all files in the current directory , It can also be a file name 
    -r  Is recursive lookup 
    -n  It shows the line number 
    -R  Find all files that contain subdirectories 
    -i  Ignore case 

3、 How to display some lines of a file ：

    cat input_file | tail -n +1000 | head -n 2000
    # From 1000 OK, let's start , Show 2000 That's ok . It shows 1000~2999 That's ok 

4、find /etc -name init

// In the catalog /etc Search for files init

5、 Just show /etc/passwd The account of

`cat /etc/passwd |awk  -F ':'  '{print $1}'`  
//awk -F Specify the field separator as ':', Divides the record into fields according to the specified field separator , Fill fields ,$0 Then all domains ,$1 Represents the first domain ,$n It means the first one n Domains .

6、sed -i ‘153,$d’ .bash_history

 Delete history operation record , Before retention only 153 That's ok 

B、 Log analysis skills

A、/var/log/secure

1、 How much is the positioning IP On the blasting machine root Account number ：    
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

 What are the positioning IP Blasting ：
grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c

 What's a dictionary ？
 grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr

2、 Login successfully IP What are they? ：     
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

 Date of successful login 、 user name 、IP：
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}' 

3、 Add a user kali journal ：
Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali
, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
#grep "useradd" /var/log/secure 

4、 Delete user kali journal ：
Jul 10 00:14:17 localhost userdel[2393]: delete user 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'
# grep "userdel" /var/log/secure

5、su Switching users ：
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

sudo Authorization to execute :
sudo -l
Jul 10 00:43:09 localhost sudo:    good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now

3. Web Log analysis

3.1 Web journal

Web The access log is logged Web The server receives various original information such as processing requests and runtime errors . Through to WEB Security analysis of logs , Not only can it help us locate the attacker , It can also help us restore the attack path , Find the security vulnerabilities in the website and fix them .

Let's take a look at Apache Access log ：

127.0.0.1 - - [11/Jun/2018:12:47:22 +0800] "GET /login.html HTTP/1.1" 200 786 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"

Through this article Web Access log , We can clearly know what users are IP、 What time? 、 What operating system to use 、 What browser visited which page of your website , Whether the access is successful or not .

Through the introduction of this article Web Thoughts and common skills in log security analysis .

3.2 Log analysis skills

In the face of WEB When performing security analysis on logs , In general, it can be carried out in two ways , Step by step , Restore the entire attack process .

The first one is ： Determine the time frame of the invasion , Take this as a clue , Look for suspicious logs in this time range , Further investigation , Finally determine the attacker , Restore attack process .

The second kind ： After the attacker invades the website , The back door is usually left to maintain permissions , To facilitate another visit to , We can find the file , And use it as a clue to analyze .

Common analysis tools ：

Window Next , Recommend to use EmEditor Log analysis , Support for large text , Search efficiency is not bad .

Linux Next , Use Shell Command combination query analysis .

Shell+Linux Command to realize log analysis , General combination grep、awk And other commands to achieve several commonly used log analysis and statistics skills .

Apache Log analysis skills ：

1、 List the most visited IP command ：
cut -d- -f 1 log_file|uniq -c | sort -rn | head -20

2、 See how many... Are there on that day IP visit ：
awk '{print $1}' log_file|sort|uniq|wc -l

3、 View the number of times a page has been visited ：
grep "/index.php" log_file | wc -l

4、 View each IP How many pages visited ：
awk '{++S[$1]} END {for (a in S) print a,S[a]}' log_file

5、 Each one IP Number of pages visited sorted from small to large ：
awk '{++S[$1]} END {for (a in S) print S[a],a}' log_file | sort -n

6、 View a IP Which pages were visited ：
grep ^111.111.111.111 log_file| awk '{print $1,$7}'

7、 Remove the pages of the day counted by the search engine ：
awk '{print $12,$1}' log_file | grep ^\"Mozilla | awk '{print $2}' |sort | uniq | wc -l

8、 see 2018 year 6 month 21 Japan 14 How many in an hour IP visit :
awk '{print $4,$1}' log_file | grep 21/Jun/2018:14 | awk '{print $2}'| sort | uniq | wc -l

3.3 Log statistical analysis skills

Count reptiles ：

grep -E 'Googlebot|Baiduspider'  /www/logs/access.2019-02-23.log | awk '{ print $1 }' | sort | uniq

Statistics browser ：

cat /www/logs/access.2019-02-23.log | grep -v -E 'MSIE|Firefox|Chrome|Opera|Safari|Gecko|Maxthon' | sort | uniq -c | sort -r -n | head -n 100

IP Statistics ：

grep '23/May/2019' /www/logs/access.2019-02-23.log | awk '{print $1}' | awk -F'.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -r -n | head -n 10
   2206 219.136.134.13
   1497 182.34.15.248
   1431 211.140.143.100
   1431 119.145.149.106
   1427 61.183.15.179
   1427 218.6.8.189
   1422 124.232.150.171
   1421 106.187.47.224
   1420 61.160.220.252
   1418 114.80.201.18

Statistics network segment ：

cat /www/logs/access.2019-02-23.log | awk '{print $1}' | awk -F'.' '{print $1"."$2"."$3".0"}' | sort | uniq -c | sort -r -n | head -n 200

Statistical domain name ：

cat  /www/logs/access.2019-02-23.log |awk '{print $2}'|sort|uniq -c|sort -rn|more

HTTP Status：

cat  /www/logs/access.2019-02-23.log |awk '{print $9}'|sort|uniq -c|sort -rn|more
5056585 304
1125579 200
   7602 400
      5 301

URL Statistics ：

cat  /www/logs/access.2019-02-23.log |awk '{print $7}'|sort|uniq -c|sort -rn|more

File traffic statistics ：

cat /www/logs/access.2019-02-23.log |awk '{sum[$7]+=$10}END{for(i in sum){print sum[i],i}}'|sort -rn|more

grep ' 200 ' /www/logs/access.2019-02-23.log |awk '{sum[$7]+=$10}END{for(i in sum){print sum[i],i}}'|sort -rn|more

URL Traffic statistics ：

cat /www/logs/access.2019-02-23.log | awk '{print $7}' | egrep '\?|&' | sort | uniq -c | sort -rn | more

Script running speed ：

Find the slowest script

grep -v 0$ /www/logs/access.2019-02-23.log | awk -F '\" ' '{print $4" " $1}' web.log | awk '{print $1" "$8}' | sort -n -k 1 -r | uniq > /tmp/slow_url.txt

IP, URL extract ：

# tail -f /www/logs/access.2019-02-23.log | grep '/test.html' | awk '{print $1" "$7}'

4.MySQL Log analysis

Common database attacks include weak passwords 、SQL Inject 、 Increase authority 、 Steal backup, etc . Analyze database logs , You can find aggressive behavior , Further restore the attack scene and trace the attack source .

4.1 Mysql Log analysis

general query log It can record successful connections and queries executed each time , We can use it as part of the security deployment , Provide basis for fault analysis or investigation after hacking events .

1、 see log Configuration information 
show variables like '%general%';
2、 Open log 
SET GLOBAL general_log = 'On';
3、 Specify the log file path 
#SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';

such as , When I visit /test.php?id=1, At this point we get such a log ：

190604 14:46:14       14 Connect    [email protected] on 
                      14 Init DB    test
                      14 Query    SELECT * FROM admin WHERE id = 1
                      14 Quit  

Let's parse by column ：

 First column :Time, Time column , The first one is the date , The next one is the hour and the minute , There are some reasons not to show it because of these sql Statements are executed almost simultaneously , So there is no need to record the time .
 Second column :Id, Namely show processlist Out of the first column of threads ID, For long connections and some time-consuming sql sentence , You can find out exactly which thread is running .
 The third column :Command, Operation type , such as Connect Is to connect to the database ,Query Is to query the database ( All additions, deletions, queries and modifications are displayed as queries ), Some operations can be specified .
 The fourth column :Argument, Details , for example  Connect    [email protected] on  It means to connect to the database , And so on , After connecting to the database , What query operations have been performed .

4.2 Login successful / Failure

Different database connection tools , It is different during the initialization of the connection database . Through this difference , We can simply judge whether the user is connected to the database .

in addition , Whether it's a blasting tool 、Navicat for MySQL、 Or command line , Login failure is the same record .

Log in failure records ：

102 Connect    [email protected] on 
102 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)

utilize shell Command for simple analysis ：

# What are they? IP Blasting ？
grep  "Access denied" mysql.log |cut -d "'" -f4|uniq -c|sort -nr
     27 192.168.204.1

# What are the user name dictionaries ？
grep  "Access denied" mysql.log |cut -d "'" -f2|uniq -c|sort -nr
     13 mysql
     12 root
      1 root
      1 mysql

In log analysis , Special attention should be paid to some sensitive operation behaviors , For example, delete the table 、 For the library , Read and write documents, etc . key word ：drop table、drop function、lock tables、unlock tables、load_file() 、into outfile、into dumpfile.

Sensitive database tables ：SELECT from mysql.user、SELECT from mysql.func

ysql/mysql.log’;

 such as , When I visit  /test.php?id=1, At this point we get such a log ：

190604 14:46:14 14 Connect [email protected] on
14 Init DB test
14 Query SELECT * FROM admin WHERE id = 1
14 Quit

 Let's parse by column ：

First column :Time, Time column , The first one is the date , The next one is the hour and the minute , There are some reasons not to show it because of these sql Statements are executed almost simultaneously , So there is no need to record the time .
Second column :Id, Namely show processlist Out of the first column of threads ID, For long connections and some time-consuming sql sentence , You can find out exactly which thread is running .
The third column :Command, Operation type , such as Connect Is to connect to the database ,Query Is to query the database ( All additions, deletions, queries and modifications are displayed as queries ), Some operations can be specified .
The fourth column :Argument, Details , for example Connect [email protected] on It means to connect to the database , And so on , After connecting to the database , What query operations have been performed .

### 4.2  Login successful / Failure 

 Different database connection tools , It is different during the initialization of the connection database . Through this difference , We can simply judge whether the user is connected to the database .

 in addition , Whether it's a blasting tool 、Navicat for MySQL、 Or command line , Login failure is the same record .

 Log in failure records ：

102 Connect [email protected] on
102 Connect Access denied for user ‘mysql’@‘192.168.204.1’ (using password: YES)

 utilize shell Command for simple analysis ：

# What are they? IP Blasting ？
grep “Access denied” mysql.log |cut -d “'” -f4|uniq -c|sort -nr
27 192.168.204.1

# What are the user name dictionaries ？
grep “Access denied” mysql.log |cut -d “'” -f2|uniq -c|sort -nr
13 mysql
12 root
1 root
1 mysql

 In log analysis , Special attention should be paid to some sensitive operation behaviors , For example, delete the table 、 For the library , Read and write documents, etc . key word ：drop table、drop function、lock tables、unlock tables、load_file() 、into outfile、into dumpfile.

 Sensitive database tables ：SELECT *from mysql.user、SELECT* from mysql.func























 Big guy link ：[  Emergency response practice notes )](https://bypass007.github.io/Emergency-Response-Notes/)