McAfee VSE 8.5: notes on defending a server against web-page Trojan injection (挂马)
程序员文章站
2022-03-06 15:41:03
Today, while going through the server logs, I happened to see that McAfee had once again successfully blocked a Trojan-injection attempt, so I am sharing it with everyone.
... 09-07-20...
Key point:
Blocking on its own does not solve the problem; below is how we found the real culprit.
Let me introduce a tool. The "Sessions" folder in the MMC Computer Management snap-in shows the sessions that have logged on to the computer over the network, and the remote-desktop management snap-in shows Remote Desktop sessions, but no built-in tool shows every logon session, whatever its logon type, together with the list of programs each of those users is running.
That tool is LogonSessions from Sysinternals (now part of Microsoft):
http://www.microsoft.com/technet/sysinternals/security/logonsessions.mspx
It is a free download from that address.
The logon session IDs that LogonSessions prints can be correlated with the information shown by other tools (the Security event log in particular; see the end of this post).
The log output is as follows (LogonSessions was run with -p so that each session's processes are listed):
=========
logonsessions v1.1
copyright (c) 2004 bryce cogswell and mark russinovich
sysinternals - www.sysinternals.com
[0] logon session 00000000:000003e7:
user name: workgroup\sdahfpwe
auth package: ntlm
logon type: (none)
session: 0
sid: s-1-5-18
logon time: 2008-2-18 15:33:05
logon server:
dns domain:
upn:
356: \systemroot\system32\smss.exe
404: \??\c:\windows\system32\csrss.exe
428: \??\c:\windows\system32\winlogon.exe
472: c:\windows\system32\services.exe
484: c:\windows\system32\lsass.exe
692: c:\windows\system32\svchost.exe
836: c:\windows\system32\svchost.exe
960: c:\windows\system32\spoolsv.exe
1128: c:\program files\symantec\pcanywhere\awhost32.exe
1164: c:\windows\system32\svchost.exe
1300: c:\program files\mcafee\common framework\frameworkservice.exe
1376: c:\program files\mcafee\virusscan enterprise\vstskmgr.exe
1452: c:\program files\mcafee\common framework\naprdmgr.exe
1532: c:\program files\rhinosoft.com\serv-u\servudaemon.exe
1696: c:\windows\system32\svchost.exe
1912: c:\windows\system32\svchost.exe
3844: c:\windows\system32\wbem\wmiprvse.exe
4000: c:\windows\system32\dllhost.exe
3172: c:\program files\mcafee\virusscan enterprise\mcshield.exe
3960: \??\c:\windows\system32\csrss.exe
396: \??\c:\windows\system32\winlogon.exe
372: c:\windows\system32\inetsrv\inetinfo.exe
2920: c:\windows\system32\svchost.exe
2780: \??\c:\windows\system32\csrss.exe
1576: \??\c:\windows\system32\winlogon.exe
[1] logon session 00000000:000081e5:
user name:
auth package: ntlm
logon type: (none)
session: 0
sid: (none)
logon time: 2008-2-18 15:33:05
logon server:
dns domain:
upn:
[2] logon session 00000000:0000c0f7:
user name: nt authority\anonymous logon
auth package: ntlm
logon type: network
session: 0
sid: s-1-5-7
logon time: 2008-2-18 15:33:08
logon server:
dns domain:
upn:
[3] logon session 00000000:000003e5:
user name: nt authority\local service
auth package: negotiate
logon type: service
session: 0
sid: s-1-5-19
logon time: 2008-2-18 15:33:09
logon server:
dns domain:
upn:
[4] logon session 00000000:5cbf7d87:
user name: sdahfpwe-wuymbi\maggie
auth package: ntlm
logon type: remoteinteractive
session: 2
sid: s-1-5-21-1476199771-2381760486-1211474579-1009
logon time: 2008-2-21 9:44:18
logon server: sdahfpwe-wuymbi
dns domain:
upn:
3164: c:\windows\system32\rdpclip.exe
740: c:\windows\explorer.exe
3528: c:\program files\mcafee\virusscan enterprise\shstat.exe
392: c:\windows\system32\ctfmon.exe
3952: c:\windows\system32\mmc.exe
336: c:\program files\rhinosoft.com\serv-u\servuadmin.exe
[5] logon session 00000000:60d81435:
user name: sdahfpwe-wuymbi\iusr_sdahfpwe-wuymbi
auth package: ntlm
logon type: networkcleartext
session: 0
sid: s-1-5-21-1476199771-2381760486-1211474579-1015
logon time: 2008-2-21 10:55:33
logon server: sdahfpwe-wuymbi
dns domain:
upn:
[6] logon session 00000000:000003e4:
user name: nt authority\network service
auth package: negotiate
logon type: service
session: 0
sid: s-1-5-20
logon time: 2008-2-18 15:33:06
logon server:
dns domain:
upn:
2496: c:\windows\system32\inetsrv\w3wp.exe
[7] logon session 00000000:000309aa:
user name: sdahfpwe-wuymbi\jooline2008sh
auth package: ntlm
logon type: remoteinteractive
session: 1
sid: s-1-5-21-1476199771-2381760486-1211474579-500
logon time: 2008-2-18 15:35:34
logon server: sdahfpwe-wuymbi
dns domain:
upn:
[8] logon session 00000000:60f64f82:
user name: sdahfpwe-wuymbi\jooline2008sh
auth package: ntlm
logon type: remoteinteractive
session: 3
sid: s-1-5-21-1476199771-2381760486-1211474579-500
logon time: 2008-2-21 11:06:47
logon server: sdahfpwe-wuymbi
dns domain:
upn:
1840: c:\windows\system32\rdpclip.exe
3580: c:\windows\explorer.exe
2876: c:\program files\mcafee\virusscan enterprise\shstat.exe
888: c:\program files\rhinosoft.com\serv-u\servutray.exe
3280: c:\windows\system32\cmd.exe
376: c:\windows\system32\conime.exe
1820: c:\program files\mcafee\virusscan enterprise\mcconsol.exe
720: c:\windows\system32\notepad.exe
2320: e:\logonsessions.exe
==============================
In the Security event log, correlate the logon session ID printed above (the high:low LUID, for example 00000000:5cbf7d87) with the Logon ID field in the event description. On Windows Server 2003 a successful logon is event 528 (540 for network logons) and its description carries the same value as (0x0,0x5CBF7D87); later Windows versions use event 4624 with the ID written as a single hex value. That pulls up the logon event for the session (account, logon type, source workstation and network address) together with the later events that carry the same Logon ID, and it becomes straightforward to work out what happened. Two practical notes: the process list only appears when LogonSessions is run with -p, and a session that has no matching logon event means the Security log has wrapped or was cleared since that logon, which is itself worth looking into.
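As an added example (this is not code from the original post or from Sysinternals), here is a small Python script that does the correlation step above offline: it parses LogonSessions output into sessions with their process lists, normalises the Logon ID from a Security-log event (both the Windows Server 2003 "(0x0,0x...)" form and the single-value form used by event 4624 on later versions) into the same high:low LUID the tool prints, and reports every RemoteInteractive session with its source address and the programs it ran. The session dump and the event records embedded in it are constructed sample data modelled on the dump above; the IP addresses are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the logonsessions v1.1 output layout (trimmed from the
# kind of dump shown above; not a real capture).
SAMPLE_LOGONSESSIONS = r"""
logonsessions v1.1
[4] logon session 00000000:5cbf7d87:
user name: sdahfpwe-wuymbi\maggie
logon type: remoteinteractive
logon time: 2008-2-21 9:44:18
740: c:\windows\explorer.exe
3952: c:\windows\system32\mmc.exe
336: c:\program files\rhinosoft.com\serv-u\servuadmin.exe
[5] logon session 00000000:60d81435:
user name: sdahfpwe-wuymbi\iusr_sdahfpwe-wuymbi
logon type: networkcleartext
logon time: 2008-2-21 10:55:33
[7] logon session 00000000:000309aa:
user name: sdahfpwe-wuymbi\jooline2008sh
logon type: remoteinteractive
logon time: 2008-2-18 15:35:34
[8] logon session 00000000:60f64f82:
user name: sdahfpwe-wuymbi\jooline2008sh
logon type: remoteinteractive
logon time: 2008-2-21 11:06:47
3280: c:\windows\system32\cmd.exe
2320: e:\logonsessions.exe
"""

# Constructed Security-log logon events. Windows Server 2003 (event 528) writes
# the Logon ID as "(0x0,0x5CBF7D87)"; Vista and later (event 4624) write one
# 64-bit hex value. Source IPs are made up.
SAMPLE_EVENTS = [
    {"id": 528, "user": "maggie", "logon_type": 10,
     "logon_id": "(0x0,0x5CBF7D87)", "source_ip": "10.0.0.23"},
    {"id": 528, "user": "iusr_sdahfpwe-wuymbi", "logon_type": 8,
     "logon_id": "(0x0,0x60D81435)", "source_ip": "-"},
    {"id": 4624, "user": "jooline2008sh", "logon_type": 10,
     "logon_id": "0x60F64F82", "source_ip": "192.0.2.10"},
]

HEADER = re.compile(r"^\[\d+\]\s+logon session\s+([0-9a-f]{8}:[0-9a-f]{8}):?$", re.I)
PROC = re.compile(r"^(\d+):\s+(\S.*)$")          # "<pid>: <image path>"
FIELD = re.compile(r"^([a-z][a-z ]*?):\s*(.*)$", re.I)  # "<key>: <value>"

@dataclass
class Session:
    luid: str                      # "high:low" exactly as logonsessions prints it
    fields: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)   # (pid, image path)

def parse_logonsessions(text):
    """Split a logonsessions dump into Session objects; banner lines are skipped."""
    sessions, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER.match(line):
            cur = Session(luid=m.group(1).lower())
            sessions.append(cur)
        elif cur is None:
            continue                      # banner text before the first session
        elif m := PROC.match(line):
            cur.processes.append((int(m.group(1)), m.group(2)))
        elif m := FIELD.match(line):
            cur.fields[m.group(1).lower()] = m.group(2).strip()
    return sessions

def normalize_logon_id(value):
    """Convert either event-log Logon ID form into logonsessions' high:low form."""
    value = value.strip()
    if m := re.fullmatch(r"\(0x([0-9a-f]+),\s*0x([0-9a-f]+)\)", value, re.I):
        hi, lo = int(m.group(1), 16), int(m.group(2), 16)
    elif m := re.fullmatch(r"0x([0-9a-f]+)", value, re.I):
        hi, lo = int(m.group(1), 16) >> 32, int(m.group(1), 16) & 0xFFFFFFFF
    else:
        raise ValueError(f"unrecognized Logon ID: {value!r}")
    return f"{hi:08x}:{lo:08x}"

def correlate(sessions, events):
    """Map each LUID to (Session or None, [logon events carrying that Logon ID])."""
    by_luid = {s.luid: (s, []) for s in sessions}
    for ev in events:
        by_luid.setdefault(normalize_logon_id(ev["logon_id"]), (None, []))[1].append(ev)
    return by_luid

def rdp_session_report(sessions, events):
    """One row per RemoteInteractive session: who, from where, what they ran.
    source_ip is None when no logon event matches, i.e. the Security log was
    cleared or has wrapped since that logon; that gap deserves its own look."""
    rows = []
    for luid, (sess, evs) in correlate(sessions, events).items():
        if sess is None or sess.fields.get("logon type") != "remoteinteractive":
            continue
        rows.append({"luid": luid, "user": sess.fields.get("user name"),
                     "logon_time": sess.fields.get("logon time"),
                     "source_ip": evs[0]["source_ip"] if evs else None,
                     "processes": [p.rsplit("\\", 1)[-1] for _, p in sess.processes]})
    return rows
```

To use it on a real machine, feed the text of a `logonsessions -p` run to parse_logonsessions and build the events list from the Logon ID and Source Network Address fields of each event 528/540 (or 4624) exported from the Security log, then call rdp_session_report. A row whose source_ip is None is a session the log no longer accounts for; a row whose process list contains administration tools the account has no business running (here, servuadmin.exe and mmc.exe under the maggie session) is where to dig next.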