Recently many webmasters have had their servers compromised, and the intrusions tend to catch them completely by surprise. "Webmaster Safety Net" has collected some details and handling methods from its analysis of servers before and after they were hacked, in the hope that they will be useful; if any of this understanding is wrong, please point it out.
An attacker who intrudes into a system is always driven by a primary purpose, for example showing off technical skill, obtaining confidential enterprise data, or disrupting the enterprise's normal business processes. Sometimes the purpose changes after the intrusion: an attacker who set out only to show off may, once inside the system, find important confidential data and, driven by self-interest, end up stealing it.
Because intruders' purposes differ, the attack methods they use differ, and so do the scope of the impact and the losses. Therefore, when handling intrusion events on different systems, the response should be matched to the type of intrusion, like prescribing a remedy for a specific disease, and different types should be resolved with different handling methods; only in this way can the best result be achieved.
One: restoring from a system intrusion with a technical intent
Some attackers intrude into a system only to show off their network skills to their peers or to others, or to experiment with a system vulnerability. In this type of intrusion, the attacker leaves some evidence on the invaded system to prove that the intrusion succeeded, and sometimes announces the result on an Internet forum. For example, if the intruded system is a web server, they may change the site's home page to show that the system has been invaded, or install a back door that turns the intruded system into their "chicken" (zombie), which is then openly sold or published on some forums to declare that they have invaded the system. In other words, this type of intrusion can be subdivided into intrusions aimed at controlling the system and intrusions aimed at modifying the service content.
For intrusions aimed at modifying the service content, the system does not need to be stopped; the restoration work can be completed by correcting the changed content on the running system.
1. Handling steps
(1) Take a snapshot of the current state of the system, or store snapshots of only the modified parts, for later analysis and for retention of evidence.
(2) Immediately restore the modified web page from backup.
(3) On a Windows system, examine the system's current network connections with network monitoring software or the "netstat -an" command; if an abnormal network connection is found, disconnect it immediately. Then look for traces of the attack by examining system processes and services and analyzing the log files of the system and its services.
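The connection check in step (3) can be automated. The following Python is an added example, not code from the original article: it parses "netstat -an" output in its Windows layout, flags listening ports that are not on a per-host allowlist, and flags established connections that the server itself opened (local side on a non-service port). The sample output and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of "netstat -an" output from a Windows web server (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            203.0.113.7:51234      ESTABLISHED
  TCP    10.0.0.5:49321         198.51.100.9:4444      ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Hypothetical baseline for this host: the only (protocol, port) pairs it should serve.
EXPECTED_LISTENERS = {("TCP", 80), ("TCP", 135), ("UDP", 123)}

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (none for UDP).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, bracketed IPv6 or '*:*') into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            proto, local, foreign, state = match.groups()
            _, lport = split_endpoint(local)
            fhost, fport = split_endpoint(foreign)
            rows.append({"proto": proto, "lport": lport, "fhost": fhost,
                         "fport": fport, "state": state or ""})
    return rows

def find_suspicious(rows, expected=EXPECTED_LISTENERS):
    """Flag listeners outside the allowlist and connections this host opened itself."""
    findings = []
    for r in rows:
        service_ports = {port for proto, port in expected if proto == r["proto"]}
        listener = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        if listener and r["lport"] not in service_ports:
            findings.append(f"unexpected listener {r['proto']}/{r['lport']}")
        elif r["state"] == "ESTABLISHED" and r["lport"] not in service_ports:
            # Local side is an ephemeral port, so the server itself opened this connection.
            findings.append(f"outbound connection to {r['fhost']}:{r['fport']} from port {r['lport']}")
    return findings
```

Each finding still needs to be tied to a process (for example via the process list and service configuration from the same step) before it is treated as an attack trace.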