IRC Trojan/IIS Worm - Mini Internet Service Provider (ISP)
The client
This client of mine was one of those customers who run a small business and do not need a full leased line. Instead, they use the line to provide part-time Internet service to a number of their friends and relatives as well. As a result, his network had passed through the hands of many people with a bit of know-how; over these two years it had been maintained by his own staff, and any of them could add to or take away from the network's layout and configuration whenever they wished. That is how my dear friend's network had turned into a small Internet service provider².
1 - IRC Trojan/IIS worm
2 - Mini Internet Service Provider (ISP)

Source: www.websecuritymgz.com, "Facing the Various Kinds of Hackers" (رویاروی انواع هکر)
As soon as Nmap had finished its probe, I quickly went through the output, looking for anything suspicious or for well-known ports, for example 23, 21, 12345 and 31337, or anything else that would point to an extra service or to the port of a well-known trojan. What I found was that all the computers responded on ports 135 through 139, which indicates NetBIOS and its possible shares. Port 80 on the client's main server was also open (see Listing 1).
After noticing that port 80 was open, I immediately opened my browser to see what web pages had been put on this server. Port 80 is normally used by the web server, and what I saw were the default pages that are present after a standard IIS installation.
The next step was to probe the server for the security weaknesses it had, so I ran my favourite scanners⁴ and went downstairs to get myself a drink.
When I came back, the results were upsetting! I had found a very large number of weaknesses and security holes, including the nasty Unicode ones! In other words, the smallest weakness in the server can help an intruder or an Internet worm break into it, and the weaknesses that come through Unicode are among the oldest of these security holes! This showed that the people responsible for the network had not applied any of the patches that fix this kind of weakness at all.
4 - Whisker – Stealth – CGI4
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\winnt\system32
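The request above climbs out of the web root with percent-encoded backslashes (%5c) and lands on cmd.exe. The script below is an added example, not code from the article or from any of the tools it names: it runs over a few constructed IIS-style log lines (W3C fields assumed as date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status) and decodes each request path the way the unpatched server effectively did, one percent-decode, the overlong UTF-8 separator forms of the "Unicode" bug (CVE-2000-0884) mapped to plain separators, and a second percent-decode for the double-decoding bug (CVE-2001-0333). It then flags any path that climbs above the web root or ends in a command interpreter. The log lines, IP addresses and timestamps are made up for the example.

```python
"""Flag IIS Unicode / double-decode directory-traversal requests in W3C-style log lines.

Added example for this article, not code from it. Assumptions: the log format is
"date time c-ip cs-method cs-uri-stem cs-uri-query sc-status", the sample lines are
constructed, and only the two canonical overlong separator encodings are handled.
"""
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of "/" and "\" that IIS 4/5 decoded only after its
# traversal check (CVE-2000-0884, the "Unicode" bug).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Files a traversal usually aims at; the article's request targets cmd.exe.
INTERPRETERS = (b"cmd.exe", b"command.com")


def decode_like_iis(path):
    """Decode a request path the way the vulnerable server effectively did:
    two percent-decode passes (CVE-2001-0333 double decoding: %255c -> %5c -> \\),
    with overlong separator sequences mapped to ASCII after each pass."""
    out = path
    for _ in range(2):
        out = unquote_to_bytes(out)  # accepts str on the first pass, bytes on the second
        for overlong, plain in OVERLONG.items():
            out = out.replace(overlong, plain)
    return out


def escapes_webroot(decoded):
    """True when ".." segments climb above the web root at any point."""
    depth = 0
    for segment in decoded.replace(b"\\", b"/").split(b"/"):
        if segment == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in (b"", b"."):
            depth += 1
    return False


def analyze_log_line(line):
    """Parse one log line; return None for comment lines and short lines."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 7:
        return None
    _date, _time, client, method, stem, query, status = fields[:7]
    decoded = decode_like_iis(stem)
    return {
        "client": client,
        "method": method,
        "stem": stem,
        "decoded": decoded.decode("latin-1"),
        "query": query,
        "status": status,
        "escapes_webroot": escapes_webroot(decoded),
        "runs_interpreter": decoded.lower().endswith(INTERPRETERS),
    }


def find_traversals(lines):
    """Return the parsed records that escape the web root or hit an interpreter."""
    hits = []
    for line in lines:
        record = analyze_log_line(line)
        if record and (record["escapes_webroot"] or record["runs_interpreter"]):
            hits.append(record)
    return hits


# Constructed sample log (not real traffic); the third line is the article's request.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-20 10:15:01 192.168.0.10 GET /default.htm - 200",
    "2001-07-20 10:15:32 192.168.0.10 GET /MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\winnt\\system32 200",
    "2001-07-20 10:16:07 192.168.0.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-07-20 10:16:40 192.168.0.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200",
    "2001-07-20 10:17:02 192.168.0.10 GET /images/../index.htm - 200",
]

if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_LOG):
        print(hit["client"], hit["stem"], "->", hit["decoded"],
              "escapes_webroot=%s runs_interpreter=%s"
              % (hit["escapes_webroot"], hit["runs_interpreter"]))
```

The decoding is deliberately more permissive than a correct parser: the point is to see the path as the flawed server saw it, so a request like `/images/../index.htm` that never leaves the web root is not flagged, while `%5c`, `%c0%af` and `%255c` variants of the same climb all are. On a real log the stem and query fields are separated by the logger, so a `cmd.exe` hit with a `/c+...` query is the combination to look for.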