Category: WINDOWS

2010-08-15 11:44:31

    A while ago I read an article about backdoors injected into Serv-U. I'd guess most people still use this tool regularly, and it has given plenty of people headaches, especially the problem of backdoors planted in the software itself. Today we'll go through one case and set it out clearly. A server needed Serv-U installed; the customer supplied Serv-U 6.4.0.6 together with a Chinese localization pack. After the installation finished, the firewall showed an outbound connection from a .sys file, of all things:
C:\Windows\system32\drivers\XSRProto.sys
    Definitely not a good sign! I googled it and found an article:

    I. Temporary handling
    Never mind where the software came from; now that there's a problem, nobody is going to let me reinstall the server, so let's first see how to deal with it.
    1. First block its outbound connections at the firewall, then go through the startup items, processes and services. In the end I found that an XSRProto service had been added under the registry's Services key, and what it loads is XSRProto.sys.
    2. Delete the registry key, delete the .sys file, reboot.
    3. Sure enough, another XSRProto.sys was created and the XSRProto service was added back to the registry. So it's not that simple. At this point a colleague suggested deleting the file, then renaming a .txt file to XSRProto.sys to see what happens: delete, reboot.
    4. It wasn't replaced, heh. That's fairly unusual; few handle it this way. It only checks whether the file exists and leaves it alone if it does, whereas the usual behaviour is to replace it if present and create it if absent.
    5. Good, the server is no longer affected for now; let's analyse where the problem actually comes from.
    II. Quick analysis
    I ran the installer and the localization pack in a VM and found that the localization pack is the cause: as soon as you double-click the localization pack, the backdoor runs. When the trojaned pack is executed it drops the original localization pack and at the same time creates a UPX-packed some.exe.
    File information:
XSRProto.sys
    35,456 bytes    MD5:286f6932711d14e9f6568535ad887a28
some.exe
    55,296 bytes    MD5:de2a6b1ee228a43581710a5e7e7f1371
    A friend took a quick look at the two files; the information is below. Anyone interested can see what it gets up to, heh!
unpacked:004020E0 00000035 C SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost
unpacked:00402118 0000000C C
unpacked:00402124 0000000B C ServiceDll
unpacked:00402130 00000021 C %SystemRoot%\\system32\\VMUSRV.dll
unpacked:00402154 00000034 C SYSTEM\\CurrentControlSet\\Services\\VMUSRV\\Parameters
unpacked:00402188 0000001D C Virtual Machine User Service
unpacked:004021A8 0000002C C %SystemRoot%\\system32\\svchost.exe -k VMUSRV
unpacked:004021D4 00000007 C VMUSRV
unpacked:004021DC 00000033 C :INS\r\nDEL \"%s\"\r\nif exist \"%s\" goto INS\r\nDEL \"%s\"\r\n
unpacked:00402210 0000000D C %s\\UNINS.bat
unpacked:00402220 00000006 C FILES
unpacked:00402234 0000000B C XSpoof-SR3
unpacked:00402240 0000000C C _
unpacked:0040224C 0000000C C
unpacked:00402258 00000011 C SeDebugPrivilege
unpacked:0040C408 0000005A C insert into T_XSSV (XS_Server,XS_UserName,XS_Password,XS_Type) values('%s','%s','%s',%u)
unpacked:0040C468 0000006C C update T_XSSV set XS_Password='%s',XS_Update=False where XS_Server='%s' AND XS_UserName='%s' AND XS_Type=%d
unpacked:0040C4D8 0000004E C select * from T_XSSV where XS_Type=%d AND XS_Server='%s' AND XS_UserName='%s'
unpacked:0040C528 0000000B C XSpoof-SR3
unpacked:0040C534 00000009 C DATABASE
unpacked:0040C540 00000005 C
unpacked:0040C558 00000007 C VMUSRV
unpacked:0040C664 00000035 C SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost
unpacked:0040C69C 0000002B C SYSTEM\\CurrentControlSet\\Services\\XSRProto
unpacked:0040C6C8 00000029 C SYSTEM\\CurrentControlSet\\Services\\VMUSRV
unpacked:0040C6F4 00000009 C XSRProto
unpacked:0040C700 0000002D C update T_XSSV set XS_Update=True where ID=%u
unpacked:0040C730 00000008 C XS_Type
unpacked:0040C738 0000000C C XS_Password
unpacked:0040C744 0000000C C XS_UserName
unpacked:0040C750 0000000A C XS_Server
unpacked:0040C760 0000002B C select * from T_XSSV where XS_Update=false
unpacked:0040C78C 0000001E C system32\\DRIVERS\\XSRProto.sys
unpacked:0040C7AC 00000009 C
unpacked:0040C7B8 00000006 C POST
unpacked:0040C7C0 0000000C C
unpacked:0040C7D0 0000000A C
unpacked:0040C7DC 00000007 C Host:
unpacked:0040C7E4 00000007 C Basic
unpacked:0040C7EC 0000000F C Authorization:
unpacked:0040C7FC 00000005 C GET
unpacked:0040C804 00000006 C %s:%u
unpacked:0040C80C 00000006 C PASS
unpacked:0040C814 00000006 C USER
unpacked:0040C81C 0000001A C Global\\TcpipReconfigEvent
unpacked:0040C838 00000013 C TcpipReconfigEvent
unpacked:0040C84C 00000011 C Global\\XSR3Event
unpacked:0040C860 0000000A C XSR3Event
unpacked:0040C86C 0000000B C
unpacked:0040C878 00000016 C

unpacked:00413F68 00000011 C .?AV_com_error@@
unpacked:00413F88 00000010 C .?AVtype_info@@
unpacked:004380D4 0000000D C KERNEL32.DLL
unpacked:004380E1 0000000D C ADVAPI32.dll
unpacked:004380EE 0000000B C MSVCRT.dll
unpacked:004380FA 0000000D C LoadLibraryA
unpacked:00438108 0000000F C GetProcAddress
unpacked:00438118 0000000C C ExitProcess
unpacked:00438126 0000000C C RegCloseKey
unpacked:00438134 00000005 C exit
.snaker:00439050  0000000D C ADVAPI32.dll
.snaker:00439060  0000000C C RegCloseKey
.snaker:0043906E  0000000E C RegOpenKeyExA
.snaker:0043907E  00000013 C CloseServiceHandle
.snaker:00439094  0000000D C OpenServiceA
.snaker:004390A4  0000000F C OpenSCManagerA
.snaker:004390B6  00000016 C AdjustTokenPrivileges
.snaker:004390CE  00000016 C LookupPrivilegeValueA
.snaker:004390E6  00000011 C OpenProcessToken
.snaker:004390FA  0000000E C StartServiceA
.snaker:0043910A  0000000E C RegCreateKeyA
.snaker:0043911A  0000000F C CreateServiceA
.snaker:0043912C  0000000F C RegSetValueExA
.snaker:0043913E  0000001A C SetSecurityDescriptorDac
.snaker:0043915A  0000001D C InitializeSecurityDescriptor
.snaker:00439178  0000000D C KERNEL32.dll
.snaker:00439188  00000011 C GetModuleHandleA
.snaker:0043919C  0000000C C MoveFileExA
.snaker:004391AA  0000000D C CreateMutexA
.snaker:004391BA  0000000D C GetLastError
.snaker:004391CA  0000000D C ReleaseMutex
.snaker:004391DA  0000000E C FindResourceA
.snaker:004391EA  0000000F C SizeofResource
.snaker:004391FC  0000000D C LoadResource
.snaker:0043920C  0000000D C LockResource
.snaker:0043921C  0000000C C SetFileTime
.snaker:0043922A  0000000D C FreeResource
.snaker:0043923A  00000013 C GetModuleFileNameA
.snaker:00439250  0000000D C GetTempPathA
.snaker:00439260  0000000A C WriteFile
.snaker:0043926C  00000010 C GetStartupInfoA
.snaker:0043927E  0000000F C CreateProcessA
.snaker:00439290  00000012 C GetCurrentProcess
.snaker:004392A4  0000000C C CloseHandle
.snaker:004392B2  0000000C C GetFileTime
.snaker:004392C0  0000000C C CreateFileA
.snaker:004392CE  00000008 C lstrcat
.snaker:004392D8  00000014 C GetSystemDirectoryA
.snaker:004392EE  00000008 C lstrlen
.snaker:004392F8  0000000C C ExitProcess
.snaker:00439304  0000000B C msvcrt.dll
.snaker:00439312  0000000B C _controlfp
.snaker:00439320  0000000F C __set_app_type
.snaker:00439332  0000000D C __p__commode
.snaker:00439342  0000000D C _adjust_fdiv
.snaker:00439352  00000011 C __setusermatherr
.snaker:00439366  0000000A C _initterm
.snaker:00439372  0000000E C __getmainargs
.snaker:00439382  00000008 C _acmdln
.snaker:0043938C  00000005 C exit
.snaker:00439394  0000000C C _XcptFilter
.snaker:004393A2  00000006 C _exit
.snaker:004393AA  00000011 C _except_handler3
.snaker:004393BE  00000008 C sprintf
.snaker:004393C8  0000000B C __p__fmode
 
    That gives a basic picture of what some.exe does; if you're interested, download the localization pack and take a look for yourself.
    III. Simple cleanup
    From the analysis, we can clean up this backdoor fairly simply.
    1. Delete the registry keys
HKLM\SYSTEM\CurrentControlSet\Services\VMUSRV
(the name it uses is still "Virtual Machine User Service", which is quite deceptive)
HKLM\SYSTEM\CurrentControlSet\Services\XSRProto
    2. Delete the file
C:\Windows\system32\drivers\XSRProto.sys
    3. After rebooting, delete
C:\Windows\system32\VMUSRV.dll
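As an added example (not code from the original post or from the Serv-U project), covering both the strings listing above and the cleanup steps just given: a Python parser for the listing format the friend's dump uses (segment:address length C text, with C-style escapes) that decodes each entry, classifies it, and derives the persistence indicators the cleanup targets: the service registry keys, the dropped files, and the bot-database queries. The sample listing is constructed by copying a handful of entries from the dump above; the classification rules and the indicator categories are my own.

```python
import re

# Constructed sample: entries copied from the IDA strings listing above, in its C-escaped form.
SAMPLE_STRINGS = r"""
unpacked:004020E0 00000035 C SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost
unpacked:00402130 00000021 C %SystemRoot%\\system32\\VMUSRV.dll
unpacked:00402154 00000034 C SYSTEM\\CurrentControlSet\\Services\\VMUSRV\\Parameters
unpacked:004021A8 0000002C C %SystemRoot%\\system32\\svchost.exe -k VMUSRV
unpacked:004021DC 00000033 C :INS\r\nDEL \"%s\"\r\nif exist \"%s\" goto INS\r\nDEL \"%s\"\r\n
unpacked:00402210 0000000D C %s\\UNINS.bat
unpacked:0040C408 0000005A C insert into T_XSSV (XS_Server,XS_UserName,XS_Password,XS_Type) values('%s','%s','%s',%u)
unpacked:0040C69C 0000002B C SYSTEM\\CurrentControlSet\\Services\\XSRProto
unpacked:0040C78C 0000001E C system32\\DRIVERS\\XSRProto.sys
"""

# One listing line: <segment>:<address> <length> C <C-escaped text>
LINE_RE = re.compile(r"^(?P<seg>[.\w]+):(?P<addr>[0-9A-Fa-f]{8})\s+(?P<len>[0-9A-Fa-f]{8})\s+C\s(?P<text>.*)$")
SERVICE_RE = re.compile(r"CurrentControlSet\\Services\\([^\\]+)", re.IGNORECASE)

# Classification rules over the lower-cased, decoded string; the first match wins.
RULES = [
    ("registry", lambda t: "currentcontrolset\\services\\" in t or "currentversion\\svchost" in t),
    ("service_host", lambda t: "svchost.exe -k" in t),   # svchost group that loads the ServiceDll
    ("script", lambda t: "\r\n" in t),                    # the self-deleting UNINS.bat template
    ("file", lambda t: t.endswith((".sys", ".dll", ".bat", ".exe"))),
    ("sql", lambda t: t.startswith(("insert ", "update ", "select "))),  # bot-database queries
]

def unescape(text):
    # IDA prints C escapes (doubled backslashes, \r\n, \"); decode them back to raw characters.
    return text.encode("latin-1", "backslashreplace").decode("unicode_escape")

def classify(text):
    t = text.lower()
    return next((kind for kind, matches in RULES if matches(t)), "other")

def parse_strings(listing):
    """Parse a strings listing into dicts with segment, address, decoded text and indicator kind."""
    entries = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:   # blank lines and anything that is not a listing entry are skipped
            text = unescape(m.group("text"))
            entries.append({"seg": m.group("seg"), "addr": int(m.group("addr"), 16),
                            "text": text, "kind": classify(text)})
    return entries

def persistence_indicators(entries):
    """Derive the removal checklist the post arrives at: service keys, dropped files, SQL."""
    services = sorted({m.group(1) for e in entries for m in SERVICE_RE.finditer(e["text"])})
    return {
        "registry_keys": [r"HKLM\SYSTEM\CurrentControlSet\Services\%s" % s for s in services],
        "files": sorted(e["text"] for e in entries if e["kind"] == "file"),
        "sql": [e["text"] for e in entries if e["kind"] == "sql"],
    }
```

Fed the full listing, `persistence_indicators(parse_strings(...))` yields the two service keys and the driver and DLL paths from the cleanup steps, plus the T_XSSV queries that show the hosts are tracked in a database.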
    IV. Other
    Looking at what's in these files is actually pretty scary: they're managing their compromised hosts with a database. Nothing is trustworthy these days; I'd recommend downloading files from the official site and using a registration code or the like instead.
