
[Discussion] Catching the hacker: computer forensics

[This post was last edited by 黑色海岸线 on 2004/12/15 10:16am, 1st edit]

   First, the scan report for one computer is as follows:
Address: 192.168.1.249
This is the IP (Internet Protocol) address of the machine, a single machine might have multiple IP addresses associated with it.  
Host name: WALL
This is the domain name of the machine. There can be multiple domain names assigned to a single IP (Internet Protocol) address or one domain name assigned to multiple IP addresses.  
Average Ping Response: 0 ms
Time To Live: 128
Report Date: 2004-12-01
This is the date and time the scanner started to perform the auditing process. The date and time is reported off the machine local time zone.  
Audits 4 - 3

NetBIOS: Null Session
Description A Null session is sending a null for the user name and password when establishing a connection to the ipc$ (Inter Process Communication) pipe. If a remote attacker is able to establish a null session they can gain lists of user names, shares, etc...
Risk Level: High
How To Fix: Add the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA Name: RestrictAnonymous Type: REG_DWORD Value: 1.
CVE GENERIC-MAP-NOMATCH
BugtraqID: 494
Accounts: Administrator - Password Does Not Expire
Description If a users password does not expire you allow a remote attacker endless amount of time to try to figure out your users password. It is recommended that you make all users passwords expire unless the user account is used for a system service.
Risk Level: Medium
How To Fix: Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE CAN-1999-0535
Accounts: Guest - User Never Logged On
Description It is suggested that you review this user account. If it is not needed or was not created by an administrator of your network, it is suggested that you disable or delete it.
Risk Level: Information
How To Fix: To delete the account:
1. Open User Manager
2. Select the account to delete
3. Press the "Delete" key
4. Click "Ok"
To Disable the account:
1. Open User Manager
2. Select the account to disable
3. Select Properties from the User menu
4. Check "Account Disabled"
5. Click "Ok"
CVE GENERIC-MAP-NOMATCH
Accounts: Guest - Password Does Not Expire
Description If a users password does not expire you allow a remote attacker endless amount of time to try to figure out your users password. It is recommended that you make all users passwords expire unless the user account is used for a system service.
Risk Level: Medium
How To Fix: Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE CAN-1999-0535
Machine 4 - 4
Date and Time 12/14/2004 2:17
Name WALL
Workgroup DEVP-DOMAIN
OSName Windows NT
OSVersion 5.0
Shares 4 - 5
IPC$: 远程 IPC
Type IPC
Description This is a default share created when the server first boots. Responsible for Inter Process Communications.  
D$: 默认共享
Type DISKTREE
Description This is a default share created when the server first boots. It is a mapping to the root of your D drive.  
tools
Type DISKTREE
ADMIN$: 远程管理
Type DISKTREE
Description Default Administration share. The admin$ share is a mapping to \winnt\system32. An attacker could use access to this share to remotely run l0pht crack against your server to find out your passwords.  
C$: 默认共享
Type DISKTREE
Description This is a default share created when the server first boots. It is a mapping to the root of your C drive.  

Users 4 - 6

Administrator: 管理计算机(域)的内置帐户
User: Administrator
Logon Server: \\*
Number of Logons: 252
Privilege: Administrator
Password expired: no
RID: 500
Bad PW Count: 0
Country Code: 0
Guest: 供来宾访问计算机或访问域的内置帐户
User: Guest
Account Disabled: True
Logon Server: \\*
Number of Logons: 104
Privilege: Guest
Password expired: no
RID: 501
Bad PW Count: 4
Country Code: 0
Ports 4 - 7

21: FTP - File Transfer Protocol [Control]
Found Audits 0
80: WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)
Found Audits 0
81: HOSTS2-NS - HOSTS2 Name Server
Found Audits 0
82: XFER - XFER Utility
Found Audits 0
83: MIT-ML-DEV - MIT ML Device
Found Audits 0
119: NNTP - Network News Transfer Protocol
Found Audits 0
135: RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
Found Audits 0
137: NETBIOS-NS - NETBIOS Name Service
Found Audits 0
138: NETBIOS-DGM - NETBIOS Datagram Service
Found Audits 0
139: NETBIOS-SSN - NETBIOS Session Service
Reply Banner in Request ?
Found Audits 0
445: MICROSOFT-DS - Microsoft-DS
Found Audits 0
500: ISAKMP -
Found Audits 0
1025: LISTEN - listen
Found Audits 0
1026: NTERM - nterm
Found Audits 0
1080: SOCKS - Socks
Found Audits 0
5190: AOL - America-Online
Found Audits 0
8080: Generic - Shared service port
Found Audits 0
8088: Generic - Shared service port
Found Audits 0
9010: SERVICE
Found Audits 0
--------------------------------------------------------------------------------

Over a long period we have been finding traces that the computer's desktop has been tampered with. Note: these are not changes made from cmd, but interactive changes on the desktop. Let's discuss how the hacker carried out the intrusion.
Second, how to capture evidence of the intruder's break-in

[Discussion] Catching the hacker: computer forensics

Note: this computer does not have IIS, PWS or any other WWW publishing component installed, and no FTP software is installed either!


[Discussion] Catching the hacker: computer forensics

To clarify again: running netstat/an on the compromised computer shows that ports 21 and 80 are not listening.


[Discussion] Catching the hacker: computer forensics

Useful information: the attacker did not plant a trojan, only a small program.
There is no firewall; this is the scan result from two machines connected directly to each other.
The attacker did not use a proxy program.
When I say the desktop was tampered with, I don't mean that some file was used,
but that a program was running on the desktop and its window was moved or closed.

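Added here as an example for the discussion (not code from the original post or from the scanner it quotes): a small Python script that reconciles the scanner's "Ports" section with the host's own netstat -an output, so the gap the poster describes (the scanner reports 21 and 80, netstat on the host shows neither) comes out as a list of ports to investigate. Both inputs are constructed from the thread above; the netstat lines are assumed, since the post does not quote them.

```python
import re

# Constructed excerpt of the scanner report's "Ports" section quoted in the thread.
SCAN_REPORT = """\
21: FTP - File Transfer Protocol [Control]
Found Audits 0
80: WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)
Found Audits 0
139: NETBIOS-SSN - NETBIOS Session Service
Found Audits 0
445: MICROSOFT-DS - Microsoft-DS
Found Audits 0
1080: SOCKS - Socks
Found Audits 0
"""

# Constructed (assumed) netstat -an output matching what the poster reports:
# NetBIOS/SMB and SOCKS are listening, but nothing on 21 or 80.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.249:139      192.168.1.10:1032      ESTABLISHED
"""

PORT_LINE = re.compile(r"^(\d+):\s*(\S+)\s*-\s*(.*)$")          # "21: FTP - File Transfer ..."
LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")

def scanner_ports(report):
    """Map port -> service label for every port the remote scanner reported as open."""
    ports = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def listening_ports(netstat):
    """Set of TCP ports the host itself shows as LISTENING in netstat -an."""
    return {int(m.group(1)) for m in map(LISTEN_LINE.match, netstat.splitlines()) if m}

def reconcile(report, netstat):
    """Ports seen from outside but absent from the host's own view: the discrepancy to chase."""
    local = listening_ports(netstat)
    return {p: svc for p, svc in scanner_ports(report).items() if p not in local}

if __name__ == "__main__":
    for port, svc in sorted(reconcile(SCAN_REPORT, NETSTAT_OUTPUT).items()):
        print(f"port {port} ({svc}): open to the scanner, not listed by the host")
```

A port in that output is a lead, not a verdict: it can mean the host's netstat cannot be trusted (replaced binary or a rootkit hiding sockets), that the scan reached a different machine or a forwarded port, or simply a scanner false positive, so confirm with netstat run from known-good media and a second scan from another host.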
