The SessionManager IIS backdoor
SessionManager is a malicious backdoor that abuses IIS modules.
Once the IIS application loads it, it sits in the background watching every IIS request come and go, and it is hard to spot with ordinary monitoring.
What it can do
- Read, write and delete files on the server
- RCE (remote command execution)
- Open arbitrary connections of its choosing
In other words, it's basically unstoppable.
Microsoft also put out a write-up on how IIS extensions get abused this way: Malicious IIS extensions quietly open persistent backdoors into servers
Places you can check to see whether you have already been infected
File paths
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OWA\Auth\SessionManagerModule.dll
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\SessionManagerModule.dll
- %WINDIR%\System32\inetsrv\SessionManagerModule.dll
- %WINDIR%\System32\inetsrv\SessionManager.dll
- C:\Windows\Temp\ExchangeSetup\Exch.ps1
- C:\Windows\Temp\Exch.exe
- C:\Windows\Temp\vmmsi.exe
- C:\Windows\Temp\safenet.exe
- C:\Windows\Temp\upgrade.exe
- C:\Windows\Temp\exupgrade.exe
- C:\Windows\Temp\dvvm.exe
- C:\Windows\Temp\vgauth.exe
- C:\Windows\Temp\win32.exe
PDB paths
- C:\Users\GodLike\Desktop\t\t4\StripHeaders-master\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t4\SessionManagerModule\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t4\SessionManagerV2Module\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t4\SessionManagerV3Module\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t0\Hook-PasswordChangeNotify-master\HookPasswordChange\x64\Release\HookPasswordChange.pdb
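A quick way to run these checks on a server, as an added example that is not part of the original post and not Microsoft's or Kaspersky's tooling: it tests the file paths listed above, then enumerates the native IIS modules registered in applicationHost.config (where an IIS-module backdoor has to register itself) and flags any DLL that is not validly signed by Microsoft. It assumes IIS is installed and the WebAdministration PowerShell module is available.

```powershell
# Added example: look for the SessionManager file indicators listed above and
# audit the native IIS modules loaded globally. Assumes the WebAdministration
# module (shipped with IIS) is present; run from an elevated PowerShell.
Import-Module WebAdministration -ErrorAction Stop

# File-path indicators from the list above; environment variables are expanded at run time.
$iocPaths = @(
    '%PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OWA\Auth\SessionManagerModule.dll',
    '%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\SessionManagerModule.dll',
    '%WINDIR%\System32\inetsrv\SessionManagerModule.dll',
    '%WINDIR%\System32\inetsrv\SessionManager.dll',
    'C:\Windows\Temp\ExchangeSetup\Exch.ps1',
    'C:\Windows\Temp\Exch.exe', 'C:\Windows\Temp\vmmsi.exe', 'C:\Windows\Temp\safenet.exe',
    'C:\Windows\Temp\upgrade.exe', 'C:\Windows\Temp\exupgrade.exe', 'C:\Windows\Temp\dvvm.exe',
    'C:\Windows\Temp\vgauth.exe', 'C:\Windows\Temp\win32.exe'
)

Write-Host '== Known SessionManager file paths =='
foreach ($p in $iocPaths) {
    $full = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $full) {
        Write-Warning "FOUND indicator: $full"
    }
}

# SessionManager is a native IIS module, so it must appear under globalModules in
# applicationHost.config. Every legitimate entry there is a Microsoft-signed DLL;
# an unsigned DLL or a foreign signer deserves a closer look whatever it is named.
Write-Host '== IIS global (native) modules =='
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not (Test-Path -LiteralPath $image)) {
        Write-Warning "Module '$($m.Name)' points at a missing file: $image"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $image
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Write-Warning "Suspicious module '$($m.Name)': $image (status=$($sig.Status), signer=$signer)"
    } else {
        Write-Host "ok   $($m.Name) -> $image"
    }
}
```

Treat the signature check as triage rather than a verdict: on older Windows builds some catalog-signed system DLLs report NotSigned, and a module that passes can still be examined by hand. Compare the module list against a known-good server of the same role if you have one.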
I immediately went and checked my own machine.
None of the above was there, but it was still a wake-up call.
-rwxrwx---+ 1 xxxxx None 172108 Oct 26 0000 c/Windows/Temp/39.exe
-rwxrwx---+ 1 xxxxx None 82432 Oct 26 0000 c/Windows/Temp/Cmd.exe
-rwxrwx---+ 1 xxxxx None 157696 Oct 26 0000 c/Windows/Temp/MRT/Cmd.exe
-rwxrwx---+ 1 xxxxx None 942080 Apr 3 0000 c/Windows/Temp/cmd.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/rad01EC4.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Dec 24 0000 c/Windows/Temp/rad08CC5.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Dec 24 0000 c/Windows/Temp/rad0BB91.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 0 Sep 27 0000 c/Windows/Temp/rad1B269.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Dec 24 0000 c/Windows/Temp/rad2C026.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Jan 6 0000 c/Windows/Temp/rad51601.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 0 Sep 27 0000 c/Windows/Temp/rad5F409.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Dec 24 0000 c/Windows/Temp/rad60180.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/rad60426.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Dec 24 0000 c/Windows/Temp/rad6CE73.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/rad81D14.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Jan 6 0000 c/Windows/Temp/rad85660.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/rad9310B.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/rad93196.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/radA028E.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 0 Sep 27 0000 c/Windows/Temp/radA0B9C.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 0 Sep 27 0000 c/Windows/Temp/radA4A07.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Dec 24 0000 c/Windows/Temp/radA4E34.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 0 Sep 27 0000 c/Windows/Temp/radB5CDE.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 4648 Oct 21 0000 c/Windows/Temp/radBC2E0.tmp/svchost.exe
-rwxrwx---+ 1 xxxxx None 0 Sep 27 0000 c/Windows/Temp/radD79D5.tmp/svchost.exe
-rwx------+ 1 xxxxx None 304676 Sep 28 0000 c/Windows/Temp/JuicyPotato.exe
-rwx------+ 1 xxxxx None 349696 Mar 29 0000 c/Windows/Temp/DeploymentLogs/cmd2012.exe
-rwxrwx---+ 1 xxxxx None 96768 Dec 8 0000 c/Windows/Temp/cve-2019-1458.exe
-rwxrwx---+ 1 xxxxx None 2362368 Dec 8 0000 c/Windows/Temp/xmrig.exe
- xmrig.exe is probably a coin miner
- cve-2019-1458.exe is probably a Windows LPE exploit
- JuicyPotato.exe is probably a privilege-escalation tool