A practical analysis of a WinRoute backdoor attack and defense - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200924426
Type myhack58
Reporter Anonymous
Modified 2009-08-28T00:00:00


The school accesses the Internet through a WinRoute proxy running on Windows 2000. Over the last two days the proxy server kept showing strange behaviour: programs seemed to run very slowly, and the machine would also restart by itself. Could it be a virus? Or a Trojan? Either way, I went to have a look.

I went to the server room and unplugged the network cable. After a restart I ran the anti-virus software and scanned the machine again, and found no viruses. Then I plugged the network cable back in and opened the IE browser, and something strange happened: why were there unfamiliar URLs in the address bar? Had someone been using this computer? I thought this was serious, probably a Trojan.

I got up to pour a glass of water and prepare for a major battle. When I came back, the browser had actually opened the “Fantasy Westward Journey” website by itself and was downloading the client using a newly installed download program. Someone actually wanted to use my proxy server to run the popular online game unattended!

Now that I knew the reason, I thought it could be solved, so I was in no hurry. For revenge, I let him download. After a while, when the download had reached 90%, I cancelled it. Then I turned the network off, opened Trojan Killer and ran a scan. It found that Remote Administrator had been installed. After killing the Trojan, I used file search to find the software installed within the past week and removed all of it. But this still did not solve the problem: the key was to find the vulnerability being attacked.

Because this computer is used only as a proxy, WinRoute opens the SMTP, POP3 and DNS services. Was the problem in the Windows 2000 settings? Following some security configuration guidance, I disabled many unnecessary services. I applied the latest patches, disabled the Guest account, changed the administrator account's password and renamed the account, set the read permissions on the disks, and also configured some local security policy. I will not go into more detail here. After a burst of work, I thought I could finally rest easy. I started the proxy service and let it continue to work.

But it did not last long. One Saturday afternoon I came to the room to check the equipment. When I turned on the proxy server's monitor, a scene appeared that made me despair: someone was again downloading Fantasy Westward Journey on the proxy server! The calm of the previous few days was because the intruder did not want me to notice; in fact, the problem had not been solved. He assumed that on a Saturday nobody would be around and he could do whatever he wanted. It seems his purpose was to use my computer to run the game unattended.

I could almost see the hacker at the other end of the network laughing at me. Where exactly was the problem? The patches had just been applied, so there should have been nothing to exploit; which port was the intruder coming in through? I went to the DOS prompt and entered netstat -a to look at the ports. Besides the few normal ones, I found that port 3129 was in use.

I remembered that WinRoute's proxy uses port 3128; was port 3129 also related to WinRoute? I looked up some information and found that the Trojan Master Paradise opens port 3129. And this computer generally runs the WinRoute service. With that in mind, I immediately opened the WinRoute control interface and searched through it carefully, and sure enough, under “Settings→Advanced” there is a “Remote Administration” option. It allows remote control by default, and the default open port happens to be 3129.

So it was a back door left by WinRoute itself. Many references describe WinRoute in detail but say little about the remote administration console, so people do not pay much attention to this setting. But it really can act as a kind of Trojan, and the harm is very large. I want to remind friends who use WinRoute: it is best to turn this feature off to avoid future trouble. With the cause finally found, and since I do not normally use remote control, I turned this option off. Then I redid the settings as before and finally shut the door on the intruder.
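
The netstat check that exposed port 3129, as an added example (not code from the original article): it parses numeric netstat -an output and reports every listener outside a baseline of the services the article says the proxy should offer. The baseline port numbers other than 3128 and the sample output are assumptions constructed for illustration.

```python
# Added example: audit `netstat -an` output against a baseline of listeners.
# Baseline ports are an assumption: the usual ports for SMTP, POP3, DNS
# (TCP and UDP) and the WinRoute proxy. SAMPLE_NETSTAT is constructed.
EXPECTED = {("TCP", 25), ("TCP", 110), ("TCP", 53), ("UDP", 53), ("TCP", 3128)}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3129           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:3128       192.168.0.23:1045      ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""


def listeners(netstat_text):
    """Yield (proto, address, port) for each listening TCP or bound UDP socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows have none and count as bound.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        address, _, port = local.rpartition(":")
        if port.isdigit():
            yield proto, address, int(port)


def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Return sorted (proto, port, address, remote) tuples not in the baseline."""
    findings = set()
    for proto, address, port in listeners(netstat_text):
        if (proto, port) not in expected:
            remote = address not in ("127.0.0.1", "[::1]")
            findings.add((proto, port, address, remote))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, address, remote in unexpected_listeners(SAMPLE_NETSTAT):
        scope = "reachable from the network" if remote else "loopback only"
        print(f"unexpected {proto} listener on {address}:{port} ({scope})")
```

Running the same comparison after each configuration change shows whether a listener such as the remote administration port is really gone, rather than relying on the absence of symptoms.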