麥咖啡(mcafee) VSE 8.5 服務(wù)器防掛馬心得

發(fā)布時(shí)間：2009-07-20 12:37:07 作者：佚名

正好今天在查看服務(wù)器日志的時(shí)候.發(fā)現(xiàn)McAfee又一次成功的攔截了掛馬,特給大家分享下。

重點(diǎn):

單單的防還是不能解決問(wèn)題，下面是我們找出真兇了

給大家介紹一個(gè)工具可以像MMC計(jì)算機(jī)管理管理單元中的“會(huì)話”文件夾，顯示的是通過(guò)網(wǎng)絡(luò)登錄到計(jì)算機(jī)的會(huì)話，
遠(yuǎn)程服務(wù)管理單元顯示的是遠(yuǎn)程桌面登錄的會(huì)話，但沒(méi)有一個(gè)工具可以顯示所有登錄會(huì)話---不管任何登錄類型--以及這些用戶使用的程序列表。
這個(gè)工具是Sysinternals（現(xiàn)在已經(jīng)是微軟）的LogoSessions工具!
http://www.microsoft.com/technet/sysinternals/security/logonsessions.mspx
可以從這個(gè)地址去下載 Free
可以把LogoSessions中顯示代碼和其它工具顯示的信息關(guān)聯(lián)起來(lái)。

復(fù)制代碼

代碼如下:

日志
=========
Logonsesions v1.1
Copyright (C) 2004 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com
[0] Logon session 00000000:000003e7:
User name: WORKGROUP\SDAHFPWE
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 2008-2-18 15:33:05
Logon server:
DNS Domain:
UPN:
356: \SystemRoot\System32\smss.exe
404: \??\C:\WINDOWS\system32\csrss.exe
428: \??\C:\WINDOWS\system32\winlogon.exe
472: C:\WINDOWS\system32\services.exe
484: C:\WINDOWS\system32\lsass.exe
692: C:\WINDOWS\system32\svchost.exe
836: C:\WINDOWS\System32\svchost.exe
960: C:\WINDOWS\system32\spoolsv.exe
1128: C:\Program Files\Symantec\pcAnywhere\awhost32.exe
1164: C:\WINDOWS\System32\svchost.exe
1300: C:\Program Files\McAfee\Common Framework\FrameworkService.exe
1376: C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
1452: C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
1532: C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
1696: C:\WINDOWS\System32\svchost.exe
1912: C:\WINDOWS\System32\svchost.exe
3844: C:\WINDOWS\system32\wbem\wmiprvse.exe
4000: C:\WINDOWS\system32\dllhost.exe
3172: C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
3960: \??\C:\WINDOWS\system32\csrss.exe
396: \??\C:\WINDOWS\system32\winlogon.exe
372: C:\WINDOWS\system32\inetsrv\inetinfo.exe
2920: C:\WINDOWS\System32\svchost.exe
2780: \??\C:\WINDOWS\system32\csrss.exe
1576: \??\C:\WINDOWS\system32\winlogon.exe
[1] Logon session 00000000:000081e5:
User name:
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: (none)
Logon time: 2008-2-18 15:33:05
Logon server:
DNS Domain:
UPN:
[2] Logon session 00000000:0000c0f7:
User name: NT AUTHORITY\ANONYMOUS LOGON
Auth package: NTLM
Logon type: Network
Session: 0
Sid: S-1-5-7
Logon time: 2008-2-18 15:33:08
Logon server:
DNS Domain:
UPN:
[3] Logon session 00000000:000003e5:
User name: NT AUTHORITY\LOCAL SERVICE
Auth package: Negotiate
Logon type: Service
Session: 0
Sid: S-1-5-19
Logon time: 2008-2-18 15:33:09
Logon server:
DNS Domain:
UPN:
[4] Logon session 00000000:5cbf7d87:
User name: SDAHFPWE-WUYMBI\maggie
Auth package: NTLM
Logon type: RemoteInteractive
Session: 2
Sid: S-1-5-21-1476199771-2381760486-1211474579-1009
Logon time: 2008-2-21 9:44:18
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
3164: C:\WINDOWS\system32\rdpclip.exe
740: C:\WINDOWS\Explorer.EXE
3528: C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
392: C:\WINDOWS\system32\ctfmon.exe
3952: C:\WINDOWS\system32\mmc.exe
336: C:\Program Files\RhinoSoft.com\Serv-U\ServUAdmin.exe
[5] Logon session 00000000:60d81435:
User name: SDAHFPWE-WUYMBI\IUSR_SDAHFPWE-WUYMBI
Auth package: NTLM
Logon type: NetworkCleartext
Session: 0
Sid: S-1-5-21-1476199771-2381760486-1211474579-1015
Logon time: 2008-2-21 10:55:33
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
[6] Logon session 00000000:000003e4:
User name: NT AUTHORITY\NETWORK SERVICE
Auth package: Negotiate
Logon type: Service
Session: 0
Sid: S-1-5-20
Logon time: 2008-2-18 15:33:06
Logon server:
DNS Domain:
UPN:
2496: c:\windows\system32\inetsrv\w3wp.exe
[7] Logon session 00000000:000309aa:
User name: SDAHFPWE-WUYMBI\jooline2008sh
Auth package: NTLM
Logon type: RemoteInteractive
Session: 1
Sid: S-1-5-21-1476199771-2381760486-1211474579-500
Logon time: 2008-2-18 15:35:34
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
[8] Logon session 00000000:60f64f82:
User name: SDAHFPWE-WUYMBI\jooline2008sh
Auth package: NTLM
Logon type: RemoteInteractive
Session: 3
Sid: S-1-5-21-1476199771-2381760486-1211474579-500
Logon time: 2008-2-21 11:06:47
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
1840: C:\WINDOWS\system32\rdpclip.exe
3580: C:\WINDOWS\Explorer.EXE
2876: C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
888: C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
3280: C:\WINDOWS\system32\cmd.exe
376: C:\WINDOWS\system32\conime.exe
1820: C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
720: C:\WINDOWS\system32\NOTEPAD.EXE
2320: E:\logonsessions.exe
==============================

在安全日志事件中，可以把輸出的登錄會(huì)話ID和安全日志事件說(shuō)明進(jìn)行關(guān)聯(lián)，查找登錄事件和會(huì)話相關(guān)的事件。
這樣很容易找到是怎么回事了....

Tag：麥咖啡 McAfee 服務(wù)器防掛馬

欧美bbbwbbbw肥妇,免费乱码人妻系列日韩,一级黄片

麥咖啡(mcafee) VSE 8.5 服務(wù)器防掛馬心得

相關(guān)文章

最新評(píng)論

文章分類

大家感興趣的內(nèi)容

最近更新的內(nèi)容