A few days ago I noticed strange scheduled tasks on our Windows Server 2003 system. I don't know where they came from or who set them up. I deleted them, and today they are back again. They have names like "At1", "At2", "At3", and their status shows them as running.
When I open their properties, the run command looks like rundll32.exe zfypspqu.u,ygxjgq.
What could it be? Does my server have a virus? I scanned it with nod32 and it reported nothing. I haven't set up anything unusual on this server; it just runs SQL Server 2005 with ReportServer. Two other servers with a similar configuration do not have these strange scheduled tasks.
This is a Conficker infection.
Basic steps to remove it:
If you have multiple systems, make sure you clean all of them.
The full Microsoft guide to protecting yourself from Conficker is here.
Good luck; I had to deal with a Conficker infection at a small client, about 30 servers spread across 12 sites, and it was not fun.
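The symptom the question describes (At1, At2, At3 jobs that run rundll32.exe against a randomly named module with an odd extension) is something a defender can check for across many machines before deciding whether a host needs the clean-up below. The following is an added example, not code from the thread or from Microsoft: it parses the verbose CSV that `schtasks /query /fo CSV /v` produces on Windows (the column names "TaskName" and "Task To Run" are assumed from that tool's output), flags AT-style job names and rundll32 modules without a .dll extension, and reports commands shared by several At<n> jobs. The rows in SAMPLE_CSV are constructed from the asker's own command string so the check runs offline.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to the
# columns this check reads ("TaskName" and "Task To Run"; real output has many
# more). Some schtasks versions repeat the header line before every task, so a
# duplicate header row is included here and discarded by the parser.
SAMPLE_CSV = (
    '"HostName","TaskName","Status","Task To Run","Author"\n'
    '"SRV01","At1","Running","rundll32.exe zfypspqu.u,ygxjgq","SRV01\\Administrator"\n'
    '"HostName","TaskName","Status","Task To Run","Author"\n'
    '"SRV01","At2","Running","rundll32.exe zfypspqu.u,ygxjgq","SRV01\\Administrator"\n'
    '"SRV01","Backup-SQL","Ready","C:\\Scripts\\backup.cmd","CORP\\dba"\n'
    '"SRV01","At3","Ready","rundll32.exe shell32.dll,Control_RunDLL","CORP\\admin"\n'
)

# Jobs created with at.exe are named At<n>; the Task Scheduler UI never does this.
AT_NAME_RE = re.compile(r"^At\d+$", re.IGNORECASE)
# rundll32[.exe] <module>[,<entry point>], with an optional drive-letter path.
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r"(?P<module>[^,\s]+)(?:,(?P<entry>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_schtasks_csv(text):
    """Return one dict per task from verbose schtasks CSV, dropping repeated headers."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["TaskName"] == "TaskName":
            continue
        rows.append(row)
    return rows


def parse_rundll32(command):
    """Split a rundll32 command line into (module, entry point); None if not rundll32."""
    m = RUNDLL_RE.match(command.strip())
    if not m:
        return None
    return m.group("module"), m.group("entry")


def assess_task(task):
    """Return a finding dict for a suspicious task, or None for an unremarkable one."""
    name = task["TaskName"].lstrip("\\")  # Vista and later prefix task names with "\"
    command = task["Task To Run"]
    reasons = []
    high = False
    if AT_NAME_RE.match(name):
        reasons.append("AT-style job name (At<n>): created through at.exe, not the Task Scheduler UI")
    parsed = parse_rundll32(command)
    if parsed is not None:
        module, entry = parsed
        # Legitimate rundll32 use loads a .dll; a module such as zfypspqu.u is the
        # pattern the question shows and is the strong signal here.
        if not module.lower().endswith(".dll"):
            high = True
            reasons.append(f"rundll32 loads '{module}' (entry {entry!r}), a module without a .dll extension")
    if not reasons:
        return None
    return {"name": name, "command": command,
            "severity": "high" if high else "low", "reasons": reasons}


def find_suspicious_tasks(schtasks_csv):
    """Assess every parsed task; high-severity findings come first, then by name."""
    findings = [f for f in (assess_task(t) for t in parse_schtasks_csv(schtasks_csv)) if f]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["name"]))


def repeated_at_commands(schtasks_csv):
    """Commands shared by more than one At<n> job: the recurring-reinfection pattern."""
    seen = {}
    for t in parse_schtasks_csv(schtasks_csv):
        if AT_NAME_RE.match(t["TaskName"].lstrip("\\")):
            seen.setdefault(t["Task To Run"], []).append(t["TaskName"])
    return {cmd: names for cmd, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_CSV):
        print(f"[{f['severity'].upper()}] {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
    for cmd, names in repeated_at_commands(SAMPLE_CSV).items():
        print("Same command in", ", ".join(names) + ":", cmd)
```

On a real host, replace SAMPLE_CSV with the saved output of `schtasks /query /fo CSV /v`; an At<n> job whose module lacks a .dll extension is reported as high, while an At<n> job that loads a normal DLL (the At3 row) is only reported as low, since AT jobs are also created by legitimate administrators.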
If possible, try to scan, disinfect and patch all the computers on the network; I had a bad experience with it (the B variant, our network had about 300 computers across 3 sites).
http://www.confickerworkinggroup.org
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise#toc10
I updated a batch file (from somewhere on the internet) to apply via GPO:
@echo off
REM ########################################
REM Version 6 - 10:19pm Pacific Jan 4th, 2009
REM Created by Ckemper and Shainw
REM For disabling infection points and potentially removing Conficker.B malware
REM http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B
REM #####################################
REM #####################################
REM
REM Modify <domain.com> to your domain name in the script portion below.
REM Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\<domain.com>\scripts folder (aka, Netlogon share).
REM
REM Please drop the following tools\files in the Netlogon share for this to work
REM
REM Getver.exe - attached with this batch file.
REM SC.EXE - attached with this batch file (can get from a WS2003 or Windows XP system, not native to Windows 2000)
REM REG.exe - attached with this batch file (can get from WS2003 or Windows XP system, not native to Windows 2000)
REM windows-kb890830-v2.6.exe - x86 version of MSRT, available from Microsoft Security Support Engineer
REM windows-kb890830-x64-v2.6.exe - x64 version of MSRT, available from Microsoft Security Support Engineer
REM sleep.exe - for use with the MSRT tool, attached with batch file
REM Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except
REM the Itanium update as this script does not support Itanium. Place all 3 updates in the Netlogon directory.
REM Security update MS08-038 for Windows Vista and Windows Server 2008 - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to
REM autorun, same as the one listed above in KB953252.
REM
REM Place all above in the netlogon directory and edit the <domain.com> values in the script below.
REM
REM Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the
REM script runs under the machine account.
REM Link the GPO with the Startup Script to the OU and Groups where you want it to apply.
REM
REM We do not recommend you use this on DC's or critical servers, those should be cleaned manually so that the services
REM disabled below do not need to be left disabled for an extended period of time.
REM
REM Also note that you can set both the Server service (lanmanserver) and Task Scheduler server (schedule) to disabled via group policy
REM If that is done, then those items can be remarked out below
REM
REM ###########################################
REM
REM
REM Methods of spread we will be disabling -
REM
REM
REM We will disable the Server service and Task Scheduler service.
REM
REM Why disable the Server service? This is due to Weak Passwords which the malware attempts to exploit.
REM The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a
REM complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question
REM mark or exclamation point.
REM
REM Why disable the Task Scheduler service? This is because the malware creates several AT jobs that run every hour to reinfect the system.
REM
REM MS08-067 security update. This security update needs to be applied ASAP via your normal patch management process.
REM http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
REM
REM Why install MS08-067? This is the main attack vector of the malware.
REM
REM Autorun - To block the autorun feature, we must apply an and set a registry value.
REM
REM Why disable Autorun? This is because the malware drops a binary file called Autorun.inf on all removable drives.
REM
REM
REM For environments that use Windows Update to deploy updates. This section will install MS08-067.
REM You must place the updates that was downloaded from the link above in the Netlogon share and modify <domain.com>
REM to your domain. Also, you must remove the REM**** from in front of the lines, note there is one at the bottom also. Note that the
REM Windows Vista and WS2008 file is the same for both - Windows6.0-KB958644-x86.msu.
REM
if /i %PROCESSOR_ARCHITECTURE% == IA64 goto :End
REM ****IF not exist %windir%\$NtUninstallKB958644$ goto Check
REM ****IF exist %windir%\$NtUninstallKB958644$ goto Clean
REM ****:Check
REM ****IF not exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Install
REM ****IF exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Clean
REM ****:Clean
REM
REM Checking if already run successfully
REM
\\<domain.com>\netlogon\sc.exe query wuauserv | find "STOPPED" > nul
if %ErrorLevel% EQU 0 goto INIT
if %ErrorLevel% EQU 1 goto END
:INIT
REM
REM Stopping and Disabling services
REM
\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto SC_Stop
if %ErrorLevel% EQU 51 goto SC_Stop
if %ErrorLevel% EQU 52 goto SC_Stop
if %ErrorLevel% EQU 60 goto Vista_2008Server_SC_Stop
:SC_Stop
\\<domain.com>\netlogon\sc.exe stop lanmanserver
\\<domain.com>\netlogon\sc.exe stop schedule
\\<domain.com>\netlogon\sc.exe config lanmanserver start= disabled
\\<domain.com>\netlogon\sc.exe config schedule start= disabled
goto MSRT_RUN
:Vista_2008Server_SC_Stop
\\<domain.com>\netlogon\reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
goto MSRT_RUN
:MSRT_RUN
REM
REM Running MSRT locally
REM
REM
REM Checking for x86 or x64
REM Make sure to edit the <servername>\<share> in the lines below so the logs can be copied up to a central server if desired.
REM Otherwise the copying of the mrt.log can be remarked out.
REM Notice the copy of the MRT.log up to a central location has <servername>\<share with write perms>. This is on purpose.
REM In most cases, opening a share with everyone write permissions on a DC is not recommended, it is suggested to use a
REM member server or workstation.
REM
if /i %PROCESSOR_ARCHITECTURE% == x86 goto x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto x64
:x86
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\Windows-KB890830-V2.6.exe /q
copy %windir%\debug\mrt.log \\<servername>\<share>\Logs\%computername%_%username%_mrt.log
goto Tasks
:x64
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\windows-kb890830-x64-v2.6.exe /q
copy %windir%\debug\mrt.log \\<servername>\<share>\%computername%_%username%_mrt.log
goto Tasks
REM
REM Deleting all scheduled tasks, we have to do this due to the potential random naming of the scheduled task job.
REM Note, even though we are disabling the Task Scheduler service above, these still need to be removed for when the Task Scheduler service is
REM started up again. Erase command is available on Windows 2000 and above OS, so we do not need to make it available on the Netlogon share.
REM
:Tasks
attrib -h %windir%\tasks\*.job
AT /delete /yes
REM old entry - erase %windir%\tasks\*.job /f /q
REM
REM Checking for and installing Autorun hotfix. Turning off Autorun for all drives, the malware can spread via this mechanism.
REM Download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
REM Download the Windows Vista and Windows Server 2003 update - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM
IF not exist %windir%\$NtUninstallKB950582$ goto Next
IF exist %windir%\$NtUninstallKB950582$ goto Autorun
:Next
IF not exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto 950582
IF exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto Autorun
:950582
REM
REM Checking OS version for install of KB950582
REM
\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto Win2K_950582
if %ErrorLevel% EQU 51 goto WinXP_950582
if %ErrorLevel% EQU 52 goto Win2003_950582
if %ErrorLevel% EQU 60 goto Vista_2008Server_950582
REM
REM WIN2k section
REM
:Win2k_950582
\\<domain.com>\netlogon\Windows2000-KB950582-x86-ENU.EXE /quiet /norestart
goto Autorun
REM
REM WINXP section
REM
:WinXP_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto WinXP_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto WinXP_950582_x64
:WinXP_950582_x86
\\<domain.com>\netlogon\WindowsXP-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun
:WinXP_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun
REM
REM WIN2003 section
REM
:Win2003_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Win2003_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Win2003_950582_x64
:Win2003_950582_x86
\\<domain.com>\netlogon\WindowsServer2003-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun
:Win2003_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun
REM
REM Vista_2008 section
REM
:Vista_2008Server_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Vista_2008Server_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Vista_2008Server_950582_x64
:Vista_2008Server_950582_x86
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x86.msu /quiet /norestart
goto Autorun
:Vista_2008Server_950582_x64
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x64.msu /quiet /norestart
goto Autorun
:Autorun
REM The Explorer policy value is NoDriveTypeAutoRun; 0xff disables Autorun on every drive type.
\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
REM
REM Removing Hidden setting
REM
\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
REM
REM Enabling Automatic Updates, Background Intelligent Transfer and Error Reporting services
REM
\\<domain.com>\netlogon\sc.exe config wuauserv start= auto
\\<domain.com>\netlogon\sc.exe config BITS start= auto
\\<domain.com>\netlogon\sc.exe config ERsvc start= auto
REM
REM Restarting
REM
Shutdown.exe /r
REM ****:Install
REM ****\\<domain.com>\netlogon\GETVER.EXE > nul
REM ****if %ErrorLevel% EQU 50 goto Win2K
REM ****if %ErrorLevel% EQU 51 goto WinXP
REM ****if %ErrorLevel% EQU 52 goto Win2003
REM ****if %ErrorLevel% EQU 60 goto Vista_2008Server
REM ****:Win2k
REM ****\\<domain.com>\netlogon\Windows2000-KB958644-x86-ENU.EXE /quiet /forcerestart
REM ****:WinXP
REM ****\\<domain.com>\netlogon\WindowsXP-KB958644-x86-ENU.exe /quiet /forcerestart
REM ****:Win2003
REM ****\\<domain.com>\netlogon\WindowsServer2003-KB958644-x86-ENU.exe /quiet /forcerestart
REM ****:Vista_2008Server
REM ****wusa.exe \\<domain.com>\netlogon\Windows6.0-KB958644-x86.msu /quiet
:End
Exit