办公电脑被集团公司通报两次,存在病毒病,并不断攻击其它电脑要求处理。系统重装了,杀毒软件也上了,还是没有清除。估计是硬盘被感染了,电脑权限被黑客夺了。
结束所有运行程序,断开网络,查询运行端口
netstat -a
活动连接
协议 本地地址 外部地址 状态
TCP 0.0.0.0:135 wxdw-PC:0 LISTENING
TCP 0.0.0.0:445 wxdw-PC:0 LISTENING
TCP 0.0.0.0:5357 wxdw-PC:0 LISTENING
TCP 0.0.0.0:11200 wxdw-PC:0 LISTENING
TCP 0.0.0.0:16422 wxdw-PC:0 LISTENING
TCP 0.0.0.0:18386 wxdw-PC:0 LISTENING
TCP 0.0.0.0:21531 wxdw-PC:0 LISTENING
TCP 0.0.0.0:28653 wxdw-PC:0 LISTENING
TCP 0.0.0.0:49152 wxdw-PC:0 LISTENING
TCP 0.0.0.0:49153 wxdw-PC:0 LISTENING
TCP 0.0.0.0:49154 wxdw-PC:0 LISTENING
TCP 0.0.0.0:49155 wxdw-PC:0 LISTENING
TCP 0.0.0.0:49179 wxdw-PC:0 LISTENING
TCP 10.0.0.3:139 wxdw-PC:0 LISTENING
TCP 10.0.0.3:49425 220.181.163.130:http ESTABLISHED
TCP 10.0.0.3:49444 58.56.65.100:7534 ESTABLISHED
TCP 10.0.0.3:49467 203.119.129.47:https ESTABLISHED
TCP 10.0.0.3:49472 180.149.145.242:https CLOSE_WAIT
TCP 10.0.0.3:49635 115.239.210.219:5287 ESTABLISHED
TCP 10.0.0.3:49641 115.239.210.219:5287 ESTABLISHED
TCP 10.0.0.3:49661 113.96.232.146:8080 ESTABLISHED
TCP 10.0.0.3:49674 58.217.200.62:http CLOSE_WAIT
TCP 10.0.0.3:49686 58.217.200.62:http CLOSE_WAIT
TCP 10.0.0.3:51028 180.149.133.176:http LAST_ACK
TCP 10.0.0.3:51515 103.231.98.196:https TIME_WAIT
TCP 10.0.0.3:51585 180.163.255.156:https ESTABLISHED
TCP 10.0.0.3:51609 180.163.255.156:https ESTABLISHED
TCP 10.0.0.3:51622 180.163.255.156:https ESTABLISHED
TCP 10.0.0.3:51627 58.222.38.24:https TIME_WAIT
TCP 10.0.0.3:51793 106.39.162.97:https CLOSE_WAIT
TCP 10.0.0.3:51795 58.217.200.62:http TIME_WAIT
TCP 10.0.0.3:51798 59.37.97.23:https ESTABLISHED
TCP 10.0.0.3:51801 101.227.22.158:http TIME_WAIT
TCP 10.0.0.3:51802 193.112.237.121:http TIME_WAIT
TCP 10.0.0.3:51803 193.112.237.121:http TIME_WAIT
TCP 10.0.0.3:51804 193.112.237.121:http TIME_WAIT
TCP 10.0.0.3:51805 101.227.200.22:http CLOSE_WAIT
TCP 10.0.0.3:51806 101.227.22.158:http CLOSE_WAIT
TCP 10.0.0.3:51807 180.149.133.176:http ESTABLISHED
TCP 10.0.0.3:51808 117.48.124.216:http TIME_WAIT
TCP 10.0.0.3:51809 117.48.124.156:http TIME_WAIT
TCP 127.0.0.1:7475 wxdw-PC:0 LISTENING
TCP 127.0.0.1:8088 wxdw-PC:0 LISTENING
TCP 127.0.0.1:10000 wxdw-PC:0 LISTENING
TCP 127.0.0.1:16888 wxdw-PC:0 LISTENING
TCP 127.0.0.1:20871 wxdw-PC:0 LISTENING
TCP 127.0.0.1:21440 wxdw-PC:0 LISTENING
TCP 127.0.0.1:21441 wxdw-PC:0 LISTENING
TCP 127.0.0.1:45777 wxdw-PC:0 LISTENING
TCP 127.0.0.1:56741 wxdw-PC:56746 ESTABLISHED
TCP 127.0.0.1:56746 wxdw-PC:56741 ESTABLISHED
TCP [::]:135 wxdw-PC:0 LISTENING
TCP [::]:445 wxdw-PC:0 LISTENING
TCP [::]:5357 wxdw-PC:0 LISTENING
TCP [::]:49152 wxdw-PC:0 LISTENING
TCP [::]:49153 wxdw-PC:0 LISTENING
TCP [::]:49154 wxdw-PC:0 LISTENING
TCP [::]:49155 wxdw-PC:0 LISTENING
TCP [::]:49179 wxdw-PC:0 LISTENING
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:18386 *:*
UDP 0.0.0.0:20871 *:*
UDP 0.0.0.0:30550 *:*
UDP 0.0.0.0:50317 *:*
UDP 0.0.0.0:53817 *:*
UDP 0.0.0.0:54515 *:*
UDP 0.0.0.0:58746 *:*
UDP 0.0.0.0:60000 *:*
UDP 0.0.0.0:61660 *:*
UDP 0.0.0.0:64976 *:*
UDP 10.0.0.3:137 *:*
UDP 10.0.0.3:138 *:*
UDP 10.0.0.3:1900 *:*
UDP 10.0.0.3:2177 *:*
UDP 10.0.0.3:50703 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:50704 *:*
UDP 127.0.0.1:52303 *:*
UDP 127.0.0.1:61659 *:*
UDP 127.0.0.1:62533 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:4500 *:*
UDP [::]:5355 *:*
UDP [::]:64977 *:*
UDP [::1]:1900 *:*
UDP [::1]:50702 *:*
UDP [fe80::5942:18bd:8edf:d2c6%11]:1900 *:*
UDP [fe80::5942:18bd:8edf:d2c6%11]:2177 *:*
UDP [fe80::5942:18bd:8edf:d2c6%11]:50701 *:*
说明是中招了。
处置方法:
(1)禁用所有可疑开机启动项
(2)取消远程协助和远程桌面连接
(3)关闭137、138、139、445和3389端口,
执行如下批命令
%1 mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c %~s0 ::","","runas",1)(window.close)&&exit
@echo off
color 1f
title 关闭135 137 138 139 445 3389 端口
echo.
echo.
echo.
echo 正在关闭135端口 请稍候…
netsh advfirewall firewall add rule name = "Disable port 135 - TCP" dir = in action = block protocol = TCP localport = 135
echo.
netsh advfirewall firewall add rule name = "Disable port 135 - UDP" dir = in action = block protocol = UDP localport = 135
echo.
echo 正在关闭137端口 请稍候…
netsh advfirewall firewall add rule name = "Disable port 137 - TCP" dir = in action = block protocol = TCP localport = 137
echo.
netsh advfirewall firewall add rule name = "Disable port 137 - UDP" dir = in action = block protocol = UDP localport = 137
echo.
echo 正在关闭138端口 请稍候…
netsh advfirewall firewall add rule name = "Disable port 138 - TCP" dir = in action = block protocol = TCP localport = 138
echo.
netsh advfirewall firewall add rule name = "Disable port 138 - UDP" dir = in action = block protocol = UDP localport = 138
echo.
echo 正在关闭139端口 请稍候…
netsh advfirewall firewall add rule name = "Disable port 139 - TCP" dir = in action = block protocol = TCP localport = 139
echo.
netsh advfirewall firewall add rule name = "Disable port 139 - UDP" dir = in action = block protocol = UDP localport = 139
echo.
echo 正在关闭445端口 请稍候…
netsh advfirewall firewall add rule name = "Disable port 445 - TCP" dir = in action = block protocol = TCP localport = 445
echo.
netsh advfirewall firewall add rule name = "Disable port 445 - UDP" dir = in action = block protocol = UDP localport = 445
echo 正在关闭3389端口 请稍候…
netsh advfirewall firewall add rule name = "Disable port 3389 - TCP" dir = in action = block protocol = TCP localport = 3389
echo.
echo 按任意键退出
pause>nul
(4)启动系统审核策略
“开始”——“运行”框中输入“gpedit.msc”进入组策略编辑器,在计算机配置——Windows设置——安全设置——本地策略——审核策略中,将审核登录事件、审核对象访问、审核系统事件和审核帐户登录事件启用成功方式的审核。
(5)用户权利指派
同样在组策略编辑器,在计算机配置——Windows设置——安全设置——本地策略——用户权利指派中,将“从网络访问此计算机”策略中的所用用户都删除,在“拒绝从网络访问此计算机”策略中确保已有“everyone”帐户,然后再删除“通过终端服务允许登录”策略中的所有用户,并确保在“通过终端服务拒绝登录”策略中有“everyone”帐户。
(6)禁用系统默认共享
在组策略编辑器中,计算机配置——Windows设置——安全设置——安全选项,将“网络访问:不允许SAM帐户的匿名枚举”及“网络访问:不允许SAM帐户和共享的匿名枚举”全部启用;将“网络访问:可匿名访问的共享”、“可匿名访问的管道”及“可远程访问的注册表路径”中的内容全部删除。
(6)安装杀毒软件查杀
