The following article mainly introduced the actual operation method of the hacker entering the server to hide himself. The following hiding plans were summarized by myself in the actual operation, and the specific situation depended. Generally speaking, the ways to hide oneself after entering a server were as follows:

I like to hide everywhere, so I summarized some hidden plans

then, generally speaking, there were some ways to hide themselves after entering a server:

1, superdoor clone, but there was a bug. It was not a good thing to rely on IPC to clone brother Rong’s ca

Netuser couldn’t see

2 and create a hidden account like count$, but he could ¡° Manage -> Customer ¡± You can see it in ¡° My computer -> Property -> The user profile ¡± An unknown account number was displayed in the document and setting. There was a folder with count$in it. It was not a good idea. I made some results on the 3 computers, but they were all kill

3, write a guest When VBS was started, the user could create an account or activate the guest or tsinternetuser, and then install the key in the Winlogon of the guest In this way, he created a ghost account in VBS

or install it in [HKEY LOCAL MACHINESoftwareMicrosoftCommand Processor]

” AutoRun”=& quot; C:\Program Files\guest. vbs”

this is associated with CMD. As long as it runs, it will be established

4, like the glacier, it is related to txt and exe. If you run TXT, you will run our program

5. Set up a self operating item in the group policy

6, set the file connection, run the notebook or activate VBS

7, plant hackdefender, hack’sdoor, WINSHELL, Wuhan boy and other backdoors, but they were easily found out. If it didn’t work, then &hellip& hellip; Ha ha

8. Add some files and replace the frequently used files with the RAR self extracting files. It not only contains the original EXE file, but also runs its own program, which is a binding made by WinRAR that can not be found. After it runs, repeat the steps 3, 4 and 5. It’s up to you

9. During the search, he found that hideadmin was a good thing. It required the administrator to have the authority to hide the user whose name was in the form of a dollar. He was so handsome! He was nowhere to be found in the command line, the management interface and the user profile! It’s so strong that I don’t know how to remove it. I can only let him stay here! Then the sect leader also had a tool, which had the same effect

10. Replace the telnet or termsvc with another service or a new one

11. Clone a hidden account in the domains by hand. It seems to be a very good method spreading online, but after my 2000 server test, perhaps it is because it is not in the account, and there is no such key as’ domain ‘or’ account ‘, so I can’t find it

but he still explained in detail: in

Windows 2000 and Windows NT, the SID of the administrator’s account is a fixed number of 500 (0x1f4), so we can clone the account with the SID of 500 with an existing account in the machine. Here, the account we choose is the one with the SID of 500_ MachineName

in CMD,

regedit /e admin reg HKEY_ LOCAL_ MACHINESAMSAMDomainsAccountUsers000001F4

, please export the information about the admin. account with the SID of 500 and edit it In the reg file, add admin The third line of the reg file

[HKEY LOCAL MACHINESAMSAMDomainsAccountUsers000001F4]

*** ¡¯ 1F4¡¯ Revised to IUSR_ MachineName’s SID (for most machines, the user’s SID should be 0x3E9. If the machine didn’t install IIS when it was first installed, and she created an account and then installed IIS, it might not be the same value.) In the reg file, ¡¯ 1F4¡¯ It was changed to ¡¯ 3E9¡¯ The other one is that you need to modify the account’s value

regedit /e iusr. reg HKEY_ LOCAL_ MACHINESAMSAMDomainsAccountUsers000003E9

, iusr In the reg file, ¡° ” V’=hex:0¡± Iusr The reg file was copied and replaced with adam In reg*** Use regedit /s adam Reg installed the Reg file and then ran net user IUSR_ MachineName password changed IUSR_ The password of MachineName. OK, great success

now IUSR_ The MachineName account has the right to be an administrator, but you use net There would be no trace of user management in exe and the management tools. Even if you checked the group and user that belonged to, there would be no difference from before the modification

the above content is an introduction to how a hacker can hide himself in the server. I hope you can gain something

the relevant content is a description of how a hacker could hide himself in the server. I hope it can help you in this respect