Chapter 251: Ghosts
The situation at the nodes of the Fermilab network was very strange to Edward.
The other party's network, which had already been infected with the tree worm, had returned to normal on its own for no apparent reason, and what was even funnier was that the other party thought the SPAN network security center had successfully removed the worm.
What the hell is going on over there?
Edward thought that maybe Fermilab computers had the answers he wanted.
He contacted Todd again and finally confirmed that there were many network nodes in other places that, although still connected to the network, seemed to be invulnerable: the tree worm seemed to ignore them and automatically bypassed their nodes.
These places are also strange.
Could it be that the security measures of the computers in these places were so well in place that the tree worm could not attack them at all?
Or is there something in these computers that worms are afraid of?
Edward felt more and more that he was getting closer to the truth of the matter.
Perhaps, the solution to the tree worm is hidden in those computers.
He decided to go to the scene immediately to see for himself, and since it was just his personal thought, he told only Theodore the news and no one else.
When Theodore heard him say that it was possible to find a way to restrain the worms, he seized on it as if he had grasped a life-saving straw, told him to set off immediately, and asked him to report the situation at any time.
Edward traveled non-stop for a day and a night, sleeping on the way, and finally arrived at the office of the Nine Astronomy Center of Erie with a tired face, and Anthony warmly received him.
Edward didn't care about resting, so he followed Anthony directly to the computer room in the network center and began to conduct a comprehensive analysis and testing of the servers in the computer room.
"We don't have viruses or worms in our servers, do we?" Anthony said with some apprehension on the side.
"I won't know until I've tested them. However, this is unlikely, and I came this time mainly to find out why these servers were automatically back up and running."
"What? Did I hear that right? Didn't you fix the previous failure?" Anthony was shocked.
Edward shook his head helplessly. "No."
He thought about it, and he kept trying, but it didn't work.
Anthony also came back to his senses at this time.
He thought it was ridiculous: the security experts from the SPAN network center had come here to find out why the server had automatically returned to normal!
"Hehe, then you check slowly, I'll go back to my job first, if you need help, just call me."
"Okay, thank you."
Edward didn't raise his head either, his eyes fixed on what was on the monitor.
The first thing he looked at was the computer's system processes, which were normal, and then the user processes, which were also normal.
Very clean, without any superfluous programs.
He then began to look for the most recently modified files on the disk, in the date range after Anthony had called him.
He used the search command to quickly list all the files that had been modified in the past two days, about 300 in total.
He looked them over one by one, checking their dates, sizes, and properties to see if anything was suspicious.
Half an hour later, Edward's brow furrowed deeply, and the result he got was - everything was fine!
He checked the security settings of this machine, which could only be called average, and from these settings and the computer logs he could judge that Anthony's technical level was also only average, with nothing outstanding at all.
This is so weird, why is this server not infected with the tree worm?
It doesn't look like anything special, does it?
Edward was a little unconvinced. The server was connected to the network, so he downloaded the source files of the worm from the FTP server inside the SPAN and then manually ran it on the computer.
As a result, he was shocked to find that the worm program had disappeared directly.
Disappeared out of thin air?!
That's impossible!
Edward stood up in shock.
The tree worm disappeared from the disk before it could be run successfully, as if an invisible hand had deleted it directly.
Edward downloaded the tree worm again and tested it again, and it was still the same result.
The response is so fast, there must be a process running that can detect the presence of the tree worm and then remove it directly.
Edward re-examined the running processes, looking at them one by one, analyzing their specific functions, but he still couldn't find out which process had done the action.
"Which process the hell is it?"
Edward locked horns with it: he downloaded the worm again, only for it to be deleted again, and again and again...
"No, I need to calm down."
Edward suppressed his inner anxiety and sorted out his thoughts.
"The fact that it detects the presence of the tree worm so quickly means that it must be running, ready to detect programs running in memory..."
"It can't be seen from inside the process, which means it hides its ..."
"The process runs in memory, and the command shows the process; that is, it reads a specific data structure in memory. And it can hide itself. Does it modify the data structure that holds the process information?"
Edward sorted out his thoughts step by step, and came to such a shocking conclusion!
Nothing like this has ever happened before.
Edward thought about it for a long time and thought it was a very big possibility.
So, he ran to Anthony's desk outside the computer room and called Theodore on his phone, asking him to immediately help him find a tool that could detect what was running in memory.
Theodore replied immediately. Although the members of their security team did not know much about VMS system security issues, they had studied these aspects in depth, and some of them happened to have such tools on hand, which were usually used to crack software programs.
The "ramdetect" software was immediately downloaded to the server.
Edward first ran it and checked, and there was nothing out of the ordinary. He left the software running in the background and set it to save the process records currently in memory to the log file every second.
Then he downloaded the tree worm again, and after a flash, he immediately switched to the "ramdetect" interface, and again, there were no extra processes.
He exited the software, then found the folder he had set up earlier, and found a log file in it.
In just a dozen seconds, more than 200 lines of records had been saved in it.
Edward carefully analyzed the log file, and finally found a difference in the second half, which lifted his spirits.
The record saved at that moment had an additional process called "ghost".
Edward repeatedly compared the records before and after, and this process did not appear before or after, only in that second.
He tried it a few more times, estimated the time when this process would appear, and finally confirmed it.
It's just a flash, and it only appears in the memory record for a short second, and it really looks like a ghost!
"That's it!" Edward shouted excitedly.
It was this "ghost" program that removed the tree worm as soon as it detected it among the processes, and no matter what version the worm was, it could not escape its "magic eye".
Edward was glad he had found the reason, but what was this "ghost" program for? Why is it hidden inside? And how does it hide itself?
A series of new problems plagued Edward.
He checked all the machines in the other rooms of Fermilab, and sure enough, the process was inside them too.
Edward tried to get rid of it, but he couldn't find an effective way. Even to find traces of it, he had to use the tree worm as bait to make it appear in the data structure holding the in-memory process information; ordinarily, there was no way to know where in memory it was hiding, waiting for an opportunity.
Its technical strength not only shocked Edward, but also caused him to feel an inexplicable panic.
Although the tree worm was powerful, it could be found after all. It had some new features, but it was still within the category of worms and still had some of the fatal shortcomings of worms, such as repeated replication that caused network congestion, and it could easily be found among the processes, so it would be removed sooner or later.
But this "ghost" program really was like a ghost, extremely difficult to find. If it hadn't happened to encounter the tree worm outbreak this time, who knows how long it would have continued to hide, and who knows how long the ghost had already been buried here.
If, like the tree worm, it also wanted to steal confidential information, it would be even more terrifying than a worm.
Edward then downloaded a network packet protocol analysis tool from FTP and began to monitor the packets the server received and sent, unpacking and analyzing them. He wanted to see if the "ghost" was also sending data to the outside world.
The results of the analysis gave him some peace of mind: there were no special packets; that is, the ghosts in these servers had no contact with the outside world for the time being.
Just as Edward wanted to continue his analysis, Theodore called Edward to complain.
The further outbreak of the tree worm had seriously affected the normal operation of government functions, and people in the White House and the Pentagon had already contacted Theodore and asked them to restore the network as soon as possible.
With the pressure passed down one level at a time, Theodore in turn strictly ordered Edward to come up with an effective solution as soon as possible; otherwise they would all pack up and go home.
The ghost could restrain the tree virus; this was what Edward had seen with his own eyes. The most important task now was to remove all the tree worms on the network as soon as possible and get the network flowing again, so he decided to put aside the real purpose of the ghost for the moment and began to focus on how the ghost detected and killed worms.
To Edward's surprise, the ghosts, while also appearing to spread, seemed to be more organized and did not spread blindly.
"As long as you succeed in spreading the ghost, won't the crisis of the tree worm be successfully solved?" Edward thought so. This is the fastest way to solve the worm problem at the moment.