
Emergency-Response-Notes

★ 5.6k updated 3y ago

Practical notes on emergency response: a security engineer's self-cultivation.

A Chinese-language security reference covering computer intrusion response for Windows and Linux: detecting webshells, analyzing logs, identifying attacker persistence techniques, and walking through real ransomware and cryptomining case studies.

setup: easy; complexity: 3/5

Emergency Response Notes is a Chinese-language reference collection for security engineers who need to investigate and handle computer intrusion incidents. The author describes it as personal study notes built up from real case analysis, covering the full arc from discovering that a system was compromised through to cleaning it up.

The content is organized into six chapters. The first covers intrusion investigation on both Windows and Linux systems, including how to detect webshells (files attackers plant on web servers to maintain access) and how to respond to ransomware infections. The second chapter is about log analysis, covering Windows event logs, Linux system logs, web server logs, and database logs from MySQL and MSSQL.

The third chapter addresses persistence techniques, meaning the methods attackers use to keep access even after a victim reboots or patches. It covers hidden files and backdoors on both Windows and Linux, file download methods, and common webshell management tools used by attackers. The fourth and fifth chapters walk through practical Windows and Linux case studies, including FTP brute-force attacks, trojan viruses, ransomware, cryptomining malware, DDoS infections, and rootkits.

The sixth chapter focuses on web-specific incidents: sites that had webshells injected, sites hijacked to serve cryptomining scripts, bulk defacement attacks, hijacking of news sources and mobile traffic, search engine hijacking, and administrator account tampering.

The project is defensive in nature. The intended reader is a security professional or aspiring security engineer who wants case-based guidance on what to look for and how to contain damage after a breach. The README is in Chinese, and the full content is published as a GitBook site.

Where it fits