1.起因
本文聚焦于我的Linux Honeypot,她在网络中散发着阵阵蜜香,引诱蠕虫和各路客们的光临。为了让honeypot 更加attractive,都要采取一些处理方式。最近邮件列表中还有过这种讨论,有个家伙说他朋友在某黑客IRC 中公布了honeypot 的IP 地址,结果一帮罗马利亚黑客入侵后发现是一个蜜罐系统,所有动作都被完整记录,于是愤怒了,采用分布式拒绝服务方式疯狂报复,导致临近网络瘫痪一个月之久。
所以,在引诱入侵者的时候要讲究技巧。上个月我曾和一个朋友聊起我的方法:
建立一个普通用户账号,密码同用户名,在控制台上用该账号登录,让他一直发呆,同时确认系统开放着finger 服务。比较怀旧的入侵者对finger还是情有独钟的,企图finger出一大堆用户名,然后简单猜测密码进入系统,期望能够与后生可畏的Script Kids 们划清界限。
没想到我的朋友记忆力特别好,事隔一个月,在我没发请柬的情况下,轻车熟路的找到honeypot,然后用那个普通账号登录了进去。
明明知道这是个蜜罐系统,所有行为都被监控和记录,还要企图本地拿root、安装后门、作为肉鸡攻击其他机器,不就是在舞台上表演请观众们欣赏么?这就是入侵秀一词的由来。
下面就让我们一起来观摩这场表演,素材主要来源于日志服务器收集到的系统日志、历史命令,以及Snort 录下的会话过程。当然,为了节约篇幅和保护隐私作了部分裁减。希望读者从各自的角度都能有所收获。
2.扫描
一个周六的下午,Snort 报警提示有来自202.X.X.X 的SuperScan 扫描,发送了一个ICMP Echo 的数据包测试系统是否存活:
2002-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X - 10.0.0.1
同时,系统日志记录了后续进行的端口探测活动:
Sinbad Technical Publications Page 2
2002-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2002-9-21 16:48 inetd[413]: pid 1318: exit status 1
2002-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2002-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2002-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2002-9-21 16:48 rshd[1318]: Connection from 210.X.X.X on illegal port
2002-9-21 16:48 telnetd[1313]: ttloop: peer died: EOF
2002-9-21 16:48 inetd[413]: pid 1316: exit status 1
2002-9-21 16:48 inetd[413]: pid 1313: exit status 1
2002-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2002-9-21 16:48 in.fingerd[1319]: connect from 210.X.X.X
2002-9-21 16:48 in.telnetd[1320]: connect from 210.X.X.X
注意到没有,这些端口连接的源地址不是发送ICMP Echo 的202.X.X.X,而是
210.X.X.X这个地址。很显然,我的朋友使用了TCP/UDP协议的代理跳板,而
ICMP 协议不被该跳板支持,所以他的真实IP 地址也暴露了。
3.本地越权尝试
用我的诱饵账号tom轻松登入,一次成功,就像进自己家一样:
2002-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
2002-9-21 16:52 PAM_pwdb[1321]: (login) session opened for user tom by(uid=0)
用cat 重定向加粘贴方式传送一段本地越权脚本到系统内,请注意时间差,他的翻箱倒柜花了4 分钟:
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 w
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 pwd
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 cd ..
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cd tom
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cat 1.sh
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 chmod 755 1.sh
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 ./1.sh
2002-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 3
输入./1.sh 执行后的结果呢?我们通过检查Snort 的SESSION录像后发现,系统由于缺少相关库文件,没成功。注意:录像中命令输入的每个字符都出现了两遍,这是终端的回显功能,Snort是忠实的作了双向记录:
[tom@abc tom]$ ..//11..sshh
+-----------------------------------------------------------+
| Linux kernel 2.2.X (X
| local root exploit |
| |
| Bugs found and exploit wr#tten by Wojciech Purczynski |
| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet |
+-----------------------------------------------------------+
Creating temporary directory
Creating anti-noexec library (capdrop.c)
Compiling anti-noexec library (capdrop.so)
Creating suid shell (sush.c)
Compiling suid shell (sush.c)
Creating shell script
Creating own sm.cf
Dropping CAP_SETUID and calling sendmail
/bin/true: error in loading shared libraries: /tmp/foo/capdrop.so: cannot open shared object file:
No such file or directory
Waiting for suid shell (/tmp/sush)
[tom@abc tom]$ llss
第一次尝试失败,删除1.sh,同时留下“XXXX到此一游”的签名。也好,知道是你干的了J
2002-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 rm -rf 1.sh
2002-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 echo haha shi wo XXXX haha.txt
我的朋友开始闲逛了,好像没什么收获:
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd /tmp
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd foo
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 4
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd ..
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls -al
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd .font-unix
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls -al
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd home
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd ftp
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:01 -bash: HISTORY: PID=1322 UID=500 ps -ef
4.第二次本地越权尝试
重新换了个本地越权程序,编译后又立即把它删除了?
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cd ~tom
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cat su.c
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 rm -rf su.c
原来是编译的时候出错了。源代码中有些字符在用cat 重定向粘贴的时候出了问题:
[tom@abc tom]$ ggcccc - -oo ssuu susu..cc
su.c unterminated character constant
Sinbad Technical Publications Page 5
换种方式,vi 一个新文件,往里面贴:
2002-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 vi su.c
2002-9-21 17:07 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
这次的效果更加不好,出现了三个错误。同时我们也注意到,记录下来的的输入命令部分有大量的[A、[D 字符,这其实是在用上下键寻找刚才敲过的历史命令“gcc ?o su su.c”,看来他是够懒的
[tom@abc tom]$ [Avi su.c[A[D[D[D[D[D[D[D[4@rm -rf su.c[A[D[D[D[D[D[D[D[D[D[D[Dls[K[A[D[Dgcc -o su su.c
su.c unterminated character constant
su.c:523: unterminated string or character constant
su.c possible real start of unterminated constant
又留下一句话“以后有空再搞”,走了。周末下午的5 点多,应该有活动吧:
2002-9-21 17:09 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 rm -rf *.c
2002-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 echo kao,y
