Full analysis of a Linux system intrusion
As the IT industry has matured, security has become critical. The recent "PRISM" revelations exposed a great many security problems and made information security an urgent concern. Operations staff must know a few basic security operating rules and, to protect the services they are responsible for, must first look at those services from the attacker's point of view and fix every potential threat and vulnerability.

This article walks through a case in which a server was found to carry a rootkit, covering the principles involved and the handling process after the intrusion. Rootkits are among the most common attack methods used against Linux systems.
1. Attack phenomenon

The machine is a customer's portal server hosted in a telecom data centre. The telecom provider notified the customer that the server was sending out so many packets that it had saturated its 100 Mbit/s link, so they had cut the server's network connection. The server runs CentOS 5.5 with ports 80 and 22 open to the outside world. According to the customer the web site's traffic is small and nowhere near 100 Mbit/s, so the server had most likely been hijacked to generate attack traffic. We logged in to examine it in detail.
2. Preliminary analysis

Working with the telecom staff, we monitored the server's traffic at the switch and confirmed that the host really was scanning port 80 on external addresses. We then logged in and ran netstat -an to inspect the open ports, but strangely found no network connection associated with port 80 at all.

ps -ef and top likewise showed no suspicious process, so we suspected that a rootkit had been planted. To confirm it, we compared the md5sum checksums of the web server's ps and top binaries against backup copies from a trusted installation of the same operating system version. Both binaries on the web server had been modified, so we concluded that the server had been compromised and fitted with a rootkit-level backdoor.
3. Disconnect the network and analyse the system

Because the server kept sending packets outward, the first step was to disconnect it from the network. We then analysed the system logs to look for the source of the attack. Since the system commands had been replaced, continuing to run the system's own tools would give unreliable results. There are two ways around this: remove the server's hard disk and mount it on a secure host for analysis, or copy all the commands from a trusted installation of the same operating system version to a directory on the compromised server and run them by their full path. We used the second method, with the trusted commands under /mnt/bin.
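The following script is an added example, not code from the original article: it automates the two points above, comparing each command on the suspect system against a trusted copy (the article kept those under /mnt/bin) and running the comparison with the trusted md5sum where one is available. Directories are parameters so the function can be exercised on a constructed tree; the names and contents of the demo "binaries" are made up.

```shell
#!/bin/sh
# Added example, not code from the original article. Compares the md5sum of
# each command on the suspect system with a copy taken from a trusted
# installation of the same OS version. On the real box call it as
#   verify_binaries /mnt/bin /bin ps ls netstat ...

# verify_binaries TRUSTED_DIR SUSPECT_DIR NAME...
# Prints "OK", "MODIFIED" or "MISSING" per name; returns 1 if anything is off.
verify_binaries() {
    trusted=$1; suspect=$2; shift 2
    # Use the trusted md5sum when one is present: the suspect system's md5sum
    # may be trojaned to report the expected hash for replaced binaries.
    md5=md5sum
    if [ -x "$trusted/md5sum" ]; then md5="$trusted/md5sum"; fi
    rc=0
    for name in "$@"; do
        if [ ! -f "$trusted/$name" ]; then
            echo "MISSING $name (no trusted copy)"; rc=1; continue
        fi
        if [ ! -f "$suspect/$name" ]; then
            echo "MISSING $name (absent on suspect system)"; rc=1; continue
        fi
        t=$("$md5" < "$trusted/$name" | cut -d' ' -f1)
        s=$("$md5" < "$suspect/$name" | cut -d' ' -f1)
        if [ "$t" = "$s" ]; then
            echo "OK $name"
        else
            echo "MODIFIED $name trusted=$t suspect=$s"; rc=1
        fi
    done
    return $rc
}

# build_demo_tree DIR: constructed stand-ins for /mnt/bin (trusted) and /bin
# (suspect). The "binaries" are text files so the demo runs anywhere; ps and
# top are altered to mimic what the rootkit did on the article's server.
build_demo_tree() {
    mkdir -p "$1/trusted" "$1/suspect"
    for n in ps top ls netstat; do
        printf 'genuine %s binary\n' "$n" > "$1/trusted/$n"
        cp "$1/trusted/$n" "$1/suspect/$n"
    done
    printf 'trojaned ps binary\n'  > "$1/suspect/ps"
    printf 'trojaned top binary\n' > "$1/suspect/top"
}

# Stand-alone demo.
demo=$(mktemp -d)
build_demo_tree "$demo"
if ! verify_binaries "$demo/trusted" "$demo/suspect" ps top ls netstat; then
    echo "system binaries modified: treat the host as rootkitted"
fi
rm -rf "$demo"
```

The trusted copies must come from exactly the same package versions as the suspect system, otherwise legitimate updates show up as MODIFIED. On an RPM-based system such as CentOS, rpm -Va run with a trusted rpm binary gives the same comparison against the package database, with the caveat that a rootkit with root access can tamper with that database too.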
We first reviewed the system login log for suspicious logins (more and grep here are the trusted copies as well):

more /var/log/secure | grep Accepted

One entry in the output stood out:

Oct  3 03:10:25 webserver sshd[20701]: Accepted password for mail from 62.17.163.186 port 53349 ssh2

It shows that at 03:10 on 3 October the account mail logged in successfully from 62.17.163.186. mail is a built-in system account that cannot log in by default, and 62.17.163.186 turned out to be an address in Ireland.

The time of the mail login puts it after the attack on the web server. We then checked the password file /etc/shadow and found a suspicious entry:

mail:$1$$W1evaY5BMPQIqfTwTVJiX1kCEd3yD6:15400:0:99999:7:::

Clearly a password has been set on the mail account and it has been turned into a remote-login account. The intruder presumably set it up as a hidden account so as to get back into the system later. We went on to the other system logs: /var/log/messages and /var/log/wtmp were empty files, so the intruder had wiped the logs. Why /var/log/secure was not emptied as well is unclear.
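The two checks just made by hand, an accepted ssh login by a system account and a system account carrying a real password hash, can be scripted so they run over the whole log rather than whatever catches the eye. The script below is an added example, not code from the original article; it runs over constructed copies of /var/log/secure, /etc/passwd and /etc/shadow. The only values taken from the article are the mail account, its login line and the IP 62.17.163.186; every other account, hash and address is made up.

```shell
#!/bin/sh
# Added example, not code from the original article. Flags ssh logins by
# system accounts and system accounts whose shadow entry holds a usable hash.

# CentOS 5 allocates UIDs below 500 to system accounts (UID_MIN=500 in
# /etc/login.defs). root (UID 0) is left out of the range because it
# legitimately has a password and logs in.
SYS_UID_MIN=1
SYS_UID_MAX=499

# accepted_logins SECURE_LOG: "user ip" for every login sshd accepted.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" |
    awk '{ u = ""; ip = "";
           for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
           print u, ip }'
}

# is_system_account USER PASSWD_FILE: true when USER's UID is in the system range.
is_system_account() {
    awk -F: -v u="$1" -v lo="$SYS_UID_MIN" -v hi="$SYS_UID_MAX" \
        '$1 == u && $3+0 >= lo && $3+0 <= hi { found = 1 } END { exit !found }' "$2"
}

# system_account_logins SECURE_LOG PASSWD_FILE: accepted logins by accounts
# that should never log in interactively (mail, daemon, nobody, ...).
system_account_logins() {
    accepted_logins "$1" | while read -r u ip; do
        if is_system_account "$u" "$2"; then echo "$u $ip"; fi
    done
}

# system_accounts_with_password SHADOW_FILE PASSWD_FILE: system accounts whose
# shadow entry holds a hash instead of a lock marker (empty, *, ! or !!).
# A hash on such an account is a classic intruder-planted hidden login.
system_accounts_with_password() {
    awk -F: -v lo="$SYS_UID_MIN" -v hi="$SYS_UID_MAX" '
        NR == FNR { if ($3+0 >= lo && $3+0 <= hi) sys[$1] = 1; next }   # first file: passwd
        ($1 in sys) && $2 !~ /^(\*|!|!!)?$/ { print $1 }                # second file: shadow
    ' "$2" "$1"
}

# make_samples DIR: constructed sample files (see the note at the top).
make_samples() {
    cat > "$1/secure" <<'EOF'
Oct  3 03:10:25 webserver sshd[20701]: Accepted password for mail from 62.17.163.186 port 53349 ssh2
Oct  3 09:12:01 webserver sshd[20890]: Accepted publickey for admin from 10.0.0.5 port 40122 ssh2
Oct  3 09:13:44 webserver sshd[20901]: Failed password for root from 198.51.100.7 port 51000 ssh2
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
admin:x:500:500::/home/admin:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:15400:0:99999:7:::
daemon:*:15400:0:99999:7:::
mail:$1$$W1evaY5BMPQIqfTwTVJiX1kCEd3yD6:15400:0:99999:7:::
admin:$1$ijklmnop$zyxwvutsrqponmlkjihgfe:15400:0:99999:7:::
EOF
}

# Stand-alone demo.
demo=$(mktemp -d)
make_samples "$demo"
echo "system accounts that logged in over ssh:"
system_account_logins "$demo/secure" "$demo/passwd"
echo "system accounts with a usable password:"
system_accounts_with_password "$demo/shadow" "$demo/passwd"
rm -rf "$demo"
```

On the real host run the functions against /var/log/secure, /etc/passwd and /etc/shadow using the trusted grep and awk, and remember that a log the intruder has already trimmed (the article's z tool does exactly that) can only show what was left behind.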
4. Finding the attack source

So far we know only that the mail account was used to log in. But what made the web server send out packets? We had to find the source. Running the trusted copy of ps to list the system's processes turned up a new, suspicious one:

nodiv    22765     1  6 Sep29 ?        4-00:11:58 .t

What is this .t program? Running top gave:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
22765 nodiv     15   0 1740m 1362m 1228 S 98.3 91.5 2892:19 .t

The .t program has been running for about four days under the user nodiv and is eating most of the memory and CPU, which explains the customer's earlier complaint that the web server was unusually slow. With the PID 22765 in hand we looked for the executable's location through the exe link in the process's /proc directory:

[root@webserver ~]# /mnt/bin/ls -al /proc/22765/exe
lrwxrwxrwx 1 root root 0 Sep 29 22:09 /proc/22765/exe -> /var/tmp/.../apa/t

That gives the full path of the program, and it is a hidden one: /var/tmp is world-writable by default, and the intruder took advantage of that to create a directory named "..." there and hide the attack programs under it. Entering /var/tmp/... we found a set of rootkit files the intruder had placed there:
[root@webserver ...]# /mnt/bin/ls -al
drwxr-xr-x 2 nodiv nodiv 4096 Sep 29 22:09 apa
-rw-r--r-- 1 nodiv nodiv    0 Sep 29 22:09 apa.tgz
drwxr-xr-x 2 nodiv nodiv 4096 Sep 29 22:09 caca
drwxr-xr-x 2 nodiv nodiv 4096 Sep 29 22:09 haha
-rw-r--r-- 1 nodiv nodiv    0 Sep 29 22:09 kk.tar.gz
-rwxr-xr-x 1 nodiv nodiv    0 Sep 29 22:09 login
-rw-r--r-- 1 nodiv nodiv    0 Sep 29 22:09 login.tgz
-rwxr-xr-x 1 nodiv nodiv    0 Sep 29 22:09 z
Analysing these files confirmed that they are the attack source we were looking for:

z removes system logs and other traces. For example, ./z 62.17.163.186 deletes every log entry on the system that mentions 62.17.163.186.

t in the apa directory is the backdoor seen running earlier. When it runs it reads the file ip in the apa directory, which holds a list of IP addresses; t evidently scans all the addresses recorded in that file and tries to get into those remote hosts. The web server had clearly been turned into a bot (a zombie host) by the intruders.

The haha directory holds the programs used to replace the system commands, the trojaned binaries that stop us from seeing anything abnormal on the operating system.

login is a trojaned replacement for the system login program that also records login account names and passwords.
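The hunt in this section (a hidden "..." directory in a world-writable location, a process running from it, and a ps that does not show that process) can be automated. The script below is an added example, not code from the original article; its roots are parameters so it runs on a constructed tree, and the PIDs, links and the ps listing in the demo are made up to mirror what the article found.

```shell
#!/bin/sh
# Added example, not code from the original article. Three automated versions
# of the hand checks in section 4. On a live host call them with
# /var/tmp /tmp /dev/shm and /proc, from a trusted shell with trusted tools
# first on PATH.

# hidden_dirs DIR...: directories whose name starts with "." below DIR.
# "..." is a classic hiding place in world-writable directories.
hidden_dirs() {
    find "$@" -mindepth 1 -type d -name '.*' 2>/dev/null
}

# exe_in_temp PROC_ROOT: "PID path" for processes running from /tmp, /var/tmp
# or /dev/shm, from a path with a hidden component, or from a deleted file.
exe_in_temp() {
    for p in "$1"/[0-9]*; do
        [ -L "$p/exe" ] || continue
        exe=$(readlink "$p/exe") || continue   # EACCES for other users' processes
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*/.*|*' (deleted)') echo "${p##*/} $exe" ;;
        esac
    done
}

# pids_hidden_from_ps PROC_ROOT PID_LIST: PIDs present in /proc but absent
# from PID_LIST, a file holding the output of `ps -eo pid=` taken on the box.
# A user-land rootkit hides its processes by filtering ps output, not /proc.
pids_hidden_from_ps() {
    for p in "$1"/[0-9]*; do
        pid=${p##*/}
        awk -v pid="$pid" '$1 == pid { f = 1 } END { exit !f }' "$2" || echo "$pid"
    done
}

# build_demo DIR: constructed tree mirroring what the article found: a "..."
# directory in /var/tmp, PID 22765 running /var/tmp/.../apa/t, and a ps
# listing from which that PID is missing.
build_demo() {
    mkdir -p "$1/var/tmp/.../apa" "$1/var/tmp/.../haha" "$1/tmp/session" \
             "$1/proc/1" "$1/proc/500" "$1/proc/22765"
    ln -s /sbin/init          "$1/proc/1/exe"
    ln -s /usr/sbin/httpd     "$1/proc/500/exe"
    ln -s /var/tmp/.../apa/t  "$1/proc/22765/exe"
    printf '    1\n  500\n' > "$1/ps.txt"
}

# Stand-alone demo.
demo=$(mktemp -d)
build_demo "$demo"
echo "hidden directories:";                      hidden_dirs "$demo/var/tmp" "$demo/tmp"
echo "processes running from temp/hidden paths:"; exe_in_temp "$demo/proc"
echo "PIDs hidden from ps:";                     pids_hidden_from_ps "$demo/proc" "$demo/ps.txt"
rm -rf "$demo"
```

The /proc comparison only catches user-land rootkits that replace ps; a kernel-level rootkit can hide entries from /proc itself, which is one reason the disk-on-a-clean-host method from section 3 is the more reliable of the two.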
5. Finding the cause of the intrusion

By now the attack on the server is basically clear, but how did the intruder get into this server? That question matters most: the root of the intrusion has to be found so the hole can be closed for good.

To work that out we need to know the server's software environment. It is a Java-based web server with Apache 2.0.63 and Tomcat 5.5 installed, integrated through the mod_jk module. Apache listens on port 80, and Tomcat exposes no port to the outside, so the problem had to be on the Apache side.

The Apache configuration shows that Apache only handles requests for some static resources, and most of the site consists of static pages, so intrusion through the web application itself is unlikely. Since the vulnerability most likely came through Apache, we looked at the Apache access log for traces of suspicious requests and found the following in access.log:
62.17.163.186 - - [29/Sep/2013:22:17:06 +0800] "GET http://www.xxx.com/cgi-bin/awstats.pl?configdir=|echo;echo;ps+-aux%00 HTTP/1.0" 200 12333 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20121010 Firefox/2.0"
62.17.163.186 - - [29/Sep/2013:22:17:35 +0800] "GET http://www.xxx.com/cgi-bin/awstats.pl?configdir=|echo;echo;cd+/var/tmp/.../haha;ls+-a%00 HTTP/1.0" 200 1626 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20121010 Firefox/2.0"
Here is the root of the vulnerability: the configdir parameter of the awstats.pl script. The customer uses the open-source AWStats plug-in for web access statistics, and in the installed version the configdir value is passed to the shell unfiltered (CVE-2005-0116, affecting AWStats releases before 6.3). Through this hole the attacker can run commands on the server straight from the browser, such as listing processes or creating directories.

The second log entry shows the attacker, from an ordinary browser, changing to the directory /var/tmp/.../haha and listing it. The vulnerability is alarming, but the AWStats site already publishes a fix for it, and it is simple. Open awstats.pl and find the following code:

if ($QueryString =~ /configdir=([^&]+)/i)
{
    $DirConfig=&DecodeEncodedString("$1");
}

Change it to:

if ($QueryString =~ /configdir=([^&]+)/i)
{
    $DirConfig=&DecodeEncodedString("$1");
    $DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
}

The added tr///cd line deletes every character that is not a lowercase letter, digit, underscore, hyphen, slash or dot, so the pipe, the semicolons and the NUL byte the exploit relies on never reach the shell. Upgrading to a current AWStats release, which carries this and later fixes, is the safer option.
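Two practical follow-ups to the log entries and the fix above, as an added example that is not code from the original article or from AWStats: a detector for the configdir injection pattern in Apache access logs, and a shell restatement of the Perl tr///cd filter so its effect on an attacker's value can be seen directly. The log lines are constructed; the first two are the requests quoted in the article, the other two are made up, including the 10.0.0.5 and 198.51.100.9 addresses.

```shell
#!/bin/sh
# Added example, not code from the original article or from AWStats.

# awstats_injection_hits ACCESS_LOG: "ip timestamp configdir-value" for every
# request to awstats.pl whose configdir value carries a pipe, a semicolon or an
# encoded NUL, in raw or percent-encoded form. Assumes the Apache combined
# log format, in which field 7 is the request URL.
awstats_injection_hits() {
    grep -i 'awstats\.pl?[^ "]*configdir=' "$1" |
    awk '{
        url = $7
        sub(/^.*configdir=/, "", url)
        if (url ~ /[|;]|%00|%7[cC]|%3[bB]/) { sub(/^\[/, "", $4); print $1, $4, url }
    }'
}

# configdir_sanitize VALUE: what the patched awstats.pl keeps from a decoded
# configdir value. Perl's tr/LIST/LIST/cd and tr -cd both delete every byte
# not in LIST; everything else (|, ;, spaces, uppercase letters) is dropped.
configdir_sanitize() {
    printf '%s' "$1" | tr -cd 'a-z0-9_./-'
}

# make_sample_log FILE: constructed access log (see the note at the top).
make_sample_log() {
    cat > "$1" <<'EOF'
62.17.163.186 - - [29/Sep/2013:22:17:06 +0800] "GET http://www.xxx.com/cgi-bin/awstats.pl?configdir=|echo;echo;ps+-aux%00 HTTP/1.0" 200 12333 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20121010 Firefox/2.0"
62.17.163.186 - - [29/Sep/2013:22:17:35 +0800] "GET http://www.xxx.com/cgi-bin/awstats.pl?configdir=|echo;echo;cd+/var/tmp/.../haha;ls+-a%00 HTTP/1.0" 200 1626 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20121010 Firefox/2.0"
10.0.0.5 - - [30/Sep/2013:08:00:00 +0800] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Sep/2013:08:01:00 +0800] "GET /cgi-bin/awstats.pl?configdir=%7Cid%3B%00 HTTP/1.1" 200 500 "-" "curl/7.19.7"
EOF
}

# Stand-alone demo.
demo=$(mktemp -d)
make_sample_log "$demo/access.log"
echo "injection attempts:"
awstats_injection_hits "$demo/access.log"
echo "attacker value after the fix: $(configdir_sanitize '|echo;echo;ps -aux')"
rm -rf "$demo"
```

Note what the character filter does and does not do: the attacker's value collapses to a harmless "echoechops-aux", but a value such as "../../etc" passes through unchanged, because dots and slashes are allowed. The filter stops the command injection; restricting configdir to a known directory is a separate control.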
6. The mystery uncovered