Saturday, November 27, 2010

Linux intrusion detection on a broiler

Yesterday I promised wzt to find a few Linux broilers (compromised boxes) to test a program on. I opened http://www.milw0rm.com/webapps.php, found an include vulnerability and tried it; soon I had a webshell, nothing worth saying. The machine was Red Hat 9, then a local root.

A note first: the IP address and hostname have been replaced, please don't try to infer them. This walkthrough is for informational purposes only; in real intrusion detection work there are still many procedures and details to pay attention to. Also, this article does not explain the basic concepts or procedures; if something isn't clear, ask Google.

Get into the chicken and put on our ssh backdoor; the specific method can be found on http://baoz.net or http://xsec.org, which have video tutorials. If you still have questions after watching the video, you can go to the Linux board at http://cnhonker.com/bbs/ and discuss.

As soon as I got in over ssh: oh, strange, is the admin Korean? A peculiar fellow ...

Last login: Fri Nov 17 08:21:14 2006 from ac9e2da9.ipt.aol.com

A curious look. Reference:

[fatb@baoz ~]$ nmap -P0 ac9e2da9.ipt.aol.com -O

The first thing after getting into a machine is to check whether it is VMware, so that we don't hurry straight into somebody else's broken jar. Let's look. Reference:

## check whether this is a vmware machine (ifconfig prints the MAC with colons, so the prefixes are matched in that form)
[root@victim root]# ifconfig -a | grep -i -e "00:05:69" -e "00:0C:29" -e "00:50:56"
[root@victim root]# dmesg | grep -i vmware

If there is no output, so far so good. Even if it is a honeypot, it should at least be a honeypot someone invested some hardware in. Let's keep looking at what hardware he invested. Reference:

[root@victim root]# cat /proc/cpuinfo | grep name; cat /proc/meminfo | grep MemTotal
model name : Intel(R) Xeon(TM) CPU 2.80GHz
model name : Intel(R) Xeon(TM) CPU 2.80GHz
model name : Intel(R) Xeon(TM) CPU 2.80GHz
model name : Intel(R) Xeon(TM) CPU 2.80GHz
MemTotal: 1030228 kB

Not a bad machine, although 4 CPUs with only 1 GB of memory is a bit weird; reluctantly it will do for running passwords or whatever. On anti-honeynet, here are two good articles, but they are for VMware or User Mode Linux; if the other side uses a real machine, it also depends on luck, heh heh.

http://xsec.org/index.php?module=arc...ew&type=3&id=5
http://xsec.org/index.php?module=arc...ew&type=3&id=6

For discussion of honeynets and anti-honeynet you can chat here: http://cnhonker.com/bbs/thread.php?fid=15&type=1

Nonsense aside, the second thing is to see whether there are already other "drug addicts" on the box; if so, sorry, please leave. Generally I run a few commands and see, because some rootkits change them, or because of version problems, anyway for whatever reason some parameters of the replaced programs won't work. Reference:

[root@victim root]# ls -al
ls: invalid option --
Try `ls --help' for more information.

Oh, ls has been replaced. Now look at netstat. Reference:

[root@victim root]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1702/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1516/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1540/
tcp        0    300 123.123.123.123:22      10.20.30.40:2245        ESTABLISHED 6097/sshd:
tcp        0      0 123.123.123.123:22      10.20.30.40:2247        ESTABLISHED 6815/sshd:
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     121430 6815/sshd:          /tmp/ssh-vfJj6815/agent.6815
unix  2      [ ACC ]     STREAM     LISTENING     116904 6097/sshd:          /tmp/ssh-weHq6097/agent.6097
unix  6      [ ]         DGRAM                    1560   1476/syslogd        /dev/log
unix  2      [ ]         DGRAM                    1771   1570/crond
unix  2      [ ]         DGRAM                    1728   1549/
unix  2      [ ]         DGRAM                    1714   1540/
unix  2      [ ]         DGRAM                    1568   1480/klogd

Looks fairly normal. Regardless, let's just fetch the two rootkit-checking tools and have a look: chkrootkit and rkhunter.

First chkrootkit. Cool, we are now checking in a plainly untrusted environment. Some friend may ask "why check in an untrusted environment?" The reason: we first check in the untrusted environment and keep a copy of the results, then check again in a trusted environment, and compare the two sets of results. That way we can generally tell whether this addict has an LKM rootkit or something more advanced.

After the check we find the following interesting information. Reference:

[root@victim chkrootkit-0.47]# ./chkrootkit
Checking `ifconfig'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.
Checking `bindshell'... not infected
Checking `lkm'... You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
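The untrusted-then-trusted comparison described above, worked through as an added example that is not from the original post: it parses chkrootkit's output from both runs and separates findings the live system already showed from those only the trusted run surfaced, which is the signal that something at kernel level is hiding results. The sample output is constructed in chkrootkit's line format, and the rule for what counts as a clean status ("not ...", "nothing ...", "no suspect ...") is an assumption about chkrootkit's wording.

```python
import re

# Constructed sample output in chkrootkit's own line format (not real captures):
# the same checks run on the live system and again from trusted media.
LIVE_RUN = """\
Checking `ifconfig'... INFECTED
Checking `pstree'... not infected
Searching for t0rn's v8 defaults... nothing found
Searching for Romanian rootkit... nothing found
Checking `lkm'... not tested
"""
TRUSTED_RUN = """\
Checking `ifconfig'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Checking `lkm'... You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
"""

CHECK_RE = re.compile(r"^(?:Checking|Searching for) (.+?)\.\.\.\s*(.*)$")
# Assumed heuristic: chkrootkit words clean results as "not ...", "nothing ..."
# or "no suspect ..."; any other status text is treated as a finding.
CLEAN_RE = re.compile(r"^(?:not |nothing |no suspect)", re.IGNORECASE)

def parse_chkrootkit(output):
    """Map each check name to its status text, folding continuation lines."""
    results, last = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = CHECK_RE.match(line)
        if m:
            last = m.group(1).strip("`'")
            results[last] = m.group(2).strip()
        elif line and last:
            results[last] += " " + line  # e.g. chkproc's warning under `lkm'
    return results

def flagged(status):
    return bool(status) and not CLEAN_RE.match(status)

def compare_runs(live, trusted):
    live_r, trusted_r = parse_chkrootkit(live), parse_chkrootkit(trusted)
    report = {"confirmed": [], "hidden_from_live": [], "live_only": []}
    for name, status in trusted_r.items():
        if flagged(status):
            seen = flagged(live_r.get(name, ""))
            report["confirmed" if seen else "hidden_from_live"].append(name)
    for name, status in live_r.items():
        if flagged(status) and not flagged(trusted_r.get(name, "")):
            report["live_only"].append(name)
    return report
```

A trojaned ifconfig binary shows up in both runs, while the hidden processes and the rootkit defaults only appear from trusted media, which is exactly the difference the two-run approach is meant to expose.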
