Friday, December 3, 2010

Case study: intrusion response on a Linux platform

Recently, the network administrator of a school received complaints from outside users that a video server on the campus was scanning external hosts on TCP port 443.

The video server's address is 192.168.1.10, its operating system is Red Hat 7.3, and its open ports are TCP 22, 80 and 443. The administrator had checked the machine repeatedly without observing anything abnormal, so we accepted the request to help examine it.

Preliminary testing

We first mirrored the server's traffic at the switch and confirmed that the host did indeed have outbound scanning traffic to port 443. After logging on to the system, however, netstat -an showed no network connections involving port 443, and ps -ef showed nothing suspicious in the process list. We therefore suspected that a rootkit had been installed (Note 1). To prove this, we copied the ps command from a trusted installation of the same operating system version onto the machine (if you kept a table of MD5 values of the system commands when the system was first installed, you only need to bring a trusted md5sum program from elsewhere) and used md5sum to compare the two. The ps on 192.168.1.10 had been modified, so we could conclude that the system had been compromised and a rootkit backdoor installed.

Offline analysis

Since the system commands had been replaced, no operation performed on the running system could be trusted. We shut the compromised server down, removed its hard drive and attached it to another host for analysis. We first looked for suspicious entries in the system logs with the following command: more /var/log/secure | grep Accepted (Note 2). After ruling out the administrator's own login records, the following entry stood out: Jul 3 14:01:01 vsp-thu sshd[14042]: Accepted password for news from 82.77.188.56 port 1143 ssh2. This record shows that at 14:01:01 on July 3 someone logged into the system successfully with the news account from 82.77.188.56, an address that belongs to Romania.
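The rootkit check described above, written out as an added example (this is not code from the original post): a checksum manifest is recorded on a clean system and later compared against the same paths on the suspect host. The file names and contents are constructed for the demonstration; in practice the manifest must be stored off-host and the comparison run with tools taken from trusted media, since an intruder who replaced ps can just as easily edit a manifest left on the box.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Snapshot taken on the freshly installed, still-clean system.
    Keep the result off-host: a manifest left on the box can be edited by the intruder."""
    return {rel: md5_of(os.path.join(root, rel)) for rel in rel_paths}


def verify_baseline(root, manifest):
    """Compare every manifest entry against the (possibly compromised) root.
    Returns {rel_path: "ok" | "MODIFIED" | "MISSING"}."""
    status = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "MISSING"
        elif md5_of(path) != expected:
            status[rel] = "MODIFIED"
        else:
            status[rel] = "ok"
    return status


def demo():
    """Constructed scenario (not data from the case): three 'binaries' are
    baselined, then a rootkit replaces ps and netstat."""
    root = tempfile.mkdtemp()
    clean = {"bin/ps": b"clean ps", "bin/netstat": b"clean netstat", "bin/ls": b"clean ls"}
    for rel, data in clean.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = build_manifest(root, clean)  # taken while the system was clean

    # the intrusion: trojaned tools that hide the scanner's process and sockets
    for rel in ("bin/ps", "bin/netstat"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"trojaned " + rel.encode())
    return verify_baseline(root, manifest)


if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:9s} {rel}")
```

MD5 is used here only because it is what the post and a 2002-era md5sum offer; as a change detector against an intruder who cannot touch the manifest it still works, but a manifest built today would use SHA-256.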
Since the attacker used the news account directly, the actual compromise must have happened before 14:00 on July 3: by default the system's built-in news account has no password and cannot log in. Checking /etc/shadow we found the following entry: news:$ChmaBoHa$ha.JnyJkIryk5wc5DeWzR1:12967:0:99999:7::: The intruder had set a password on the news account, turning it into an account that can log in remotely; an intruder typically does this to leave behind a hidden login account for future access. (The third field, 12967, is the day of the last password change counted from January 1, 1970, which works out to July 3, 2005, consistent with the login record.) We continued through the other system logs but found no further suspicious records, so it was clear that the intruder had modified the log files. The trail seemed to break here. All we knew was that the intruder probably came from Romania, had modified the news account, and had tampered with the system logs; none of that was much help with the event as a whole. We did have one very useful piece of information, though: the approximate time of the attack could be placed around 14:00 on July 3. So we could use the find command to list the files whose status had changed during that period. The command format is: find / -ctime +n -print > find.log (Note 3), where n is the number of days (note that -ctime +n selects files changed more than n days ago, while -ctime -n selects those changed within the last n days). In its output we found that the intruder had created a directory named ". " (a dot followed by a space character) (Note 4) under /var/opt, containing the subdirectories and files listed in Table 1.
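The two log checks in this paragraph, written out as an added example (not code from the original post): successful sshd logins are pulled from /var/log/secure, the administrator's own source address is excluded, and logins to built-in accounts are flagged; then /etc/shadow is scanned for built-in accounts that carry a usable hash instead of a lock marker, and the last-change day count is turned into a date. The log lines and shadow entries are constructed for the example; the hashes are placeholders, and the trusted address 192.168.1.5 is assumed.

```python
import datetime
import re

# sshd "Accepted" line as OpenSSH writes it to /var/log/secure
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# built-in accounts that should never be able to log in interactively
SYSTEM_ACCOUNTS = {"bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail",
                   "news", "uucp", "operator", "games", "gopher", "ftp", "nobody"}

# constructed sample (not the case's real log): one admin login, one attacker login
SECURE_SAMPLE = """\
Jul  3 09:12:44 vsp-thu sshd[13001]: Accepted password for root from 192.168.1.5 port 2201 ssh2
Jul  3 14:01:01 vsp-thu sshd[14042]: Accepted password for news from 82.77.188.56 port 1143 ssh2
Jul  3 14:03:10 vsp-thu sshd[14042]: Failed password for root from 82.77.188.56 port 1150 ssh2
"""

# constructed sample /etc/shadow; the hash strings are placeholders
SHADOW_SAMPLE = """\
root:$1$constructed$rootplaceholderhash:12900:0:99999:7:::
news:$1$constructed$newsplaceholderhash:12967:0:99999:7:::
uucp:*:12900:0:99999:7:::
games:!!:12900:0:99999:7:::
"""


def accepted_logins(secure_text, trusted_sources=()):
    """Successful sshd logins, minus those from addresses the admin vouches for.
    Each hit records whether the target is a built-in account."""
    hits = []
    for line in secure_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m["src"] in trusted_sources:
            continue
        hits.append({"time": m["ts"], "user": m["user"], "source": m["src"],
                     "method": m["method"], "system_account": m["user"] in SYSTEM_ACCOUNTS})
    return hits


def shadow_day_to_date(days):
    """Field 3 of /etc/shadow: days since 1970-01-01 of the last password change."""
    return datetime.date(1970, 1, 1) + datetime.timedelta(days=int(days))


def writable_system_accounts(shadow_text):
    """Built-in accounts whose password field is not a lock marker (*, !, !!).
    An empty field means no password at all, which is also a finding."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw, lastchg = fields[0], fields[1], fields[2]
        locked = pw.startswith(("*", "!"))
        if user in SYSTEM_ACCOUNTS and not locked:
            findings.append({"user": user,
                             "last_change": shadow_day_to_date(lastchg).isoformat()})
    return findings


if __name__ == "__main__":
    for hit in accepted_logins(SECURE_SAMPLE, trusted_sources={"192.168.1.5"}):
        print("login:", hit)
    for finding in writable_system_accounts(SHADOW_SAMPLE):
        print("shadow:", finding)
```

Both functions are meant to be run on copies of the files taken from the mounted drive on the analysis host; on the compromised system itself the trojaned commands, and possibly a cleaned log, would hide exactly these entries.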
Analysis of these programs showed their functions to be as follows.

Table 1. Contents of the directory the intruder created under /var/opt

1. z: a program used to remove log entries relating to a given address from the system logs. For example, running ./z 82.77.188.56 clears every log record that mentions 82.77.188.56.

2. cata: a directory containing an IRC backdoor. When run, the program automatically connects to the following four IRC servers, after which the intruder only needs to join the IRC channel to send control commands to the machine. The four IRC servers (read from the original as address and port pairs) are:
   server 194.134.7.195 port 6662
   server 195.197.175.21 port 7000
   server 161.53.178.240 port 6667
   server 66.198.160.2 port 8080

3. login: a trojaned replacement for the system login program that records login account names and passwords.

4. kaka: a directory holding the programs used to replace the system commands; these are what kept the system from showing us anything abnormal.

5. atp: a directory holding a program designed to scan for and attack HTTPS services. The complaints from abroad about scanning from port 443 were caused by the openssl-too program in this directory. This attack program was published on April 19, 2005 and exploits the OpenSSL vulnerability CAN-2002-0656.

In addition, two other files were modified by the intruder on July 3: /etc/httpd/conf/httpd.conf (Note 5) and /etc/httpd/logs/ssl_request_log (Note 6).
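The indicators in Table 1 can be turned back into a check on the mirrored traffic that started this case. The following is an added example (not code from the original post): a list of flows summarised from a mirror-port capture is matched against the IRC command-and-control endpoints of Table 1, and hosts that touch many distinct destinations on port 443 are reported as scanners. The flow records are constructed for the example, and the threshold of 20 distinct targets is an assumption to be tuned to the network.

```python
from collections import defaultdict

# IRC command-and-control endpoints listed in Table 1, as (address, port)
IRC_C2 = {
    ("194.134.7.195", 6662),
    ("195.197.175.21", 7000),
    ("161.53.178.240", 6667),
    ("66.198.160.2", 8080),
}

# constructed flow summary (src, dst, dport); not real traffic from the case
FLOWS = (
    [("192.168.1.10", "194.134.7.195", 6662)]                     # bot checking in
    + [("192.168.1.10", f"10.20.30.{i}", 443) for i in range(1, 26)]  # openssl scan
    + [("192.168.1.22", "192.168.1.10", 80),                        # normal viewer
       ("192.168.1.22", "10.9.9.9", 443)]                           # one ordinary HTTPS visit
)


def c2_contacts(flows, c2=IRC_C2):
    """Flows whose destination is a known control server; these are the hosts to isolate."""
    return sorted({(s, d, p) for (s, d, p) in flows if (d, p) in c2})


def scanners(flows, port=443, min_targets=20):
    """Sources that contacted at least min_targets distinct hosts on the given port.
    The threshold is an assumption; pick it from what is normal on your own network."""
    targets = defaultdict(set)
    for s, d, p in flows:
        if p == port:
            targets[s].add(d)
    return sorted(s for s, ds in targets.items() if len(ds) >= min_targets)


if __name__ == "__main__":
    print("C2 contacts:", c2_contacts(FLOWS))
    print("port 443 scanners:", scanners(FLOWS))
```

The point of working from the mirror port rather than from the host is the one the post makes: with ps and netstat replaced by the kaka directory's versions, the host will report neither the IRC session nor the scanning sockets, while the switch sees both.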
