Wednesday, January 5, 2011

Case study: an intrusion response case on the Linux platform

From this we can conclude:
1. The intruder modified the httpd.conf file to disable the listener on port 443 (the administrator confirmed they had not turned it off themselves), probably so that nobody else could exploit the same vulnerability;
2. The intruder deleted all records in ssl_request_log between 12:00 noon and 14:00 on July 3 (ssl_request_log is not a system log, so the "z" log cleaner cannot wipe it directly; the intruder had to remove the entries for that period by hand).

Continuing to check the logs, we also found in the root home directory a .bash_history file (note 7) containing the following command: ./z 82.77.188.240

Uncovering the mystery: from the above information we can reconstruct this intrusion as follows:
1. Time of intrusion: judging from the creation time of the hidden directory and the period of ssl_request_log records the intruder deleted, the intrusion probably took place around 13:00 on July 3;
2. Vulnerability used: a vulnerability scan of the system showed that it had multiple exploitable vulnerabilities, but since the intruder shut down Apache's port 443 service and altered the ssl_request_log file, he most likely entered the system through the Apache mod_ssl vulnerability (CAN-2002-0656);
3. Source of the attack: two source addresses, 82.77.188.56 and 82.77.188.240 (these two addresses may themselves be machines controlled by the intruder);
4. What the intruder did after entering the system: installed a backdoor controlled through an IRC chat server; modified the permissions and password of the "news" account; replaced a series of system commands; replaced the system's own login program in order to capture the root password (note 8); used this host to launch port 443 scanning attacks against external systems; used a log cleaner to remove the related records from the system logs.

Solution: because kernel-level programs on the system have been replaced, we recommend that the user back up the data, reinstall the system, and then:
1. Install a newer version of the operating system;
2. Install the appropriate system patches;
3. Change the system administrator password, and check the other hosts on the same network segment that use the same password (the intruder has already obtained the administrator password through the Trojaned program);
4. Install a newer version of Apache and close unnecessary service ports;
5. Use the firewall to restrict the source addresses allowed to log in to SSH port 22.
(The author is a member of the CERNET emergency response group)
Note 1: Simply put, a rootkit is a hacker's toolkit. It usually includes modified system command programs, backdoors, attack programs and log cleaners; hackers use rootkits to hide their activity on the compromised host.
Note 2: /var/log/secure records system account login information; grep Accepted picks out the records of successful logins.
Note 3: This command finds all files under "/" that were modified within the last n days; the > redirection writes the result to the file find.log for later analysis.
Note 4: On Linux, files and directories whose names begin with "." are hidden and can only be seen with ls -al. A directory whose name is a dot followed by a space is very easy to overlook in ls -al output.
Note 5: httpd.conf is Apache's main configuration file; commenting out port 443 in this file stops Apache from serving HTTPS on port 443.
Note 6: ssl_request_log is an Apache log file that records user access over the HTTPS protocol.
Note 7: By default, the .bash_history file in each user's home directory holds the last 500 commands that user executed on the system.
Note 8: If the intruder used a cleaner to wipe the system logs, why did the command ./z 82.77.188.240 remain in root's .bash_history? This follows from how .bash_history is written: the commands a user runs after logging in are not stored to the .bash_history file immediately; the shell holds them in memory, and only when the user logs out is that history written to .bash_history.
This shows that the last time the intruder logged in to the system as root from the address 82.77.188.240, he ran ./z 82.77.188.240; at that moment .bash_history did not yet contain this record, so it was not cleared, and when he exited the system the command ./z 82.77.188.240 was written to .bash_history. We can therefore conclude that the intruder obtained the root password through the fake login program.
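The two-hour hole in ssl_request_log was the key clue above. The following check, added here and not part of the original post, parses the mod_ssl request log format and reports silent intervals and out-of-order lines; the sample log, its year (2003) and client addresses are constructed, with the 12:00 to 14:00 window left empty to mirror the case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an Apache ssl_request_log (mod_ssl default format:
# "[%t] %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"). The year and client
# addresses are assumptions; the gap between 11:58 and 14:03 is deliberate.
SAMPLE_LOG = """\
[03/Jul/2003:11:40:12 +0800] 10.0.0.5 TLSv1 RC4-MD5 "GET /index.html HTTP/1.1" 2048
[03/Jul/2003:11:52:31 +0800] 10.0.0.7 TLSv1 RC4-MD5 "GET /news/ HTTP/1.1" 1532
[03/Jul/2003:11:58:02 +0800] 10.0.0.5 TLSv1 RC4-MD5 "GET /logo.gif HTTP/1.1" 9870
[03/Jul/2003:14:03:45 +0800] 10.0.0.9 TLSv1 RC4-MD5 "GET /index.html HTTP/1.1" 2048
[03/Jul/2003:14:10:09 +0800] 10.0.0.7 TLSv1 RC4-MD5 "GET /news/ HTTP/1.1" 1532
"""

# Leading "[dd/Mon/yyyy:HH:MM:SS +zzzz]" field of each request line.
TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_timestamps(log_text):
    """Return the request timestamps of every well-formed line, in file order."""
    stamps = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"))
    return stamps


def find_gaps(stamps, max_silence=timedelta(hours=1)):
    """Return (start, end, length) for each silent interval longer than max_silence.

    A server that logs requests every few minutes and then nothing for hours,
    with dense traffic on both sides, is a sign that lines were cut out by hand.
    """
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_silence:
            gaps.append((prev, cur, cur - prev))
    return gaps


def count_out_of_order(stamps):
    """Count lines whose timestamp goes backwards; a spliced log often has some."""
    return sum(1 for prev, cur in zip(stamps, stamps[1:]) if cur < prev)


if __name__ == "__main__":
    ts = parse_timestamps(SAMPLE_LOG)
    for start, end, length in find_gaps(ts):
        print(f"no HTTPS requests between {start} and {end} ({length})")
    print(f"out-of-order lines: {count_out_of_order(ts)}")
```

Run it against a real ssl_request_log by replacing SAMPLE_LOG with the file contents; compare any reported gap with the server's normal traffic pattern and with the timestamps of the suspicious files before treating it as tampering.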
