A Linux server break-in, written up


Half past five in the morning, not yet properly awake, and a friend calls: his server is down, he has had the data center reboot it and that did not help, but he can still log in remotely.

After logging in I found this message on the server:

Hi, please view: http://pastie.org/private/tlixxvclirxmut6djqyacq for further information in regards to your files!

I went and looked, and this is what it said:

Greetings,

Your server has been hacked and your files have been deleted.
Before they were deleted, we backed them up to a server we control.
You must send a total of 3 BTC to the address: 1M71Lt6RtrdwB43UFWZCBt8FQ7dMqjqNsd
Failure to do so will result in your files being deleted after 5 days.
We may also leak your files.

You can e-mail onewayout@sigaint.org for support. We will not give any files before a payment has been made.

Goodbye!

Naturally I was not going to pay the three bitcoins, so I started working through the logs.

# 1. Look for setuid files, a common hiding place for a planted backdoor. Note the leading "-" on -perm: "-perm -4000" matches any file with the setuid bit set, while "-perm 4000" only matches a file whose mode is exactly 4000.

find / -type f -perm -4000 2>/dev/null

# 2. Check whether system binaries (ELF files) have been replaced. rpm -Vf verifies a file against the package that owns it and prints nothing when the file is unchanged; rpm -Va does the same for every installed package.

rpm -Vf /bin/ls

rpm -Vf /usr/sbin/sshd

rpm -Vf /sbin/ifconfig

rpm -Vf /usr/sbin/lsof

# 3. Look for webshells. Run these in the web root.

grep -r "getRuntime" ./

# Runtime.getRuntime().exec() is how a JSP runs system commands
find . -type f -name "*.jsp" | xargs grep -i "getRuntime"

# getHostAddress() returns an IP address as a string; used by shells that connect back to the attacker
find . -type f -name "*.jsp" | xargs grep -i "getHostAddress"

# gethostbyname() returns a pointer to a hostent structure holding a host's name and addresses
find . -type f -name "*.jsp" | xargs grep -i "gethostbyname"

# a JSP that invokes the system shell
find . -type f -name "*.jsp" | xargs grep -i "bash"

# the default name of a widely used JSP webshell
find . -type f -name "*.jsp" | xargs grep -i "jspspy"

# a JSP that takes its input from a request parameter (common in legitimate code too, so review the hits)
find . -type f -name "*.jsp" | xargs grep -i "getParameter"

# 4. Check the middleware access logs. Run these in the log directory. fgrep searches for fixed strings; append with ">>" so that each search does not overwrite the results of the previous one.

# unauthorized access to the admin pages
fgrep -R "admin_index.jsp" 20120702.log >> log.txt

# SQL injection probes (in a request URL the space is usually encoded, so also search for "and+1=1" and "and%201=1")
fgrep -R "and 1=1" *.log >> log.txt

fgrep -R "select " *.log >> log.txt

fgrep -R "union " *.log >> log.txt

# path traversal
fgrep -R "../../" *.log >> log.txt

# Java command execution
fgrep -R "Runtime" *.log >> log.txt

# attempts to read /etc/passwd
fgrep -R "passwd" *.log >> log.txt

# 5. Commands an attacker typically runs first through a shell; check whether any of them show up.

fgrep -R "uname -a" *.log >> log.txt

# "id" also matches every ?id= parameter, so expect a lot of noise from this one
fgrep -R "id" *.log >> log.txt

fgrep -R "ifconfig" *.log >> log.txt

fgrep -R "ls -l" *.log >> log.txt

# 6. System logs. Run as root.

# SSH logins and failures, plus su and sudo activity
cat /var/log/secure

tail -n 10 /var/log/secure

# last reads /var/log/wtmp, which is a binary file, so do not cat it
last

# /var/log/sulog only exists where su logging was set up; on CentOS su sessions are logged in /var/log/secure
cat /var/log/sulog

# check that the scheduled tasks look normal
cat /var/log/cron

tail -n 100 ~/.bash_history | more

# 7. Check the temp directories for files the intruder left behind. Be suspicious of .c, .py or .sh files and of ELF binaries.

ls -la /tmp

ls -la /var/tmp
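Steps 4 and 5 above grep the access logs for fixed strings, which misses the same probe when the spaces are URL-encoded. The script below is an added example, not code from the original post: it decodes the common encodings first and then tags each log line with the indicators the checklist looks for. The function names, the tags, the sample log path and the Apache combined-format log lines are all constructed for this example (the IPs are documentation ranges, apart from the address quoted from the sshd log later in the post).

```shell
#!/bin/sh
# Added example, not code from the original post: scan a web access log for
# the indicators the checklist greps for, after undoing the URL encoding that
# hides them (a fixed-string search for "and 1=1" misses "and+1=1" and
# "and%201=1"). The log lines and the log path are constructed.

# Undo the encodings that commonly appear in request lines: '+' and %20 become
# a space, %2E '.', %2F '/', %27 a single quote, %28 and %29 parentheses.
urldecode() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e 's/%2[eE]/./g' -e 's,%2[fF],/,g' \
        -e "s/%27/'/g" -e 's/%28/(/g' -e 's/%29/)/g'
}

# tags_for LINE: print one tag per line for each indicator found in an already
# decoded, lower-cased log line. The patterns mirror the checklist: SQL
# injection probes, path traversal, Java command execution, /etc/passwd reads,
# the Shellshock function-definition prefix, and the commands an attacker runs
# first through a webshell. "id" on its own would match every ?id= parameter,
# so it only counts when preceded by ';', '|' or '=' (as in cmd=id).
tags_for() {
    l=$1
    printf '%s\n' "$l" | grep -Eq 'and 1=1|or 1=1|union |select ' && echo SQLI
    printf '%s\n' "$l" | grep -Fq '../../'                          && echo TRAVERSAL
    printf '%s\n' "$l" | grep -Eq 'runtime|jspspy'                   && echo JAVA_RCE
    printf '%s\n' "$l" | grep -Fq 'passwd'                           && echo PASSWD
    printf '%s\n' "$l" | grep -Fq '() {'                             && echo SHELLSHOCK
    printf '%s\n' "$l" | grep -Eq 'uname -a|ifconfig|ls -l|[;|=]id([;|& ]|$)' && echo CMD
    return 0
}

# scan_access_log FILE: print "TAG<tab>original line" for every hit.
scan_access_log() {
    while IFS= read -r line; do
        decoded=$(printf '%s\n' "$line" | urldecode | tr 'A-Z' 'a-z')
        for t in $(tags_for "$decoded"); do
            printf '%s\t%s\n' "$t" "$line"
        done
    done < "$1"
}

# count_tag FILE TAG: how many log lines carry TAG.
count_tag() {
    scan_access_log "$1" | cut -f1 | grep -c "^$2\$"
}

# Constructed sample log in Apache combined format (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [16/Mar/2016:02:10:11 +0800] "GET /news.jsp?id=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Mar/2016:02:12:40 +0800] "GET /news.jsp?id=5+and+1=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Mar/2016:02:12:41 +0800] "GET /news.jsp?id=5%20union%20select%201,2,3 HTTP/1.1" 500 311 "-" "sqlmap/1.0"
198.51.100.23 - - [16/Mar/2016:02:15:02 +0800] "GET /download.jsp?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1450 "-" "curl/7.29.0"
46.214.146.198 - - [16/Mar/2016:03:30:01 +0800] "GET /cgi-bin/center.cgi?id=20 HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'uname -a'"
46.214.146.198 - - [16/Mar/2016:03:31:15 +0800] "GET /admin/cmd.jsp?cmd=id HTTP/1.1" 200 75 "-" "Mozilla/5.0"
46.214.146.198 - - [16/Mar/2016:03:31:40 +0800] "GET /x.jsp?c=Runtime.getRuntime().exec(%27ls%20-l%27) HTTP/1.1" 200 930 "-" "Mozilla/5.0"
EOF

scan_access_log "$SAMPLE_LOG"
```

The first sample line is a normal request and produces no tag; the traversal line is only caught because %2F is decoded before matching, and the Shellshock line is flagged both for the "() {" prefix in the User-Agent and for the uname -a it carries. Run it against a real log with `scan_access_log /var/log/httpd/access_log` and review the tagged lines by hand; the patterns are deliberately broad, as in the checklist.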

Mar 16 03:25:06 localhost sshd[11499]: warning: /etc/hosts.deny, line 14: missing ":" separator

Mar 16 03:25:11 localhost sshd[11499]: Address 46.214.146.198 maps to 46-214-146-198.next-gen.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Mar 16 03:25:11 localhost sshd[11499]: Invalid user ubnt from 46.214.146.198

Mar 16 03:25:11 localhost sshd[11500]: input_userauth_request: invalid user ubnt

Mar 16 03:25:11 localhost sshd[11499]: pam_unix(sshd:auth): check pass; user unknown

Mar 16 03:25:11 localhost sshd[11499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=46.214.146.198 

Mar 16 03:25:11 localhost sshd[11499]: pam_succeed_if(sshd:auth): error retrieving information about user ubnt

Mar 16 03:25:13 localhost sshd[11499]: Failed password for invalid user ubnt from 46.214.146.198 port 34989 ssh2

Mar 16 03:25:13 localhost sshd[11500]: Connection closed by 46.214.146.198
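The entries above are what /var/log/secure records for a single rejected SSH attempt: "Invalid user ubnt" means the account does not exist, and "Failed password for invalid user" means the guess was refused. A login that actually succeeded leaves an "Accepted password for ..." or "Accepted publickey for ..." line (unless the log itself was wiped). The script below is an added example, not code from the original post: it summarises an sshd log per source address, separating failures from successful logins. The function names and the log lines are constructed in the format shown above; 203.0.113.9 and 198.51.100.23 are documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise sshd entries from
# /var/log/secure per source IP, separating rejected attempts from successful
# logins. The sample log below is constructed in the format shown in the post.

# summarize_sshd_log FILE: print "FAILED<tab>IP<tab>count" for rejected
# password/publickey attempts and "ACCEPTED<tab>IP user<tab>count" for logins.
summarize_sshd_log() {
    awk '
    /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
        user = $0; sub(/.* for (invalid user )?/, "", user); sub(/ from .*/, "", user)
        ip = $0;   sub(/.* from /, "", ip);                  sub(/ port .*/, "", ip)
        if ($0 ~ / Accepted /) acc[ip " " user]++; else fail[ip]++
    }
    END {
        for (k in fail) printf "FAILED\t%s\t%d\n", k, fail[k]
        for (k in acc)  printf "ACCEPTED\t%s\t%d\n", k, acc[k]
    }' "$1"
}

# sshd_failed_count FILE IP: number of failed attempts from IP (0 when none).
sshd_failed_count() {
    summarize_sshd_log "$1" | awk -F '\t' -v ip="$2" \
        '$1 == "FAILED" && $2 == ip { print $3; seen = 1 } END { if (!seen) print 0 }'
}

# sshd_accepted FILE: "IP user" for every successful login, sorted.
sshd_accepted() {
    summarize_sshd_log "$1" | awk -F '\t' '$1 == "ACCEPTED" { print $2 }' | sort
}

# Constructed sample log: the ubnt attempt from the post, two more guesses from
# the same address, one from a second address, and two real logins.
SSHD_LOG=$(mktemp)
cat > "$SSHD_LOG" <<'EOF'
Mar 16 03:25:11 localhost sshd[11499]: Invalid user ubnt from 46.214.146.198
Mar 16 03:25:11 localhost sshd[11499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=46.214.146.198
Mar 16 03:25:13 localhost sshd[11499]: Failed password for invalid user ubnt from 46.214.146.198 port 34989 ssh2
Mar 16 03:25:13 localhost sshd[11500]: Connection closed by 46.214.146.198
Mar 16 03:25:20 localhost sshd[11503]: Failed password for invalid user admin from 46.214.146.198 port 34991 ssh2
Mar 16 03:25:27 localhost sshd[11505]: Failed password for root from 46.214.146.198 port 34993 ssh2
Mar 16 03:40:02 localhost sshd[11520]: Failed password for root from 198.51.100.23 port 40120 ssh2
Mar 16 04:01:09 localhost sshd[11600]: Accepted password for root from 203.0.113.9 port 51022 ssh2
Mar 16 04:01:09 localhost sshd[11600]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 16 04:05:33 localhost sshd[11612]: Accepted publickey for deploy from 203.0.113.9 port 51030 ssh2
EOF

summarize_sshd_log "$SSHD_LOG"
```

On a real box run `summarize_sshd_log /var/log/secure` (and the rotated files next to it). An address with many FAILED entries and no ACCEPTED entry is a brute-force scanner, not proof of a break-in; an ACCEPTED entry from an address nobody recognises is the line to chase.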

So 46.214.146.198 is our man. Next, the history.

The log shows: Invalid user ubnt from 46.214.146.198

The shell history and the related access logs had already been deleted; the tracks had been wiped.

No backdoor to be found and no logs to go on, which was a bit of a headache.

One request did catch my eye: GET /cgi-bin/center.cgi?id=20 HTTP/1.1

It looked like the bash vulnerability (Shellshock, CVE-2014-6271) I had read about, so I ran the standard test on the server:

[root@mall ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable

this is a test

"vulnerable" is printed before the echo: bash imported the variable x as a function definition and executed the command appended after it.

The test confirmed it, so I upgraded bash to close the hole. On CentOS 6 the download-only plugin is packaged as yum-plugin-downloadonly (yum-downloadonly was the CentOS 5 name); a plain yum -y update bash does the same job when the machine can reach the repositories.

yum -y install yum-plugin-downloadonly

yum -y update --downloadonly --downloaddir=/root bash

yum -y localinstall /root/bash-4.1.2-33.el6_7.1.x86_64.rpm

# confirm the new version is in place, then repeat the env test above
rpm -q bash

After the upgrade I changed the system account passwords and the nginx user and password, moved sshd to a different port, and after a reboot the server was back to normal.

I had an engineer re-verify the MD5 sums of every file on the site; the comparison turned up nothing abnormal.


How the vulnerability is exploited:

Send a GET request -> to a CGI path on the target server (here /cgi-bin/center.cgi).

The target server's CGI handler passes the request headers to the script as environment variables. When the value of the User-Agent header begins with "() {", a vulnerable bash interpreter imports it as a function definition and then executes the command appended after the closing brace, so the attacker's command runs on the server with the web server's privileges.
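The step that turns a request header into something bash reads is the CGI environment mapping: a CGI server exports each header as an environment variable named by upper-casing it, replacing "-" with "_" and prefixing HTTP_ (RFC 3875), so User-Agent arrives as HTTP_USER_AGENT. The script below is an added example, not code from the original post: it builds that name, exports a Shellshock-shaped value under it the way a CGI server would, and reports whether the local bash runs the trailing command, which makes it a re-runnable check after the upgrade. The function names and the marker string used as the payload are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the header-to-environment
# step that lets a GET request reach bash, and a re-runnable check for the fix.
# A bash affected by CVE-2014-6271 (Shellshock) imports any environment
# variable whose value starts with "() {" as a function and also runs the
# command appended after the closing brace. The marker payload is constructed.

# cgi_env_name HEADER: the environment variable name a CGI server assigns to
# a request header (upper-case, '-' to '_', HTTP_ prefix).
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# bash_runs_env_trailer: export a Shellshock-shaped value under the name the
# User-Agent header would get, start a child bash the way a CGI script would,
# and report whether the trailing command ran. Prints "vulnerable" or
# "patched"; returns 0 when vulnerable, 1 when patched (or bash is absent).
bash_runs_env_trailer() {
    marker="shellshock-marker-$$"
    out=$(env "$(cgi_env_name User-Agent)=() { :;}; echo $marker" \
              bash -c 'echo request handled' 2>/dev/null || true)
    case "$out" in
        *"$marker"*) echo vulnerable; return 0 ;;
        *)           echo patched;    return 1 ;;
    esac
}

echo "User-Agent -> $(cgi_env_name User-Agent)"
if bash_runs_env_trailer; then
    echo "bash still executes the header trailer: update bash and re-run"
fi
```

On the compromised server before the upgrade this prints "vulnerable", because the echo appended after "() { :;};" runs when the child bash starts, exactly as the attacker's payload in the User-Agent would; on a patched bash only "request handled" comes back from the child and the script prints "patched". Note that the check runs whatever bash is first in PATH, so run it on the server itself, not from your workstation.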