Notes on the Lab Server Getting Hacked (Part 2)

  This post was nearly finished a while ago, but I kept being busy, saved it as a draft and never published it, and only recently remembered it. I did a simple analysis of the implanted scripts; my knowledge is limited, so please point out anything I got wrong.

  Let's first look at the file structure of the implanted scripts:

root@delleon:~/tmp# find . -printf '%y %p\n'
d .
d ./conect1
f ./conect1/autorun
f ./conect1/run
f ./conect1/bash
f ./conect1/LinkEvents
f ./conect1/start
f ./conect1/inst
d ./conect1/r
f ./conect1/r/raway.e
f ./conect1/r/rnicks.e
f ./conect1/r/rversions.e
f ./conect1/r/rkicks.e
f ./conect1/r/rsignoff.e
f ./conect1/r/rtsay.e
f ./conect1/r/rpickup.e
f ./conect1/r/rsay.e
f ./conect1/r/rinsult.e
d ./conect2
f ./conect2/m.pid
f ./conect2/autorun
f ./conect2/m.lev
f ./conect2/run
f ./conect2/alongi.seen
f ./conect2/.192.168.1.98.user.swp
f ./conect2/vhosts
f ./conect2/bash
f ./conect2/m.set
f ./conect2/LinkEvents
f ./conect2/xey.seen
f ./conect2/cron.d
f ./conect2/start
f ./conect2/m.ses
f ./conect2/inst
f ./conect2/update
f ./conect2/192.168.1.98.user
f ./conect2/192.168.1.98.user2
f ./conect2/mech.dir
d ./conect2/r
f ./conect2/r/raway.e
f ./conect2/r/rnicks.e
f ./conect2/r/rversions.e
f ./conect2/r/rkicks.e
f ./conect2/r/rsignoff.e
f ./conect2/r/rtsay.e
f ./conect2/r/rpickup.e
f ./conect2/r/rsay.e
f ./conect2/r/rinsult.e
d ./conect3
f ./conect3/autorun
f ./conect3/run
f ./conect3/bash
f ./conect3/LinkEvents
f ./conect3/start
f ./conect3/inst
d ./conect3/r
f ./conect3/r/raway.e
f ./conect3/r/rnicks.e
f ./conect3/r/rversions.e
f ./conect3/r/rkicks.e
f ./conect3/r/rsignoff.e
f ./conect3/r/rtsay.e
f ./conect3/r/rpickup.e
f ./conect3/r/rsay.e
f ./conect3/r/rinsult.e
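As an added example (not part of the original post), a small Python script that groups a `find . -printf '%y %p\n'` listing like the one above by top-level directory and reports which files every copy shares and which files only one copy has, so repeated installs of the same kit stand out and the copy holding runtime state (pid file, cron fragment, per-host config) is identified. The embedded listing is a shortened excerpt of the output above.

```python
# Added example: triage a `find . -printf '%y %p\n'` listing of a suspected
# implant directory by comparing the per-directory file sets.
from collections import defaultdict

# Shortened excerpt of the listing from the post; conect2 carries extra files.
FIND_OUTPUT = """\
d .
d ./conect1
f ./conect1/autorun
f ./conect1/run
f ./conect1/r/rsay.e
d ./conect2
f ./conect2/m.pid
f ./conect2/autorun
f ./conect2/run
f ./conect2/cron.d
f ./conect2/192.168.1.98.user
f ./conect2/r/rsay.e
d ./conect3
f ./conect3/autorun
f ./conect3/run
f ./conect3/r/rsay.e
"""


def parse_find(text):
    """Return {top_dir: set(paths relative to top_dir)} for regular files."""
    trees = defaultdict(set)
    for line in text.splitlines():
        kind, _, path = line.partition(" ")
        if kind != "f" or not path.startswith("./"):
            continue                      # skip directories and the '.' root
        top, _, rel = path[2:].partition("/")
        if rel:                           # ignore files directly under '.'
            trees[top].add(rel)
    return dict(trees)


def compare_copies(trees):
    """Return (sorted shared core, {top_dir: sorted files not in the core})."""
    core = set.intersection(*trees.values()) if trees else set()
    extras = {top: sorted(files - core) for top, files in trees.items()}
    return sorted(core), extras


if __name__ == "__main__":
    core, extras = compare_copies(parse_find(FIND_OUTPUT))
    print("files common to every copy:", core)
    for top, files in sorted(extras.items()):
        print(f"{top}: {len(files)} file(s) not in the core: {files}")
```

Run against the full listing, the shared core is the kit itself and the extras in conect2 are the state a running instance leaves behind, which tells you which copy to examine first.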

Notes on the Lab Server Getting Hacked (Part 1)

  When I got to the lab in the morning, weekface told me the lab server seemed to have a problem. He had earlier written a crontab job to run a backup task once a day; when he checked today, it had not run for a long time, and when he ran crontab -l, his job entry had vanished and been replaced by one pointing at a mysterious script.

  I went to take a look right away. Having never run into this before, my first thought was that a classmate in the lab had changed it, so I asked around: only four people in the room knew the root password, and each of them said they hadn't touched it. While asking, I looked at the contents of that script and was immediately stunned: it was full of hard-to-read shell commands, and only then did I realise something bad had happened. Then I checked the currently logged-in users, and the who command actually returned nothing! Next came last, and damn, last had been replaced too. I quickly pulled the network cable; it was obvious by then that our server had been hacked.

  Next we went step by step looking for traces. The who and last commands had been replaced outright, root's .bash_history had been overwritten by our own operations over the past few days, and /var/log/secure had been emptied; very clean. Then I looked at the crontab modification time, which was Jun ......