Article Title: linux bot intrusion detection. Linux is a technology channel of the IT lab in China. Including desktop applications, Linux system management, kernel research, embedded systems and open source and other basic categories yesterday agreed to wzt to find a few linux zombie testing programs, open the http://www.milw0rm.com/webapps.php, I tried a program with the include vulnerability and soon got a webshell. There's nothing to say, redhat9 machine, and then localroot.
The IP address and host name in this article have been replaced. Please do not enter the seat number. This method is for your reference only. In regular intrusion detection operations, we still need to pay attention to many process and details. In addition, this article does not explain some basic concepts or programs. If you do not understand anything, ask google.
Into the zombie, put on our ssh backdoor, the specific method can be found on the http://baoz.net or http://xsec.org, with video tutorial if you have doubts after watching the video, you can go to the linux version of The http://cnhonker.com/bbs/ to exchange.
When I enter ssh, oh, it's strange that the people of the US greet the people of South Korea? Something strange ......
Last login: Fri Nov 17 08:21:14 2006 from ac9e2da9.ipt.aol.com
Curious. scan it.
Reference:
| [Fatb @ baoz ~] $ Nmap-P0 ac9e2da9.ipt.aol.com-O |
The first thing to do with the machine is to see if it is vmware. If it is, run the road quickly. Don't fall into the broken jar of others.
Let's see:
# Check whether it is a vmware Machine
Reference:
| [Root @ victim root] # ifconfig-a | grep-I-e "00-05-69"-e "00-0C-29"-e "00-50-56 "; dmesg | grep-I vmware |
If there is no output, it's okay .... Even a honeypot is a honeypot invested in some devices. Continue to see what equipment he has invested:
Reference:
[Root @ victim root] # cat/proc/cpuinfo | grep name; cat/proc/meminfo | grep MemTotal
Model name: Intel (R) Xeon (TM) CPU 2.80 GHz
Model name: Intel (R) Xeon (TM) CPU 2.80 GHz
Model name: Intel (R) Xeon (TM) CPU 2.80 GHz
Model name: Intel (R) Xeon (TM) CPU 2.80 GHz
MemTotal: 1030228 kB
|
The remaining machine, although 4 CPU has only 1 GB of memory, is a bit strange, but it is barely enough to run a password or something.
There are two good articles about anti-honeynet, but they are all for vmware or User Mode Linux. If people use real machines, they have to rely on their own personalities.
Http://xsec.org/index.php? Module = arc... ew & type = 3 & id = 5
Http://xsec.org/index.php? Module = arc... ew & type = 3 & id = 6
For more information about honeynet and anti-honeynet, visit here.
Http://cnhonker.com/bbs/thread.php? Fid = 15 & type = 1
Let's talk nonsense. The second thing to do next is to check whether there are friends on it. If there are friends, I am sorry. Please go out.
Generally, I will first run a few commands to check whether the rootkit is changed badly or the version is incorrect. No matter what the reason is, some parameters of some replaced programs do not exist.
Reference:
[Root @ victim root] # ls-alh
Ls: invalid option -- h
Try 'ls -- help' for more information. |
Haha, ls is replaced. Check out netstat.
Reference:
[Root @ victim root] # netstat-anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
Tcp 0 0 0.0.0.0: 80 0.0.0.0: * LISTEN 1702/httpd
Tcp 0 0 0.0.0.0: 22 0.0.0.0: * LISTEN 1516/sshd
Tcp 0 0 127.0.0.1: 25 0.0.0.0: * LISTEN 1540/
Tcp 0 300 123.123.123.123: 22 10.20.30.40: 2245 ESTABLISHED 6097/sshd:
Tcp 0 0 123.123.123.123: 22 10.20.30.40: 2247 ESTABLISHED 6815/sshd:
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
Unix 2 [ACC] stream listening 121430 6815/sshd:/tmp/ssh-vfJj6815/agent.6815
Unix 2 [ACC] stream listening 116904 6097/sshd:/tmp/ssh-weHq6097/agent.6097
Unix 6 [] DGRAM 1560 1476/syslogd/dev/log
Unix 2 [] DGRAM 1771 1570/crond
Unix 2 [] DGRAM 1728 1549/
Unix 2 [] DGRAM 1714 1540/
Unix 2 [] DGRAM 1568 1480/klogd
|
It seems to be normal.
Regardless of 3721, let's check two rootkit items, chkrootkit and rkhunter.
Let's take a look at chkrootkit:
Note: we are currently checking in an untrusted environment. Some may ask "Why check in an untrusted environment?" Because of this, because we first check in an untrusted environment to obtain a result, and then check in a slightly trusted environment, and then get a result, so that we can compare the results before and after, you can see if this daoyou has used LKM or a higher level rootkit.
After checking, we find the following interesting information:
Reference:
[Root @ victim chkrootkit-0.47] #./chkrootkit
Checking 'ifconfig'... INFECTED
Checking 'pstree'... INFECTED
Searching for t0rn's v8 ults... Possible t0rn v8 \ (or variation \) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit.../usr/include/file. h/usr/include/proc. h
Checking 'binshell'... not infected
Checking 'lkm '... You have 2 process hidden for ps command
Chkproc: Warning: Possible LKM Trojan installed |
[1] [2] [3] [4] [5] Next page
