Linux bot intrusion detection
Yesterday I agreed with wzt to find a few Linux zombies to test some programs on. I opened http://www.milw0rm.com/webapps.php, tried one program that had an include vulnerability, and soon had a webshell. Nothing much to say about it: a redhat9 machine, then localroot.
The IP address and host name in this article have been replaced; please do not read any real target into them. The method is for your reference only. In real intrusion-detection work there are many more steps and details to attend to. This article also does not explain basic concepts or programs; if something is unclear, ask Google.
Once on the zombie, install our ssh backdoor. The specific method can be found at http://baoz.net or http://xsec.org, which have video tutorials; if you still have questions after watching the video, go to the Linux board of http://cnhonker.com/bbs/ to discuss.
When I logged in over ssh, hmm, strange: someone from the US greeting the people of South Korea? Something is off...
Last login: Fri Nov 17 08:21:14 2006 from ac9e2da9.ipt.aol.com
Curious. Scan it:
[fatb@baoz ~]$ nmap -P0 -O ac9e2da9.ipt.aol.com
The first thing to do on the machine is to check whether it is VMware. If it is, run quickly; don't walk into someone else's honeypot.
Let's see:
# Check whether it is a VMware machine (the three prefixes are VMware's MAC OUIs; ifconfig prints MACs colon-separated)
[root@victim root]# ifconfig -a | grep -i -e "00:05:69" -e "00:0C:29" -e "00:50:56"; dmesg | grep -i vmware
If there is no output, fine.... Even a honeypot is a honeypot that someone invested hardware in, so let's see what hardware he has put into this one:
[root@victim root]# cat /proc/cpuinfo | grep name; cat /proc/meminfo | grep MemTotal
model name      : Intel(R) Xeon(TM) CPU 2.80GHz
model name      : Intel(R) Xeon(TM) CPU 2.80GHz
model name      : Intel(R) Xeon(TM) CPU 2.80GHz
model name      : Intel(R) Xeon(TM) CPU 2.80GHz
MemTotal:      1030228 kB
This machine has 4 CPUs but only 1 GB of memory, which is a bit odd, but it is barely enough to run password cracking or the like.
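The VMware check above is a one-liner that is easy to mistype on a hostile box. Here it is as a small reusable script (an added example, not code from the original article or its author): the three VMware OUIs are real registered prefixes, the ifconfig-style sample lines in the usage are constructed, and the /sys/class/dmi path is an assumption that only holds on kernels newer than the article's redhat9 host.

```shell
#!/bin/sh
# Added example (not from the original article): a reusable version of the
# "is this a VMware box / honeypot?" check. The VMware OUIs 00:05:69, 00:0C:29
# and 00:50:56 are real registered prefixes; all sample input is constructed.
# The /sys/class/dmi path is an assumption (newer kernels than redhat9).

VM_OUIS='00:05:69 00:0C:29 00:50:56'

# vm_mac_hits: read ifconfig-style text on stdin and print each line whose
# hardware address starts with a VMware OUI. Handles both the old
# "HWaddr 00:0C:29:..." layout and the newer lowercase "ether 00:0c:29:...".
# Exit status 0 when at least one line matched, 1 otherwise.
vm_mac_hits() {
    hits=0
    while IFS= read -r line; do
        upper=$(printf '%s' "$line" | tr 'a-f' 'A-F')
        for oui in $VM_OUIS; do
            case "$upper" in
                *"$oui:"*) echo "$line"; hits=$((hits + 1)); break ;;
            esac
        done
    done
    [ "$hits" -gt 0 ]
}

# vm_dmesg_hits: read kernel log text on stdin, print lines that name a
# hypervisor. Exit status is grep's: 0 on a hit, 1 on none.
vm_dmesg_hits() {
    grep -i -e vmware -e vmxnet -e virtualbox -e qemu -e kvm -e hypervisor
}

# check_live_host: run both checks against the machine we are sitting on.
check_live_host() {
    echo '== VMware OUIs in ifconfig -a =='
    ifconfig -a 2>/dev/null | vm_mac_hits || echo 'none'
    echo '== hypervisor strings in dmesg =='
    dmesg 2>/dev/null | vm_dmesg_hits || echo 'none'
    echo '== DMI strings (assumption: only present on newer kernels) =='
    for f in /sys/class/dmi/id/sys_vendor /sys/class/dmi/id/product_name; do
        [ -r "$f" ] && printf '%s: %s\n' "$f" "$(cat "$f")"
    done
    return 0
}

# Usage: sh vmcheck.sh --live
case "${1:-}" in --live) check_live_host ;; esac
```

Run it with `--live` on the box; with no argument it only defines the functions, so the two stdin-driven checks can be pointed at a saved `ifconfig -a` or `dmesg` capture from another host just as easily.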
There are two good articles on anti-honeynet techniques, but both cover VMware or User Mode Linux. If people use real machines, you have to rely on your own luck.
http://xsec.org/index.php?module=arc...ew&type=3&id=5
http://xsec.org/index.php?module=arc...ew&type=3&id=6
For more on honeynets and anti-honeynet techniques, see here:
http://cnhonker.com/bbs/thread.php?fid=15&type=1
Enough chatter. The second thing to do is check whether there are already "friends" on the box. If there are, sorry, please leave.
Usually I first run a few commands to see whether any binaries have been replaced by a rootkit or report the wrong version. Whatever the reason, some options of the replaced programs simply do not exist.
[root@victim root]# ls -alh
ls: invalid option -- h
Try `ls --help' for more information.
Haha, ls has been replaced. Let's look at netstat.
[root@victim root]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1702/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1516/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1540/
tcp        0    300 123.123.123.123:22      10.20.30.40:2245        ESTABLISHED 6097/sshd:
tcp        0      0 123.123.123.123:22      10.20.30.40:2247        ESTABLISHED 6815/sshd:
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     121430 6815/sshd:          /tmp/ssh-vfJj6815/agent.6815
unix  2      [ ACC ]     STREAM     LISTENING     116904 6097/sshd:          /tmp/ssh-weHq6097/agent.6097
unix  6      [ ]         DGRAM                    1560   1476/syslogd        /dev/log
unix  2      [ ]         DGRAM                    1771   1570/crond
unix  2      [ ]         DGRAM                    1728   1549/
unix  2      [ ]         DGRAM                    1714   1540/
unix  2      [ ]         DGRAM                    1568   1480/klogd
That looks normal.
Without further ado, let's run two rootkit checkers, chkrootkit and rkhunter.
Let's take a look at chkrootkit:
Note: we are checking in an untrusted environment right now. Some may ask, "Why check in an untrusted environment at all?" Precisely because of that: we first check in the untrusted environment to get one result, then check again in a somewhat more trusted environment to get a second result, and compare the two. The difference tells us whether this fellow used an LKM or a higher-level rootkit.
After the check, we find the following interesting information:
[root@victim chkrootkit-0.47]# ./chkrootkit
Checking `ifconfig'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Checking `binshell'... not infected
Checking `lkm'... You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed