Once the Linux server is compromised, the detection process

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiERm87Ie "style=" border:0px;margin:20px 0px; "alt=" 0bkierm87ie "/>

Author | Hazbund Source | Freebuf

0x00 Preface

The story is this, Lunar New Year, customer response to their server can not access, view the route, found that a ORACLE+TOMCAT server UDP traffic oversized, the bandwidth accounted for, the new Year, the customer first found the local technical staff to get a few days did not fix, and then no way to find us third day ... The Customer is God!

In fact, I have encountered this kind of attack before, at that time an IDC was paralyzed, but the horse is not in our equipment, so not too much attention ...

0x01 Find Trojan

First SSH login, top view process, find strange name of the command GEJFHZTHBP, a look on the feeling there is a problem.

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiEQIw9Dc "style=" border:0px;margin:20px 0px; "alt=" 0bkieqiw9dc "/>

Lsof–c GEJFHZTHBP

View the associated file, discover the external TCP connection, do not know if it is reverse shell ...

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiENYsmnI "style=" border:0px;margin:20px 0px; "alt=" 0BKiENYsmnI "/>

650) this.width=650; "src=" http://si1.go2yd.com/get-image/0BKiEMGj1cm "style=" border:0px;margin:20px 0px; "alt=" 0bkiemgj1cm "/>

Execute command

Whereis GEJFHZTHBP Ls-al GEJFHZTHBP

View the file path. and view the file creation time, which matches the intrusion time.

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDs12FMm "style=" border:0px;margin:20px 0px; "alt=" 0BKIDS12FMM "/>

By the way, copy the files down to the Kali virtual machine to try the power, a few seconds results are as follows ...

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDqY183E "style=" border:0px;margin:20px 0px; "alt=" 0bkidqy183e "/>

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDtfll0C "style=" border:0px;margin:20px 0px; "alt=" 0bkidtfll0c "/>

I thought it was a foreigner, it should prove that the people are doing it ...

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDv6I2ka "style=" border:0px;margin:20px 0px; "alt=" 0bkidv6i2ka "/>

0X02 Resume Business

First kill process, the result is certainly not so simple, the process changed a name and came out

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDvvmlbU "style=" border:0px;margin:20px 0px; "alt=" 0BKiDvvmlbU "/>

In the middle of a lot of process, ps–ef |grep found that the parent process is different each time, the association process is sometimes sshd, sometimes pwd,ls, the middle of a VNC connection, and then shut down the SSH service, the same invalid, and kill a few times found that the parent process becomes 1, the level is limited, the production server, Or conservative treatment, to business-oriented bar ...

Since the invasion, the first or the firewall of the SSH map off it, after all, the server is still to use, or to write a few iptables rules it

Iptables-a Output-o lo-j ACCEPT

Allow native access to native

Iptables-a output-m State--state established-j ACCEPT

Allow unsolicited access to this server

Iptables-a output–p tcp–d 192.168.1.235-jaccept

IP whitelist that allows the server to actively access

Iptables-a DROP

Refusal of external access

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDxTqU9A "style=" border:0px;margin:20px 0px; "alt=" 0bkidxtqu9a "/>

Here, the business is back to normal.

0x03 Find Reason

In fact, in the beginning I realized that the problem is SSH, but first to help people to restore business again, the Web port is only Tomcat, web vulnerabilities have been checked, what Struts2,manager page, there are some common web vulnerabilities will not exist, unless there is 0day .... Oracle doesn't even have a single ssh.

Based on this, I directly check the root account SSH log, turn and turn, finally ....

Cd/var/log Less secure

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiDymp9BA "style=" border:0px;margin:20px 0px; "alt=" 0bkidymp9ba "/>

650) this.width=650; "src=" http://si1.go2yd.com/get-image/0BKiE0GaMsq "style=" border:0px;margin:20px 0px; "alt=" 0bkie0gamsq "/>

For example, the use of Indonesian IP blasting success, and the back of the server intranet IP landed unexpectedly is a failure, asked the customer, it is understood how the end, they add equipment, to the server temporarily changed the weak password to facilitate a variety of third-party technical personnel debugging, and then estimated to forget to change back, the result of tragedy, was the bad man landed not The root password has also been changed, you can not log on ... I wonder if their boss knows ...

Keep looking at the history file and see what people are doing.

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiE1V81Wi "style=" border:0px;margin:20px 0px; "alt=" 0bkie1v81wi "/>

650) this.width=650; "src=" Http://si1.go2yd.com/get-image/0BKiEFLIabQ "style=" border:0px;margin:20px 0px; "alt=" 0BKiEFLIabQ "/>

The operation of the bad guys is basically here, he executed a lot of scripts, who knows how much he did, or recommend the customer to re-install the system it ...

0x04 PostScript

The main or own experience is shallow, Linux operation and maintenance play is not familiar, do not know how to drive out the horse completely ... Daniel, don't squirt.

Article Source: Marco Education

Official: Marco Linux operations

Technology Exchange Group: 485374463

This article is from the "Marco Linux Training" blog, so be sure to keep this source http://mageedu.blog.51cto.com/4265610/1901543

Once the Linux server is compromised, the detection process