下面是我初步的排查过程:
[1]
[root@71 ~]# tcpdump host 192.168.0.71|grep "IP 115.*"|more
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
09:49:26.832352 IP 115.28.141.133.ftp > 71.com.35350: P
2147650553:2147650557(4) ack 2665769856 win 65346
<nop,nop,timestamp 27703966 161939534>
09:49:27.092451 IP 115.28.141.133.ftp > 71.com.35350: . ack 28
win 65319 <nop,nop,timestamp 27703969 161941001>
09:49:27.549998 IP 115.28.141.133.http > 71.com.34660: P
2929376355:2929376359(4) ack 1041793276 win 65130
<nop,nop,timestamp 27703974 161940220>
09:49:27.751314 IP 115.28.141.133.http > 71.com.34660: . ack 28
win 65103 <nop,nop,timestamp 27703976 161941719>
09:49:28.319662 IP 115.28.141.133.ftp > 71.com.35350: P 4:8(4)
ack 28 win 65319 <nop,nop,timestamp 27703981 161941001>
09:49:28.516432 IP 115.28.141.133.ftp > 71.com.35350: . ack 55
win 65292 <nop,nop,timestamp 27703983 161942488>
09:49:29.049496 IP 115.28.141.133.http > 71.com.34660: P 4:8(4)
ack 28 win 65103 <nop,nop,timestamp 27703988 161941719>
[2]
[root@71 vsftpd]# netstat -nlp|grep 35350
[root@71 vsftpd]# netstat -nlp|grep 34660
[root@71 vsftpd]# netstat -nlp|grep 34660
[root@71 vsftpd]# lsof -P -n -t -i:34660
3929
[root@71 vsftpd]# ps aux|grep 3929
root 3929 0.3 0.0 433804 924 ? Ssl Oct27 10:15
[pstart]
[3]
google:pstart
找到,
Linux 系统木马病毒pstart 及其背后的源文件查找经历
http://my.oschina.net/lionel45/blog/310105
http://bbs.chinaunix.net/thread-4138911-1-1.html
[4]
有论坛:http://bbs.chinaunix.net/thread-4149900-1-1.html
[root@71 lm]# pwd
/var/opt/lm
[root@71 lm]# ls -l
total 2488
-rw-r--r-- 1 root root 45 Oct 22 17:49 fake.cfg
-rwxr-xr-x 1 root root 1153664 Oct 27 12:48 https
-rwxr-xr-x 1 root root 1128800 Oct 27 12:48 pstart
-rwxr-xr-x 1 root root 243512 Oct 22 17:49 wget
[root@71 lm]#
===============
参考资料地址:
http://bbs.chinaunix.net/thread-4149900-1-1.html
http://bbs.chinaunix.net/thread-4150148-1-1.html
http://bbs.chinaunix.net/thread-4149586-1-1.html ======哥们儿进来看看,我这儿被黑客攻击后的操作系统怎么办?====== 已经找到会在系统里面运行如下黑客进程: iisdate pstart https 并且这些进程的文件保存在/var/opt/lm/文件夹。 我已经编写一个脚本,只要查询到运行iisdate/pstart/https进程,就会删除/var/opt/lm/文件夹。 但是进程可以杀掉,文件夹可以删除掉,这些东西总是会反复出现,请大家给我出出主意。 -----------------------------------------------------------------> 昨天晚上该来的总会来的,通过脚本输出日志得到的如下信息: \ 查找到关键字iisdate进程(ps -ef | grep 进程号 | grep -v grep) root 11814 1 0 04:20 ? 00:00:00 ./iisdate \ 查看进程号打开的所有文件(lsof -p 进程号) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME iisdate 11814 root cwd DIR 8,1 4096 12451926 /var/opt/lm iisdate 11814 root rtd DIR 8,1 4096 2 / iisdate 11814 root txt REG 8,1 1135000 12451928 /var/opt/lm/iisdate iisdate 11814 root 0u CHR 1,3 0t0 1029 /dev/null iisdate 11814 root 1u CHR 1,3 0t0 1029 /dev/null iisdate 11814 root 2u CHR 1,3 0t0 1029 /dev/null iisdate 11814 root 3uW REG 8,1 5 15728647 /tmp/gates.lock iisdate 11814 root 4u IPv4 26057293 0t0 TCP matoue06:34685->115.28.141.133:ftp-data (ESTABLISHED) \ 查看进程号打开的所有文件(lsof -c 进程号) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME iisdate 11814 root cwd DIR 8,1 4096 12451926 /var/opt/lm iisdate 11814 root rtd DIR 8,1 4096 2 / iisdate 11814 root txt REG 8,1 1135000 12451928 /var/opt/lm/iisdate iisdate 11814 root 0u CHR 1,3 0t0 1029 /dev/null iisdate 11814 root 1u CHR 1,3 0t0 1029 /dev/null iisdate 11814 root 2u CHR 1,3 0t0 1029 /dev/null iisdate 11814 root 3uW REG 8,1 5 15728647 /tmp/gates.lock iisdate 11814 root 4u IPv4 26057293 0t0 TCP matoue06:34685->115.28.141.133:ftp-data (ESTABLISHED) \ 查找到关键字https进程(ps -ef | grep 进程号 | grep -v grep) root 11762 1 0 04:20 ? 00:00:00 [https] \ 查看进程号打开的所有文件(lsof -p 进程号) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME https 11762 root cwd DIR 8,1 0 12451876 /var/opt/lm (deleted) https 11762 root rtd DIR 8,1 4096 2 / https 11762 root txt REG 8,1 1480387 12451927 /var/opt/lm/https (deleted) https 11762 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive https 11762 root 0u CHR 1,3 0t0 1029 /dev/null https 11762 root 1u CHR 1,3 0t0 1029 /dev/null https 11762 root 2u CHR 1,3 0t0 1029 /dev/null https 11762 root 3u IPv4 26061534 0t0 TCP matoue06:50008->115.28.141.133:ftp (ESTABLISHED) \ 查看进程号打开的所有文件(lsof -c 进程号) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME https 11762 root cwd DIR 8,1 0 12451876 /var/opt/lm (deleted) https 11762 root rtd DIR 8,1 4096 2 / https 11762 root txt REG 8,1 1480387 12451927 /var/opt/lm/https (deleted) https 11762 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive https 11762 root 0u CHR 1,3 0t0 1029 /dev/null https 11762 root 1u CHR 1,3 0t0 1029 /dev/null https 11762 root 2u CHR 1,3 0t0 1029 /dev/null https 11762 root 3u IPv4 26061534 0t0 TCP matoue06:50008->115.28.141.133:ftp (ESTABLISHED) 115.28.141.133这个IP地址我查询了一下,信息如下: 本站主数据:北京市 万网高科技信息技术有限公司 电信 参考数据一:北京市 万网高科技信息技术有限公司 \ 列出/var/opt/lm/文件夹的详细信息 drwxr-xr-x 2 root root 4096 Aug 12 04:20 /var/opt/lm/ total 2244 -rw-r--r-- 1 root root 69 Aug 12 04:20 conf.n -rwxr-xr-x 1 root root 1153664 Aug 12 04:20 https -rwxr-xr-x 1 root root 1135000 Aug 12 04:20 iisdate [ 20140812 04:21:01 ] ======================== End ====================== 查看crond里面也是没有什么异常,请大家伙继续给我出出主意,想办法找到源头。 或者说我的脚本还应该截取哪些信息呢? ----------------------------------------------------------------------------------------------------------------------> ======================== 寻找步骤 ======================== Aug 13 11:29:01 matoue06 CRON[29703]: pam_unix(cron:session): session opened for user root by (uid=0) Aug 13 11:29:01 matoue06 CRON[29703]: pam_unix(cron:session): session closed for user root Aug 13 11:30:01 matoue06 CRON[29755]: pam_unix(cron:session): session opened for user root by (uid=0) Aug 13 11:30:01 matoue06 CRON[29756]: pam_unix(cron:session): session opened for user root by (uid=0) Aug 13 11:30:01 matoue06 CRON[29756]: pam_unix(cron:session): session closed for user root Aug 13 11:30:01 matoue06 CRON[29755]: pam_unix(cron:session): session closed for user root Aug 13 11:31:00 matoue06 sshd[29820]: fatal: Read from socket failed: Connection reset by peer [preauth] ----------------------------------------------------------------------------------------------------------------------> 以上日志截取于/var/log/auth.log文件里面,通过执行"top"命令发现进程里面出现"getty"进程,就会在/var/log/auth.log文件里面写入日志。 root@matoue06:/tmp# lsof -c getty COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME getty 1127 root cwd DIR 8,1 4096 2 / getty 1127 root rtd DIR 8,1 4096 2 / getty 1127 root txt REG 8,1 32112 16515075 /sbin/getty getty 1127 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive getty 1127 root mem REG 8,1 52160 5243102 /lib/x86_64-linux-gnu/libnss_files-2.17.so getty 1127 root mem REG 8,1 47760 5243106 /lib/x86_64-linux-gnu/libnss_nis-2.17.so getty 1127 root mem REG 8,1 97296 5243096 /lib/x86_64-linux-gnu/libnsl-2.17.so getty 1127 root mem REG 8,1 35728 5243098 /lib/x86_64-linux-gnu/libnss_compat-2.17.so getty 1127 root mem REG 8,1 1853400 5243045 /lib/x86_64-linux-gnu/libc-2.17.so getty 1127 root mem REG 8,1 149312 5243025 /lib/x86_64-linux-gnu/ld-2.17.so getty 1127 root mem REG 8,1 151984 1573265 /usr/lib/locale/C.UTF-8/LC_CTYPE getty 1127 root mem REG 8,1 26258 1575111 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache getty 1127 root 0u CHR 4,4 0t0 1046 /dev/tty4 getty 1127 root 1u CHR 4,4 0t0 1046 /dev/tty4 getty 1127 root 2u CHR 4,4 0t0 1046 /dev/tty4 getty 1132 root cwd DIR 8,1 4096 2 / getty 1132 root rtd DIR 8,1 4096 2 / getty 1132 root txt REG 8,1 32112 16515075 /sbin/getty getty 1132 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive getty 1132 root mem REG 8,1 52160 5243102 /lib/x86_64-linux-gnu/libnss_files-2.17.so getty 1132 root mem REG 8,1 47760 5243106 /lib/x86_64-linux-gnu/libnss_nis-2.17.so getty 1132 root mem REG 8,1 97296 5243096 /lib/x86_64-linux-gnu/libnsl-2.17.so getty 1132 root mem REG 8,1 35728 5243098 /lib/x86_64-linux-gnu/libnss_compat-2.17.so getty 1132 root mem REG 8,1 1853400 5243045 /lib/x86_64-linux-gnu/libc-2.17.so getty 1132 root mem REG 8,1 149312 5243025 /lib/x86_64-linux-gnu/ld-2.17.so getty 1132 root mem REG 8,1 151984 1573265 /usr/lib/locale/C.UTF-8/LC_CTYPE getty 1132 root mem REG 8,1 26258 1575111 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache getty 1132 root 0u CHR 4,5 0t0 1047 /dev/tty5 getty 1132 root 1u CHR 4,5 0t0 1047 /dev/tty5 getty 1132 root 2u CHR 4,5 0t0 1047 /dev/tty5 getty 1140 root cwd DIR 8,1 4096 2 / getty 1140 root rtd DIR 8,1 4096 2 / getty 1140 root txt REG 8,1 32112 16515075 /sbin/getty getty 1140 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive getty 1140 root mem REG 8,1 52160 5243102 /lib/x86_64-linux-gnu/libnss_files-2.17.so getty 1140 root mem REG 8,1 47760 5243106 /lib/x86_64-linux-gnu/libnss_nis-2.17.so getty 1140 root mem REG 8,1 97296 5243096 /lib/x86_64-linux-gnu/libnsl-2.17.so getty 1140 root mem REG 8,1 35728 5243098 /lib/x86_64-linux-gnu/libnss_compat-2.17.so getty 1140 root mem REG 8,1 1853400 5243045 /lib/x86_64-linux-gnu/libc-2.17.so getty 1140 root mem REG 8,1 149312 5243025 /lib/x86_64-linux-gnu/ld-2.17.so getty 1140 root mem REG 8,1 151984 1573265 /usr/lib/locale/C.UTF-8/LC_CTYPE getty 1140 root mem REG 8,1 26258 1575111 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache getty 1140 root 0u CHR 4,2 0t0 1044 /dev/tty2 getty 1140 root 1u CHR 4,2 0t0 1044 /dev/tty2 getty 1140 root 2u CHR 4,2 0t0 1044 /dev/tty2 getty 1141 root cwd DIR 8,1 4096 2 / getty 1141 root rtd DIR 8,1 4096 2 / getty 1141 root txt REG 8,1 32112 16515075 /sbin/getty getty 1141 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive getty 1141 root mem REG 8,1 52160 5243102 /lib/x86_64-linux-gnu/libnss_files-2.17.so getty 1141 root mem REG 8,1 47760 5243106 /lib/x86_64-linux-gnu/libnss_nis-2.17.so getty 1141 root mem REG 8,1 97296 5243096 /lib/x86_64-linux-gnu/libnsl-2.17.so getty 1141 root mem REG 8,1 35728 5243098 /lib/x86_64-linux-gnu/libnss_compat-2.17.so getty 1141 root mem REG 8,1 1853400 5243045 /lib/x86_64-linux-gnu/libc-2.17.so getty 1141 root mem REG 8,1 149312 5243025 /lib/x86_64-linux-gnu/ld-2.17.so getty 1141 root mem REG 8,1 151984 1573265 /usr/lib/locale/C.UTF-8/LC_CTYPE getty 1141 root mem REG 8,1 26258 1575111 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache getty 1141 root 0u CHR 4,3 0t0 1045 /dev/tty3 getty 1141 root 1u CHR 4,3 0t0 1045 /dev/tty3 getty 1141 root 2u CHR 4,3 0t0 1045 /dev/tty3 getty 1145 root cwd DIR 8,1 4096 2 / getty 1145 root rtd DIR 8,1 4096 2 / getty 1145 root txt REG 8,1 32112 16515075 /sbin/getty getty 1145 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive getty 1145 root mem REG 8,1 52160 5243102 /lib/x86_64-linux-gnu/libnss_files-2.17.so getty 1145 root mem REG 8,1 47760 5243106 /lib/x86_64-linux-gnu/libnss_nis-2.17.so getty 1145 root mem REG 8,1 97296 5243096 /lib/x86_64-linux-gnu/libnsl-2.17.so getty 1145 root mem REG 8,1 35728 5243098 /lib/x86_64-linux-gnu/libnss_compat-2.17.so getty 1145 root mem REG 8,1 1853400 5243045 /lib/x86_64-linux-gnu/libc-2.17.so getty 1145 root mem REG 8,1 149312 5243025 /lib/x86_64-linux-gnu/ld-2.17.so getty 1145 root mem REG 8,1 151984 1573265 /usr/lib/locale/C.UTF-8/LC_CTYPE getty 1145 root mem REG 8,1 26258 1575111 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache getty 1145 root 0u CHR 4,6 0t0 1048 /dev/tty6 getty 1145 root 1u CHR 4,6 0t0 1048 /dev/tty6 getty 1145 root 2u CHR 4,6 0t0 1048 /dev/tty6 getty 36505 root cwd DIR 8,1 4096 2 / getty 36505 root rtd DIR 8,1 4096 2 / getty 36505 root txt REG 8,1 32112 16515075 /sbin/getty getty 36505 root mem REG 8,1 6259632 1577900 /usr/lib/locale/locale-archive getty 36505 root mem REG 8,1 52160 5243102 /lib/x86_64-linux-gnu/libnss_files-2.17.so getty 36505 root mem REG 8,1 47760 5243106 /lib/x86_64-linux-gnu/libnss_nis-2.17.so getty 36505 root mem REG 8,1 97296 5243096 /lib/x86_64-linux-gnu/libnsl-2.17.so getty 36505 root mem REG 8,1 35728 5243098 /lib/x86_64-linux-gnu/libnss_compat-2.17.so getty 36505 root mem REG 8,1 1853400 5243045 /lib/x86_64-linux-gnu/libc-2.17.so getty 36505 root mem REG 8,1 149312 5243025 /lib/x86_64-linux-gnu/ld-2.17.so getty 36505 root mem REG 8,1 151984 1573265 /usr/lib/locale/C.UTF-8/LC_CTYPE getty 36505 root mem REG 8,1 26258 1575111 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache getty 36505 root 0u CHR 4,1 0t0 1043 /dev/tty1 getty 36505 root 1u CHR 4,1 0t0 1043 /dev/tty1 getty 36505 root 2u CHR 4,1 0t0 1043 /dev/tty1 getty 41069 root cwd DIR 8,1 0 12451877 /var/opt/lm (deleted) getty 41069 root rtd DIR 8,1 4096 2 / getty 41069 root 0u CHR 1,3 0t0 1029 /dev/null getty 41069 root 1u CHR 1,3 0t0 1029 /dev/null getty 41069 root 2u CHR 1,3 0t0 1029 /dev/null getty 41069 root 4u IPv4 28256797 0t0 TCP matoue06:42906->183.60.106.190:45000 (SYN_SENT) ----------> IP地址:183.60.106.190,这个IP地址不是我们的IP地址,使用www.ip138.com查询IP地址是广东省佛山市。 \ 通过getty进程号41069查询里面运行的文件 root@matoue06:/tmp# cd /proc/41069/ root@matoue06:/proc/41069# ls -ail total 0 27826875 dr-xr-xr-x 9 root root 0 Aug 13 04:30 . 1 dr-xr-xr-x 285 root root 0 Jun 20 10:50 .. 28205075 dr-xr-xr-x 2 root root 0 Aug 13 11:10 attr 28205064 -rw-r--r-- 1 root root 0 Aug 13 11:10 autogroup 28205060 -r-------- 1 root root 0 Aug 13 11:10 auxv 28205081 -r--r--r-- 1 root root 0 Aug 13 11:10 cgroup 28205072 --w------- 1 root root 0 Aug 13 11:10 clear_refs 27827522 -r--r--r-- 1 root root 0 Aug 13 04:31 cmdline 28205065 -rw-r--r-- 1 root root 0 Aug 13 11:10 comm 28205087 -rw-r--r-- 1 root root 0 Aug 13 11:10 coredump_filter 28205080 -r--r--r-- 1 root root 0 Aug 13 11:10 cpuset 27835142 lrwxrwxrwx 1 root root 0 Aug 13 04:39 cwd -> /var/opt/lm (deleted) --------------> 看见这个目录一切真相大白 28205059 -r-------- 1 root root 0 Aug 13 11:10 environ 27826876 lrwxrwxrwx 1 root root 0 Aug 13 04:30 exe -> /usr/bin/bsd-port/getty --------------> getty命令怎么会放在这个目录里面呢?使用"whereis getty"命令就清楚了。 27835145 dr-x------ 2 root root 0 Aug 13 04:39 fd 27835151 dr-x------ 2 root root 0 Aug 13 04:39 fdinfo 28205088 -r-------- 1 root root 0 Aug 13 11:10 io 28205079 -r--r--r-- 1 root root 0 Aug 13 11:10 latency 28205062 -r--r--r-- 1 root root 0 Aug 13 11:10 limits 28205085 -rw-r--r-- 1 root root 0 Aug 13 11:10 loginuid 28205057 dr-x------ 2 root root 0 Aug 13 11:10 map_files 27835144 -r--r--r-- 1 root root 0 Aug 13 04:39 maps 28205068 -rw------- 1 root root 0 Aug 13 11:10 mem 28205070 -r--r--r-- 1 root root 0 Aug 13 11:10 mountinfo 28205069 -r--r--r-- 1 root root 0 Aug 13 11:10 mounts 28205071 -r-------- 1 root root 0 Aug 13 11:10 mountstats 27819588 dr-xr-xr-x 6 root root 0 Aug 13 04:30 net 28205058 dr-x--x--x 2 root root 0 Aug 13 11:10 ns 28205067 -r--r--r-- 1 root root 0 Aug 13 11:10 numa_maps 28205083 -rw-r--r-- 1 root root 0 Aug 13 11:10 oom_adj 28205082 -r--r--r-- 1 root root 0 Aug 13 11:10 oom_score 28205084 -rw-r--r-- 1 root root 0 Aug 13 11:10 oom_score_adj 28205074 -r--r--r-- 1 root root 0 Aug 13 11:10 pagemap 28205061 -r--r--r-- 1 root root 0 Aug 13 11:10 personality 27835143 lrwxrwxrwx 1 root root 0 Aug 13 04:39 root -> / 28205063 -rw-r--r-- 1 root root 0 Aug 13 11:10 sched 28205078 -r--r--r-- 1 root root 0 Aug 13 11:10 schedstat 28205086 -r--r--r-- 1 root root 0 Aug 13 11:10 sessionid 28205073 -r--r--r-- 1 root root 0 Aug 13 11:10 smaps 28205077 -r--r--r-- 1 root root 0 Aug 13 11:10 stack 27827520 -r--r--r-- 1 root root 0 Aug 13 04:31 stat 28168119 -r--r--r-- 1 root root 0 Aug 13 10:36 statm 27827521 -r--r--r-- 1 root root 0 Aug 13 04:31 status 28205066 -r--r--r-- 1 root root 0 Aug 13 11:10 syscall 28205056 dr-xr-xr-x 10 root root 0 Aug 13 11:10 task 28205089 -r--r--r-- 1 root root 0 Aug 13 11:10 timers 28205076 -r--r--r-- 1 root root 0 Aug 13 11:10 wchan root@matoue06:/proc/41069# whereis getty --------------> 使用"whereis getty"命令就清楚了。getty命令存放在/sbin/getty。 getty: /sbin/getty /usr/share/man/man8/getty.8.gz root@matoue06:/proc/41069# ls -ld /usr/bin/ drwxr-xr-x 4 root root 36864 Aug 12 18:09 /usr/bin/ root@matoue06:/proc/41069# ls -ld /usr/bin/bsd-port/ --------------> /usr/bin/bsd-port/目录创建于2014年08月07日 drwxr-xr-x 2 root root 4096 Aug 7 11:46 /usr/bin/bsd-port/ root@matoue06:/proc/41069# cd /usr/bin/bsd-port/ root@matoue06:/usr/bin/bsd-port# ls -al --------------> 查看 /usr/bin/bsd-port/目录存放的所有文件 total 1160 drwxr-xr-x 2 root root 4096 Aug 7 11:46 . drwxr-xr-x 4 root root 36864 Aug 12 18:09 .. -rw-r--r-- 1 root root 69 Aug 13 11:47 conf.n -rwxr-xr-x 1 root root 1135000 Aug 13 04:30 getty -rwxr-xr-x 1 root root 5 Aug 13 04:30 getty.lock root@matoue06:/usr/bin/bsd-port# |