一次入侵秀的详细分析
合集下载
相关主题
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
2004-9-21 16:48 in.telnetd[1320]: connect from 210.X.X.X
注意到没有,这些端口连接的源地址不是发送ICMP Echo 的202.X.X.X,而是
210.X.X.X这个地址。很显然,我的朋友使用了TCP/UDP协议的代理跳板,而
ICMP 协议不被该跳板支持,所以他的真实IP 地址也暴露了。:P
日志、历史命令,以及Snort 录下的会话过程。当然,为了节约篇幅和保护隐
私作了部分裁减。希望读者从各自的角度都能有所收获。
2.扫描
一个周六的下午,Snort 报警提示有来自202.X.X.X 的SuperScan 扫描,发送
了一个ICMP Echo 的数据包测试系统是否存活:
2004-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X -> 10.0.0.1
3.本地越权尝试
用我的诱饵账号tom轻松登入,一次成功,就像进自己家一样:
2004-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
2004-9-21 16:52 PAM_pwdb[1321]: (login) session opened for user tom by(uid=0)
| Linux kernel 2.2.X (X<=15) & sendmail <= 8.10.1 |
| local root exploit |
| |
| Bugs found and exploit wr#tten by Wojciech Purczynski |
| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet |
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd ftp
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
建立一个普通用户账号,密码同用户名,在控制台上用该账号登录,让他一直
发呆,同时确认系统开放着finger 服务。比较怀旧的入侵者对finger还是情有
独钟的,企图finger出一大堆用户名,然后简单猜测密码进入系统,期望能够
与后生可畏的Script Kids 们划清界限。
没想到我的朋友记忆力特别好,事隔一个月,在我没发请柬的情况下,轻车熟
路的找到honeypot,然后用那个普通账号登录了进去。
明明知道这是个蜜罐系统,所有行为都被监控和记录,还要企图本地拿root、
安装后门、作为肉鸡攻击其他机器,不就是在舞台上表演请观众们欣赏么?这
就是入侵秀一词的由来。
下面就让我们一起来观摩这场表演,素材主要来源于日志服务器收集到的系统
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd .font-unix
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd home
2004-9-21 16:48 rshd[1318]: Connection from 210.X.X.X on illegal port
2004-9-21 16:48 telnetd[1313]: ttloop: peer died: EOF
2004-9-21 16:48 inetd[413]: pid 1316: exit status 1
同时,系统日志记录了后续进行的端口探测活动:
Sinbad Technical Publications Page 2
2004-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2004-9-21 16:48 inetd[413]: pid 1318: exit status 1
2004-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2004-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd foo
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls -al
Sinbad Technical Publications Page 4
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 令输入的每个字符都出现了
两遍,这是终端的回显功能,Snort是忠实的作了双向记录:
[tom@abc tom]$ ..//11..sshh
+-----------------------------------------------------------+
No such file or directory
Waiting for suid shell (/tmp/sush)
[tom@abc tom]$ llss
第一次尝试失败,删除1.sh,同时留下“XXXX到此一游”的签名。也好,知
道是你干的了J
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 rm -rf 1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 echo haha shi wo XXXX > haha.txt
我的朋友开始闲逛了,好像没什么收获:
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd /tmp
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 ./1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 3
输入./1.sh 执行后的结果呢?我们通过检查Snort 的SESSION录像后发现,系
2004-9-21 17:01 -bash: HISTORY: PID=1322 UID=500 ps -ef
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:48 inetd[413]: pid 1313: exit status 1
2004-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2004-9-21 16:48 in.fingerd[1319]: connect from 210.X.X.X
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 pwd
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
用cat 重定向加粘贴方式传送一段本地越权脚本到系统内,请注意时间差,他
的翻箱倒柜花了4 分钟:
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 w
+-----------------------------------------------------------+
Creating temporary directory
Creating anti-noexec library (capdrop.c)
Compiling anti-noexec library (capdrop.so)
近邮件列表中还有过这种讨论,有个家伙说他朋友在某黑客IRC 中公布了
honeypot 的IP 地址,结果一帮罗马利亚黑客入侵后发现是一个蜜罐系统,所
有动作都被完整记录,于是愤怒了,采用分布式拒绝服务方式疯狂报复,导致
临近网络瘫痪一个月之久。
所以,在引诱入侵者的时候要讲究技巧。上个月我曾和一个朋友聊起我的方法:
[转载]一次入侵秀的详细分析
信息来源:
Sinbad Technical Publications Page 1
1.起因
本文聚焦于我的Linux Honeypot,她在网络中散发着阵阵蜜香,引诱蠕虫和各
路客们的光临。为了让honeypot 更加attractive,都要采取一些处理方式。最
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cd tom
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cat > 1.sh
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 chmod 755 1.sh
Creating suid shell (sush.c)
Compiling suid shell (sush.c)
Creating shell script
Creating own sm.cf
Dropping CAP_SETUID and calling sendmail
/bin/true: error in loading shared libraries: /tmp/foo/capdrop.so: cannot open shared object file:
注意到没有,这些端口连接的源地址不是发送ICMP Echo 的202.X.X.X,而是
210.X.X.X这个地址。很显然,我的朋友使用了TCP/UDP协议的代理跳板,而
ICMP 协议不被该跳板支持,所以他的真实IP 地址也暴露了。:P
日志、历史命令,以及Snort 录下的会话过程。当然,为了节约篇幅和保护隐
私作了部分裁减。希望读者从各自的角度都能有所收获。
2.扫描
一个周六的下午,Snort 报警提示有来自202.X.X.X 的SuperScan 扫描,发送
了一个ICMP Echo 的数据包测试系统是否存活:
2004-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X -> 10.0.0.1
3.本地越权尝试
用我的诱饵账号tom轻松登入,一次成功,就像进自己家一样:
2004-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
2004-9-21 16:52 PAM_pwdb[1321]: (login) session opened for user tom by(uid=0)
| Linux kernel 2.2.X (X<=15) & sendmail <= 8.10.1 |
| local root exploit |
| |
| Bugs found and exploit wr#tten by Wojciech Purczynski |
| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet |
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd ftp
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
建立一个普通用户账号,密码同用户名,在控制台上用该账号登录,让他一直
发呆,同时确认系统开放着finger 服务。比较怀旧的入侵者对finger还是情有
独钟的,企图finger出一大堆用户名,然后简单猜测密码进入系统,期望能够
与后生可畏的Script Kids 们划清界限。
没想到我的朋友记忆力特别好,事隔一个月,在我没发请柬的情况下,轻车熟
路的找到honeypot,然后用那个普通账号登录了进去。
明明知道这是个蜜罐系统,所有行为都被监控和记录,还要企图本地拿root、
安装后门、作为肉鸡攻击其他机器,不就是在舞台上表演请观众们欣赏么?这
就是入侵秀一词的由来。
下面就让我们一起来观摩这场表演,素材主要来源于日志服务器收集到的系统
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd .font-unix
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd home
2004-9-21 16:48 rshd[1318]: Connection from 210.X.X.X on illegal port
2004-9-21 16:48 telnetd[1313]: ttloop: peer died: EOF
2004-9-21 16:48 inetd[413]: pid 1316: exit status 1
同时,系统日志记录了后续进行的端口探测活动:
Sinbad Technical Publications Page 2
2004-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2004-9-21 16:48 inetd[413]: pid 1318: exit status 1
2004-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2004-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2004-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd foo
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls -al
Sinbad Technical Publications Page 4
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 令输入的每个字符都出现了
两遍,这是终端的回显功能,Snort是忠实的作了双向记录:
[tom@abc tom]$ ..//11..sshh
+-----------------------------------------------------------+
No such file or directory
Waiting for suid shell (/tmp/sush)
[tom@abc tom]$ llss
第一次尝试失败,删除1.sh,同时留下“XXXX到此一游”的签名。也好,知
道是你干的了J
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 rm -rf 1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 echo haha shi wo XXXX > haha.txt
我的朋友开始闲逛了,好像没什么收获:
2004-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd /tmp
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 ./1.sh
2004-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 ls
Sinbad Technical Publications Page 3
输入./1.sh 执行后的结果呢?我们通过检查Snort 的SESSION录像后发现,系
2004-9-21 17:01 -bash: HISTORY: PID=1322 UID=500 ps -ef
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2004-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:48 inetd[413]: pid 1313: exit status 1
2004-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2004-9-21 16:48 in.fingerd[1319]: connect from 210.X.X.X
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 pwd
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 cd ..
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
用cat 重定向加粘贴方式传送一段本地越权脚本到系统内,请注意时间差,他
的翻箱倒柜花了4 分钟:
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 w
+-----------------------------------------------------------+
Creating temporary directory
Creating anti-noexec library (capdrop.c)
Compiling anti-noexec library (capdrop.so)
近邮件列表中还有过这种讨论,有个家伙说他朋友在某黑客IRC 中公布了
honeypot 的IP 地址,结果一帮罗马利亚黑客入侵后发现是一个蜜罐系统,所
有动作都被完整记录,于是愤怒了,采用分布式拒绝服务方式疯狂报复,导致
临近网络瘫痪一个月之久。
所以,在引诱入侵者的时候要讲究技巧。上个月我曾和一个朋友聊起我的方法:
[转载]一次入侵秀的详细分析
信息来源:
Sinbad Technical Publications Page 1
1.起因
本文聚焦于我的Linux Honeypot,她在网络中散发着阵阵蜜香,引诱蠕虫和各
路客们的光临。为了让honeypot 更加attractive,都要采取一些处理方式。最
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cd tom
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cat > 1.sh
2004-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 chmod 755 1.sh
Creating suid shell (sush.c)
Compiling suid shell (sush.c)
Creating shell script
Creating own sm.cf
Dropping CAP_SETUID and calling sendmail
/bin/true: error in loading shared libraries: /tmp/foo/capdrop.so: cannot open shared object file: