Hacking Book | Free Online Hacking Learning


experience: remember the detection process after the linux server is invaded!

Posted by bassolino at 2020-03-29

0x00 Preface

The story goes like this: on the first day of the new year, a customer said their server could not be accessed. They checked the router and found that the UDP traffic from an Oracle + Tomcat server was very heavy and was saturating the bandwidth. Since it was New Year's Day, the customer first spent a few days with local technicians, who could not solve it; on the third day of the new year they came to us. The customer is God!

In fact, I had encountered this kind of attack before. At that time an IDC was paralyzed, but the Trojan (the "horse") was not on our equipment, so I did not pay much attention to it.

0x01 Finding the Trojan

First, log in over SSH and check the processes with top. A process with the strange name gejfhzthbp shows up, which looks like a problem.

Check the files associated with the process and find an outbound TCP connection. I do not know whether it is a reverse shell.

Execute the command:

View the file path and check the file creation time, which is consistent with the time of the intrusion.

I had thought it was done by foreigners, but this should prove that it was done by Chinese people.

0x02 Business recovery

First of all, kill the process. Naturally it is not that simple: the process comes back under another name.

Many processes were killed along the way. ps -ef | grep shows that the parent process is different every time; sometimes the associated process is sshd, sometimes pwd or ls. In the meantime a VNC connection was set up and the SSH service was stopped, which also had no effect. After several rounds of killing, the parent process turned out to have become PID 1. My skill is limited, and this is a production server, so I took the conservative approach and focused on the business.

Since the server had been compromised, the first thing is to turn off the firewall's SSH port mapping. The server still has to be used for now, so write some iptables rules:

Allow the machine to access itself.

Allow requests that this server initiates itself.

An IP whitelist of hosts that are allowed to initiate access to this server.

Deny all other external access.

At this point the business was back to normal.

0x03 Finding the cause

In fact, I realized at the start that SSH was the problem; I just had to help them recover the business first. On the web side, Tomcat is the only exposed service. All the usual web vulnerabilities were checked: there is no Struts 2, no manager page, and no other common web vulnerability, unless there is a 0day. Oracle is not reachable from outside; only SSH is.

Based on this, I went straight to the SSH log for the root account, and finally .

As shown in the figure above, an Indonesian IP logged in successfully, while the later logins from the intranet IP failed. After asking the customer, I understood what had happened. They had added equipment at the end of the year and temporarily set a weak password on the server to make debugging easier for various third-party technicians, and then presumably forgot to change it back. The tragic result was that the bad guys logged in, and with the root password changed they could not log in themselves... I don't know whether their boss knows.
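The check described above, reviewing the sshd log for root logins and separating intranet sources from outside ones, as an added example that is not part of the original post. The log lines, hostnames and IP addresses are constructed placeholders, and the intranet ranges are an assumption.

```python
import ipaddress
import re

# Constructed sample of /var/log/secure (sshd) lines; IPs are placeholders, not from the post.
SAMPLE_LOG = """\
Jan  1 02:13:07 db01 sshd[2211]: Failed password for root from 114.125.0.10 port 51022 ssh2
Jan  1 02:13:11 db01 sshd[2211]: Failed password for root from 114.125.0.10 port 51022 ssh2
Jan  1 02:13:15 db01 sshd[2211]: Accepted password for root from 114.125.0.10 port 51022 ssh2
Jan  1 02:14:01 db01 sshd[2230]: Accepted password for root from 114.125.0.10 port 51040 ssh2
Jan  2 09:40:12 db01 sshd[3101]: Failed password for root from 192.168.1.20 port 40122 ssh2
Jan  2 09:40:20 db01 sshd[3101]: Failed password for root from 192.168.1.20 port 40122 ssh2
Jan  2 09:41:02 db01 sshd[3110]: Accepted publickey for ops from 192.168.1.15 port 40200 ssh2
"""

# Matches the standard sshd "Accepted/Failed <method> for <user> from <ip> port <n>" format.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Networks treated as the customer's intranet; an assumption for this example.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]


def parse_sshd_log(text):
    """Return a (result, method, user, ip) tuple for every sshd auth event in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["ip"]))
    return events


def is_trusted(ip):
    """True if the source address falls inside one of the intranet ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_root_logins(events):
    """Accepted root logins from outside the trusted networks, keyed by source IP,
    with how many failed root attempts from that IP preceded the first success."""
    failures, hits = {}, {}
    for result, method, user, ip in events:
        if user != "root":
            continue
        if result == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif not is_trusted(ip):
            entry = hits.setdefault(ip, {"method": method, "failures_before": failures.get(ip, 0), "accepted": 0})
            entry["accepted"] += 1
    return hits
```

On a real host, feed the contents of /var/log/secure (or /var/log/auth.log on Debian-based systems) into parse_sshd_log and review every entry suspicious_root_logins returns; a password login from outside the intranet after a run of failures is exactly the pattern found here.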

Continue by checking the history file to see what the intruder did.

The intruder's operations are basically all here. He executed many scripts; who knows how many things he did? I suggested that the customer reinstall the system.

0x04 Postscript

Mainly this is because I am not familiar with Linux operation and maintenance and do not know how to drive the Trojans out completely. Experts, please don't flame me.
