解析某管理员处理被入侵的服务器的.bash_history
这是一个大公司的管理员,但是一个不合格的管理员。
有一天我不小心又进去看了下,好奇管理员如何处理被入侵的服务器,就看了下管理员的.bash_history文件。
# Session 1: hand-editing the tsn_local web app in place (en -> ch copies of
# PHP files), fixing ownership, then moving a site tarball out of /tmp.
ls
cp unerrata_en.php unerrata_ch.php
cd ..
ls
cd yum/
ls
diff yum_en.php yum_ch.php
cd ..
ls
ls -ll
# A PHP file owned by the httpd user can be rewritten by anything running as
# apache (a webshell included). Presumably the app needs write access here --
# worth confirming; otherwise root:root with read-only perms is the safer default.
chown apache.apache common_ch.inc.php
cd ..
cd ..
cd /tmp
ls
# Stashes the dated site snapshot in $HOME instead of world-writable /tmp.
mv tsn_local_20100113.tgz ~
rm tsn_local -rf
exit
# Session 2: deleting backup copies (*_bak, *.bak) that were left inside the
# document root. Backups under /var/www/html are typically served by httpd
# as plain text, which leaks application source (config includes especially),
# so removing them is the right call.
cd /var/www/html/tsn_local
ls
rm controller_bak -rf
rm model -rf
cd include/
ls
rm setting.inc.php.bak function.inc.php.bak -f
cd config/
ls
# info.config.php.bak -- a readable config backup; exactly the kind of file
# that exposes DB credentials when left in the webroot.
rm info.config.php.bak
cd ../../..
ls
cd tsn_local
ls
cd template/
ls
rm js_bak lang_bak tpl_bak -rf
ls
rm css_bak -rf
ls
exit
# Session 3: restoring controllers/models of tsn_local from a tarball and from
# sibling copies (tsn_local_219, tsn_local_bk_weizhan). The starting cwd is
# not visible in this history.
cp controller/ ../tsn_local/controller_bak -r
cd ../tsn_local
ls
ls
cd controller
ls
cp AccessControl.act.php AccessControl.php ../controller_bak/
cp Channel.act.php Channel.php Downiso.act.php Downiso.php Download.act.php Download.php Errata.act.php Errata.php FalsePackages.php Feed.php Rpmlist.act.php Rpmlist.php Unerrata.act.php Unerrata.php ../controller_bak/
# Not a command: the "y" answer to cp's overwrite prompt (cp is presumably
# aliased to cp -i) was recorded as its own history entry.
y
ls
cd ..
# Swap: the freshly built controller_bak becomes the live controller dir.
mv controller controller_bb
mv controller_bak/ controller
vi template/tpl/index_login.tpl
cp ../tsn_local_219/template/tpl/index_login.tpl template/tpl/
vi template/tpl/left.tpl
cp ../tsn_local_219/template/tpl/left.tpl template/tpl/left.tpl
# Stray keystrokes (looks like a vi command typed at the shell prompt).
ciiiiiiiii
ls
mv tsn_local tsn_local_bak
ls
mv tsn_local_bk_weizhan tsn_local
ls
mv tsn_local tsn_local_bk_weizhan
# tsn_local_bk_weizhan is a directory (it was just renamed from tsn_local),
# so this cp without -r fails ("omitting directory"); the next line redoes it.
cp tsn_local_bk_weizhan tsn_local_
cp tsn_local_bk_weizhan tsn_local -rf
ls
cd tsn_local
ls
ls
cp ~/tsn_local_20100113.tgz /tmp/
# Extracting the restore source into world-writable /tmp: if an attacker had
# pre-created /tmp/tsn_local (or swaps files in while this runs), the copies
# below would carry attacker-controlled files into the webroot. A root-owned
# directory or mktemp -d would be safer.
tar zxvf /tmp/tsn_local_20100113.tgz -C /tmp/
ls
ls
cd controller/
ls
# Only the first argument carries the /tmp/ prefix; every other name is
# resolved relative to the cwd, so cp tries to copy the live files onto
# themselves ("are the same file"). Repeated three times, then redone
# correctly from /tmp/tsn_local/controller a few lines down.
cp /tmp/tsn_local/controller/AccessControl.act.php AccessControl.php Channel.act.php Channel.php Downiso.act.php Downiso.php Download.act.php Download.php Errata.php Errata.act.php FalsePackages.php Feed.php Unerrata.act.php Unerrata.php ./
cp /tmp/tsn_local/controller/AccessControl.act.php AccessControl.php Channel.act.php Channel.php Downiso.act.php Downiso.php Download.act.php Download.php Errata.php Errata.act.php FalsePackages.php Feed.php Unerrata.act.php Unerrata.php ./.
cp /tmp/tsn_local/controller/AccessControl.act.php AccessControl.php Channel.act.php Channel.php Downiso.act.php Downiso.php Download.act.php Download.php Errata.php Errata.act.php FalsePackages.php Feed.php Unerrata.act.php Unerrata.php ./
y
cd /tmp/tsn_local/controller/
cp AccessControl.act.php AccessControl.php Channel.act.php Channel.php Downiso.act.php Downiso.php Download.act.php Download.php Errata.php Errata.act.php FalsePackages.php Feed.php Unerrata.act.php Unerrata.php /var/www/html/tsn_local/controller/.
cd ../model/
ls
cp AccessControl.php Channel.php Downiso.php Download.php Errata.php FalsePackages.php Feed.php /var/www/html/tsn_local/model/.
cd /var/www/html/tsn_local_bak
ls
mv controller controller_bak
mv model model_bak_new
ls
# Reviewing his own rm history. The curly quotes here (and elsewhere in this
# listing) are the blog's typography; the original was presumably 'rm'.
history |grep ‘rm’
ls
mv controller_bb controller
cp /tmp/tsn_local/model/ . -r
ls
cd ..
ls
# The live site is wiped and replaced wholesale by tsn_local_bak.
rm tsn_local -rf
mv tsn_local_bak/ tsn_local
cd tsn_local
ls
cd model
vi Errata.php
vi Errata.php
cd ..
ls
rm controller_bak -rf
rm model_bak -rf
ls
cd /var/www/html/tsn_local/template/
ls
cd lang/
ls
locale
vim accessControl/accessControl_ch.php
grep -ri ‘channel’ *
grep -ri ‘channel’ accessControl
vim accessControl/accessControl_ch.php
vim errata/errata_ch.php
vim channel/channel_ch.php
vim downiso/downiso_ch.php
vim falsePackages/falsePackages_ch.php
vim falsePackages/falsePackages_ch.php
vim unerrata/unerrata_ch.php
vim errata/errata_ch.php
exit
# Session 4: a quick look at who is logged in and the login history, then
# dropping replacement language files into the template tree.
# NOTE: `last` reads wtmp; on a box where root was already compromised that
# log can have been edited, so its output is a hint, not evidence.
who
last
clear
cd /var/www/html/tsn_local/template/lang/
ls
mv /home/SomeName/tsn/accessControl_ch.php accessControl/
mv /home/SomeName/tsn/channel_ch.php channel/
mv /home/SomeName/tsn/downiso_ch.php downiso/
mv /home/SomeName/tsn/errata_ch.php errata/
mv /home/SomeName/tsn/falsePackages_ch.php falsePackages/
mv /home/SomeName/tsn/unerrata_ch.php unerrata/
ll
# Recursive chown to the httpd user: every file here becomes writable by the
# web server process, i.e. by any webshell that runs as apache. Read-only for
# apache (owned by a deploy user) is the least-privilege default unless the
# app really writes into this tree.
chown -R apache:apache *
ll
clear
exit
# Session 5: rotating the root password. Sensible after a compromise (the
# shadow file must be assumed leaked), but only effective once the backdoored
# sshd and other persistence are gone -- otherwise the new password is
# captured just like the old one.
passwd root
exit
exit
# Session 6: generating random passwords with mkpasswd, then setting one
# for the SomeName2 account.
mkpasswd
mkpasswd
mkpasswd
passwd SomeName2
exit
# Session 7: hunting for a suspicious process/binary named "apacher" (one
# letter off "apache", presumably spotted in ps/top), then inspecting and
# killing PIDs via /proc.
passwd SomeName2
cd /var/www/html/
ls
l
ll
clear
mkpasswd
ls /usr/sbin/apacher
# locate only knows what updatedb indexed; a freshly dropped file needs find.
updatedb
locate apacher
ps aux|grep apacher
locate -i ‘apacher’
top
find / -name ‘apacher’
find / -name ‘apacher’ | more
# Checking whether find itself is trojaned -- the right instinct on a box
# suspected of carrying a rootkit. `file`/`ls -l` alone cannot prove it
# clean, though: `rpm -V findutils` (and coreutils for who/ps) or tools run
# from known-good media are the stronger check.
file /usr/bin/find
ps aux|grep find
find / -name ‘*apacher*’ | more
ll /usr/bin/find
which find
who
ps aux|grep apacher
find / -name ‘fstab’
ls
cd /var/log
ls
who
# Same check on who.
file /usr/bin/who
clear
ls
uname -a
find / -name ‘fstab’
cd /var/www/html/ppd/
vim software_detail.php
find / -name ‘fstab’
# Inspecting PID 1001 through /proc.
ls /proc/1001/
more /proc/1001/loginuid
more /proc/1001/status
vim /etc/passwd
find
find / -name ‘fstab’
more /proc/1112/task/
ls /proc/1112/task/
more /proc/1001/status
# PID 1295 is the suspect. cwd, exe and root are symlinks: `more` follows
# them and dumps the binary (or fails on a directory); `ls -l /proc/1295/exe`
# would show the real path, including "(deleted)" if the file was unlinked.
more /proc/1295/status
more /proc/1295/stat
more /proc/1295/cwd
more /proc/1295/cwd
more /proc/1295/cmdline
more /proc/1295/exe
more /proc/1295/environ
more /proc/1295/auxv
more /proc/1295/root
ps aux|grep httpd
more /proc/1145/status
more /proc/1295/status
# SIGKILL with no copy of /proc/1295/exe (or maps/environ) taken first -- the
# sample is lost with the process. `cp /proc/1295/exe /root/evidence/` before
# the kill would have preserved it for analysis.
kill -9 1295
more /proc/1295/status
ls /proc
ps aux|grep 23153
more /proc/23153/status
top
ps aux|grep 23153
ps aux
# Restarting httpd and re-checking whether the suspect PIDs come back.
service httpd status
service httpd stop
ps aux
service httpd start
ps aux
ps aux
ps aux
more /proc/23153/status
more /proc/1295/status
clear
top
clear
who
clear
ls
ps aux
clear
clear
ls
cd ..
ls
exit
# Session 8: running chkrootkit, then tracing an sshd backdoor tarball
# (sshbd.tgz) to a hidden directory under /tmp.
# The cwd for this ./chkrootkit call is not visible; the build dir shown
# below is /home/SomeName/build/chkrootkit-0.49.
./chkrootkit
ls
cd /tmp
ls
ls -al
# A hidden file/dir /tmp/.st.
ls .st
file .st
which apache
cd /home/SomeName/build/chkrootkit-0.49/
# chkproc compares /proc with ps output to spot hidden processes; the PIDs
# looked at next are presumably the ones it flagged.
./chkproc -v
more /proc/15480/status
more /proc/154
./chkproc -v
more /proc/1062/cmdline
# Checking the sshd binary itself (size/date/owner) for tampering.
ls -al /usr/sbin/sshd
cd /var/www/html
find ./ -name ‘sshbd.tgz’
cd ..
cd ..
find ./ -name ‘sshbd.tgz’
cd /home
find ./ -name ‘sshbd.tgz’
cd /
find ./ -name ‘sshbd.tgz’
ls
# Found: the backdoor lives in "/tmp/ /" -- a directory whose name is a
# single space, a common trick to hide from a casual `ls`.
ls /tmp/\ /openssh
cd /tmp/\ /openssh
ls
more TODO
ls
ll
ls
# Persistence check -- but `crontab -l` only lists the current user's
# crontab. /etc/crontab, /etc/cron.d/*, /var/spool/cron/* for every user and
# /etc/rc.local (looked at in a later session) also need checking.
crontab -l
atq
ls
cd ..
ls
# A binary named ksh dropped in the hidden directory.
file ksh
ll
who
last
clear
cd /var/log
ls
# /var/log/sa is the sysstat data directory, not an intruder artifact.
file sa
ls sa
df -h
exit
# Session 9: reinstalling openssh over the trojaned sshd, tightening sshd
# config, then sweeping /tmp, /var/tmp and the webroot for dropped files.
cd /home/SomeName/
ls
# The en-dash is blog typography for `--force`. This reinstalls the openssh
# RPMs found in $HOME; where those RPMs came from is not shown. Before
# trusting them: `rpm -K openssh*` (signature), and afterwards
# `rpm -V openssh-server` to confirm the installed files match the package.
rpm –force -ivh openssh*
service sshd restart
file /usr/sbin/sshd
ll /usr/sbin/sshd
clear
cd /tmp
ls
# Filtering out PHP session files (sess_*) to see what else is in /tmp.
ls -al | grep -v ‘sess’
file RCS/
cd RCS/
ls
# "move" is a typo for more; corrected on the next line.
move test,v
more test,v
clear
# sshd hardening: a new sysadmin group, SomeName added to it -- presumably
# referenced by an AllowGroups line in the edited sshd_config (the edit
# itself is not visible here).
vim /etc/ssh/sshd_config
groupadd sysadmin
usermod -a -G sysadmin SomeName
service sshd restart
more /etc/rc.local
clear
more /etc/rc.local
passwd SomeName
vim /etc/php.ini
service httpd restart
cd ..
ls
ls -d
file test
more test
ls
ls | grep -v ‘sess’
# Dropped files in /tmp are inspected and then deleted. Nothing is copied off
# first, so the evidence is gone; `rm .s*` is also a glob that removes every
# dotfile starting with "s", not only the one that was looked at.
file angel_bc
more angel_bc
rm angel_bc
clear
ls
ls -al
rm .s*
rm .tmp_bc
ls -al
file back
more back
rm back
cd /var/tmp/
ls
ls -al
ls -alR
cd /home/SomeName/
ls -alR
cd /var/www/html/
# Recently-modified-file sweep keyed on mtime. mtime is reset with a single
# `touch`; -ctime (or -newerct) is much harder for an intruder to forge and
# should be used alongside it.
find ./ -mtime -7
file tmp_packages
cd tmp_packages/
ls
ls 697685/
ls 697685/AX3.0-x86/
ls
cd
cd /
find ./ -mtime -7
clear
ls
find ./ -mtime -7 > /home/SomeName/modify
cd /home/SomeName/modify
cd /home/SomeName/
vim modify
vim /etc/php.ini
service httpd restart
cd /var/www/html/
# Files literally named ".php" under icons/, error/ and cgi-bin/ -- these
# directories are typically exposed through httpd Alias/ScriptAlias, so a
# dropped script there is reachable. Deleted without being preserved.
find ./ -name ‘.php’
cd ..
find ./ -name ‘.php’
rm icons/.php
rm error/.php
rm cgi-bin/.php
du -h
du -h /var/lib
du -h /var/lib/mysql
ll /usr/sbin/php
find / -mtime -1
find / -mtime -1 | more
cd /
ls
cd tmp
ls
ls -al |more
cd /var/www/html/
# Keyword hunt for webshells: matches only scripts that contain the literal
# string "exec" (and plenty of legitimate code). -r is redundant when -exec
# hands grep one file at a time.
find ./ -name ‘*php*’ -exec grep -r ‘exec’ {} \;
find ./ -name ‘*php*’ -exec grep -H -r ‘exec’ {} \;
clear
ls
du -h /var/www
# Snapshot of the webroot -- taken after the deletions above, so it no longer
# holds the artifacts. For forensics the copy should come first.
cp -R /var/www /home/SomeName/
clear
who
exit
# Session 10: app edits under /data/html/ppd, a second round of password
# resets, and a delayed sshd restart.
cd /data/html/ppd/product_user
chown SomeName:SomeName index.php
cd
cat .vimrc
vim /data/html/ppd/product_user/login_failed_user.php
vim /data/html/ppd/product_user/login_failed_user.php
clear
# Only these accounts (plus SomeName earlier) get new passwords; after a root
# compromise every account's credential should be treated as leaked.
passwd fengxu
passwd SomeName2
passwd root
clear
locate rxkeygen
updatedb
locate rxkeygen
cd /var/www/html/ppd/admin/ihv
vim h_edit_post_new.php
clear
# Restart sshd ~17 minutes later -- presumably a safety net so a bad
# sshd_config edit does not cut the current session off immediately.
sleep 1000 && service sshd restart
exit
# Session 11: php.ini/httpd, removal of the hidden "/tmp/ /" directory, sshd
# follow-up checks, a phpspy keyword hunt with the network down, and network
# interface reconfiguration.
cd /etc/
vim php.ini
service httpd restart
clear
clear
ll
cd /var/www/
find ./ -name ‘.php’
cd /tmp
ls -alR
ls -alR | more
file /usr/sbin/sshd
ll /usr/sbin/sshd
cd /tmp
ps aux|grep sshd
# Enters the directory named " " (single space) under /tmp.
cd \ /
ls
file ksh
rm ksh
rm sshbd.tgz
cd openssh/
ll
more TODO
cd ..
ls
cd ..
# This is `rm -rf ' /'` -- the space-named directory. One dropped backslash
# turns it into `rm -rf /`. Safer: `rm -rf -- '/tmp/ '` with the full path,
# or archive it first (`tar czf /root/evidence/tmp-space.tgz -C /tmp ' '`)
# since this deletes the backdoor sample as well.
rm -rf \ /
# A trailing backslash as recorded; how the shell actually parsed this
# (line continuation vs. a literal) is not recoverable from the history.
cd \
cd /home/SomeName/
cd /var/t
cd /var/tmp/
ls
ls -alR
cd ..
updatedb
locate sshd
# /var/empty/sshd is sshd's privilege-separation chroot; checking it and the
# PAM stack for sshd is the right place to look for a tampered login path.
cd /var/empty/
ll sshd/
cd sshd/
ll
cd ..
ll
locate sshd | more
ll /etc/pam.d/sshd
more /etc/pam.d/sshd
clear
cd /var/www/
ls
find ./ -mtime -7
find ./ -mtime +7
find ./ -mtime +7 | more
cd icons/
ls
ls -alR | more
cd ..
# Taking the box offline before grepping the webroot -- good containment,
# though it comes many sessions after the compromise was first worked on.
service network stop
find ./ -name ‘*php’ -exec grep -H ‘exec’ {} \;
find ./ -name ‘*php’ -exec grep -H ‘exec’ {} \; > /home/SomeName/list
vim /home/SomeName/list
# Signature hunt for the phpspy family ("angel"/"4ngel"); catches only shells
# that keep that string. Note the mismatched quote on the 4ngel line is blog
# typography.
find ./ -name ‘*php’ -exec grep -H ‘ngel’ {} \;
find ./ -name ‘*php’ -exec grep -H ’4ngel’ {} \;
find ./ -name ‘*php’ -exec grep -H ‘angel’ {} \;
find ./ -name ‘*php’ -exec grep -H ‘angel’ {} \; | more
clear
cd html/ppd
ls
ls sx
ls -alR sx
ls -alR
clear
ls
# Network reconfiguration: eth1 is cloned from eth0 and brought up/down
# repeatedly while pinging. The 111.x.x.222 addresses look like sanitized
# placeholders in the published listing.
cd /etc/sysconfig/network-scripts/
ls
vim ifcfg-eth0
cp ifcfg-eth0 ifcfg-eth1
vim ifcfg-eth1
ping 111.101.111.222
service network restart
ping 111.101.111.222
ping 111.131.111.222
ping -I eth0 111.222.111.222
ping -I eth1 111.222.111.222
ifdown eth1
ping -I eth0 111.222.111.222
ifdown eth0
ifup eth0
ping -I eth0 111.222.111.222
ifup eth1
ping -I eth0 111.222.111.222
ping -I eth1 111.222.111.222
setup
ifdown eth1
ping -I eth0 111.222.111.222
ping -I eth1 111.222.111.222
ping -I eth0 111.222.111.222
vim ifcfg-eth1
service network restart
ping -I eth0 111.222.111.222
ping -I eth0 111.222.111.222
exit
管理员清了后门(也没清理干净),却没有修复被利用的漏洞,真是让人吐血。服务器被入侵后,shadow文件就应该视为已经泄露,所有账号的密码都该重置;但从history看管理员只给root、SomeName、SomeName2、fengxu改了密码,其余账号没动,再次吐血。好在管理员重新装了ssh(rpm --force -ivh openssh*),并且通过改sshd_config、新建sysadmin组的方式限制了能登录的用户;文中说的修改默认端口应该也是在那次vim sshd_config里改的,history里看不到具体内容。
看管理员如何查找后门:只用find -mtime -7(以及-mtime -1)查最近被修改的文件,所以webshell、后门、工具的时间戳(mtime)一定要改掉。反过来对防守方来说,不能只看mtime——一条touch就能伪造,应该结合ctime(-ctime/-newerct)来查,ctime不能被普通的touch改掉。
查找webshell貌似只是按默认phpspy的特征(‘angel’/‘4ngel’)和带有‘exec’关键字的文件进行查找,这样根本不可能找到所有的webshell。对入侵者来说,留一个隐蔽的webshell其实可以不用那些带有各种关键字的乱七八糟的webshell,也不用留一句话,可以留一个隐蔽的漏洞,甚至根本不改变web目录里的任何文件。
貌似检查了rootkit(chkrootkit)和sshd后门。嗯,有时候留一个隐蔽的webshell后门以及本地后门也是必须的,后门不能只有一种,留的方式也不能一样,甚至可以丢几个稍微明显点的故意让管理员发现,以满足管理员的成就感。
别的就是最小化日志了。