【Title】: Intrusion analysis of a Linux system, part 3
【Keywords】: system, in, Linux, intrusion, Linux
【Source】: the web

Intrusion analysis of a Linux system, part 3

From root Mon Jan 21 20:01:02 2002
Return-Path:


Received: (from root@localhost)
by dnscache.i-168.com (8.9.3/8.9.3) id UAA29460
for root; Mon, 21 Jan 2002 20:01:01 +0800
Date: Mon, 21 Jan 2002 20:01:01 +0800
From: root
Message-Id: <200201211201.UAA29460@dnscache.i-168.com>
To: root@dnscache.i-168.com
Subject: dnscache.i-168.com 01/21/02:20.01 system check


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 21 19:01:54 dnscache sshd[23334]: fatal: Read error from remote host: Connection reset by peer
Jan 21 19:13:33 dnscache sshd[23975]: log: Connection from 80.96.178.194 port 2406
Jan 21 19:13:33 dnscache sshd[23975]: log: Could not reverse map address 80.96.178.194.
Jan 21 19:13:44 dnscache sshd[23975]: log: Password authentication for operator accepted.
Jan 21 19:17:41 dnscache sshd[270]: log: Generating new 768 bit RSA key.
A new machine is coming in. FT, not a good sign.

Reboot
From root Mon Jan 21 23:01:00 2002
Return-Path:
Received: (from root@localhost)
by dnscache.i-168.com (8.9.3/8.9.3) id XAA00309
for root; Mon, 21 Jan 2002 23:01:00 +0800
Date: Mon, 21 Jan 2002 23:01:00 +0800
From: root
Message-Id: <200201211501.XAA00309@dnscache.i-168.com>
To: root@dnscache.i-168.com
Subject: dnscache.i-168.com 01/21/02:23.01 system check

Feb 2 07:28:18 dnscache sshd[1991]: log: Connection from 24.112.92.135 port 3854
Feb 2 07:28:21 dnscache sshd[1992]: log: Connection from 24.112.92.135 port 3855
Feb 2 07:28:30 dnscache sshd[1992]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:31 dnscache sshd[1993]: log: Connection from 24.112.92.135 port 3856
Feb 2 07:28:34 dnscache sshd[1993]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:34 dnscache sshd[1994]: log: Connection from 24.112.92.135 port 3857
Feb 2 07:28:39 dnscache sshd[1994]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:40 dnscache sshd[1995]: log: Connection from 24.112.92.135 port 3858
Feb 2 07:28:44 dnscache sshd[1995]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:46 dnscache sshd[1996]: log: Connection from 24.112.92.135 port 3859
Feb 2 07:28:49 dnscache sshd[1996]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:49 dnscache sshd[1997]: log: Connection from 24.112.92.135 port 3860
Feb 2 07:28:54 dnscache sshd[1997]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:55 dnscache sshd[1998]: log: Connection from 24.112.92.135 port 3861
Feb 2 07:28:59 dnscache sshd[1998]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:59 dnscache sshd[1999]: log: Connection from 24.112.92.135 port 3862
Feb 2 07:29:05 dnscache sshd[1999]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:29:06 dnscache sshd[2000]: log: Connection from 24.112.92.135 port 3863
Feb 2 07:29:09 dnscache sshd[2000]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:29:10 dnscache sshd[2001]: log: Connection from 24.112.92.135 port 3864
Feb 2 07:29:15 dnscache sshd[2001]: fatal: Local: crc32 compensation attack: network attack detected
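The two mails above scatter one story across PIDs: a password login for "operator" from an address with no reverse DNS on Jan 21, then ten sessions from 24.112.92.135 on Feb 2 that each end in the SSH1 "crc32 compensation attack" fatal within a few seconds. A defender wants those events keyed by source address, not by process. The script below is an added example (written for this page, not part of the article or of any sshd tooling): it joins each PID's "Connection from" line to the later messages for that PID, counts the crc32 fatals per source IP, and records accepted password logins together with whether the reverse lookup failed. SAMPLE_LOG is constructed in the same format as the quoted lines; the threshold in alerts() is an arbitrary triage value.

```python
import re
from collections import Counter

# Constructed sample in the same format as the sshd messages quoted above
# (addresses and PIDs taken from the report's own log excerpts).
SAMPLE_LOG = """\
Jan 21 19:13:33 dnscache sshd[23975]: log: Connection from 80.96.178.194 port 2406
Jan 21 19:13:33 dnscache sshd[23975]: log: Could not reverse map address 80.96.178.194.
Jan 21 19:13:44 dnscache sshd[23975]: log: Password authentication for operator accepted.
Feb 2 07:28:18 dnscache sshd[1991]: log: Connection from 24.112.92.135 port 3854
Feb 2 07:28:21 dnscache sshd[1992]: log: Connection from 24.112.92.135 port 3855
Feb 2 07:28:30 dnscache sshd[1992]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:31 dnscache sshd[1993]: log: Connection from 24.112.92.135 port 3856
Feb 2 07:28:34 dnscache sshd[1993]: fatal: Local: crc32 compensation attack: network attack detected
Feb 2 07:28:40 dnscache sshd[1995]: log: Connection from 24.112.92.135 port 3858
Feb 2 07:28:44 dnscache sshd[1995]: fatal: Local: crc32 compensation attack: network attack detected
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^log: Connection from (?P<ip>[\d.]+) port (?P<port>\d+)$")
NOREV_RE = re.compile(r"^log: Could not reverse map address (?P<ip>[\d.]+)\.$")
AUTH_RE = re.compile(r"^log: Password authentication for (?P<user>\S+) accepted\.$")
CRC32_MARK = "crc32 compensation attack"


def parse_sshd_line(line):
    """Split one syslog line into ts/host/pid/msg, or None if it is not sshd."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_sshd_log(text):
    """Correlate sshd messages by PID so every event is tied to a source IP.

    Returns a dict with:
      crc32_attacks   Counter: source IP -> number of crc32 fatals for its sessions
      accepted_logins list of (timestamp, user, ip, reverse_map_failed)
      unattributed    events whose PID never logged a "Connection from" line
    """
    session_ip = {}      # pid -> source IP, set by the "Connection from" line
    no_reverse = set()   # pids whose address could not be reverse mapped
    attacks = Counter()
    logins = []
    unattributed = 0
    for line in text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        pid, msg = ev["pid"], ev["msg"]
        m = CONN_RE.match(msg)
        if m:
            session_ip[pid] = m.group("ip")
            continue
        ip = session_ip.get(pid)
        if ip is None:
            unattributed += 1
            continue
        if NOREV_RE.match(msg):
            no_reverse.add(pid)
        elif CRC32_MARK in msg:
            attacks[ip] += 1
        else:
            m = AUTH_RE.match(msg)
            if m:
                logins.append((ev["ts"], m.group("user"), ip, pid in no_reverse))
    return {"crc32_attacks": attacks, "accepted_logins": logins, "unattributed": unattributed}


def alerts(report, burst_threshold=3):
    """Turn the correlated report into one alert string per finding."""
    out = []
    for ip, n in report["crc32_attacks"].most_common():
        level = "HIGH" if n >= burst_threshold else "MEDIUM"
        out.append(f"{level}: {n} crc32 compensation attack fatals from {ip}")
    for ts, user, ip, norev in report["accepted_logins"]:
        note = " (no reverse DNS)" if norev else ""
        out.append(f"INFO: {ts} password login for {user} from {ip}{note}")
    return out


if __name__ == "__main__":
    for a in alerts(analyze_sshd_log(SAMPLE_LOG)):
        print(a)
```

Feed it the real file with `analyze_sshd_log(open("/var/log/messages").read())`. The point of keying on PID is that sshd logs the address once per session; a detector that only greps for the fatal string sees a count but no origin, and cannot tell a single noisy client from the burst of one-connection-per-attempt sessions shown above.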
From root Sat Feb 2 08:09:26 2002
Return-Path:
Received: from localhost (localhost)
by dnscache.i-168.com (8.9.3/8.9.3) with internal id IAA02520;
Sat, 2 Feb 2002 08:09:25 +0800
Date: Sat, 2 Feb 2002 08:09:25 +0800
From: Mail Delivery Subsystem
Message-Id: <200202020009.IAA02520@dnscache.i-168.com>
To: root@dnscache.i-168.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="IAA02520.1012608565/dnscache.i-168.com"
Subject: Returned mail: Service unavailable
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--IAA02520.1012608565/dnscache.i-168.com

The original message was received at Sat, 2 Feb 2002 08:09:22 +0800
from root@localhost

----- The following addresses had permanent fatal errors -----
ja_ja_j@yahoo.com

----- Transcript of session follows -----
... while talking to mx2.mail.yahoo.com.:
>>> DATA
<<< 554 delivery error: dd This user doesn't have a yahoo.com account (ja_ja_j@yahoo.com) - mta619.mail.yahoo.com
554 ja_ja_j@yahoo.com... Service unavailable
--IAA02520.1012608565/dnscache.i-168.com
Content-Type: message/delivery-status

Reporting-MTA: dns; dnscache.i-168.com
Arrival-Date: Sat, 2 Feb 2002 08:09:22 +0800

Final-Recipient: RFC822; ja_ja_j@yahoo.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; mx2.mail.yahoo.com
Diagnostic-Code: SMTP; 554 delivery error: dd This user doesn't have a yahoo.com account (ja_ja_j@yahoo.com) - mta619.mail.yahoo.com
Last-Attempt-Date: Sat, 2 Feb 2002 08:09:25 +0800

--IAA02520.1012608565/dnscache.i-168.com
Content-Type: message/rfc822

Return-Path:
Received: (from root@localhost)
by dnscache.i-168.com (8.9.3/8.9.3) id IAA02513
for ja_ja_j@yahoo.com; Sat, 2 Feb 2002 08:09:22 +0800
Date: Sat, 2 Feb 2002 08:09:22 +0800
From: root
Message-Id: <200202020009.IAA02513@dnscache.i-168.com>
To: ja_ja_j@yahoo.com
Subject: Linux dnscache.i-168.com 2.2.18-2 #1 Tue Feb 27 20:54:01 CST
2001 i686 unknown

Linux dnscache.i-168.com 2.2.18-2 #1 Tue Feb 27 20:54:01 CST 2001 i686 unknown
|------
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
wnn:x:127:127:Wnn:/usr/local/bin/Wnn6:
Where did this SHELL come from? Another backdoor, FT!
mysql:x:128:128:MySQL server:/var/lib/mysql:/bin/bash
bind:x:129:129::/etc/named:/dev/null
piranha:x:60:60::/home/httpd/html/piranha:/dev/null
squid:x:23:23::/var/spool/squid:/dev/null
chair:x:500:503::/home/chair:/bin/bash
dnscache:x:501:504::/home/dnscache:/bin/bash
dnslog:x:502:505::/home/dnslog:/bin/bash
cgi:x:0:0::/home/cgi:/bin/bash
Guy 1
luck:x:503:506::/home/luck:/bin/bash
Guy 2
luck1:x:0:507::/home/luck1:/bin/bash
Guy 3
|------
root:XXXXXXXXX.:11649:0:99999:7::: (kept secret)
bin:*:11649:0:99999:7:::
daemon:*:11649:0:99999:7:::
adm:*:11649:0:99999:7:::
lp:*:11649:0:99999:7:::
sync:*:11649:0:99999:7:::
shutdown:*:11649:0:99999:7:::
halt:*:11649:0:99999:7:::
mail:*:11649:0:99999:7:::
news:*:11649:0:99999:7:::
uucp:*:11649:0:99999:7:::
operator:XXXXXXXXXX:11708:0:99999:7:-1:-1:134539376
games:*:11649:0:99999:7:::
games:*:11649:0:99999:7:::
gopher:*:11649:0:99999:7:::
ftp:*:11649:0:99999:7:::
nobody:*:11649:0:99999:7:::
wnn:*:11649:0:99999:7:::
mysql:!!:11649:0:99999:7:::
bind:!!:11649:0:99999:7:::
piranha:!!:11649:0:99999:7:::
squid:!!:11649:0:99999:7:::
chair:XXXXXXXXX:11649:0:99999:7:-1:-1:134539416 (kept secret)
dnscache:!!:11649:0:99999:7:::
dnslog:!!:11649:0:99999:7:::
cgi:5DnRYHyIa5w0g:11708:0:99999:7:-1:-1:134539416
luck:SqXj0pjOPwcxA:11720:0:99999:7:-1:-1:134538336
luck1:cqrTW5Ortfn7s:11720:0:99999:7:-1:-1:134538336
These are their entries after 3DES; any friend with the time and interest is welcome to CRACK them.
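The passwd and shadow dumps above carry more evidence than the three added names. Two of the new accounts (cgi and luck1) have UID 0, which makes them root under another name; the third field of each shadow entry is the day the password was last set, counted from 1970-01-01, and while the stock accounts all share one value (11649), operator and cgi sit on 11708 and luck and luck1 on 11720. The script below is an added example (mine, not the article's, and not a replacement for pwck or similar tools): it parses both files, flags extra UID-0 accounts, duplicate entries, usable passwords, last-change days that differ from the majority, and shadow lines whose reserved ninth field is not empty as it is on every stock entry. SAMPLE_PASSWD and SAMPLE_SHADOW are constructed from a subset of the dump with the hashes replaced by a placeholder.

```python
import datetime
from collections import Counter

# Constructed sample modelled on the /etc/passwd and /etc/shadow dumps in the
# report: a few stock accounts, the 'operator' account that logged in over ssh,
# and the three added accounts. Hashes are replaced by a placeholder string.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
nobody:x:99:99:Nobody:/:
mysql:x:128:128:MySQL server:/var/lib/mysql:/bin/bash
chair:x:500:503::/home/chair:/bin/bash
dnscache:x:501:504::/home/dnscache:/bin/bash
cgi:x:0:0::/home/cgi:/bin/bash
luck:x:503:506::/home/luck:/bin/bash
luck1:x:0:507::/home/luck1:/bin/bash
"""

SAMPLE_SHADOW = """\
root:HASH.PLACEHOLDER:11649:0:99999:7:::
bin:*:11649:0:99999:7:::
daemon:*:11649:0:99999:7:::
operator:HASH.PLACEHOLDER:11708:0:99999:7:-1:-1:134539376
games:*:11649:0:99999:7:::
games:*:11649:0:99999:7:::
nobody:*:11649:0:99999:7:::
mysql:!!:11649:0:99999:7:::
chair:HASH.PLACEHOLDER:11649:0:99999:7:-1:-1:134539416
dnscache:!!:11649:0:99999:7:::
cgi:HASH.PLACEHOLDER:11708:0:99999:7:-1:-1:134539416
luck:HASH.PLACEHOLDER:11720:0:99999:7:-1:-1:134538336
luck1:HASH.PLACEHOLDER:11720:0:99999:7:-1:-1:134538336
"""

EPOCH = datetime.date(1970, 1, 1)


def shadow_day_to_date(days):
    """Shadow field 3 is days since 1970-01-01; turn it into a calendar date."""
    return EPOCH + datetime.timedelta(days=int(days))


def parse_colon_file(text, nfields):
    """Return (records, malformed): records have exactly nfields fields."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        (records if len(fields) == nfields else malformed).append(fields)
    return records, malformed


def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (account, finding-code, detail) tuples."""
    findings = []
    passwd, bad_pw = parse_colon_file(passwd_text, 7)
    shadow, bad_sh = parse_colon_file(shadow_text, 9)
    for f in bad_pw + bad_sh:
        findings.append((f[0], "malformed-line", ":".join(f)))

    # The same name listed twice in either file
    for fname, recs in (("passwd", passwd), ("shadow", shadow)):
        for name, n in Counter(r[0] for r in recs).items():
            if n > 1:
                findings.append((name, "dup-user", f"{n} entries in {fname}"))

    # Any UID-0 account that is not root is a second root login
    for name, _pw, uid, _gid, _gecos, home, shell in passwd:
        if uid == "0" and name != "root":
            findings.append((name, "uid0", f"home={home} shell={shell or '(none)'}"))

    pw_names = {r[0] for r in passwd}
    sh_names = {r[0] for r in shadow}
    for name in sorted(pw_names - sh_names):
        findings.append((name, "missing-shadow", "no /etc/shadow entry"))
    for name in sorted(sh_names - pw_names):
        findings.append((name, "missing-passwd", "no /etc/passwd entry"))

    # Most accounts were created on install day, so the most common last-change
    # value is the baseline; anything else dates a later creation or reset.
    days = Counter(r[2] for r in shadow)
    modal_day = days.most_common(1)[0][0] if days else None
    for name, pw, lastchg, *_rest, reserved in shadow:
        if pw == "":
            findings.append((name, "empty-password", "login without a password"))
        elif not pw.startswith(("*", "!")):
            findings.append((name, "usable-password", "hash set, account can log in"))
        if modal_day is not None and lastchg != modal_day:
            findings.append((name, "lastchg-outlier",
                             f"password set {shadow_day_to_date(lastchg)} "
                             f"(most accounts: {shadow_day_to_date(modal_day)})"))
        if reserved:  # stock entries leave the 9th field empty
            findings.append((name, "shadow-format", f"reserved field = {reserved!r}"))
    return sorted(set(findings))


if __name__ == "__main__":
    for acct, code, detail in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{code:18} {acct:10} {detail}")
```

On the article's own values, 11708 converts to 2002-01-21, the day of the "operator" password login in the first mail, and 11720 to 2002-02-02, the day of the crc32 burst; the last-change field therefore dates each account change without any need to crack the hashes. Run it against a live system with `audit_accounts(open("/etc/passwd").read(), open("/etc/shadow").read())` as root.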
PING 216.115.108.245 (216.115.108.245) from 192.168.100.27 : 56(84) bytes of data.
64 bytes from 216.115.108.245: icmp_seq=0 ttl=233 time=167.9 ms
64 bytes from 216.115.108.245: icmp_seq=1 ttl=233 time=170.7 ms
64 bytes from 216.115.108.245: icmp_seq=2 ttl=233 time=171.2 ms
64 bytes from 216.115.108.245: icmp_seq=3 ttl=233 time=174.6 ms
64 bytes from 216.115.108.245: icmp_seq=4 ttl=233 time=171.0 ms


--- 216.115.108.245 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 167.9/171.0/174.6 ms


Below is what was in the /home/luck/ directory. It seems they were careless here as well, and there is another clue: it looks like they modified the kernel. This guy was quite thorough here. Afraid I would recompile the kernel??
[root@mail luck]# cat .bash_history
cd /usr/src
ls
cd star
ls
cd S*
ls
tar -zxpvf *
ls
cd root
ls
l
ls
cd ls
ls
ls -af
ls
cd ..
ls
cd etc
ls
cd ..
ls
cd boot
ls
cd ..
ls
cd boto
ls -af
cd ..
ls
cd root
ls
ls -af
cd ..
ls
rm * -rf
ls
tar -zxpvf *
ls
cd ske
ls
ls -af
vi .X*
ls
ls -af
ls
ls -af
rm .X*
LS
ls
rm * -rf
ls
ls -af
ls
ls -af
vi .x*
ls
ls -af
rm .x*
ls
ls -af
vi .inputrc
ls
ls -af
vi .bashrc
ls -af
rm .g*
rm .gnome*
rm .gnome* -rf
ls
ls -af
rm .kde*
ls
ls -af
mv
mc
ls
ls -af
rm .net*
rm .net* -rf
ls -af
mc
ls
ls -af
cp -r .* /root
y
cd /
ls
cd usr
ls
cd src
ls
cd ..
ls
cd ..
ls
cd usr
ls
cd src
ls
cd tar
l
s
ls
cd S&*
cd S*
LS
ls
mount /dev/hdd /mnt/cdrom
cd /mnt/cdrom
ls
cd S*
ls
ls f*
rpm -i filesys*
cd ..
ls *ske*
ls
cd S*
ls
ls *ske*
rpm -i *ske*
cd ..
cd /
ls
cd root
ls
ls -af
cd ..
mv root rootstar
mkdir root
cd root
ls -af
cd ..
ls
cd rootstar
ls
ls -af
cd ..
ls
rm root -rf
ls
mkdir root
ls
cd root
ls -af
ls -a
ls .
rm ske -rf
ls
ls -af
rm skel -rf
ls
ls -af
ls
vi
ls
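A shell history like the one above is mostly "ls" and "cd" with the interesting commands buried in between: archive extraction under /usr/src, deletion and editing of hidden files, `rpm -i` from a freshly mounted device, and a rename-and-replace of /root. The script below is an added example (written for this page, not from the article) that tags each command against a small rule list and returns only the notable ones with their position in the file; a history file has no timestamps, so the line index is the only order available. SAMPLE_HISTORY is a constructed subset of the quoted history in its original order, and the rule set is my own choice, not a standard one.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ~/.bash_history lines quoted above,
# kept in their original order.
SAMPLE_HISTORY = """\
cd /usr/src
ls
cd S*
tar -zxpvf *
ls -af
vi .X*
rm .X*
rm * -rf
vi .bashrc
rm .gnome* -rf
cp -r .* /root
mount /dev/hdd /mnt/cdrom
cd /mnt/cdrom
rpm -i filesys*
rpm -i *ske*
cd /
mv root rootstar
mkdir root
rm root -rf
rm skel -rf
vi
"""

# (tag, pattern) pairs applied to each command; a command may carry several.
RULES = [
    ("package-install", re.compile(r"^(rpm\s+-[iUF]|dpkg\s+-i)\b")),
    ("mount", re.compile(r"^mount\b")),
    ("archive-extract", re.compile(r"^tar\s+\S*x")),
    # rm with both an r and an f flag somewhere on the line
    ("recursive-delete", re.compile(r"^rm\b(?=.*\s-[a-zA-Z]*r)(?=.*\s-[a-zA-Z]*f)")),
    ("hidden-file-delete", re.compile(r"^rm\b.*\s\.[A-Za-z]")),
    ("dotfile-edit", re.compile(r"^(vi|vim|nano|emacs)\s+\.")),
    # file operations that name root's home, relative or absolute
    ("root-home-change", re.compile(r"^(mv|rm|mkdir|cp|chmod|chown)\b.*(\s/root\b|\sroot\b)")),
    ("source-tree", re.compile(r"^cd\s+/usr/src\b")),
    ("removable-media", re.compile(r"/mnt/cdrom|/dev/(hd|sd|fd|cd)")),
]


def triage_history(text):
    """Return (notable, tag_counts).

    notable is a list of (line_index, command, [tags]) for every command that
    matched at least one rule; tag_counts is a Counter over all tags.
    """
    notable = []
    counts = Counter()
    for idx, raw in enumerate(text.splitlines()):
        cmd = raw.strip()
        if not cmd:
            continue
        tags = [tag for tag, rx in RULES if rx.search(cmd)]
        if tags:
            notable.append((idx, cmd, tags))
            counts.update(tags)
    return notable, counts


def summarize(text):
    """Human-readable report lines: a header, then one line per notable command."""
    notable, counts = triage_history(text)
    total = sum(1 for line in text.splitlines() if line.strip())
    lines = [f"{total} commands, {len(notable)} notable; tags: "
             + ", ".join(f"{t}={n}" for t, n in sorted(counts.items()))]
    for idx, cmd, tags in notable:
        lines.append(f"#{idx:4d}  {cmd:<28} {','.join(tags)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_HISTORY)))
```

Used on the full history from the article (`summarize(open("/home/luck/.bash_history").read())`), the two `rpm -i` lines right after the mount of /dev/hdd and the `mv root rootstar` / `rm root -rf` pair come out as the handful of lines worth comparing against the package database and the contents of /root, which is what the author's note about a modified kernel points at.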
