Linux服务器沦陷为肉鸡的全过程实录--粉丝服务平台-粉丝头条-fensifuwu.com

Linux服务器沦陷为肉鸡的全过程实录

科技 07-12 来源：程序员圣经

作者：kluan
来源：https://www.cnblogs.com/kluan/p/4810366.html

1 从防火墙瘫痪说起

2015年3月10日，还没到公司就被电话告知办公室无法正常连接互联网了，网速非常慢，无法正常浏览网页。急急忙忙感到公司，开始查找问题。

首先排除了交换机故障，因为内部局域网正常。当ping防火墙设备时，丢包严重。很明显，防火墙出了问题，撑不住了，其Web管理界面根本无法正常登陆。立即联系其服务商远程查找问题，经过近3个小时的分析，得出结论是网内有两台主机大量发送TCP数据包，瞬间就能在防火墙上造成40万链接数，大大超出了防火墙的处理能力，造成无法响应正常路由请求。我们暂且称这两台机器为A和B。把这两台机器断线之后，网路立刻正常了，防火墙上的链接数很快降低到正常水平。

主机A配置如下：

OS - RedHat Enterprise Linux Server release 6.3
部署软件 - Tomcat，sshd, oracle
RAM - 4GB
CPU - Intel Core i3-2130
IP地址 - 172.16.35.201（对外映射为59.46.161.39）

主机B为客户托管主机，具体配置不详。

本文只对主机A进行分析处理。

通过防火墙命令行界面，抓包发现A机器疯狂对一组IP地址进行22端口扫描。下面是抓包结果片段：

proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:39895=====>183.58.99.130:22, packet=3, bytes=208[REPLY] 183.58.99.130:22=====>59.46.161.39:39895, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33967=====>183.58.99.131:22, packet=3, bytes=208[REPLY] 183.58.99.131:22=====>59.46.161.39:33967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34117=====>183.58.99.132:22, packet=3, bytes=208[REPLY] 183.58.99.132:22=====>59.46.161.39:34117, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54932=====>183.58.99.125:22, packet=3, bytes=208[REPLY] 183.58.99.125:22=====>59.46.161.39:54932, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:60333=====>183.58.99.135:22, packet=3, bytes=208[REPLY] 183.58.99.135:22=====>59.46.161.39:60333, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52737=====>183.58.99.136:22, packet=3, bytes=208[REPLY] 183.58.99.136:22=====>59.46.161.39:52737, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:52291=====>183.58.99.137:22, packet=3, bytes=208[REPLY] 183.58.99.137:22=====>59.46.161.39:52291, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46183=====>183.58.99.138:22, packet=3, bytes=208[REPLY] 183.58.99.138:22=====>59.46.161.39:46183, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:36864=====>183.58.99.139:22, packet=3, bytes=208[REPLY] 183.58.99.139:22=====>59.46.161.39:36864, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:34515=====>183.58.99.133:22, packet=3, bytes=208[REPLY] 183.58.99.133:22=====>59.46.161.39:34515, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:57121=====>183.58.99.134:22, packet=3, bytes=208[REPLY] 183.58.99.134:22=====>59.46.161.39:57121, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37830=====>183.58.99.140:22, packet=3, bytes=208[REPLY] 183.58.99.140:22=====>59.46.161.39:37830, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:42742=====>183.58.99.141:22, packet=3, bytes=208[REPLY] 183.58.99.141:22=====>59.46.161.39:42742, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:55018=====>183.58.99.142:22, packet=3, bytes=208[REPLY] 183.58.99.142:22=====>59.46.161.39:55018, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:46447=====>183.58.99.143:22, packet=3, bytes=208[REPLY] 183.58.99.143:22=====>59.46.161.39:46447, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:51039=====>183.58.99.147:22, packet=3, bytes=208[REPLY] 183.58.99.147:22=====>59.46.161.39:51039, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:33123=====>183.58.99.146:22, packet=3, bytes=208[REPLY] 183.58.99.146:22=====>59.46.161.39:33123, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35956=====>183.58.99.151:22, packet=3, bytes=208[REPLY] 183.58.99.151:22=====>59.46.161.39:35956, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:45002=====>183.58.99.145:22, packet=3, bytes=208[REPLY] 183.58.99.145:22=====>59.46.161.39:45002, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:54711=====>183.58.99.150:22, packet=3, bytes=208[REPLY] 183.58.99.150:22=====>59.46.161.39:54711, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:58976=====>183.58.99.155:22, packet=3, bytes=208[REPLY] 183.58.99.155:22=====>59.46.161.39:58976, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:37967=====>183.58.99.157:22, packet=3, bytes=208[REPLY] 183.58.99.157:22=====>59.46.161.39:37967, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:47125=====>183.58.99.158:22, packet=3, bytes=208[REPLY] 183.58.99.158:22=====>59.46.161.39:47125, packet=0, bytes=0
proto=6 TCP TCP_NS_ESTABLISHED,status:00001198,left_time:0s,172.16.35.201:35028=====>183.58.99.156:22, packet=3, bytes=208[REPLY] 183.58.99.156:22=====>59.46.161.39:35028, packet=0, bytes=0

可以清晰的看到，肉鸡扫描程序疯狂扫描一个网段内的22端口。

2 查找黑客行踪的方法

对于Linux主机，出现问题后分析和处理的依据主要是日志。/var/log/messages、/var/log/secure都是必不可少的分析目标，然后就是.bash_history命令记录。黑客登录主机必然会在日志中留下记录，高级黑客也许可以删除痕迹，但目前大部分黑客都是利用现成工具的黑心者，并无太多技术背景。该主机对外开放三个TCP侦听端口：

22 sshd
80 Tomcat
1521 Oracle

这三个服务都有可能存在漏洞而被攻击，最容易被扫描攻击的还是sshd用户名密码被破解。所以最先分析 /var/log/secure日志，看登录历史。

3 沦陷过程分析

3.1 oracle用户密码被破解

分析/var/log/secure日志。不看不知道一看吓一跳，该日志已经占用了四个文件，每个文件都记录了大量尝试登录的情况，执行命令：

结果如下：

可以看出攻击程序不断采用不同的账户和密码进行尝试。然后在接近尾部的地方发现如下2行，说明被攻破了。

Mar 9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar 9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)

可见账户oracle的密码被猜中，并成功登入系统。

3.2 黑客动作推演

下面看看黑客用oracle账户都做了什么。首先复制一份oracle的命令历史，防止后续操作丢失该记录。