The authors introduce
Chen Hao, R&D engineer of BEIxinyuan, has five years of experience in Linux operation and maintenance, and is keen on the research, practice and team sharing of operation and maintenance technology.
1
The cause of
I had a normal rest at home, but the online server we put in the hosting room in Shanghai suddenly collapsed and the remote service could not be started. Then I asked the Shanghai computer room to restart again, or directly hung up, until I was on the remote line.
2
The phenomenon of
The remote server found this information
Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Login information, and then went over the wall to look at foreign websites
This means something like:
Greetings, your server has been hacked and your files have been deleted. They are removed before we support our server control. You must send a total of 3 BTC addresses :1 b1ou6edreyffif3******* Failure to do so will result in the file being deleted after 5 days. We could leak your files, too. You can be reached by email at [email protected]. We will not provide any documentation before payment. Good bye!
Oh, it’s been hacked!
3
Start screening
First, check the logs. I have done security operation and maintenance before, so I have written similar check commands and tools.
RPM -vf /usr/sbin/ls RPM -vf /usr/sbin/sshd RPM -vf /sbin/ifconfig RPM -vf /usr/sbin/lsof # Check whether the system has elf files replaced # Run the grep -r “getRuntime” command in the web directory./ # Check whether the system has Trojan find. -type f-name “*. JSP” | xargs grep -i “getRuntime” # run by connection or by any application. Call find -type f -name “*. JSP” | xargs grep -i “getHostAddress” # returns a string, find the IP address. – type f -name “*. JSP” | xargs grep -i “wscript. Shell” # create WshShell object can run the application, the registry operation, create a shortcut, access to the system folder, management, environment variables Find. -type f -name “*. JSP” | xargs grep -i “gethostbyname” # gethostbyname () returns corresponding to a given host name of a pointer to a hostent structure contains the host name and the address information to find. -type f -name “*. JSP” | xargs grep -i “bash” # call system command right to mention the find. -type f -name “*. JSP” | xargs grep -i “jspspy” # JSP Trojan name by default find . -type f -name “*.jsp” | xargs grep -i “getParameter” fgrep – R “admin_index.jsp” 20120702.log > log.txt Log >log. TXT fgrep -r “select “*. Log >log. TXT fgrep -r “union “*.log>log.txt fgrep – R “.. /.. TXT fgrep -r “Runtime”*. Log >log. TXT fgrep -r “passwd”*. Log >log. TXT # Check whether the corresponding record is displayed -a”*.log>log.txt fgrep – R “id”*.log>log.txt fgrep – R “ifconifg”*.log>log.txt fgrep – R “ls -l”*.log>log.txt Tail -n 10 /var/log/secure last cat /var/log/wtmp cat / var/log/sulog # check whether there are unauthorized su command cat/var/log/cron # to check the plans of the tasks to be normal tail – n 100 ~. / bash_history | more check to see if the temporary directory is left when the attacker invasion of residual files Ls -la/TMP ls -la /var/tmp # If there are.c.py. Sh files or binary elf files.
I’m looking for an IP address that’s kind of like a hacker’s, just guessing and then looking at the IP address and filtering out the access information for that IP address
And check where the IP address is.
Apr 17 03:14:56 localhost sshd[11499]: warning: /etc/hosts.deny, line 14: missing “:” separator Apr 17 03:15:01 localhost sshd[11499]: Address 46.214.146.198 Maps to 46-214-146-198. Next-gen. Ro, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT! Apr 17 03:15:01 localhost SSHD [11499]: Invalid user ubnt from 46.214.146.198 Apr 17 03:15:01 localhost SSHD [11500]: input_userauth_request: invalid user ubnt Apr 17 03:15:01 localhost sshd[11499]: pam_unix(sshd:auth): check pass; user unknown Apr 17 03:15:01 localhost sshd[11499]: pam_unix(sshd:auth): authentication failure; Logname = uid=0 euid=0 tty= SSH ruser= rhost=46.214.146.198 Apr 17 03:15:01 localhost SSHD [11499]: pam_succeed_if(sshd:auth): error retrieving information about user ubnt Apr 17 03:15:03 localhost sshd[11499]: Failed password for invalid user ubnt from 46.214.146.198 port 34989 ssh2 Apr 17 03:15:03 LOCALhost SSHD [11500]: Connection closed by 46.214.146.198
That’s him. Check the history books.
Invalid user ubnt from 46.214.146.198 was found.
History and related access logs have been deleted and traces cleared.
Install chrootkit check whether there is a rootkit mkdir chrootkit chrootkit CD/wget tar at ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ZXVF chkRootkit.tar. gz CD chkrootkit0.50 / ls yum install -y glibc-static make sense./chkrootkit
The check was found to be normal
Run the vi /etc/motd command
[root@mall ~]# vi /etc/motd Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Can’t find out the back door can’t find the relevant command, feel the train of thought is damaged, dizzy.
Finally, search for Web access logs and IP access logs of the current day.
Found a command that made me wonder, GET /cgi-bin/center.cgi? Id = 20 HTTP / 1.1.
And it’s a little unusual
Find a bug like the most popular Bash shell, test it, and sure enough there is a bug.
env x='() { :; }; echo vulnerable’ bash -c “echo this is a test” [root@mall ~]# env x='() { :; }; echo vulnerable’ bash -c “echo this is a test” vulnerable this is a test
4
Repairing upgrade Commands
yum -y install yum-downloadonly
Yum -y install bash – 4.1.2-33. El6_7. 1. X86_64. RPM
[root@mall TMP]# yum -y install bash-4.1.2-33.el6_7.1.x86_64. RPM
Plug-ins loaded: FastestMirror, Security
Setting the Installation Process
Diagnosis of bash – 4.1.2-33. El6_7. 1. X86_64. RPM: bash – 4.1.2-33. El6_7. 1. X86_64
Bash-4.2-33.el6_7.1.x86_64. RPM will be used as an update to bash-4.1.2-15.el6_4.x86_64
Loading mirror speeds from cached hostfile
* base: ftp.sjtu.edu.cn
* extras: mirrors.skyshe.cn
* updates: ftp.sjtu.edu.cn
Resolving dependencies
–> Execute transaction check
–> Package bash.x86_64 0:4.1.2-15.el6_4 will be upgraded
–> Package bash.x86_64 0:4.1.2-33.el6_7.1 will be an update
–> Complete the dependency calculation
Dependency resolution
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Total file size: 3.0M
Download the package:
Run rpm_check_debug
Execute transaction tests
Transaction test successful
Perform transactions
Upgrading: bash-4.1.2-33.el6_7.1.x86_64
Cleaning: bash – 4.1.2-15. El6_4. X86_64
Verifying: bash – 4.1.2-33. El6_7. 1. X86_64
Verifying: bash – 4.1.2-15. El6_4. X86_64
Updated:
Bash. X86_64 0-4. 1.2-33. El6_7. 1
Finished!
To test
[root@mall tmp]# env x='() { :; }; echo vulnerable’ bash -c “echo this is a test”
this is a test
5
After the completion of the following measures
-
The system account password is changed.
-
The SSHD port is changed to 2220.
-
Modify Nginx user nologin;
-
Found bash serious vulnerability Shellshock vulnerability in the system server and fixed it;
-
After the update is complete, no intrusion is detected or the server breaks down automatically.
6
The process by which the vulnerability is exploited
I send a GET request — > target server CGI path
The target server parses the GET request, hits the parameter after UserAgent, and the Bash interpreter executes the following command.
7
Shellshock introduction
Shellshock, also known as Bashdoor, is a security vulnerability in the Bash shell widely used in Unix, which was first made public on September 24, 2014. Many Internet daemons, such as web servers, use bash to process certain commands, allowing an attacker to execute arbitrary code on a vulnerable version of bash. This allows an attacker to gain unauthorized access to a computer system.
8
More articles recommended
-
http://zone.wooyun.org/content/15392
-
http://www.freebuf.com/articles/system/50707.html
-
http://bobao.360.cn/news/detail/408.html
-
http://hacker-falcon.blog.163.com/blog/static/23979900320148294531576/
Article source: 51CTO Technology Stack, reproduced with the author’s permission
Recent hot articles:
With this script, DB maintenance & MGR deployment is more efficient!
Application architecture specification and The Agile War: a one-time SQL optimization
2017 Gdevops Beijing station: The promised dry goods and PPT come!
Beware: Java over SQL is a performance no-no!
From helpless pain to awesome, detailed Linux operation and maintenance engineers to beat the strange upgrade road