1.原因:本來在家正常休息了,我們放在上海託管機房的線上服務器突然蹦了遠程不了,服務啓動不了,然後讓上海機房重啓了一次,還是直接掛了,一直到我遠程上才行。
2.現象:遠程服務器發現出現這類信息
Hi, please view: 
轉存失敗重新上傳取消http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Hi, please view: 轉存失敗重新上傳取消http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Hi, please view: 轉存失敗重新上傳取消http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Hi, please view: 轉存失敗重新上傳取消http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Hi, please view: 轉存失敗重新上傳取消http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
Hi, please view: 轉存失敗重新上傳取消http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!
登錄信息
然後翻牆去了國外網站查看
Greetings,
Your server has been hacked and your files have been deleted.
Before they were deleted, we backed them up to a server we control.
You must send a total of 3 BTC to the address: 1B1oU6EdREYffif3**********
Failure to do so will result in your files being deleted after 5 days.
We may also leak your files.
You can e-mail [email protected] for support. We will not give any files before a payment has been made.
Goodbye!
發現被黑。
3.開始排查:
首先檢查日誌,以前做過安全運維,所以寫過類似於檢查命令和工具,開始一一排查。
#查看是否爲管理員增加或者修改
find / -type f -perm 4000
#顯示文件中查看是否存在系統以外的文件
rpm -Vf /bin/ls
rpm -Vf /usr/sbin/sshd
rpm -Vf /sbin/ifconfig
rpm -Vf /usr/sbin/lsof
#檢查系統是否有elf文件被替換
#在web目錄下運行
grep -r "getRuntime" ./
#查看是否有木馬
find . -type f -name "*.jsp" | xargs grep -i "getRuntime"
#運行的時候被連接或者被任何程序調用
find . -type f -name "*.jsp" | xargs grep -i "getHostAddress"
#返回ip地址字符串
find . -type f -name "*.jsp" | xargs grep -i "wscript.shell"
#創建WshShell對象可以運行程序、操作註冊表、創建快捷方式、訪問系統文件夾、管理環境變量
find . -type f -name "*.jsp" | xargs grep -i "gethostbyname"
#gethostbyname()返回對應於給定主機名的包含主機名字和地址信息的hostent結構指針
find . -type f -name "*.jsp" | xargs grep -i "bash"
#調用系統命令提權
find . -type f -name "*.jsp" | xargs grep -i "jspspy"
#Jsp木馬默認名字
find . -type f -name "*.jsp" | xargs grep -i "getParameter"
fgrep - R "admin_index.jsp" 20120702.log > log.txt
#檢查是否有非授權訪問管理日誌
#要進中間件所在日誌目錄運行命令
fgrep - R "and1=1"*.log>log.txt
fgrep - R "select "*.log>log.txt
fgrep - R "union "*.log>log.txt
fgrep - R "../../"*.log >log.txt
fgrep - R "Runtime"*.log >log.txt
fgrep - R "passwd"*.log >log.txt
#查看是否出現對應的記錄
fgrep - R "uname -a"*.log>log.txt
fgrep - R "id"*.log>log.txt
fgrep - R "ifconifg"*.log>log.txt
fgrep - R "ls -l"*.log>log.txt
#查看是否有shell攻擊
#以root權限執行
cat /var/log/secure
#查看是否存在非授權的管理信息
tail -n 10 /var/log/secure
last cat /var/log/wtmp
cat /var/log/sulog
#查看是否有非授權的su命令
cat /var/log/cron
#查看計劃任務是否正常
tail -n 100 ~./bash_history | more
查看臨時目錄是否存在攻擊者入侵時留下的殘餘文件
ls -la /tmp
ls -la /var/tmp
#如果存在.c .py .sh爲後綴的文件或者2進制elf文件。
|
1
2
|
檢查出有點類似於黑客的ip,只能猜測然後查看ip地址過濾出這個ip的訪問信息並查看ip地址是那邊的 |
Apr 17 03:14:56 localhost sshd[11499]: warning: /etc/hosts.deny, line 14: missing ":" separator
Apr 17 03:15:01 localhost sshd[11499]: Address 46.214.146.198 maps to 46-214-146-198.next-gen.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 03:15:01 localhost sshd[11499]: Invalid user ubnt from 46.214.146.198
Apr 17 03:15:01 localhost sshd[11500]: input_userauth_request: invalid user ubnt
Apr 17 03:15:01 localhost sshd[11499]: pam_unix(sshd:auth): check pass; user unknown
Apr 17 03:15:01 localhost sshd[11499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=46.214.146.198
Apr 17 03:15:01 localhost sshd[11499]: pam_succeed_if(sshd:auth): error retrieving information about user ubnt
Apr 17 03:15:03 localhost sshd[11499]: Failed password for invalid user ubnt from 46.214.146.198 port 34989 ssh2
Apr 17 03:15:03 localhost sshd[11500]: Connection closed by 46.214.146.198
就是他了,查看歷史記錄
日誌發現 Invalid user ubnt from 46.214.146.198
歷史記錄和相關訪問日誌已經被刪除,痕跡清除。
|
1
2
3
4
5
6
7
8
9
10
|
安裝chrootkit檢查是否有rootkitmkdir chrootkitcd chrootkit/wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gztar zxvf chkrootkit.tar.gz cd chkrootkit-0.50/lsyum install -y glibc-staticmake sense./chkrootkit |
發現檢查沒有異常
打開 vi /etc/motd 發現
|
1
2
3
4
5
6
7
|
[root@mall ~]# vi /etc/motd Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files!Hi, please view: http://pastie.org/pastes/10800563/text?key=hzzm4hk4ihwx1jfxzfizzq for further information in regards to your files! |
查找不出後門也找不到相關命令,感覺思路受損,暈頭轉向。
最後查找下單天的web訪問日誌和相關ip訪問
發現一條命令讓我好奇,GET /cgi-bin/center.cgi?id=20 HTTP/1.1
並且有點異常
發現像目前最流行的bash shell 漏洞,測試一下,果然存在漏洞。
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[root@mall ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
4.修復升級命令:
yum -y install yum-downloadonly
yum -y install bash-4.1.2-33.el6_7.1.x86_64.rpm
[root@mall tmp]# yum -y install bash-4.1.2-33.el6_7.1.x86_64.rpm
已加載插件:fastestmirror, security
設置安裝進程
診斷 bash-4.1.2-33.el6_7.1.x86_64.rpm: bash-4.1.2-33.el6_7.1.x86_64
bash-4.1.2-33.el6_7.1.x86_64.rpm 將作爲 bash-4.1.2-15.el6_4.x86_64 的更新
Loading mirror speeds from cached hostfile
* base: ftp.sjtu.edu.cn
* extras: mirrors.skyshe.cn
* updates: ftp.sjtu.edu.cn
解決依賴關係
--> 執行事務檢查
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be 升級
---> Package bash.x86_64 0:4.1.2-33.el6_7.1 will be an update
--> 完成依賴關係計算
依賴關係解決
======================================================================================================================================================================================
總文件大小:3.0 M
下載軟件包:
運行 rpm_check_debug
執行事務測試
事務測試成功
執行事務
正在升級 : bash-4.1.2-33.el6_7.1.x86_64
清理 : bash-4.1.2-15.el6_4.x86_64
Verifying : bash-4.1.2-33.el6_7.1.x86_64
Verifying : bash-4.1.2-15.el6_4.x86_64
更新完畢:
bash.x86_64 0:4.1.2-33.el6_7.1
完畢!
重新測試
[root@mall tmp]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
5.完成後做了如下措施:
1.修改了系統賬號密碼。
2.修改了sshd端口爲2220。
3.修改nginx用戶nologin。
4.發現系統服務器存在bash嚴重漏洞 破殼漏洞(Shellshock)並修復。
5.更新完成後後面沒有發現被入侵或者服務器自動宕機現象。
6.漏洞被利用過程:
我發送GET請求–>目標服務器cgi路徑
目標服務器解析這個get請求,碰到UserAgent後面的參數,Bash解釋器就執行了後面的命令
7.Shellshock介紹
Shellshock,又稱Bashdoor,是在Unix中廣泛使用的Bash shell中的一個安全漏洞,首次於2014年9月24日公開。許多互聯網守護進程,如網頁服務器,使用bash來處理某些命令,從而允許攻擊者在易受攻擊的Bash版本上執行任意代碼。這可使攻擊者在未授權的情況下訪問計算機系統。
8.相關文章:
http://zone.wooyun.org/content/15392
http://www.freebuf.com/articles/system/50707.html
http://bobao.360.cn/news/detail/408.html
http://hacker-falcon.blog.163.com/blog/static/23979900320148294531576/
【文章轉載自:http://blog.51cto.com/chenhao6/1768695】