一次被黑經(jīng)歷與反思

gen.ro,butthisdoesnotmapbacktotheaddress-POSSIBLEBREAK-INMay2216:16:48localhostsshd[26364]:Acceptedpasswordforrootfrom46portMay2216:16:48localhostsshd[26364]:pam_unix(sshd:session):sessionopenedforuserrootbyMay2216:17:09localhostpasswd:pam_unix(passwd:chauthtok):passwordchangedforrootMay2216:24:53localhostsshd[3521]:Receivedsignal15;May2216:34:51localhostsshd[26364]:pam_unix(sshd:session):sessionclosedforuserrootMay2216:39:47localhostgroupadd[1622]:newgroup:name=screen,可以確定此機(jī)已經(jīng)被黑，首先將此IP46加入hosts.deny防止在處理過程中再次破壞，通過日志可以看出，被建立了一個(gè)組screengid84，在/etc/group[root@localhosthome]#nmapStartingNmap4.11()at2012-05-2315:13Interestingportsonlocalhost.local Notshown:1676closedports 22/tcpopen25/tcpopen80/tcpopenhttp111/tcpopenrpcbind900/tcpopenps[root@localhosthome]#ps PID%CPU%MEM VSZRSSTTY STATSTARTTIMECOMMAND 36760.00.0748361236? 0:00crond 36990.00.0201081044 0:00xfs-droppriv-0.0231721284S0:00avahi-daemon:0.023172340S0:00avahi-daemon:0.018440480S0:00492S0:00/sbin/mingetty492S0:00/sbin/mingetty484S0:00/sbin/mingetty488S0:00/sbin/mingetty484S0:00/sbin/mingetty0.825835216992 0:00/usr/bin/python0.0129401192 0:000.03816492 0:00/sbin/mingetty0.0240681740 0:00sshd:0.0660881580 0:00-0.21575285196 0:28/usr/bin/python0.0660841484 0:00-0.0240681696 0:00sshd:0.0660881536S0:00-0.0239041688S0:00sshd:0.0660881572S0:00-0.0239041548S0:00sshd:0.0660841484S0:00-0.0240681704S0:00sshd:0.0660881568S0:00-0.142002092R0:00ps )May2216:53:48localhostsendmail[3647]:q4M8rjFf003627: >,ctladdr=<root@localhost.local >(0/0), relay=.[47],dsn=2.0.0,stat=Sent(okdirdel)May2216:56:30localhostsendmail[3965]:q4M8uU5j003965: ,ctladdr=root(0/0),delay=00:00:00,xdelay=00:00:00,mailer=relay,pri=30083,relay=[][],dsn=2.0.0,stat=Sent(q4M8uUoA003985Messageacceptedfordelivery)May2216:56:32localhostsendmail[3987]:q4M8uUoA003985: >,ctladdr=<root@localhost.local >(0/0), relay=.[33],dsn=2.0.0,stat=Sent(okdirdel)May2216:56:43localhostsendmail[4030]:q4M8uhGd004030: ,ctladdr=root(0/0),delay=00:00:00,xdelay=00:00:00,mailer=relay,pri=30083,relay=[][],dsn=2.0.0,stat=Sent Messageacceptedfordelivery)May2216:56:46localhostsendmail[4035]:q4M8uhR >,ctladdr=<root@localhost.local >(0/0), relay=.[96],dsn=2.0.0,stat=Sent(okdirdel)可以看出，在頻繁給yahoo發(fā)郵件，本以為此人只為盜發(fā)郵件才我的機(jī)器，但是仔細(xì)[root@localhostmail]#crontab-06***/usr/sbin/ xfs:x:43:43:XFontServer:/etc/X11/fs:/sbin/nologinrpcuser:x:29:29:RPCServiceUser:/var/lib/nfs:/sbin/nologin 異常：仔細(xì)看一下bin用戶的登陸s 除了最后一行6:53pmup1:59,6users,loadaverage:0.00,0.00,102processes:101slee,1running,0zombie,0CPUstates:0.7%user,0.6%system,0.0%nice,98.5% Kav,613508Kused, 0Kshrd, Kav, 0Kused, 327072Kcached$<5>$<3>$<2>$<2>Unknowncommand'--hit`h'forhelp$<2>IZERSSSHARESTATLIB%CPU TIME1 576 00.0 0:002 0K- 0 00.0 0:003 34 0 00.0 0:00400000:00500000:00第三行：cpu顯示第五行：swap查看top命令的信息 1 33992Mar312010[root@localhosthome]#ll-ha/usr/bin/topls:invalidoption--hTry`lshelp'formoreinformation.ls命令也被改了findfind/-user122|xargsls- 1 39696Mar12010154152Jan272010162920Mar312010131504Jan2720101212747Mar12010193476Mar12010139696Mar12010/u159536Sep42009131452Mar12010/u112340Sep272009133992Mar312010182628Jan102007/u[root@localhosthome]#mv/bin/lsmv:cannotmove`/bin/ls'to`/bin/ls.bak':Operationnot[root@localhosthome]# 沒有問題啊，文件普通權(quán)限也沒問題，讓起來chattr+i去鎖定文件修改權(quán)限finduser122|xargslsattr a：AppendOnly，系統(tǒng)只允許在這個(gè)文件之后追加數(shù)據(jù)，丌允許任何迚程覆蓋戒截?cái)噙@個(gè)文件。如果 s：SecureDelete0 改掉：finduser122|xargschattrai1：/sbin/ttyload2：/sbin/ttymonttyload&&ttymon-q兩個(gè)迚程（當(dāng)時(shí)沒記錄下來就直接重啟了ll 3414Mar72011 49.9 08855240241272S49.90.2541:24.42發(fā)現(xiàn)這兩個(gè)迚程占用系統(tǒng)資源比較高（我這臺(tái)機(jī)器正常應(yīng)該是無負(fù)載的lsofp 3uIPv4 TCP[root@localhost~]#cat/etc/services|grep #InternetRelay #InternetRelay6667