An Analysis Report on a Compromised Web Site
[Author: sword_martin  Added: 2001-9-4 14:13:05]
Source: http://linuxaid.com.cn
Note: I came across this article by chance while browsing a security forum. The author worked part-time as a network security consultant for an ISP in exchange for free internet access. Of course, the work he did was his own effort; otherwise he would not have found these problems. He describes the process of finding the problems and of solving them, but what is interesting is the attitude of the ISP's management staff towards handling the problems once he reported them. I am posting the article here in the hope that it serves as a warning and a reference.
About nine months ago I started working as a security consultant for an ISP; in return I got internet access. My main job was to check the ISP's hosts for security vulnerabilities, to try to crack accounts, and so on. Their setup was a typical ISP configuration: Red Hat with Apache as the web server, NT with iMail as the mail server, and DNS served by two hosts running Red Hat and OpenBSD respectively.
The first machine I checked was a web server running Red Hat 5.0. It ran the CGI programs for their customers and was also used for testing programs.
After I logged in, everything looked normal apart from one thing. For some reason the utmp and wtmp files appeared to be corrupted: whenever I ran who or last, they returned a lot of garbage, and even after I cleared both files the output still looked corrupted. That suggested a Trojan horse somewhere in the system.
At that point I did not know whether I was dealing with a trojan or a rootkit, so I went through the system carefully. Finally I found this record in the unshadowed passwd file:
MOOF::0:0::/root:/bin/bash
This showed that the machine had indeed been hacked.
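A check for exactly this kind of backdoor account (an extra UID-0 user with an empty password field) can be scripted. The following is an added example, not from the original article; the passwd content is a constructed sample that includes the MOOF entry quoted above.

```python
import sys

# Constructed sample /etc/passwd; the MOOF line is the entry quoted in the
# article (UID 0, empty password field, /bin/bash as shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
MOOF::0:0::/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (account, reason) findings for the text of a passwd file."""
    findings = []
    uid_owner = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            # On an unshadowed system an empty field means no password at all.
            findings.append((name, "empty password field"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if uid in uid_owner:
            findings.append((name, "duplicate UID %s (also %s)" % (uid, uid_owner[uid])))
        else:
            uid_owner[uid] = name
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        for account, reason in audit_passwd(fh.read()):
            print("%s: %s" % (account, reason))
```

Run it against a copy of the passwd file taken from the suspect host; on a shadowed system the empty-password check should be repeated on /etc/shadow.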
While checking the files on the system, I found a subdirectory named "..." under /root. It contained three files: a sniffer, a backdoor program, and a text file holding all the intercepted user names and passwords. The creation and last-modification times of these files indicated that they had been there for about a year.
The hacker's programs looked like Linux Rootkit IV, so I downloaded its source code to see how it worked and which files it replaced. One of the files it replaces is /bin/login. I compiled the trojaned /bin/login code on the compromised machine and then used a binary editor to see where the backdoor password is placed. Once I knew that, I opened a copy of the machine's own /bin/login in the editor and found its backdoor password. To test it, I logged in to another machine, ran telnet to the compromised host, entered root and the backdoor password, and, sure enough, I was logged in to the server as root. I tried the same with rsh, and that succeeded as well.
I notified the system administrator and the ISP's supervisor by e-mail, attaching the backdoor password and the method, and recommended that they back up all data immediately, wipe the machine, and install the latest Red Hat version with patches. They replied that they would look into it.
The second machine I checked was their primary web server, also Red Hat 5.0 running Apache. The first thing I did after logging in was to check the passwd file, but this time I found nothing wrong. However, when I ran last or who, they again returned a lot of garbage. I checked the machine the same way as before but found no rootkit files. Finally I downloaded its /bin/login and, by comparison, found a backdoor password (different from the one on the first machine) that let me log in as root.
This did not look like the work of the same hacker. None of the operations had left any trace and no rootkit files could be found, apart from the trojaned login program. On a hunch I went into the /dev directory to see whether there were any unusual files. Listing the directory with ls showed nothing abnormal, but when I ran "file *" it showed several text files that ls had not listed.
It turned out that these files were the rootkit's configuration files, specifying which processes, IP addresses, directories and files were to be hidden. From them I found the rootkit's other files and where the hacker had come from.
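The trick used above (a second enumeration path exposes what a trojaned ls hides) can be automated: ask the kernel for the directory contents and compare with what ls prints. The following is an added example, not from the original article; the directory contents and the fake "trojaned" listing in demo() are constructed.

```python
import os
import subprocess
import sys
import tempfile


def listed_by_ls(path):
    """Names that the system's ls prints for a directory (ls -A1: one per
    line, dotfiles included). A replaced ls is exactly what we distrust here."""
    out = subprocess.run(["ls", "-A1", path], capture_output=True,
                         text=True, check=True)
    return set(out.stdout.split("\n")) - {""}


def hidden_entries(path, ls_names):
    """Entries the kernel returns for the directory that ls did not print.
    os.listdir() calls getdents() directly, so a user-space rootkit that only
    replaced /bin/ls cannot filter it. A kernel rootkit hooking getdents()
    hides from both; in that case compare against an offline copy of the disk."""
    return set(os.listdir(path)) - set(ls_names)


def demo():
    """Constructed scenario: a directory with three files, checked once against
    the real ls and once against a fake listing that drops one entry, the way a
    trojaned ls hiding a rootkit configuration file would."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("null", "tty0", "hidden_cfg"):   # constructed names
            open(os.path.join(d, name), "w").close()
        honest = hidden_entries(d, listed_by_ls(d))
        trojaned_listing = {"null", "tty0"}           # "hidden_cfg" suppressed
        hidden = hidden_entries(d, trojaned_listing)
    return sorted(honest), sorted(hidden)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/dev"
    for name in sorted(hidden_entries(target, listed_by_ls(target))):
        print("not shown by ls:", name)
```

Running the script with no arguments inspects /dev, the directory where the configuration files were found in this case; any name printed deserves a look with file and strings.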
The timestamps on these files indicated that they had been on the machine for only a few months. As before, I notified the system administrator and the ISP's supervisor, attaching the backdoor password and my recommendation: back up the data, reinstall the operating system and apply the patches. The answer I got was the same: "Thank you, we will check."
This was really frustrating, for several reasons. First, I had spent several hours working out what method they had used and how the rootkit got onto the host, then found the backdoor passwords, and finally reported all of it and offered a way to solve the problem. They did nothing about it.
Second, as security administrators, everything they did ran contrary to the security knowledge I had learned. Once your machine has been compromised, the first thing to do is back up the data on it and reinstall the system with its patches. That is the only way to be sure it is fully secure.
The last reason is my disappointment in the ISP that provides my own service. I shop online through them, and do everything else online through them. There is already evidence that hackers have captured passwords and may be stealing other things on the network, such as e-mail. The services they provide are at risk, yet they have done nothing. I have completely lost confidence in the ISP's promise to provide reliable service, including the protection of users' private information.
Note: The ISP may believe that although the hacker has got into the host, he has done no damage to the operation of the system; from this it concludes that the hacker is not really "black", that not many people know about the backdoor, and so the vulnerability will not have much effect on the system. At the same time, the network administrators also think these things are too troublesome and that there is no need to reinstall the whole system over such a small matter.
Abroad there are many ISPs, and every forest has its odd birds, so a case like this among so many ISPs is fairly normal. In our country, where internet access is monopolized, once an ISP's servers have problems like these, the negative impact will be large. In fact, perhaps it has already happened and we simply do not know.