
Distributed Denial of Service Attack Tool mstream (4)

2006-07-04 20:30:34 Source: WEB开发网

No library files, kernel modules or PAM modules appear to have been replaced.

/etc/passwd and /etc/shadow were modified recently:
-rw-r--r-- 1 root wheel 849 Feb 17 00:57 /mnt/etc/passwd
-rw------- 1 root wheel 884 Feb 17 00:57 /mnt/etc/passwd-
-r-------- 1 root wheel 794 Feb 17 00:57 /mnt/etc/shadow
-r-------- 1 root wheel 658 Nov 15 10:07 /mnt/etc/shadow-

The backup copy of /etc/shadow was created on November 5, which gives us a clue as to when the accounts were added:
www:MyjKA0KGHplq6:11004:0:99999:7:::
login1:MyjKA0KGHplq6:11004:0:99999:7:::
web:af47L/OTL7K6.:11004:0:99999:7:::
x::11004:0:99999:7:::

I did not try to crack these passwords; I only tried to log in as "x", which failed.

/etc/services and /etc/inetd.conf were changed:
/etc/services:
a 1111/tcp
/etc/inetd.conf:
a stream tcp nowait root /usr/sbin/tcpd in.telnetd

Likewise, I did not attempt to log in to it.
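As an added check that is not part of the original analysis, the script below works through the shadow, services and inetd.conf entries quoted above: it converts the shadow last-change field (days since 1970-01-01) into a calendar date so it can be compared with the Feb 17 timestamps on the files, flags empty and shared password hashes, and flags an inetd entry whose server program is bound under a service name mapped to a non-standard port. The table of expected ports is an assumption of mine, not something taken from the page.

```python
from datetime import date, timedelta

# Entries copied from the page's /etc/shadow, /etc/services and /etc/inetd.conf
SHADOW = """www:MyjKA0KGHplq6:11004:0:99999:7:::
login1:MyjKA0KGHplq6:11004:0:99999:7:::
web:af47L/OTL7K6.:11004:0:99999:7:::
x::11004:0:99999:7:::"""
SERVICES = "a 1111/tcp"
INETD = "a stream tcp nowait root /usr/sbin/tcpd in.telnetd"

# Assumed well-known ports for the inetd servers we check (not from the page)
EXPECTED_PORT = {"in.telnetd": 23, "in.ftpd": 21, "in.rlogind": 513, "in.rshd": 514}

def lastchg_to_date(days):
    """shadow(5) field 3 is the last password change in days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=int(days))

def audit_shadow(text):
    """Return (user, finding, last-change date) for suspicious shadow entries."""
    findings, seen = [], {}
    for line in text.splitlines():
        user, pw, lastchg = line.split(":")[:3]
        changed = lastchg_to_date(lastchg)
        if pw == "":
            findings.append((user, "empty password field", changed))
        elif pw in seen:
            findings.append((user, "hash shared with " + seen[pw], changed))
        else:
            seen[pw] = user
    return findings

def audit_inetd(services, inetd):
    """Return (service, port, server, user) where a known server sits on an unexpected port."""
    ports = {}
    for line in services.splitlines():
        name, portproto = line.split()
        port, proto = portproto.split("/")
        ports[(name, proto)] = int(port)
    findings = []
    for line in inetd.splitlines():
        f = line.split()
        name, proto, user, server = f[0], f[2], f[4], f[-1]
        port = ports.get((name, proto))
        if server in EXPECTED_PORT and port != EXPECTED_PORT[server]:
            findings.append((name, port, server, user))
    return findings

if __name__ == "__main__":
    for item in audit_shadow(SHADOW) + audit_inetd(SERVICES, INETD):
        print(item)
```

Running it shows that all four accounts had their password set on 2000-02-17, matching the Feb 17 00:57 modification time of /etc/passwd and /etc/shadow, and that service "a" on 1111/tcp is simply in.telnetd run as root.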

Translator's note: if so, one could scan 1111/TCP broadly and correlate it with the RID mentioned earlier

The following three files are the only log files found so far that contain relevant information:
/.bash_history:
nslookup
cd /bin
w
ps x
ftp 192.168.0.1 21
w
/var/log/secure:
Mar 29 18:39:18 herc in.ftpd[824]: connect from 10.156.97.157
Mar 29 19:29:15 herc in.ftpd[876]: connect from 10.156.97.111
Mar 29 19:49:58 herc in.ftpd[882]: connect from 10.156.97.111
Mar 29 19:50:21 herc in.ftpd[887]: connect from 10.156.97.111
Mar 31 14:58:14 herc in.telnetd[4224]: connect from 10.54.115.105
Apr 3 23:54:02 herc in.telnetd[10403]: connect from 10.72.135.165
Apr 4 05:44:34 herc in.telnetd[11235]: connect from 10.103.26.127
Apr 4 08:28:28 herc in.ftpd[11397]: connect from 10.31.68.158
Apr 4 11:36:16 herc in.ftpd[11565]: connect from 10.31.68.158
Apr 7 05:33:32 herc in.telnetd[16737]: connect from 10.22.82.6
Apr 7 07:32:19 herc in.telnetd[16849]: connect from 10.22.82.6
Apr 7 07:33:01 herc in.telnetd[16851]: connect from 10.22.82.6
Apr 7 07:33:20 herc in.ftpd[16852]: connect from 10.22.82.6
Apr 7 07:34:11 herc in.ftpd[16855]: connect from 10.22.82.6
Apr 7 07:35:22 herc in.ftpd[16859]: connect from 10.22.82.6
Apr 7 07:37:02 herc in.rlogind[16860]: connect from 10.22.82.2
Apr 7 07:37:12 herc in.fingerd[16863]: connect from 10.22.82.2
Apr 7 07:37:18 herc in.rexecd[16866]: connect from 10.22.82.2
Apr 7 07:37:22 herc in.rshd[16867]: connect from 10.22.82.2
Apr 7 07:37:24 herc in.telnetd[16868]: connect from 10.22.82.2
Apr 7 07:37:30 herc in.ftpd[16870]: connect from 10.22.82.2
Apr 8 13:53:02 herc in.ftpd[19028]: connect from 10.247.49.53
Apr 10 23:00:05 herc in.ftpd[23304]: connect from 10.8.148.36
Apr 10 23:07:51 herc in.ftpd[23347]: connect from 10.8.148.36
Apr 13 06:50:02 herc in.telnetd[27895]: connect from 10.215.99.125
Apr 13 10:52:27 herc in.ftpd[28170]: connect from 10.114.238.145
Apr 13 10:55:50 herc in.ftpd[28171]: connect from 10.114.238.145
Apr 13 11:02:39 herc in.ftpd[28217]: connect from 10.114.238.145
Apr 16 16:29:47 herc in.ftpd[1734]: connect from 10.161.208.34
Apr 16 16:30:10 herc in.ftpd[1737]: connect from 10.161.208.34
Apr 23 18:59:36 herc in.telnetd[14746]: connect from 10.27.211.234
Apr 24 17:02:03 herc in.telnetd[16505]: connect from 10.79.16.203
/var/log/wtmp (reverse chronological order):
root pts/2 :0 Mon Apr 24 18:05 still logged in
root pts/0 :0 Mon Apr 24 17:24 still logged in
ftp ftp XXXXXX-XXXXXXXX. Thu Apr 13 10:02 - 10:02 (00:00)
ftp ftp XXXXXX-XXXXXXXX. Thu Apr 13 09:55 - 09:56 (00:00)
ftp ftp XXXXXXX-X.XXXXXX Mon Apr 10 22:07 - 22:09 (00:01)
ftp ftp XXX.XXX.82.6 Fri Apr 7 06:34 - 06:35 (00:00)
ftp ftp XXX.XXX.82.6 Fri Apr 7 06:33 - 06:34 (00:00)
ftp ftp XXXXX.XX-XXXXXXX Tue Apr 4 10:36 - 10:36 (00:00)
ftp ftp XXXXXXXX-XXXX.XX Wed Mar 29 19:50 - 19:50 (00:00)
ftp ftp XXXXXXXX-XXXX.XX Wed Mar 29 19:29 - 19:29 (00:00)
reboot system boot Wed Mar 29 16:17 (26+20:09)
