分布式拒绝服务攻击工具mstream(4)
2006-07-04 20:30:34 来源:WEB开发网似乎没有库文件、内核模块或PAM模块被替换。
/etc/passwd和/etc/shadow最近被修改过-rw-r--r-- 1 root wheel 849 Feb 17 00:57 /mnt/etc/passwd
-rw------- 1 root wheel 884 Feb 17 00:57 /mnt/etc/passwd-
-r-------- 1 root wheel 794 Feb 17 00:57 /mnt/etc/shadow
-r-------- 1 root wheel 658 Nov 15 10:07 /mnt/etc/shadow-
/etc/shadow的备份文件于11月5日创建,这给了我们一个何时增加帐号的线索www:MyjKA0KGHplq6:11004:0:99999:7:::
login1:MyjKA0KGHplq6:11004:0:99999:7:::
web:af47L/OTL7K6.:11004:0:99999:7:::
x::11004:0:99999:7:::
我没有试图破解这些口令,仅仅试着以"x"登录,失败了。
/etc/services和/etc/inetd.conf被改变/etc/services:
a 1111/tcp
/etc/inetd.conf
a stream tcp nowait root /usr/sbin/tcpd in.telnetd
同样,我并示试图登录它
译注: 如果这样,我们可以大范围扫描1111/TCP,结合前面那个RID下面三个文件是现在所能找到的惟一含有相关信息的日志文件/.bash_history:
nslookup
cd /bin
w
ps x
ftp 192.168.0.1 21
w
/var/log/secure:
Mar 29 18:39:18 herc in.ftpd[824]: connect from 10.156.97.157
Mar 29 19:29:15 herc in.ftpd[876]: connect from 10.156.97.111
Mar 29 19:49:58 herc in.ftpd[882]: connect from 10.156.97.111
Mar 29 19:50:21 herc in.ftpd[887]: connect from 10.156.97.111
Mar 31 14:58:14 herc in.telnetd[4224]: connect from 10.54.115.105
Apr 3 23:54:02 herc in.telnetd[10403]: connect from 10.72.135.165
Apr 4 05:44:34 herc in.telnetd[11235]: connect from 10.103.26.127
Apr 4 08:28:28 herc in.ftpd[11397]: connect from 10.31.68.158
Apr 4 11:36:16 herc in.ftpd[11565]: connect from 10.31.68.158
Apr 7 05:33:32 herc in.telnetd[16737]: connect from 10.22.82.6
Apr 7 07:32:19 herc in.telnetd[16849]: connect from 10.22.82.6
Apr 7 07:33:01 herc in.telnetd[16851]: connect from 10.22.82.6
Apr 7 07:33:20 herc in.ftpd[16852]: connect from 10.22.82.6
Apr 7 07:34:11 herc in.ftpd[16855]: connect from 10.22.82.6
Apr 7 07:35:22 herc in.ftpd[16859]: connect from 10.22.82.6
Apr 7 07:37:02 herc in.rlogind[16860]: connect from 10.22.82.2
Apr 7 07:37:12 herc in.fingerd[16863]: connect from 10.22.82.2
Apr 7 07:37:18 herc in.rexecd[16866]: connect from 10.22.82.2
Apr 7 07:37:22 herc in.rshd[16867]: connect from 10.22.82.2
Apr 7 07:37:24 herc in.telnetd[16868]: connect from 10.22.82.2
Apr 7 07:37:30 herc in.ftpd[16870]: connect from 10.22.82.2
Apr 8 13:53:02 herc in.ftpd[19028]: connect from 10.247.49.53
Apr 10 23:00:05 herc in.ftpd[23304]: connect from 10.8.148.36
Apr 10 23:07:51 herc in.ftpd[23347]: connect from 10.8.148.36
Apr 13 06:50:02 herc in.telnetd[27895]: connect from 10.215.99.125
Apr 13 10:52:27 herc in.ftpd[28170]: connect from 10.114.238.145
Apr 13 10:55:50 herc in.ftpd[28171]: connect from 10.114.238.145
Apr 13 11:02:39 herc in.ftpd[28217]: connect from 10.114.238.145
Apr 16 16:29:47 herc in.ftpd[1734]: connect from 10.161.208.34
Apr 16 16:30:10 herc in.ftpd[1737]: connect from 10.161.208.34
Apr 23 18:59:36 herc in.telnetd[14746]: connect from 10.27.211.234
Apr 24 17:02:03 herc in.telnetd[16505]: connect from 10.79.16.203
/var/log/wtmp (reverse chronological order):
root pts/2 :0 Mon Apr 24 18:05 still logged in
root pts/0 :0 Mon Apr 24 17:24 still logged in
ftp ftp XXXXXX-XXXXXXXX. Thu Apr 13 10:02 - 10:02 (00:00)
ftp ftp XXXXXX-XXXXXXXX. Thu Apr 13 09:55 - 09:56 (00:00)
ftp ftp XXXXXXX-X.XXXXXX Mon Apr 10 22:07 - 22:09 (00:01)
ftp ftp XXX.XXX.82.6 Fri Apr 7 06:34 - 06:35 (00:00)
ftp ftp XXX.XXX.82.6 Fri Apr 7 06:33 - 06:34 (00:00)
ftp ftp XXXXX.XX-XXXXXXX Tue Apr 4 10:36 - 10:36 (00:00)
ftp ftp XXXXXXXX-XXXX.XX Wed Mar 29 19:50 - 19:50 (00:00)
ftp ftp XXXXXXXX-XXXX.XX Wed Mar 29 19:29 - 19:29 (00:00)
reboot system boot Wed Mar 29 16:17 (26+20:09)
- ››分布式计算多机部署与配置
- ››分布式单词发音抓取机器人
- ››服务层
- ››分布式网络爬虫关键技术分析与实现一网络爬虫相关...
- ››拒绝凑合看 时下流行观影方式面面观
- ››服务器群集:Windows 2000 和 Windows Server 200...
- ››服务器维护经验谈 图解DHCP故障排除
- ››分布式 DBA: 创建和使用分区表
- ››分布式 Key-Value 存储系统:Cassandra 入门
- ››分布式 DBA: Cursor Stability Isolation Level 的...
- ››拒绝91告别白苹果 iPhone软件安装教程
- ››服务器虚拟化后需要完成的八大关键任务
更多精彩
赞助商链接