NSFocus Security Monthly, Issue 7, Technical Feature
The Evolution of Denial-of-Service Attacks

Compiled by: roseinmay
Date: 2000-05-23

Affected systems
    All systems connected to the Internet may be subject to this type of attack.

1. Introduction
    Recently a number of large websites have been hit by denial-of-service attacks. Many of the attack tools in use require the attacker to first obtain a certain level of privilege on a system, that is, to exploit a known vulnerability to gain control of it and then launch further attacks from there. Below we describe how to protect your systems.

2. Details
    The analysis of TFN and similar tools, and the countermeasures against them, are covered in the second part of this article below.
3. Solutions

    (1) First, ISPs and small network providers must work together to build security. In the Internet world, once even a single machine is compromised the damage spreads. Attackers often use machines that are not centrally managed, easily overlooked by administrators yet still indirectly maintained by them, as stepping stones from which to launch attacks.
    (2) Second, make sure your systems have the latest patches installed: most attackers exploit known vulnerabilities to gain control and then launch distributed denial-of-service attacks.
    (3) When launching a denial-of-service attack, attackers commonly use source address spoofing to hide their real address. We hope ISPs will improve the filtering on their routers to reduce spoofing.
    (4) No ISP exists in isolation from the Internet, so ISPs are strongly advised to assess the load their networks and systems can take and to prepare contingency plans.
    (5) Responding quickly to DoS requires the joint effort of many parties; before becoming the next victim, ISPs must improve their coordination and their response capability.
    Related documentation can be downloaded from: http://www.cert.org/reports/dsit_workshop.pdf

4. Attack detection
    There are many detection and analysis tools you can install on your network. The US National Infrastructure Protection Center (NIPC) recently released a tool that detects trin00 and TFN on a range of systems; interested readers can download it from the FBI at http://www.fbi.gov/nipc/trinoo.htm
    Dave Dittrich has also released a Perl script called gag that can be used to analyse the local network.
    Internet Security Systems (ISS) has also released updated versions of its tools for detecting trin00 and TFN; interested readers can find them at:
http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt

5. Prevention
    ISPs are advised to follow the published security practices; related material is available at:
http://www.sans.org or http://www.cert.org/security-improvement

----------------------------------------------------------------------
    The attack tool described in this article is neither TRIN00 nor TFN but a similar denial-of-service toolkit. It was the main tool used in the attacks around December 22, 1999; the systems attacked were Solaris, Compaq (formerly DEC) and SGI IRIX. This article analyses the records left on the systems after the attack.
    The attackers' methods have shifted from single-host to distributed attacks, with ICMP as the main communication channel. What is described here can only be called a simple rootkit-style DoS toolkit: it produces results similar to TFN, but is not as powerful.

1. The attack
    The intruders gained root on machines through the well-known buffer overflows in rpc.ttdbserverd, rpc.cmsd, sadmind and rpc.statd; sometimes they also exploited an overflowable variable in the /tmp/bob attack to gain privileges. Once they had root they uploaded the attack tools into one of several directories; in our experience the directories they favour are "...", ".. ", ".lib", /usr/lib/libsof4/..., /dev/cdrom and /dev/rmt/diskette. They also planted backdoors for later access. The files they uploaded were Solaris binaries, which means that at least once they tried to run Solaris executables on a Compaq.
    Once executed, the files replace /etc/inetd.conf so that every TCP and UDP service answers without any filtering, which defeats your TCP wrappers.

2. Solution
    Install the latest patches on the system, then shut down all non-essential services and install tools such as portsentry, logcheck and TCP Wrappers. To record unauthorised changes, use Tripwire.

3. Removing the backdoors

    (1) Tripwire is the most effective tool for finding backdoors; its setup is fairly involved, but experience tells us it is worth it. Directories commonly created by intruders are "...", ".. " (dot-dot-space), ".lib", /dev/cdrom and /dev/rmt/diskette. An ordinary find command also works, for example: find / -name "..." -print
    (2) Compare the sizes of files such as /usr/sbin/in.telnetd and /usr/sbin/in.fingerd with those listed below; if they match, your machine certainly has a backdoor. To remove the denial-of-service tools, download find_ddos from http://www.nipc.gov/ or http://www.fbi.gov/nipc/trioo.htm.

4. The attack tool

    The tool is called solkit.tar and contains the following files:

-rw-r--r--   1 root     root        2875 May 16  1999 bfile
-rw-r--r--   1 root     root        3036 Jul  2  1999 bfile2
-rw-r--r--   1 root     root       20118 Jul  2  1999 bfile3
-rwxr-xr-x   1 root     root         114 Jul  2  1999 clean.sh
-rw-r--r--   1 root     root        3590 May 13  1999 finger.conf
-rwxr-xr-x   1 root     root       21192 May 11  1999 hme
-rwxr-xr-x   1 root     root        9684 Aug 16 16:15 in.fingerd
-rwxr-xr-x   1 root     root       35412 Aug 16 16:15 in.telnetd
-rwxr-xr-x   1 root     root        1062 Jul  2  1999 install
-rwxr-xr-x   1 root     root       21184 May 11  1999 le
-rwxr-xr-x   1 root     root          86 Jun 30  1999 script
-rwxr-xr-x   1 root     root        1172 Jul 30 18:16 secure.sh
-rwxr-xr-x   1 root     daemon    153600 Dec 28 16:34 solkit.tar
-rwxr-xr-x   1 root     root       11520 May 13  1999 sunsmurf
-rwxr-xr-x   1 root     root       10488 May 13  1999 syn
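The checks described in section 3 above (hidden directories, comparing in.telnetd and in.fingerd against the sizes in this listing, and the finger entry that must run as root for the trojan to work) as one added shell script. This is the editor's example, not a tool from the article; the function names are its own, and it scans the tree given as its argument.

```shell
#!/bin/sh
# Added example (not part of the original article): a defender-side scan for
# the solkit indicators the article lists. Sizes come from the listing above;
# the function names and report format are this example's own.
TROJAN_TELNETD=35412   # size of in.telnetd in solkit.tar
TROJAN_FINGERD=9684    # size of in.fingerd in solkit.tar

# Directories the intruders are known to create; ".. " keeps its trailing space.
find_hidden_dirs() {
    find "$1" -type d \( -name '...' -o -name '.. ' -o -name '.lib' \) -print 2>/dev/null
}

# True if file $1 exists and is exactly $2 bytes long.
size_is() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ]
}

# Scan the tree rooted at $1 (use / on a live host) and print one line per
# finding. Exit status is 0 when nothing was found, 1 otherwise.
solkit_check() {
    root=${1%/}
    n=0
    hidden=$(find_hidden_dirs "${root:-/}")
    if [ -n "$hidden" ]; then
        printf '%s\n' "$hidden" | sed 's/^/HIDDEN_DIR: /'
        n=$((n + $(printf '%s\n' "$hidden" | wc -l)))
    fi
    # Binaries whose size equals the trojan copies in solkit.tar.
    for bin in in.telnetd:$TROJAN_TELNETD in.fingerd:$TROJAN_FINGERD; do
        name=${bin%%:*}; size=${bin##*:}
        if size_is "$root/usr/sbin/$name" "$size"; then
            echo "TROJAN_SIZE: $root/usr/sbin/$name is $size bytes"
            n=$((n + 1))
        fi
    done
    # The trapdoor fingerd only works when inetd runs finger as root
    # (the stock entry uses nobody), so a root finger line is a finding.
    for conf in "$root/etc/inet/inetd.conf" "$root/etc/inetd.conf"; do
        if [ -f "$conf" ] && grep -Eq '^finger[[:space:]]+stream[[:space:]]+tcp[[:space:]]+nowait[[:space:]]+root[[:space:]]' "$conf"; then
            echo "FINGER_AS_ROOT: $conf"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}
```

A size match alone is only a strong hint; confirm with Tripwire or by comparing the binary against a known-good copy from your distribution media.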

5. Detailed analysis
(1) bfile
This file defines network addresses of the form xxx.xxx.xxx.0 or xxx.xxx.xxx.255, that is, networks that can be made to send a huge volume of packets at the victim. The tool contains 1848 such network addresses in total, stored in the file as a list of broadcast addresses (the output of more bfile).

(2) clean.sh
# removes our files
rm -rf solkit.tar
rm -rf secure.sh
rm -rf install
rm -rf clean.sh
echo "=> clean0red!! heh. "

As the script shows, once the attack tool has been installed it cleans up after itself (the tarball, the install scripts and the cleaner itself) so as to leave no trace.

(3) finger.conf
This file is the content of /etc/inet/inetd.conf. It enables telnetd, ftp, the standard r-commands, uucp, finger and the standard UDP services (chargen etc.); with it the attacker disables any TCP wrappers that might be running on the machine. As discussed further below, both in.telnetd and in.fingerd are backdoored.
#
#ident  "@(#)inetd.conf 1.22    95/07/14 SMI"   /* SVr4.0 1.5   */
#
#
# Configuration file for inetd(1M).  See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
#
# Syntax for TLI-based Internet services:
#
#       tli
#
# Ftp and telnet are standard Internet services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name    dgram   udp     wait    root    /usr/sbin/in.tnamed     in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
comsat  dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat
talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp    stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd
#
# Tftp service is provided primarily for booting.  Most sites run this
# only on machines acting as "boot servers."
#
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
finger  stream  tcp     nowait  root    /usr/sbin/in.fingerd    in.fingerd
                                ^^^^ |--This is what makes the finger trojan work
#systat stream  tcp     nowait  root    /usr/bin/ps             ps -ef
#netstat stream tcp     nowait  root    /usr/bin/netstat        netstat -f inet
#
# Time service is used for clock synchronization.
#
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
discard dgram   udp     wait    root    internal
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
#
#
# RPC services syntax:
#
#
# can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for is:
#       *| |{[,]}
# For example:
#
# Solstice system and network administration class agent server
#
# Rquotad supports UFS disk quotas for NFS clients
#
#
# The rusers service gives out user information.  Sites concerned
# with security may choose to disable it.
#
#
# The spray server is used primarily for testing.
#
#
# The rwall server allows others to post messages to users on this machine.
#
#
# Rstatd is used by programs such as perfmeter.
#
#
# The rexd server provides only minimal authentication and is often not run
#
#
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
#
# UFS-aware service daemon
#
#
# Sun KCMS Profile Server
#
#
# Sun Font Server
#
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto        fs


(4) hme, le
    These programs are just esniff.c modified to run on Sun hme and le interfaces; we have also seen the same file under the name "update".
Running "strings hme" gives the following output:
rlogin
telnet
smtp
-- TCP/IP LOG -- TM: %s --
PATH: %s(%s) =>
%s(%s)
STAT: %s, %d pkts, %d bytes [%s]
DATA:
:
(%d)
PKT: (%s %04X)
%s[%s] =>
%s[%s]
DATA LIMIT
TH_FIN
TH_RST
IDLE TIMEOUT
SIGNAL
Log ended at => %s
sigalrm: TIMEOUT
%s: alarm
%s: getmsg
%s: MORECTL|MOREDATA
%s: MORECTL
%s: MOREDATA
getmsg: control portion length < sizeof (long): %d
unexpected dlprim error
dlattachreq: putmsg
dlokack
dlokack: response ctl.len too short: %d
dlokack: DL_OK_ACK was not M_PCPROTO
dlokack: short response ctl.len: %d
dlbindreq: putmsg
dlbindack
dlbindack: DL_OK_ACK was not M_PCPROTO
dlbindack: short response ctl.len: %d
dlpromiscon: putmsg
/dev/hme
DLIOCRAW
bufmod
push bufmod
SBIOCSTIME
SBIOCSCHUNK
I_FLUSH
finished getmsg() = %i
c6Lqd3Dvn2l3s    <----This appears to be an encrypted password string (osmium1)
(%s)UP
Output file cant be opened
filtering out smtp connections.
filtering out telnet connections.
filtering out rsh/rlogin connections.
filtering out ftp connections.
Usage: %s [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
-d int          set new data limit (128 default)
-s              filter out smtp connections
-f              filter out ftp connections
-l              filter out rlogin/rsh connections
-t              filter out telnet connections
-o output to
Using logical device %s [%s]
Output to %s.%s%s
stdout
    (debug)
    Backgrounding
[Cannot bg with debug on]
Log started at => %s [pid %d]


(5) in.fingerd
We have the source code from which this file was built and have analysed it; interested readers can download it. The program author's own description follows:

/* bleah, this is a trapdoor replacement for a standard /usr/etc/in.fingerd
 * or /sbin/fingerd or whatever.. it should work on most systems i guess with
 * a few minor adjustments of the paths... *BUT* in order for it to work
 * it must run as root, so you have to change the following like in
 * /etc/inetd.conf
 * finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
 * to look like this:
 * finger stream tcp nowait root /usr/etc/in.fingerd in.fingerd
 *                          ^^^^ - THIS IS WHAT YOU CHANGE
 * NOTE: if the system is running xinetd, you have to change the entry
 *    in /etc/xinetd.conf - i'll leave that up to you, it's a different
 *    format, but doesn't take a rocket scientist to figure out
 *    to find if the site is running xinetd or inetd, simply:
 *    grep inetd /etc/rc
 *
 * CREDITS:
 *  - I used the source for 'Zap2' or something silly for the cloak stuff
 *  - As you can see i used the BSD fingerd source
 *  - I got the idea for this from something Panzer Boy said once to me.
 *  - I wrote the rest of the code.
 *  - Tested for me by max-q - i didn't want to break any of my systems =]
 *  - I heard that someone else did something like this before, but i never
 *      saw it so i figured i'd distribute this..
 *
 * HOW IT WORKS:
 *  How this program works is that you can send a remote site commands
 *  by fingering certain users.. i've made up a set of userid's that each
 *  perform a separate command... these are trivial to change, just look
 *  for the definition, and change it.. woo woo.. the default userid's
 *  are:
 *  cmd_adduser - add special user to the passwd file (if it doesn't exist)
 *  cmd_stealth - 'cloak' the special user (remove from utmp, and wtmp)
 *  cmd_deluser - delete the special user from the passwd file
 *  cmd_rootsh  - create the root shell
 *  cmd_cleanup - delete the special user and erase the root shell.
 *
 * NOTES:
 *  Don't be stupid, most sites run tcp wrappers now adays, check for
 *  your logs in /usr/adm/messages /usr/adm/syslog or any log file
 *  in /etc/syslog.conf that looks like it might contain wrapper logs
 *
 * TO COMPILE:
 *  cc -s -o fingerd fingerd.c
 *  NOTE: This program was written for sunos 4.1.3_U1, so for any other
 *    platform paths and maybe some code may need to be changed..
 *    if you can figure out how, you shouldn't be playing with this
 *    program.
 *  FOR LINUX:
 *    cc -s -DLINUX -o fingerd fingerd.c
 *
 * MORE NOTES:
 *  I got the idea for this program from something panzer boy told me he
 *  did once, i dunno if this was what he said, i forgot already, but
 *  it was something like this and i thought it would be fun to write, so
 *  here it is..
 *
 *  The login user created when you finger cmd_adduser is 'haqrbob'
 *  with the password 'IBl0G0atz' - if you don't like this, change
 *  the #defines.. - note that this account does not have root priv's
 *  this is in case the site has root logins disabled on certain tty's
 *  (no secure field in /etc/ttytab) - just log into the account, and
 *  then create a root shell...
 *
 * That's about it..
 *  - pluvius@dhp.com - note, io.org starting charging money for accounts
 *    instead of being free.. so you can't email me there.
 *    pluvius@dhp.com will do for now until i get an
 *    account somewhere that i don't care if it gets
 *    hacked, and that has a reliable connection (>=t1)
 *    send me your feedback, patches for other O/S's or whatever the hell
 *    you want.
 */
Once compiled, the binary contains the following strings:
getpeername
cterm100
finger
pipe
/usr/bin/finger
No local finger program found
fork
fdopen
/bin/sh
update
%s:

(6) in.telnetd