首页 / 操作系统 / Linux / Linux Fokirtor Backdoor [新的Linux后门]
日前,赛门铁克发布博客称,在五月的一次安全事件中,发现一名黑客入侵了一个大型物联网托管服务商,并且在内部管理系统上使用了一个有意思的Linux后门 – Fokirtor。经过赛门铁克研究发现,该后门能够伪装它的通信流量,并伪装成正常的SSH通信流量。该后门支持攻击者运行常用的功能,如执行远程命令、反向链接到C&C服务器,Fokirtor能够监控SSH网络流量,如果检测到流量中存在冒号、感叹号、分号、句号(“:!;.”),一旦检测到流量存在这些字符,Fokirtor代码能够解析除这些字符之外的流量,然后提取经过Blowfish和Base64加密的命令。当服务器感染该后门后,它从机器上收集以下信息:1、主机名和IP地址2、端口3、密码4、SSH密钥5、用户名收集之后对信息进行加密,并发送到攻击者的C&C服务器。赛门铁克分析师表示,要识别网络中是否存在该后门,可以看流量中是否包含了感叹号字符,正常的SSH流量中是不会包含感叹号的。Linux Fokirtor Backdoor检测脚本#!/bin/sh # # A simple check to see if running ssh processes contain any string that have # been designated an indication of Fokirtor by Symantec. # # More info here: # http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol # # (c) 2013, Kumina bv, info@kumina.nl # # You are free to use, modify and distribute this check in any way you see # fit. Just don"t say you wrote it. # # This check is created for Debian Squeeze/Wheezy, no idea if it"ll work in # other distros. You"ll need gdb-minimal (for gcore) installed. # We need to be root if [ `/usr/bin/id -u` -ne 0 ]; then echo "You need root for this script. Sorry." exit 1 fi # For all pids of the ssh process, do the check for pid in `/bin/pidof sshd`; do t=$(/bin/mktemp) /usr/bin/gdb </dev/null --nx --batch -ex "set pagination off" -ex "set height 0 " -ex "set width 0" -ex "attach $pid" -ex "gcore $t" -ex detach -ex quit i=0 for str in hbt= key= dhost= sp= sk= dip=; do /usr/bin/strings $t | /bin/grep "${str}[[:digit:]]" if [ $? -eq 0 ]; then i=$(($i + 1)) fi done /bin/rm $t if [ $i -eq 6 ]; then echo "CRITICAL: Fokirtor strings found in sshd process ${pid}!" exit 2 fi done echo "OK: No indication of Fokirtor found." exit 010 个 Nginx 的安全提示MijoSearch Joomla Extension外部错误消息信息泄露漏洞相关资讯 Linux后门 Linux Fokirtor Backdoor
易网时代-编程资源站