Linux Fokirtor Backdoor [新的Linux后门]

日前,赛门铁克发布博客称,在五月的一次安全事件中,发现一名黑客入侵了一个大型物联网托管服务商,并且在内部管理系统上使用了一个有意思的Linux后门 – Fokirtor。

经过赛门铁克研究发现,该后门能够伪装它的通信流量,并伪装成正常的SSH通信流量。该后门支持攻击者运行常用的功能,如执行远程命令、反向链接到C&C服务器,Fokirtor能够监控SSH网络流量,如果检测到流量中存在冒号、感叹号、分号、句号(“:!;.”),一旦检测到流量存在这些字符,Fokirtor代码能够解析除这些字符之外的流量,然后提取经过Blowfish和Base64加密的命令。

当服务器感染该后门后,它从机器上收集以下信息:

1、主机名和IP地址

2、端口

3、密码

4、SSH密钥

5、用户名收集之后对信息进行加密,并发送到攻击者的C&C服务器。

赛门铁克分析师表示,要识别网络中是否存在该后门,可以看流量中是否包含了感叹号字符,正常的SSH流量中是不会包含感叹号的。

Linux Fokirtor Backdoor检测脚本

#!/bin/sh
#
# A simple check to see if running ssh processes contain any string that have
# been designated an indication of Fokirtor by Symantec.
#
# More info here:
# http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol
#
# (c) 2013, Kumina bv, [email protected]
#
# You are free to use, modify and distribute this check in any way you see
# fit. Just don't say you wrote it.
#
# This check is created for Debian Squeeze/Wheezy, no idea if it'll work in
# other distros. You'll need gdb-minimal (for gcore) installed.
# We need to be root
if [ `/usr/bin/id -u` -ne 0 ]; then
        echo "You need root for this script. Sorry."
        exit 1
fi
# For all pids of the ssh process, do the check
for pid in `/bin/pidof sshd`; do
        t=$(/bin/mktemp)
        /usr/bin/gdb </dev/null --nx --batch \
          -ex "set pagination off" -ex "set height 0 " -ex "set width 0" \
          -ex "attach $pid" -ex "gcore $t" -ex detach -ex quit
        i=0
        for str in hbt= key= dhost= sp= sk= dip=; do
                /usr/bin/strings $t | /bin/grep "${str}[[:digit:]]"
                if [ $? -eq 0 ]; then
                        i=$(($i + 1))
                fi
        done
        /bin/rm $t
        if [ $i -eq 6 ]; then
                echo "CRITICAL: Fokirtor strings found in sshd process ${pid}!"
                exit 2
        fi
done
echo "OK: No indication of Fokirtor found."
exit 0

相关推荐