Is the FBI monitoring my Raspberry Pi?

Today I noticed a process called httpd running on my Raspberry Pi. But I'm not running an Apache server.

#ps -A -o ppid,pid,cmd|grep httpd

ppid pid  cmd

1  6367 /usr/bin/httpd

#ls -al /proc/6367/exe

/proc/6367/exe -> /lib/httpds

#lsof -i

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

httpds    6367 root    4u  IPv4  11961      0t0  TCP 192.168.14.170:40144->91-143-207-130.ip.welcomeitalia.it:http-alt (ESTABLISHED)

Attach strace to it and follow what it does.

#strace -f -T -tt -p 6367

05:40:46.030773 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1108, 664346}) <91.335802>
05:42:17.367639 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000093>
05:42:17.368122 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000371>
05:42:17.368855 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1107, 533448}) <92.466658>
05:43:49.836023 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000095>
05:43:49.836684 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000382>
05:43:49.837507 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1105, 792285}) <94.207818>
05:45:24.045833 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000095>
05:45:24.046318 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000416>
05:45:24.047158 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1107, 330325}) <92.669780>
05:46:56.717450 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000091>
05:46:56.717930 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000391>
05:46:56.718686 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1110, 296799}) <89.703303>
05:48:26.422488 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000094>
05:48:26.422969 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000392>
05:48:26.423716 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1101, 586166}) <98.413934>
Every so often it receives PING :secured.fbi.gov from the server, and the local program answers with PONG :secured.fbi.gov.

Kill the process.

#kill -9 6367

Now trace it from program start.

#strace -T -tt -f /lib/httpds

03:06:14.933140 connect(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("91.143.207.130")}, 16) = 0 <0.000072>
03:06:14.933564 setsockopt(4, SOL_SOCKET, SO_LINGER, NULL, 0)                                       = -1 EINVAL (Invalid argument) <0.000820>
03:06:14.936195 setsockopt(4, SOL_SOCKET, SO_REUSEADDR, NULL, 0)                                    = -1 EINVAL (Invalid argument) <0.000089>
03:06:14.937951 setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, NULL, 0)                                    = -1 EINVAL (Invalid argument) <0.000085>
03:06:14.939437 write(4, "NICK AOWME\nUSER VAWN localhost l"..., 47)                                = 47 <0.003726>
03:06:14.944443 select(5, [4], NULL, NULL, {1200, 0})                                               = 1 (in [4], left {1199, 999983}) <0.000199>
03:06:14.946123 recv(4, ":secured.fbi.gov NOTICE AUTH :**"..., 4096, 0)                             = 160 <0.000127>
03:06:14.947541 select(5, [4], NULL, NULL, {1200, 0})                                               = 1 (in [4], left {1199, 611768}) <0.388338>
03:06:15.338985 recv(4, ":secured.fbi.gov 001 AOWME \r\n:se"..., 4096, 0)                           = 279 <0.000107>
03:06:15.341987 write(4, "MODE AOWME -xi\n", 15)                                                    = 15 <0.000523>
03:06:15.349858 write(4, "JOIN ##..Hckl..## :bleh\n", 24)                                           = 24 <0.000242>
03:06:15.354050 write(4, "WHO AOWME\n", 10)                                                         = 10 <0.000108>
03:06:15.357381 select(5, [4], NULL, NULL, {1200, 0})                                               = 1 (in [4], left {1199, 349302}) <0.650980>
03:06:16.009901 recv(4, ":AOWME!VAWN@C786E483.D72C9BF8.26"..., 4096, 0)                             = 62 <0.000094>

Omitted here is the part where the program resolves ssh.madagent.cc via DNS. Captured with tcpdump it looks like this:

06:36:03.229179 IP (tos 0x0, ttl 64, id 60803, offset 0, flags [DF], proto UDP (17), length 61)
192.168.14.170.38082 > 202.106.0.20.53: [udp sum ok] 17227+ A? ssh.madagent.cc. (33)
06:36:03.929384 IP (tos 0x0, ttl 59, id 23763, offset 0, flags [none], proto UDP (17), length 288)
202.106.0.20.53 > 192.168.14.170.38082: [udp sum ok] 17227 q: A? ssh.madagent.cc. 1/4/5 ssh.madagent.cc. [2m] A 91.143.207.130 ns: madagent.cc. [2m] NS ns2.dnsexit.com., madagent.cc. [2m] NS ns1.dnsexit.com., madagent.cc. [2m] NS ns4.dnsexit.com., madagent.cc. [2m] NS ns3.dnsexit.com. ar: ns1.dnsexit.com. [15h20s] AAAA 2604:4300:a:25::2, ns2.dnsexit.com. [8h14m15s] AAAA 2604:4300:a:25::3, ns3.dnsexit.com. [11h16m29s] A 199.192.200.41, ns3.dnsexit.com. [11h16m29s] AAAA 2604:4300:a:25::4, ns4.dnsexit.com. [15h30m32s] AAAA 2604:4300:a:25::5 (260)

The program first resolves ssh.madagent.cc to an IP address, then connects to port 8080 on that IP. The local program then sends

03:06:14.939437 write(4, "NICK AOWME\nUSER VAWN localhost l"..., 47)                                = 47 <0.003726>

03:06:15.341987 write(4, "MODE AOWME -xi\n", 15)                                                    = 15 <0.000523>
03:06:15.349858 write(4, "JOIN ##..Hckl..## :bleh\n", 24)                                           = 24 <0.000242>
03:06:15.354050 write(4, "WHO AOWME\n", 10)                                                         = 10 <0.000108>

and finally receives

03:06:16.009901 recv(4, ":AOWME!VAWN@C786E483.D72C9BF8.26"..., 4096, 0)                             = 62 <0.000094>

This is presumably some kind of encrypted password string; I'm not sure exactly what it's for. After that the program just sits in this loop:

05:53:16.112616 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000094>
05:53:16.113108 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000348>
05:53:16.113888 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1104, 973719}) <95.026384>
05:54:51.140772 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000095>
05:54:51.141252 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000380>
05:54:51.141994 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1109, 786724}) <90.213379>
05:56:21.355878 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000094>
05:56:21.356363 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000421>
05:56:21.357150 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1105, 281515}) <94.718589>
05:57:56.076244 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000094>
05:57:56.076724 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000300>
05:57:56.077562 select(5, [4], NULL, NULL, {1200, 0}) = 1 (in [4], left {1108, 554931}) <91.445170>
05:59:27.523240 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000093>
05:59:27.523716 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000280>

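The NICK/USER/JOIN registration followed by the PING/PONG keepalive above is the IRC client protocol, which is what a daemon named httpd has no reason to speak. The following script is an added example, not code from the post: it parses strace -f -T -tt output such as the lines shown, recovers the socket payloads, splits them into IRC lines and reports the C2 endpoint, nick, channel, server name and beacon cadence, so the same trace can be triaged without reading it by hand. The sample input is copied from the post's trace (with the blog's curly quotes normalised to straight quotes); the benign HTTP contrast line and the verdict rule are my own construction.

```python
"""Added example: classify a strace capture as IRC bot traffic.

Parses `strace -f -T -tt` lines, recovers write()/recv() payloads on the
socket, splits them into IRC protocol lines and summarises what the
process is doing on the wire.
"""
import re
from collections import Counter

# <time> <syscall>(<args>) = <retval> <duration>
SYSCALL_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')
PAYLOAD_RE = re.compile(r'^(?P<fd>\d+),\s*"(?P<data>(?:[^"\\]|\\.)*)"')
OUT_CALLS = {"write", "send", "sendto"}
IN_CALLS = {"read", "recv", "recvfrom"}


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _unescape(s):
    # strace prints payloads with C escapes (\n, \r, \x..); decode them.
    return s.encode("latin-1").decode("unicode_escape")


def parse_trace(lines):
    """Return ('connect', t, ip, port) and ('in'|'out', t, fd, payload) events."""
    events = []
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue
        t, call, args = _seconds(m["ts"]), m["call"], m["args"]
        if call == "connect":
            c = CONNECT_RE.search(args)
            if c:
                events.append(("connect", t, c.group(2), int(c.group(1))))
        elif call in OUT_CALLS or call in IN_CALLS:
            p = PAYLOAD_RE.match(args)
            if p:  # truncated payloads ("..."), as strace prints them, still parse
                direction = "out" if call in OUT_CALLS else "in"
                events.append((direction, t, int(p["fd"]), _unescape(p["data"])))
    return events


def irc_lines(events):
    """Split socket payloads on newlines into (time, direction, line)."""
    out = []
    for kind, t, _fd, data in (e for e in events if e[0] != "connect"):
        for raw in data.split("\n"):
            raw = raw.rstrip("\r")
            if raw:
                out.append((t, kind, raw))
    return out


def irc_command(line):
    parts = line.split()
    if parts and parts[0].startswith(":"):  # ":server COMMAND ..." form
        parts = parts[1:]
    return parts[0].upper() if parts else None


def analyse(trace_text):
    events = parse_trace(trace_text.splitlines())
    lines = irc_lines(events)
    cmds = Counter(c for c in (irc_command(l) for _, _, l in lines) if c)
    ping_times = [t for t, d, l in lines if d == "in" and irc_command(l) == "PING"]
    gaps = [b - a for a, b in zip(ping_times, ping_times[1:])]

    def first(cmd):
        return next((l.split() for _, _, l in lines if irc_command(l) == cmd), None)

    nick, join, ping = first("NICK"), first("JOIN"), first("PING")
    return {
        "c2": [(ip, port) for k, _, ip, port in events if k == "connect"],
        "commands": dict(cmds),
        "nick": nick[1] if nick else None,
        "channel": join[1] if join else None,
        "server": ping[1].lstrip(":") if ping else None,
        "beacon_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        # Verdict rule (my own): IRC registration plus a JOIN or answered PINGs.
        "irc_bot": {"NICK", "USER"} <= set(cmds) and (cmds["JOIN"] > 0 or cmds["PONG"] > 0),
    }


# Sample input: lines from the post's trace, quotes normalised.
SAMPLE_TRACE = r"""
03:06:14.933140 connect(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("91.143.207.130")}, 16) = 0 <0.000072>
03:06:14.939437 write(4, "NICK AOWME\nUSER VAWN localhost l"..., 47) = 47 <0.003726>
03:06:14.946123 recv(4, ":secured.fbi.gov NOTICE AUTH :**"..., 4096, 0) = 160 <0.000127>
03:06:15.338985 recv(4, ":secured.fbi.gov 001 AOWME \r\n:se"..., 4096, 0) = 279 <0.000107>
03:06:15.341987 write(4, "MODE AOWME -xi\n", 15) = 15 <0.000523>
03:06:15.349858 write(4, "JOIN ##..Hckl..## :bleh\n", 24) = 24 <0.000242>
03:06:15.354050 write(4, "WHO AOWME\n", 10) = 10 <0.000108>
05:42:17.367639 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000093>
05:42:17.368122 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000371>
05:43:49.836023 recv(4, "PING :secured.fbi.gov\r\n", 4096, 0) = 23 <0.000095>
05:43:49.836684 write(4, "PONG :secured.fbi.gov\n", 22) = 22 <0.000382>
"""
# Constructed contrast: an ordinary HTTP request must not be flagged.
BENIGN_TRACE = r"""
03:06:14.933140 connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0 <0.000072>
03:06:14.939437 write(4, "GET / HTTP/1.1\r\nHost: example\r\n\r\n", 33) = 33 <0.000100>
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TRACE).items():
        print(f"{key:>18}: {value}")
```

Run it on a saved strace log (`strace -f -T -tt -p PID 2>trace.txt`) by passing the file contents to analyse(); the beacon interval field makes the roughly 90-second PING cadence visible, which is the kind of regular outbound keepalive a network monitor can alert on even when the process name looks legitimate.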
But judging by the name ssh.madagent.cc, more likely some hacker is using my machine as a jump host. My Pi has been turned into a zombie... There's hardly anything running on my Raspberry Pi... very strange. Getting rid of it is easy: /lib/httpd, /lib/httpd.pid, /lib/httpds

Delete those three files and it's gone... secured.fbi.gov, though. That one is a bit scary.