宜搜多台服务器沦陷 | wooyun-2015-091991| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-091991

漏洞标题：宜搜多台服务器沦陷

漏洞作者：我了个去

提交时间：2015-01-16 11:52

修复时间：2015-03-02 11:54

公开时间：2015-03-02 11:54

漏洞类型：系统/服务运维配置不当

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-01-16：细节已通知厂商并且等待厂商处理中
2015-01-16：厂商已经确认，细节仅向厂商公开
2015-01-26：细节向核心白帽子及相关领域专家公开
2015-02-05：细节向普通白帽子公开
2015-02-15：细节向实习白帽子公开
2015-03-02：细节向公众公开

简要描述：

早些时候的漏洞补丁不及时，getshell and getsystemroot,后期运维检查不到位，一直没发现。

详细说明：

早些时候 www2.easou.com s2漏洞 getshell 获取root权限
翻看.ssh/ 目录下文件破解shadow文件，普通用户密码通用，成功登录多台服务器，由于内核版本过低，均成功提权。
涉及到机器：
root@maf!x:/root$ hostname
szmlserver208.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.208 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.208 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
root@maf!x:/root$ hostname
bjserver13_20.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:118.145.13.20 Bcast:118.145.13.63 Mask:255.255.255.192
inet addr:10.21.13.20 Bcast:10.21.15.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:118.145.13.22 Mask:255.255.255.255
root@maf!x:/root$ hostname
bjserver13_17.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:118.145.13.17 Bcast:118.145.13.63 Mask:255.255.255.192
inet addr:10.21.13.17 Bcast:10.21.15.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:118.145.13.22 Mask:255.255.255.255
root@maf!x:/root$ hostname
szmlserver207.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.207 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.207 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:120.197.93.209 Mask:255.255.255.255
root@maf!x:/root$ hostname
szmlserver206.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.206 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.206 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:120.197.93.209 Mask:255.255.255.255
root@maf!x:/root$ hostname
szmlserver205.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.205 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.205 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:120.197.93.209 Mask:255.255.255.255
inet addr:120.197.93.213 Mask:255.255.255.255
内核版本：rhel4 2.6.18-128.el5

漏洞证明：

共计6台服务器：
120.197.93.208 19643 root:asdfasdfasdfasdfasdfasdf
120.197.93.205 6033 root:whoami.so
118.145.13.20 6033 root:whoami.so
118.145.13.17 6033 root:whoami.so
120.197.93.206 6033 root:whoami.so
120.197.93.207 6033 root:whoami.so

修复方案：

修改弱口令，升级服务器内核清除后门 rkclean 附上脚本

#!/bin/sh
#!/bin/bash
BLK='[1;30m'
DRED='[0;31m'
DGRN='[0;32m'
DBLU='[0;34m'
DWHI='[0;37m'
BLU='[1;34m'
RES='[0m'
BAD_SNIFFER_FILES_1="/usr/local/lib/dsniff.services
                     /etc/cron.daily/dnsquery
					 /usr/lib/popauth"
BAD_SNIFFER_FILES_2="/usr/local/lib/dsniff.services
                     /etc/cron.daily/dnsquery
					 /usr/lib/popauth"
BAD_SSHPATCH_DIRS="/usr/sbin/.backup/
                   /usr/share/ssh/
                   /etc/var/
                   /etc/rpm/ssh/
				   /usr/include/linux/
				   /usr/include/linux/pam/"
BAD_SSHPATCH_FILES="/bin/ceva
                    /usr/include/shup.h
                    /bin/zcut
                    /usr/bin/zmuie
                    /usr/bin/zap
					/usr/sbin/rd
                    /sbin/shs
                    /sbin/misc
                    /usr/sbin/sshdold
                    /usr/include/arpa/suid
                    /etc/rpm/sshdOLD
                    /etc/rpm/sshOLD
                    /usr/sbin/desnfread
					/usr/sbin/sshd_configold
					/usr/sbin/sshdold"
BAD_SNIFFER_FILES="/etc/rc.d/init.d/log.sub
                   /dev/hdal
                   /dev/hdal/clog
                   /dev/hdal/slog
                   /dev/httpd
                   /dev/linux
                   /dev/noemi
                   /dev/saux
                   /dev/saux.h
                   /etc/gshadow--
                   /etc/rc.d/init.d/keys.sub
                   /etc/ssh/.sshd_auth
                   /etc/sysctl1
                   /lib/libcap
                   /lib/libtcl-206.so
                   /lib/libutil-205.so
                   /root/ssh.log
                   /root/sshd2.log
                   /tmp/.lost+found
                   /tmp/ssh.log
                   /usr/bin/tcp.log
                   /usr/games/.blane
                   /usr/games/help
                   /usr/include/cti2.h
                   /usr/include/gd2.h
                   /usr/include/glob2.h
                   /usr/include/gpm2.h
                   /usr/include/gpmh2.h
                   /usr/include/libssh.h
                   /usr/include/linux/dump.h
                   /usr/include/netda.h
                   /usr/include/pthread2x.h
                   /usr/include/pwd2.h
                   /usr/include/ssh.h
                   /usr/include/zaux.h
                   /usr/lib/+c0d.init
                   /usr/lib/.sshd.h
                   /usr/lib/libcrypto.sh
                   /usr/lib/libfl.so
                   /usr/lib/libfptsk.so
                   /usr/lib/libice.log
                   /usr/lib/libshlog
                   /usr/lib/libsnf.log
                   /usr/lib/libsocryp.so.9.c.7
                   /usr/lib/treeball.so
                   /usr/local/games/.log
                   /usr/local/include/uconf.h
                   /usr/share/man/man1/.error
                   /usr/share/man/man1/sshd.1
                   /usr/share/passwd.h
                   /usr/share/sshd.sync
                   /usr/share/system.sync
                   /var/html/lol
                   /var/run/.xD-user
                   /var/run/pppd.lock
                   /var/run/sshd.sync
                   /var/tmp/lotfree_pass.txt"
play()
{
        INDENT=2; TEXT=""
        ECHOCMD="printf"
        while [ $# -ge 1 ]; do
        case $1 in
    --color)
        shift
        case $1 in
        RED)   COLOR=$DRED ;;
        GREEN) COLOR=$DGRN ;;
        esac
        ;;
    --result)
        shift
        RESULT=$1
        ;;
    --text)
        shift
        TEXT=$1
        ;;
    *)
        echo "INVALID OPTION (Display): $1"
        exit 1
        ;;
        esac
        shift
  done
  if [ ! "${TEXT}" = "" ]; then
      LINESIZE=`echo "${TEXT}" | wc -c | tr -d ' '`
      SPACES=`expr 50 - ${INDENT} - ${LINESIZE}`
      ${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C[ ${COLOR}${RESULT}${RES} ]\n"
  fi
}
title()
{
    printf " ${DBLU}    RootKit Search And Remove Tool ...      ${RES}\n"
    printf " ${DBLU} *Version          : ${DGRN}2.0/2012        ${RES}\n"
    printf " ${DBLU} *Made by          : ${DGRN}Jericho         ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
}
banners()
{
    clear
    printf " ${DBLU}=========================================== ${RES}\n"
    printf "       ${DGRN}  #########      ##                   ${RES}\n"
    printf "       ${DGRN}  #########     ### #########         ${RES}\n"
    printf "       ${DGRN}     ###      ####  #########         ${RES}\n"
    printf "       ${DGRN}     ###     ####      ###            ${RES}\n"
    printf "       ${DGRN}     ###    #######    ###            ${RES}\n"
    printf "       ${DGRN}     ###   #######     ###            ${RES}\n"
    printf "       ${DGRN}     ###     ####      ###            ${RES}\n"
    printf "       ${DGRN}   #####    ####       ###            ${RES}\n"
    printf "       ${DGRN}   #####  ####         ###            ${RES}\n"
    printf "       ${DGRN}     ### ####          ###            ${RES}\n"
    printf "       ${DBLU}             *Jericho Security Team*  ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
}
uidchk()
{
  if [ "$(id -u)" != "0" ]; then
    title
    printf " ${DRED}  !!! WARNING !!! WARNING !!! WARNING !!!   ${RES}\n"
    printf " ${DRED} You must run this script as root or uid 0  ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
    exit 1
  fi
}
########
banners
uidchk
title
########
    printf "\n  ${DBLU}Searching for SHV v5/6/7 RootKit ...   ${RES}\n"
if [ -f /etc/sh.conf ]; then
    SHV5_pass=`cat /etc/sh.conf |cut -d" " -f1 |head -n1 2>/dev/null` 2>/dev/null
    SHV5_port=`cat /lib/libsh.so/shdcf |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
    play --text "${DBLU}SHV v5/6/7 RootKit ...${RES}" --result FOUND --color RED
    printf "  --> ${DBLU}Encrypted Password: ${DRED}${SHV5_pass} ${DBLU}... ${RES}\n"
    printf "  --> ${DBLU}Port of RK        : ${DRED}${SHV5_port} ${DBLU}... ${RES}\n"
    printf "  --> ${DBLU}Closing port      : ${DRED}${SHV5_port} ${DBLU}... ${RES}\n"	
    /sbin/iptables -I INPUT -p tcp --dport ${SHV5_port} -j DROP 2>/dev/null
    /sbin/iptables -I OUTPUT -p tcp --dport ${SHV5_port} -j DROP 2>/dev/null
    printf "  --> ${DBLU}Chenging atributtes of files owned by the SHV RK v5/6/7 ... ${RES}\n"
    chattr -isua /lib/libsh.so/* 2>/dev/null
    chattr -isua /lib/libsh.so 2>/dev/null
    chattr -isua /usr/lib/libsh/.backup/* 2>/dev/null
    chattr -isua /usr/lib/libsh/.backup 2>/dev/null
    chattr -isua /usr/lib/libsh/.sniff/* 2>/dev/null
    chattr -isua /usr/lib/libsh/.sniff 2>/dev/null
    chattr -isua /usr/lib/libsh/utilz/* 2>/dev/null
    chattr -isua /usr/lib/libsh/utilz 2>/dev/null	
    chattr -isua /usr/lib/libsh/* 2>/dev/null
    chattr -isua /usr/lib/libsh 2>/dev/null
    chattr -isua /dev/srd0 2>/dev/null
    chattr -isua /etc/sh.conf 2>/dev/null
    chattr -isua /sbin/ttyload 2>/dev/null
    chattr -isua /sbin/ttymon 2>/dev/null
    chattr -isua /usr/sbin/ttyload 2>/dev/null
    printf "  --> ${DBLU}Copy files from SHV RK v5/6/7 backup Directory back to the System ... ${RES}\n"
    cp -f /usr/lib/libsh/.backup/dir /usr/bin/dir 2>/dev/null
    cp -f /usr/lib/libsh/.backup/find /usr/bin/find 2>/dev/null
    cp -f /usr/lib/libsh/.backup/ifconfig /sbin/ifconfig 2>/dev/null
    cp -f /usr/lib/libsh/.backup/ls /bin/ls 2>/dev/null
    cp -f /usr/lib/libsh/.backup/lsof /usr/sbin/lsof 2>/dev/null
    cp -f /usr/lib/libsh/.backup/md5sum /usr/bin/md5sum 2>/dev/null
    cp -f /usr/lib/libsh/.backup/netstat /bin/netstat 2>/dev/null
#   cp -f /usr/lib/libsh/.backup/ps /bin/ps 2>/dev/null
    cp -f /usr/lib/libsh/.backup/pstree /usr/bin/pstree 2>/dev/null
    cp -f /usr/lib/libsh/.backup/top /usr/bin/top 2>/dev/null
    printf "  --> ${DBLU}Removing files and folders owned by SHV RK v5/6/7 ... ${RES}\n"
    rm -rf /lib/libsh.so/* 2>/dev/null
    rm -rf /lib/libsh.so 2>/dev/null
    rm -rf /usr/lib/libsh/.backup/* 2>/dev/null
    rm -rf /usr/lib/libsh/.backup 2>/dev/null
    rm -rf /usr/lib/libsh/.sniff/* 2>/dev/null
    rm -rf /usr/lib/libsh/.sniff 2>/dev/null
    rm -rf /usr/lib/libsh/utilz/* 2>/dev/null
    rm -rf /usr/lib/libsh/utilz 2>/dev/null	
    rm -rf /usr/lib/libsh/* 2>/dev/null
    rm -rf /usr/lib/libsh 2>/dev/null
    rm -rf /dev/srd0 2>/dev/null
    rm -rf /etc/sh.conf 2>/dev/null
#   rm -rf /lib/libproc.a 2>/dev/null
#   rm -rf /lib/libproc.so.2.0.6 2>/dev/null
    rm -rf /lib/lidps1.so 2>/dev/null
    rm -rf /sbin/ttyload 2>/dev/null
    rm -rf /sbin/ttymon 2>/dev/null
    rm -rf /usr/include/file.h 2>/dev/null
    rm -rf /usr/include/hosts.h 2>/dev/null
    rm -rf /usr/include/libmsrpc.h 2>/dev/null
    rm -rf /usr/include/log.h 2>/dev/null
    rm -rf /usr/include/proc.h 2>/dev/null
    rm -rf /usr/sbin/ttyload 2>/dev/null
    printf "  --> ${DBLU}Killing processes owned by SHV RK v5/6/7/ ... ${RES}\n"
    printf "  --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}ttyload ${DBLU}and ${DRED}ttymon ${DBLU}... ${RES}\n"
    kill -9 -q `pidof ttyload` >/dev/null 2>&1
    kill -9 -q `pidof ttymon` >/dev/null 2>&1
    kill -9 -q `ps x |grep ttyload |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
    kill -9 -q `ps x |grep ttymon |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
    printf "  --> ${DBLU}SHV RootKIt v5/6/7 Cleaning Done ... ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
else
    play --text "${DBLU}SHV v5/6/7 RootKit ...${RES}" --result NOTFOUND --color GREEN
    printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
    printf "\n  ${DBLU}Searching for SHV v4 RootKit ...   ${RES}\n"
if [ -f /etc/ld.so.hash ]; then
    SHV4_pass=`cat /etc/ld.so.hash |cut -d" " -f1 |head -n1 2>/dev/null` 2>/dev/null
    SHV4_port=`cat /lib/security/.config/ssh/sshd_config |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
    play --text "${DBLU}SHV v4 RootKit ...${RES}" --result FOUND --color RED
    printf "  --> ${DBLU}Encrypted Password: ${DRED}${SHV4_pass} ${DBLU}... ${RES}\n"
    printf "  --> ${DBLU}Port of RK        : ${DRED}${SHV4_port} ${DBLU}... ${RES}\n"
    printf "  --> ${DBLU}Closing port      : ${DRED}${SHV4_port} ${DBLU}... ${RES}\n"	
    /sbin/iptables -I INPUT -p tcp --dport ${SHV4_port} -j DROP 2>/dev/null
    /sbin/iptables -I OUTPUT -p tcp --dport ${SHV4_port} -j DROP 2>/dev/null
    printf "  --> ${DBLU}Chenging atributtes of files owned by the SHV RK v4 ... ${RES}\n"
    chattr -isua /lib/ldd.so/* 2>/dev/null
    chattr -isua /lib/ldd.so 2>/dev/null
    chattr -isua /lib/security/* 2>/dev/null
    chattr -isua /lib/security 2>/dev/null
    chattr -isua /lib/security/.config/* 2>/dev/null
    chattr -isua /lib/security/.config 2>/dev/null
    chattr -isua /lib/security/.config/ssh/* 2>/dev/null
    chattr -isua /lib/security/.config/ssh 2>/dev/null
    chattr -isua /usr/include/file.h 2>/dev/null
    chattr -isua /usr/include/hosts.h 2>/dev/null
    chattr -isua /usr/include/log.h 2>/dev/null
    chattr -isua /usr/include/proc.h 2>/dev/null
    chattr -isua /usr/sbin/xntps 2>/dev/null
    chattr -isua /dev/srd0 2>/dev/null
    chattr -isua /etc/ld.so.hash 2>/dev/null
    chattr -isua /etc/ttyhash 2>/dev/null
    chattr -isua /lib/libext-2.so.7 2>/dev/null
    chattr -isua /lib/lidps1.so 2>/dev/null
    chattr -isua /lib/libproc.a 2>/dev/null
    chattr -isua /lib/libproc.so.2.0.6 2>/dev/null
    printf "  --> ${DBLU}Removing files and folders owned by SHV RK v4 ... ${RES}\n"
    rm -rf /lib/ldd.so/* 2>/dev/null
    rm -rf /lib/ldd.so 2>/dev/null
    rm -rf /lib/security/* 2>/dev/null
    rm -rf /lib/security 2>/dev/null
    rm -rf /lib/security/.config/* 2>/dev/null
    rm -rf /lib/security/.config 2>/dev/null
    rm -rf /lib/security/.config/ssh/* 2>/dev/null
    rm -rf /lib/security/.config/ssh 2>/dev/null
    rm -rf /usr/include/file.h 2>/dev/null
    rm -rf /usr/include/hosts.h 2>/dev/null
    rm -rf /usr/include/log.h 2>/dev/null
    rm -rf /usr/include/proc.h 2>/dev/null
    rm -rf /lib/libproc.a 2>/dev/null
    rm -rf /lib/libproc.so.2.0.6 2>/dev/null
    rm -rf /etc/ttyhash 2>/dev/null
    rm -rf /lib/libext-2.so.7 2>/dev/null
    rm -rf /lib/lidps1.so 2>/dev/null
    rm -rf /dev/srd0 2>/dev/null
    rm -rf /etc/ld.so.hash 2>/dev/null
    rm -rf /usr/sbin/xntps 2>/dev/null
    printf "  --> ${DBLU}Killing processes owned by SHV RK v4 ... ${RES}\n"
    printf "  --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}xntps ${DBLU}, ${DRED}nscd ${DBLU}and ${DRED}mountd ${DBLU}... ${RES}\n"
    kill -9 -q `pidof xntps` >/dev/null 2>&1
    kill -9 -q `pidof nscd` >/dev/null 2>&1
    kill -9 -q `pidof mountd` >/dev/null 2>&1
    kill -9 -q `ps x |grep xntps |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
    kill -9 -q `ps x |grep nscd |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
    kill -9 -q `ps x |grep mountd |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
    printf "  --> ${DBLU}SHV RootKIt v4 Cleaning Done ... ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
else
    play --text "${DBLU}SHV v4 RootKit ...${RES}" --result NOTFOUND --color GREEN
    printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
    printf "\n  ${DBLU}Searching for ICE RootKit ...   ${RES}\n"
if [ -f /usr/include/iceconf.h ]; then
    ICE_pass=``
    ICE_port=`cat /usr/include/iceconf.h |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
    play --text "${DBLU}ICE RootKit ...${RES}" --result FOUND --color RED
    printf "  --> ${DBLU}Encrypted Password: ${DRED}${ICE_pass} ${DBLU}... ${RES}\n"
    printf "  --> ${DBLU}Port of RK        : ${DRED}${ICE_port} ${DBLU}... ${RES}\n"
	printf "  --> ${DBLU}Closing port      : ${DRED}${ICE_port} ${DBLU}... ${RES}\n"	
    /sbin/iptables -I INPUT -p tcp --dport ${ICE_port} -j DROP 2>/dev/null
    /sbin/iptables -I OUTPUT -p tcp --dport ${ICE_port} -j DROP 2>/dev/null
    printf "  --> ${DBLU}Chenging atributtes of files owned by the ICE RK ... ${RES}\n"
    chattr -isua /usr/lib/libice.log 2>/dev/null
    chattr -isua /usr/bin/"smbd -D" 2>/dev/null
    chattr -isua /usr/include/iceconf.h 2>/dev/null
    chattr -isua /usr/include/icekey.h 2>/dev/null
    chattr -isua /usr/include/icepid.h 2>/dev/null
    chattr -isua /usr/include/iceseed.h 2>/dev/null
    printf "  --> ${DBLU}Removing files and folders owned by ICE RK ... ${RES}\n"
    rm -rf /usr/bin/"smbd -D" 2>/dev/null
    rm -rf /usr/include/iceconf.h 2>/dev/null
    rm -rf /usr/include/icekey.h 2>/dev/null
    rm -rf /usr/include/iceseed.h 2>/dev/null
    rm -rf /usr/lib/libice.log 2>/dev/null
    printf "  --> ${DBLU}Killing processes owned by ICE RK ... ${RES}\n"
    printf "  --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}smbd -D ${DBLU}... ${RES}\n"
    kill -9 -q `cat /usr/include/icepid.h 2>/dev/null` >/dev/null 2>&1
    kill -9 -q `ps x |grep smbd |grep D | grep -v grep |awk '{print $1}'` >/dev/null 2>&1	
    rm -rf /usr/include/icepid.h 2>/dev/null
    printf "  --> ${DBLU}ICE RootKIt Cleaning Done ... ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
else
    play --text "${DBLU}ICE RootKit ...${RES}" --result NOTFOUND --color GREEN
    printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
    printf "\n  ${DBLU}Searching for TORN RootKit ...   ${RES}\n"
if [ -f /etc/ttyhash ]; then
    TORN_pass=`cat /etc/ttyhash |cut -d" " -f1 |head -n1 2>/dev/null` 2>/dev/null
    TORN_port=`cat /usr/info/.t0rn/shdcf |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
    play --text "${DBLU}TORN RootKit ...${RES}" --result FOUND --color RED
    printf "  --> ${DBLU}Encrypted Password: ${DRED}${TORN_pass} ${DBLU}... ${RES}\n"
    printf "  --> ${DBLU}Port of RK        : ${DRED}${TORN_port} ${DBLU}... ${RES}\n"
	printf "  --> ${DBLU}Closing port      : ${DRED}${TORN_port} ${DBLU}... ${RES}\n"	
    /sbin/iptables -I INPUT -p tcp --dport ${TORN_port} -j DROP 2>/dev/null
    /sbin/iptables -I OUTPUT -p tcp --dport ${TORN_port} -j DROP 2>/dev/null
    printf "  --> ${DBLU}Chenging atributtes of files owned by the TORN RK ... ${RES}\n"
    chattr -isua /dev/.lib/lib/lib/dev/* 2>/dev/null
    chattr -isua /dev/.lib/lib/lib/dev 2>/dev/null
    chattr -isua /dev/.lib/lib/lib/* 2>/dev/null
    chattr -isua /dev/.lib/lib/lib 2>/dev/null
    chattr -isua /dev/.lib/lib/* 2>/dev/null
    chattr -isua /dev/.lib/lib 2>/dev/null
    chattr -isua /dev/.lib/lib/scan/* 2>/dev/null
    chattr -isua /dev/.lib/lib/scan 2>/dev/null
    chattr -isua /dev/.lib/* 2>/dev/null
    chattr -isua /dev/.lib 2>/dev/null
    chattr -isua /usr/info/.t0rn/* 2>/dev/null
    chattr -isua /usr/info/.t0rn 2>/dev/null
    chattr -isua /usr/man/man1/man1/lib/.lib/.backup/* 2>/dev/null
    chattr -isua /usr/man/man1/man1/lib/.lib/.backup 2>/dev/null
    chattr -isua /usr/man/man1/man1/lib/.lib/* 2>/dev/null
    chattr -isua /usr/man/man1/man1/lib/.lib 2>/dev/null
    chattr -isua /usr/man/man1/man1/lib/* 2>/dev/null
    chattr -isua /usr/man/man1/man1/lib 2>/dev/null
    chattr -isua /usr/man/man1/man1/* 2>/dev/null
    chattr -isua /usr/man/man1/man1 2>/dev/null
    chattr -isua /usr/man/man1/* 2>/dev/null
    chattr -isua /usr/man/man1 2>/dev/null
    chattr -isua /usr/man/* 2>/dev/null
    chattr -isua /usr/man 2>/dev/null
    chattr -isua /usr/src/.puta/* 2>/dev/null
    chattr -isua /usr/src/.puta 2>/dev/null
    chattr -isua /etc/ttyhash 2>/dev/null
    chattr -isua /usr/sbin/nscd 2>/dev/null
    chattr -isua /usr/info/.t0rn 2>/dev/null
    printf "  --> ${DBLU}Removing files and folders owned by TORN RK ... ${RES}\n"
    rm -rf /dev/.lib/lib/lib/dev/* 2>/dev/null
    rm -rf /dev/.lib/lib/lib/dev 2>/dev/null
    rm -rf /dev/.lib/lib/lib/* 2>/dev/null
    rm -rf /dev/.lib/lib/lib 2>/dev/null
    rm -rf /dev/.lib/lib/* 2>/dev/null
    rm -rf /dev/.lib/lib 2>/dev/null
    rm -rf /dev/.lib/lib/scan/* 2>/dev/null
    rm -rf /dev/.lib/lib/scan 2>/dev/null
    rm -rf /dev/.lib/* 2>/dev/null
    rm -rf /dev/.lib 2>/dev/null
    rm -rf /usr/info/.t0rn/* 2>/dev/null
    rm -rf /usr/info/.t0rn 2>/dev/null
    rm -rf /usr/man/man1/man1/lib/.lib/.backup/* 2>/dev/null
    rm -rf /usr/man/man1/man1/lib/.lib/.backup 2>/dev/null
    rm -rf /usr/man/man1/man1/lib/.lib/* 2>/dev/null
    rm -rf /usr/man/man1/man1/lib/.lib 2>/dev/null
    rm -rf /usr/man/man1/man1/lib/* 2>/dev/null
    rm -rf /usr/man/man1/man1/lib 2>/dev/null
    rm -rf /usr/man/man1/man1/* 2>/dev/null
    rm -rf /usr/man/man1/man1 2>/dev/null
    rm -rf /usr/man/man1/* 2>/dev/null
    rm -rf /usr/man/man1 2>/dev/null
    rm -rf /usr/man/* 2>/dev/null
    rm -rf /usr/man 2>/dev/null
    rm -rf /usr/src/.puta/* 2>/dev/null
    rm -rf /usr/src/.puta 2>/dev/null
    rm -rf /etc/ttyhash 2>/dev/null
    rm -rf /usr/sbin/nscd 2>/dev/null
    rm -rf /usr/info/.t0rn 2>/dev/null
    printf "  --> ${DBLU}Killing processes owned by TORN RK ... ${RES}\n"
    printf "  --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}nscd ${DBLU}... ${RES}\n"
    kill -9 -q `pidof nscd` >/dev/null 2>&1
    kill -9 -q `ps x |grep nscd |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
    printf "  --> ${DBLU}TORN RootKIt Cleaning Done ... ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
else
    play --text "${DBLU}TORN RootKit ...${RES}" --result NOTFOUND --color GREEN
    printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
    printf "\n  ${DBLU}Searching for some SSH Patch Parts ...   ${RES}\n"
if [ -f /usr/lib/libutil1.2.1.2.so ]; then
    play --text "${DBLU}File /usr/lib/libutil1.2.1.2.so${RES}" --result FOUND --color RED
    chattr -isua /usr/lib/libutil1.2.1.2.so 2>/dev/null
    rm -rf /sbin/hwclock 2>/dev/null
    cp -f /usr/lib/libutil1.2.1.2.so /sbin/hwclock 2>/dev/null
    rm -rf /usr/lib/libutil1.2.1.2.so 2>/dev/null
    printf "  --> ${DBLU}File /usr/lib/libutil1.2.1.2.so Cleaned ... ${RES}\n"
else
    play --text "${DBLU}File /usr/lib/libutil1.2.1.2.so${RES}" --result NOTFOUND --color GREEN
fi
if [ -e "/sbin/syslogd " ]; then
    play --text "${DBLU}File \"/sbin/syslogd \"${RES}" --result FOUND --color RED
    chattr -isua "/sbin/syslogd " 2>/dev/null
    rm -rf "/sbin/syslogd " 2>/dev/null
    printf "  --> ${DBLU}File \"/sbin/syslogd \" Cleaned ... ${RES}\n"
else
    play --text "${DBLU}File \"/sbin/syslogd \"${RES}" --result NOTFOUND --color GREEN
fi
if [ -e "/usr/include/linux/sounds.h" ]; then
    play --text "${DBLU}File /usr/include/linux/sounds.h${RES}" --result FOUND --color RED
    chattr -isua /usr/include/linux/sounds.h 2>/dev/null
    rm -rf /usr/include/linux/sounds.h 2>/dev/null
    cat /etc/rc.sysinit |grep -v sounds.h |grep -v /usr/include/linux/sounds.h >/tmp/rcsystmp 2>/dev/null
    mv /tmp/rcsystmp /etc/rc.sysinit -f 2>/dev/null
    printf "  --> ${DBLU}File /usr/include/linux/sounds.h Cleaned ... ${RES}\n"
else
    play --text "${DBLU}File /usr/include/linux/sounds.h${RES}" --result NOTFOUND --color GREEN
fi
###################################
for fil in $BAD_SSHPATCH_FILES
do
 if [ -f $fil ]; then
    play --text "${DBLU}File $fil ${RES}" --result FOUND --color RED	
    chattr -isua $fil 2>/dev/null
    rm -rf $fil 2>/dev/null
    printf "  --> ${DBLU}File $fil erased ... ${RES}\n"
 else
    play --text "${DBLU}File $fil ${RES}" --result NOTFOUND --color GREEN
 fi
done
###################################
for fil in $BAD_SSHPATCH_DIRS
do
 if [ -f $fil ]; then
    play --text "${DBLU}Directory $fil ${RES}" --result FOUND --color RED	
    chattr -isua $fil 2>/dev/null
    rm -rf $fil 2>/dev/null
    printf "  --> ${DBLU}Directory $fil erased ... ${RES}\n"
 else
    play --text "${DBLU}Directory $fil ${RES}" --result NOTFOUND --color GREEN
 fi
done
    printf " ${DBLU}=========================================== ${RES}\n"
###################################
    printf "\n  ${DBLU}Searching for Known Sniffer Files ...   ${RES}\n"
for fil in $BAD_SNIFFER_FILES
do
 if [ -f $fil ]; then
    play --text "${DBLU}File $fil ${RES}" --result FOUND --color RED	
    chattr -isua $fil 2>/dev/null
	cat $fil
    cat $fil >>/tmp/sniffer-log.txt 2>/dev/null
    rm -rf $fil 2>/dev/null
    printf "  --> ${DBLU}File $fil erased ... ${RES}\n"
 else
    play --text "${DBLU}File $fil ${RES}" --result NOTFOUND --color GREEN
 fi
done
###################################
    printf "\n  ${DBLU}RootKit Cleaning Script Finished ...   ${RES}\n"
    printf " ${DBLU}=========================================== ${RES}\n"
###################################

这其实也是一种提示，漏洞修复后，要进行深入检查（服务器有没有被提权，有没有殃及其他服务及应用是否会引起连锁反应？）。

版权声明：转载请注明来源我了个去@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-01-16 11:56

厂商回复：

谢谢指出，我们会及时改正

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-091991

漏洞标题：宜搜多台服务器沦陷

相关厂商：easou.com

漏洞作者：我了个去

提交时间：2015-01-16 11:52

修复时间：2015-03-02 11:54

公开时间：2015-03-02 11:54

漏洞类型：系统/服务运维配置不当

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源我了个去@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-091991

漏洞标题：宜搜多台服务器沦陷

相关厂商：easou.com

漏洞作者： 我了个去

提交时间：2015-01-16 11:52

修复时间：2015-03-02 11:54

公开时间：2015-03-02 11:54

漏洞类型：系统/服务运维配置不当

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-091991"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 我了个去@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：我了个去

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源我了个去@乌云