WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-03-12: Details reported to the vendor, awaiting vendor handling
2015-03-12: Vendor has confirmed; details disclosed to the vendor only
2015-03-22: Details disclosed to core white hats and experts in the relevant field
2015-04-01: Details disclosed to regular white hats
2015-04-11: Details disclosed to intern white hats
2015-04-26: Details disclosed to the public
PiPi (pipi.cn): a service is misconfigured (client update files can be replaced on the server side to plant a backdoor)
The rsync service on 5 update-configuration servers is anonymously accessible:
122.228.68.155:873
122.228.68.154:873
122.228.68.152:873
122.228.68.153:873
122.228.68.144:873
rsync 122.228.68.155::ppquery_sct
drwxr-xr-x 4096 2015/03/06 00:26:21 .
-rw-r--r-- 1189 2015/03/06 00:25:03 234.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 240.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 241.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 242.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 243.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 244.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 245.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 246.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 247.ini
-rw-r--r-- 1194 2015/03/06 00:25:53 248.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 249.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 250.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 271.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 297.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 407.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 409.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 430.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 497.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 525.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 529.ini
-rw-r--r-- 317 2015/03/06 00:25:03 all_desk_link.ini
-rw-r--r-- 313 2015/01/09 13:48:51 all_desk_link_fsfm_qm.ini
-rw-r--r-- 309 2015/01/09 13:44:57 all_desk_link_fsfm_qm.ini~
-rw-r--r-- 227 2014/12/05 21:56:53 all_desk_link_hazg.ini
-rw-r--r-- 319 2015/02/12 13:43:14 all_desk_link_hazg_fsfm.ini
-rw-r--r-- 314 2015/02/12 13:42:33 all_desk_link_hazg_fsfm.ini~
-rw-r--r-- 317 2014/12/05 21:57:03 all_desk_link_hazg_jstm.ini
-rw-r--r-- 314 2015/02/01 21:23:36 all_desk_link_hazg_qm.ini
-rw-r--r-- 314 2015/02/01 21:23:01 all_desk_link_hazg_qm.ini~
-rw-r--r-- 315 2014/12/05 21:57:12 all_desk_link_hazg_xxd.ini
-rw-r--r-- 224 2014/09/04 12:17:58 all_desk_link_jstm.ini
-rw-r--r-- 312 2014/12/10 13:29:26 all_desk_link_jstm_xxd.ini
-rw-r--r-- 313 2015/01/13 11:02:04 all_desk_link_qm_fsfm.ini
-rw-r--r-- 313 2015/01/13 11:01:00 all_desk_link_qm_fsfm.ini~
-rw-r--r-- 314 2014/12/23 13:35:43 all_desk_link_qm_hazg.ini
-rw-r--r-- 309 2014/12/26 10:23:15 all_desk_link_qm_xxd.ini
-rw-r--r-- 223 2014/08/25 21:18:34 all_desk_link_sgh.ini
-rw-r--r-- 222 2014/09/18 17:35:54 all_desk_link_xxd.ini
-rw-r--r-- 317 2015/03/06 00:24:51 all_desk_link_zsg_hazg.ini
-rw-r--r-- 314 2015/03/06 00:24:12 all_desk_link_zsg_hazg.ini~
-rw-r--r-- 448 2014/12/26 16:22:08 all_desk_src.ini
-rw-r--r-- 444 2014/12/26 16:21:12 all_desk_src.ini~
-rwxr-xr-x 404 2014/08/22 17:18:01 batch_pro.sh
-rwxr-xr-x 439 2015/03/06 00:25:49 batch_temp.sh
-rwxr-xr-x 377 2015/02/12 13:44:56 batch_temp.sh~
-rw-r--r-- 108 2014/08/22 17:18:01 clean.ini
-rw-r--r-- 309 2015/03/06 00:25:03 def_desk_link.ini
-rw-r--r-- 305 2015/01/09 13:50:08 def_desk_link_fsfm_qm.ini
-rw-r--r-- 301 2015/01/09 13:49:18 def_desk_link_fsfm_qm.ini~
-rw-r--r-- 219 2014/12/05 21:57:23 def_desk_link_hazg.ini
-rw-r--r-- 311 2015/02/12 13:44:17 def_desk_link_hazg_fsfm.ini
-rw-r--r-- 306 2015/02/12 13:43:39 def_desk_link_hazg_fsfm.ini~
-rw-r--r-- 309 2014/12/05 21:57:35 def_desk_link_hazg_jstm.ini
-rw-r--r-- 306 2015/02/01 21:24:17 def_desk_link_hazg_qm.ini
-rw-r--r-- 306 2015/02/01 21:23:57 def_desk_link_hazg_qm.ini~
-rw-r--r-- 307 2014/12/05 21:57:47 def_desk_link_hazg_xxd.ini
-rw-r--r-- 216 2014/09/04 12:20:34 def_desk_link_jstm.ini
-rw-r--r-- 304 2014/12/10 13:32:25 def_desk_link_jstm_xxd.ini
-rw-r--r-- 305 2015/01/13 11:02:15 def_desk_link_qm_fsfm.ini
-rw-r--r-- 305 2015/01/13 11:01:22 def_desk_link_qm_fsfm.ini~
-rw-r--r-- 306 2014/12/23 13:36:14 def_desk_link_qm_hazg.ini
-rw-r--r-- 301 2014/12/26 10:24:23 def_desk_link_qm_xxd.ini
-rw-r--r-- 215 2014/09/04 12:20:38 def_desk_link_sgh.ini
-rw-r--r-- 214 2014/10/17 14:35:34 def_desk_link_xxd.ini
-rw-r--r-- 309 2015/03/06 00:23:52 def_desk_link_zsg_hazg.ini
-rw-r--r-- 306 2015/03/06 00:22:13 def_desk_link_zsg_hazg.ini~
-rw-r--r-- 1170 2015/03/06 00:25:03 default.ini
-rw-r--r-- 1170 2014/11/24 15:52:24 default_1.ini
-rw-r--r-- 1170 2014/11/24 15:52:24 default_2.ini
-rw-r--r-- 1170 2014/11/24 15:52:24 default_3.ini
-rw-r--r-- 785 2014/08/22 17:18:01 force.ini
-rwxr-xr-x 683 2014/12/26 18:05:18 gen.sh
-rwxr-xr-x 409 2014/12/26 16:19:15 gen.sh~
-rwxr-xr-x 730 2014/12/02 16:36:28 gen_all_by_para.sh
-rwxr-xr-x 561 2014/09/16 16:16:07 gen_def_desklink.sh
-rwxr-xr-x 562 2014/09/16 16:16:20 gen_desklink.sh
-rwxr-xr-x 945 2014/09/16 16:15:14 gen_fulllink.sh
-rw-r--r-- 783 2014/08/22 17:18:01 hao123
-rw-r--r-- 927 2015/01/20 23:33:52 id2url.conf
-rw-r--r-- 422 2014/12/02 16:29:12 id2url.conf.20141202
-rw-r--r-- 926 2015/01/06 15:39:29 id2url.conf~
-rw-r--r-- 1014 2014/10/21 15:38:51 id_source.ini
-rw-r--r-- 477 2015/01/12 20:39:19 live_share_task.ini
-rw-r--r-- 476 2015/01/08 16:28:29 live_share_task.ini~
-rw-r--r-- 305 2015/01/12 20:39:25 live_share_task_pop.ini
-rw-r--r-- 304 2015/01/08 16:29:33 live_share_task_pop.ini~
-rw-r--r-- 485 2015/01/12 20:39:30 live_share_task_wang.ini
-rw-r--r-- 486 2015/01/12 20:39:35 live_share_task_wang.ini.cnc
-rw-r--r-- 485 2015/01/08 16:29:40 live_share_task_wang.ini.cnc~
-rw-r--r-- 484 2015/01/08 16:29:37 live_share_task_wang.ini~
-rw-r--r-- 564 2014/08/22 17:18:01 pi_def.ini
-rwxr-xr-x 393 2014/08/22 17:18:01 replace.sh
-rw-r--r-- 1061 2014/08/22 17:18:01 sample.ini
-rw-r----- 3593 2015/02/06 22:33:10 sct.conf
-rw-r----- 3305 2015/01/31 23:53:23 sct.conf~
cat 525.ini
[h]
#how many times
times=2
#interval minutes
int_min=5
#delay days
dd=0
#force fix interval minutes
ffit=1440
fdd=0
fa=1
#0: not fix; 1: fix has same domain only; 2: fix has argment only; 3: fix all beside white list; 4: fix all
mod=4
brs=|firefox.exe|qqbrowser.exe|chrome.exe|liebao.exe|iexplore.exe|theworld.exe|maxthon.exe|sogouexplorer.exe|opera/launcher.exe|baidubrowser.exe|2345explorer.exe|
url=www.hao123.com/?tn=94472661_hao_pg
u0=www.3600.com/?src=lm&ls=n431da8d38f
u1=www.2345.com/?k34511517
u2=www.duba.com/?un_449343_1173
u3=www.88488.com/?sign=rec|www.hao123.com/?tn=94472661_hao_pg
#ie home page
fhp=0
#url
#hpu=
fit=10
#fix other browser link
flnk=1
#url
#lnku=
#fix interval minutes
#flnkit=1440
#create Internet Explorer.lnk on desktop
cdlnk=0
#url
#dlnku=
#interval minutes
dlnkit=144000
#only change if exist
mon=1
[d]
cn=3
it=144000
dmax=1
0=hao123www.hao123.com/?tn=94472661_hao_pg|www.hao123.com/favicon.ico|0
0_wl=
0_cn=0
#delay days
0_dd=0
#interval minutes
0_it=144000
1=[]|gc.pipi.cn/desktop/zsglw1.html|afm.pipi.cn/pfup/zsg.ico|0
1_dd=0
1_it=144000
2=[|gc.pipi.cn/desktop/hazg1.html|www.pipi.cn/pfup/hazg2.ico|0
2_dd=0
2_it=144000
cat pi_def.ini
[r]
stra=maximum
cn=1
it=1
dd=0
[0]
id=61
dd=0;
ln=goodpic_600.tmp;
pa=/verysilent
md5=a5cfb4ca7f74d913f0396abc5ba9497c
url=http://dl.shenmatv.cn/goodpic_dae_600.exe
hk=HKCR\goodPic\DefaultIcon\
[1]
id=102
url=http://kkupd.gamebox.duowan.com/client/package/38_47/gamebox_setup.exe
hk=HKCU\Software\duowan\gamebox\InstallDir
[2]
id=57
url=http://dl.pipi.cn/sp/pipi_jiangshen.exe
hk=HKLM\SOFTWARE\Jiangshen\pipi\
delay=300
[3]
id=170
url=http://www.yunduan.cn/update/bfc/bfcmpasetup_ff28_0.exe
hk=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bfcmpa.exe\
cat sct.conf
//lshare
lshare_ver_file=/home/public/KmPPQueryService/etc/live_share_version.ini
#lshare_task_file=/home/public/KmPPQueryService/etc/sct/live_share_task.ini
lshare_task_file=0-250:/home/public/KmPPQueryService/etc/sct/live_share_task.ini|250-1000:/home/public/KmPPQueryService/etc/sct/live_share_task_wang.ini
#lshare_task_file=0-250:/home/public/KmPPQueryService/etc/sct/live_share_task.ini|250-1000:/home/public/KmPPQueryService/etc/sct/live_share_task_pop.ini
lshare_enable=1
lshare_inst_days=0
lshare_ex_city=|�|
lshare_clk_minver=16974592
lshare_clk_reduce=0
#not use{{
lshare_percent=100
lshare_clk_permill=80
lshare_webclk_permill=200
lshare_clk_permill2=250
lshare_webclk_permill2=250
#}}
#clean_sct_app_build_ver=3178
can_set_iehp=1
desklnk_boot_only=0
fix_favorite=1
//desktop shortcut
given_�=/home/public/KmPPQueryService/etc/sct/clean.ini
given_201=home/public/KmPPQueryService/etc/sct/clean.ini
given_0=/home/public/KmPPQueryService/etc/sct/default.ini
given_271=/home/public/KmPPQueryService/etc/sct/271.ini
givenddays_271=1
given_525=/home/public/KmPPQueryService/etc/sct/525.ini
given_234=/home/public/KmPPQueryService/etc/sct/234.ini
given_430=/home/public/KmPPQueryService/etc/sct/430.ini
given_529=/home/public/KmPPQueryService/etc/sct/529.ini
given_407=/home/public/KmPPQueryService/etc/sct/407.ini
given_409=/home/public/KmPPQueryService/etc/sct/409.ini
given_297=/home/public/KmPPQueryService/etc/sct/297.ini
given_497=/home/public/KmPPQueryService/etc/sct/497.ini
//whiteurl
#whiteurl=www.hao123.com|tn|98227422_hao_pg|29065018_253_hao_pg|93890339_hao_pg|98723078_hao_pg|29065018_254_hao_pg|
//config url
givenurl_�=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v1.conf|5ec58330c977d92902d3b83c221b0c90
givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v1.conf|5ec58330c977d92902d3b83c221b0c90
givenurl_p1=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p2=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p3=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p4=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p5=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
#givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck.conf|ef17cce7b9c0e7802c79a7d82739def9
#givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck_v7.conf|432eea1a971cca7cd998ef2c8364f2e1
pushinst_0=/home/public/KmPPQueryService/etc/sct/pi_def.ini
pushinstddays_0=0
//clk cc domains
clk_cookie_domains=|acxiom-online.com|serving-sys.com|utmz|utmb|utma|optimix.asia|kejet.net|h5po.cn|pagechoice.net|cnzz.mmstat.com|CNZZDATA|cnzz.com|miaozhen.com|mediav.com|_smtz|_smta|_smtp|_smtt|_smtz|allyes.com|HMACCOUNT|_ga|Hm_lvt_|Hm_lpvt_|admaster.com.cn|doubleclick.net|acs86.com|mlt01.com|icast.cn|admckid|admaster.com.cn|_smtz|_smta|_smtp|_smtt|viewlist|clicklist|
given_240=/home/public/KmPPQueryService/etc/sct/240.ini
given_241=/home/public/KmPPQueryService/etc/sct/241.ini
given_242=/home/public/KmPPQueryService/etc/sct/242.ini
given_243=/home/public/KmPPQueryService/etc/sct/243.ini
given_244=/home/public/KmPPQueryService/etc/sct/244.ini
given_245=/home/public/KmPPQueryService/etc/sct/245.ini
given_246=/home/public/KmPPQueryService/etc/sct/246.ini
given_247=/home/public/KmPPQueryService/etc/sct/247.ini
given_248=/home/public/KmPPQueryService/etc/sct/248.ini
given_249=/home/public/KmPPQueryService/etc/sct/249.ini
given_250=/home/public/KmPPQueryService/etc/sct/250.ini
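The pi_def.ini shown above is a push-install manifest: each numbered section names an executable to fetch over plain http, an optional md5, and a registry key to check. The following added example (not code from the report or from PiPi) parses that layout and audits each job the way a defender reviewing such a manifest would: flagging plaintext downloads, jobs with no digest at all, and digest mismatches. The manifest, URLs, payload bytes and field semantics are constructed and assumed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample in the layout of the pi_def.ini above: each numbered
# section is one push-install job. URLs/paths here are placeholders.
PAYLOAD = b"constructed installer bytes (not a real package)"
SAMPLE_MANIFEST = f"""[0]
id=61
dd=0;
ln=goodpic_600.tmp;
pa=/verysilent
md5={hashlib.md5(PAYLOAD).hexdigest()}
url=http://update.example.invalid/goodpic_600.exe
hk=HKCR\\goodPic\\DefaultIcon\\
[1]
id=102
url=http://update.example.invalid/gamebox_setup.exe
hk=HKCU\\Software\\example\\gamebox\\InstallDir
"""

def parse_manifest(text):
    """Return {section: {key: value}}, dropping the stray trailing ';' seen in the file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().rstrip(";")
    return sections

def audit_job(job, payload):
    """Findings for one job: plaintext fetch, missing digest, or digest mismatch."""
    findings = []
    if urlsplit(job.get("url", "")).scheme != "https":
        findings.append("plaintext-download")
    expected = job.get("md5")
    if expected is None:
        findings.append("no-digest")
    elif hashlib.md5(payload).hexdigest() != expected.lower():
        findings.append("digest-mismatch")
    return findings

def audit_manifest(text, payload):
    """Audit every numbered job section against the same fetched payload bytes."""
    return {k: audit_job(v, payload) for k, v in parse_manifest(text).items() if k.isdigit()}
```

Note that an md5 inside the manifest only catches transport corruption: if the manifest itself is served from an anonymously reachable rsync module, url and md5 can be rewritten together, so the fix is authenticating the manifest (signature from an offline key, or an authenticated, read-only channel), not a stronger hash.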
Fix suggestion: take it offline or delete it.
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-03-12 21:27
Vendor reply: Thanks, hero :)
Latest status: none yet