Example: security vulnerability analysis and recommendations report for a demo site

Two days ago, at my boss's request, I did a log analysis for one of the company's channel sites.
Note: xxx stands for a domain name or other specific detail that has been redacted.
I. Log record analysis
Vulnerability 1: file upload vulnerability. Risk level: very serious
Log analysis shows that on 22 February 2014 the attacker used a file upload vulnerability in http://xxx/css_edit/css.php (later renamed cssx.php) to obtain webshell access and plant a Trojan (backdoor) program on the server.
On 27 February 2014 and 3 March 2014 the attacker operated the Trojan remotely and implanted the malicious "Always Color" file templates_c/templates.php.
Vulnerability 2: database backup file exposure. Risk level: severe
http://xxx/configuration.php1205
http://xxx/configuration.php140304, etc.
Operations personnel backed up data files incorrectly, leaving copies such as these reachable over the web.
The relevant log records follow:
1.80.76.136 - - [22/Feb/2014:16:01:26 +0800] "GET /css_edit/css.php HTTP/1.1" 45841
1.80.76.136 - - [22/Feb/2014:16:01: +0800] "POST /css_edit/css.php HTTP/1.1" 45969
1.80.76.136 - - [22/Feb/2014:16:03:30 +0800] "POST /css_edit/css.php HTTP/1.1" 45943
1.80.76.136 - - [22/Feb/2014:16:06:43 +0800] "POST /css_edit/css.php HTTP/1.1" 200 45958
1.80.76.136 - - [22/Feb/2014:16:06:47 +0800] "GET /css_edit/css.php HTTP/1.1" 45841
1.80.76.136 - - [22/Feb/2014:16:09:41 +0800] "GET /css_edit/css.php HTTP/1.1" 404 214
1.80.76.136 - - [22/Feb/2014:19:17:11 +0800] "GET /css_edit/css-bak/css.php HTTP/1.1" 500 -
1.80.76.136 - - [22/Feb/2014:19:17:44 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 458
1.80.76.136 - - [22/Feb/2014:19:17:50 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 3463
222.90.106.49 - - [27/Feb/2014:19:55:17 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 3297
222.90.106.49 - - [27/Feb/2014:19:55:25 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1"
222.90.106.49 - - [27/Feb/2014:19:55:27 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 734
222.90.106.49 - - [27/Feb/2014:19:55:42 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 1370
222.90.106.49 - - [27/Feb/2014:19:55:54 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 4123
222.90.106.49 - - [27/Feb/2014:19:56:07 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 4187
222.90.106.49 - - [27/Feb/2014:19:56:15 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 996
222.90.106.49 - - [27/Feb/2014:19:56:17 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 1088
222.90.106.49 - - [27/Feb/2014:19:56:25 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 830
222.90.106.49 - - [27/Feb/2014:19:56:51 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 33488
222.90.106.49 - - [27/Feb/2014:19:57:11 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 2
222.90.106.49 - - [27/Feb/2014:19:57:12 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 73
222.90.106.49 - - [27/Feb/2014:19:57:17 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 273
222.90.106.49 - - [27/Feb/2014:19:57:20 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1"
1.86.179.21 - - [03/Mar/2014:13:26:43 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 47454
1.86.179.21 - - [03/Mar/2014:13:27:08 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1"
1.86.179.21 - - [03/Mar/2014:13:27:21 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 7
1.86.179.21 - - [03/Mar/2014:13:27:21 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 500 161
1.86.179.21 - - [03/Mar/2014:13:27:38 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 500 161
1.86.179.21 - - [03/Mar/2014:13:28:57 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 161
1.86.179.21 - - [03/Mar/2014:13:29:02 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 161
1.86.179.21 - - [03/Mar/2014:13:30:28 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 -
1.86.179.21 - - [03/Mar/2014:13:30:32 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 -
1.86.179.21 - - [03/Mar/2014:13:30:35 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 -
1.86.179.21 - - [03/Mar/2014:13:30:47 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 6
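The pattern that gives the intrusion away above is a run of POST requests to a PHP file whose query string names a PHP function (`?2=assert`). The following added example (my own code, not from the original report) triages an access log for exactly that pattern and summarises hits per source IP; the log lines are constructed to mirror the report's pattern and the IPs are documentation addresses, not the real attackers.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common Log Format entry; status and size may be "-" or missing in a copied log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
    r'(?: (?P<status>\d{3}|-))?(?: (?P<size>\d+|-))?'
)
# PHP functions a one-line webshell typically receives as a parameter name or value
# (assumption: extend this list for your own stack).
DANGEROUS = {"assert", "eval", "system", "passthru", "shell_exec", "exec", "create_function"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_webshell_like(entry):
    """Flag a POST to a .php file whose query string carries a dangerous function name."""
    if entry is None or entry["method"] != "POST":
        return False
    url = urlsplit(entry["target"])
    if not url.path.lower().endswith(".php"):
        return False
    params = parse_qs(url.query, keep_blank_values=True)
    names = set(params) | {v.lower() for vals in params.values() for v in vals}
    return bool(names & DANGEROUS)

def triage(lines):
    """Group suspicious requests per source IP: count, first/last timestamp, paths hit."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for line in lines:
        e = parse_line(line)
        if is_webshell_like(e):
            r = report[e["ip"]]
            r["count"] += 1
            r["first"] = r["first"] or e["ts"]
            r["last"] = e["ts"]
            r["paths"].add(urlsplit(e["target"]).path)
    return dict(report)

# Constructed sample modelled on the log pattern in the report (not the real log).
SAMPLE = """\
198.51.100.7 - - [22/Feb/2014:16:01:26 +0800] "GET /css_edit/css.php HTTP/1.1" 200 45841
198.51.100.7 - - [22/Feb/2014:16:06:43 +0800] "POST /css_edit/css.php HTTP/1.1" 200 45958
198.51.100.7 - - [22/Feb/2014:19:17:44 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 458
203.0.113.9 - - [27/Feb/2014:19:55:17 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 200 3297
203.0.113.9 - - [27/Feb/2014:19:56:07 +0800] "POST /css_edit/css-bak/css.php?2=assert HTTP/1.1" 500 -
203.0.113.9 - - [27/Feb/2014:20:00:00 +0800] "GET /index.php?id=assert HTTP/1.1" 200 1200
""".splitlines()
```

Run `triage(SAMPLE)` to get one record per IP; the plain GET in the last line is deliberately left unflagged so the output stays focused on upload-then-command sequences like the one in the report.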
II. Demonstration of the intrusion point
Intrusion point: http://xxx/css_edit/cssx.php
Address of the file generated through it: http://xxx/css_edit/s.php
On 13 March 2014 xxx strengthened its security policy, disabling most risky PHP functions and restricting the site directories, but this serious vulnerability has still not been fixed and remains exploitable.
III. Attempt to connect to the server remotely through the Trojan the attackers left behind
Obtained file management permissions (screenshot)
Obtained database permissions (screenshot)
Then tried to crack the MD5 password hash.
Cracked successfully; the password was very simple.
Backend address: http://xxx/administrator
Example: username Gjy, password gjy123
IV. Database data and log analysis
Baidu has indexed the "Always Color" channel, but a search of the current database data and logs has not found any "Always Color" malicious data.
V. Security recommendations
1. Back up the data, then filter it again for malicious code; compare all files to locate every Trojan, or reinstall the application.
2. Fix the vulnerabilities described above.
3. Since the attackers may have used the webshell to obtain system privileges, change the system administrator passwords.
4. Make the application backend administrator password at least 8 characters long, combining digits, letters and special characters.
5. Backup files must not be stored inside the website directory.
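Two of the findings (configuration.php backups left in the web root, and PHP files appearing in directories that should only hold generated content such as templates_c) can be checked mechanically after cleanup. The following added example (my own code, not from the report) scans a web root for both; the sample tree it builds is constructed to reproduce the report's file names, and the protected-file and data-directory lists are assumptions to extend for your own application.

```python
import os
import re
import tempfile

# Config/source files that must never exist with a trailing suffix in the web root
# (configuration.php1205 is the pattern seen in this report); assumption: extend per app.
PROTECTED = {"configuration.php", "config.php", "settings.php", "wp-config.php"}
BACKUP_SUFFIX = re.compile(r"^(?P<base>.+?\.php)(?P<suffix>\d+|\.bak|\.old|~|\.orig|\.swp|\.txt)$", re.I)
# Directories that should never contain executable PHP (templates_c and css-bak come
# from this report; uploads/images/cache are assumed common cases).
DATA_DIRS = {"templates_c", "uploads", "images", "cache", "css-bak"}

def scan_webroot(root):
    """Return (exposed_backups, php_in_data_dirs) as sorted lists of paths relative to root."""
    backups, php_in_data = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set(rel_dir.split(os.sep)) if rel_dir != "." else set()
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            m = BACKUP_SUFFIX.match(name)
            if m and m.group("base").lower() in PROTECTED:
                backups.append(rel)
            elif name.lower().endswith(".php") and parts & DATA_DIRS:
                php_in_data.append(rel)
    return sorted(backups), sorted(php_in_data)

def build_sample_site():
    """Constructed sample tree reproducing the report's findings (empty files, not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ["configuration.php", "configuration.php1205", "configuration.php140304",
                "index.php", "templates_c/templates.php", "templates_c/compiled.tpl.txt",
                "css_edit/css-bak/css.php", "uploads/photo.jpg"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    exposed, stray_php = scan_webroot(build_sample_site())
    print("exposed backups:", exposed)
    print("php in data dirs:", stray_php)
```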
