A service of Pipi network is improperly configured (as a result, the client can be replaced to update files and implant backdoors)

A service of Pipi network is improperly configured (as a result, the client can be replaced to update files and implant backdoors)

A service of Pipi network is improperly configured (as a result, the client can be replaced to update files and implant backdoors)

The rsync service of five Update Configuration servers can be accessed anonymously.

122.228.68.155:873122.228.68.154:873122.228.68.152:873122.228.68.153:873122.228.68.144:873

rsync 122.228.68.155::ppquery_sctdrwxr-xr-x        4096 2015/03/06 00:26:21 .-rw-r--r--        1189 2015/03/06 00:25:03 234.ini-rw-r--r--        1191 2015/03/06 00:25:53 240.ini-rw-r--r--        1191 2015/03/06 00:25:53 241.ini-rw-r--r--        1191 2015/03/06 00:25:53 242.ini-rw-r--r--        1191 2015/03/06 00:25:53 243.ini-rw-r--r--        1191 2015/03/06 00:25:53 244.ini-rw-r--r--        1191 2015/03/06 00:25:53 245.ini-rw-r--r--        1191 2015/03/06 00:25:53 246.ini-rw-r--r--        1191 2015/03/06 00:25:53 247.ini-rw-r--r--        1194 2015/03/06 00:25:53 248.ini-rw-r--r--        1191 2015/03/06 00:25:53 249.ini-rw-r--r--        1191 2015/03/06 00:25:53 250.ini-rw-r--r--        1189 2015/03/06 00:25:03 271.ini-rw-r--r--        1189 2015/03/06 00:25:03 297.ini-rw-r--r--        1189 2015/03/06 00:25:03 407.ini-rw-r--r--        1189 2015/03/06 00:25:03 409.ini-rw-r--r--        1189 2015/03/06 00:25:03 430.ini-rw-r--r--        1189 2015/03/06 00:25:03 497.ini-rw-r--r--        1189 2015/03/06 00:25:03 525.ini-rw-r--r--        1189 2015/03/06 00:25:03 529.ini-rw-r--r--         317 2015/03/06 00:25:03 all_desk_link.ini-rw-r--r--         313 2015/01/09 13:48:51 all_desk_link_fsfm_qm.ini-rw-r--r--         309 2015/01/09 13:44:57 all_desk_link_fsfm_qm.ini~-rw-r--r--         227 2014/12/05 21:56:53 all_desk_link_hazg.ini-rw-r--r--         319 2015/02/12 13:43:14 all_desk_link_hazg_fsfm.ini-rw-r--r--         314 2015/02/12 13:42:33 all_desk_link_hazg_fsfm.ini~-rw-r--r--         317 2014/12/05 21:57:03 all_desk_link_hazg_jstm.ini-rw-r--r--         314 2015/02/01 21:23:36 all_desk_link_hazg_qm.ini-rw-r--r--         314 2015/02/01 21:23:01 all_desk_link_hazg_qm.ini~-rw-r--r--         315 2014/12/05 21:57:12 all_desk_link_hazg_xxd.ini-rw-r--r--         224 2014/09/04 12:17:58 all_desk_link_jstm.ini-rw-r--r--         312 2014/12/10 13:29:26 all_desk_link_jstm_xxd.ini-rw-r--r--         313 2015/01/13 11:02:04 all_desk_link_qm_fsfm.ini-rw-r--r--         313 2015/01/13 11:01:00 all_desk_link_qm_fsfm.ini~-rw-r--r--         314 2014/12/23 13:35:43 all_desk_link_qm_hazg.ini-rw-r--r--         309 2014/12/26 10:23:15 all_desk_link_qm_xxd.ini-rw-r--r--         223 2014/08/25 21:18:34 all_desk_link_sgh.ini-rw-r--r--         222 2014/09/18 17:35:54 all_desk_link_xxd.ini-rw-r--r--         317 2015/03/06 00:24:51 all_desk_link_zsg_hazg.ini-rw-r--r--         314 2015/03/06 00:24:12 all_desk_link_zsg_hazg.ini~-rw-r--r--         448 2014/12/26 16:22:08 all_desk_src.ini-rw-r--r--         444 2014/12/26 16:21:12 all_desk_src.ini~-rwxr-xr-x         404 2014/08/22 17:18:01 batch_pro.sh-rwxr-xr-x         439 2015/03/06 00:25:49 batch_temp.sh-rwxr-xr-x         377 2015/02/12 13:44:56 batch_temp.sh~-rw-r--r--         108 2014/08/22 17:18:01 clean.ini-rw-r--r--         309 2015/03/06 00:25:03 def_desk_link.ini-rw-r--r--         305 2015/01/09 13:50:08 def_desk_link_fsfm_qm.ini-rw-r--r--         301 2015/01/09 13:49:18 def_desk_link_fsfm_qm.ini~-rw-r--r--         219 2014/12/05 21:57:23 def_desk_link_hazg.ini-rw-r--r--         311 2015/02/12 13:44:17 def_desk_link_hazg_fsfm.ini-rw-r--r--         306 2015/02/12 13:43:39 def_desk_link_hazg_fsfm.ini~-rw-r--r--         309 2014/12/05 21:57:35 def_desk_link_hazg_jstm.ini-rw-r--r--         306 2015/02/01 21:24:17 def_desk_link_hazg_qm.ini-rw-r--r--         306 2015/02/01 21:23:57 def_desk_link_hazg_qm.ini~-rw-r--r--         307 2014/12/05 21:57:47 def_desk_link_hazg_xxd.ini-rw-r--r--         216 2014/09/04 12:20:34 def_desk_link_jstm.ini-rw-r--r--         304 2014/12/10 13:32:25 def_desk_link_jstm_xxd.ini-rw-r--r--         305 2015/01/13 11:02:15 def_desk_link_qm_fsfm.ini-rw-r--r--         305 2015/01/13 11:01:22 def_desk_link_qm_fsfm.ini~-rw-r--r--         306 2014/12/23 13:36:14 def_desk_link_qm_hazg.ini-rw-r--r--         301 2014/12/26 10:24:23 def_desk_link_qm_xxd.ini-rw-r--r--         215 2014/09/04 12:20:38 def_desk_link_sgh.ini-rw-r--r--         214 2014/10/17 14:35:34 def_desk_link_xxd.ini-rw-r--r--         309 2015/03/06 00:23:52 def_desk_link_zsg_hazg.ini-rw-r--r--         306 2015/03/06 00:22:13 def_desk_link_zsg_hazg.ini~-rw-r--r--        1170 2015/03/06 00:25:03 default.ini-rw-r--r--        1170 2014/11/24 15:52:24 default_1.ini-rw-r--r--        1170 2014/11/24 15:52:24 default_2.ini-rw-r--r--        1170 2014/11/24 15:52:24 default_3.ini-rw-r--r--         785 2014/08/22 17:18:01 force.ini-rwxr-xr-x         683 2014/12/26 18:05:18 gen.sh-rwxr-xr-x         409 2014/12/26 16:19:15 gen.sh~-rwxr-xr-x         730 2014/12/02 16:36:28 gen_all_by_para.sh-rwxr-xr-x         561 2014/09/16 16:16:07 gen_def_desklink.sh-rwxr-xr-x         562 2014/09/16 16:16:20 gen_desklink.sh-rwxr-xr-x         945 2014/09/16 16:15:14 gen_fulllink.sh-rw-r--r--         783 2014/08/22 17:18:01 hao123-rw-r--r--         927 2015/01/20 23:33:52 id2url.conf-rw-r--r--         422 2014/12/02 16:29:12 id2url.conf.20141202-rw-r--r--         926 2015/01/06 15:39:29 id2url.conf~-rw-r--r--        1014 2014/10/21 15:38:51 id_source.ini-rw-r--r--         477 2015/01/12 20:39:19 live_share_task.ini-rw-r--r--         476 2015/01/08 16:28:29 live_share_task.ini~-rw-r--r--         305 2015/01/12 20:39:25 live_share_task_pop.ini-rw-r--r--         304 2015/01/08 16:29:33 live_share_task_pop.ini~-rw-r--r--         485 2015/01/12 20:39:30 live_share_task_wang.ini-rw-r--r--         486 2015/01/12 20:39:35 live_share_task_wang.ini.cnc-rw-r--r--         485 2015/01/08 16:29:40 live_share_task_wang.ini.cnc~-rw-r--r--         484 2015/01/08 16:29:37 live_share_task_wang.ini~-rw-r--r--         564 2014/08/22 17:18:01 pi_def.ini-rwxr-xr-x         393 2014/08/22 17:18:01 replace.sh-rw-r--r--        1061 2014/08/22 17:18:01 sample.ini-rw-r-----        3593 2015/02/06 22:33:10 sct.conf-rw-r-----        3305 2015/01/31 23:53:23 sct.conf~

cat 525.ini[h]#how many timestimes=2#interval minutesint_min=5#delay daysdd=0#force fix interval minutesffit=1440fdd=0fa=1#0: not fix; 1: fix has same domain only; 2: fix has argment only; 3: fix all beside white list; 4: fix allmod=4brs=|firefox.exe|qqbrowser.exe|chrome.exe|liebao.exe|iexplore.exe|theworld.exe|maxthon.exe|sogouexplorer.exe|opera/launcher.exe|baidubrowser.exe|2345explorer.exe|url=www.hao123.com/?tn=94472661_hao_pgu0=www.3600.com/?src=lm&ls=n431da8d38fu1=www.2345.com/?k34511517u2=www.duba.com/?un_449343_1173u3=www.88488.com/?sign=rec|www.hao123.com/?tn=94472661_hao_pg#ie home pagefhp=0#url#hpu=fit=10#fix other browser linkflnk=1#url#lnku=#fix interval minutes#flnkit=1440#create Internet Explorer.lnk on desktopcdlnk=0#url#dlnku=#interval minutesdlnkit=144000#only change if existmon=1[d]cn=3it=14400odmax=10=hao123www.hao123.com/?tn=94472661_hao_pg|www.hao123.com/favicon.ico|00_wl=0_cn=0#delay days0_dd=0#interval minutes0_it=1440001=[]|gc.pipi.cn/desktop/zsglw1.html|afm.pipi.cn/pfup/zsg.ico|01_dd=01_it=1440002=[|gc.pipi.cn/desktop/hazg1.html|www.pipi.cn/pfup/hazg2.ico|02_dd=02_it=144000

 

 

cat pi_def.ini[r]stra=maximumcn=1it=1dd=0[0]id=61dd=0;ln=goodpic_600.tmp;pa=/verysilentmd5=a5cfb4ca7f74d913f0396abc5ba9497curl=http://dl.shenmatv.cn/goodpic_dae_600.exehk=HKCR\goodPic\DefaultIcon\[1]id=102url=http://kkupd.gamebox.duowan.com/client/package/38_47/gamebox_setup.exehk=HKCU\Software\duowan\gamebox\InstallDir[2]id=57url=http://dl.pipi.cn/sp/pipi_jiangshen.exehk=HKLM\SOFTWARE\Jiangshen\pipi\delay=300[3]id=170url=http://www.yunduan.cn/update/bfc/bfcmpasetup_ff28_0.exehk=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bfcmpa.exe\

 

cat sct.conf//lsharelshare_ver_file=/home/public/KmPPQueryService/etc/live_share_version.ini#lshare_task_file=/home/public/KmPPQueryService/etc/sct/live_share_task.inilshare_task_file=0-250:/home/public/KmPPQueryService/etc/sct/live_share_task.ini|250-1000:/home/public/KmPPQueryService/etc/sct/live_share_task_wang.ini#lshare_task_file=0-250:/home/public/KmPPQueryService/etc/sct/live_share_task.ini|250-1000:/home/public/KmPPQueryService/etc/sct/live_share_task_pop.inilshare_enable=1lshare_inst_days=0lshare_ex_city=|?|lshare_clk_minver=16974592lshare_clk_reduce=0#not use{{lshare_percent=100lshare_clk_permill=80lshare_webclk_permill=200lshare_clk_permill2=250lshare_webclk_permill2=250#}}#clean_sct_app_build_ver=3178can_set_iehp=1desklnk_boot_only=0fix_favorite=1//desktop shortcutgiven_?=/home/public/KmPPQueryService/etc/sct/clean.inigiven_201=home/public/KmPPQueryService/etc/sct/clean.inigiven_0=/home/public/KmPPQueryService/etc/sct/default.inigiven_271=/home/public/KmPPQueryService/etc/sct/271.inigivenddays_271=1given_525=/home/public/KmPPQueryService/etc/sct/525.inigiven_234=/home/public/KmPPQueryService/etc/sct/234.inigiven_430=/home/public/KmPPQueryService/etc/sct/430.inigiven_529=/home/public/KmPPQueryService/etc/sct/529.inigiven_407=/home/public/KmPPQueryService/etc/sct/407.inigiven_409=/home/public/KmPPQueryService/etc/sct/409.inigiven_297=/home/public/KmPPQueryService/etc/sct/297.inigiven_497=/home/public/KmPPQueryService/etc/sct/497.ini//whiteurl#whiteurl=www.hao123.com|tn|98227422_hao_pg|29065018_253_hao_pg|93890339_hao_pg|98723078_hao_pg|29065018_254_hao_pg|//config urlgivenurl_?=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v1.conf|5ec58330c977d92902d3b83c221b0c90givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v1.conf|5ec58330c977d92902d3b83c221b0c90givenurl_p1=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4cgivenurl_p2=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4cgivenurl_p3=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4cgivenurl_p4=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4cgivenurl_p5=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c#givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck.conf|ef17cce7b9c0e7802c79a7d82739def9#givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck_v7.conf|432eea1a971cca7cd998ef2c8364f2e1pushinst_0=/home/public/KmPPQueryService/etc/sct/pi_def.inipushinstddays_0=0//clk cc domainsclk_cookie_domains=|acxiom-online.com|serving-sys.com|utmz|utmb|utma|optimix.asia|kejet.net|h5po.cn|pagechoice.net|cnzz.mmstat.com|CNZZDATA|cnzz.com|miaozhen.com|mediav.com|_smtz|_smta|_smtp|_smtt|_smtz|allyes.com|HMACCOUNT|_ga|Hm_lvt_|Hm_lpvt_|admaster.com.cn|doubleclick.net|acs86.com|mlt01.com|icast.cn|admckid|admaster.com.cn|_smtz|_smta|_smtp|_smtt|viewlist|clicklist|given_240=/home/public/KmPPQueryService/etc/sct/240.inigiven_241=/home/public/KmPPQueryService/etc/sct/241.inigiven_242=/home/public/KmPPQueryService/etc/sct/242.inigiven_243=/home/public/KmPPQueryService/etc/sct/243.inigiven_244=/home/public/KmPPQueryService/etc/sct/244.inigiven_245=/home/public/KmPPQueryService/etc/sct/245.inigiven_246=/home/public/KmPPQueryService/etc/sct/246.inigiven_247=/home/public/KmPPQueryService/etc/sct/247.inigiven_248=/home/public/KmPPQueryService/etc/sct/248.inigiven_249=/home/public/KmPPQueryService/etc/sct/249.inigiven_250=/home/public/KmPPQueryService/etc/sct/250.ini

 

Solution:

Deprecate or delete