Another weak password at Netease leads to getshell
Simple: a weak password, plain and crude.
Check http://123.58.179.79/whois to verify that this IP belongs to Netease.
The host shows an LNMP installation-complete page.
The phpinfo and phpMyAdmin interfaces had been deleted or renamed, but the LNMP installer also has a pureftpd option.
Visit it to see:
http://123.58.179.79/ftp
It had not been deleted.
In our experience, most such one-click installation environments have weak passwords, so we tried to crack the pureftpd.
Sure enough, the password came out in less than one minute.
It was qwer1234, and it later turned out that the same password also worked for MySQL and SSH.
Next, simply add an FTP account, connect over FTP, and upload the shell.
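A password that falls in under a minute means a dense burst of login attempts, and the web server's access log shows it. The following is an added example, not part of the original report: it flags such bursts in nginx combined-format logs, assuming the guesses were POST requests to the /ftp interface. The threshold, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def guessing_bursts(lines, prefix="/ftp/", limit=10, window=timedelta(seconds=60)):
    """Return {client_ip: time at which it exceeded `limit` POSTs per `window`}.

    Assumptions: logins are POST requests under `prefix`, and 10 per 60 s is
    an illustrative threshold rather than a tuned one.
    """
    recent = defaultdict(deque)  # ip -> POST timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, method, path, _status = m.groups()
        if method != "POST" or not path.startswith(prefix):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()  # drop attempts older than the window
        if len(hits) > limit:
            flagged.setdefault(ip, when)  # keep the first time the limit was crossed
    return flagged

def sample_log():
    """Constructed lines: one client guessing every 2 s, one admin logging in once."""
    fmt = '{ip} - - [01/Jan/2013:12:{m:02d}:{s:02d} +0800] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.5", m=0, s=0, req="GET /ftp/")]
    lines += [fmt.format(ip="198.51.100.7", m=0, s=s, req="POST /ftp/") for s in range(0, 40, 2)]
    lines += [fmt.format(ip="203.0.113.5", m=5, s=0, req="POST /ftp/")]
    return lines

if __name__ == "__main__":
    for ip, when in guessing_bursts(sample_log()).items():
        print(f"{ip} exceeded the login-attempt limit at {when.isoformat()}")
```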
The entire server's directory tree is visible at a glance.
Quickly find the web directory and upload a webshell.
Because of PHP's safe mode, direct command execution is not allowed, but there is still a way around it.
However, there is no need to look up the MySQL password through the webshell. The MySQL password is the same as the SSH one: the same tragic qwer1234. Use this password to connect to SSH directly.
SSH port: 8822
root@hz-10-39:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:1f:49:9e
          inet addr:123.58.179.79  Bcast:123.58.179.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe1f:499e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43826199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12728656 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2927723085 (2.7 GiB)  TX bytes:22349112694 (20.8 GiB)
          Interrupt:23

eth1      Link encap:Ethernet  HWaddr 00:16:3e:07:6c:e3
          inet addr:10.130.10.39  Bcast:10.130.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe07:6ce3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:40729827 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5274253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1992192046 (1.8 GiB)  TX bytes:285304962 (272.0 MiB)
          Interrupt:22

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1328959 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1328959 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:197728577 (188.5 MiB)  TX bytes:197728577 (188.5 MiB)
A proper intranet.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:99:99:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
strong:x:1000:4::/home/strong:/bin/sh
xiongx:x:1002:4::/home/xiongx:/bin/sh
xgtai:x:1003:4::/home/xgtai:/bin/sh
ntp:x:102:104::/home/ntp:/bin/false
Debian-exim:x:103:105::/var/spool/exim4:/bin/false
messagebus:x:104:106::/var/run/dbus:/bin/false
nagios:x:1006:1006::/home/nrpe:/sbin/nologin
bjzhangxin:x:1009:100::/home/bjzhangxin:/bin/sh
bjanduo:x:1011:4::/home/bjanduo:/bin/sh
fabric:x:1012:100::/home/fabric:/bin/sh
mysql:x:1013:1007::/home/mysql:/sbin/nologin
www:x:1014:1008::/home/www:/sbin/nologin
bjzhangfeng:x:1015:4::/home/bjzhangfeng:/bin/sh
Solution:
You know.
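The password qwer1234 mixes letters and digits and is eight characters long, so a length-and-character-class rule accepts it. The following is an added example, not part of the original report: a credential check that rejects keyboard-walk passwords of that kind and reports one secret shared by several services, as happened here with pureftpd, MySQL and SSH. The function names, the coverage threshold and the service labels are assumptions made for the illustration.

```python
from collections import defaultdict

# Keyboard rows and plain sequences that character-class rules do not catch.
WALKS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
         "abcdefghijklmnopqrstuvwxyz")

def walk_runs(password, min_run=3):
    """Return the runs (length >= min_run) that follow a keyboard row or a
    plain sequence, forwards or backwards, scanning left to right."""
    s = password.lower()
    runs, i = [], 0
    while i < len(s):
        best = 1
        for row in WALKS:
            for seq in (row, row[::-1]):
                pos = seq.find(s[i])
                n = 1
                while (pos >= 0 and i + n < len(s) and pos + n < len(seq)
                       and s[i + n] == seq[pos + n]):
                    n += 1
                best = max(best, n)
        if best >= min_run:
            runs.append(s[i:i + best])
        i += best  # continue after the longest run found at this position
    return runs

def is_keyboard_walk(password, coverage=0.75):
    """True when walk runs cover at least `coverage` of the password."""
    covered = sum(len(run) for run in walk_runs(password))
    return bool(password) and covered / len(password) >= coverage

def shared_secrets(creds):
    """Group services that use the same secret; `creds` maps service -> secret."""
    by_secret = defaultdict(list)
    for service, secret in sorted(creds.items()):
        by_secret[secret].append(service)
    return [services for services in by_secret.values() if len(services) > 1]

if __name__ == "__main__":
    # Constructed inventory; only qwer1234 comes from the report above.
    creds = {"pureftpd": "qwer1234", "mysql": "qwer1234", "ssh": "qwer1234",
             "backup": "v9#Lk2pQx7"}
    for service, secret in creds.items():
        print(service, "keyboard walk" if is_keyboard_walk(secret) else "ok")
    print("shared by:", shared_secrets(creds))
```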