Serv-U attack
Before reading this article, note the following assumptions about the server:
1. No directory on the server grants the Everyone group Full Control.
2. Permissions on the Web directory are set independently of everything else; the usual setting is read and write with no execute permission.
3. IPSec has been used to restrict access to the relevant ports.
Serv-U listens on a local default management port, and anyone who can reach it with the default administrator account can log in, create a new domain and user, and go on to execute commands. In Serv-U v3.x and later the default local management port is 127.0.0.1:43958, so it only accepts local connections. The default administrator is LocalAdministrator with the password #l@$ak#.lk;0@P. This account is built into Serv-U, so a local process with nothing more than Guest permissions (a webshell, for example) can connect to that port and take over Serv-U administration, as shown in Figure 1.
Prevention methods and countermeasures:
Serv-U versions up to V6: ServUDaemon.exe and ServUAdmin.exe can be edited directly with UltraEdit. The built-in default password can be overwritten with any other string of the same length (it must stay the same length so nothing else in the file moves; change it in both files so the local admin tool can still connect). To change the port, open ServUAdmin.exe in UltraEdit, find the last occurrence of B6 AB (43958 written as little-endian hex) and replace it with your own port, for example 39 30 (12345). However, because Serv-U V6 and earlier contain a remote buffer overflow vulnerability, running these versions is not recommended at all.
Serv-U V6 and later: add LocalSetupPortNo=12345 to ServUDaemon.ini to move the management port off the default, then use IPSec to block all IP access to port 12345 (add a block rule for 12345; if you keep the default port, block 43958 instead). Clicking the "Use Settings / Change Password" button writes the new password hash into ServUDaemon.ini as a line such as
LocalSetupPassword=ah6a0ed50add0a516da36992db43f3aa39 (an MD5-based hash). If you do not change the default management password, the original #l@$ak#.lk;0@P remains valid; it is used only while LocalSetupPassword is empty. Once LocalSetupPortNo=12345 is in place to restrict the management port, the program will of course also listen on the new port.
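As an added example (not code from the original article or from the Serv-U vendor), the following Python helper mirrors the two hardening steps just described and then audits the result: patch_admin_port() performs the "replace the last B6 AB with 39 30" edit on a file image, patch_default_password() overwrites the built-in password with one of identical length, and audit_servu_ini() reads ServUDaemon.ini and reports whether LocalSetupPortNo and LocalSetupPassword were actually changed. Assumptions are labelled in the code: the port is assumed to be stored as a 16-bit little-endian value and the password as a single plain ASCII string, the [GLOBAL] section name and the 34-character hash form are taken from the page's own example rather than vendor documentation, and the sample image and .ini contents are constructed, not real Serv-U files.

```python
import struct

DEFAULT_ADMIN_PORT = 43958                 # 0xABB6, appears in the image as B6 AB
DEFAULT_ADMIN_USER = "LocalAdministrator"
DEFAULT_ADMIN_PASSWORD = "#l@$ak#.lk;0@P"  # 14 ASCII bytes


def patch_admin_port(image: bytes, new_port: int, old_port: int = DEFAULT_ADMIN_PORT) -> bytes:
    """Replace the LAST 16-bit little-endian occurrence of old_port with new_port.

    This is the UltraEdit edit from the article: locate the last B6 AB and write
    the new port in the same two bytes (12345 becomes 39 30).  Assumption: the
    port really is stored as a little-endian 16-bit constant; confirm the offset
    in a hex editor before applying this to a real binary."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port out of range")
    old = struct.pack("<H", old_port)
    new = struct.pack("<H", new_port)
    idx = image.rfind(old)
    if idx < 0:
        raise ValueError("port constant %04X not found in image" % old_port)
    return image[:idx] + new + image[idx + len(old):]


def patch_default_password(image: bytes, new_password: str) -> bytes:
    """Overwrite the built-in password with one of exactly the same length so
    no string offsets move.  Assumption: one plain ASCII copy in the image."""
    old = DEFAULT_ADMIN_PASSWORD.encode("ascii")
    new = new_password.encode("ascii")
    if len(new) != len(old):
        raise ValueError("replacement must be exactly %d bytes" % len(old))
    if image.count(old) != 1:
        raise ValueError("expected exactly one copy of the default password")
    return image.replace(old, new)


def audit_servu_ini(ini_text: str) -> dict:
    """Parse key=value lines of ServUDaemon.ini (section headers and ';' comments
    are skipped) and report whether the management port and password still have
    their default values."""
    values = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        if "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()

    port = int(values.get("localsetupportno", DEFAULT_ADMIN_PORT))
    pw_hash = values.get("localsetuppassword", "")
    findings = []
    if port == DEFAULT_ADMIN_PORT:
        findings.append("management port is still 43958; set LocalSetupPortNo")
    if not pw_hash:
        findings.append("LocalSetupPassword is empty; the default password %s still works"
                        % DEFAULT_ADMIN_PASSWORD)
    elif len(pw_hash) != 34:
        # 2-character prefix + 32 hex characters, as in the article's example (assumption)
        findings.append("LocalSetupPassword is not in the expected 34-character hash form")
    return {"port": port, "password_set": bool(pw_hash), "findings": findings}


# Constructed sample inputs (not real Serv-U files): a fake image holding the
# port constant twice and the default password once, plus two .ini variants.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 6 + b"\xb6\xab" + b"\x00" * 4
                + DEFAULT_ADMIN_PASSWORD.encode("ascii") + b"\x00"
                + b"\xb6\xab" + b"\xff\xff")

DEFAULT_INI = "[GLOBAL]\nVersion=6.0.0.2\nProcessID=1234\n"
HARDENED_INI = ("[GLOBAL]\nVersion=6.0.0.2\nLocalSetupPortNo=12345\n"
                "LocalSetupPassword=ah6a0ed50add0a516da36992db43f3aa39\n")


def demo() -> dict:
    """Apply both patches to the sample image and audit both .ini variants."""
    patched = patch_admin_port(SAMPLE_IMAGE, 12345)
    patched = patch_default_password(patched, "Kq9#mZ2!vL7@pX")  # same length as the default
    return {
        "last_port_bytes": patched[-4:-2],    # the edited occurrence -> 39 30
        "first_port_bytes": patched[8:10],    # earlier occurrence left untouched -> B6 AB
        "default_audit": audit_servu_ini(DEFAULT_INI),
        "hardened_audit": audit_servu_ini(HARDENED_INI),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For Serv-U V6 and later the .ini keys are the supported route and the binary patch is unnecessary; the audit function is the part worth keeping, since an empty LocalSetupPassword line silently leaves the default credentials active even after the port has been moved.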
Set directory permissions so that a webshell cannot run an exploit program: remove the IIS user's execute permission from the Web directory. This method has its limits, because a great many directories have to be set and not a single one may be missed; one misconfigured directory is enough to let an attacker upload and run an exploit from it. Since Web directory permissions are independent and normally read and write with no execute right, uploading other files and running them is unlikely to succeed. Also change the permissions on the Serv-U installation directory (C:\Program Files\Serv-U by default; for security, do not install into the default directory): give the Administrators group Full Control and deny the Guests group any access to the Serv-U directory. This stops a user from downloading ServUDaemon.exe through a webshell, opening it in UltraEdit to recover the management account and password, and then modifying, recompiling, uploading and running an exploit against it. Without this step all of the earlier work is wasted, because the attacker simply reads the new values out of the files; with it, the management port changed in the program file and in ServUDaemon.ini means the default administrator account can no longer be used to connect.
Finally, because the Serv-U service runs under the SYSTEM account by default, it can be used for privilege escalation. Simply change the account the Serv-U service starts under to an ordinary user, and the so-called privilege escalation is gone. Note, however, that this low-privileged user must have Full Control of the Serv-U installation directory and of the directories or drives that provide the FTP service. In my testing, Serv-U started under an ordinary user account could not add or delete users, but everything else worked normally.