Douyu TV: unauthorized access starting from one IP address exposes the information of more than 20 million users (streamers' phone and QQ numbers, the ability to view/kill each video node, etc.)

Source: Internet
Author: User


I have been looking for an internship recently.

The problem starts with an IP address.


With nothing much to do, I was browsing around. While watching Douyu, which has quite a lot of live broadcasts by good-looking girls, I decided to see how secure Douyu is.


I searched for information on Google until I came across this.
 







Let's open it.
 



Testing shows that the id that follows is the room number of the live video, and some public information is displayed.

These IP addresses caught my attention. They must be IP addresses related to live broadcasting.
 



Apart from 6379, there seems to be nothing worth using. At this point I thought: maybe two or three IP segments belong to Douyu?
 



So, to verify my idea, I scanned the previous IP segment.


Hey, the main problem comes from this segment.
 


I found this information quite interesting. Many hosts have ports such as 6379 open, but since I could not find the web root directory I could not get a shell, so I did not go through them one by one.

The key to the next breakthrough lies in the cluster system. Judging from port 80 on this segment, these may be the machines and monitoring pages of some clusters.
 


The key issues occur at the following IP addresses:


http://119.90.48.215:8080/index.html

http://119.90.48.201:8080/index.html


First, let's talk about this problem.

Storm UI is the interface of a cluster system and is rarely used. The key point is that it can kill some processes and machines in the cluster. Imagine killing a cluster server at will; it might be a live video server or something similar, so the video would freeze, and the danger to the main site can be imagined.
 


The next step is the key to the problem. Because the cluster system allows unauthorized access, many intranet MySQL accounts and passwords are leaked. We cannot reach the intranet, so it is difficult to make practical use of them. However, while going through them I found a password for a MySQL server on the public network, which opened a new door.
 



Did you see it? This is the key!!

Let's try connecting to MySQL with a remote connection tool!
 


There are a lot of databases, and many of them contain many tables. Let's look at one of them.

It is all user information. Although there are no passwords, there are mobile phone numbers and QQ numbers. Imagine what the greatest threat to a streamer would be.


Let's look at the number of rows in the table.
 



In October 2015, the total number of users reached more than 20 million. If such information fell into the hands of hackers, one can imagine how dangerous it would be.

At the same time, the MySQL passwords and information of some internal monitoring servers are also exposed.


There is also a series of phone numbers of Douyu insiders.
 


With further penetration, the danger would be even greater.

 

 

Solution:

Comprehensive repair

(Weak or weak: Do you want to find a solution ).
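
As a starting point for the repair, a host-side check, added here as an example that is not part of the original report: it parses `ss -ltn` output and flags the services this write-up found reachable (Redis on 6379, Storm UI on 8080, and MySQL, assumed to be on its default port 3306) whenever they listen on anything other than loopback. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress

# Ports from the write-up (Redis 6379, Storm UI 8080); MySQL 3306 is an assumed default.
SENSITIVE = {6379: "Redis", 8080: "Storm UI", 3306: "MySQL"}
# Explicit internal ranges, because Python's is_private also matches documentation ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample of `ss -ltn` output; 203.0.113.10 stands in for a public address.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      80     203.0.113.10:3306   0.0.0.0:*
LISTEN 0      128    10.0.0.5:6379       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

def split_local(field):
    """Split the ss 'Local Address:Port' field, handling [v6]:port and %iface."""
    addr, _, port = field.rpartition(":")
    return addr.split("%")[0].strip("[]"), int(port)

def exposure(addr):
    """Classify a bind address as wildcard, loopback, internal or public."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip.version == n.version and ip in n for n in INTERNAL):
        return "internal"
    return "public"

def audit(ss_output):
    """Return (service, addr, port, exposure) for sensitive ports not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue
        addr, port = split_local(line.split()[3])
        kind = exposure(addr)
        if port in SENSITIVE and kind != "loopback":
            findings.append((SENSITIVE[port], addr, port, kind))
    order = {"public": 0, "wildcard": 0, "internal": 1}  # most exposed first
    return sorted(findings, key=lambda f: (order[f[3]], f[2]))

if __name__ == "__main__":
    print(*audit(SAMPLE_SS), sep="\n")
```

Any `public` or `wildcard` finding for these services is a candidate for rebinding to an internal interface, firewalling, and enabling authentication.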
