The purpose of this article is not to teach people to intrude into Linux servers, but to help readers improve their own skills and to raise the security awareness of network administrators. That's all! Careless network administrators should understand that a small mistake may cause the entire network to fall! This article focuses on LPD: network printing service attacks.
First, pick the target; assume it is www.XXX.com.
First, check whether it is reachable:
The following is a reference clip:
C:\>ping www.XXX.com
Pinging www.XXX.com [202.106.184.200] with 32 bytes of data:
Reply from 202.106.184.200: bytes=32 time=541ms TTL=244
Reply from 202.106.184.200: bytes=32 time=620ms TTL=244
Reply from 202.106.184.200: bytes=32 time=651ms TTL=244
Reply from 202.106.184.200: bytes=32 time=511ms TTL=244
Ping statistics for 202.106.184.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 511ms, Maximum = 651ms, Average = 580ms
Not only is it reachable, but the speed is not bad. Telnet to it to see the banner:
C:\>telnet www.XXX.com
The connection to the host is lost.
Next, try FTP:
The following is a reference segment:
C:\>ftp www.XXX.com
Connected to www.fbi.gov.tw.
220 XXX-www FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.
User (www.XXX.com:(none)):
wu-2.6.1 is a little eye-catching. This machine looks like Red Hat 7.0! First, connect to the stepping-stone host:
The following is a reference segment:
C:\>telnet xxx.xxx.xxx.xxx
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22smp on an i686
login: fetdog
Password:
bash-2.04$
Run the nmap scanner against the target to see what it exposes:
The following is a reference snippet:
bash-2.04$ nmap -sT -O www.XXX.com
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
WARNING! The following files exist and are readable: /usr/local/sha-services and ./nmap-services. I am choosing /usr/local/share/nmap/s for security reasons. set NMAPDIR=. to give priority to files in irectory
Interesting ports on (www.XXX.com):
(The 1520 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
443/tcp    open        https
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
587/tcp    open        submission
1024/tcp   open        kdm
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3247917 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
Many ports are open, which increases the possibility of intrusion. Start with 79/tcp open finger: check it first, although Linux does not have the finger user-list vulnerability.
The following is a reference clip:
bash-2.04$ finger @www.XXX.com
[www.XXX.com]
No one logged on.
Next, look at 111/tcp open sunrpc. RPC vulnerabilities have become popular recently, and it is not clear whether RH7 has any. Let's take a look!
The following is a reference clip:
bash-2.04$ rpcinfo -p www.XXX.com
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100024    1   udp   1025  status
    100024    1   tcp   1024  status
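Seen from the administrator's side, the nmap port table and the rpcinfo listing above can be turned into a cleanup list for the host. The following is an added example, not part of the original article: the LEGACY policy, the function names and the remediation text are assumptions of this example, and the sample input is the port and RPC rows shown above. It also shows that the name nmap prints beside a port is only a port-number lookup, so 1024/tcp is labelled kdm although rpcinfo shows the status service registered there.

```python
import re

# Assumed policy: legacy services an Internet-facing host should not expose.
LEGACY = {
    "finger": "disable in inetd/xinetd",
    "login": "rlogin: replace with SSH",
    "shell": "rsh: replace with SSH",
    "printer": "LPD: disable or restrict to print clients",
    "sunrpc": "portmapper: filter at the perimeter",
}
ALIASES = {"rpcbind": "sunrpc"}  # same service under two names
NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")
RPC_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)$")

def parse_nmap(text):
    """Map (port, proto) -> service name for ports nmap reports as open."""
    rows = (NMAP_ROW.match(ln.strip().lower()) for ln in text.splitlines())
    return {(int(m[1]), m[2]): m[4] for m in rows if m and m[3] == "open"}

def parse_rpcinfo(text):
    """Map (port, proto) -> RPC service registered with the portmapper."""
    rows = (RPC_ROW.match(ln.strip().lower()) for ln in text.splitlines())
    return {(int(m[4]), m[3]): ALIASES.get(m[5], m[5]) for m in rows if m}

def audit(nmap_text, rpc_text):
    """Return (legacy exposures, ports whose nmap name rpcinfo contradicts)."""
    ports, rpc = parse_nmap(nmap_text), parse_rpcinfo(rpc_text)
    legacy = {k: LEGACY[s] for k, s in ports.items() if s in LEGACY}
    mislabeled = {k: (s, rpc[k]) for k, s in ports.items()
                  if k in rpc and rpc[k] != s}
    return legacy, mislabeled

# Sample input: the open-port rows and rpcinfo rows shown in this article.
NMAP_SAMPLE = """25/tcp open smtp
79/tcp open finger
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
443/tcp open https
513/tcp open login
514/tcp open shell
515/tcp open printer
587/tcp open submission
1024/tcp open kdm"""
RPC_SAMPLE = """100000 2 tcp 111 rpcbind
100021 1 udp 1024 nlockmgr
100024 1 udp 1025 status
100024 1 tcp 1024 status"""
```

Calling audit(NMAP_SAMPLE, RPC_SAMPLE) returns the five legacy exposures (79, 111, 513, 514 and 515/tcp) with their remediation, plus the single mislabeled port 1024/tcp.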