Programmers, please do not compete for the job of the system administrator

Author: Tian Yi (sery@163.com)

I received a text message from a buddy. It read:

In addition, the Haidian Branch sent us a letter asking the server maintainer to fix the vulnerability and to provide the background vulnerability files and the attack logs. Archive all the files for me so I can take them to the Haidian Branch next Monday.

The problem looked serious, so I asked for details right away, and then for the system information and login credentials.

I logged in and started by listing the system processes. The output (partly omitted to save space) was as follows:

Two things stand out in the output: the lazy choice of the lampp bundle, and the fact that the box has obviously been compromised. lampp is easy to install but painful to maintain afterwards, and experienced system administrators rarely use it in production; most of the people who do are programmers filling in as system administrators. Everything has two sides: what saves trouble up front costs trouble later, and what costs time up front saves time later. Some programmers think that because installation is a single command there is nothing more to understand, and never look at what sits underneath. When something breaks they have to pick through a heap of tangled configuration, which is slow and exhausting for someone without much experience.

Next, let's see what the trojan is doing. Note the PID of the suspicious process from the listing above and run netstat -anp | grep 20904. The output:

tcp 0 0 2018.5.183.178:12273 202.0.190.89:80 ESTABLISHED 20904/s64
tcp 0 0 2018.5.183.178:30215 202.0.188.113:80 ESTABLISHED 20904/s64
tcp 255 0 2018.5.183.178:25725 86.149.147.85:8686 CLOSE_WAIT 20904/s64
tcp 0 0 2018.5.183.178:25998 202.0.38.31:80 ESTABLISHED 20904/s64
tcp 0 0 2018.5.183.178:52828 202.0.188.105:80 ESTABLISHED 20904/s64
tcp 0 0 2018.5.183.178:33785 202.0.188.33:80 ESTABLISHED 20904/s64

The output shows process 20904 (s64) on this host holding outbound connections on port 80 to 202.0.190.89, 202.0.38.31 and several other 202.0.x.x addresses: the box is being used to push traffic somewhere else, whether for traffic inflation, for pulling down further programs, or for hotlinking. The odd one out is the CLOSE_WAIT connection to 86.149.147.85:8686, a port that is not a web port, with 255 bytes still sitting unread in its receive queue; that is the line to look at first, and the one to keep together with the rest of this listing for the police.
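The triage above, done by hand in the article, as a small script. This is an added example and not the author's code: it parses netstat -anp lines for one PID, separates the peers that are not on ports 80/443, and shows where to read what the process really is. The sample listing is constructed to mirror the article's output (the local address 10.0.0.5 and the sshd line are made up); on a live host pass it the real output instead.

```shell
#!/bin/sh
# Added example, not from the original article: triage the sockets of one
# suspicious PID from `netstat -anp` output and single out peers that are not
# ordinary web ports. SAMPLE_NETSTAT is constructed to mirror the article's
# listing (local address 10.0.0.5 and the sshd line are made up); on a live
# host feed it the real output: netstat -anp 2>/dev/null > /tmp/netstat.txt
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:12273 202.0.190.89:80 ESTABLISHED 20904/s64
tcp 0 0 10.0.0.5:30215 202.0.188.113:80 ESTABLISHED 20904/s64
tcp 255 0 10.0.0.5:25725 86.149.147.85:8686 CLOSE_WAIT 20904/s64
tcp 0 0 10.0.0.5:25998 202.0.38.31:80 ESTABLISHED 20904/s64
tcp 0 0 10.0.0.5:22 10.0.0.9:51234 ESTABLISHED 1187/sshd'

# peers_for_pid PID [FILE]: print "remote_ip remote_port state" for every TCP
# socket owned by PID. Reads FILE if given, otherwise the constructed sample.
peers_for_pid() {
    pid=$1
    if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_NETSTAT"; fi |
    awk -v pid="$pid" '
        $1 ~ /^tcp/ && $7 ~ ("^" pid "/") {
            n = split($5, a, ":")      # the port is the last ":"-separated field
            print a[1], a[n], $6
        }'
}

# nonweb_peers PID [FILE]: the same list without ports 80 and 443. A web host
# talking HTTP outbound is ambiguous; a peer on 8686 is not, and is the first
# address to hand over together with the full listing.
nonweb_peers() {
    peers_for_pid "$1" "$2" | awk '$2 != "80" && $2 != "443"'
}

# describe_pid PID: what the process actually is, read from /proc. This is not
# exercised on the sample data; run it as root on the live host.
describe_pid() {
    pid=$1
    echo "exe: $(readlink "/proc/$pid/exe")"   # a "(deleted)" suffix means the binary was removed after start
    echo "cwd: $(readlink "/proc/$pid/cwd")"   # the article finds it under htdocs/...
    echo "cmd: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

peers_for_pid 20904
echo "--- peers on non-web ports ---"
nonweb_peers 20904
```

Run it with a saved listing as the second argument (peers_for_pid 20904 /tmp/netstat.txt) so the evidence file and the analysis stay separate; describe_pid is the part to run before the process is killed, because /proc/PID disappears with it.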

A cynical guess: does this programmer also connect to the database as root? First locate the document root with grep DocumentRoot httpd.conf; it is /opt/lampp/htdocs. In that directory sits config.php. Open it and, my god. Part of it follows (the comments were garbled by the character encoding in the original; they are rendered here in English):

<?php

/*
[SupeSite] (C) 2007-2009 Comsenz Inc.
$Id: config.new.php 10885 2008-12-30 07:47:03Z zhaofei $
*/

$_SC = array();

// --------------- SupeSite settings ---------------
$_SC['dbhost'] = 'localhost';    // SupeSite database host (usually localhost)
$_SC['dbuser'] = 'root';         // SupeSite database user
$_SC['dbpw'] = 'wscykjw2010';    // SupeSite database password
$_SC['dbname'] = 'wscykjw2013';  // SupeSite database name
$_SC['tablepre'] = 'supe_';      // SupeSite table prefix
$_SC['pconnect'] = 0;            // SupeSite persistent connection: 0 = off, 1 = on
$_SC['dbcharset'] = 'utf8';      // SupeSite database charset
$_SC['siteurl'] = '';            // SupeSite URL, with http:// and no trailing /, e.g. http://www.yourwebsite.com/supesite

// --------------- Discuz! settings ---------------
$_SC['dbhost_bbs'] = 'localhost';   // Discuz! database host
$_SC['dbuser_bbs'] = 'root';        // Discuz! database user
$_SC['dbpw_bbs'] = 'wscykjw2010';   // Discuz! database password
$_SC['dbname_bbs'] = '';            // Discuz! database name
$_SC['tablepre_bbs'] = 'cdb_';      // Discuz! table prefix
$_SC['pconnect_bbs'] = '0';         // Discuz! persistent connection: 0 = off, 1 = on
$_SC['dbcharset_bbs'] = 'utf8';     // Discuz! database charset
$_SC['bbsver'] = '';                // Discuz! version
$_SC['bbsurl'] = '';                // Discuz! URL, with http:// and no trailing /
$_SC['bbsattachurl'] = '';          // Discuz! attachment URL

// --------------- UCenter HOME settings ---------------
$_SC['dbhost_uch'] = 'localhost';   // UCenter HOME database host
$_SC['dbuser_uch'] = 'root';        // UCenter HOME database user
$_SC['dbpw_uch'] = 'wscykjw2010';   // UCenter HOME database password
$_SC['dbname_uch'] = '';            // UCenter HOME database name
$_SC['tablepre_uch'] = 'uchome_';   // UCenter HOME table prefix
$_SC['pconnect_uch'] = '0';         // UCenter HOME persistent connection: 0 = off, 1 = on
$_SC['dbcharset_uch'] = 'utf8';     // UCenter HOME database charset
$_SC['uchurl'] = '';                // UCenter HOME URL, with http:// and no trailing /
$_SC['uchattachurl'] = '';          // UCenter HOME attachment URL

Very much the programmer's style: the root account, how cute. All three applications connect as root with the same password, so one SQL injection or file read in any of them hands over every database on the server. The normal practice is one dedicated account per application, granted only the privileges that application needs.

I also remember a trick programmers love: give every directory read, write and execute for everyone, that is, 777. Luckily the computer was not a Chinese invention, or it would be 999. Change into the document root /opt/lampp/htdocs, run pwd to confirm, then ls -al. The output:

total 2724
drwxrwxrwx 29 root 4096 Jun 21 .
drwxr-xr-x 20 root 4096 Jul 29 2013 ..
drwxr-xr-x 2 nobody 4096 Jun 15 ...
-rwxrwxrwx 1 root 16384 Jul 18 2013 .config.php.swp
-rwxrwxrwx 1 root 190 Jul 22 2013 .htaccess
-rw-r--r-- 1 root 8 Jul 29 2013 1.html
-rwxrwxrwx 1 root 1123419 Jan 1 2012 1.mp3
-rwxrwxrwx 1 root 70814 Dec 16 2011 1.swf
drwxrwxrwx 5 root 4096 Jul 28 2013 admin
-rwxrwxrwx 1 root 5454 May 27 2010 admincp.php
-rwxrwxrwx 1 root 2106 Mar 9 2009 announcement.php
drwxrwxrwx 2 root 4096 Jul 28 2013 api
drwxrwxrwx 7 root 4096 Feb 24 attachments
-rwxrwxrwx 1 root 848 Dec 31 2008 batch.ad.php
-rwxrwxrwx 1 root 9703 Sep 22 2009 batch.comment.php
-rwxrwxrwx 1 root 10912 Sep 23 2009 batch.common.php
-rwxrwxrwx 1 root 1689 Sep 16 2009 batch.download.php
-rwxrwxrwx 1 root 6639 Feb 25 2009 batch.epitome.php
-rwxrwxrwx 1 root 266 Mar 25 2009 batch.formhash.php
-rwxrwxrwx 1 root 3372 Dec 31 2008 batch.html.php
-rwxrwxrwx 1 root 4491 Feb 18 2009 batch.insertimage.php
-rwxrwxrwx 1 root 2630 Dec 31 2008 batch.javascript.php
-rwxrwxrwx 1 root 3261 Oct 22 2009 batch.login.php
-rwxrwxrwx 1 root 3218 Sep 16 2009 batch.modeldownload.php
-rwxrwxrwx 1 root 6842 Sep 22 2009 batch.panel.php
-rwxrwxrwx 1 root 12100 Aug 31 2009 batch.postnews.php
-rwxrwxrwx 1 root 3534 May 27 2010 batch.search.php
-rwxrwxrwx 1 root 2360 Sep 22 2009 batch.secboard.php
-rwxrwxrwx 1 root 1555 Nov 4 2009 batch.tagshow.php
-rwxrwxrwx 1 root 3027 Feb 18 2009 batch.thumb.php
-rwxrwxrwx 1 root 14074 Aug 31 2009 batch.upload.php
-rwxrwxrwx 1 root 1942 Aug 31 2009 bbs.php
.......................... the rest is omitted .....................................

My god, this programmer really went all the way: the document root and everything in it, PHP scripts included, are 777. Note also .config.php.swp, a world-readable editor swap file of config.php left in the document root; a .swp file is not executed as PHP, so unless something blocks it, it can be downloaded as plain text, database password included.

Look at the third entry in the listing, a directory named "..." (three dots). It is suspicious and confusing, and I am sure it confused our cute programmer as well. Hehe, there is quite a lot inside:

-rw-r--r-- 1 nobody 8008 May 23 06:47 cb2.php
-rw-r--r-- 1 nobody 468348 Jan 1 1970 index.html
-rw-r--r-- 1 nobody 6186 May 23 06:47 old.txt
-rw-r--r-- 1 nobody 5948 May 23 06:47 old2.txt
-rw-r--r-- 1 nobody 1289 May 23 06:47 pass.txt
-rwxr-xr-x 1 nobody 20044 May 23 06:47 s64
-rw-r--r-- 1 nobody 1711 May 23 06:47 user.txt
-rw-r--r-- 1 nobody 149 Jun 15 vulnerables.txt

Remember the s64 process from earlier; this is where it hides. Everything here is owned by nobody, the user lampp runs Apache as, so it was written by the web server process itself, which the 777 document root made trivial. Use find to look for anything else that user has written elsewhere on the system, and open a few of these files to confirm they are all part of the trojan kit. Do not read too much into the timestamps: index.html carries a 1970 date, so the files were dropped with their mtimes zeroed or otherwise set by the attacker.
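The checks the article runs by eye on the two listings above, as an added example that is not the author's code: world-writable entries below the document root (the 777 habit), dot-named entries such as "...", files the web server user created, an evidence archive taken before anything is cleaned, and the permission reset. DOCROOT and WEBUSER are parameters; the article's values would be /opt/lampp/htdocs and nobody. Ownership changes need root and are left to the caller.

```shell
#!/bin/sh
# Added example, not from the original article: the audit that would have
# caught both the 777 document root and the "..." drop directory, plus the
# permission reset. The directory and web user are parameters; the article's
# values would be /opt/lampp/htdocs and nobody.

# world_writable DIR: everything below DIR that any user may write (the 777 habit).
world_writable() {
    find "$1" -mindepth 1 -perm -002
}

# dot_entries DIR: dot-named files and directories. Legitimate ones (.htaccess)
# need a glance; "..." or a stray editor swap file like .config.php.swp do not belong.
dot_entries() {
    find "$1" -mindepth 1 -name '.*'
}

# owned_by_webuser DIR USER: files the web server itself created. Under lampp
# that user is nobody; a PHP file or an ELF binary owned by it came in through
# the web application, not through an administrator.
owned_by_webuser() {
    find "$1" -mindepth 1 -user "$2"
}

# preserve_evidence DIR ARCHIVE: tar the directory before anything is cleaned
# up (the police asked for the files). tar stores owner, mode and mtime as-is.
preserve_evidence() {
    tar -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# reset_perms DIR [UPLOAD_SUBDIR...]: directories 755, files 644, and only the
# named upload directories group-writable for the web server's group. The
# matching chown -R root:webgroup DIR must be done as root by the caller.
reset_perms() {
    dir=$1; shift
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    for sub in "$@"; do
        chmod 775 "$dir/$sub"
    done
}

# Usage on the live host (as root):
#   preserve_evidence /opt/lampp/htdocs /root/htdocs-evidence.tar
#   world_writable /opt/lampp/htdocs; dot_entries /opt/lampp/htdocs
#   owned_by_webuser /opt/lampp/htdocs nobody
#   reset_perms /opt/lampp/htdocs attachments
```

Take the archive first and the audit second; reset_perms changes mtimes on nothing but it does change modes, and the modes are part of what the investigators asked to see.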

While we are at it, look at the system accounts. A few lines in /etc/passwd are also off: a dovecot mail account with /bin/bash as its shell, a NoMachine NX remote-desktop server account, and a webmaster account with a shell. None of these belong on a web server, and a service account should get /sbin/nologin rather than a real shell. The lines:

dovecot:x:101:104:/home/dovecot:/bin/bash
nx:x:102:105:/usr/NX/home/nx:/usr/NX/bin/nxserver
webmaster:x:3004:100:/home/webmaster:/bin/bash

Look at his shell history. Line 806 reads: /usr/local/mysql/bin/mysqldump -uroot -pwscykjw > /opt/SQL.SQL. That puts the root password straight on the command line, where it lands in the history file and, while the command runs, in the process list for every user to see. It saves the attacker trouble: once in, he takes the whole database without any effort. That password, already in config.php and the history and by now in the attacker's hands, has to be rotated as part of the cleanup.
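Two pieces that go with the history finding above, as an added example that is not the author's code: a scan of a history file for mysql passwords passed in argv, and the replacement, an option file readable only by its owner that mysqldump reads with --defaults-extra-file so the secret never appears in ps output or the history. The sample history is constructed, with SECRET standing in for the real password; the "backup" account is an assumption (a dedicated dump account, not root).

```shell
#!/bin/sh
# Added example, not from the original article: find passwords typed on the
# mysql command line (they end up in .bash_history and, while the command runs,
# in ps output), and the replacement: an owner-only option file. SAMPLE_HISTORY
# is constructed, with a placeholder instead of the real password; the "backup"
# account name is an assumption.
SAMPLE_HISTORY='cd /opt/lampp/htdocs
/usr/local/mysql/bin/mysqldump -uroot -pSECRET > /opt/SQL.SQL
mysql -u root -p
mysqldump --defaults-extra-file=/root/.backup.cnf wscykjw2013 > /opt/backup.sql
ls -la'

# passwords_in_history [FILE]: numbered lines where a mysql client got its
# password in argv: "-p" glued to a value, or --password=. A bare "-p" prompts
# interactively and is fine. Reads FILE if given, else the constructed sample.
passwords_in_history() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_HISTORY"; fi |
    grep -nE '(mysql|mysqldump|mysqladmin)[^|;]* (-p[^ ]|--password=)'
}

# write_mysql_defaults FILE USER PASSWORD: option file for --defaults-extra-file,
# mode 0600. Created under umask 077 and chmod'ed afterwards so a file that
# already existed with wider permissions is tightened as well.
write_mysql_defaults() {
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# dump_with_defaults FILE DATABASE OUTPUT: argv now carries only the file name.
# --defaults-extra-file has to be the first option mysqldump sees.
dump_with_defaults() {
    mysqldump --defaults-extra-file="$1" --single-transaction "$2" > "$3"
}

passwords_in_history
# On the live host, as the backup user:
#   write_mysql_defaults ~/.backup.cnf backup 'the-new-password'
#   dump_with_defaults ~/.backup.cnf wscykjw2013 /opt/backup.sql
```

Run passwords_in_history against each user's history file (passwords_in_history /root/.bash_history); every hit is a password to consider burned. The scan only covers the mysql clients; the same habit with other tools (curl -u, sshpass) needs its own pattern.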

This compromised site makes a good example: nearly every mistake in the book was made on it. I hope inexperienced programmers think twice before crossing over and doing the system administrator's job. The mess you leave behind is the system administrator's to clean up. Thank you!
