
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-091991

Title: Multiple Easou servers compromised

Vendor: easou.com

Author: 我了个去

Submitted: 2015-01-16 11:52

Fixed: 2015-03-02 11:54

Published: 2015-03-02 11:54

Type: Improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-01-16: Details sent to the vendor, awaiting vendor handling
2015-01-16: Vendor confirmed; details disclosed to the vendor only
2015-01-26: Details disclosed to core white hats and domain experts
2015-02-05: Details disclosed to regular white hats
2015-02-15: Details disclosed to intern white hats
2015-03-02: Details disclosed to the public

Brief description:

An earlier vulnerability was not patched in time: getshell, then system root. Later operations checks were inadequate and it was never discovered.

Details:

Earlier, www2.easou.com had an S2 vulnerability; getshell, then root.
I looked through the files under .ssh/ and cracked the shadow file. The ordinary user's password was shared across hosts, so I logged in to multiple servers successfully, and because the kernel version was too old, privilege escalation succeeded on every one of them.
Machines involved:
root@maf!x:/root$ hostname
szmlserver208.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.208 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.208 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
root@maf!x:/root$ hostname
bjserver13_20.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:118.145.13.20 Bcast:118.145.13.63 Mask:255.255.255.192
inet addr:10.21.13.20 Bcast:10.21.15.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:118.145.13.22 Mask:255.255.255.255
root@maf!x:/root$ hostname
bjserver13_17.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:118.145.13.17 Bcast:118.145.13.63 Mask:255.255.255.192
inet addr:10.21.13.17 Bcast:10.21.15.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:118.145.13.22 Mask:255.255.255.255
root@maf!x:/root$ hostname
szmlserver207.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.207 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.207 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:120.197.93.209 Mask:255.255.255.255
root@maf!x:/root$ hostname
szmlserver206.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.206 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.206 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:120.197.93.209 Mask:255.255.255.255
root@maf!x:/root$ hostname
szmlserver205.easou.com
root@maf!x:/root$ ifconfig |grep -i "inet addr"
inet addr:120.197.93.205 Bcast:120.197.93.223 Mask:255.255.255.224
inet addr:10.13.32.205 Bcast:10.13.35.255 Mask:255.255.252.0
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:120.197.93.209 Mask:255.255.255.255
inet addr:120.197.93.213 Mask:255.255.255.255
Kernel version: rhel4 2.6.18-128.el5

Proof:

6 servers in total:
120.197.93.208 19643 root:asdfasdfasdfasdfasdfasdf
120.197.93.205 6033 root:whoami.so
118.145.13.20 6033 root:whoami.so
118.145.13.17 6033 root:whoami.so
120.197.93.206 6033 root:whoami.so
120.197.93.207 6033 root:whoami.so
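The credential list above shows one root password on five of the six hosts, and the details section describes how cracking one host's shadow file and trying the recovered passwords elsewhere turned a single web shell into six root shells. The following is an added example, not code from the original report, showing how a defender runs the same audit before an attacker does: it implements MD5-crypt ($1$), the default /etc/shadow hash on RHEL 5-era hosts such as the 2.6.18-128.el5 machines listed here, cracks shadow lines from three hypothetical hosts against a small wordlist, and reports passwords shared across hosts. The hostnames, salts, accounts and wordlist are constructed for the example; on a real host the entries come from /etc/shadow.

```python
"""Audit shadow entries from several hosts for weak and reused passwords.

Added example for this report, not code from the original page. MD5-crypt ($1$)
is implemented in pure Python after the FreeBSD crypt-md5 construction, so it
does not depend on the deprecated crypt module. Sample data is constructed.
"""
import hashlib
from collections import defaultdict

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: `count` characters of 6 bits each, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password, salt):
    """Return '$1$<salt>$<hash>' for password and salt as bytes (salt without prefix)."""
    magic = b"$1$"
    salt = salt[:8]                                      # at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)                            # len(pw) bytes of md5(pw,salt,pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)                                 # per bit of len(pw): NUL or pw[0]
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                                # fixed 1000-round stretching
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return (magic + salt + b"$" + out + _to64(final[11], 2)).decode()


def parse_shadow(host, lines):
    """Yield (host, user, hash) for entries with a usable hash; pass open('/etc/shadow') on a real host."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        user, pw_hash = line.split(":")[:2]
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue                                     # locked or empty: a separate finding
        yield host, user, pw_hash


def crack(entries, wordlist):
    """Dictionary attack on $1$ hashes; returns {(host, user): password}."""
    cracked = {}
    for host, user, pw_hash in entries:
        if not pw_hash.startswith("$1$"):
            continue                                     # only MD5-crypt is implemented here
        salt = pw_hash.split("$")[2].encode()
        for word in wordlist:
            if md5_crypt(word.encode(), salt) == pw_hash:
                cracked[(host, user)] = word
                break
    return cracked


def reuse_report(cracked):
    """Passwords recovered on more than one host: the lateral-movement finding."""
    by_password = defaultdict(list)
    for account, word in cracked.items():
        by_password[word].append(account)
    return {w: sorted(a) for w, a in by_password.items() if len({h for h, _ in a}) > 1}


def _entry(user, password, salt):                        # constructed shadow line, hashed here
    return "%s:%s:16000:0:99999:7:::" % (user, md5_crypt(password.encode(), salt.encode()))


# Constructed sample: one root password on three hypothetical hosts, each with its own
# salt, so comparing hash strings would miss the reuse; only cracking reveals it.
SAMPLE_SHADOW = {
    "hostA": [_entry("root", "whoami.so", "aB3dE5fG"), _entry("ops", "Summer2014", "Q1w2E3r4"), "nobody:!!:16000::::::"],
    "hostB": [_entry("root", "whoami.so", "zY9xW8vU"), _entry("ops", "c0rrect-h0rse-9x!", "Lm4Nn5Pp")],
    "hostC": [_entry("root", "whoami.so", "tS7rQ6pO"), _entry("deploy", "123456", "hH2jJ3kK")],
}
WORDLIST = ["123456", "password", "whoami.so", "Summer2014", "admin"]   # constructed


def run_audit(shadow_by_host=SAMPLE_SHADOW, wordlist=WORDLIST):
    entries = [e for host, lines in shadow_by_host.items() for e in parse_shadow(host, lines)]
    cracked = crack(entries, wordlist)
    return cracked, reuse_report(cracked)


if __name__ == "__main__":
    cracked, reused = run_audit()
    for (host, user), word in sorted(cracked.items()):
        print("%s %s: weak password %r" % (host, user, word))
    for word, accounts in reused.items():
        print("%r is shared by %s" % (word, ", ".join("%s/%s" % a for a in accounts)))
```

The three root hashes differ because each host has its own salt, so a hash-string comparison reports no reuse; the audit has to crack, not compare. Seed the wordlist with the organisation's known defaults and with every password already recovered during the incident: any account it cracks is one to rotate first, and any password that appears on more than one host is exactly the path described in this report.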

[Screenshot: 20.png]

[Screenshot: 21.png]

Fix:

Change the weak passwords, upgrade the server kernel, and remove the backdoors. The rkclean script is attached:

#!/bin/bash
# rkclean: removes a fixed set of known rootkit, trojaned-sshd and sniffer
# artifacts by path. It only knows these paths, so "NOTFOUND" everywhere does
# not by itself prove the host is clean.
# ANSI colour sequences; printf expands the \033 escape in its format string.
BLK='\033[1;30m'
DRED='\033[0;31m'
DGRN='\033[0;32m'
DBLU='\033[0;34m'
DWHI='\033[0;37m'
BLU='\033[1;34m'
RES='\033[0m'
BAD_SNIFFER_FILES_1="/usr/local/lib/dsniff.services
/etc/cron.daily/dnsquery
/usr/lib/popauth"
BAD_SNIFFER_FILES_2="/usr/local/lib/dsniff.services
/etc/cron.daily/dnsquery
/usr/lib/popauth"
BAD_SSHPATCH_DIRS="/usr/sbin/.backup/
/usr/share/ssh/
/etc/var/
/etc/rpm/ssh/
/usr/include/linux/
/usr/include/linux/pam/"
BAD_SSHPATCH_FILES="/bin/ceva
/usr/include/shup.h
/bin/zcut
/usr/bin/zmuie
/usr/bin/zap
/usr/sbin/rd
/sbin/shs
/sbin/misc
/usr/sbin/sshdold
/usr/include/arpa/suid
/etc/rpm/sshdOLD
/etc/rpm/sshOLD
/usr/sbin/desnfread
/usr/sbin/sshd_configold
/usr/sbin/sshdold"
BAD_SNIFFER_FILES="/etc/rc.d/init.d/log.sub
/dev/hdal
/dev/hdal/clog
/dev/hdal/slog
/dev/httpd
/dev/linux
/dev/noemi
/dev/saux
/dev/saux.h
/etc/gshadow--
/etc/rc.d/init.d/keys.sub
/etc/ssh/.sshd_auth
/etc/sysctl1
/lib/libcap
/lib/libtcl-206.so
/lib/libutil-205.so
/root/ssh.log
/root/sshd2.log
/tmp/.lost+found
/tmp/ssh.log
/usr/bin/tcp.log
/usr/games/.blane
/usr/games/help
/usr/include/cti2.h
/usr/include/gd2.h
/usr/include/glob2.h
/usr/include/gpm2.h
/usr/include/gpmh2.h
/usr/include/libssh.h
/usr/include/linux/dump.h
/usr/include/netda.h
/usr/include/pthread2x.h
/usr/include/pwd2.h
/usr/include/ssh.h
/usr/include/zaux.h
/usr/lib/+c0d.init
/usr/lib/.sshd.h
/usr/lib/libcrypto.sh
/usr/lib/libfl.so
/usr/lib/libfptsk.so
/usr/lib/libice.log
/usr/lib/libshlog
/usr/lib/libsnf.log
/usr/lib/libsocryp.so.9.c.7
/usr/lib/treeball.so
/usr/local/games/.log
/usr/local/include/uconf.h
/usr/share/man/man1/.error
/usr/share/man/man1/sshd.1
/usr/share/passwd.h
/usr/share/sshd.sync
/usr/share/system.sync
/var/html/lol
/var/run/.xD-user
/var/run/pppd.lock
/var/run/sshd.sync
/var/tmp/lotfree_pass.txt"
play()
{
INDENT=2; TEXT=""
ECHOCMD="printf"
while [ $# -ge 1 ]; do
case $1 in
--color)
shift
case $1 in
RED) COLOR=$DRED ;;
GREEN) COLOR=$DGRN ;;
esac
;;
--result)
shift
RESULT=$1
;;
--text)
shift
TEXT=$1
;;
*)
echo "INVALID OPTION (Display): $1"
exit 1
;;
esac
shift
done
if [ ! "${TEXT}" = "" ]; then
LINESIZE=`echo "${TEXT}" | wc -c | tr -d ' '`
SPACES=`expr 50 - ${INDENT} - ${LINESIZE}`
${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C[ ${COLOR}${RESULT}${RES} ]\n"
fi
}
title()
{
printf " ${DBLU} RootKit Search And Remove Tool ... ${RES}\n"
printf " ${DBLU} *Version : ${DGRN}2.0/2012 ${RES}\n"
printf " ${DBLU} *Made by : ${DGRN}Jericho ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
}
banners()
{
clear
printf " ${DBLU}=========================================== ${RES}\n"
printf " ${DGRN} ######### ## ${RES}\n"
printf " ${DGRN} ######### ### ######### ${RES}\n"
printf " ${DGRN} ### #### ######### ${RES}\n"
printf " ${DGRN} ### #### ### ${RES}\n"
printf " ${DGRN} ### ####### ### ${RES}\n"
printf " ${DGRN} ### ####### ### ${RES}\n"
printf " ${DGRN} ### #### ### ${RES}\n"
printf " ${DGRN} ##### #### ### ${RES}\n"
printf " ${DGRN} ##### #### ### ${RES}\n"
printf " ${DGRN} ### #### ### ${RES}\n"
printf " ${DBLU} *Jericho Security Team* ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
}
uidchk()
{
if [ "$(id -u)" != "0" ]; then
title
printf " ${DRED} !!! WARNING !!! WARNING !!! WARNING !!! ${RES}\n"
printf " ${DRED} You must run this script as root or uid 0 ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
exit 1
fi
}
########
banners
uidchk
title
########
printf "\n ${DBLU}Searching for SHV v5/6/7 RootKit ... ${RES}\n"
if [ -f /etc/sh.conf ]; then
SHV5_pass=`cat /etc/sh.conf |cut -d" " -f1 |head -n1 2>/dev/null` 2>/dev/null
SHV5_port=`cat /lib/libsh.so/shdcf |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
play --text "${DBLU}SHV v5/6/7 RootKit ...${RES}" --result FOUND --color RED
printf " --> ${DBLU}Encrypted Password: ${DRED}${SHV5_pass} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Port of RK : ${DRED}${SHV5_port} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Closing port : ${DRED}${SHV5_port} ${DBLU}... ${RES}\n"
/sbin/iptables -I INPUT -p tcp --dport ${SHV5_port} -j DROP 2>/dev/null
/sbin/iptables -I OUTPUT -p tcp --dport ${SHV5_port} -j DROP 2>/dev/null
printf " --> ${DBLU}Chenging atributtes of files owned by the SHV RK v5/6/7 ... ${RES}\n"
chattr -isua /lib/libsh.so/* 2>/dev/null
chattr -isua /lib/libsh.so 2>/dev/null
chattr -isua /usr/lib/libsh/.backup/* 2>/dev/null
chattr -isua /usr/lib/libsh/.backup 2>/dev/null
chattr -isua /usr/lib/libsh/.sniff/* 2>/dev/null
chattr -isua /usr/lib/libsh/.sniff 2>/dev/null
chattr -isua /usr/lib/libsh/utilz/* 2>/dev/null
chattr -isua /usr/lib/libsh/utilz 2>/dev/null
chattr -isua /usr/lib/libsh/* 2>/dev/null
chattr -isua /usr/lib/libsh 2>/dev/null
chattr -isua /dev/srd0 2>/dev/null
chattr -isua /etc/sh.conf 2>/dev/null
chattr -isua /sbin/ttyload 2>/dev/null
chattr -isua /sbin/ttymon 2>/dev/null
chattr -isua /usr/sbin/ttyload 2>/dev/null
printf " --> ${DBLU}Copy files from SHV RK v5/6/7 backup Directory back to the System ... ${RES}\n"
cp -f /usr/lib/libsh/.backup/dir /usr/bin/dir 2>/dev/null
cp -f /usr/lib/libsh/.backup/find /usr/bin/find 2>/dev/null
cp -f /usr/lib/libsh/.backup/ifconfig /sbin/ifconfig 2>/dev/null
cp -f /usr/lib/libsh/.backup/ls /bin/ls 2>/dev/null
cp -f /usr/lib/libsh/.backup/lsof /usr/sbin/lsof 2>/dev/null
cp -f /usr/lib/libsh/.backup/md5sum /usr/bin/md5sum 2>/dev/null
cp -f /usr/lib/libsh/.backup/netstat /bin/netstat 2>/dev/null
# cp -f /usr/lib/libsh/.backup/ps /bin/ps 2>/dev/null
cp -f /usr/lib/libsh/.backup/pstree /usr/bin/pstree 2>/dev/null
cp -f /usr/lib/libsh/.backup/top /usr/bin/top 2>/dev/null
printf " --> ${DBLU}Removing files and folders owned by SHV RK v5/6/7 ... ${RES}\n"
rm -rf /lib/libsh.so/* 2>/dev/null
rm -rf /lib/libsh.so 2>/dev/null
rm -rf /usr/lib/libsh/.backup/* 2>/dev/null
rm -rf /usr/lib/libsh/.backup 2>/dev/null
rm -rf /usr/lib/libsh/.sniff/* 2>/dev/null
rm -rf /usr/lib/libsh/.sniff 2>/dev/null
rm -rf /usr/lib/libsh/utilz/* 2>/dev/null
rm -rf /usr/lib/libsh/utilz 2>/dev/null
rm -rf /usr/lib/libsh/* 2>/dev/null
rm -rf /usr/lib/libsh 2>/dev/null
rm -rf /dev/srd0 2>/dev/null
rm -rf /etc/sh.conf 2>/dev/null
# rm -rf /lib/libproc.a 2>/dev/null
# rm -rf /lib/libproc.so.2.0.6 2>/dev/null
rm -rf /lib/lidps1.so 2>/dev/null
rm -rf /sbin/ttyload 2>/dev/null
rm -rf /sbin/ttymon 2>/dev/null
rm -rf /usr/include/file.h 2>/dev/null
rm -rf /usr/include/hosts.h 2>/dev/null
rm -rf /usr/include/libmsrpc.h 2>/dev/null
rm -rf /usr/include/log.h 2>/dev/null
rm -rf /usr/include/proc.h 2>/dev/null
rm -rf /usr/sbin/ttyload 2>/dev/null
printf " --> ${DBLU}Killing processes owned by SHV RK v5/6/7/ ... ${RES}\n"
printf " --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}ttyload ${DBLU}and ${DRED}ttymon ${DBLU}... ${RES}\n"
# kill has no -q option; pass the PIDs directly
kill -9 `pidof ttyload` >/dev/null 2>&1
kill -9 `pidof ttymon` >/dev/null 2>&1
kill -9 `ps x |grep ttyload |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
kill -9 `ps x |grep ttymon |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
printf " --> ${DBLU}SHV RootKIt v5/6/7 Cleaning Done ... ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
else
play --text "${DBLU}SHV v5/6/7 RootKit ...${RES}" --result NOTFOUND --color GREEN
printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
printf "\n ${DBLU}Searching for SHV v4 RootKit ... ${RES}\n"
if [ -f /etc/ld.so.hash ]; then
SHV4_pass=`cat /etc/ld.so.hash |cut -d" " -f1 |head -n1 2>/dev/null` 2>/dev/null
SHV4_port=`cat /lib/security/.config/ssh/sshd_config |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
play --text "${DBLU}SHV v4 RootKit ...${RES}" --result FOUND --color RED
printf " --> ${DBLU}Encrypted Password: ${DRED}${SHV4_pass} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Port of RK : ${DRED}${SHV4_port} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Closing port : ${DRED}${SHV4_port} ${DBLU}... ${RES}\n"
/sbin/iptables -I INPUT -p tcp --dport ${SHV4_port} -j DROP 2>/dev/null
/sbin/iptables -I OUTPUT -p tcp --dport ${SHV4_port} -j DROP 2>/dev/null
printf " --> ${DBLU}Chenging atributtes of files owned by the SHV RK v4 ... ${RES}\n"
chattr -isua /lib/ldd.so/* 2>/dev/null
chattr -isua /lib/ldd.so 2>/dev/null
chattr -isua /lib/security/* 2>/dev/null
chattr -isua /lib/security 2>/dev/null
chattr -isua /lib/security/.config/* 2>/dev/null
chattr -isua /lib/security/.config 2>/dev/null
chattr -isua /lib/security/.config/ssh/* 2>/dev/null
chattr -isua /lib/security/.config/ssh 2>/dev/null
chattr -isua /usr/include/file.h 2>/dev/null
chattr -isua /usr/include/hosts.h 2>/dev/null
chattr -isua /usr/include/log.h 2>/dev/null
chattr -isua /usr/include/proc.h 2>/dev/null
chattr -isua /usr/sbin/xntps 2>/dev/null
chattr -isua /dev/srd0 2>/dev/null
chattr -isua /etc/ld.so.hash 2>/dev/null
chattr -isua /etc/ttyhash 2>/dev/null
chattr -isua /lib/libext-2.so.7 2>/dev/null
chattr -isua /lib/lidps1.so 2>/dev/null
chattr -isua /lib/libproc.a 2>/dev/null
chattr -isua /lib/libproc.so.2.0.6 2>/dev/null
printf " --> ${DBLU}Removing files and folders owned by SHV RK v4 ... ${RES}\n"
rm -rf /lib/ldd.so/* 2>/dev/null
rm -rf /lib/ldd.so 2>/dev/null
rm -rf /lib/security/* 2>/dev/null
rm -rf /lib/security 2>/dev/null
rm -rf /lib/security/.config/* 2>/dev/null
rm -rf /lib/security/.config 2>/dev/null
rm -rf /lib/security/.config/ssh/* 2>/dev/null
rm -rf /lib/security/.config/ssh 2>/dev/null
rm -rf /usr/include/file.h 2>/dev/null
rm -rf /usr/include/hosts.h 2>/dev/null
rm -rf /usr/include/log.h 2>/dev/null
rm -rf /usr/include/proc.h 2>/dev/null
rm -rf /lib/libproc.a 2>/dev/null
rm -rf /lib/libproc.so.2.0.6 2>/dev/null
rm -rf /etc/ttyhash 2>/dev/null
rm -rf /lib/libext-2.so.7 2>/dev/null
rm -rf /lib/lidps1.so 2>/dev/null
rm -rf /dev/srd0 2>/dev/null
rm -rf /etc/ld.so.hash 2>/dev/null
rm -rf /usr/sbin/xntps 2>/dev/null
printf " --> ${DBLU}Killing processes owned by SHV RK v4 ... ${RES}\n"
printf " --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}xntps ${DBLU}, ${DRED}nscd ${DBLU}and ${DRED}mountd ${DBLU}... ${RES}\n"
# kill has no -q option; pass the PIDs directly
kill -9 `pidof xntps` >/dev/null 2>&1
kill -9 `pidof nscd` >/dev/null 2>&1
kill -9 `pidof mountd` >/dev/null 2>&1
kill -9 `ps x |grep xntps |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
kill -9 `ps x |grep nscd |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
kill -9 `ps x |grep mountd |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
printf " --> ${DBLU}SHV RootKIt v4 Cleaning Done ... ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
else
play --text "${DBLU}SHV v4 RootKit ...${RES}" --result NOTFOUND --color GREEN
printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
printf "\n ${DBLU}Searching for ICE RootKit ... ${RES}\n"
if [ -f /usr/include/iceconf.h ]; then
ICE_pass=``
ICE_port=`cat /usr/include/iceconf.h |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
play --text "${DBLU}ICE RootKit ...${RES}" --result FOUND --color RED
printf " --> ${DBLU}Encrypted Password: ${DRED}${ICE_pass} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Port of RK : ${DRED}${ICE_port} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Closing port : ${DRED}${ICE_port} ${DBLU}... ${RES}\n"
/sbin/iptables -I INPUT -p tcp --dport ${ICE_port} -j DROP 2>/dev/null
/sbin/iptables -I OUTPUT -p tcp --dport ${ICE_port} -j DROP 2>/dev/null
printf " --> ${DBLU}Chenging atributtes of files owned by the ICE RK ... ${RES}\n"
chattr -isua /usr/lib/libice.log 2>/dev/null
chattr -isua /usr/bin/"smbd -D" 2>/dev/null
chattr -isua /usr/include/iceconf.h 2>/dev/null
chattr -isua /usr/include/icekey.h 2>/dev/null
chattr -isua /usr/include/icepid.h 2>/dev/null
chattr -isua /usr/include/iceseed.h 2>/dev/null
printf " --> ${DBLU}Removing files and folders owned by ICE RK ... ${RES}\n"
rm -rf /usr/bin/"smbd -D" 2>/dev/null
rm -rf /usr/include/iceconf.h 2>/dev/null
rm -rf /usr/include/icekey.h 2>/dev/null
rm -rf /usr/include/iceseed.h 2>/dev/null
rm -rf /usr/lib/libice.log 2>/dev/null
printf " --> ${DBLU}Killing processes owned by ICE RK ... ${RES}\n"
printf " --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}smbd -D ${DBLU}... ${RES}\n"
# kill has no -q option; pass the PIDs directly
kill -9 `cat /usr/include/icepid.h 2>/dev/null` >/dev/null 2>&1
kill -9 `ps x |grep smbd |grep D | grep -v grep |awk '{print $1}'` >/dev/null 2>&1
rm -rf /usr/include/icepid.h 2>/dev/null
printf " --> ${DBLU}ICE RootKIt Cleaning Done ... ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
else
play --text "${DBLU}ICE RootKit ...${RES}" --result NOTFOUND --color GREEN
printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
printf "\n ${DBLU}Searching for TORN RootKit ... ${RES}\n"
if [ -f /etc/ttyhash ]; then
TORN_pass=`cat /etc/ttyhash |cut -d" " -f1 |head -n1 2>/dev/null` 2>/dev/null
TORN_port=`cat /usr/info/.t0rn/shdcf |grep Port |cut -d" " -f2 2>/dev/null` 2>/dev/null
play --text "${DBLU}TORN RootKit ...${RES}" --result FOUND --color RED
printf " --> ${DBLU}Encrypted Password: ${DRED}${TORN_pass} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Port of RK : ${DRED}${TORN_port} ${DBLU}... ${RES}\n"
printf " --> ${DBLU}Closing port : ${DRED}${TORN_port} ${DBLU}... ${RES}\n"
/sbin/iptables -I INPUT -p tcp --dport ${TORN_port} -j DROP 2>/dev/null
/sbin/iptables -I OUTPUT -p tcp --dport ${TORN_port} -j DROP 2>/dev/null
printf " --> ${DBLU}Chenging atributtes of files owned by the TORN RK ... ${RES}\n"
chattr -isua /dev/.lib/lib/lib/dev/* 2>/dev/null
chattr -isua /dev/.lib/lib/lib/dev 2>/dev/null
chattr -isua /dev/.lib/lib/lib/* 2>/dev/null
chattr -isua /dev/.lib/lib/lib 2>/dev/null
chattr -isua /dev/.lib/lib/* 2>/dev/null
chattr -isua /dev/.lib/lib 2>/dev/null
chattr -isua /dev/.lib/lib/scan/* 2>/dev/null
chattr -isua /dev/.lib/lib/scan 2>/dev/null
chattr -isua /dev/.lib/* 2>/dev/null
chattr -isua /dev/.lib 2>/dev/null
chattr -isua /usr/info/.t0rn/* 2>/dev/null
chattr -isua /usr/info/.t0rn 2>/dev/null
chattr -isua /usr/man/man1/man1/lib/.lib/.backup/* 2>/dev/null
chattr -isua /usr/man/man1/man1/lib/.lib/.backup 2>/dev/null
chattr -isua /usr/man/man1/man1/lib/.lib/* 2>/dev/null
chattr -isua /usr/man/man1/man1/lib/.lib 2>/dev/null
chattr -isua /usr/man/man1/man1/lib/* 2>/dev/null
chattr -isua /usr/man/man1/man1/lib 2>/dev/null
chattr -isua /usr/man/man1/man1/* 2>/dev/null
chattr -isua /usr/man/man1/man1 2>/dev/null
chattr -isua /usr/man/man1/* 2>/dev/null
chattr -isua /usr/man/man1 2>/dev/null
chattr -isua /usr/man/* 2>/dev/null
chattr -isua /usr/man 2>/dev/null
chattr -isua /usr/src/.puta/* 2>/dev/null
chattr -isua /usr/src/.puta 2>/dev/null
chattr -isua /etc/ttyhash 2>/dev/null
chattr -isua /usr/sbin/nscd 2>/dev/null
chattr -isua /usr/info/.t0rn 2>/dev/null
printf " --> ${DBLU}Removing files and folders owned by TORN RK ... ${RES}\n"
rm -rf /dev/.lib/lib/lib/dev/* 2>/dev/null
rm -rf /dev/.lib/lib/lib/dev 2>/dev/null
rm -rf /dev/.lib/lib/lib/* 2>/dev/null
rm -rf /dev/.lib/lib/lib 2>/dev/null
rm -rf /dev/.lib/lib/* 2>/dev/null
rm -rf /dev/.lib/lib 2>/dev/null
rm -rf /dev/.lib/lib/scan/* 2>/dev/null
rm -rf /dev/.lib/lib/scan 2>/dev/null
rm -rf /dev/.lib/* 2>/dev/null
rm -rf /dev/.lib 2>/dev/null
rm -rf /usr/info/.t0rn/* 2>/dev/null
rm -rf /usr/info/.t0rn 2>/dev/null
rm -rf /usr/man/man1/man1/lib/.lib/.backup/* 2>/dev/null
rm -rf /usr/man/man1/man1/lib/.lib/.backup 2>/dev/null
rm -rf /usr/man/man1/man1/lib/.lib/* 2>/dev/null
rm -rf /usr/man/man1/man1/lib/.lib 2>/dev/null
rm -rf /usr/man/man1/man1/lib/* 2>/dev/null
rm -rf /usr/man/man1/man1/lib 2>/dev/null
rm -rf /usr/man/man1/man1/* 2>/dev/null
rm -rf /usr/man/man1/man1 2>/dev/null
rm -rf /usr/man/man1/* 2>/dev/null
rm -rf /usr/man/man1 2>/dev/null
rm -rf /usr/man/* 2>/dev/null
rm -rf /usr/man 2>/dev/null
rm -rf /usr/src/.puta/* 2>/dev/null
rm -rf /usr/src/.puta 2>/dev/null
rm -rf /etc/ttyhash 2>/dev/null
rm -rf /usr/sbin/nscd 2>/dev/null
rm -rf /usr/info/.t0rn 2>/dev/null
printf " --> ${DBLU}Killing processes owned by TORN RK ... ${RES}\n"
printf " --> ${DBLU}Run 'ps -x' and kill PiD's of ${DRED}nscd ${DBLU}... ${RES}\n"
# kill has no -q option; pass the PIDs directly
kill -9 `pidof nscd` >/dev/null 2>&1
kill -9 `ps x |grep nscd |grep -v grep |awk '{print $1}'` >/dev/null 2>&1
printf " --> ${DBLU}TORN RootKIt Cleaning Done ... ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
else
play --text "${DBLU}TORN RootKit ...${RES}" --result NOTFOUND --color GREEN
printf " ${DBLU}=========================================== ${RES}\n"
fi
############################################################################################
printf "\n ${DBLU}Searching for some SSH Patch Parts ... ${RES}\n"
if [ -f /usr/lib/libutil1.2.1.2.so ]; then
play --text "${DBLU}File /usr/lib/libutil1.2.1.2.so${RES}" --result FOUND --color RED
chattr -isua /usr/lib/libutil1.2.1.2.so 2>/dev/null
rm -rf /sbin/hwclock 2>/dev/null
cp -f /usr/lib/libutil1.2.1.2.so /sbin/hwclock 2>/dev/null
rm -rf /usr/lib/libutil1.2.1.2.so 2>/dev/null
printf " --> ${DBLU}File /usr/lib/libutil1.2.1.2.so Cleaned ... ${RES}\n"
else
play --text "${DBLU}File /usr/lib/libutil1.2.1.2.so${RES}" --result NOTFOUND --color GREEN
fi
if [ -e "/sbin/syslogd " ]; then
play --text "${DBLU}File \"/sbin/syslogd \"${RES}" --result FOUND --color RED
chattr -isua "/sbin/syslogd " 2>/dev/null
rm -rf "/sbin/syslogd " 2>/dev/null
printf " --> ${DBLU}File \"/sbin/syslogd \" Cleaned ... ${RES}\n"
else
play --text "${DBLU}File \"/sbin/syslogd \"${RES}" --result NOTFOUND --color GREEN
fi
if [ -e "/usr/include/linux/sounds.h" ]; then
play --text "${DBLU}File /usr/include/linux/sounds.h${RES}" --result FOUND --color RED
chattr -isua /usr/include/linux/sounds.h 2>/dev/null
rm -rf /usr/include/linux/sounds.h 2>/dev/null
cat /etc/rc.sysinit |grep -v sounds.h |grep -v /usr/include/linux/sounds.h >/tmp/rcsystmp 2>/dev/null
mv /tmp/rcsystmp /etc/rc.sysinit -f 2>/dev/null
printf " --> ${DBLU}File /usr/include/linux/sounds.h Cleaned ... ${RES}\n"
else
play --text "${DBLU}File /usr/include/linux/sounds.h${RES}" --result NOTFOUND --color GREEN
fi
###################################
for fil in $BAD_SSHPATCH_FILES
do
if [ -f $fil ]; then
play --text "${DBLU}File $fil ${RES}" --result FOUND --color RED
chattr -isua $fil 2>/dev/null
rm -rf $fil 2>/dev/null
printf " --> ${DBLU}File $fil erased ... ${RES}\n"
else
play --text "${DBLU}File $fil ${RES}" --result NOTFOUND --color GREEN
fi
done
###################################
for fil in $BAD_SSHPATCH_DIRS
do
if [ -d $fil ]; then   # these entries are directories, so test with -d rather than -f
play --text "${DBLU}Directory $fil ${RES}" --result FOUND --color RED
chattr -isua $fil 2>/dev/null
rm -rf $fil 2>/dev/null
printf " --> ${DBLU}Directory $fil erased ... ${RES}\n"
else
play --text "${DBLU}Directory $fil ${RES}" --result NOTFOUND --color GREEN
fi
done
printf " ${DBLU}=========================================== ${RES}\n"
###################################
printf "\n ${DBLU}Searching for Known Sniffer Files ... ${RES}\n"
for fil in $BAD_SNIFFER_FILES
do
if [ -f $fil ]; then
play --text "${DBLU}File $fil ${RES}" --result FOUND --color RED
chattr -isua $fil 2>/dev/null
cat $fil
cat $fil >>/tmp/sniffer-log.txt 2>/dev/null
rm -rf $fil 2>/dev/null
printf " --> ${DBLU}File $fil erased ... ${RES}\n"
else
play --text "${DBLU}File $fil ${RES}" --result NOTFOUND --color GREEN
fi
done
###################################
printf "\n ${DBLU}RootKit Cleaning Script Finished ... ${RES}\n"
printf " ${DBLU}=========================================== ${RES}\n"
###################################


This is also a reminder: after a vulnerability is fixed, do a thorough check (was the server privilege-escalated? were other services and applications affected? could it set off a chain reaction?).

Copyright notice: when reposting, credit 我了个去@乌云


Response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-01-16 11:56

Vendor reply:

Thanks for pointing this out; we will correct it promptly.

Latest status:

None