

Microsoft Windows Remote Desktop Protocol (TCP 3389) code execution vulnerability

Microsoft Windows is Microsoft's widely deployed operating system. The Remote Desktop Protocol (RDP) implementation in Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2 and R2 SP1, and Windows 7 Gold and SP1 contains a vulnerability (CVE-2012-0002) caused by incorrect handling of packets in memory. A remote attacker can send specially crafted RDP packets that make the server access an object that was (1) not properly initialised or (2) already deleted, and thereby execute arbitrary code without authenticating first. It is also referred to as the 'Remote Desktop Protocol Vulnerability'. A patch has been released; where it cannot be installed immediately, the following temporary mitigations apply:

Method 1: disable Terminal Services, Remote Desktop, Remote Assistance and the Windows Small Business Server 2003 Remote Web Workplace feature.
Method 2: block TCP port 3389 at the enterprise perimeter firewall (this does nothing against an attacker who is already inside the perimeter).
Method 3: on supported editions of Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2, enable Network Level Authentication (NLA). NLA forces the client to authenticate before the vulnerable code path is reached, so it removes only the unauthenticated case; an attacker holding valid credentials can still exploit an unpatched host.

The vendor has released an update that fixes the issue: http://technet.microsoft.com/zh-cn/security/bulletin/ms12-020

Source: MS, MS12-020, http://technet.microsoft.com/security/bulletin/MS12-020

Source: SECUNIA, 48353, http://secunia.com/advisories/48353



ARP noise caused by the DELL R410's remote-management IP

arpwatch tracks Ethernet/IP address pairings on a network and reports changes by e-mail. It uses pcap to listen for ARP packets on the local interface. Options:

-d           print debugging output
-N           do not report bogons
-f <file>    ARP database file
-i <iface>   interface to listen on
-n <net>     additional local network (repeatable)
-r <file>    read ARP records from a pcap file instead of the network
-u <user>    drop privileges to this user
-e <addr>    send the reports to this address instead of root
-s <addr>    sender address of the reports instead of root

[Report messages]

ethernet broadcast: the host's MAC address is a broadcast address
ip broadcast: the host's IP address is a broadcast address
bogon: the source IP address is not on the local subnet
ethernet mismatch: the source MAC differs from the MAC carried inside the ARP packet
reused old ethernet address: the IP has moved back to a MAC it used before (a "flip flop")
suppressed DECnet flip flop: a flip flop involving a DECnet address was not reported

Local network: 192.168.0.0/24. Servers: Dell R410 running CentOS 5.x and 6.x.

Start arpwatch:

#arpwatch

#tail -f /var/log/messages

Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31
Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82
Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

bogon means the source IP is not on the subnet of the interface arpwatch is watching (if 192.168.0.0/24 is legitimately local to that interface, pass it with -n so ordinary traffic is not reported and real changes show up as address changes instead). The logs of several machines show multiple MACs using 192.168.0.120, an IP I never configured. Oddly, it is always the same handful of MACs, which does not look like an ARP attack:

Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

Compared carefully, each MAC in the log differs from the eth1 MAC of a server by a single digit, which is what a management controller sharing the onboard NIC looks like. I then remembered that one of the R410s seemed to show 192.168.0.120 while booting, and a quick search confirmed that 192.168.0.120 is the default address of Dell's remote management controller (iDRAC). Tested right away: during boot, after the SAS stage, press Ctrl+C to enter IP management and set it to disabled; after the next boot that MAC was gone, which confirms it. Disabling the management network is the blunt fix; the alternative is to give each iDRAC a static address on a dedicated management VLAN, which also keeps the controller's login page off the production LAN.
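With several servers logging the same address, the quick way to see the pattern is to group the arpwatch lines by IP and count the distinct MACs per IP. The script below is an added example, not part of the original post; the log lines it embeds are constructed in the /var/log/messages format shown above, and it parses only "bogon" and "new station" messages because those end with exactly one IP followed by one MAC.

```shell
#!/bin/sh
# Added example, not from the original post: summarise arpwatch syslog lines
# by IP so that an address claimed by several MACs (as 192.168.0.120 was
# above) stands out.

# Constructed sample in the format /var/log/messages showed above.
arpwatch_sample() {
cat <<'EOF'
Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82
Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:59:01 c1g sshd[2210]: Accepted publickey for c1g from 192.168.0.5
EOF
}

# Print "IP count MAC..." for each IP, most MACs first. Reads a file, or
# stdin when no file is given ("-" is awk's name for stdin).
macs_per_ip() {
    awk '/arpwatch: (bogon|new station) / {
            ip = $(NF-1); mac = $NF; key = ip SUBSEP mac
            if (!(key in seen)) { seen[key] = 1; n[ip]++; list[ip] = list[ip] " " mac }
         }
         END { for (ip in n) print ip, n[ip] list[ip] }' "${1:--}" | sort -k2,2nr
}

# IPs that arpwatch saw with more than one MAC: duplicate-address candidates
# (a misconfigured device, as here, or a host spoofing ARP replies).
conflicting_ips() {
    macs_per_ip "${1:--}" | awk '$2 > 1 { print $1 }'
}

# On a live box:  conflicting_ips /var/log/messages
# With the sample: arpwatch_sample | conflicting_ips   -> 192.168.0.120
```

The per-IP MAC list is also what separates the two explanations: a fixed set of MACs recurring in order points at several devices that all boot with the same factory default, whereas ARP spoofing typically shows one attacker MAC claiming many IPs.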



Installing the rootkit checker chkrootkit

Rootkits are a standard intruder tool: they quietly establish a way to get back into a system, or to keep controlling it, without the owner noticing. chkrootkit checks whether a known rootkit has been installed. It cannot find 100% of them, and because it inspects the running system with the system's own binaries, a kernel-level rootkit that hides from the host can hide from chkrootkit as well; keep a copy of trusted binaries (chkrootkit accepts an alternate binary path with -p) and treat a clean report as a good sign rather than proof. Install it before the server goes live. Official site: http://www.chkrootkit.org. The latest release at the time of writing is chkrootkit-0.49; if the official download is unreachable, the copy on this blog can be used: https://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz. Test system: CentOS 5.8.

1. Installation

wget https://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
tar zxvf chkrootkit-0.49.tar.gz
cd chkrootkit-0.49
make sense
cd ..
mv -f chkrootkit-0.49 /usr/local/chkrootkit
chown -R root:root /usr/local/chkrootkit
chmod -R 700 /usr/local/chkrootkit

2. Running it

Some of the checks have to be run from the chkrootkit directory, so cd there first:

cd /usr/local/chkrootkit
./chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/python2.4/config/.relocation-tag
/usr/lib/gtk-2.0/immodules/.relocation-tag
/usr/lib/.libgcrypt.so.11.hmac
/lib/.libssl.so.0.9.8e.hmac
/lib/.libcrypto.so.0.9.8e.hmac
/lib/.libssl.so.6.hmac
/lib/.libcrypto.so.6.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/tmp/pear/download/Archive_Tar-1.3.9/Archive/Tar.php
/tmp/pear/download/XML_Util-1.2.1/tests/AllTests.php
/tmp/pear/download/XML_Util-1.2.1/Util.php
/tmp/pear/download/XML_Util-1.2.1/examples/example2.php
/tmp/pear/download/XML_Util-1.2.1/examples/example.php
/tmp/pear/download/Archive_Tar-1.3.7/Archive/Tar.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/TopologicalSorter.php
/tmp/pear/download/PEAR-1.9.1/PEAR5.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.1/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Package/Parser/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.1/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.1/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.1/System.php
/tmp/pear/download/PEAR-1.9.1/PEAR.php
/tmp/pear/download/PEAR-1.9.1/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.2.3/Console/Getopt.php
/tmp/pear/download/PEAR-1.9.4/PEAR5.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.4/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.4/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.4/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.4/System.php
/tmp/pear/download/PEAR-1.9.4/PEAR.php
/tmp/pear/download/PEAR-1.9.4/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.3.1/Console/Getopt.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/TopologicalSorter.php
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

None of the files listed above is a problem: the .relocation-tag and .hmac files are shipped by the distribution (the .hmac files are the FIPS integrity checksums for openssl and libgcrypt), and the PHP files are PEAR's download cache under /tmp/pear. The warning that /root/.mysql_history is a symlink is worth checking once (it is often pointed at /dev/null deliberately, to keep passwords out of the history). If any check prints INFECTED, investigate:

./chkrootkit | grep INFECTED

3. Running it automatically

Create a script that runs daily and mails a report when something is found: vi chkrootkitcron.sh

#!/bin/bash
TOOLKITSPATH=/usr/local
MAILUSER=root@localhost
file_chkrootkit_log=chkrootkitcron.log
servername=`hostname`
date=`date +%Y-%m-%d`
cd ${TOOLKITSPATH}/chkrootkit
./chkrootkit > ${file_chkrootkit_log}
# mail only when at least one check reported INFECTED
[ ! -z "$(grep INFECTED ${file_chkrootkit_log})" ] && \
grep INFECTED ${file_chkrootkit_log} | mail -s "[chkrootkit] report in ${servername} ${date}" ${MAILUSER}

Add it to root's crontab (the entry below expects the script in /opt/shell):

echo "40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1" >> /var/spool/cron/root
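Grepping for INFECTED misses the other two things a daily run can tell you: a new path under "Searching for suspicious files" and a check whose result changed since yesterday. The script below is an added example, not part of the original post: it keeps a baseline report from a known-good run and reports only the lines that are new relative to it, plus any line that is a positive finding on its own. The two embedded reports are constructed sample output, not real scan results.

```shell
#!/bin/sh
# Added example, not from the original post: compare a fresh chkrootkit report
# with a saved known-good baseline so the daily mail carries only NEW findings,
# instead of the same benign .hmac and PEAR paths every morning.

# Constructed baseline: what a clean run on this host looked like.
baseline_report() {
cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ls'... not infected
Searching for suspicious files and dirs, it may take a while...
/lib/.libcrypto.so.6.hmac
Checking `lkm'... chkproc: nothing detected chkdirs: nothing detected
EOF
}

# Constructed later run: ls replaced, a new hidden file, an LKM warning.
new_report() {
cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ls'... INFECTED
Searching for suspicious files and dirs, it may take a while...
/lib/.libcrypto.so.6.hmac
/tmp/.ICE-unix/.x
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
EOF
}

# Lines that are a positive finding on their own, baseline or not.
findings() {
    grep -E 'INFECTED|Warning:' "${1:--}"
}

# Lines of the new report ($2) that do not appear verbatim in the baseline ($1):
# new suspicious paths, and every check whose result text changed.
new_lines() {
    grep -vxF -f "$1" "$2"
}

# Daily use (paths are an assumption): save the first clean run as baseline,
# then mail the delta instead of grepping for INFECTED alone.
#   ./chkrootkit > /var/lib/chkrootkit/today.log
#   { findings /var/lib/chkrootkit/today.log
#     new_lines /var/lib/chkrootkit/baseline.log /var/lib/chkrootkit/today.log; } | sort -u
```

Refresh the baseline only after you have explained every new line; a baseline refreshed blindly would teach the check to ignore the very file you are looking for.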



Restricting execute permission on the /tmp partition

Linux privilege-escalation rootkits are almost always compiled executables, and forbidding execution from /tmp takes away the most common place to run them from. Perl and PHP scripts are interpreted and can be run as "perl /tmp/x.pl" or "php /tmp/x.php", so noexec does not restrict them; the same goes for "sh /tmp/x.sh", and an attacker who can write anywhere else (/dev/shm, /var/tmp, the web root) can copy a binary there instead. Treat noexec on /tmp as one layer of defence in depth, not as a boundary.

First the case of a separate /tmp partition.

1. mount shows /tmp mounted with default options

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

2. Add nosuid,noexec to the /tmp entry: vi /etc/fstab

/dev/VolGroup00/LogVol01 /     ext3 defaults              1 1
/dev/VolGroup01/LogVol00 /opt  ext3 defaults              1 2
/dev/VolGroup00/LogVol03 /var  ext3 defaults              1 2
/dev/VolGroup00/LogVol02 /tmp  ext3 defaults,nosuid,noexec 1 2
LABEL=/boot              /boot ext3 defaults              1 2
tmpfs                    /dev/shm tmpfs defaults          0 0
devpts                   /dev/pts devpts gid=5,mode=620   0 0
sysfs                    /sys  sysfs defaults             0 0
proc                     /proc proc  defaults             0 0
/dev/VolGroup00/LogVol00 swap  swap  defaults             0 0

3. Remount /tmp with the options from fstab

mount -o remount /tmp

4. Check again with mount

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

5. Test executing a file: vi test.sh

#!/bin/bash
echo '/tmp test'

chmod u+x ./test.sh
./test.sh
-bash: ./test.sh: /bin/bash: bad interpreter: Permission denied

Direct execution is refused; note that "bash ./test.sh" still runs, which is the interpreter caveat above.

6. Move /var/tmp onto the same partition

mv /var/tmp/* /tmp/
rm -fr /var/tmp
ln -s /tmp /var/tmp

Without a separate /tmp partition, create a 10 GB file with dd and mount it on /tmp through the loop device:

cd /usr/
dd if=/dev/zero of=Tmp bs=1024 count=10000000
mkfs -t ext3 /usr/Tmp
mkdir /tmp_backup
cp -ar /tmp /tmp_backup
mount -o loop,rw,noexec,nosuid /usr/Tmp /tmp
cp -ar /tmp_backup/tmp/* /tmp/
chmod 0777 /tmp
chmod +t /tmp
rm -rf /tmp_backup
# add it to fstab so it is mounted at boot
echo "/usr/Tmp /tmp ext3 loop,rw,noexec,nosuid 0 0" >> /etc/fstab

The two chmod calls together give /tmp the usual mode 1777 (world-writable with the sticky bit, so users cannot delete each other's files). Do the copy while nothing is using /tmp (single-user mode, or with services stopped): a process that already holds a file under the old /tmp keeps writing to the directory hidden beneath the new mount.
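After the remount it pays to verify the options from /proc/mounts rather than trusting the fstab edit, and to look at the other world-writable locations at the same time. The check below is an added example, not part of the original post; it reads /proc/mounts by default, and the optional table argument plus the embedded sample table (constructed in /proc/mounts format) exist so it can be exercised against a captured mount table.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a mount point really
# carries the hardening options after the fstab edit and remount.

# Option list (4th field of /proc/mounts) for mount point $1 from table $2.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4 }' "${2:-/proc/mounts}"
}

# Succeed only if every option in the comma-separated list $2 is set on $1.
# $3 optionally names the mount table to read instead of /proc/mounts.
has_opts() {
    opts=$(mount_opts "$1" "$3")
    [ -n "$opts" ] || return 1          # not a mount point at all
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed table in /proc/mounts format: /tmp remounted as in step 4,
# /dev/shm still plain rw (tmpfs is also world-writable and is the usual
# second choice for dropping a binary once /tmp is noexec).
sample_mounts() {
cat <<'EOF'
/dev/mapper/VolGroup00-LogVol01 / ext3 rw,relatime 0 0
/dev/mapper/VolGroup00-LogVol02 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
EOF
}

# Report which of the usual drop locations still allow execution. /var/tmp
# counts as "NOT hardened" unless it is its own mount; when it is a symlink
# to /tmp, as in step 6, it inherits /tmp's options and the /tmp line covers it.
report() {
    for mp in /tmp /var/tmp /dev/shm; do
        if has_opts "$mp" nosuid,noexec "$1"; then
            echo "$mp ok"
        else
            echo "$mp NOT hardened"
        fi
    done
}

# Live check: report          (reads /proc/mounts)
# Sample:     f=$(mktemp); sample_mounts > "$f"; report "$f"
```

Because the check works on the option string the kernel reports, it also catches the case where a later "mount -o remount" by a maintenance script silently dropped noexec again.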



Linux basic security configuration script 1.2 released

Based on the Linux basic security configuration guide; a convenient way to apply a number of basic Linux security settings.

Updates
=============
Compatible with CentOS/RHEL 6 (tty, ctrlaltdel, ipv6)
Disabling services can now use a whitelist, which is more reliable
su group restriction: compatibility fixed (users allowed to su must be added to the group with gpasswd; sudoers are not affected)

#vi autosafe.sh

#!/bin/bash
#########################################################################
#
# File:        autosafe.sh
# Description:
# Language:    GNU Bourne-Again SHell
# Version:     1.2
# Date:        2012-3-30
# Corp.:       c1gstudio
# Author:      c1g
# WWW:         https://blog.c1gstudio.com
### END INIT INFO
###############################################################################

# WORKUSER and SSHPORT can be overridden from the environment.
if [[ ! -n ${WORKUSER} ]]; then
    WORKUSER=c1g
fi
if [[ ! -n ${SSHPORT} ]]; then
    SSHPORT=22
fi

V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"
V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"
V_PASSMINLEN=8
V_HISTSIZE=30
V_TMOUT=300
V_GROUPNAME=suadmin
#V_SERVICE Not working since Version 1.2
V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd xfs xinetd yppasswdd ypserv yum-updatesd tog-pegasus"
V_TTY="3|4|5|6"
V_TTY6="1-2"
V_SUID=( '/usr/bin/chage' '/usr/bin/gpasswd' '/usr/bin/wall' '/usr/bin/chfn' '/usr/bin/chsh' '/usr/bin/newgrp' '/usr/bin/write' '/usr/sbin/usernetctl' '/bin/traceroute' '/bin/mount' '/bin/umount' '/sbin/netreport' )

# major release number taken from /etc/issue.net ("CentOS release 6.2 ..." -> 6)
linuxvar=`cat /etc/issue.net |head -n1`
linuxvar=${linuxvar#*release}
linuxvar=${linuxvar:1:1}
version=1.2

safe_deluser(){
    echo "delete user ..."
    for i in $V_DELUSER ;do echo "deleting $i"; userdel $i ; done
}
safe_delgroup(){
    echo "delete group ..."
    for i in $V_DELGROUP ;do echo "deleting $i"; groupdel $i; done
}
safe_password(){
    echo "change password limit ..."
    echo "/etc/login.defs"
    echo "PASS_MIN_LEN $V_PASSMINLEN"
    sed -i "/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/" /etc/login.defs
}
safe_history(){
    echo "change history limit ..."
    echo "/etc/profile"
    echo "HISTSIZE $V_HISTSIZE"
    sed -i "/^HISTSIZE/s/1000/$V_HISTSIZE/" /etc/profile
}
safe_logintimeout(){
    echo "change login timeout ..."
    echo "/etc/profile"
    echo "TMOUT=$V_TMOUT"
    sed -i "/^HISTSIZE/a\TMOUT=$V_TMOUT" /etc/profile
}
safe_bashhistory(){
    echo "denied bashhistory ..."
    echo "/etc/skel/.bash_logout"
    echo 'rm -f $HOME/.bash_history'
    if egrep "bash_history" /etc/skel/.bash_logout > /dev/null
    then
        echo 'warning:existed'
    else
        echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout
    fi
}
safe_addgroup(){
    echo "groupadd $V_GROUPNAME ..."
    groupadd $V_GROUPNAME
}
safe_sugroup(){
    echo "permit $V_GROUPNAME use su ..."
    echo "/etc/pam.d/su"
    echo "auth sufficient pam_rootok.so debug"
    echo "auth required pam_wheel.so group=$V_GROUPNAME"
    echo "gpasswd -a $WORKUSER $V_GROUPNAME"
    if egrep "auth required pam_wheel.so" /etc/pam.d/su > /dev/null
    then
        echo 'warning:existed'
    else
        sed -i "/^#%PAM/a\auth required pam_wheel.so group=${V_GROUPNAME}" /etc/pam.d/su
        sed -i "/^#%PAM/a\auth sufficient pam_rootok.so debug" /etc/pam.d/su
        gpasswd -a $WORKUSER $V_GROUPNAME
    fi
}
safe_sudoer(){
    echo "permit $WORKUSER use sudo ..."
    echo "/etc/sudoers"
    echo "$WORKUSER ALL=(ALL) ALL"
    if [ -n $WORKUSER ]
    then
        if egrep "$WORKUSER" /etc/sudoers > /dev/null
        then
            echo "warning:existed! "
        else
            echo "$WORKUSER ALL=(ALL) ALL" >> /etc/sudoers
            echo 'export PATH=$PATH:/sbin:/usr/sbin' >> /etc/bashrc
            echo 'export LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib"' >> /etc/bashrc
            echo 'export LD_LIBRARY_PATH="/usr/local/lib"' >> /etc/bashrc
        fi
    else
        echo "warning:skip! "
    fi
}
safe_denyrootssh(){
    echo "denied root login ..."
    echo "/etc/ssh/sshd_config"
    echo "PermitRootLogin no"
    sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
}
safe_changesshport(){
    echo "change ssh port ..."
    echo "/etc/ssh/sshd_config"
    echo "Port $SSHPORT"
    if egrep "Port $SSHPORT" /etc/ssh/sshd_config > /dev/null
    then
        echo "warning:existed! "
    else
        echo "Port $SSHPORT" >> "/etc/ssh/sshd_config"
    fi
}
safe_stopservice(){
    echo "stop services ..."
    for i in $V_SERVICE ;do service $i stop; done
}
safe_closeservice(){
    echo "close services autostart ..."
    for i in $V_SERVICE ;do chkconfig $i off; done
}
safe_closeservicewhite(){
    echo "close services autostart ..."
    for i in `ls /etc/rc3.d/S*`
    do
        CURSRV=`echo $i|cut -c 15-`
        echo $CURSRV
        case $CURSRV in
            crond | irqbalance | microcode_ctl | network | sshd | syslog | rsyslog | snmpd | fail2ban | ntpd | lvm2-monitor | iptables | auditd | kdump | sysstat | memcached | smartd | nagios | local | sphinx )
                ;;
            *)
                echo "change $CURSRV to off"
                chkconfig --level 235 $CURSRV off
                service $CURSRV stop
                ;;
        esac
    done
}
safe_tty(){
    echo "close tty ..."
    if [ ${linuxvar} == 6 ]; then
        echo "/etc/init/start-ttys.conf"
        echo "/etc/sysconfig/init"
        echo "ACTIVE_CONSOLES=/dev/tty[${V_TTY6}]"
        echo "init q"
        #close tty
        #initctl stop tty TTY=/dev/tty6
        sed -i "/^env ACTIVE_CONSOLES/s/\[1-6\]/\[${V_TTY6}\]/" /etc/init/start-ttys.conf
        sed -i "/^ACTIVE_CONSOLES/s/\[1-6\]/\[1-2\]/" /etc/sysconfig/init
    else
        echo "/etc/inittab"
        echo "#3:2345:respawn:/sbin/mingetty tty3"
        echo "#4:2345:respawn:/sbin/mingetty tty4"
        echo "#5:2345:respawn:/sbin/mingetty tty5"
        echo "#6:2345:respawn:/sbin/mingetty tty6"
        sed -i "/^[${V_TTY}]:2345/s/^/#/" /etc/inittab
        echo "init q"
    fi
    init q
}
safe_ctrlaltdel(){
    echo "close ctrl+alt+del to restart server ..."
    if [ ${linuxvar} == 6 ]; then
        echo "/etc/init/control-alt-delete.conf"
        echo '#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"'
        echo "init q"
        sed -i '/^exec/s/^/#/' /etc/init/control-alt-delete.conf
    else
        echo "/etc/inittab"
        echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
        echo "init q"
        sed -i '/^ca::/s/^/#/' /etc/inittab
    fi
    init q
}
safe_ipv6(){
    echo "close ipv6 ..."
    if [ ${linuxvar} == 6 ]; then
        echo '"alias net-pf-10 off" >> /etc/modprobe.d/ipv6.conf'
        echo '"options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf'
        # heredoc body reconstructed from the two echo lines above; the
        # original was eaten by the page's HTML extraction
        cat > /etc/modprobe.d/ipv6.conf <<EOF
alias net-pf-10 off
options ipv6 disable=1
EOF
    else
        echo '"alias net-pf-10 off" >> /etc/modprobe.conf'
        echo '"alias ipv6 off" >> /etc/modprobe.conf'
        if egrep "alias net-pf-10 off" /etc/modprobe.conf > /dev/null
        then
            echo "warning:existed! "
        else
            echo "alias net-pf-10 off" >> /etc/modprobe.conf
            echo "alias ipv6 off" >> /etc/modprobe.conf
        fi
    fi
    echo '/sbin/chkconfig ip6tables off'
    echo '"NETWORKING_IPV6=no" >> /etc/sysconfig/network'
    /sbin/chkconfig --level 35 ip6tables off
    if egrep "NETWORKING_IPV6=no" /etc/sysconfig/network > /dev/null
    then
        echo "warning:existed! "
    else
        echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
    fi
}
safe_selinux(){
    echo "disable selinux ..."
    echo "sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config "
    sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
    echo "selinux is disabled,you must reboot!"
}
safe_vim(){
    echo "edit vim ..."
    echo "alias vi='vim'"
    sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
    # The original continues with "cat >/root/.vimrc <<EOF ..."; that heredoc,
    # the lockfile/unlockfile/chmodinit/chmodcommand/version functions and the
    # head of the command dispatch are not present on this page (lost in
    # extraction). The complete script is the autosafe1.2.sh download below.
}

# Command dispatch, reconstructed from the usage text and the function names
# above; commands whose functions are missing from the page are not wired up.
case "$1" in
    deluser)           safe_deluser ;;
    delgroup)          safe_delgroup ;;
    password)          safe_password ;;
    history)           safe_history ;;
    logintimeout)      safe_logintimeout ;;
    bashhistory)       safe_bashhistory ;;
    addgroup)          safe_addgroup ;;
    sugroup)           safe_sugroup ;;
    sudoer)            safe_sudoer ;;
    denyrootssh)       safe_denyrootssh ;;
    changesshport)     safe_changesshport ;;
    stopservice)       safe_stopservice ;;
    closeservice)      safe_closeservice ;;
    closeservicewhite) safe_closeservicewhite ;;
    tty)               safe_tty ;;
    ctrlaltdel)        safe_ctrlaltdel ;;
    ipv6)              safe_ipv6 ;;
    selinux)           safe_selinux ;;
    vim)               safe_vim ;;
    version)           echo "autosafe.sh $version" ;;
    *)
        echo ""
        echo " deluser            delete user"
        echo " delgroup           delete group"
        echo " password           change password limit"
        echo " history            change history limit"
        echo " logintimeout       change login timeout"
        echo " bashhistory        denied bashhistory"
        echo " addgroup           groupadd $V_GROUPNAME"
        echo " sugroup            permit $V_GROUPNAME use su"
        echo " denyrootssh        denied root login"
        echo " stopservice        stop services use black list"
        echo " closeservice       close services use black list"
        echo " closeservicewhite  close & stop services use white list"
        echo " tty                close tty"
        echo " ctrlaltdel         close ctrl+alt+del"
        echo " ipv6               close ipv6"
        echo " selinux            disabled selinux"
        echo " vim                edit vim"
        echo " lockfile           lock user&services"
        echo " unlockfile         unlock user&services"
        echo " chmodinit          init script only for root"
        echo " chmodcommand       remove SUID"
        echo " version "
        echo ""
        ;;
esac

Set permissions

chmod u+x ./autosafe.sh

Run the script, one task at a time

./autosafe.sh deluser
./autosafe.sh delgroup
.....

Two tasks deserve a second look before they run on a production host: selinux sets SELINUX=disabled, which removes a mandatory access control layer rather than hardening anything (use permissive while working out policy problems instead), and sudoer appends to /etc/sudoers directly, bypassing the syntax check visudo performs. Apply denyrootssh only after $WORKUSER has been confirmed able to log in and sudo, and from a session you keep open until sshd has been restarted and a second login has succeeded.

Download the script: autosafe1.2.sh

See also: Linux basic security configuration guide; iptables default security rules script



A few differences between CentOS/RHEL 5 and 6

1. During installation RHEL 5 formats the disks and installs packages only after the system has been customised, whereas RHEL 6 formats the disks first and customises afterwards.
2. On RHEL 6 an edit to ifcfg-eth0 takes effect as soon as the file is saved, whereas earlier versions needed a network restart.
3. From CentOS 6.2 the NIC config file is ifcfg-em1 instead of ifcfg-eth0 (the em1 name comes from biosdevname on Dell hardware).
4. The settings that lived in /etc/inittab have been split into small files; the RHEL 6 inittab says:

# System initialization is started by /etc/init/rcS.conf
#
# Individual runlevels are started by /etc/init/rc.conf
#
# Ctrl-Alt-Delete is handled by /etc/init/control-alt-delete.conf
#
# Terminal gettys are handled by /etc/init/tty.conf and /etc/init/serial.conf,
# with configuration in /etc/sysconfig/init.

5. /etc/modprobe.conf no longer exists; it is split into files under /etc/modprobe.d/.
6. On RHEL 5.5 partprobe can be run right after partitioning so the kernel picks up the new partition table. On RHEL 6 partprobe does not update it, and the server has to be rebooted before the new partition can be mounted (partx -a /dev/sdX, from util-linux-ng, adds the new partitions to the kernel without a reboot).

2012-4-10 update
7. mailx has gone from 8.1 6/6/93 to Heirloom Mail version 12.4 7/29/08.

============= 2012-5-11 update
The kernel's ip_conntrack parameters have been renamed to nf_conntrack. Using the old names in /etc/sysctl.conf makes sysctl -p fail:

error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key

Change them to:

net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 36000
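The rename bites when one sysctl.conf is pushed to both EL5 and EL6 hosts, because sysctl -p stops at the first unknown key. The script below is an added example, not part of the original post: it rewrites the two keys shown above (and any other ip_conntrack_* key the same way) and checks every key against /proc/sys before emitting it, so the file it produces loads cleanly on the kernel it was generated on. The /proc/sys root override and the sample configuration are assumptions made for testing.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite an EL5-style sysctl.conf
# for an EL6 kernel. Old ip_conntrack keys are renamed to their nf_conntrack
# equivalents and any key the running kernel does not expose under /proc/sys
# is dropped with a warning, so "sysctl -p" no longer aborts on an unknown key.

# Old ip_conntrack name -> nf_conntrack name; everything else passes through.
translate_key() {
    case "$1" in
        net.ipv4.netfilter.ip_conntrack_max) echo net.nf_conntrack_max ;;
        net.ipv4.netfilter.ip_conntrack_*)
            echo "net.netfilter.nf_conntrack_${1#net.ipv4.netfilter.ip_conntrack_}" ;;
        *) echo "$1" ;;
    esac
}

# /proc/sys path of a sysctl key (dots become slashes); $2 overrides the root.
key_path() {
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Read "key = value" lines from file $1 and print the rewritten configuration.
# Keys the kernel does not provide go to stderr instead of the output.
rewrite_sysctl() {
    root=${2:-/proc/sys}
    while IFS= read -r line; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        new=$(translate_key "$key")
        if [ -e "$(key_path "$new" "$root")" ]; then
            printf '%s = %s\n' "$new" "$val"
        else
            printf 'skipping %s: not provided by this kernel\n' "$new" >&2
        fi
    done < "$1"
}

# Usage on an EL6 host (paths are an assumption):
#   rewrite_sysctl /etc/sysctl.conf > /etc/sysctl.conf.new && sysctl -p /etc/sysctl.conf.new
```

The existence check is the part worth keeping even without the rename: nf_conntrack_* keys only appear once the nf_conntrack module is loaded, so on a freshly booted host with no iptables rules the same file can fail for a second, unrelated reason.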

Reference: http://www.myfreelinux.com/?p=743&cpage=2&replytocom=223803



Lempelf one-click installer updated to 1.0.3

What is the Lempelf one-click installer?

The Lempelf one-click installer is a set of shell scripts for quickly installing commonly used services on Linux.

ChangeLog (1.0.3 is mainly bug fixes)

2012-3-28 Lempelf 1.0.3 released
Bugfix: the domain name shown after the awstats install completes
Bugfix: nginx install failure; file name corrected at line 21 of ./scripts/setup_nginx.sh
Bugfix: php could not find mysqlclient.so.18 at startup (echo "/opt/mysql/lib" > /etc/ld.so.conf.d/mysql.conf && ldconfig)
Bugfix: PAM errors in the secure log on 64-bit; path in /etc/pam.d/su corrected
Bugfix: tty, ctrl+alt+del and ipv6 handling on CentOS 6
Bugfix: restricting which users may su; a user who needs su must be added to the group with gpasswd
Change: nginx logs are now kept for one month
Feature: new scripts/firstlog.sh, which records file and runtime information for later comparison

2012-3-23 Lempelf 1.0.2 released
php magic_quotes_gpc set to On
cmake added to the yum package list
MySQL upgraded to Percona-Server-5.5.20-rel24.1
/tmp/mysql.sock symlink added
PHP upgraded to 5.2.17 with the hash patch applied
nginx version string hidden (reported as 1.0); version hidden in nginx.conf
services auto-started by autosafe.sh adjusted
pcre upgraded to pcre-8.30
phpMyAdmin updated to phpMyAdmin-3.4.10.1-all-languages

Updated again 2012-3-28 16:00, 2012-3-30 14:30 and 2012-3-30 18:00.

https://blog.c1gstudio.com/lempelfpage



Lempelf one-click installer updated to 1.0.2

What is the Lempelf one-click installer?

The Lempelf one-click installer is a set of shell scripts for quickly installing commonly used services on Linux.

ChangeLog (mainly performance and security improvements)

2012-3-23 Lempelf 1.0.2 released
php magic_quotes_gpc set to On
cmake added to the yum package list
MySQL upgraded to Percona-Server-5.5.20-rel24.1
/tmp/mysql.sock symlink added
PHP upgraded to 5.2.17 with the hash patch applied
nginx version string hidden (reported as 1.0); version hidden in nginx.conf
services auto-started by autosafe.sh adjusted
pcre upgraded to pcre-8.30
phpMyAdmin updated to phpMyAdmin-3.4.10.1-all-languages

https://blog.c1gstudio.com/lempelfpage



phpMyAdmin 3.3.x and 3.4.x contain an injection vulnerability (CVE-2011-4107)

Versions tested as affected: phpMyAdmin 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7

3.0 also has an SQL injection vulnerability.

The injection in CVE-2011-4107 is XML external entity (XXE) injection in the XML import plug-in, which the proof of concept linked below turns into local file inclusion: the server reads a file named in the entity and returns its contents. It requires a valid phpMyAdmin login, so the realistic exposure is a phpMyAdmin reachable from the Internet with weak or shared MySQL credentials.

The current stable release is phpMyAdmin 3.4.10.1; upgrade: http://www.phpmyadmin.net/home_page/downloads.php

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/



PHP one-line webshells and how to hunt them

Most webshells share the following traits.

1. They take external input. Commonly $_GET and $_POST; the more covert ones use $_FILES, $_REQUEST, ...

2. They execute it. Once the data has arrived it has to be run. Commonly eval, assert and preg_replace (with the /e modifier, which evaluates the replacement as PHP code). Hidden variants:

include($_POST['a']);
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e",$_POST['h'],"Access");
@preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add');

The second builds the function name from single characters so that a grep for preg_replace misses it; the third hides eval as str_rot13('riny'). Encoding helpers such as urldecode, gzinflate and base64_decode are used for the same purpose.

3. They touch files or run commands to extend their foothold: copy, file_get_contents, exec, ...

The usual advice is to enable safe_mode or use disable_functions to raise the bar; some applications will stop working. Basic php.ini settings:

expose_php = Off
register_globals = Off
display_errors = Off
cgi.fix_pathinfo = 0
magic_quotes_gpc = On
allow_url_fopen = Off
allow_url_include = Off
and configure open_basedir

safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4; on newer PHP the settings that still matter here are disable_functions, open_basedir and the two allow_url_* switches.

Hunting for webshells: searching for the signature strings and the input entry points finds most of them.

#!/bin/bash
findpath=./
logfile=findtrojan.log
echo -e $(date +%Y-%m-%d_%H:%M:%S)" start\r" >>$logfile
# PHP files whose inode changed in the last 3 days
echo -e '============changetime list==========\r\n' >> ${logfile}
find ${findpath} -name "*.php" -ctime -3 -type f -exec ls -l {} \; >> ${logfile}
# files owned by no known user or group
echo -e '============nouser file list==========\r\n' >> ${logfile}
find ${findpath} -nouser -nogroup -type f -exec ls -l {} \; >> ${logfile}
# execution, decoding and input functions typical of a one-line shell
echo -e '============php one word trojan ==========\r\n' >> ${logfile}
find ${findpath} -name "*.php" -exec egrep -I -i -C1 -H 'exec\(|eval\(|assert\(|system\(|passthru\(|shell_exec\(|escapeshellcmd\(|pcntl_exec\(|gzuncompress\(|gzinflate\(|unserialize\(|base64_decode\(|file_get_contents\(|urldecode\(|str_rot13\(|\$_GET|\$_POST|\$_REQUEST|\$_FILES|\$GLOBALS' {} \; >> ${logfile}
# use -l instead of -C1 -H to print only the file names
echo -e $(date +%Y-%m-%d_%H:%M:%S)" end\r" >>$logfile
more $logfile
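On a real application tree the grep above matches nearly every file, because every form handler reads $_POST. The script below is an added example, not part of the original post: it scores each PHP file by how many independent webshell traits it combines (input source, execution sink, decoding helper, preg_replace with /e, a function name built from single characters, and a dynamic $var(...) call), so a one-liner scores higher than a legitimate form handler and the obfuscated variants quoted above are caught by the traits they cannot hide. The sample files it creates are constructed; the regular expressions are an illustration, not a complete signature set.

```shell
#!/bin/sh
# Added example, not from the original post: instead of listing every PHP file
# that mentions $_POST, score each file by how many webshell traits it combines.

# One point per trait group that matches anywhere in the file.
INPUT_RE='\$_(GET|POST|REQUEST|FILES|COOKIE)|\$GLOBALS'
SINK_RE='(^|[^a-zA-Z0-9_])(eval|assert|system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|include|require)[[:space:]]*\('
OBF_RE='(^|[^a-zA-Z0-9_])(base64_decode|gzinflate|gzuncompress|str_rot13|urldecode)[[:space:]]*\('
PREGE_RE="preg_replace[[:space:]]*\\(.*/[a-zA-Z]*e[a-zA-Z]*[\"'][[:space:]]*,"   # /e modifier
CONCAT_RE="([\"'][a-z_][\"']\\.){3,}"                                           # "p"."r"."e"."g"
DYNCALL_RE='\$[a-zA-Z_][a-zA-Z0-9_]*[[:space:]]*\('                           # $hh(...)

score_file() {
    s=0
    for re in "$INPUT_RE" "$SINK_RE" "$OBF_RE" "$PREGE_RE" "$CONCAT_RE" "$DYNCALL_RE"; do
        grep -Eqs -- "$re" "$1" && s=$((s + 1))
    done
    echo "$s"
}

# "score path" for every .php under $1, highest score first.
scan_php_dir() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        echo "$(score_file "$f") $f"
    done | sort -k1,1nr
}

# Paths scoring at least $2 (default 2): candidates for a human to read, not for rm.
suspects() {
    scan_php_dir "$1" | awk -v min="${2:-2}" '$1 >= min { print $2 }'
}

# Constructed samples: a classic one-liner, the two obfuscated variants quoted
# in the post, and a harmless form handler that only reads $_POST.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '<?php @eval($_POST["a"]); ?>' > "$d/shell1.php"
    printf '%s\n' '<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e",$_POST["h"],"Access"); ?>' > "$d/shell2.php"
    printf '%s\n' '<?php @preg_replace("/ad/e", "@".str_rot13("riny")."($b4dboy)", "add"); ?>' > "$d/shell3.php"
    printf '%s\n' '<?php $name = htmlspecialchars($_POST["name"]); echo "Hello $name"; ?>' > "$d/form.php"
    echo "$d"
}

# Usage: suspects /var/www/html        (or: d=$(make_samples); suspects "$d")
```

Scoring by independent traits is what keeps the form handler (one trait) below the shells (two or three each) even though all four files read $_POST; raising the threshold to 3 leaves only the sample that combines input, a concatenated function name and a dynamic call. Pair the scan with the -ctime and -nouser checks above, since a shell dropped by an upload bug usually has the wrong owner or a fresh change time as well.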
