Preface

A notification on my phone told me the server had been compromised. That left me stunned: there is nothing important on this server, so why would anyone bother with it? Still, getting hacked is no reason to take it lying down.

Clearing the backdoor

Boot up and start the analysis. As soon as I logged into the server I remembered that, when I was doing tests, I had set up a file-upload practice range directly on it. Very uncomfortable; I had this coming. Nothing for it but to hunt down the webshell first. I found the Trojan backdoor in the upload folder, and then, while checking hidden files, I found an "undead horse" (a self-regenerating webshell).

shell.php is a PHP "Ice Scorpion" (Behinder) webshell; its traffic is encrypted, so traffic analysis cannot be used to trace it back to the source. .config.php is the undead horse: simply deleting it does nothing, because it regenerates. Tracing the source still has to happen later, but for now the encrypted traffic is a dead end. The way to deal with the undead horse:

  • 1. Create a directory with the same name as the undead horse file, so the regenerating write fails.
  • 2. Write a script that itself uses ignore_user_abort(true) and races the undead horse, repeatedly deleting its file; the script's usleep() interval must be shorter than the undead horse's usleep() interval for this to work.
  • 3. If you have sufficient privileges, restart Apache and then delete the file.
  • 4. If you lack permission to restart, kill all child processes of the www-data user.


    pkill -9 -u www-data

(The equivalent ps aux | grep www-data | awk '{print $2}' | xargs kill -9 pipeline also works, but it matches on the text of each command line rather than the process owner, so it also catches the grep itself and any unrelated process whose arguments happen to contain "www-data".)

Then rm -f .config.php removes the undead horse for good.
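As an added example (not code from the original post), the following bash script carries out the cleanup steps above from the defender's side: it locates the looping webshell by the ignore_user_abort()/usleep()/file-write pattern under a webroot, stops the web-server user's processes so the loop dies, removes the file, and confirms it does not reappear. The webroot path, the www-data user name and the marker functions are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Defender-side cleanup of an
# "undead" webshell: a PHP script that keeps running after the request ends
# (ignore_user_abort) and rewrites itself inside a usleep() loop.
# Assumptions: webroot and service user are passed as arguments; the marker
# functions below are the ones such a shell relies on.

# List PHP files under $1 (hidden files included) that combine
# ignore_user_abort() with a usleep() loop and a file-writing call.
find_undead_shells() {
  local root="$1" f
  find "$root" -type f -name '*.php' 2>/dev/null |
  while IFS= read -r f; do
    if grep -qE 'ignore_user_abort[[:space:]]*\(' "$f" &&
       grep -qE 'usleep[[:space:]]*\(' "$f" &&
       grep -qE 'file_put_contents|fwrite|fopen' "$f"; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# Stop the resident PHP loop, then delete the file. Killing by owner with
# pkill -u does what a ps|grep|awk pipeline does, without matching the grep
# itself or unrelated processes whose command line merely contains the name.
clean_undead_shell() {
  local user="$1" file="$2"
  pkill -9 -u "$user" 2>/dev/null || true   # nothing to kill is not an error
  rm -f -- "$file"
}

# The undead shell regenerates within its usleep() interval, so a deletion
# only counts if the file is still absent a moment later. Returns 0 if gone.
verify_gone() {
  local file="$1" wait="${2:-2}"
  sleep "$wait"
  [ ! -e "$file" ]
}

# Usage on the real box (paths are assumptions):
#   find_undead_shells /var/www/html
#   clean_undead_shell www-data /var/www/html/upload/.config.php
#   verify_gone /var/www/html/upload/.config.php && echo "clean"
```

Run the finder before and after the kill: if the file is listed again after clean_undead_shell, a process outside the web-server user (a cron job, a second PHP-FPM pool) is still feeding it and needs the same treatment.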

Tracing back to the attacker

After clearing the backdoors and running another check, there should be no further problem. Wondering whether I could trace the hacker, I first looked at the shell history and then at the Apache logs. He had wiped them. Fine, but this hacker was a little unlucky: this server is the one I normally test with, and earlier, while testing on it, I had attached a traffic-monitoring WAF to several files. The WAF was enabled and writing logs, and it really had captured his attack records, including his IP.

A quick online lookup of that IP showed it had long since been flagged as a puppet (compromised relay) machine; apparently a veteran.

Taking over the puppet machine


With the target machine known, I pulled out Nmap for a round of scanning and found that port 3306 was actually exposed; the page on port 80 showed nothing either.

I did not consider SSH or MySQL weak passwords at first, because they are rarely encountered. Given the ThreatBook (微步) threat-intelligence results, my first guess was that this site must be "ten thousand horses galloping" (riddled with webshells), so I brought out a modified scanner to probe it, and sure enough there was a shell. The tool was a modified dirsearch with some common backdoor file names added to its dictionary.

Besides the two shells already known, the scan results showed a 2.php whose page was blank. That made me 80% sure it was a "pony" (one-line) backdoor left behind by a hacker, so I wrote a small script to probe it: first I found an online dictionary of common backdoor passwords, then added the passwords of the shells this hacker had already planted. The final script:

    import requests

    url = "http://TARGET/2.php"  # placeholder for the suspected backdoor
    dict_file = open('dict', 'r')
    dict_list = dict_file.readlines()
    print("[+] 1.GET 2.POST")
    type = input("")
    if int(type) == 1:
        for i in dict_list:
            data = {i.strip(): 'phpinfo();'}
            res = requests.get(url, data)
            if '$_SERVER' in res.text:
                print(i.strip())
    if int(type) == 2:
        for i in dict_list:
            data = {i.strip(): 'phpinfo();'}
            res = requests.post(url, data)
            if '$_SERVER' in res.text:
                print(i.strip())

Its password turned out to be the same as the other planted shell's, so let's get on his shell and hit back.

Social engineering: profiling the black hat

Once on the shell I rummaged around. The earlier port scan had shown a MySQL service, and the idea at the time was to find the MySQL login credentials. The target was MySQL\data\mysql\user.MYD, which holds the usernames and password hashes for database logins. The username was root.

A word about the password hash in that file: the leading * marks the hash, which must be exactly 40 characters long. The beginning of the file shows four different hash fragments, each a separate entry; two of them are 26 and 14 characters, and stitched together they make exactly 40, the MySQL login password hash. With the hash in hand, send it to cmd5 for a round of cracking.

The cracked result should still count as a weak password; it is not a common one, but the cmd5 database had it, so no further mockery. I then used the username and password to log into the database.

Once in, I looked through the database. There was little content and it seemed rarely used, but careful searching turned something up: the password field was stored as MD5 and decrypts to "123456", presumably set by whoever registered at the time. The user and mail fields in front of it were the interesting part. As shown in the figure below.

Having got the user value, it looked like the network ID he commonly used when registering, but it was unclear whether this ID was left by the machine's original owner or by the hacker. So I googled the ID. Not much came up, but there was a defunct blog. Looking at the QQ number, I tried adding it as a friend and found it was obviously a secondary (throwaway) account; its Qzone had only one or two updates, mostly advertising.

Looking at this alt account's earliest posts, things like "QQ Car Hall of Honor" and offers to farm Q coins, all of it old. That made the guy who hacked the server look like a bit of a wild card. Out of curiosity I added him on QQ once more; no reply for several days, and he probably wants the number to lapse. Nothing to do but go back to the abandoned blog and dig.

The blog is an ordinary WordPress, so the usual routine: the default WordPress username is admin, then generate a password dictionary. I already had the MySQL password, and checking his common ID in a social-engineering (leaked-credential) database produced an old password, though I couldn't be sure it was his. Finally, combining the ID's historical password with the MySQL login password, I used a social-engineering dictionary generator to build a combined wordlist and let BurpSuite run it.

Seeing the result I laughed out loud: logging in showed the mailbox-address confirmation prompt, and the mailbox was again a QQ mailbox. This should be the hacker's main account.

Then I tried adding it as a friend, to at least confirm it was his regular account: an SVIP big shot. No verification was required either, and it was accepted the next day.

Then there's not much to say. His Qzone feed easily exposed a lot of information: landmark buildings in his photos gave the general area he had visited; a post from six months earlier announced a change of mobile number; and in the message board everyone called him Old Xu.

To recap the information available so far:

Mobile phone number, approximate location, date of birth, surname.

Use the mobile number in an Alipay transfer to look up the name and see whether the full name can be obtained.

The lookup showed the name had only two characters. We already knew the surname; the prompt showed the given name and asked us to fill in the surname. Entering "Xu" passed verification, and the full name was obtained.

Searching the mobile number for a while turned up a Weibo account, and its profile gave a birthday. I guess the Weibo one is correct and the QQ profile card is false.

Guessing the ID-card (SFZ) number; the process at the time was as follows. Since the hacker's general area was determined from the buildings in his photos, the area code for XX town, XX county, XX province forms the front part of the number. Lookup gave the area code 51****, and the date of birth 19911023 came from the Weibo profile. Only the last four digits were uncertain. Since the hacker is male, the 17th digit must be odd: 1, 3, 5, 7 or 9. The 18th digit ranges over 0-1-2-3-4-5-6-7-8-9-10. The 15th and 16th digits are each 0 to 9. So we enumerate the candidates against Ali's SFZ real-name authentication API for verification.

Finally I wrote a script to enumerate in batch, and it successfully matched the real SFZ number.

    import urllib, urllib2, sys
    import ssl

    host = 'https://idcard.market.alicloudapi.com'
    path = '/lianzhuo/idcard'
    method = 'GET'
    appcode = '2e1ac42e**************4f8258e438'
    querys = 'cardno=5*****19911023'
    name = '&name=*****'
    bodys = {}
    for i in range(5000):
        url = host + path + '?' + querys + str(i) + name
        request = urllib2.Request(url)
        request.add_header('Authorization', 'APPCODE ' + appcode)
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        response = urllib2.urlopen(request, context=ctx)
        content = response.read()
        if (content):
            print(content)

With that, the person can be identified. Before wrapping up, let's organise the information and draw up the hacker's portrait:

    Name: Xu *
    Sex: male
    Age: 29
    Home address: ** province, ** county, ** town, ******
    Phone number: 1**********
    Date of birth: 19911023
    SFZ: 5*********19911023

Conclusion

1. Do not casually expose sensitive services on a public-facing server, and do the security work properly.

2. In traceability analysis, when you run into a puppet machine, consider riding the attacker's existing webshell ("ceng horse").

3. Obtain the database password hashes and search the database for sensitive information.

4. Social-engineering lookups: Google search, QQ profile data, and careful correlation analysis.
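To make the first point concrete, here is an added shell check (not from the original post) that reads `ss -ltn` output and flags sensitive services such as MySQL on 3306 that are bound to every interface instead of loopback, which is exactly how the puppet machine's database ended up reachable from the internet. The list of sensitive ports and the sample listener lines are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flag database/cache listeners that
# are reachable from the public network. Reads `ss -ltn` output (or constructed
# lines in the same format) on stdin. The set of sensitive ports is an assumption.

SENSITIVE_PORTS="3306 5432 6379 27017 11211"

# Print "PORT LOCAL-ADDRESS" for every LISTEN socket whose port is in
# SENSITIVE_PORTS and whose local address is a wildcard (0.0.0.0, *, [::])
# rather than loopback. Column 4 of `ss -ltn` is "Local Address:Port".
flag_exposed_services() {
  awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) sensitive[p[i]] = 1 }
    $1 == "State" { next }                 # header line
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)      # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)  # text before the last colon
      if ((port in sensitive) && (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::"))
        print port, host
    }'
}

# Constructed sample in `ss -ltn` format: MySQL on loopback is fine, MySQL on
# [::] and Redis on 0.0.0.0 are exposed, HTTP on 0.0.0.0 is expected.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      80     [::]:3306          [::]:*
LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*'

# Usage on a live host:   ss -ltn | flag_exposed_services
# Against the sample:     printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_exposed_services
```

Anything the check prints should either move to loopback (for MySQL, `bind-address = 127.0.0.1` in the server configuration) or sit behind a host firewall rule that only admits the application hosts that need it; an Nmap scan from outside, as the post describes, is the simplest way to confirm the fix took effect.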