Linux security

http://drops.wooyun.org/  The most professional security knowledge-sharing platform

The best strategy is a layered approach: combine the veterans such as Snort and iptables with newer forces such as psad, AppArmor and SELinux, and with powerful analysis tools on top we can stay at the forefront of the technology.

The new IDS favourite: psad. psad is short for Port Scan Attack Detector; as a newer tool it works closely with iptables and Snort and shows us every malicious attempt to get into the network.
Still going strong: Snort. It is a lightweight, easy-to-use tool that can run on its own or together with psad and iptables.
Simple and convenient: chkrootkit and Rootkit Hunter. The rootkit detectors chkrootkit and Rootkit Hunter are also long-established rootkit detection programs.
Jack of all trades: Tripwire. Tripwire is an intrusion detection and data integrity product.

CGI vulnerabilities

CGI is short for Common Gateway Interface and does not refer to any particular language.
Web server security problems fall mainly into two groups: 1) bugs in the web server software itself; 2) server misconfiguration. Either can lead to CGI source code disclosure, physical path disclosure, disclosure of sensitive system information, or remote execution of arbitrary commands. CGI language vulnerabilities fall into the following classes: configuration errors, boundary-condition errors, access-validation errors, origin-validation errors, input-validation errors, policy errors, usage errors, and so on. Most CGI vulnerabilities are of one of the following types: exposing information that should not be exposed, executing commands that should not be executed, and overflows.

An account of a successful intrusion into uta.edu via a "show files" type CGI vulnerability

http://www.chinaunix.net/bbsjh/19/23.html  CGI vulnerability exploitation

Analysis of httpd's error_log

[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Apr 07 01:18:45 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Apr 07 01:18:49 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
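As an added example (my own code, not part of the original note), a Python parser for the Apache 2.2 error_log format shown above that groups the Host-less requests by client and by path; the sample lines are the five from the excerpt, and the flagging rule (a path other than / requested by two or more distinct clients) is an assumed heuristic for spotting automated probing.

```python
import re
from collections import defaultdict

# Sample input: the error_log lines quoted above, in the Apache 2.2 format
# "[timestamp] [level] [client IP] message: path".
SAMPLE_LOG = """\
[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Apr 07 01:18:45 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Apr 07 01:18:49 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] "
    r"(?P<msg>.*?)(?:: (?P<path>/\S*))?$"
)

def parse_error_log(text):
    """Return one dict (ts, level, ip, msg, path) per parseable line; lines in
    another format (e.g. Apache 2.4 adds a port after the client IP) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def probe_report(entries, min_clients=2):
    """Map each requested path to the distinct clients that asked for it and flag
    every path other than '/' that at least `min_clients` unrelated clients hit:
    the same odd CGI name arriving from several addresses, each without a Host
    header, is the signature of scripted scanning rather than of a browser."""
    clients_by_path = defaultdict(set)
    for e in entries:
        clients_by_path[e["path"] or ""].add(e["ip"])
    flagged_paths = {p for p, ips in clients_by_path.items()
                     if p not in ("/", "") and len(ips) >= min_clients}
    flagged_clients = set()
    for p in flagged_paths:
        flagged_clients |= clients_by_path[p]
    return {"paths": dict(clients_by_path),
            "flagged_paths": flagged_paths,
            "flagged_clients": flagged_clients}
```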

Step 1: establish the domain-to-IP mapping

[Tue Apr 07 11:32:01 1010 /dev/pts/0 192.168.2.250 ~]#ping www.fltdz.com
PING www.fltdz.com (58.64.136.166) 56(84) bytes of data.
64 bytes from 58.64.136.166: icmp_seq=1 ttl=48 time=79.6 ms
64 bytes from 58.64.136.166: icmp_seq=2 ttl=48 time=76.2 ms
64 bytes from 58.64.136.166: icmp_seq=3 ttl=48 time=63.2 ms
^C
--- www.fltdz.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2245ms
rtt min/avg/max/mdev = 63.245/73.044/79.639/7.069 ms

Step 2: bring out the Swiss army knife, nc (netcat)
[Tue Apr 07 11:32:47 1011 /dev/pts/0 192.168.2.250 ~]#yum install nc

I used GET / HTTP/1.1 to obtain information about its web server
[Tue Apr 07 11:32:47 1011 /dev/pts/0 192.168.2.250 ~]#nc -vv 58.64.136.166 80
Connection to 58.64.136.166 80 port [tcp/http] succeeded!
Type the following, then press Enter twice
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Server: nginx/1.0.2
Date: Tue, 07 Apr 2015 03:43:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

ac
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.0.2</center>
</body>
</html>

0

[Tue Apr 07 11:33:59 1012 /dev/pts/0 192.168.2.250 ~]#

Step 3: since that gives too little information, bring out the king of scanners, nmap
[Tue Apr 07 11:46:16 1015 /dev/pts/0 192.168.2.250 ~]yum install nmap
[Tue Apr 07 11:46:16 1015 /dev/pts/0 192.168.2.250 ~]#nmap -sS -O -vv 192.168.2.2

Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-07 11:46 CST
Initiating ARP Ping Scan at 11:46
Scanning 192.168.2.2 [1 port]
Completed ARP Ping Scan at 11:46, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:46
Completed Parallel DNS resolution of 1 host. at 11:46, 0.09s elapsed
Initiating SYN Stealth Scan at 11:46
Scanning 192.168.2.2 [1000 ports]
Discovered open port 111/tcp on 192.168.2.2
Discovered open port 22/tcp on 192.168.2.2
Discovered open port 5500/tcp on 192.168.2.2
Discovered open port 5801/tcp on 192.168.2.2
Discovered open port 5666/tcp on 192.168.2.2
Discovered open port 10000/tcp on 192.168.2.2
Discovered open port 5901/tcp on 192.168.2.2
Discovered open port 2049/tcp on 192.168.2.2
Discovered open port 1521/tcp on 192.168.2.2
Discovered open port 6001/tcp on 192.168.2.2
Discovered open port 10003/tcp on 192.168.2.2
Discovered open port 80/tcp on 192.168.2.2
Completed SYN Stealth Scan at 11:46, 1.10s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.2.2
Retrying OS detection (try #2) against 192.168.2.2
Retrying OS detection (try #3) against 192.168.2.2
Retrying OS detection (try #4) against 192.168.2.2
Retrying OS detection (try #5) against 192.168.2.2
Nmap scan report for 192.168.2.2
Host is up (0.00023s latency).
Scanned at 2015-04-07 11:46:25 CST for 13s
Not shown: 988 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
1521/tcp  open  oracle
2049/tcp  open  nfs
5500/tcp  open  hotline
5666/tcp  open  nrpe
5801/tcp  open  vnc-http-1
5901/tcp  open  vnc-1
6001/tcp  open  X11:1
10000/tcp open  snet-sensor-mgmt
10003/tcp open  documentum_s
MAC Address: E4:1F:13:80:ED:2C (IBM)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=4/7%OT=22%CT=1%CU=34628%PV=Y%DS=1%DC=D%G=Y%M=E41F13%TM=552
OS:3531E%P=x86_64-redhat-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=
OS:16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST1
OS:1NW7%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 39.383 days (since Fri Feb 27 02:34:52 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.87 seconds
           Raw packets sent: 1103 (52.326KB) | Rcvd: 1076 (46.626KB)
[Tue Apr 07 11:46:38 1016 /dev/pts/0 192.168.2.250 ~]#
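As an added example, not code from the original note: a Python audit that reads the port table from the nmap output above and compares it with the services the host is meant to expose (assumed here to be SSH and HTTP only); the allowlist and the reasons attached to the well-known risky ports are my own assumptions, not findings reported by the scan.

```python
import re

# Sample input: the open-port table copied from the nmap output above.
NMAP_OUTPUT = """\
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
1521/tcp  open  oracle
2049/tcp  open  nfs
5500/tcp  open  hotline
5666/tcp  open  nrpe
5801/tcp  open  vnc-http-1
5901/tcp  open  vnc-1
6001/tcp  open  X11:1
10000/tcp open  snet-sensor-mgmt
10003/tcp open  documentum_s
"""

# One line of nmap's normal-output port table, e.g. "22/tcp    open  ssh"
PORT_RE = re.compile(r"^(?P<port>\d+)/(tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Services that normally have no business being reachable from untrusted
# networks (assumed reviewer notes, not anything the scan itself reports).
RISKY = {
    111: "rpcbind: lists RPC programs such as NFS/mountd; bind to trusted interfaces only",
    2049: "nfs: file shares; restrict exports to trusted networks",
    1521: "oracle listener: a database port should not be reachable from outside",
    5801: "vnc-http: remote desktop via a web applet; keep it off untrusted networks",
    5901: "vnc: remote desktop; tunnel it over SSH rather than exposing it",
    6001: "x11: a network X display is unauthenticated unless xhost/xauth restrict it",
}

def parse_open_ports(text):
    """Return {port: service} for every port-table line whose state is 'open'."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m["state"] == "open":
            ports[int(m["port"])] = m["service"]
    return ports

def audit_exposure(text, allowed):
    """Return (unexpected, findings): the sorted open ports outside the allowlist
    of intended services, and a reason for each that is also on the RISKY list."""
    ports = parse_open_ports(text)
    unexpected = sorted(p for p in ports if p not in allowed)
    return unexpected, {p: RISKY[p] for p in unexpected if p in RISKY}
```

Calling audit_exposure(NMAP_OUTPUT, allowed={22, 80}) on the table above leaves ten open ports outside the allowlist, six of them with a reason attached.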
