////////\\\\!
bruteforced h->ident buff distance: 5bfbed88
trying retloc_delta: 35
....!
found high words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b
......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Here the attack appears to have "stopped", but going back to the attacked system shows that a backdoor has been opened.
Reproduction on the target system side
=======================
Before the vulnerability was exploited, the target system showed the standard SSH daemon running on 22/tcp and the application under test running on 2222/tcp, both in LISTEN state, with the standard SSH daemon holding one external connection (10.10.10.2:33354), as seen with netstat:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
After the attack program "stopped", netstat showed the listening state as follows:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
A new service is found listening on 12345/tcp.
Returning to the attacker's host and checking the network state with netstat shows that the program attacked by brute-force address guessing:
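The before/after netstat comparison above is the kind of check that can be scripted. As an added example (not code from the original write-up), the following Python script diffs two `netstat -an --inet` listings and reports listening sockets that appeared in the second one; the two listings embedded below are the page's own before and after output, and the names `BASELINE`, `AFTER`, `listeners`, `new_listeners` and `suspicious` are this example's.

```python
"""Report listening sockets that appear in a second netstat listing but not
in a baseline.  Added example, not part of the original write-up; the two
listings are copied from the page's netstat output, the names are ours."""

# Listing taken before the exploit was run (from the page).
BASELINE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
"""

# Listing taken after the attack program "stopped" (from the page).
AFTER = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
"""


def listeners(netstat_text):
    """Return the set of (proto, ip, port) for every TCP socket in LISTEN state.

    Header lines and raw/UDP sockets have no LISTEN state and are skipped.
    """
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        ip, _, port = local.rpartition(":")   # rpartition copes with IPv6 "::" too
        found.add((proto, ip, int(port)))
    return found


def new_listeners(before, after):
    """Listening sockets present in `after` but absent from `before`, sorted."""
    return sorted(listeners(after) - listeners(before))


def suspicious(new, expected_ports=(22, 2222)):
    """Filter new listeners down to ports the host is not expected to serve.

    On the page the daemon that should only serve 2222/tcp suddenly binds a
    wildcard socket on 12345/tcp; that is exactly what this returns.
    """
    return [sock for sock in new if sock[2] not in expected_ports]


if __name__ == "__main__":
    added = new_listeners(BASELINE, AFTER)
    for proto, ip, port in suspicious(added):
        print(f"unexpected listener: {proto} {ip}:{port}")
```

Feeding the script live output (`netstat -an --inet` today, or `ss -ltn` on current systems) instead of the embedded strings turns it into a periodic check; a wildcard bind on a high port by a process that should only serve its configured port is worth an alert regardless of which exploit caused it.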
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The LiSt Open Files ("lsof")[4] tool shows that the SSH daemon under test has opened a new listening port:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 9364 root cwd DIR 3,3 1024 2 /
sshd 9364 root rtd DIR 3,3 1024 2 /
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so
sshd 9364 root 0u CHR 1,3 4110 /dev/null
sshd 9364 root 1u CHR 1,3 4110 /dev/null
sshd 9364 root 2u CHR 1,3 4110 /dev/null
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)
sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Clearly the attack program exploited this vulnerability successfully, obtained a root shell and bound it to a high TCP port. The attacker can then use any "telnet" or "nc" tool to connect to this port and execute arbitrary commands as the superuser, as shown below:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[Note]: with telnet each command must be terminated with ";", while an nc connection does not need it.
After the attacker exits, the target system's network state returns to normal:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If syslog logging is enabled, all of the connections and brute-force attempts are recorded (note that this test was run against SSH.com 1.2.31 on Red Hat Linux 6.0; the log markers differ from what OpenSSH records):
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Note the last log entry. If the vulnerability is exploited successfully, the authentication process stops, because at that point the shellcode's backdoor is already running and you can connect to the port and do anything. The only problem is that the SSH daemon (at least SSH.com 1.2.31) times out because authentication never completes, which closes the open shell. Generally there is a 10 minute window before the parent process of the listening shell is closed.
Network traffic analysis
=====================
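The syslog excerpt above contains three distinct signals: a burst of connections from one source, "crc32 compensation attack" and "Corrupted check bytes" fatals from the detector, and a final session that never authenticates. As an added example (not code from the original write-up), the following Python script parses sshd syslog lines in the SSH.com 1.2.31 format shown on the page and reports those signals per source address. `SAMPLE_LOG` is a constructed subset of the page's log plus one constructed benign line for 10.10.10.2; the function names, the 60-second window and the burst threshold are this example's own choices.

```python
"""Scan sshd syslog lines for the CRC32 compensation attack pattern.  Added
example, not part of the original write-up; SAMPLE_LOG is a constructed
subset of the page's log, and the names and thresholds are ours."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from the page's log, plus one benign
# connection from the administrator's host (10.10.10.2) that we made up.
SAMPLE_LOG = """\
Nov 1 18:40:00 victim sshd[9500]: log: Connection from 10.10.10.2 port 33354
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"Connection from (?P<ip>\S+) port (?P<port>\d+)")

CRC32_MSG = "crc32 compensation attack"        # detector fired
CORRUPT_MSG = "Corrupted check bytes on input"  # malformed packet, weaker signal
TIMEOUT_MSG = "Timeout before authentication"   # session never authenticated


def parse_time(ts):
    """Syslog timestamps carry no year; we only need them for ordering."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def max_in_window(times, window_seconds):
    """Largest number of connections whose timestamps fit in one sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_seconds=60):
    """Return per-source counters: {ip: {connections, crc32_alerts, ...}}.

    sshd logs the fatal under the child's PID, so the connection line is
    used to map each PID back to the source address.
    """
    pid_to_ip = {}
    conn_times = defaultdict(list)
    stats = defaultdict(lambda: {"connections": 0, "crc32_alerts": 0,
                                 "corrupted_check": 0, "unauth_timeouts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        conn = CONN_RE.search(msg)
        if conn:
            ip = conn.group("ip")
            pid_to_ip[pid] = ip
            stats[ip]["connections"] += 1
            conn_times[ip].append(parse_time(m.group("ts")))
            continue
        ip = pid_to_ip.get(pid)
        if ip is None:
            continue  # fatal for a PID whose connection line is not in scope
        if CRC32_MSG in msg:
            stats[ip]["crc32_alerts"] += 1
        elif CORRUPT_MSG in msg:
            stats[ip]["corrupted_check"] += 1
        elif TIMEOUT_MSG in msg:
            stats[ip]["unauth_timeouts"] += 1
    for ip in stats:
        stats[ip]["max_burst"] = max_in_window(conn_times[ip], window_seconds)
    return dict(stats)


def verdict(s, burst_threshold=10):
    """Classify one source's counters from most to least specific indicator."""
    if s["crc32_alerts"] or s["corrupted_check"]:
        if s["unauth_timeouts"]:
            return "exploit attempt; a session never authenticated, check for a bound shell"
        return "exploit attempt (detector fired)"
    if s["max_burst"] >= burst_threshold:
        return "connection burst, investigate"
    return "no indicator"


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s, "->", verdict(s))
```

The order of checks in `verdict` matters: the detector message is specific to this attack, whereas a connection burst alone could be a scanner or a broken client, so the burst threshold is only consulted when nothing more specific was seen. The "Timeout before authentication" line by itself is normal; it is the combination with detector fatals from the same source, as in the page's log, that points at a successful run.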
Tcpdump was used here to capture the attack above; the capture is saved in sshdx.dump and can be fed to an IDS to derive attack signatures. If your IDS cannot read tcpdump files, you can use "tcpreplay"[12] to replay the tcpdump capture.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This makes it easy to see the many connections made to the SSH daemon; with the "ngrep"[5] tool one can pick out the final connection and the brute-force attack that inserts the shellcode:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
SSH-1.5-1.2.31.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
SSH-1.5-OpenSSH_2.2.0p1.
T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..
.@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.
T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
T.....
Keywords: distinguishing the SSH crc32 compensation attack detector exploit