New ideas for privilege escalation on Xingwai (星外) hosts & Xingwai security bulletin (privilege-escalation vulnerability) - Vulnerability Warning - Heibai Security Network (黑吧安全网)

2012-05-27T00:00:00
ID MYHACK58:62201234001
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-05-27T00:00:00

Description

Disclaimer: this is not a Xingwai 0day; at best it is only a privilege-escalation idea for the case where no writable and executable directory can be found. I would not claim to be the first to find it; other people may have found it as well and may already be using it.

In fact, countless examples confirm lcx's saying that details decide success or failure. This is just a detail of intrusion and penetration work that I happened to notice. The main text begins below.

It is well known that to escalate privileges successfully on a Xingwai host you need to find a directory that is both writable and executable, but recently Xingwai host directories have been locked down more and more aggressively, and there is almost no directory left that is writable and executable. So another "privilege-escalation idea" appeared: look for file-permission problems in the third-party software installed on the server and replace those files, substituting our cmd.exe or cscript.exe for them to escalate. In my testing I found that some files belonging to commonly used server software carry Everyone full-control permissions: they can be modified, overwritten by uploading a file with the same name, deleted, and, most importantly, executed.

The first is our beloved 360 antivirus.

c:\Program Files\360\360Safe\AntiSection\mutex.db    360 antivirus database file

c:\Program Files\360\360Safe\deepscan\Section\mutex.db    360 antivirus database file

c:\Program Files\360\360sd\Section\mutex.db    360 antivirus database file

c:\Program Files\360\360Safe\deepscan\Section\mutex.db is guaranteed to exist, with Everyone permissions, as long as 360 antivirus is installed. The other two files are not necessarily present.

c:\Program Files\Helicon\ISAPI_Rewrite3\error.log    log file of the URL-rewriting (pseudo-static) software ISAPI_Rewrite

c:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log    log file of the URL-rewriting (pseudo-static) software ISAPI_Rewrite

c:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf    configuration file of the URL-rewriting (pseudo-static) software ISAPI_Rewrite

The permission problem is mainly in ISAPI_Rewrite version 3.0; the older version has not so far been found to have this problem.

c:\Program Files\Common Files\Symantec Shared\Persist.bak    Norton AntiVirus event log file

c:\Program Files\Common Files\Symantec Shared\Validate.dat    Norton AntiVirus event log file

c:\Program Files\Common Files\Symantec Shared\Persist.Dat    Norton AntiVirus event log file

Norton AntiVirus may be limited to a particular version; on my own XP machine I did not find the files above.

The last two files below can also be replaced:

c:\windows\hchiblis.ibl    license file of Huadun (华盾) Server Management Expert

c:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv    DU Meter traffic statistics log file

These are the files I currently know to carry Everyone permissions. Note that even when you have no access to the directory containing the file, the file itself can still be replaced and executed. For example, with D:\Program Files\360\360Safe\deepscan\Section\mutex.db, the directory D:\Program Files\360\360Safe\deepscan\Section is not accessible (listing it from BIN's aspx webshell shows "access denied"), yet the mutex.db file inside it can still be replaced by uploading cmd.exe renamed to mutex.db.

So when you cannot find a writable, executable directory, check whether the server has any of the software above installed: any of these files can be overwritten by uploading a file with the same name, so the original file is replaced by your privilege-escalation file, which can then be executed successfully.

===========================================================================

Incorrectly set directory or file permissions will lead to intrusion!

To solve the problem fundamentally, we recommend that all users upgrade the managed-server installation package to the 2011-3-15 version and enable "ASP.NET strict security mode"; users who have the ASP.NET strict security settings applied are not affected by any of the problems below.

For antivirus software on the server we recommend installing McAfee; please do not reinstall 360, as many versions of 360 have privilege-escalation problems.

On 2011-6-8 Xingwai released a new version of the Xingwai webshell scanning tool (available from the group share or downloadable from the Xingwai back end).

In the scan results we found that the following problems exist on a large number of servers.

File: C:\WINDOWS\TAPI\tsec.ini

Approach: delete this file completely (do not keep it in the Recycle Bin).

360

File: C:\Program Files\360\360sd\Section\mutex.db

File: C:\Program Files\360\360Safe\deepscan\Section\mutex.db

File: C:\Program Files\360\360Safe\AntiSection\mutex.db

Approach: uninstall 360 completely; after uninstalling, delete any files it leaves behind.

Flash:

File: C:\WINDOWS\system32\Macromed\Flash\Flash10q.ocx

Approach: delete it completely (do not keep it in the Recycle Bin); do not install Flash components on the server.

ISAPI_Rewrite3

File: C:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log

File: C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf

File: C:\Program Files\Helicon\ISAPI_Rewrite3\error.log

Approach: change the permissions of these three files to Everyone read-only (no write permission).

DU Meter traffic statistics log file

File: c:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv

Approach: delete it.

Norton

File: c:\Program Files\Common Files\Symantec Shared\Persist.bak

File: c:\Program Files\Common Files\Symantec Shared\Validate.dat

File: c:\Program Files\Common Files\Symantec Shared\Persist.Dat

Approach: uninstall this software completely.

Huadun (华盾)

File: C:\WINDOWS\hchiblis.ibl

Approach: uninstall this filtering software completely; if it cannot be removed for some other reason, its permissions may be changed to Everyone read and write, but Everyone must not have permission to execute it.
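The bulletin's remediation for every item above comes down to one check: does a broad principal (Everyone, Users, Authenticated Users) hold write, delete or full-control rights on a file that a low-privileged web account can reach, and can that account also execute it? The following PowerShell audit script is an added example written for this page; it is not part of the bulletin or of any Xingwai tool. It takes the file paths exactly as the bulletin lists them, reports any allow-ACE that grants a broad principal a write-class right (together with whether execute is also granted, since the escalation described above needs both), and with `-Remediate` resets that principal's explicit grant to read-only, which is the fix the bulletin prescribes for the ISAPI_Rewrite files. It assumes PowerShell 3 or later, that it runs elevated on the server, and that the software lives under C:\ (the text notes the drive letter may be D:\ on some hosts, so adjust `$KnownWeakFiles` accordingly).

```powershell
# Added audit script for the weak-permission files named in the bulletin.
# Not part of the bulletin; assumes PowerShell 3+, run as Administrator.
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, reset each weak grant to read-only via icacls
)

# File paths exactly as listed in the bulletin (adjust the drive letter if needed).
$KnownWeakFiles = @(
    'C:\WINDOWS\TAPI\tsec.ini',
    'C:\Program Files\360\360sd\Section\mutex.db',
    'C:\Program Files\360\360Safe\deepscan\Section\mutex.db',
    'C:\Program Files\360\360Safe\AntiSection\mutex.db',
    'C:\WINDOWS\system32\Macromed\Flash\Flash10q.ocx',
    'C:\Program Files\Helicon\ISAPI_Rewrite3\Rewrite.log',
    'C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf',
    'C:\Program Files\Helicon\ISAPI_Rewrite3\error.log',
    'C:\Documents and Settings\All Users\Application Data\Hagel Technologies\DU Meter\log.csv',
    'C:\Program Files\Common Files\Symantec Shared\Persist.bak',
    'C:\Program Files\Common Files\Symantec Shared\Validate.dat',
    'C:\Program Files\Common Files\Symantec Shared\Persist.Dat',
    'C:\WINDOWS\hchiblis.ibl',
    'C:\7i24.com\iissafe\log\startandiischeck.txt',
    'C:\7i24.com\iissafe\log\scanlog.htm'
)

# Well-known SIDs for Everyone, BUILTIN\Users and Authenticated Users. Matching on
# SIDs rather than names keeps the check correct on non-English Windows.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

# Rights that let a low-privileged account overwrite or remove the file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

$ExecuteRight = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-WeakFileAce {
    # Returns one object per allow-ACE that gives a broad principal a write-class right.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($BroadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Path       = $Path
            Principal  = $ace.IdentityReference.Value
            Sid        = $sid
            Rights     = $ace.FileSystemRights
            CanExecute = (([int]$ace.FileSystemRights -band [int]$ExecuteRight) -ne 0)
            Inherited  = $ace.IsInherited
        }
    }
}

$findings = @($KnownWeakFiles | ForEach-Object { Get-WeakFileAce -Path $_ })
if ($findings.Count -eq 0) {
    Write-Host 'No broad-principal write access found on the listed files.'
} else {
    $findings | Format-Table Path, Principal, Rights, CanExecute, Inherited -AutoSize
}

if ($Remediate) {
    foreach ($f in $findings) {
        # Disable inheritance but keep explicit copies of the current ACEs, then replace
        # the broad principal's grant with read-only (R), as the bulletin recommends.
        # The *SID form lets icacls address the principal independent of its local name.
        & icacls.exe $f.Path /inheritance:d | Out-Null
        & icacls.exe $f.Path /grant:r "*$($f.Sid):R"
    }
}
```

Run it once without `-Remediate` to see the findings; an entry with `CanExecute` set to True on a file under a path reachable by the web account is exactly the condition the escalation in the first half of this page relies on. Because `/grant:r` only touches the named principal, administrators and SYSTEM keep whatever rights they already held. For the files the bulletin says to delete outright (tsec.ini, the 360 mutex.db files, Flash10q.ocx, log.csv) the read-only reset is a stop-gap until the file or product is removed, not a substitute for it.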

Class filter:

File: C:\7i24.com\iissafe\log\startandiischeck.txt

File: C:\7i24.com\iissafe\log\scanlog.htm
