任务名称:未命名
[192.168.0.32]
扫描模块索引
路由信息
开放端口
NetBios信息
Snmp信息
RPC信息
Finger信息
CGI/IIS漏洞
数据库信息
Ftp信息
POP3信息
Smtp信息
Telnet信息
补丁扫描
插件扫描信息
--------------------------------------------------------------------------------
开放端口
开放端口7 [Echo ]
开放端口9 [Discard ]
开放端口13 [Daytime ]
开放端口21 [File Transfer [Control] ]
开放端口23 [Telnet ]
开放端口53 [Domain Name Server ]
开放端口135 [DCE endpoint resolution ]
开放端口443 [https MCom ]
开放端口80 [World Wide Web HTTP ]
开放端口119 [Network News Transfer Protocol ]
开放端口8080[Standard HTTP Proxy ]
开放端口25 [Simple Mail Transfer ]
开放端口110 [Post Office Protocol - Version 3 ]
--------------------------------------------------------------------------------
NetBios信息
网络共享资源
E$
描述:默认共享
类型:IPC$ or Adin$
IPC$
描述:远程 IPC
类型:IPC$ or Adin$
NETLOGON
描述:Logon server share
类型:磁盘
CertConfig
描述:证书服务配置
类型:磁盘
mspclnt
描述:
类型:磁盘
ADMIN$
描述:远程管理
类型:IPC$ or Adin$
SYSVOL
描述:Logon server share
类型:磁盘
用户组列表
用户名列表
--------------------------------------------------------------------------------
Snmp信息
Snmp口令:public
--------------------------------------------------------------------------------
RPC信息
--------------------------------------------------------------------------------
Finger信息
--------------------------------------------------------------------------------
CGI/IIS漏洞
/?PageServices
/default.asp
/?wp-cs-dump
/?wp-html-rend
/?wp-start-ver
/?wp-stop-ver
/?wp-uncheckout
/?wp-usr-prop
/?wp-ver-diff
/?wp-verify-link
/?wp-ver-info
/default.asp%81
--------------------------------------------------------------------------------
数据库信息
SQL SERVER
MySQL
--------------------------------------------------------------------------------
Ftp信息
版本:lztx-cn Microsoft FTP Service (Version 5.0).
支持匿名登陆
--------------------------------------------------------------------------------
POP3信息
版本:cnweb POP3 ready
--------------------------------------------------------------------------------
SMTP信息
版本:cnweb ESMTP ready
无需认证
--------------------------------------------------------------------------------
Telnet信息
--------------------------------------------------------------------------------
插件扫描信息
--------------------------------------------------------------------------------
全部模块扫描完毕
查看统计信息 查看解决方案
--------------------------------------------------
XP系统的引导过程:
1、电源自检程序开始运行
2、主引导记录被装入内存,并且程序开始执行
3、活动分区的引导扇区被装入内存
4、NTLDR从引导扇区被装入并初始化
5、将处理器的实模式改为32位平滑内存模式
6、NTLDR开始运行适当的小文件系统驱动程序。小文件系统驱动程序是建立在NTLDR内部的,它能读FAT或NTFS。
7、NTLDR读boot.ini文件
8、NTLDR装载所选操作系统 (NTLDR文件的说明:NTLDR是一个隐藏的,只读的系统文件,用来装载操作系统。
NTLDR文件的提取:NTLDR文件是WinXP的引导文件,当此文件丢失时启动系统会提示其缺失并要求按任意键重新启动,不能正确进入WinXP系统。在故障恢复控制台下可以提取到该文件,这个文件存在于安装光盘的i386目录中,提取方法如下:
进入系统故障恢复控制台,转到C盘,输入“copy X\I386\NTLDR”(注:这里的X为光驱盘符)并回车,如果系统提示要否覆盖则按下“Y”,之后输入exit命令退出控制台重新启动即可。
)
*如果NT/XP被选择,,NTLDR运行Ntdetect.com
*对于其他的操作系统,NTLDR装载并运行Bootsect.dos然后向它传递控制。
windows NT过程结束。
9.Ntdetect.com 搜索计算机硬件并将列表传送给NTLDR,以便将这些信息写进HKE Y_LOCAL_MACHINEHARDWARE中。
10.然后NTLDR装载Ntoskrnl.exe,Hal.dll和系统信息集合。
11.Ntldr搜索系统信息集合,并装载设备驱动配置以便设备在启动时开始工作
12.Ntldr把控制权交给Ntoskrnl.exe,这时,启动程序结束,装载阶段开始
利用光盘再次安装时进行修复,注意不是要真正安装,在进行到复制文件时即关机退出,然后再重启,重启时按住F8,这时应出现两个XP(或2000)的启动选项,选择原来的XP进入后,处理一下BOOT.ini文件即可,比较麻烦,这是在NTLDR文件没有备份,而又只有一台机子的状况下的处理的办法.
------------------------------------------------------
Options
Advisories
US-CERT Vulnerability Notes Database
Incident Notes
Current Activity
Related
Summaries
Tech Tips
AirCERT
Employment Opportunities
more links
CERT Statistics
Vulnerability Disclosure Policy
CERT Knowledgebase
System Administrator courses
CSIRT courses
Other Sources of Security Information
Channels
Message
Visit wap.cert.org for wireless advisories.
Related Sites
CERT® Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions
Original issue date: November 13, 2002
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Overview
The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse.
We strongly encourage sites that use, redistribute, or mirror the libpcap or tcpdump packages to immediately verify the integrity of their distribution.
I. Description
The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse.
The following distributions were modified to include the malicious code:
tcpdump
md5sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
md5sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
libpcap
md5sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov 11 2002 10:14:00 GMT. The tcpdump development team disabled download of the distributions containing the Trojan horse on Nov 13 2002 15:05:19 GMT. However, the availability of these distributions from mirror sites is unknown. At this time, it does not appear that related projects such as WinPcap and WinDump contain this Trojan horse.
The Trojan horse version of the tcpdump source code distribution contains malicious code that is run when the software is compiled. This code, executed from the tcpdump configure script, will attempt to connect (via wget, lynx, or fetch) to port 80/tcp on a fixed hostname in order to download a shell script named services. In turn, this downloaded shell script is executed to generate a C file (conftes.c), which is subsequently compiled and run.
When executed, conftes.c makes an outbound connection to a fixed IP address (corresponding to the fixed hostname used in the configure script) on port 1963/tcp and reads a single byte. Three possible values for this downloaded byte are checked, each causing conftes.c to respond in different ways:
'A' will cause the Trojan horse to exit
'D' will cause the Trojan to fork itself, spawn a shell, and redirect this shell to the connected IP address (Note that communication to and from this shell is obfuscated by XORing all bytes with the constant 0x89.)
'M' will cause the Trojan horse to close the connection and sleep for 3600 seconds
To mask the activity of this Trojan horse in tcpdump, libpcap, the underlying packet-capture library of tcpdump, has been modified (gencode.c) to explicitly ignore all traffic on port 1963 (i.e., a BPF expression of "not port 1963").
II. Impact
An intruder operating from (or able to impersonate) the remote address specified in the malicious code could gain unauthorized remote access to any host that compiled a version of tcpdump with this Trojan horse. The privilege level under which this malicious code would be executed would be that of the user who compiled the source code.
III. Solution
We encourage sites using libpcap and tcpdump to verify the authenticity of their distribution, regardless of where it was obtained.
Where to get libpcap and tcpdump
While the compromise of these distributions is being investigated, the tcpdump and libpcap maintainers recommend using the following distribution sites:
sourceforge.net/projects/tcpdump/
sourceforge.net/projects/libpcap/
Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
Verifying checksums
The MD5 hashes of the vendor suggested updates for libpcap and tcpdump are as follows:
tcpdump
md5sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
libpcap
md5sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
www.cert.org/incident_notes/IN-2001-06.html
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Conectiva
We have checked all our released libpcap and tcpdump packages and confirmed that they do not contain the trojan code.
Debian
Problematic packages are only distributed in Debian/unstable. I have examined both source packages and they did not contain the trojan code the HLUG reported on their web page. Hence, I guess that Debian distributes safe source.
MontaVista Software, Inc.
We have examined our sources, and our software does not contain this trojan. We are not vulnerable to this advisory.
SuSE
SuSE Linux products are not vulnerable.
--------------------------------------------------------------------------------
Feedback can be directed to the author: Roman Danyliw, Chad Dougherty.
--------------------------------------------------------------------------------
This document is available from: www.cert.org/advisories/CA-2002-30.html
--------------------------------------------------------------------------------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
www.cert.org/
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
--------------------------------------------------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
--------------------------------------------------------------------------------
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
November 13, 2002: Initial release
[192.168.0.32]
扫描模块索引
路由信息
开放端口
NetBios信息
Snmp信息
RPC信息
Finger信息
CGI/IIS漏洞
数据库信息
Ftp信息
POP3信息
Smtp信息
Telnet信息
补丁扫描
插件扫描信息
--------------------------------------------------------------------------------
开放端口
开放端口7 [Echo ]
开放端口9 [Discard ]
开放端口13 [Daytime ]
开放端口21 [File Transfer [Control] ]
开放端口23 [Telnet ]
开放端口53 [Domain Name Server ]
开放端口135 [DCE endpoint resolution ]
开放端口443 [https MCom ]
开放端口80 [World Wide Web HTTP ]
开放端口119 [Network News Transfer Protocol ]
开放端口8080[Standard HTTP Proxy ]
开放端口25 [Simple Mail Transfer ]
开放端口110 [Post Office Protocol - Version 3 ]
--------------------------------------------------------------------------------
NetBios信息
网络共享资源
E$
描述:默认共享
类型:IPC$ or Adin$
IPC$
描述:远程 IPC
类型:IPC$ or Adin$
NETLOGON
描述:Logon server share
类型:磁盘
CertConfig
描述:证书服务配置
类型:磁盘
mspclnt
描述:
类型:磁盘
ADMIN$
描述:远程管理
类型:IPC$ or Adin$
SYSVOL
描述:Logon server share
类型:磁盘
用户组列表
用户名列表
--------------------------------------------------------------------------------
Snmp信息
Snmp口令:public
--------------------------------------------------------------------------------
RPC信息
--------------------------------------------------------------------------------
Finger信息
--------------------------------------------------------------------------------
CGI/IIS漏洞
/?PageServices
/default.asp
/?wp-cs-dump
/?wp-html-rend
/?wp-start-ver
/?wp-stop-ver
/?wp-uncheckout
/?wp-usr-prop
/?wp-ver-diff
/?wp-verify-link
/?wp-ver-info
/default.asp%81
--------------------------------------------------------------------------------
数据库信息
SQL SERVER
MySQL
--------------------------------------------------------------------------------
Ftp信息
版本:lztx-cn Microsoft FTP Service (Version 5.0).
支持匿名登陆
--------------------------------------------------------------------------------
POP3信息
版本:cnweb POP3 ready
--------------------------------------------------------------------------------
SMTP信息
版本:cnweb ESMTP ready
无需认证
--------------------------------------------------------------------------------
Telnet信息
--------------------------------------------------------------------------------
插件扫描信息
--------------------------------------------------------------------------------
全部模块扫描完毕
查看统计信息 查看解决方案
--------------------------------------------------
XP系统的引导过程:
1、电源自检程序开始运行
2、主引导记录被装入内存,并且程序开始执行
3、活动分区的引导扇区被装入内存
4、NTLDR从引导扇区被装入并初始化
5、将处理器的实模式改为32位平滑内存模式
6、NTLDR开始运行适当的小文件系统驱动程序。小文件系统驱动程序是建立在NTLDR内部的,它能读FAT或NTFS。
7、NTLDR读boot.ini文件
8、NTLDR装载所选操作系统 (NTLDR文件的说明:NTLDR是一个隐藏的,只读的系统文件,用来装载操作系统。
NTLDR文件的提取:NTLDR文件是WinXP的引导文件,当此文件丢失时启动系统会提示其缺失并要求按任意键重新启动,不能正确进入WinXP系统。在故障恢复控制台下可以提取到该文件,这个文件存在于安装光盘的i386目录中,提取方法如下:
进入系统故障恢复控制台,转到C盘,输入“copy X\I386\NTLDR”(注:这里的X为光驱盘符)并回车,如果系统提示要否覆盖则按下“Y”,之后输入exit命令退出控制台重新启动即可。
)
*如果NT/XP被选择,,NTLDR运行Ntdetect.com
*对于其他的操作系统,NTLDR装载并运行Bootsect.dos然后向它传递控制。
windows NT过程结束。
9.Ntdetect.com 搜索计算机硬件并将列表传送给NTLDR,以便将这些信息写进HKE Y_LOCAL_MACHINEHARDWARE中。
10.然后NTLDR装载Ntoskrnl.exe,Hal.dll和系统信息集合。
11.Ntldr搜索系统信息集合,并装载设备驱动配置以便设备在启动时开始工作
12.Ntldr把控制权交给Ntoskrnl.exe,这时,启动程序结束,装载阶段开始
利用光盘再次安装时进行修复,注意不是要真正安装,在进行到复制文件时即关机退出,然后再重启,重启时按住F8,这时应出现两个XP(或2000)的启动选项,选择原来的XP进入后,处理一下BOOT.ini文件即可,比较麻烦,这是在NTLDR文件没有备份,而又只有一台机子的状况下的处理的办法.
------------------------------------------------------
Options
Advisories
US-CERT Vulnerability Notes Database
Incident Notes
Current Activity
Related
Summaries
Tech Tips
AirCERT
Employment Opportunities
more links
CERT Statistics
Vulnerability Disclosure Policy
CERT Knowledgebase
System Administrator courses
CSIRT courses
Other Sources of Security Information
Channels
Message
Visit wap.cert.org for wireless advisories.
Related Sites
CERT® Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions
Original issue date: November 13, 2002
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Overview
The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse.
We strongly encourage sites that use, redistribute, or mirror the libpcap or tcpdump packages to immediately verify the integrity of their distribution.
I. Description
The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse.
The following distributions were modified to include the malicious code:
tcpdump
md5sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
md5sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
libpcap
md5sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov 11 2002 10:14:00 GMT. The tcpdump development team disabled download of the distributions containing the Trojan horse on Nov 13 2002 15:05:19 GMT. However, the availability of these distributions from mirror sites is unknown. At this time, it does not appear that related projects such as WinPcap and WinDump contain this Trojan horse.
The Trojan horse version of the tcpdump source code distribution contains malicious code that is run when the software is compiled. This code, executed from the tcpdump configure script, will attempt to connect (via wget, lynx, or fetch) to port 80/tcp on a fixed hostname in order to download a shell script named services. In turn, this downloaded shell script is executed to generate a C file (conftes.c), which is subsequently compiled and run.
When executed, conftes.c makes an outbound connection to a fixed IP address (corresponding to the fixed hostname used in the configure script) on port 1963/tcp and reads a single byte. Three possible values for this downloaded byte are checked, each causing conftes.c to respond in different ways:
'A' will cause the Trojan horse to exit
'D' will cause the Trojan to fork itself, spawn a shell, and redirect this shell to the connected IP address (Note that communication to and from this shell is obfuscated by XORing all bytes with the constant 0x89.)
'M' will cause the Trojan horse to close the connection and sleep for 3600 seconds
To mask the activity of this Trojan horse in tcpdump, libpcap, the underlying packet-capture library of tcpdump, has been modified (gencode.c) to explicitly ignore all traffic on port 1963 (i.e., a BPF expression of "not port 1963").
II. Impact
An intruder operating from (or able to impersonate) the remote address specified in the malicious code could gain unauthorized remote access to any host that compiled a version of tcpdump with this Trojan horse. The privilege level under which this malicious code would be executed would be that of the user who compiled the source code.
III. Solution
We encourage sites using libpcap and tcpdump to verify the authenticity of their distribution, regardless of where it was obtained.
Where to get libpcap and tcpdump
While the compromise of these distributions is being investigated, the tcpdump and libpcap maintainers recommend using the following distribution sites:
sourceforge.net/projects/tcpdump/
sourceforge.net/projects/libpcap/
Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
Verifying checksums
The MD5 hashes of the vendor suggested updates for libpcap and tcpdump are as follows:
tcpdump
md5sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
libpcap
md5sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
www.cert.org/incident_notes/IN-2001-06.html
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Conectiva
We have checked all our released libpcap and tcpdump packages and confirmed that they do not contain the trojan code.
Debian
Problematic packages are only distributed in Debian/unstable. I have examined both source packages and they did not contain the trojan code the HLUG reported on their web page. Hence, I guess that Debian distributes safe source.
MontaVista Software, Inc.
We have examined our sources, and our software does not contain this trojan. We are not vulnerable to this advisory.
SuSE
SuSE Linux products are not vulnerable.
--------------------------------------------------------------------------------
Feedback can be directed to the author: Roman Danyliw, Chad Dougherty.
--------------------------------------------------------------------------------
This document is available from: www.cert.org/advisories/CA-2002-30.html
--------------------------------------------------------------------------------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
www.cert.org/
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
--------------------------------------------------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
--------------------------------------------------------------------------------
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
November 13, 2002: Initial release
回复Comments
{commenttime}{commentauthor}
{CommentUrl}
{commentcontent}