KS3C被黑？能怎样查？

kelvin225

一直连接着桌面的，突然到了注销页面，看了后好像多了个账户，上次那个漏洞怎样查的？系统是DD的
QQ截图20170422223828.png (19.04 KB, 下载次数: 0)

2017-4-22 22:41 上传

点击文件名下载附件

jshkk

是这个吗？

1. #!/usr/bin/python
   
2. 
   
3. import binascii
   
4. import socket
   
5. import argparse
   
6. import struct
   
7. import threading
   
8. 
   
9. 
   
10. # Packets
    
11. negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
    
12. session_setup_request = binascii.unhexlify("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
    
13. tree_connect_request = binascii.unhexlify("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
    
14. trans2_session_setup = binascii.unhexlify("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
    
15. 
    
16. # Arguments
    
17. parser = argparse.ArgumentParser(description="Detect present of DOUBLEPULSAR implant\n\nAuthor: Luke Jennings\nWebsite: https://countercept.com\n推特: @countercept", formatter_class=argparse.RawTextHelpFormatter)
    
18. group = parser.add_mutually_exclusive_group(required=True)
    
19. group.add_argument('--ip', help='Single IP address to check')
    
20. group.add_argument('--file', help='File containing a list of IP addresses to check')
    
21. parser.add_argument('--timeout', help="Timeout on connection for socket in seconds", default=None)
    
22. parser.add_argument('--verbose', help="Verbose output for checking of commands", action='store_true')
    
23. parser.add_argument('--threads', help="Number of connection threads when checking file of IPs (default 10)", default="10")
    
24. 
    
25. args = parser.parse_args()
    
26. ip = args.ip
    
27. filename = args.file
    
28. timeout = args.timeout
    
29. verbose = args.verbose
    
30. num_threads = int(args.threads)
    
31. semaphore = threading.BoundedSemaphore(value=num_threads)
    
32. print_lock = threading.Lock()
    
33. 
    
34. 
    
35. def print_status(ip, message):
    
36.     global print_lock
    
37. 
    
38.     with print_lock:
    
39.         print "[*] [%s] %s" % (ip, message)
    
40. 
    
41. 
    
42. def check_ip(ip):
    
43.     global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose
    
44. 
    
45.     # Connect to socket
    
46.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
47.     s.settimeout(float(timeout) if timeout else None)
    
48.     host = ip
    
49.     port = 445
    
50.     s.connect((host, port))
    
51. 
    
52.     # Send/receive negotiate protocol request
    
53.     if verbose:
    
54.         print_status(ip, "Sending negotation protocol request")
    
55.     s.send(negotiate_protocol_request)
    
56.     s.recv(1024)
    
57. 
    
58.     # Send/receive session setup request
    
59.     if verbose:
    
60.         print_status(ip, "Sending session setup request")
    
61.     s.send(session_setup_request)
    
62.     session_setup_response = s.recv(1024)
    
63. 
    
64.     # Extract user ID from session setup response
    
65.     user_id = session_setup_response[32:34]
    
66.     if verbose:
    
67.         print_status(ip, "User ID = %s" % struct.unpack("<H", user_id)[0])
    
68. 
    
69.     # Replace user ID in tree connect request packet
    
70.     modified_tree_connect_request = list(tree_connect_request)
    
71.     modified_tree_connect_request[32] = user_id[0]
    
72.     modified_tree_connect_request[33] = user_id[1]
    
73.     modified_tree_connect_request = "".join(modified_tree_connect_request)
    
74. 
    
75.     # Send tree connect request
    
76.     if verbose:
    
77.         print_status(ip, "Sending tree connect")
    
78.     s.send(modified_tree_connect_request)
    
79.     tree_connect_response = s.recv(1024)
    
80. 
    
81.     # Extract tree ID from response
    
82.     tree_id = tree_connect_response[28:30]
    
83.     if verbose:
    
84.         print_status(ip, "Tree ID = %s" % struct.unpack("<H", tree_id)[0])
    
85. 
    
86.     # Replace tree ID and user ID in trans2 session setup packet
    
87.     modified_trans2_session_setup = list(trans2_session_setup)
    
88.     modified_trans2_session_setup[28] = tree_id[0]
    
89.     modified_trans2_session_setup[29] = tree_id[1]
    
90.     modified_trans2_session_setup[32] = user_id[0]
    
91.     modified_trans2_session_setup[33] = user_id[1]
    
92.     modified_trans2_session_setup = "".join(modified_trans2_session_setup)
    
93. 
    
94.     # Send trans2 sessions setup request
    
95.     if verbose:
    
96.         print_status(ip, "Sending trans2 session setup")
    
97.     s.send(modified_trans2_session_setup)
    
98.     final_response = s.recv(1024)
    
99. 
    
100.     s.close()
     
101. 
     
102.     # Check for 0x51 response to indicate DOUBLEPULSAR infection
     
103.     if final_response[34] == "\x51":
     
104.         with print_lock:
     
105.             print "[+] [%s] DOUBLEPULSAR DETECTED!!!" % ip
     
106.     else:
     
107.         with print_lock:
     
108.             print "[-] [%s] No presence of DOUBLEPULSAR" % ip
     
109. 
     
110. 
     
111. def threaded_check(ip_address):
     
112.     global semaphore
     
113. 
     
114.     try:
     
115.         check_ip(ip_address)
     
116.     except Exception as e:
     
117.         with print_lock:
     
118.             print "[ERROR] [%s] - %s" % (ip_address, e)
     
119.     finally:
     
120.         semaphore.release()
     
121. 
     
122. 
     
123. if ip:
     
124.     check_ip(ip)
     
125. if filename:
     
126.     with open(filename, "r") as fp:
     
127.         for line in fp:
     
128.             semaphore.acquire()
     
129.             ip_address = line.strip()
     
130.             t = threading.Thread(target=threaded_check, args=(ip_address,))
     
131.             t.start()
     
132. 
     
133. 
     

复制代码