So, first point: find its IP:
Being lazy, I'm using an old text file containing the result of a "dig www.pcteam.posse-press.com":
QUOTE |
; <<>> DiG 9.2.1 <<>> @ns.easynet.fr pcteam.posse-press.com
;; global options: printcmd
;; connection timed out; no servers could be reached
debian:~# dig pcteam.posse-press.com ANY

; <<>> DiG 9.2.1 <<>> pcteam.posse-press.com ANY
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16244
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;pcteam.posse-press.com. IN ANY

;; ANSWER SECTION:
pcteam.posse-press.com. 7200 IN MX 10 relay.siris.net.
pcteam.posse-press.com. 7200 IN A 195.154.234.67

;; AUTHORITY SECTION:
posse-press.com. 7200 IN NS lbind01p.siris.net.
posse-press.com. 7200 IN NS sbind02p.siris.net.

;; ADDITIONAL SECTION:
lbind01p.siris.net. 4746 IN A 194.183.192.98
sbind02p.siris.net. 4746 IN A 194.183.203.185

;; Query time: 1176 msec
;; SERVER: 192.168.0.7#53(192.168.0.7)
;; WHEN: Sun Feb 1 14:37:27 2004
;; MSG SIZE rcvd: 187
|
and then I play around with telnet on the IP shown: 195.154.234.67
QUOTE |
HEAD / HTTP/1.0

HTTP/1.1 302 Found
Date: Fri, 27 Feb 2004 13:17:45 GMT
Server: Apache/1.3.6 (Unix) PHP/4.0.1 mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b
Location: http://pcteam.posse-press.com/
Connection: close
Content-Type: text/html
|
so I know their server and its version (that's good: it's Apache, but not up to date ...)
so I fire up Google: like this
and I get this:
QUOTE |
Shared memory permissions lead to local privilege escalation
CAN-2002-0839
The permissions of the shared memory used for the scoreboard allows an attacker who can execute under the Apache UID to send a signal to any process as root or cause a local denial of service attack.
Affects: 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
|
well, no two ways about it, but hey, lucky I'm not the malicious hacker type ...
anyway, one good point: this time they remembered to keep the posse-press.com domain in DNS so they can receive emails ...
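The banner check the post does by hand, written up as a defender's self-check in an added example (not code from the original post): it parses the HEAD response quoted above, splits the Server banner into product/version pairs, and flags any Apache version that appears in the CAN-2002-0839 affected list quoted above. The sample response is constructed from the post's own output; the function names are my own.

```python
import re
# Constructed sample: the HEAD response quoted in the post, re-joined with CRLF line endings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Fri, 27 Feb 2004 13:17:45 GMT\r\n"
    "Server: Apache/1.3.6 (Unix) PHP/4.0.1 mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b\r\n"
    "Location: http://pcteam.posse-press.com/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# Affected versions exactly as listed in the CAN-2002-0839 advisory text quoted in the post.
CAN_2002_0839_AFFECTED = {
    "1.3.26", "1.3.24", "1.3.22", "1.3.20", "1.3.19", "1.3.17", "1.3.14", "1.3.12",
    "1.3.11", "1.3.9", "1.3.6", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0",
}

def parse_headers(raw):
    """Parse an HTTP/1.x response head into a dict of lower-cased header names -> values."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def server_products(server_header):
    """Split a Server banner into (product, version) pairs; '(Unix)'-style comments are dropped."""
    without_comments = re.sub(r"\([^)]*\)", " ", server_header)
    pairs = []
    for token in without_comments.split():
        name, _, version = token.partition("/")
        pairs.append((name, version or None))
    return pairs

def banner_findings(raw_response):
    """Defender's notes on a response: version disclosure, and an Apache version the quoted advisory lists."""
    findings = []
    server = parse_headers(raw_response).get("server")
    if server is None:
        return findings
    for name, version in server_products(server):
        if version is None:
            continue  # a bare product name (e.g. 'Apache' under ServerTokens Prod) discloses nothing
        findings.append("%s discloses version %s" % (name, version))
        if name == "Apache" and version in CAN_2002_0839_AFFECTED:
            findings.append("Apache %s is in the CAN-2002-0839 affected list" % version)
    return findings
```

Run it against your own server's HEAD response; Apache's ServerTokens directive controls how much of this banner is sent in the first place.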