如何通過strace獲取ftp的用戶名和密碼

原創 1105472011 2019-02-22 15:13

     通過ftp協議傳輸的文件是不加密的,因此可以通過strace或是wireshark分析出ftp登錄的用戶明和密碼,這裏介紹下strace抓取ftp用戶名和密碼的方法

找出ftp進程的pid

wKiom1S8-fyhrGUDAABhKz_NWM0892.jpg

在root用戶下執行

strace -p 31687 -f

然後使用FlashFxp登錄ftp服務器

[pid 32607] recvfrom(0, "USER www\r\n", 4096, MSG_PEEK, NULL, NULL) = 10 
[pid 32607] read(0, "USER www\r\n", 10) = 10 
[pid 32607] write(0, "331 Please specify the password."..., 34) = 34 
[pid 32607] rt_sigaction(SIGALRM, {0x2b49cc8f2ca0, ~[RTMIN RT_1], SA_RESTORER, 0x2b49cdf612d0}, NULL, 8) = 0 
[pid 32607] alarm(300) = 300 
[pid 32607] recvfrom(0, "PASS www34!\r\n", 4096, MSG_PEEK, NULL, NULL) = 13 
[pid 32607] read(0, "PASS www34!\r\n", 13) = 13 
[pid 32607] write(4, "\1", 1) = 1 
[pid 32607] write(4, "\3\0\0\0", 4) = 4 
[pid 32606] <... read resumed> "\1", 1) = 1 
[pid 32607] write(4, "www", 3) = 3 
[pid 32606] read(3, <unfinished ...> 
[pid 32607] write(4, "\6\0\0\0", 4 <unfinished ...> 
[pid 32606] <... read resumed> "\3\0\0\0", 4) = 4 
[pid 32607] <... write resumed> ) = 4 
[pid 32606] read(3, <unfinished ...> 
[pid 32607] write(4, "www34!", 6 <unfinished ...> 
[pid 32606] <... read resumed> "www", 3) = 3 
[pid 32607] <... write resumed> ) = 6 
[pid 32607] write(4, "\0\0\0\0", 4 <unfinished ...> 
[pid 32606] read(3, <unfinished ...> 
[pid 32607] <... write resumed> ) = 4 
[pid 32607] write(4, "\0\0\0\0", 4 <unfinished ...> 
[pid 32606] <... read resumed> "\6\0\0\0", 4) = 4 
[pid 32607] <... write resumed> ) = 4 
[pid 32606] read(3, "www34!", 6) = 6 
[pid 32607] read(4, <unfinished ...> 
[pid 32606] read(3, "\0\0\0\0", 4) = 4 
[pid 32606] read(3, "\0\0\0\0", 4) = 4 
[pid 32606] stat("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 
[pid 32606] open("/etc/pam.d/vsftpd", O_RDONLY) = 5 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=329, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "#%PAM-1.0\nsession optional "..., 4096) = 329 
[pid 32606] open("/lib64/security/pam_keyinit.so", O_RDONLY) = 6 
[pid 32606] read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\7\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(6, {st_mode=S_IFREG|0755, st_size=6808, ...}) = 0 
[pid 32606] mmap(NULL, 2102160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x2b49cfa24000 
[pid 32606] mprotect(0x2b49cfa26000, 2093056, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49cfc25000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x1000) = 0x2b49cfc25000 
[pid 32606] close(6) = 0 
[pid 32606] open("/lib64/security/pam_listfile.so", O_RDONLY) = 6 
[pid 32606] read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\f\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(6, {st_mode=S_IFREG|0755, st_size=10744, ...}) = 0 
[pid 32606] mmap(NULL, 2106072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x2b49cfc26000 
[pid 32606] mprotect(0x2b49cfc28000, 2097152, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49cfe28000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x2000) = 0x2b49cfe28000 
[pid 32606] close(6) = 0 
[pid 32606] open("/lib64/security/pam_shells.so", O_RDONLY) = 6 
[pid 32606] read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\7\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(6, {st_mode=S_IFREG|0755, st_size=5408, ...}) = 0 
[pid 32606] mmap(NULL, 2100736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x2b49cfe29000 
[pid 32606] mprotect(0x2b49cfe2a000, 2093056, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0029000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0) = 0x2b49d0029000 
[pid 32606] close(6) = 0 
[pid 32606] open("/etc/pam.d/system-auth", O_RDONLY) = 6 
[pid 32606] fstat(6, {st_mode=S_IFREG|0644, st_size=844, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49d002a000 
[pid 32606] read(6, "#%PAM-1.0\n# This file is auto-ge"..., 4096) = 844 
[pid 32606] open("/lib64/security/pam_env.so", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\n\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=11504, ...}) = 0 
[pid 32606] mmap(NULL, 2106768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d002b000 
[pid 32606] mprotect(0x2b49d002e000, 2093056, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d022d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x2000) = 0x2b49d022d000 
[pid 32606] close(7) = 0 
[pid 32606] open("/lib64/security/pam_unix.so", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200%\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=48824, ...}) = 0 
[pid 32606] mmap(NULL, 2193416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d022e000 
[pid 32606] mprotect(0x2b49d0239000, 2097152, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0439000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0xb000) = 0x2b49d0439000 
[pid 32606] mmap(0x2b49d043a000, 47112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b49d043a000 
[pid 32606] close(7) = 0 
[pid 32606] open("/etc/ld.so.cache", O_RDONLY) = 7 
[pid 32606] fstat(7, {st_mode=S_IFREG|0644, st_size=147291, ...}) = 0 
[pid 32606] mmap(NULL, 147291, PROT_READ, MAP_PRIVATE, 7, 0) = 0x2b49d0446000 
[pid 32606] close(7) = 0 
[pid 32606] open("/usr/lib64/libcrack.so.2", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@8 S9\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=40904, ...}) = 0 
[pid 32606] mmap(NULL, 2148896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d046a000 
[pid 32606] mprotect(0x2b49d0472000, 2097152, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0672000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x8000) = 0x2b49d0672000 
[pid 32606] mmap(0x2b49d0673000, 14880, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b49d0673000 
[pid 32606] close(7) = 0 
[pid 32606] munmap(0x2b49d0446000, 147291) = 0 
[pid 32606] open("/lib64/security/pam_succeed_if.so", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\v\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=12272, ...}) = 0 
[pid 32606] mmap(NULL, 2107600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d0677000 
[pid 32606] mprotect(0x2b49d067a000, 2093056, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0879000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x2000) = 0x2b49d0879000 
[pid 32606] close(7) = 0 
[pid 32606] open("/lib64/security/pam_deny.so", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\4\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=4040, ...}) = 0 
[pid 32606] mmap(NULL, 2099440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d087a000 
[pid 32606] mprotect(0x2b49d087b000, 2093056, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0a7a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0) = 0x2b49d0a7a000 
[pid 32606] close(7) = 0 
[pid 32606] read(6, "", 4096) = 0 
[pid 32606] close(6) = 0 
[pid 32606] munmap(0x2b49d002a000, 4096) = 0 
[pid 32606] open("/etc/pam.d/system-auth", O_RDONLY) = 6 
[pid 32606] fstat(6, {st_mode=S_IFREG|0644, st_size=844, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49d002a000 
[pid 32606] read(6, "#%PAM-1.0\n# This file is auto-ge"..., 4096) = 844 
[pid 32606] open("/lib64/security/pam_permit.so", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\5\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=4416, ...}) = 0 
[pid 32606] mmap(NULL, 2099744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d0b3e000 
[pid 32606] mprotect(0x2b49d0b3f000, 2093056, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0d3e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0) = 0x2b49d0d3e000 
[pid 32606] close(7) = 0 
[pid 32606] read(6, "", 4096) = 0 
[pid 32606] close(6) = 0 
[pid 32606] munmap(0x2b49d002a000, 4096) = 0 
[pid 32606] open("/etc/pam.d/system-auth", O_RDONLY) = 6 
[pid 32606] fstat(6, {st_mode=S_IFREG|0644, st_size=844, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49d002a000 
[pid 32606] read(6, "#%PAM-1.0\n# This file is auto-ge"..., 4096) = 844 
[pid 32606] open("/lib64/security/pam_limits.so", O_RDONLY) = 7 
[pid 32606] read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\20\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(7, {st_mode=S_IFREG|0755, st_size=15048, ...}) = 0 
[pid 32606] mmap(NULL, 2110376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x2b49d0d3f000 
[pid 32606] mprotect(0x2b49d0d42000, 2097152, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d0f42000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x3000) = 0x2b49d0f42000 
[pid 32606] close(7) = 0 
[pid 32606] read(6, "", 4096) = 0 
[pid 32606] close(6) = 0 
[pid 32606] munmap(0x2b49d002a000, 4096) = 0 
[pid 32606] open("/lib64/security/pam_loginuid.so", O_RDONLY) = 6 
[pid 32606] read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\10\0\0\0\0\0\0"..., 832) = 832 
[pid 32606] fstat(6, {st_mode=S_IFREG|0755, st_size=6584, ...}) = 0 
[pid 32606] mmap(NULL, 2101912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x2b49d0f43000 
[pid 32606] mprotect(0x2b49d0f44000, 2097152, PROT_NONE) = 0 
[pid 32606] mmap(0x2b49d1144000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x1000) = 0x2b49d1144000 
[pid 32606] close(6) = 0 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] open("/etc/pam.d/other", O_RDONLY) = 5 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=154, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "#%PAM-1.0\nauth required "..., 4096) = 154 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] open("/etc/hosts", O_RDONLY) = 5 
[pid 32606] fcntl(5, F_GETFD) = 0 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=261, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "# Do not remove the following li"..., 4096) = 261 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 
[pid 32606] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.96.128.166")}, 28) = 0 
[pid 32606] fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) 
[pid 32606] fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 
[pid 32606] poll([{fd=5, events=POLLOUT}], 1, 0) = 1 ([{fd=5, revents=POLLOUT}]) 
[pid 32606] sendto(5, "oI\1\0\0\1\0\0\0\0\0\0\00282\003246\00296\003132\7in-ad"..., 44, MSG_NOSIGNAL, NULL, 0) = 44 
[pid 32606] poll([{fd=5, events=POLLIN}], 1, 5000) = 0 (Timeout) 
[pid 32606] poll([{fd=5, events=POLLOUT}], 1, 0) = 1 ([{fd=5, revents=POLLOUT}]) 
[pid 32606] sendto(5, "oI\1\0\0\1\0\0\0\0\0\0\00282\003246\00296\003132\7in-ad"..., 44, MSG_NOSIGNAL, NULL, 0) = 44 
[pid 32606] poll([{fd=5, events=POLLIN}], 1, 5000) = 0 (Timeout) 
[pid 32606] close(5) = 0 
[pid 32606] lstat("/etc/vsftpd/ftpusers", {st_mode=S_IFREG|0600, st_size=125, ...}) = 0 
[pid 32606] open("/etc/vsftpd/ftpusers", O_RDONLY) = 5 
[pid 32606] fstat(5, {st_mode=S_IFREG|0600, st_size=125, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "# Users that are not allowed to "..., 4096) = 125 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] open("/etc/passwd", O_RDONLY) = 5 
[pid 32606] fcntl(5, F_GETFD) = 0 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1920 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] getuid() = 0 
[pid 32606] open("/etc/passwd", O_RDONLY) = 5 
[pid 32606] fcntl(5, F_GETFD) = 0 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1920 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] open("/etc/passwd", O_RDONLY) = 5 
[pid 32606] fcntl(5, F_GETFD) = 0 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1920 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] sendto(4, "<81>Jan 19 20:23:55 vsftpd[31687"..., 82, MSG_NOSIGNAL, NULL, 0) = 82 
[pid 32606] access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) 
[pid 32606] open("/var/run/utmp", O_RDONLY) = 5 
[pid 32606] fcntl(5, F_GETFD) = 0 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] lseek(5, 0, SEEK_SET) = 0 
[pid 32606] alarm(0) = 0 
[pid 32606] rt_sigaction(SIGALRM, {0x2b49ce037880, [], SA_RESTORER, 0x2b49cdf612d0}, {0x2b49cc8f2ce0, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x2b49cdf612d0}, 8) = 0 
[pid 32606] alarm(1) = 0 
[pid 32606] fcntl(5, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 
[pid 32606] read(5, "\10\0\0\0\320\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\1\0\0\0005N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\30\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\6\0\0\0\215\24\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\6\0\0\0\216\24\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\6\0\0\0\217\24\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\6\0\0\0\220\24\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\6\0\0\0\221\24\0\0tty5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\5\0\0\0\223\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\5\0\0\0\224\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\7\0\0\0\237}\0\0pts/0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\374v\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\7\0\0\0\342}\0\0pts/2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\7\0\0\0\37\177\0\0pts/3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0o{\0\0pts/4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0>p\0\0pts/5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\233p\0\0pts/6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0D9\0\0pts/7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0z9\0\0pts/8\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\2619\0\0pts/9\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\3239\0\0pts/10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\3719\0\0pts/11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\":\0\0pts/12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0j:\0\0pts/13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "\10\0\0\0\334:\0\0pts/14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 
[pid 32606] read(5, "", 384) = 0 
[pid 32606] fcntl(5, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 
[pid 32606] alarm(0) = 1 
[pid 32606] rt_sigaction(SIGALRM, {0x2b49cc8f2ce0, ~[KILL STOP RTMIN RT_1], SA_RESTORER, 0x2b49cdf612d0}, NULL, 8) = 0 
[pid 32606] close(5) = 0 
[pid 32606] getuid() = 0 
[pid 32606] geteuid() = 0 
[pid 32606] sendto(4, "<85>Jan 19 20:23:55 vsftpd[31687"..., 142, MSG_NOSIGNAL, NULL, 0) = 142 
[pid 32606] open("/etc/passwd", O_RDONLY) = 5 
[pid 32606] fcntl(5, F_GETFD) = 0 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] fstat(5, {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0 
[pid 32606] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b49cc8ff000 
[pid 32606] read(5, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1920 
[pid 32606] read(5, "", 4096) = 0 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cc8ff000, 4096) = 0 
[pid 32606] sendto(4, "<82>Jan 19 20:23:55 vsftpd[31687"..., 107, MSG_NOSIGNAL, NULL, 0) = 107 
[pid 32606] select(0, NULL, NULL, NULL, {1, 835576}) = 0 (Timeout) 
[pid 32606] socket(PF_NETLINK, SOCK_RAW, 9) = 5 
[pid 32606] fcntl(5, F_SETFD, FD_CLOEXEC) = 0 
[pid 32606] socket(PF_NETLINK, SOCK_RAW, 0) = 6 
[pid 32606] bind(6, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 
[pid 32606] getsockname(6, {sa_family=AF_NETLINK, pid=32606, groups=00000000}, [12]) = 0 
[pid 32606] sendto(6, "\24\0\0\0\26\0\1\3]\367\274T\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 
[pid 32606] recvmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0]\367\274T^\177\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128 
[pid 32606] recvmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0]\367\274T^\177\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128 
[pid 32606] recvmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0]\367\274T^\177\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 
[pid 32606] close(6) = 0 
[pid 32606] readlink("/proc/self/exe", "/usr/sbin/vsftpd"..., 4095) = 16 
[pid 32606] sendto(5, "\220\0\0\0L\4\5\0\2\0\0\0\0\0\0\0PAM: authenticat"..., 144, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 144 
[pid 32606] poll([{fd=5, events=POLLIN}], 1, 500) = 1 ([{fd=5, revents=POLLIN}]) 
[pid 32606] recvfrom(5, "$\0\0\0\2\0\0\0\2\0\0\0^\177\0\0\0\0\0\0\220\0\0\0L\4\5\0\2\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 
[pid 32606] recvfrom(5, "$\0\0\0\2\0\0\0\2\0\0\0^\177\0\0\0\0\0\0\220\0\0\0L\4\5\0\2\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 
[pid 32606] close(5) = 0 
[pid 32606] munmap(0x2b49cfa24000, 2102160) = 0 
[pid 32606] munmap(0x2b49cfc26000, 2106072) = 0 
[pid 32606] munmap(0x2b49cfe29000, 2100736) = 0 
[pid 32606] munmap(0x2b49d002b000, 2106768) = 0 
[pid 32606] munmap(0x2b49d022e000, 2193416) = 0 
[pid 32606] munmap(0x2b49d046a000, 2148896) = 0 
[pid 32606] munmap(0x2b49d0677000, 2107600) = 0 
[pid 32606] munmap(0x2b49d087a000, 2099440) = 0 
[pid 32606] munmap(0x2b49d0b3e000, 2099744) = 0 
[pid 32606] munmap(0x2b49d0d3f000, 2110376) = 0 
[pid 32606] munmap(0x2b49d0f43000, 2101912) = 0 
[pid 32606] nanosleep({1, 0}, {1, 0}) = 0 
[pid 32606] write(3, "\2", 1) = 1 
[pid 32606] read(3, <unfinished ...> 
[pid 32607] <... read resumed> "\2", 1) = 1 
[pid 32607] nanosleep({1, 0}, {1, 0}) = 0 
[pid 32607] write(0, "530 Permission denied.\r\n", 24) = 24 
[pid 32607] rt_sigaction(SIGALRM, {0x2b49cc8f2ca0, ~[RTMIN RT_1], SA_RESTORER, 0x2b49cdf612d0}, NULL, 8) = 0 
[pid 32607] alarm(300) = 286

通過以上輸出我們可以分析出,用戶通過username/password www/www34! 登錄ftp服務器,登錄失敗返回530 Permission denied.



發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

strace使用參數

devops 2019-02-23 00:00:48

YumRepo Error: All mirror URLs are not using

lovelei 2019-02-23 13:55:14

在RedHat5中架設基於虛擬用戶的FTP服務器

hkb178149081 2019-02-23 13:53:02

vsftpd的基本學習

Monkey001 2019-02-23 13:22:48

[DC工程項目之ASA5540/5550 Failover測試

aleenlee 2019-02-23 12:55:21

ftp

嘻嘻可愛 2019-02-23 00:41:56

FTP服務

hulong988 2019-02-23 00:41:10

Remote desktop manager安裝使用說明

guozy51 2019-02-23 00:26:15

FTP

yy阿爃呀 2019-02-23 00:19:34

詳解vsftpd搭建ftp和ftps

時光的印記 2019-02-23 00:18:22

Linux下搭建FTP服務器

海底小縱隊 2019-02-23 00:07:30

vsftpd+pam+mysql

echoroot 2019-02-22 23:58:43

FTP

Joah_Li 2019-02-22 23:51:08

ftp: connect: Connection refused 解決方法

a3z2008 2019-02-22 23:32:54

FTP服務搭建

LavenDer7n 2019-02-22 23:22:29