First, I compile an SSH backdoor. This backdoor records users' login passwords in /tmp/xxxxxx.
Start it:
QUOTE:
root@laptop:/usr/local/openssh2/sbin# ps aux | grep sshd
root     13619  0.0  0.3   7432  1752 ?        Ss   23:44   0:00 ./sshd -p 1234
root     13707  0.0  0.2   4292  1328 pts/3    R+   23:58   0:00 grep sshd
Next we use strace to trace the sshd process with pid 13619. The -ff option is very useful here: it follows forked child processes, and together with -o it writes each process's trace to its own file, named aa.<pid>.
QUOTE:
root@laptop:/usr/local/openssh2/sbin# strace -o aa -ff -p 13619
Then we log in over ssh. After a successful login we look at the current directory, where strace has written its output:
QUOTE:
root@laptop:/usr/local/openssh2/sbin# ls
aa        aa.13636  aa.13638  aa.13640  aa.13642  aa.13644  aa.13646  aa.13648  aa.13650  aa.13652  aa.13654  aa.13656  sshd
aa.13635  aa.13637  aa.13639  aa.13641  aa.13643  aa.13645  aa.13647  aa.13649  aa.13651  aa.13653  aa.13655  aa.13657
Now we grep for the open system call, filter out the error lines (No such file), /dev/null, and permission-denied lines, and keep only the WR ones, i.e. files opened in write mode. Since the backdoor has to write the captured password to a file, that file must have been opened for writing. A quick look through the result immediately turns up the odd file /tmp/xxxxxx:
QUOTE:
root@laptop:/usr/local/openssh2/sbin# grep open aa* | grep -v -e No -e null -e denied | grep WR
aa.13635:open("/tmp/xxxxxx", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3
aa.13635:open("/dev/ptmx", O_RDWR) = 3
aa.13635:open("/dev/pts/5", O_RDWR|O_NOCTTY) = 6
aa.13635:open("/var/run/utmp", O_RDWR) = 7
aa.13635:open("/var/log/wtmp", O_WRONLY) = 7
aa.13635:open("/var/log/lastlog", O_RDWR|O_CREAT|O_LARGEFILE, 02000) = 7
aa.13635:open("/var/run/utmp", O_RDWR) = 6
aa.13635:open("/var/log/wtmp", O_WRONLY) = 6
aa.13638:open("/dev/pts/5", O_RDWR|O_LARGEFILE) = 7
aa.13638:open("/dev/tty", O_WRONLY|O_LARGEFILE) = 8
aa.13638:open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
aa.13640:open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
aa.13657:open("/dev/tty", O_RDWR) = 3
With the method above we can do a rough check of whether our sshd has been backdoored. sshd backdoors come in many forms, though. The one I used above is a relatively well-made one: it can be configured not to log passwords at all, and if it is set that way strace probably will not reveal it. But many ssh backdoors also need special configuration files and read special password files, and those are very easy to spot with strace.
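As an added example (not code from the original post), here is a small Python scanner that automates the grep step above: it parses open()/openat() lines from strace -ff output, drops failed opens and read-only opens, ignores the paths an sshd session legitimately writes (utmp, wtmp, lastlog, ptys), and reports whatever is left. The sample lines are constructed from the output above plus an invented denied open and an openat() line; the allowlist of benign paths is an assumption to adjust per system.

```python
import glob
import re
from collections import namedtuple

# Matches open()/openat() lines from strace output, prefixed with the trace
# file name the way grep prints it (e.g. "aa.13635:open(...)").
OPEN_RE = re.compile(
    r'^(?P<src>[^:]+):'                         # trace file name, one per pid
    r'(?:open|openat)\((?:AT_FDCWD, )?'         # openat() carries an extra dirfd
    r'"(?P<path>[^"]*)", (?P<flags>[A-Z_|]+)'   # path and flag set
    r'(?:, [0-7]+)?\)\s*= (?P<ret>-?\d+)'       # optional mode, return value
)

# Assumed allowlist: paths an sshd session is expected to open for writing.
BENIGN_WRITE_PREFIXES = ("/dev/pts/", "/dev/ptmx", "/dev/tty", "/dev/null",
                         "/var/run/utmp", "/var/log/wtmp", "/var/log/lastlog",
                         "/var/log/btmp")

Finding = namedtuple("Finding", "trace path flags")

def suspicious_writes(lines):
    """Return successful write-mode opens whose path is not on the allowlist."""
    findings = []
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        if int(m.group("ret")) < 0:                 # ENOENT / EACCES lines are noise
            continue
        flags = set(m.group("flags").split("|"))
        if not flags & {"O_WRONLY", "O_RDWR"}:      # read-only opens cannot store a password
            continue
        path = m.group("path")
        if path.startswith(BENIGN_WRITE_PREFIXES):
            continue
        findings.append(Finding(m.group("src"), path, m.group("flags")))
    return findings

def scan_trace_files(pattern="aa.*"):
    """Scan real strace -ff output files, prefixing lines with the file name as grep does."""
    lines = []
    for name in sorted(glob.glob(pattern)):
        with open(name) as fh:
            lines.extend(f"{name}:{entry}" for entry in fh)
    return suspicious_writes(lines)

# Constructed sample: lines taken from the trace above plus two invented ones.
SAMPLE_TRACE = [
    'aa.13635:open("/tmp/xxxxxx", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3',
    'aa.13635:open("/dev/ptmx", O_RDWR) = 3',
    'aa.13635:open("/var/run/utmp", O_RDWR) = 7',
    'aa.13635:open("/etc/ssh/sshd_config", O_RDONLY) = 4',
    'aa.13640:open("/var/log/secure", O_WRONLY|O_APPEND) = -1 EACCES (Permission denied)',
    'aa.13657:openat(AT_FDCWD, "/var/tmp/.cache", O_WRONLY|O_CREAT|O_APPEND, 0666) = 5',
]
```

Running `suspicious_writes(SAMPLE_TRACE)` yields only the /tmp/xxxxxx and /var/tmp/.cache opens; `scan_trace_files()` applies the same filter to the aa.* files in the current directory.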
[via@m0r5/3est]