Quote:
[root@victim root]# /sbin/ttymon
[root@victim root]# /sbin/ttymon --help
[root@victim root]# /sbin/ttymon -h
|
Being difficult? Then strings it is. I've left out some of the useless lines here.
Quote:
[root@victim root]# strings /sbin/ttymon
Usage: %s
Ports are set to send and receive on port 179
dst: Destination Address
src: Source Address
size: Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
num: packets
Could not resolve %s fucknut
ICMP
jess
tc: unknown host
3.3.3.3
mservers
lamersucks
skillz
ttymon
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
|
Searching on its keywords, it's not hard to find that ttymon should be a modified DDoS program, something for hitting routers; it seems this guy has pretty big ambitions.
Quote:
Daemonic.c is a theoretical router based denial of service attack that exploits a weakness within the Border Gateway Protocol (BGP). If a malicious user sends spoofed malformed packets to a neighboring router, the peer will ignore it and possibly kill the session entirely. Written on a Ultra 5 running Linux Zoot, this has been compiled on Linux, OpenBSD, Solaris without problems.
|
The program is at http://packetstormsecurity.org/0008-exploits/daemonic.c. Out of curiosity about this fellow's ambitions, I downloaded it and compiled it myself.
Quote:
[fatb@baoz ~]$ ./a
Daemonic - BGP Killer [Theories in DoS] www.AntiOffline.com/TID/
Usage: ./a
Ports are set to send and receive on port 179
radd: Address of router running BGP [victim]
sradd: Source address of neighbor router running BGP [attacker]
bgsize: Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
num: pulverizations per second
|
Compare the two in two places. First, what running the program directly returns: the former (ttymon) prints nothing at all, while the latter (the compiled daemonic) prints its usage. Second, the strings output: the former clearly contains a lot more, and I'd guess the extra part at the end includes the control password. More importantly, this ttymon opened a raw socket to listen for packets, and that raw socket must be the channel through which it receives the controller's commands and carries out the corresponding DDoS operations. The rest I'll leave to your imagination, heh.
Quote:
[root@victim root]# file /etc/sh.conf
/etc/sh.conf: ASCII text
[root@victim root]# cat /etc/sh.conf
6465d1b20c0c4cd408e34e68e630bc7a  -
|
This should be the ssh password after md5.
What follows is from t0rn V8. It's past twelve and I haven't eaten; I'm not in the mood to chase this low-grade rootkit any further, and I don't really want to know what's in here either. Probably the ssh password after encoding, just my guess.
Quote:
[root@victim root]# file /dev/srd0
/dev/srd0: ASCII text
[root@victim root]# cat /dev/srd0
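The two steps above, diffing the suspect binary's strings against a clean build and then trying the leftover strings against the hash in /etc/sh.conf, as an added shell example that is not part of the original post. The two strings lists are constructed from the outputs quoted above (the "reference" list stands in for `strings` run on the freshly compiled daemonic, which the post does not show). The hash check assumes, as the author guesses, that sh.conf holds a plain md5 of the password; because the `  -` suffix is what `md5sum` prints for stdin, the password was most likely hashed with `echo`, so each candidate is tried both with and without a trailing newline.

```shell
#!/bin/sh
# Added example, not code from the original post.
# 1. extra_strings: strings present in the suspect binary but not in a clean build
# 2. crack_md5: try those strings as plaintexts for an md5sum-style hash
set -eu

# extra_strings REFERENCE_LIST SUSPECT_LIST
# Prints lines that appear only in SUSPECT_LIST (sorted, duplicates removed).
# Temp files are used instead of <(...) so this stays POSIX sh.
extra_strings() {
    ref_sorted=$(mktemp); sus_sorted=$(mktemp)
    sort -u "$1" > "$ref_sorted"
    sort -u "$2" > "$sus_sorted"
    comm -13 "$ref_sorted" "$sus_sorted"
    rm -f "$ref_sorted" "$sus_sorted"
}

# crack_md5 TARGET_HASH WORDLIST
# Hashes every word twice, as printf '%s' (no newline) and as echo would
# (trailing newline), since "md5sum" on "echo password" includes the newline.
# Prints the matching word and returns 0, or returns 1 when nothing matches.
crack_md5() {
    target=$1
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        h_raw=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        h_nl=$(printf '%s\n' "$word" | md5sum | cut -d' ' -f1)
        if [ "$h_raw" = "$target" ] || [ "$h_nl" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed sample data, taken from the outputs quoted in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/reference.txt" <<'EOF'
Usage: %s
Ports are set to send and receive on port 179
Could not resolve %s fucknut
ICMP
EOF
cat > "$demo_dir/ttymon.txt" <<'EOF'
Usage: %s
Ports are set to send and receive on port 179
dst: Destination Address
src: Source Address
size: Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
num: packets
Could not resolve %s fucknut
ICMP
jess
tc: unknown host
3.3.3.3
mservers
lamersucks
skillz
ttymon
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
EOF

echo "== strings only in ttymon =="
extra_strings "$demo_dir/reference.txt" "$demo_dir/ttymon.txt" | tee "$demo_dir/candidates.txt"

# The hash from /etc/sh.conf; the candidate list is the extra strings above.
sh_conf_hash=6465d1b20c0c4cd408e34e68e630bc7a
echo "== trying candidates against $sh_conf_hash =="
if crack_md5 "$sh_conf_hash" "$demo_dir/candidates.txt"; then
    echo "match found"
else
    echo "no candidate matched; extend the wordlist"
fi
rm -rf "$demo_dir"
```

On the real box, feed `extra_strings` the output of `strings` on the seized binary and on a build of daemonic.c from the same source tree; strings that survive the diff are the attacker's additions (hostnames, passwords, C2 addresses), which is exactly the set worth trying against sh.conf before reaching for a full wordlist.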
j+JNfnYdtqa7trq6gh+4ixPhLDBbLT6Ku5uVVJ/mxxzobTlPUCEeEzdxglyNos
4IvejtbRNdAMxP/d7NhBeFseisPX5oloDE5z1e2ZjQtsM
S0uF0BrCRaiyuNhbD+TxyiCkfPxeS6/f3KYGvy0+9uf96H
ZCHbJRHzwU0BoEWZW66Kw9fmiWgMTnPV7ZmNC2ww
DrWCrrUVHlVO0ETRpEzDLr4+eRoYKQ4cF1IYuZIuKJvpL8
u0zFWEQVd4aHHRV8MZ6Kw9fmiWgMTnPV7ZmNC2ww
m8Y0WvJzHApXJkPWqGlLXkQEgP7I+Z00g5rfl4JVTHHVS3
ccyoWJvoHxARS2Az4+6Kw9fmiWgMTnPV7ZmNC2ww
Nx2BGzQcgwNk5wkHvIbDS+akciYGKpBOpkfbml2dEhlnyl
baCJUtkIZtodypSCex6Kw9fmiWgMTnPV7ZmNC2ww
7Tuu8KGtjaBucg6CylE0jLx5gHLMf67ZIFShF/vnuKNoRf
JqqJhR5/4k+4vDqwlW6Kw9fmiWgMTnPV7ZmNC2ww
aeC6nDWmqSBSLAn74IG+scDyaeQhcyttGosc5AHjaJjsS7
dk2xyaySZVyBz4xsJLvejtbRNdAMxP/d7NhBeFseisPX5o
loDE5z1e2ZjQtsM
Z1Adpyun9XhDlWlkphlGxvqi7D+VzU2gaIcSV3F5SvtUf
b9WXOCPgW4fLKozFRr18GdivriXhV99Urg+qyUS5OisPX
5oloDE5z1e2ZjQtsM
XnGWwt8gbkh3WioGunOBNlnN29dPwkm4N1UqS3mZ7V5C2D
SuxCWu5vgapmla+YFx6Kw9fmiWgMTnPV7ZmNC2ww
+KrS/TlnD5nr0P/iOvN/aN+jWY2xtLoIpAN70/2NlvfnnA
pDPhNqf9Y82i7BX/UHVWRY+R8hmtWPTN9aYJrjduisPX5oloDE5z1e2ZjQtsM
|
Moving on: this is his lair, SHV5's default directory. The contents are the usual stuff; .backup holds the original ELF programs, and later we just cp them back and we're done.
Quote:
[root@victim root]# ls -alh /usr/lib/libsh
total 104K
drwxr-xr-x    6 root root 4.0K Nov 17 16:45 .
drwxr-xr-x  133 root root  68K Nov 18 10:13 ..
drwxr-xr-x    2 root root 4.0K Nov  8 19:33 .backup
-rwxr-xr-x    1 1221 1142 2.4K Jan 30  2006 .bashrc
-rwxr-xr-x    1 1221 1142 1.8K Feb 19  2003 hide
drwxr-xr-x    2 root root 4.0K Nov  8 19:33 .owned
-rwxr-xr-x    1 1221 1142 1.3K Feb 19  2003 shsb
drwxr-xr-x    2 root root 4.0K Nov  8 19:33 .sniff
drwxr-xr-x    2 root root 4.0K Feb 19  2003 utils
[root@victim root]# ls /usr/lib/libsh/.backup/
dir  find  ifconfig  ls  lsof  md5sum  netstat  ps  pstree  slocate  top
|
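The restore step described above, as an added shell example that is not part of the original post. Rather than blindly copying .backup over the live system, it first lists which live binaries actually differ from their backup copies and preserves the trojaned copies as evidence before restoring. Assumptions: BACKUP_DIR holds files named after the commands they replace (as /usr/lib/libsh/.backup does), LIVE_DIR is one directory such as /bin, so on a real system you run it once per directory, and the MD5 variable points at a trusted md5sum, since the rootkit's own md5sum is in the .backup list and the live one cannot be trusted. The .backup copies themselves are only as trustworthy as the attacker; confirm the result against the package manager (for instance `rpm -V`) afterwards.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Compare live binaries with a rootkit's .backup directory, keep the trojaned
# copies as evidence, and restore the originals.
set -eu

# Use a trusted md5sum (e.g. from a rescue CD): MD5=/mnt/cdrom/bin/md5sum ./this.sh
MD5=${MD5:-md5sum}

# checksum FILE -> md5 hex digest
checksum() {
    "$MD5" "$1" | cut -d' ' -f1
}

# trojaned_binaries BACKUP_DIR LIVE_DIR
# Prints "NAME LIVE_PATH" for every backup whose live counterpart differs,
# or "NAME MISSING" when there is no live file of that name.
trojaned_binaries() {
    backup=$1; live=$2
    for f in "$backup"/*; do
        name=$(basename "$f")
        target="$live/$name"
        if [ ! -f "$target" ]; then
            printf '%s MISSING\n' "$name"
            continue
        fi
        if [ "$(checksum "$f")" != "$(checksum "$target")" ]; then
            printf '%s %s\n' "$name" "$target"
        fi
    done
}

# restore_from_backup BACKUP_DIR LIVE_DIR EVIDENCE_DIR
# For each differing binary: save the live (trojaned) copy into EVIDENCE_DIR
# with its timestamps (cp -p), then put the backup copy back in place.
restore_from_backup() {
    backup=$1; live=$2; evidence=$3
    mkdir -p "$evidence"
    trojaned_binaries "$backup" "$live" | while read -r name target; do
        if [ "$target" = MISSING ]; then
            continue
        fi
        cp -p "$target" "$evidence/$name.trojaned"
        cp -p "$backup/$name" "$target"
    done
}

# Constructed demo tree standing in for /bin and /usr/lib/libsh/.backup.
demo=$(mktemp -d)
mkdir -p "$demo/live" "$demo/backup"
printf 'original ls\n'  > "$demo/backup/ls"
printf 'trojaned ls\n'  > "$demo/live/ls"      # replaced by the rootkit
printf 'original ps\n'  > "$demo/backup/ps"
printf 'original ps\n'  > "$demo/live/ps"      # untouched
printf 'original top\n' > "$demo/backup/top"   # no live copy in this dir

echo "== differing binaries =="
trojaned_binaries "$demo/backup" "$demo/live"
restore_from_backup "$demo/backup" "$demo/live" "$demo/evidence"
echo "== after restore =="
trojaned_binaries "$demo/backup" "$demo/live"
ls "$demo/evidence"
rm -rf "$demo"
```

A "MISSING" entry usually means the binary lives in another directory (top in /usr/bin rather than /bin), so run the check against each directory the rootkit touched; anything still reported as differing after restore, or any binary the package manager still flags, means the .backup copy was not the original either.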