Unable to authentificate using the PAM backdoor on CentOS 6.x

[bogdanstoica35]

I have succesfully installed vlany on a clean centos box (a kvm vps), centos 6.8 x64 distro with the latest updates (the minimal install). Nothing else is running on that vps since is was specifically created to test your rootkit.

I am using sh ssh.sh username localhost port (it connects to the sshd daemon to the backdoor ssh port specified during rootkit install). But the user/pass combination always fails.

Any help would be really appreciated!

Keep developing this really nice rootkit!

[unixfox]

Already reported here: #5 (comment)

[mempodippy]

Apologies. Will look at version changes more in-depth tomorrow. Only went on small assumptions. :/
unixfox, the issue still stands... I do have a solution to fix the problem, but there is a better solution than an easy fix which I would rather choose over the prior option. I'll see what happens...
Will resolve this small mistake on my behalf tomorrow.

[bogdanstoica35]

Thank you. Is there other method to remotely connect to a server where the rk was installed except for the ssh? I mean like connectin from my linux box to the server? Also when using the ssh backdoor port are there any logs saved?

[bogdanstoica35]

Btw until the ssh/pam backdoor is fixed, how can I connect to the the sever where the rk was installed using netcat supposing low port is 10000 and high port is 10004 (that was configured during rk install)

Thanks again!

[bogdanstoica35]

Not sure if you have changed anything in the rootkit but know the error changed (I have used the latest version from github a new fresh centos 6 vps minimal install)

root@pve1:/opt# ./ssh.sh bogdan 172.16.100.50 8197
Connecting to PAM backdoor @ host 172.16.100.50 on hidden PAM port 8197 as sweed29
Press enter to continue
sweed29@172.16.100.50's password:
sweed29@172.16.100.50's password:
Failed to connect. bind probably still alive - wait a minute and try again.

I thought is good to share this information with you.

PS: How do I connect using netcat to get a shell?

[mempodippy]

The bug might actually be fixed. I ran into this bug a couple of times using ssh.sh to connect, but could connect without it, suggesting ssh.sh is the perpetrator in this situation.. I'd always fix it locally and forget to update it on the repo. Pull the latest commit and try again.

If you can install a web server (shouldn't be done in a real situation if there's not already one installed) and use the snodew backdoor, it will give you a reverse root shell assuming suid bins aren't disabled on the box. The accept backdoor doesn't work in most situations. Since the accept backdoor is somewhat deprecated, I'd like to only work on the accept backdoor if it's absolutely vital - but in time I probably will make updates and improvements to it.
nc -p [source_port] [host] [service port]
Of course, add the --ssl flag if you installed the backdoor to go through SSL.

Edit: I'm working on my own local version, and I'm making significant changes to it. Said changes are mostly optimisation, couple of changes to hooks and functions, may just resolve and improve the accept backdoor while I'm doing that.

[bogdanstoica35]

root@pve1:/opt# sh ssh.sh sweed29 172.16.100.51 8197
Connecting to PAM backdoor @ host 172.16.100.51 on hidden PAM port 8197 as sweed29
Press enter to continuessh.sh: 15: read: arg count
root@pve1:/opt# sweed29@172.16.100.51's password:
Permission denied, please try again.
sweed29@172.16.100.51's password:
Permission denied, please try again.
sweed29@172.16.100.51's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

For some reason now it tries to login using the private key. I have checked and I have no private key generated for that user on my local box and user sweed29 does not actually exist on the remote box (where to rootkit is installed).

I have managed to connect using the nc -p 10000 host 22 (there is no web server installed) but that shell seems to be limited to just a few commands. So I really think that a working ssh backdoor is the way to go.

Thank you for all your efforts. Maybe I am not doing something right but it's still not working.

I have spinned a new clean centos 6.8 minimal install vm and got the source from git, and installed (I have destroyed the previous vm).

[unixfox]

@bogdanstoica35 It isn't trying to authenticate using private key, the listing at the end (Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)) is just the authentications methods available for your openssh server.

@mempodippy Did you tried to install vlany on CentOS 5.11 because it doesn't want to install because of this error:

Traceback (most recent call last):
  File "config.py", line 11, in ?
    print "Usage: {0} <install> <lib name> <xattr 1> <xattr 2> <username> <plaintext password> <pam port> <ssl backdoor status> <accept shell password> <low> <high> <execve password> <environ var> <ptrace bug status>".format(sys.argv[0])
AttributeError: 'str' object has no attribute 'format'
Configuration failed. Exiting.

I think it's because the python version of CentOS 5 is a bit old (Python 2.4.3 (#1, Jan 9 2013, 06:47:03)) and str.format is available since python 2.6 (http://stackoverflow.com/a/792745/4297304).

[mempodippy]

That's annoying... Will update a fix to that problem soon.

[unixfox]

@mempodippy I fixed the issue (#14), I'm currently testing if vlany is working fine on CentOS 5.11.

[unixfox]

It fails on Configuration failed. Exiting. without additional errors, really strange... I think it get stuck with the config.py program.
PS: I'm using the config.py with my fix.

[mempodippy]

config.py uses str.format very frequently, especially when setting up const.h.
It'll take about 5-10 minutes to replace the uses of str.format with the older compatible method of formatting strings, it just looks nasty lol..
unixfox, give me a second, check email. 😄

[unixfox]

@mempodippy There are so many lol, I'll try convert them tomorrow (it's 1am UTC+1 for me) because it fails too with a quick try (5a7d300).

[mempodippy]

Appreciated, and it's quite late here too. Will be up later so I'll probably catch up on small changes and work on my local version a bit.