Suddenly I found a backdoor on our servers, left by our dedicated server provider. I will not say its name, because we already talked to them, got a big discount and solved this issue.
If their engineer pressed Alt+UpArrow on the console, he got a root shell, without any login record showing up in lastlog. Alt+UpArrow is the key combination that makes init run the kbrequest entry of /etc/inittab, and because getty is told here to run /bin/bash directly instead of login, nothing is ever written to wtmp or lastlog. All that is needed is access to the console (local or remote).
dump-utmp helps 🙂 (it dumps the raw wtmp records, so you can see what lastlog does not show):
r: ~ #aptitude install acct
r: ~ # dump-utmp /var/log/wtmp
And here is the backdoor:
r: ~ # cat /etc/inittab | grep kbre
#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."
kb::kbrequest:/sbin/getty -n -l /bin/bash tty12 115200
r: ~ #
How to remove it:
#!/bin/sh
# For every host in the first column of `mkipsec -l` (ANSI colour codes stripped,
# the ":" turned into a space, newlines turned into spaces so the words do not
# run together), take the part after the last dot as the ssh target and comment
# out the active kbrequest entry there.
for v in `mkipsec -l | awk '{print $1}' | sed s/:/\ / | tr '\n' ' ' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]//g"`;
do
  s=`echo "$v" | sed 's/.*\.//'`;
  printf "%s :\n" "$s";
  # Anchor on ^kb:: so an already-commented line is not commented twice;
  # `telinit q` makes sysvinit re-read inittab, so the entry stops working right away.
  ssh -q -t "$s" "sed -i 's/^kb::/#kb::/' /etc/inittab && telinit q";
done
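As an added example (this is not part of the original post and not the provider's or my tooling), here is a small POSIX sh audit that does the same check on an inittab file: it lists the active kbrequest entries, flags the ones that hand out a shell without going through login (getty with `-l <shell>`, as above, or a shell started directly), and produces a copy with those entries commented out. It runs against a constructed sample inittab written to a temp file so it can be tried offline; point `find_kbrequest_shells` at /etc/inittab on a sysvinit box to audit a real one.

```shell
#!/bin/sh
# Added example, not from the original post: audit an inittab for kbrequest
# entries that give out a shell, and emit a copy with them commented out.

# Constructed sample inittab (not a real file from any server); prints its path.
make_sample_inittab() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."
kb::kbrequest:/sbin/getty -n -l /bin/bash tty12 115200
1:2345:respawn:/sbin/getty 38400 tty1
EOF
  printf '%s\n' "$f"
}

# Print every active (uncommented) kbrequest entry of the given inittab as
# "id:process". Exit status 0 if at least one was found, 1 otherwise.
find_kbrequest_shells() {
  awk -F: '
    /^[[:space:]]*#/ { next }                        # comment line
    NF >= 4 && $3 == "kbrequest" {
      proc = $4
      for (i = 5; i <= NF; i++) proc = proc ":" $i   # process field may contain ":"
      print $1 ":" proc
      found = 1
    }
    END { exit !found }
  ' "$1"
}

# Does this "id:process" entry bypass login?  True for getty started with
# "-l <shell>" (the trick in the post) or for a shell run directly.  Crude
# pattern match, meant to point a human at the line, not to replace reading it.
is_login_bypass() {
  case "$1" in
    *getty*' -l '*/bin/*sh*) return 0 ;;
    *:/bin/sh*|*:/bin/bash*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the inittab to stdout with all active kbrequest entries commented out.
# On a live sysvinit system, save the result over /etc/inittab and run
# `telinit q` so init re-reads it.
disable_kbrequest() {
  sed -E 's/^([^#:][^:]*:[^:]*:kbrequest:)/#\1/' "$1"
}

# Stand-alone demo on the constructed sample.
f=$(make_sample_inittab)
echo "== active kbrequest entries in $f"
find_kbrequest_shells "$f" | while IFS= read -r e; do
  if is_login_bypass "$e"; then echo "LOGIN BYPASS: $e"; else echo "review: $e"; fi
done
echo "== kbrequest lines after disable_kbrequest"
disable_kbrequest "$f" | grep kbrequest
rm -f "$f"
```

The detection looks only at the third field, so it catches a kbrequest entry regardless of its id or runlevels; the `-l` check is what separates "getty spawns login as usual" from "getty spawns a shell with no authentication and no wtmp record".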