Created
September 13, 2020 13:40
Detect PAM backdoors created by linux-pam-backdoor
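#!/bin/bash
# Detect PAM backdoors created by linux-pam-backdoor:
# https://github.com/zephrax/linux-pam-backdoor
#
# Usage: ./linux-pam-backdoor-detect [path/to/pam_unix.so]
#   With no argument, /lib/x86_64-linux-gnu/security/pam_unix.so is checked.
#   Pass the path explicitly on systems that install PAM modules elsewhere,
#   or to examine a copy taken from another host.
#
# Note: this will likely only work with PAM version 1.3.0.
# ---
# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word
# Automatic PAM Backdoor
# PAM Version: 1.3.0
# Password: some_s3cr3t_p455word
# ...
# Backdoor created.
# Now copy the generated ./pam_unix.so to the right directory (usually /lib/security/)
# ...
# $ ./linux-pam-backdoor-detect
# Checking /lib/x86_64-linux-gnu/security/pam_unix.so ...
# Found possible backdoor password: some_s3cr3t_p455word
# ---
# bcoles
#
# How the check works: the printable strings of the module are searched for
# two log messages, "bad username [%s]" and "auth could not identify password
# for". If the string that follows the first is also the string that precedes
# the second, exactly one string sits between them, and that string is
# reported as the possible backdoor password.
#
# Reading the result:
#   - "No backdoor found" only means this one string layout was not seen. It
#     says nothing about other modifications; compare the module against the
#     package manager's record as well (for example `dpkg --verify` or
#     `rpm -V`).
#   - A reported string should be handled as a live credential until the
#     module has been replaced, so keep this output out of shared logs.
#
# Exit status: 0 when the check ran (either result, as before), 2 when it
# could not be carried out (module unreadable, strings(1) missing, or the
# two log messages not present, e.g. a different PAM version).

set -u

readonly DEFAULT_PAM_UNIX="/lib/x86_64-linux-gnu/security/pam_unix.so"
readonly MARKER_BEFORE='bad username [%s]'
readonly MARKER_AFTER='auth could not identify password for'

#######################################
# Look for a single extra string between the two pam_unix log messages.
# Globals:   MARKER_BEFORE, MARKER_AFTER (read)
# Arguments: $1 - path to the pam_unix.so file to examine
# Outputs:   progress and verdict on stdout, "Inconclusive: ..." on stderr
# Returns:   0 if the comparison was made, 2 if it could not be made
#######################################
check_pam_unix() {
  local target=$1
  local dump start end

  printf '%s\n' "Checking ${target} ..."

  if ! command -v strings >/dev/null 2>&1; then
    printf 'Inconclusive: strings(1) is not available\n' >&2
    return 2
  fi
  if [[ ! -r "${target}" ]]; then
    printf 'Inconclusive: cannot read %s\n' "${target}" >&2
    return 2
  fi

  # Extract once; both lookups below work on the same snapshot of the file.
  if ! dump="$(strings "${target}")"; then
    printf 'Inconclusive: strings failed on %s\n' "${target}" >&2
    return 2
  fi

  # Without both markers the comparison below is meaningless: two empty
  # results would compare equal and be reported as a (blank) password.
  if ! grep -qF -- "${MARKER_BEFORE}" <<<"${dump}" ||
    ! grep -qF -- "${MARKER_AFTER}" <<<"${dump}"; then
    printf 'Inconclusive: expected log messages not found in %s (different PAM version?)\n' \
      "${target}" >&2
    return 2
  fi

  # String right after the first marker, and string right before the second.
  start="$(grep -F -A 1 -- "${MARKER_BEFORE}" <<<"${dump}" | tail -n 1)"
  end="$(grep -F -B 1 -- "${MARKER_AFTER}" <<<"${dump}" | head -n 1)"

  if [[ -n "${start}" && "${start}" == "${end}" ]]; then
    printf '%s\n' "Found possible backdoor password: ${start}"
  else
    printf '%s\n' "No backdoor found"
  fi
  return 0
}

check_pam_unix "${1:-${DEFAULT_PAM_UNIX}}"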