The main task after gaining access to an attacked machine is to be persistent. After all, access can be lost due to a reboot of the attacked system, loss of credentials, or blocking of remote access. This scenario uses a bunch of C, systemd and ingenuity.
The program inserts the public key into authorized_keys and deletes the key if it finds a match. At the moment this scenario conditions the use of a systemd-timer. I originally chose the binary name php7-session-clean because in my opinion it integrates inconspicuously into the usual logic when used with the systemd-timer. Clean PHP session files.
- Edit the
config/const.hfile and change the values to your desired values. - Run
make. - Move the binary file to the captured machine.
- Hide for example in
/bin/and run the timer. - Prepare systemd configuration files to your liking.
- Profit =)
You can use your fantasy and change the name of the binary to your taste π₯
- I don't claim to be a super inventive idea or concept π£
- I understand that any average administrator will be able to detect this anomaly π§ββοΈ
- The code was created for academic purposes in learning C π©βπ
- If you want to help, improve, suggest, correct, do it! π
- Give me u star for me β