Histórico de comandos inesperados do servidor Ubuntu

4

Efetue login no meu servidor Ubuntu (15.10) e quando eu verificar o histórico de comandos, vejo alguns deles:

echo Execute SU command begin: && export LANG=en_EN.UTF-8 && su root -c "echo Start command:; /tmp/.sudo_bootstrapd1e403b3-7668-45eb-95a0-78ba6a39c722.sh -a myaccount;echo End command:" && echo Execute SU command end:

Eu deveria estar preocupado?

    
por Luis Zuniga 01.03.2016 / 17:56

1 resposta

3

Eu vi um comportamento semelhante. Consegui pegar uma cópia do arquivo em /tmp antes de ser excluído.

/tmp/.sudo_bootstrap173ee73d-6e31-4a25-85d4-45e73f900a32.sh
#!/bin/sh
#
# Script for adding and removing user from /etc/sudoers file used by sudo
# for bootstrapping perl soap framework 
# NOTES:
# This code assuming that user being added to sudo file has been already created

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
export PATH

SUDOERS_PATH='/etc /usr/local/etc'
SUDOERS="sudoers"
# FIXME: XXX Add getting owner and perms from file before editing?
MKTEMP_TEMPLATE='/tmp/tmp.XXXXXX'
DEFAULT_MODE="440"
DEFAULT_OWNER="root:root"

#ALLOWED_BINS='perl '
SUDOERS_LOCK_POSTFIX=".lock"
SUDOERS_POSTFIX=' ALL=(root) NOPASSWD: ALL'

err() {
    echo "ERROR: $*" >&2
    exit 1
}

usage() {
    err  "Usage: $0 [-r|-a] username"
    exit 1
}

set_def_perms_on_file() {
    chmod ${DEFAULT_MODE} $1 || err "Can't chmod $1"

    chown ${DEFAULT_OWNER} $1 || err "Can't chown $1"
}

while getopts r:a: _option
do  case "$_option" in
    r)  username="$OPTARG"
        remove=1 ;;
    a)  username="$OPTARG"
        add=1   ;;
    [?]) err "Usage: $0 [-r|-a] username" ;;
    esac
done

# Sanity check for options
if [ -n "$remove" -a -n "$add" ]; then
    usage
elif [ -z "$remove" -a -z "$add" ]; then
    usage
elif [ -z "$username" ]; then
    usage
fi

# Check username for UNIX user name regex
if ! echo $username | grep "^[A-Za-z][A-Za-z0-9_\.\-]*\$*$" >/dev/null 2>&1; then
    err "Supplied username ($username) doesn't match regex"
fi

# Searching sudoers file
for _dir in ${SUDOERS_PATH}; do
    if [ -f "$_dir/$SUDOERS" ]; then
        found_sudoers="$_dir/$SUDOERS"
        break
    fi
done

if [ -z "$found_sudoers" ]; then
    err "Can't find sudoers file"
# Checking if visudo doesn't support 'q' and 'c' flags
elif visudo -qc 2>&1 | grep 'usage' >/dev/null 2>&1; then
    break
elif ! visudo -qc > /dev/null 2>&1; then
    err "$found_sudoers has invalid syntax"
fi

# Sudoers lock file for simu access
sudoers_lock="${found_sudoers}${SUDOERS_LOCK_POSTFIX}"

while [ -f ${sudoers_lock} ]; do
    sleep 1
done   

trap "rm -f ${sudoers_lock}; exit $?" INT TERM EXIT

touch ${sudoers_lock} || err "Can't create lock file: ${sudoers_lock}"

# Default entry
DEFAULTS_OPTION="Defaults"
REQUIRE_TTY_OPTION="requiretty"

default_tty_entry="${DEFAULTS_OPTION}   ${REQUIRE_TTY_OPTION}"
veeam_tty_entry="#.*#Veeam Commented"
user_tty_entry="${DEFAULTS_OPTION}:${username} !${REQUIRE_TTY_OPTION}"
grep_user_tty_entry='echo "${user_tty_entry}" | sed 's/\*/\\*/g'' # Escape '*'

# Sudoers entry
sudoers_entry="$username ${SUDOERS_POSTFIX}"
grep_sudoers_entry='echo "${sudoers_entry}" | sed 's/\*/\\*/g'' # Escape '*'

# Uncommenting if commented by us (deprecated)
if grep "^${veeam_tty_entry}" ${found_sudoers} >/dev/null 2>&1; then
    _tempfile='mktemp -q  ${MKTEMP_TEMPLATE}' || \
    err "Can't create temporary file for disabling requretty option"

    sed -e "s/${veeam_tty_entry}/${default_tty_entry}/g" ${found_sudoers} > ${_tempfile} || \
    err "Can't write substituted sudoers to $_tempfile"

    mv $_tempfile $found_sudoers || err "Can't move $_tempfile to $found_sudoers"
    set_def_perms_on_file $found_sudoers
fi

if [ -n "$add" ]; then
    # Add Defaults:user !requiretty
    if ! grep "^${grep_user_tty_entry}" ${found_sudoers} >/dev/null 2>&1; then
        echo "${user_tty_entry}" >> $found_sudoers || err "Can't add entry to $found_sudoers"
    fi

    # Add rights
    if ! grep "$grep_sudoers_entry" $found_sudoers >/dev/null 2>&1; then
        echo "${sudoers_entry}" >> $found_sudoers || err "Can't add entry to $found_sudoers"
    fi
elif [ -n "$remove"  ]; then 
    _tempfile='mktemp -q  ${MKTEMP_TEMPLATE}' || \
    err "Can't create temporary file" 

    grep -v -e "${grep_sudoers_entry}" -e "${grep_user_tty_entry}" $found_sudoers > $_tempfile || \
    err "Can't write to $_tempfile"

    mv $_tempfile $found_sudoers || err "Can't move $_tempfile to $found_sudoers"
    set_def_perms_on_file $found_sudoers
fi

rm -f ${sudoers_lock} || err "Can't remove lock file: ${sudoers_lock}"
trap - INT TERM EXIT

# Checking if visudo doesn't support 'q' and 'c' flags
if visudo -qc 2>&1 | grep 'usage' >/dev/null 2>&1 ; then
    break   
elif ! visudo -qc > /dev/null 2>&1; then
    err "Syntax of $found_sudoers is wrong"
fi

Como mencionado nos comentários, parece que a Veeam está usando para obter acesso root.

    
por mwfearnley 30.01.2017 / 13:49