Wednesday, March 9, 2011

Lair: Linux backdoors and log tools

Breaking into Linux systems is something many intruders start out with, and it is also one reason the technical bar is higher. Let's take a look at some of the classic tools commonly used.

1. Getting in: backdoors and connection tools

(1) HTTPTunnel

"Tunnel" means just that, and HTTPTunnel is usually understood as a tunnel inside HTTP. Its principle is to disguise data as HTTP traffic so that it passes through the firewall: it creates a bidirectional virtual data connection inside HTTP requests. Put more simply, a conversion program is set up on each side of the firewall, and the packets that need to be sent or received are encapsulated in HTTP request format to get across the firewall, so no other proxy server is required and the traffic passes straight through. HTTPTunnel consists of two programs: htc, the client, and hts, the server side. Let's see how they are used. For example, the machine running the FTP service has IP 192.168.10.231, the local machine is 192.168.10.226, and because of the firewall the local machine cannot connect to the FTP site. This is where HTTPTunnel can be considered.

Step 1: start the HTTPTunnel client on the local machine. Running netstat on the local machine now shows port 8888 in the listening state.

Step 2: start the HTTPTunnel server side on the remote machine with the command "hts -F localhost:21 80". This means that all data for that machine's own port 21 is carried through port 80, and port 80 is opened as the relay's listening port. Running netstat on that machine shows port 80 now also listening.

Step 3: on the local machine, connect with FTP to port 8888 of the local machine, and you will find yourself connected to the other machine. So why is 127.0.0.1 shown rather than 192.168.10.231? Because we connected to this computer: port 8888 is never seen by the firewall at all, and without outbound packets of its own the LAN firewall certainly knows nothing about it.
Now, when you connect to local port 8888, the FTP packets, whether control information or data, are disguised by htc as HTTP packets and sent across; to the firewall this is normal data, so the firewall has in effect been deceived. It is important to note that this trick makes use of the other machine: hts is started there, and the service it provides, such as FTP, is redirected to port 80, which the firewall allows, thereby bypassing the firewall. Someone may of course ask: if the other machine already runs a WWW service, meaning it is already listening on port 80, won't there be a conflict? The advantage of HTTPTunnel lies precisely in the fact that even if port 80 was already open on that machine, it is no problem now; the tunnel redirects the service freely!

(2) Tcp_wrapper

Tcp_wrapper is free software developed by Wietse Venema. There is a little story behind its birth. Around 1990 the server at the author's university was repeatedly broken into by a foreign hacker, and because the victim host's hard drive was repeatedly wiped with "rm -rf /", finding clues was extremely difficult, until one night the author noticed by chance, while working, that the hacker kept sending finger requests to the victim host. From this an idea was born: design a piece of software that could intercept the IP, username and so on of whoever launched the finger request. Venema quickly got to work, and Tcp_wrapper was the result. Since then, with its wide range of applications, Tcp_wrapper has become a standard security tool. Through it an administrator can monitor and filter inetd services.
After Tcp_wrapper is compiled and installed successfully, it produces a program called tcpd, which can take the place of in.telnetd in the inetd.conf control file. Then, whenever a telnet connection request arrives, tcpd intercepts the request and reads the access control files set up by the administrator; if the request meets the requirements, it hands the connection over to the real in.telnetd program, which completes the rest. If the IP that initiated the connection does not conform to the settings in the access control files, the connection request is interrupted and the telnet service is refused. Tcp_wrapper's access control relies on two files: hosts.allow and hosts.deny. If we edit the /etc/syslog.conf file and add a logging entry, i.e.:

# tcp wrapper log
local3.info    /var/log/tcplog

then after saving the file, the file /var/log/tcplog will be generated. Pay attention to the file's read/write permissions: only root should have read and write access to it. Then run "ps -ef | grep syslogd" to find the process number of syslogd, and "kill -HUP" that process to restart syslogd so that the changes take effect. Here we can take a look in advance at what the generated tcplog file will contain, as follows:

Jul 31 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
Jul 31 22:04:58 www.test.org in.ftpd[6606]: connect from 10.68.32.3
Aug  2 02:11:07 www.test.org in.rshd[13660]: connect from 10.68.32.5
Aug  2 02:11:07 www.test.org in.rlogind[13659]: connect from 10.68.32.1

From the above we can see that on a host with Tcp_wrapper installed, every connection to the system is recorded by Tcp_wrapper, including the time, service, status, IP and so on. This is of great reference value to an attacker; however, be sure to remember to clear the log.

(3) Rootkit tools: LRK

Rootkits appeared in the early 1990s; they are tools used by an attacker to hide their tracks and retain root access.
Typically, an attacker gains access to the system by a remote attack or by password guessing. The attacker then installs a rootkit on the compromised host, and afterwards checks through the rootkit's backdoor whether other users are logged in to the system; if only he is, the attacker starts cleaning up the relevant information in the logs. Using the rootkit's sniffer to capture other users' names and passwords, the attacker can leverage this information to get into other systems. If an attacker is able to install the rootkit correctly and clean up the log files reasonably well, the system administrator will find it very difficult to detect that the system has been penetrated, until one day another administrator contacts him, or the sniffer log fills the disk, and he notices that disaster has already struck. Moreover, during system recovery and clean-up, the most commonly used commands such as ps, df and ls can no longer be trusted. Many rootkits contain a program called FIX: before installing the rootkit, the attacker can use this program to take a snapshot of the system binaries, then install the replacement programs. FIX makes the replacement program fake the three timestamps (mtime, ctime and atime), date, permissions, owning user and group membership of the original. If an attacker can use these fine tools accurately and behaves prudently when installing the rootkit, the system administrator will find it very hard to discover anything. Here we present a very typical rootkit for Linux systems, LRK version 6. Linux Rootkit 6 is an open source rootkit; after years of development Linux Rootkit has become more and more complete, with more and more features. Below we briefly describe the various tools Linux Rootkit contains. First, hiding the intruder's whereabouts. In order to hide the intruder's whereabouts, the author of LinuxRootkitIV, Michael Myers, ingeniously prepared a number of replacements for system commands; these programs replace the original system commands in order to hide the intruder.
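The paragraph above makes the defender's problem clear: once ls, ps and ifconfig have been replaced, and FIX has forged the timestamps and ownership of the replacements, the usual commands cannot be trusted. The following checks are an added example (not code from the original post or from any rootkit or tool it names) that rely on things a user-land rootkit's trojaned binaries do not control: the SHA-256 of the binary's content (FIX can forge mtime/ctime/atime but not the hash), the raw /proc directory listing compared with what ps reports, and the kernel's interface flags in /sys rather than ifconfig's output. The list of watched binaries and the baseline storage are placeholders; a real baseline must come from known-good media and be kept off the host.

```python
"""Defender-side checks against a user-land rootkit of the LRK kind.

Added example, not from the original post. The trojaned ls/ps/ifconfig lie, so
these checks use file content hashes, the /proc listing and /sys interface flags.
"""
import hashlib
import os
import subprocess

IFF_PROMISC = 0x100  # promiscuous-mode bit, from <linux/if.h>


def sha256_of(path):
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record content hashes of trusted binaries (take them from clean media;
    FIX forges timestamps and ownership, but cannot forge the hash)."""
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline):
    """Return {path: 'missing' | 'modified'} for every binary that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
    return findings


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: a trojaned ps hides them."""
    return sorted(set(proc_pids) - set(ps_pids))


def promisc_interfaces(flags_by_iface):
    """Interfaces whose kernel flags have IFF_PROMISC set, whatever ifconfig prints.
    flags_by_iface maps interface name -> hex string as read from /sys/class/net/<if>/flags."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if int(flags, 16) & IFF_PROMISC)


def live_proc_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def live_ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_iface_flags():
    base = "/sys/class/net"
    return {n: open(os.path.join(base, n, "flags")).read().strip() for n in os.listdir(base)}


if __name__ == "__main__":
    # Placeholder watch list: the binaries LRK replaces that exist on this host.
    watched = ["/bin/ls", "/bin/ps", "/usr/bin/find", "/usr/bin/du", "/bin/netstat"]
    baseline = build_baseline([p for p in watched if os.path.exists(p)])
    print("baseline:", baseline)
    print("changed:", check_baseline(baseline))
    # Two samples are intersected because processes start and exit between the
    # /proc listing and the ps run; a PID missing from ps in both samples is suspicious.
    first = hidden_pids(live_proc_pids(), live_ps_pids())
    second = hidden_pids(live_proc_pids(), live_ps_pids())
    print("hidden pids:", sorted(set(first) & set(second)))
    print("promiscuous:", promisc_interfaces(live_iface_flags()))
```

These checks defeat user-land replacements only: a kernel-module rootkit can filter /proc and /sys as well, so the hashes should be compared from a boot of known-good media when that is suspected.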
Linux Rootkit's replacement programs include the following:

ls, find, du: these programs prevent the intruder's files from being shown and from being counted in disk usage. Before compiling, the intruder can set their own file list in ROOTKIT_FILES_FILE; the default is /dev/ptyr. Note that if the SHOWFLAG option is used at compile time, "ls -/" lists all files. The program also automatically hides all files named ptyr, hack.dir and W4r3z.
ps, top, pidof: these programs hide all processes related to the intruder.
netstat: hides network data flows to or from the specified IP addresses or port ranges.
killall: does not kill the intruder's hidden processes.
ifconfig: if the intruder has launched a sniffer, this program prevents the PROMISC flag from being displayed, so that the system administrator cannot discover that the network interface is in promiscuous mode.
crontab: hides the attacker's crontab entries.
tcpd: does not log certain connections.
syslogd: filters certain connections out of the log.

Secondly, backdoors. Trojan programs can provide backdoors for local users, and Trojaned network service programs can provide backdoors for remote users, with backdoor versions of inetd, rsh, ssh and other services. As versions have been upgraded, LinuxRootkitIV's features have become more and more powerful and rich. They generally include the following:

chfn: local user privilege escalation program. Run chfn and it prompts for a new user name; if the user enters the rootkit password, privileges are elevated to root.
chsh: local user privilege escalation program. Run chsh and it prompts for a new shell; if the user enters the rootkit password, privileges are elevated to root.
passwd: the same as the two programs above. At the prompt for a new password, entering the rootkit password gives root privileges.
login: allows logging in to any account using the rootkit password. If login with the root account is refused, you can try rewt.
When the backdoor is used, this program also suppresses logging and command history.
inetd: Trojaned inetd program, providing the attacker with a remote access service.
rshd: provides the attacker with a remote shell service; a command of the form "rsh -l rootkitpasswOrd host command" starts a remote root shell.
sshd: the attacker's backdoor ssh service.

Utility programs. All the programs above that do not fall into a type can be grouped into this category, which implements features such as log cleanup, packet sniffing and remote shell port binding. It includes:

fix: fakes file attributes.
linsniffer: packet sniffer program.
sniffchk: a simple bash shell script that checks whether the sniffer is running on the system.
z2: utmp/wtmp/lastlog log cleanup tool. It can delete all entries for a user name from the utmp/wtmp/lastlog log files. However, on a Linux system you need to modify its source code manually to set the location of the log files.
bindshell: binds a shell service to a port, 12497 by default, providing shell service to a remote attacker.

(4) netcat

This is a simple and useful tool that can read and write data over TCP or UDP network connections. It is designed to be a stable backdoor tool that can easily be driven directly by other programs and scripts. At the same time it is also a powerful network debugging and exploration tool, able to establish almost every type of network connection you need, with several very interesting built-in capabilities.

2. Finding traces under Linux: log tools

A sophisticated attacker, after entering a system, should also be aware of the "clues" he leaves and clear these marks, and therefore needs to know about some of the log tools.
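The tcplog records shown under Tcp_wrapper above are exactly the kind of trace this section is about: time, service, status and source IP of every wrapped connection. As an added example (not code from the original post or from Tcp_wrapper itself), the script below parses those lines, counts connections per service and per source, and flags sources outside a trusted network. The sample input is constructed from the page's own lines plus one refused connection from a documentation address (tcpd logs denied connections as "refused connect from"); the trusted network is an assumption.

```python
"""Parse tcpd 'connect from' records from a tcplog file and summarize them.

Added example, not from the original post or from Tcp_wrapper.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input: the tcplog lines from the post plus one refused
# connection from a documentation-range address.
SAMPLE_TCPLOG = """\
Jul 31 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
Jul 31 22:04:58 www.test.org in.ftpd[6606]: connect from 10.68.32.3
Aug  2 02:11:07 www.test.org in.rshd[13660]: connect from 10.68.32.5
Aug  2 02:11:07 www.test.org in.rlogind[13659]: connect from 10.68.32.1
Aug  2 02:12:30 www.test.org in.telnetd[13702]: refused connect from 192.0.2.44
"""

# tcpd writes "<service>[<pid>]: connect from <host>" or "... refused connect from <host>".
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<service>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<refused>refused\s+)?connect from\s+(?P<src>\S+)\s*$"
)


def parse_tcplog(text):
    """Return one dict per well-formed tcpd line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "timestamp": f"{m['month']} {int(m['day']):2d} {m['time']}",
            "host": m["host"],
            "service": m["service"],
            "pid": int(m["pid"]),
            "src": m["src"],
            "refused": m["refused"] is not None,
        })
    return events


def _in_net(src, net):
    try:
        return ipaddress.ip_address(src) in net
    except ValueError:  # tcpd logs a hostname when reverse DNS resolves; treat as untrusted
        return False


def summarize(events, trusted_net):
    """Count connections per service and per source, and flag sources outside trusted_net."""
    net = ipaddress.ip_network(trusted_net)
    return {
        "by_service": Counter(e["service"] for e in events),
        "by_src": Counter(e["src"] for e in events),
        "untrusted": sorted({e["src"] for e in events if not _in_net(e["src"], net)}),
        "refused": [e for e in events if e["refused"]],
    }


if __name__ == "__main__":
    evs = parse_tcplog(SAMPLE_TCPLOG)
    s = summarize(evs, "10.68.32.0/24")  # assumed trusted LAN
    for service, n in s["by_service"].most_common():
        print(f"{service:12s} {n}")
    print("untrusted sources:", s["untrusted"])
    for e in s["refused"]:
        print("refused:", e["timestamp"], e["service"], e["src"])
```

Run against the real /var/log/tcplog by reading the file instead of SAMPLE_TCPLOG; because the rootkit's tcpd and syslogd can drop entries, a gap in an otherwise steady stream of connects is itself worth noting.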
(1) logcheck

logcheck can check log files automatically, periodically examining them to identify violations of security rules and anomalies. It removes normal log information, keeps the problematic entries, and then emails that information to the system administrator. logcheck's logtail program remembers the position in the log file up to which it has already read, and starts processing new log information from that position. logcheck consists mainly of the following key files:

logcheck.sh: the executable script file; it records which log files logcheck checks, and so on. We can run it from crontab at set times.
logcheck.hacking: the first pattern file logcheck checks. This and the following files are processed in order from top to bottom. This file describes patterns of intrusion activity.
logcheck.violations: this file describes patterns of activity that are contrary to common sense. Its priority is lower than that of the pattern file above.
logcheck.violations.ignore: this file is the counterpart of logcheck.violations above; it is the pattern file for problems we are not concerned with.
logcheck.ignore: this is the last pattern file checked. If a line matches none of the first three pattern files and does not match this one either, it is output to the report.
logtail: records log file information. The first time logcheck runs, it reads the entire content of the related log files; logtail then places a logfile.offset file in the log directory for each log file of interest, so that the next check starts from this offset. When logcheck.sh runs, the content that was not ignored is sent by mail to the system administrator specified in logcheck.sh.

(2) logrotate

Generally, Linux distributions come with this tool. It automates log rotation and deletes the oldest saved logs. Its configuration file is /etc/logrotate.conf, in which we can set the log rotation period, the number of log backups to keep, how to back up the logs, and so on.
In the /etc/logrotate.d directory are the log rotation settings files of individual tools, syslog and so on; these files specify how /etc/logrotate.conf rotates their logs, and you can add other files here to rotate the logs of other services.

(3) swatch

swatch is a real-time log monitoring tool; we can set up the events we are interested in. swatch has two modes of operation: one checks a log once it is complete, the other continuously monitors new information in the log. swatch provides a number of notification methods, including email notification, ringing the bell, terminal output, various colours and so on. Before installation you must make sure the system supports perl. The heart of swatch is its configuration file, a text file that tells swatch which log to monitor, which triggers to look for, and what action to perform when a trigger fires. When swatch finds a match for a regular expression defined in its triggers, it performs the notification procedure defined in swatchrc.

Of course, the software described above is only a few beautiful shells from the sea of Linux; as more users join the ranks of Linux, we believe there will be more and more excellent hacks, which in turn will promote the gradual maturing of the Linux operating system. We shall wait and see.
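To make the ordering of logcheck's pattern files under (1) concrete, here is an added example (not code from the original post or from the logcheck project) of one checking pass: a logtail-style offset that resumes where the last run stopped and starts over when the file has been rotated, and the four pattern sets walked in order, hacking, violations minus violations.ignore, then ignore, with everything else reported as unusual. The pattern lists stand in for the four pattern files, and the log lines and patterns are constructed for the example; the line mentioning the rootkit account name rewt from the LRK section shows how a hacking pattern catches a login attempt against it.

```python
"""A minimal logcheck-style pass: logtail offset plus ordered pattern files.

Added example, not from the original post or the logcheck project.
"""
import re

# Constructed pattern sets standing in for logcheck.hacking, logcheck.violations,
# logcheck.violations.ignore and logcheck.ignore (one regex per line, as logcheck uses).
HACKING = [r"LOGIN FAILURE.*rewt", r"refused connect from"]
VIOLATIONS = [r"su:.*FAILED", r"sshd.*Failed password", r"sudo:.*COMMAND"]
VIOLATIONS_IGNORE = [r"sudo: +backup .*COMMAND=/usr/bin/rsync"]
# violations.ignore only excuses the violation class; to silence a line entirely
# the same pattern must also appear in logcheck.ignore, as logcheck itself requires.
IGNORE = [
    r"CRON\[\d+\]: \(\w+\) CMD",
    r"in\.telnetd\[\d+\]: connect from 10\.68\.32\.",
    r"sudo: +backup .*COMMAND=/usr/bin/rsync",
]

# Constructed sample log: tcplog-style lines plus a few syslog entries.
SAMPLE_LOG = b"""\
Jul 31 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
Jul 31 22:01:00 www.test.org CRON[4370]: (root) CMD (run-parts /etc/cron.hourly)
Jul 31 22:02:10 www.test.org su: FAILED su for root by alice
Jul 31 22:03:05 www.test.org sudo:   backup : TTY=pts/0 ; COMMAND=/usr/bin/rsync
Jul 31 22:04:58 www.test.org in.ftpd[6606]: refused connect from 192.0.2.44
Jul 31 22:05:10 www.test.org login[6610]: LOGIN FAILURE FROM 192.0.2.44, rewt
Jul 31 22:06:00 www.test.org kernel: eth0: device enters promiscuous mode
"""


def compile_all(patterns):
    return [re.compile(p) for p in patterns]


def logtail(log_bytes, offset):
    """Like logcheck's logtail: return the lines after `offset` and the new offset.
    A file shorter than the saved offset has been rotated, so read it from the start."""
    if offset > len(log_bytes):
        offset = 0
    return log_bytes[offset:].decode().splitlines(), len(log_bytes)


def classify(line, hacking, violations, violations_ignore, ignore):
    """Category for one line, walking the pattern files in logcheck's order.
    Returns None for lines that only match logcheck.ignore (dropped from the report)."""
    if any(p.search(line) for p in hacking):
        return "ACTIVE SYSTEM ATTACK"
    if any(p.search(line) for p in violations) and not any(p.search(line) for p in violations_ignore):
        return "SECURITY VIOLATION"
    if any(p.search(line) for p in ignore):
        return None
    return "UNUSUAL"


def run_check(log_bytes, offset):
    """One logcheck.sh-style pass over the log content; returns (report, new_offset)."""
    compiled = (compile_all(HACKING), compile_all(VIOLATIONS),
                compile_all(VIOLATIONS_IGNORE), compile_all(IGNORE))
    lines, new_offset = logtail(log_bytes, offset)
    report = {"ACTIVE SYSTEM ATTACK": [], "SECURITY VIOLATION": [], "UNUSUAL": []}
    for line in lines:
        category = classify(line, *compiled)
        if category:
            report[category].append(line)
    return report, new_offset


if __name__ == "__main__":
    report, offset = run_check(SAMPLE_LOG, 0)   # first run: whole file
    for category, lines in report.items():
        print(f"== {category} ({len(lines)})")
        for line in lines:
            print("  " + line)
    report, offset = run_check(SAMPLE_LOG, offset)  # nothing new since the saved offset
    print("second run reported:", sum(len(v) for v in report.values()), "lines")
```

The offset would be persisted to a logfile.offset file next to the log, as logcheck does; the report dictionary is what logcheck.sh would mail to the administrator, with the unusual section catching lines, like the promiscuous-mode message, that no pattern anticipated.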
