Finding a hacker's footprints on a UNIX system
Article type: Programming technical articles. Posted: October 3, 2002, 15:22
Many people think that, among operating systems, UNIX is a safe one. But no system can be guaranteed absolutely safe; every system has places where a hacker can take root and multiply, and UNIX is no exception. To protect the network, besides implementing the routine security measures, you should keep checking whether your system really is safe and whether a hacker has already been a visitor. The following describes how to look for hacker footprints using common system commands.

1. Use the w command to view system information

$ w
 9:01pm  up 10:08,  1 user,  load average: 0.08, 0.06, 0.05
User     tty       login@   idle   JCPU   PCPU  what
notes    console   10:54am  9days  28:04  23:29 /usr/dt/bin/dtscreen -mode blank
notes    pts/2     10:54am  10:07               /sbin/sh
notes    pts/4     10:54am  10:06               /sbin/sh
notes    pts/5     10:56am   9:59               /sbin/sh

The first line shows the time at which the w command was issued, how long the system has been up, and how many users are logged in. The last three numbers are the load average, that is, how heavily the system's resources are being used: the first (0.08) is the average load over the last minute, and the other two are the averages over the last 5 and 15 minutes. Note: when someone is guessing passwords, the load average rises noticeably.

2. Process accounting

A UNIX system can be configured so that the kernel writes a record for every process that terminates. The reports generated from these records are called process accounting. They include the resources each process used and the name of the command executed, together with the user who ran it and whether the process used super-user privileges. System administrators can use process accounting to charge users for machine time on the basis of CPU time, and can also use it to see which commands have been executed.
Process accounting and auditing are two different things: auditing monitors security-sensitive events. Process accounting does not record the arguments of the commands executed, so you cannot tell which file was modified, or even whether the command succeeded. Even so, the system administrator can still find clues in the accounting records. System V-based and BSD-based systems use different process accounting mechanisms, and the commands differ.

2.1 System V accounting

In System V the process accounting records are kept in the file /usr/adm/pacct. root starts process accounting by running /usr/lib/acct/startup. Daily handling of the accounting information is done by the runacct command, which also condenses the pacct file; monthly processing is done by the shell script monacct. Both programs live in /usr/lib/acct. The acctcom command searches the contents of pacct and generates reports. For example, to find all the commands run by the user tommy between 10:00 and 11:30:
$ acctcom -u tommy -s 10:00 -e 11:30
START BEF: Sat Oct 10 11:30:00 1998
END AFTER: Sat Oct 10 10:00:00 1998
COMMAND                       START    END       REAL    CPU    MEAN
NAME     USER     TTYNAME     TIME     TIME     (SECS)  (SECS) SIZE(K)
cat      tommy    pts/3     11:01:13 11:01:13    0.02    0.02  492.00
mail     tommy    pts/3     11:01:13 11:01:13    0.02    0.02  876.00
clear    tommy    pts/3     11:01:14 11:01:14    0.03    0.01  744.00
ls       tommy    pts/3     11:01:16 11:01:16    0.03    0.03  776.00
date     tommy    pts/3     11:01:23 11:01:23    0.01    0.01  664.00

acctcom tells the system administrator what a user has done, not what he is doing, and it lists only the command name, without arguments. Still, some clues can be found: for example, a process that consumed a large amount of CPU time (typically a password-guessing program).

The shell script runacct generates several reports. They are stored in /usr/adm/acct/sum with file names of the form rprtMMDD. The first part of the report contains "change" information, such as process accounting being started and stopped (accounting being turned off may mean that someone wanted to hide certain activity) and changes to the system time. The second part shows, for each user, how long they were logged in, and for each port the number of "on" and "off" events: "on" means a successful login, "off" means a logout or a failed login. A large number of "off" events may mean that someone is trying to break into the system by testing login name and password combinations. The last part of the report is last-login information for each user. This last-login report is updated continuously as users log in; it gives the user name and the time of the most recent login, with the accounts that have gone longest without logging in listed first. The report is very useful for discovering dead accounts, and the administrator may also find strange things here.
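The acctcom report above carries no arguments, but the command-name and CPU columns are still enough to flag the two things the text mentions: a single process burning a lot of CPU time, and one command run over and over by the same user. The following POSIX shell script is an added example written for this page, not part of the original article. It parses acctcom-format text from standard input; the report embedded below is constructed for the example and is not real accounting data. The same approach works on lastcomm output from BSD once the field numbers are adjusted.

```shell
#!/bin/sh
# Added example (not from the article): triage acctcom-style process
# accounting output. Field layout of the data lines after the header:
#   1=command 2=user 3=tty 4=start 5=end 6=real 7=cpu 8=mean size (K)
# Constructed sample report in the format acctcom prints (not real data).
SAMPLE='START BEF: Sat Oct 10 11:30:00 1998
END AFTER: Sat Oct 10 10:00:00 1998
COMMAND                       START    END       REAL    CPU    MEAN
NAME     USER     TTYNAME     TIME     TIME     (SECS)  (SECS) SIZE(K)
cat      tommy    pts/3     11:01:13 11:01:13    0.02    0.02  492.00
mail     tommy    pts/3     11:01:13 11:01:13    0.02    0.02  876.00
a.out    tommy    pts/3     11:02:01 11:41:09 2348.00 2290.15 8120.00
ls       tommy    pts/3     11:01:16 11:01:16    0.03    0.03  776.00
su       notes    pts/2     11:05:40 11:05:41    0.50    0.10  640.00
su       notes    pts/2     11:05:55 11:05:56    0.50    0.10  640.00
su       notes    pts/2     11:06:10 11:06:11    0.50    0.10  640.00
'

# cpu_hogs SECONDS: read an acctcom report on stdin and print
# "command user cpu" for every process whose CPU time exceeds SECONDS.
# A long-running unknown binary started from a user tty is the
# password-guessing signature the text describes.
cpu_hogs() {
    awk -v limit="$1" '
        !body { if ($1 == "NAME") body = 1; next }   # skip START/END lines and the header
        $7 + 0 > limit + 0 { print $1, $2, $7 }'
}

# count_cmd USER COMMAND: how many times USER ran COMMAND in the report.
# Arguments are not recorded, but repeated su or passwd is still worth a look.
count_cmd() {
    awk -v u="$1" -v c="$2" '
        !body { if ($1 == "NAME") body = 1; next }
        $1 == c && $2 == u { n++ }
        END { print n + 0 }'
}

# Stand-alone run over the sample. On a real host pipe acctcom in instead:
#   acctcom -u tommy -s 10:00 -e 11:30 | cpu_hogs 60
printf '%s' "$SAMPLE" | cpu_hogs 60
printf '%s' "$SAMPLE" | count_cmd notes su
```

Both functions read whatever acctcom (or a saved report) produces on standard input, so they can be run against the daily pacct files without first exporting them anywhere.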
For example, someone logging in with a system administration account such as bin or sys.

2.2 BSD accounting

On BSD systems, process accounting is started with the /usr/etc/accton program. The default accounting file is /usr/adm/acct; once process accounting is on, this file grows very quickly. BSD has two commands for handling the accounting information. The first, /usr/etc/ac, reports login times from the records in /usr/adm/wtmp; the second, /usr/etc/sa, produces a summary report of command usage, which is saved in /usr/adm/savacct. BSD also has a command similar to acctcom, called lastcomm, which searches /usr/adm/acct backwards and produces output much like acctcom's. From a security point of view the BSD accounting system has the same defect as System V: the arguments of the commands are not kept. In addition, BSD has no last-login report.

Now look at the two defensive measures above from the attacker's point of view:

1. A hacker can completely hide his tracks from the commands in point 1 (w, who, last, ps); you will see nothing with them. Of course, this assumes the hacker has already obtained root.

2. Even the clumsiest hacker, when he cannot hide himself, will delete the whole record file, so that the administrator cannot check where he logged in from or what commands he ran.
Obviously, though, even if the administrator (with no third-party auditing software installed) cannot tell where the attack came from, this unmistakably tells the administrator "your system has been broken into".

3. History files

ksh, csh, sh, bash and zsh can all keep a history file. The files are:

sh: .sh_history (sh is the Bourne shell)
csh: .history
ksh: .sh_history
bash: .bash_history
zsh: .history

For users running sh or ksh, add HISTSIZE=100 to the corresponding .profile to make .sh_history keep the user's 100 most recent commands. For csh, add set history = 100 to .cshrc. Users can run the history command to view the contents of the history file. For ksh and sh you can also run tail -f .sh_history, which shows the most recent commands and then each new command as it is run. The C shell only writes its history file when the user logs out, so you cannot watch with tail which commands a C shell user is executing. These history files are more useful than process accounting because the command arguments are kept as well, so you can see from the context of the commands what the user was doing. BTW: .profile is used by the Bourne and Korn shells; .login and .cshrc by the C shell.

4. Find programs owned by root with the set-user-ID bit

Run the following command as root and inspect the files it finds for suspicious programs:

# find / -perm -4000 -exec /bin/ls -lab {} ";"

When a hacker breaks into a system, most of the time he gets a root shell through a buffer overflow, for example in fdformat, ufsdump or ping on Solaris, xlock or dop on Digital UNIX, or similar programs on SGI. These big bugs have handed root shells to hackers. Once a hacker has used one of these bugs to get a root shell, if he intends to come back he leaves a root shell behind. From then on he no longer cares whether the original bug gets fixed; he does not need it any more. Instead of the bug, he only has to run the root shell he left behind.
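The find command in section 4 lists every set-user-ID file, but the list is only useful if you know what it looked like before. The script below is an added example written for this page, not part of the original article: it records a baseline of setuid files and reports anything that appears later, which is exactly how a dropped root-shell binary of the kind described next shows up. It runs in a scratch directory with constructed files so it can be executed unprivileged; on a real host the baseline is taken over / as root and kept off the machine.

```shell
#!/bin/sh
# Added example (not from the article): baseline the set-user-ID files on a
# system and report newcomers. Everything below $ROOT is a constructed
# fixture; on a real host use ROOT=/ and run as root.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed fixture: two legitimate-looking setuid binaries.
mkdir -p "$ROOT/bin" "$ROOT/usr/bin" "$ROOT/tmp/.X11-unix/..."
printf '#!/bin/sh\n' > "$ROOT/bin/passwd";  chmod 4755 "$ROOT/bin/passwd"
printf '#!/bin/sh\n' > "$ROOT/usr/bin/su";  chmod 4755 "$ROOT/usr/bin/su"

# setuid_list DIR: every regular file under DIR with the set-user-ID bit,
# one path per line, sorted so two snapshots can be compared with comm(1).
# Add "-user root" after -type f to restrict the list to root-owned files.
setuid_list() {
    find "$1" -type f -perm -4000 | sort
}

# new_setuid BASELINE DIR: paths that carry the setuid bit now but are not
# in BASELINE (a file written earlier by setuid_list). comm -13 prints only
# the lines unique to the second input, i.e. the new files.
new_setuid() {
    setuid_list "$2" | comm -13 "$1" -
}

# Take the baseline while the system is known to be clean.
setuid_list "$ROOT" > "$ROOT/baseline.txt"

# Simulate the back door from the article: a setuid shell in a hidden place.
printf '#!/bin/sh\n' > "$ROOT/tmp/.X11-unix/.../getrootshell"
chmod 4777 "$ROOT/tmp/.X11-unix/.../getrootshell"

# Later check: anything printed here did not exist when the baseline was taken.
new_setuid "$ROOT/baseline.txt" "$ROOT"
```

Keep the baseline file somewhere the intruder cannot edit it (a read-only medium or another host); a baseline stored on the compromised machine can simply be regenerated by the attacker after planting the back door.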
The following simple program gives a root shell:

# cat getrootshell.c
#include <unistd.h>

/* Back door left by an intruder who already has root. Installed set-user-ID
 * root, setuid(0) makes the real uid 0 as well before the shell starts, so a
 * shell that drops privileges when euid != uid still comes up as root. */
int main(void)
{
    setuid(0);
    execl("/bin/sh", "sh", (char *)0);
    return 1;   /* only reached if execl fails */
}

After compiling, the binary is set up as follows:

# cc -o getrootshell getrootshell.c
# chmod 4777 getrootshell
# chown root:other getrootshell
# ls -al getrootshell
-rwsrwxrwx   1 root     other          5 Oct 12 06:14 getrootshell

(Note that all of this is done after the root shell has already been obtained.) With this, the hacker has left a back door in the system. Next time he no longer needs the fdformat, xlock or dop bugs: he runs getrootshell directly and jumps straight to root. Neatly done. This is why the administrator should check this type of file.

Now look at the defensive measures above from the attacker's point of view:

1. Regarding the history file: after entering the system the hacker can change his login shell, so the history file the administrator has been relying on no longer records any of his later commands.
So when a hacker enters the system with a cracked account, the very first commands he types are the ones that change the shell. Example on Digital UNIX:

C:\> telnet xxx.xxx.xxx.xxx
Digital UNIX (center) (ttyp5)

login: tommy
Password:
Last login: Sun Oct 11 22:43:51 from hpvc.com
Digital UNIX V4.0A (Rev. 464); Sat Feb  7 19:54:12 GMT 0800 1998
The installation software has successfully installed your system.
There are logfiles that contain a record of your installation.
These are:
  /var/adm/smlogs/install.cdf    - configuration description file
  /var/adm/smlogs/install.log    - general log file
  /var/adm/smlogs/install.fs.log - file system creation logs
  /var/adm/smlogs/setld.log      - log for the setld(8) utility
  /var/adm/smlogs/fverify.log    - verification log file
center> chsh
Old shell: /bin/sh
New shell: ksh

Other systems are not listed here.

2. Regarding binaries like getrootshell: a hacker will not really be so stupid as to use that name; he will hide such a program in an inconspicuous directory, where an inexperienced administrator will not find it. (Note: in general the hacker does not delete the getrootshell file, because he cannot be sure that the bug will still be usable the next time he wants to become root.)

5. Finding hidden files

As mentioned, after obtaining root a hacker leaves some back-door files in the system. The most common place is a command directory such as /bin, /usr/bin or /usr/sbin, but there are other ways of hiding them.
For example:

$ pwd
/export/home/tommy
$ ls -al
total 48
drwxr-xr-x  11 tommy    other       1024 Oct 13 11:20 .
drwxr-xr-x  10 root     other        512 Sep 18 11:11 ..
drwxr-xr-x   2 tommy    other        512 Oct 13 11:18 ..
drwxr-xr-x   2 tommy    other        512 Oct 13 11:18 ...
-rw-r--r--   1 tommy    other        255 Oct 10 23:37 .profile
-rw-------   1 tommy    other        272 Oct 11 00:19 .sh_history
-rw-r--r--   1 tommy    other       1429 Oct  8 17:35 33acounts
drwx------   6 tommy    other        512 Sep 24 18:24 IBM
-rwx------   1 tommy    other        455 Sep 24 16:08 catcher.c
drwxr-xr-x   2 tommy    other        512 Oct 13 11:17 crack
drwxr-xr-x   2 tommy    other        512 Oct 12 10:15 exploit
drwxr-xr-x   2 tommy    other        512 Oct 13 11:20 host
drwx------   2 tommy    other        512 Sep 24 15:38 klaxon
-rwx------   1 tommy    other        124 Sep 18 11:07 local.cshrc
-rwx------   1 tommy    other        575 Sep 18 11:07 local.login
-rwx------   1 tommy    other        560 Sep 18 11:07 local.profile
-rwx------   1 tommy    other       4275 Sep 21 20:40 ScanProxy.c
drwx------   2 tommy    other       1024 Oct  7 14:22 sniff
drwxr-xr-x   2 tommy    other        512 Oct 12 09:55 source

I believe everyone will notice the directory called "..." (three dots). This is the simplest way to make a hidden directory; an administrator finds it as soon as he pays attention, and you can enter it simply with cd .... But note that there are two ".." directories. A single dot "." stands for the current directory and two dots ".." for the parent directory, so why are there two parent directories? Something is wrong! In fact, the hacker created a directory whose name contains a special character, and ls with the -b option makes that clear.
$ ls -lab
drwxr-xr-x  11 tommy    other       1024 Oct 13 11:32 .
drwxr-xr-x  10 root     other        512 Sep 18 11:11 ..
drwxr-xr-x   2 tommy    other        512 Oct 13 11:18 ..\007
drwxr-xr-x   2 tommy    other        512 Oct 13 11:18 ...
-rw-r--r--   1 tommy    other        255 Oct 10 23:37 .profile
-rw-------   1 tommy    other        272 Oct 11 00:19 .sh_history
-rw-r--r--   1 tommy    other       1429 Oct  8 17:35 33acounts
drwx------   6 tommy    other        512 Sep 24 18:24 IBM
-rwx------   1 tommy    other        455 Sep 24 16:08 catcher.c
-rw-r--r--   1 tommy    other     149788 Oct 13 11:32 core
drwxr-xr-x   2 tommy    other        512 Oct 13 11:17 crack
drwxr-xr-x   2 tommy    other        512 Oct 12 10:15 exploit
drwxr-xr-x   2 tommy    other        512 Oct 13 11:20 h\007ost
drwx------   2 tommy    other        512 Sep 24 15:38 klaxon
-rwx------   1 tommy    other        124 Sep 18 11:07 local.cshrc
-rwx------   1 tommy    other        575 Sep 18 11:07 local.login
-rwx------   1 tommy    other        560 Sep 18 11:07 local.profile
-rwx------   1 tommy    other       4275 Sep 21 20:40 ScanProxy.c
drwx------   2 tommy    other       1024 Oct  7 14:22 sniff
drwxr-xr-x   2 tommy    other        512 Oct 12 09:55 source

It turns out that ".." is followed by the ASCII character \007, which corresponds to Ctrl-G: the hacker created it with the command mkdir ..^G. We also notice that the directory which looked like "host" is in fact a hidden directory created with mkdir h^Gost. Hackers can also combine these tricks (a space character works just as well) to build hidden directories. In such cases the administrator should check the contents of the directory (sometimes it is not a hacker but a user hiding private files) and act accordingly. If you find attack programs in such a directory, you can use a question mark "?" in place of \007 and other invisible characters, for example:

$ rm -r ..?       (deletes the ..\007 directory)
$ rm -r h?ost     (deletes the h\007ost directory)

This removes hidden directories like "..^G". Be careful, though: the pattern ..? also matches "..." (three dots) and any other three-character name beginning with two dots, so run echo ..? first to see exactly what the shell will expand it to. For directory or file names containing a space, quote the name when deleting so that the shell does not split it.
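Spotting "..^G" by eye depends on noticing a doubled ".." in a long listing. The script below is an added example written for this page, not part of the original article: it walks a directory tree and reports every entry whose name contains a non-printable byte or a space, or consists of three or more dots, printing the offending bytes as octal escapes the way ls -b does. It recreates the directory names from the listings above in a scratch directory (a constructed fixture) so it runs unprivileged; on a real host point it at /, /tmp or a user's home directory.

```shell
#!/bin/sh
# Added example (not from the article): report file names designed to be
# overlooked in "ls -al" output. Matching is bytewise, so force the C locale.
LC_ALL=C; export LC_ALL

TOP=$(mktemp -d)
trap 'rm -rf "$TOP"' EXIT

# Constructed fixture reproducing the names from the article's listings.
mkdir "$TOP/..."                        # three dots
mkdir "$TOP/$(printf '..\007')"         # ".." followed by Ctrl-G (BEL)
mkdir "$TOP/$(printf 'h\007ost')"       # looks like "host" in a plain ls
mkdir "$TOP/h ost"                      # embedded space
mkdir "$TOP/host"                       # genuine directory: must not be flagged
touch "$TOP/.profile"                   # ordinary dot file: must not be flagged

# suspicious_names DIR: one line per suspicious entry below DIR, sorted, with
# non-printable bytes rendered as \NNN. A name containing a newline would be
# split across two lines here; find -print0 is the fix where it exists.
suspicious_names() {
    find "$1" -mindepth 1 | awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            name = $0; sub(/.*\//, "", name)            # basename of the path
            bad = 0
            if (name ~ /[^ -~]/)    bad = 1             # byte outside printable ASCII
            if (name ~ /^\.\.\.+$/) bad = 1             # "...", "....", ...
            if (name ~ / /)         bad = 1             # contains a space
            if (!bad) next
            out = ""
            for (i = 1; i <= length(name); i++) {
                ch = substr(name, i, 1)
                out = out ((ch ~ /[^ -~]/) ? sprintf("\\%03o", ord[ch]) : ch)
            }
            print out
        }' | sort
}

suspicious_names "$TOP"
```

Once a reported directory has been inspected and judged hostile, remove it with the "?" glob or quoted name as described above; the escaped output tells you exactly which characters the pattern has to cover.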
$ ls -al
total 6
drwxr-xr-x   3 tommy    other        512 Oct 13 13:13 .
drwxr-xr-x  10 tommy    other       1024 Oct 13 13:11 ..
drwxr-xr-x   2 tommy    other        512 Oct 13 13:11 h ost
$ rm -r "h ost"

6. Close unnecessary services

The service on port 79 is fingerd, which serves network users: a remote user can use finger to find out whether a particular user exists on a host.
The command builds its report from the comment field of the corresponding account in /etc/passwd, and a hacker may use this information for guessing. The fingerd service itself is not at fault; the fault lies in weak passwords, which let a hacker guess the password even without running a guessing program. For an ISP there is no need to keep port 79 open, so it should be closed.

# vi /etc/inetd.conf

Put a "#" at the start of the finger line to comment it out:

#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd

Then find the process ID of inetd and send it a HUP signal so that it re-reads its configuration:

# ps -ef | grep inetd
    root   120     1  0   Oct 12 ?        0:00 /usr/sbin/inetd -s
    root  4806  4764  0 17:31:24 pts/5    0:00 grep inetd
# kill -HUP 120

Author: Flying. Source: www.bpchina.org
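The inetd.conf edit in section 6 above, done by script rather than by hand, as an added example written for this page and not part of the original article. It works on a constructed inetd.conf fragment in a temporary file (not a real host's configuration), comments out the finger entry without touching lines that are already disabled, and lists what is still enabled; the HUP to inetd is left as a comment because it cannot be exercised on a test copy.

```shell
#!/bin/sh
# Added example (not from the article): disable a service in an inetd.conf
# file and list the services that remain enabled. $CONF is a scratch copy;
# on a real host the file is /etc/inetd.conf and the commands run as root.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT

# Constructed inetd.conf fragment, not taken from any real system.
cat > "$CONF" <<'EOF'
# Internet services database
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#echo   stream  tcp     nowait  root    internal
EOF

# enabled_services FILE: names of the services whose line is not commented
# out (a service line has at least six fields; "internal" ones have six).
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# disable_service FILE NAME: comment out every active line for NAME.
# Idempotent: lines that already start with "#" are left alone.
disable_service() {
    tmp=$(mktemp)
    awk -v svc="$2" '!/^[ \t]*#/ && $1 == svc { print "#" $0; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"      # cat, not mv, keeps the original owner and mode
    rm -f "$tmp"
}

disable_service "$CONF" finger
enabled_services "$CONF"

# On the real system make inetd re-read its configuration afterwards, using
# the PID from "ps -ef | grep inetd" as the article does:
#   kill -HUP <inetd pid>
```

Review the output of enabled_services before and after the change: anything listed that the host does not need is a candidate for the same treatment.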