Analysis: intruding into computers in Internet cafes

Source: Internet
Author: User

First, there are two different kinds of Internet cafes in China. The first is the traditional Internet cafe, where the computers are divided into a host and extensions, and all traffic from the extensions must pass through the host before it reaches the Internet. The second is the DDN Internet cafe, which has no host or extensions: all computers in the cafe share one or more leased lines, but each computer has a static IP address and is directly connected to the Internet.

In the second kind of cafe the computers are directly connected to the Internet, so controlling one with a Trojan horse presents no problem. Let's talk about the traditional Internet cafe. There, only the host is connected to the Internet. When another extension in the cafe wants to communicate with the Internet, it must first send its request to the host, where a proxy service program (WinGate, Sygate, WinProxy, etc.) processes the request and sends it on to the Internet. When a response comes back, the host sends the data to the extension that made the request. In this arrangement the host is not only an intermediary that relays traffic, it also acts as a firewall, because every request going outward (to the Internet) or inward (to an extension) must be processed by the host. Since all requests must pass through the host to reach an extension, a single machine at home cannot control an extension in this kind of Internet cafe.

After the server program of most Trojans is executed on a computer, it opens a port on that computer and waits for the client to connect. For example, if a computer in the Internet cafe executes Glacier, Glacier opens port 7626 on that computer and waits there. Here we need to distinguish the internal IP address from the external IP address. In this kind of Internet cafe, each extension has an internal IP address (allocated by the NIC); internal IP addresses are used mainly for communication between computers on a local network. All the computers in the cafe share a single external IP address, which is allocated by the network provider when the host connects to the Internet.

Now assume that the internal IP address of the computer infected with Glacier is 192.12.12.12 and the external IP address is 61.61.61.61. When a single computer at home, or a computer on some other network, tries to connect to that Glacier instance using the IP address 192.12.12.12, it will get no response, because the address 192.12.12.12 does not exist on the Internet at all (several address ranges are reserved for internal IP addresses), and an address that does not exist cannot answer.

When you try to connect using the IP address 61.61.61.61 instead, your connection request is first received by the host of the Internet cafe (because of the host's firewall and intermediary role). The host is not infected with Glacier, so your connection request is rejected immediately and the connection fails. This is why, in a traditional Internet cafe, most Trojans cannot be used to control the computers inside. Let's now talk about the possibilities for controlling those computers.

As we saw above, when an external machine sends a connection request to an extension in the Internet cafe, the host rejects the request. But what happens if the extension itself initiates a connection to a specific IP address? For example, when an extension uses a browser to view the website www.yahoo.com.cn, it actually sends a request to www.yahoo.com.cn. When www.yahoo.com.cn receives the request it responds, and the data is sent back to the extension. The data passes through the host, but because the extension initiated the request, the proxy service program on the host forwards the response to that extension when it arrives. In this case the connection is established without trouble. This principle is what makes it possible to control a computer in an Internet cafe.

The "vegetables" Trojan uses this principle: its server program connects outward to the client (a traditional Trojan is connected from the client to the server). Besides the "vegetables" Trojan, the IRC function in BioNet can achieve the same thing, though with some restrictions.

One function of that Trojan is IRC notification: when the server program starts, it opens a connection to a specified IRC server and then waits for commands in a specified room (channel) on that server. This is the same way the agents used in DDoS attacks wait for commands. Because this connection is initiated by the server side (the computer infected with the Trojan), the extension can reach the IRC server as long as the host in the Internet cafe does not reject the extension's outbound connection (the default IRC port is 6667, which the host's proxy program may not allow; the "vegetables" Trojan uses the FTP port, which is usually not rejected).

If the connection succeeds, it stays open, so the commands the IRC server sends back to the extension are not rejected by the host. BioNet's command set over IRC is limited, but it at least includes upload, remote execution and attack commands; the commands are not rich, but given the restrictions of IRC these functions are good enough. Another Trojan that can control computers in Internet cafes is remote-anything, but only in version 3.6 and later.
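The detection-side counterpart to the connect-back behaviour described above, written for this page as an added example (it is not code from the original article or from any of the Trojans it names): it scans proxy-log lines for outbound sessions from internal addresses to IRC ports, or long-lived sessions on the FTP port, which is the traffic pattern an extension produces when a Trojan on it dials out through the host. The log lines, their format, the IRC port list and the 1800-second threshold are all constructed assumptions for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed proxy log lines (assumed format, not a real WinGate/Sygate log):
# time, client addr:port, server addr:port, session length in seconds.
SAMPLE_LOG = """\
20:14:02 192.168.0.12:1034 -> 203.0.113.7:6667 1820
20:14:05 192.168.0.12:1035 -> 203.0.113.9:80 3
20:15:40 192.168.0.31:1040 -> 203.0.113.50:21 5400
20:16:01 192.168.0.31:1041 -> 203.0.113.50:21 12
20:16:30 192.168.0.7:1050 -> 198.51.100.4:443 40
"""

LINE_RE = re.compile(r"^\S+\s+(?P<src>[\d.]+):\d+\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<dur>\d+)$")

IRC_PORTS = set(range(6660, 6670)) | {7000}  # 6667 is the default named above
FTP_PORT = 21
LONG_SESSION = 1800  # seconds; assumed threshold, tune to the site

Alert = namedtuple("Alert", "src dst dport reason")


def parse_line(line):
    """Return (src, dst, dport, duration) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), int(m["dur"])


def find_connect_backs(log_text):
    """Flag outbound sessions from internal (RFC 1918) clients that look like a
    Trojan connect-back: any IRC port, or a long-lived session on the FTP port."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, dur = rec
        if not ipaddress.ip_address(src).is_private:
            continue  # only the extensions (private addresses) are of interest
        if dport in IRC_PORTS:
            alerts.append(Alert(src, dst, dport, "outbound IRC session from internal host"))
        elif dport == FTP_PORT and dur >= LONG_SESSION:
            alerts.append(Alert(src, dst, dport, "long-lived outbound session on FTP port"))
    return alerts
```

Running `find_connect_backs(SAMPLE_LOG)` on the constructed lines flags the IRC session from 192.168.0.12 and the 90-minute session on port 21 from 192.168.0.31, while the ordinary web and short FTP sessions pass.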

In addition, remote-anything must infect the host of the Internet cafe. On the host, remote-anything provides a "gateway" function that forwards requests destined for an extension on to that extension. This is almost the same as port redirection. (Port redirection means redirecting requests arriving at one port to another computer. For example, a port redirection program running on the host could redirect all requests to port 7777 of the host to port 7626 of a certain extension. Assume that the extension's internal IP address is 12.12.12.12, the extension is infected with Glacier, and the open port is 7626. The host's external IP address is 13.13.13.13. The port redirection program running on the host forwards requests arriving at port 7777 of 13.13.13.13 to port 7626 of 12.12.12.12.

When someone sends a Glacier connection request to port 7777 of the host 13.13.13.13, the port redirection program takes effect and the request is immediately directed to port 7626 on the extension 12.12.12.12. Because the extension 12.12.12.12 is infected with Glacier, it responds immediately, the connection is established, and you can use Glacier to control the extension in the Internet cafe.) The "gateway" function of remote-anything on the host works on the same principle as this port redirection.

It is a restriction that extensions in an Internet cafe can only be controlled with remote-anything when the host is infected with remote-anything, but that is still better than having no such function at all. With Glacier, even if the host in the Internet cafe is infected with Glacier and an extension is infected too, you can only control the host; you cannot control the extension at all (unless you use one of the extensions in that Internet cafe to control another extension, but that is another matter).

