After attacking a Linux system, many intruders find themselves lost. One reason is that the technical requirements are higher. Next, let's take a look at some common classic tools.
1. Extend from here: backdoors and connection tools
1) Httptunnel
HTTPTunnel is, as the name says, a tunnel, and it is generally called an HTTP channel. Its principle is to disguise data as HTTP traffic so that it passes through the firewall: it creates a two-way virtual data connection inside HTTP requests. Put simply, a conversion program runs on each side of the firewall and encapsulates the packets to be sent or received in the format of HTTP requests, deceiving the firewall, so no other proxy server is needed to get through it.
HTTPTunnel consists of two programs, htc and hts: htc is the client and hts is the server. Now let's look at how they are used. Suppose the IP address of the FTP host is 192.168.10.231 and the IP address of the local host is 192.168.10.226, and the local host cannot connect to the FTP host because of the firewall. What can be done? This is where HTTPTunnel comes in. The process is as follows:
Step 1: Start the HTTPTunnel client on the local machine. Use netstat to check the ports currently open on the local machine, and you will find that port 8888 is listening.
Step 2: Start the HTTPTunnel server on the other machine by running the command "hts -F localhost:21 80". This command means that all data sent from port 21 of that machine (localhost) is forwarded through port 80, and port 80 is opened as the listening port. Checking that machine with netstat then shows that port 80 is listening.
Step 3: Use FTP to connect to port 8888 of the local machine, and you will find that you are connected to the other machine. So why does the session show 127.0.0.1 instead of 192.168.10.231? Because the connection is made to port 8888 of the local machine, the firewall does not react: that packet never leaves the host, so the firewall of the local area network knows nothing about it. After the connection to port 8888 of the local machine, the FTP packets, whether control information or data, are disguised as HTTP packets by htc and then sent to the firewall. To the firewall this looks like normal data, so in effect the firewall is spoofed.
Note that this trick requires cooperation on the other machine: an hts must be started there to redirect the service it provides, for example FTP, to port 80, which the firewall allows, in order to bypass the firewall. Someone may ask: if the other machine runs a WWW service itself, that is, its port 80 is already listening, will this conflict? The advantage of HTTPTunnel is that even if port 80 on that machine was already open, there will be no problem, and the redirection tunnel service will be unobstructed.
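Seen from the defending side, the walkthrough above leaves hts listening on port 80 and htc listening on port 8888. The following added example (not part of the original article) audits `netstat -tlnp` output against a baseline of expected listeners; the sample output, the baseline and the program names sshd, vsftpd, nginx, httpd and apache2 are constructed assumptions.

```python
# Constructed `netstat -tlnp` output showing both tunnel endpoints on one host.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2211/hts
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      640/vsftpd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      3307/htc
"""

# Assumed baseline: which program may own which listening port on this host.
EXPECTED = {22: {"sshd"}, 21: {"vsftpd"}, 80: {"nginx", "httpd", "apache2"}}

def audit_listeners(netstat_output, expected=EXPECTED):
    """Return (port, program, reason) for every TCP listener outside the baseline."""
    findings = []
    for line in netstat_output.splitlines():
        f = line.split()
        # Skip the header, non-TCP rows and sockets that are not listening.
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])      # also handles tcp6 ":::80"
        _pid, _, prog = f[6].partition("/")     # "-" when run without root
        prog = prog.rstrip(":") or "unknown"
        if port not in expected:
            findings.append((port, prog, "port not in baseline"))
        elif prog not in expected[port]:
            findings.append((port, prog, "unexpected program on baseline port"))
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(finding)
```

A program name is easy to change, so a hit on the port baseline is the stronger signal; the name check only catches an unrenamed binary.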
2) Tcp_wrapper
Tcp_wrapper is free software developed by Wietse Venema. There is a small story behind its birth. In 1990, the server of the university where the author worked was repeatedly infiltrated by a foreign hacker. Because the hard disk data of the victim host was repeatedly erased with the rm -rf / command, it was extremely difficult to find clues, until one night the author happened to discover that the hacker was constantly running finger against the host to peek at what its users were doing. From this an idea was born: design software that intercepts the finger request and captures the IP address, user name, and other information of whoever initiated it. Venema quickly got to work, and Tcp_wrapper was born. Since then, Tcp_wrapper has gradually become a standard security tool through its wide use. Administrators use it to monitor and filter various inetd services.
After Tcp_wrapper is compiled and installed successfully, a tcpd program is generated, which can take the place of in.telnetd in the inetd.conf control file. In this way, whenever a telnet connection request arrives, tcpd intercepts it and first reads the access control files set by the administrator. If the request complies with them, the connection is handed over to the real in.telnetd program, and in.telnetd completes the subsequent work. If the IP address that initiated the connection does not comply with the settings in the access control files, the connection request is interrupted and the telnet service is refused. The implementation of Tcp_wrapper access control relies on two files: hosts.allow and hosts.deny. We can also add logging when editing the /etc/syslog.conf file, that is:
    # tcp wrapper log
    local3.info    /var/log/tcplog
After editing, save the file and create the tcplog file under /var/log. Note that only the root user should have read/write permission on this file. Then run ps -ef | grep syslogd to find the syslogd process number, and use kill -HUP to restart the syslogd process so that the change takes effect. Here we can take a look at the content of a tcplog file generated earlier, as follows:
    Jul 31 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
    Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
    Jul 31 22:04:58 www.test.org in.ftpd[4429]: connect from 10.68.32.3
    Aug 2 02:11:07 www.test.org in.rshd[13660]: connect from 10.68.32.5
    Aug 2 02:11:07 www.test.org in.rlogind[13659]: connect from 10.68.32.1
From the above we can see that on a host where Tcp_wrapper is installed, it records every connection to the system, including the time, service, status, and IP address, which is of great reference value for attacks. However, remember to clear the logs.
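The access control and logging described above can be combined into an audit: replay the logged connections against a hosts.allow / hosts.deny policy to see which ones it would refuse. This is an added example, not code from the article or from Tcp_wrapper itself; the policy is constructed, and only ALL, exact IPv4 addresses and trailing-dot prefixes are handled (no netmasks, hostnames or EXCEPT).

```python
import re

# The five tcpd log lines printed above, one per line.
LOG = """\
Jul 31 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
Jul 31 22:04:58 www.test.org in.ftpd[4429]: connect from 10.68.32.3
Aug 2 02:11:07 www.test.org in.rshd[13660]: connect from 10.68.32.5
Aug 2 02:11:07 www.test.org in.rlogind[13659]: connect from 10.68.32.1
"""
# Constructed policy for illustration: telnet from one host, FTP from the subnet.
HOSTS_ALLOW = "in.telnetd: 10.68.32.1\nin.ftpd: 10.68.32.\n"
HOSTS_DENY = "ALL: ALL\n"

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ ([\w.]+)\[\d+\]: connect from (\S+)$")

def parse_log(text):
    """Return (timestamp, daemon, client) for each 'connect from' line."""
    return [(m[1], m[2], m[3]) for m in map(LINE.match, text.splitlines()) if m]

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) >= 2:
            rules.append(tuple(re.split(r"[,\s]+", f.strip()) for f in fields[:2]))
    return rules

def matches(rules, daemon, client):
    """True if any rule names the daemon (or ALL) and the client address."""
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(c in ("ALL", client) or (c.endswith(".") and client.startswith(c))
                for c in clients)
        for daemons, clients in rules)

def decide(daemon, client, allow, deny):
    """tcpd order: a hosts.allow match grants; else a hosts.deny match refuses."""
    if matches(allow, daemon, client):
        return "allow"
    return "deny" if matches(deny, daemon, client) else "allow"

def replay(log=LOG, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Label every logged connection with the decision the policy would give."""
    a, d = parse_rules(allow), parse_rules(deny)
    return [(ts, dm, cl, decide(dm, cl, a, d)) for ts, dm, cl in parse_log(log)]
```

With this policy both r-service connections in the sample are refused, and so is the telnet session from 10.68.32.5.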