Recently, QQ and Sina North America were attacked, and many of the hosts involved were "bots" (in Chinese slang, "meat chickens"). What is a bot? It is a server on which a backdoor program has been planted. Let's look at how a backdoor gets buried in a server.
In the vast network of the digital world, countless crises and traps lie quietly in wait for users. One of the most famous of these traps is the "backdoor".
Contents of this article
Principle analysis
Necessary conditions for a backdoor
Conditions that enable backdoors
How backdoor programs are hidden
Attack practice
Defense skills
Principle Analysis
What is a backdoor? To talk about backdoors, some related knowledge has to come first. As we all know, a computer has 65535 ports. If you think of the computer as a house, the 65535 ports are 65535 doors the computer opens to the outside world. Why so many doors? Because the owner is very busy, and in order to handle a lot of social business at the same time, it decides that each door serves only one kind of business. So some doors are opened by the host to receive guests (provide services), and some are opened by the host to go out visiting (access remote services). In theory the remaining doors should be closed, but for various reasons some of them are quietly opened without the owner's knowledge. As a result, intruders get a good opportunity to walk in: the host's privacy is spied on, its daily life is disturbed, and the house may even be turned upside down. This quietly opened door is the "backdoor" we are talking about today. Of course, this is only a metaphor. In reality, besides port connections, serial/parallel ports and wireless devices can also be used to break into a system, so in what follows "port" refers to any kind of external interface.
Necessary conditions for a backdoor
A backdoor requires the following three conditions:
1. The target must be connected to other terminal nodes in some way. Because a backdoor is accessed from another node, there must be a physical signal path to the target machine: twisted pair, optical fiber, a serial/parallel port, Bluetooth, an infrared device or similar. Only when that connection succeeds can the two sides communicate, and only then does an attacker have the opportunity to intrude.
2. By default, the target machine must have one or more ports open to external access. A machine with no open ports cannot accept a connection at all, and if the open ports cannot be reached from outside, no intrusion can be performed.
3. There must be a program defect or human negligence on the target machine that lets the attacker execute programs with high privileges. Not just any account will do: only an account with sufficient privileges under the operating system's rules can modify the registry, log records and other such things.
For an ordinary computer connected to the Internet, all three requirements are easily met. Computers on the Internet connect via PPPoE, PPP and similar methods, and multiple ports are open by default. As for operating system bugs and human negligence, they are even more common. In other words, any computer we normally use can have a backdoor planted on it, so we need to stay vigilant and take appropriate defensive measures.
Conditions that enable backdoors
Having understood the necessary conditions for a backdoor, let's look at the situations in which these backdoors come into play:
1. Built-in services of the operating system;
2. Network protocol bundling;
3. Software compilation and production;
4. Vulnerabilities planted after an attack;
5. Social engineering and related methods.
These are the five categories of ways a backdoor gets left behind. Let's look at each more closely:
Services provided by the operating system. Unix, Linux, Windows 98, Windows 2000 and XP all enable multiple services by default after installation. Common ones include the telnet server, the ssh server and sendmail. If a service program is not kept updated, or its default security configuration is inadequate, it is easy to attack and becomes the attacker's channel into the machine.
Network protocol bundling. Here we have to recall the early Internet. At that time there were very few machines on the network, mostly equipment belonging to universities, the military and research institutions, which "trusted" one another a great deal, and the network was slow. Nobody expected that a network built for military and research communication would enter thousands of households, nor imagined that a cheap x86 computer would outperform the expensive minicomputers of earlier decades. Early network protocols were therefore designed on the premise of "trust", with little consideration for security. In the IPv4 protocol used today, the source address and other fields of an IP packet can be modified at will, and MAC addresses can be forged freely, so tracing an attacker and putting corresponding defense and blocking measures in place is quite difficult. This is the "original sin" behind the many attack methods that began at the end of the last century.
In addition, some protocols originally enabled for LANs have many gaps in security verification. NetBEUI, NetBIOS and other local network protocols were designed for a "trusted" network, and it is unwise to put them on a commercial, "untrusted" interconnected network. Take NetBIOS as a simple example: NetBIOS is mainly used to identify resources on the network, and programs use these names to start and end sessions. The protocol is simple and efficient, but its weakness is that information can be obtained without verifying the identity of the other party. In Windows, SMB and NBT (NetBIOS over TCP/IP) work closely together and use ports 137, 138 and 139: 137 is the NetBIOS name service, 138 is the NetBIOS datagram service, and 139 is the NetBIOS session service. This protocol is required by the familiar "Network Neighborhood". Because the protocol was designed for transmitting data as efficiently as possible and for broadcasting its own presence to other machines, its security verification is relatively weak, and many viruses spread through shares, such as the "love" and "happy time" backdoors. This is why tianyuan has always recommended using ftp instead of "network sharing". Placing such insecure protocols on an insecure network is preparing a hidden door for attackers.
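A defender's first step against the two categories above (default services and the NetBIOS ports) is simply to find out which "doors" the machine has open to the outside. The following Python script is an added example, not part of the original article: it parses Windows-style `netstat -an` output, keeps only sockets that can actually accept a connection, and flags the services the article names (telnet, ssh, sendmail/SMTP, NetBIOS 137/138/139) when they are bound to a non-loopback address. The sample output is constructed for the example; the port-to-service table uses the standard IANA assignments.

```python
import re
from collections import namedtuple

# Well-known ports of the services the article names (telnet, ssh,
# sendmail/SMTP, NetBIOS name/datagram/session). IANA assignments.
SERVICE_PORTS = {
    23: "telnet",
    22: "ssh",
    25: "smtp (sendmail)",
    137: "netbios-ns (name service)",
    138: "netbios-dgm (datagram)",
    139: "netbios-ssn (session)",
}

Listener = namedtuple("Listener", "proto addr port")

# Matches Windows-style `netstat -an` lines such as
#   TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:137            *:*
# (Linux netstat has extra Recv-Q/Send-Q columns and would need another pattern.)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)

# Constructed sample output for the example (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1045      ESTABLISHED
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def parse_netstat(text):
    """Return the sockets that are open 'doors': listening TCP and any bound UDP."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything else
        proto, addr, port, state = m.groups()
        proto = proto.upper()
        # A TCP socket only accepts connections in LISTENING state;
        # UDP has no state, so every bound UDP socket can receive datagrams.
        if proto == "TCP" and (state or "").upper() not in ("LISTENING", "LISTEN"):
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_externally_reachable(addr):
    """Loopback-only binds are not reachable from other nodes; anything else is."""
    addr = addr.strip("[]")
    return addr != "::1" and not addr.startswith("127.")


def audit(text):
    """Flag externally reachable listeners on the ports the article warns about."""
    findings = set()
    for l in parse_netstat(text):
        name = SERVICE_PORTS.get(l.port)
        if name and is_externally_reachable(l.addr):
            findings.add((l.proto, l.port, name))
    return sorted(findings)


if __name__ == "__main__":
    for l in parse_netstat(SAMPLE_NETSTAT):
        print("open door:", l.proto, l.addr, l.port)
    for proto, port, name in audit(SAMPLE_NETSTAT):
        print(f"WARNING: {name} ({proto}/{port}) is reachable from the network")
```

On the sample, sendmail on port 25 is not flagged because it is bound only to 127.0.0.1, the ESTABLISHED session on 139 is ignored because it is not a listener, and port 8080 is listed as an open door but not flagged, since it is not one of the services the article discusses. Run against real `netstat -an` output, any flagged line is a service that should be either disabled, bound to the loopback interface, or filtered at the firewall.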