Backdoor attacks and defense (3)

Source: Internet
Author: User
Tags: case statement, echo command

Now, let's recall: by which means can the program we are running be found?

The ps command, which reveals the backdoor program's process;
The netstat command, which reveals an unexpected listening port;
The top command, which shows the process in its listing.

Now let's look at the corresponding hiding method for each one in turn:

In top, only the process name is displayed, not the path. We can use a name that looks like a legitimate system process: for example, in config.h change the tfn2k process name to something resembling snmpd, such as snnpd;

The ps command... If we can remove the line about our program from the ps output, isn't that enough? OK. Write a shell script named ps and drop it into our own directory, for example /home/skylove (to simulate it, we use a very simple one).

First, we name this script ps and give it the following content:

#!/bin/sh
/bin/ps $* | grep -v tfn-daemon | grep -v grep

Remember to set the script's permissions correctly. Let's explain what this script does.

$* expands to all the parameters the script received. /bin/ps $* calls the system's own ps command with those parameters to produce the process list, and the result is piped to grep -v tfn-daemon, which removes from the ps listing every line containing the keyword tfn-daemon. The last stage, grep -v grep, removes the grep command itself (this stage is optional). Okay, let's look at the effect of running the script as a whole:

First, we use the system's ps -aux command to list processes and get results similar to the following:

postfix 13922 0.0 1.7 13108 2232 ? S Oct17 0:00 /usr/sbin/httpd
skylove 9641 0.0 0.2 1444 284 ? S tfn-daemon
postfix 15943 0.0 0.7 3148 988 ? S pickup -l -t fifo -u
skylove 17083 0.0 1.4 6800 1784 ? S /usr/sbin/sshd

Now run ./ps -aux to execute our script instead. The result is as follows:

postfix 13922 0.0 1.7 13108 2232 ? S Oct17 0:00 /usr/sbin/httpd
postfix 15943 0.0 0.7 3148 988 ? S pickup -l -t fifo -u
skylove 17083 0.0 1.4 6800 1784 ? S /usr/sbin/sshd

See? The process running our Trojan is no longer displayed! In this way we can hide our processes. In addition, the script still passes through every valid parameter of the real ps command, including the case with no parameters at all. Always remember that a backdoor is all about stealth, like "Metal Gear": once it is exposed, it is all over!

However, a user on the target machine who checks processes runs the system's ps, not the little ps script in our directory!! Don't worry, we'll deal with that later ~~~

Similarly, write a script called netstat in the same way.

With it, the three netstat lines belonging to our program can no longer be seen.

Now let's solve that problem: when the target user runs the above commands, they should execute the scripts we wrote, not the real commands in the default /bin path.

We all know that bash looks up a command by searching, in order, the directories listed in the variable named PATH. So as long as we make the system search our directory before the others, our scripts are found first.

Add the following line at the end of /etc/profile:

export PATH=<your PATH>:$PATH

This way, the ps and netstat in your directory are used first.

Log out once and log in again.

But if the user runs echo $PATH to view the PATH, won't our added PATH be exposed?

Simple. Next we replace the echo command with a script as well.

In the same way, create a script named echo in this directory and chmod 755 it:

#!/bin/sh
if [ "$1" = "$PATH" ]; then
/bin/echo $PATH | cut -c<your PATH length + 1>-
fi

That's all!

(Because our directory has become the first entry of the $PATH variable, we use cut to strip the corresponding number of characters from the front. In cut, -c selects by character position, and the trailing - means "up to the end of the line".)

For example, since the path added in my example is /home/skylove, I should write 13 + 1 = 14.

So my script is written as:

#!/bin/sh
if [ "$1" = "$PATH" ]; then
/bin/echo $1 | cut -c14-
fi

The actual PATH, which you must view with /bin/echo $PATH, is
/home/skylove:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

while the echo $PATH command shows
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

(Do not forget that, because of the PATH priority, the echo that runs is the echo script in our directory, not the real echo binary.)

What if the administrator uses which to look up the path of ps, netstat, and the other commands?

Same approach: since we have already forged ps, netstat, and echo, what's one more script named which?

(The case statement in that which script determines whether the argument is one of the replaced commands; if not, it is handed to the real which for processing.)

Okay. chmod 755 that file as well; from now on, when which is used to check ps and netstat, the paths returned will all be the forged "real" paths ~!

If you want to forge anything else, just use the same method.
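The PATH trick above (a home directory prepended in /etc/profile so that script versions of ps, netstat, echo and which run instead of the real binaries) is also what a defender can look for. The following script is an added example written for this page, not code from the original article: it resolves each command the way the shell would, flags any that resolve outside a set of trusted system directories, and lists PATH entries outside that set. The TRUSTED list, the function names and the scan option are assumptions of the example.

```shell
#!/bin/sh
# Added defender-side check (not code from the original article): find commands
# that an earlier PATH entry has shadowed, which is what the fake ps, netstat,
# echo and which above rely on. The TRUSTED list and all function names are
# assumptions of this example; adjust TRUSTED to the real system directories.

TRUSTED="/bin /usr/bin /sbin /usr/sbin"

# path_entries PATHSTRING: print the entries of PATHSTRING one per line, in
# lookup order. An empty entry means the current directory, as it does in sh.
path_entries() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        printf '%s\n' "${_dir:-.}"
    done
}

# first_in_path CMD PATHSTRING: print the executable the shell would run for
# CMD, i.e. the first match walking PATHSTRING in order. Status 1 if none.
first_in_path() {
    while read -r _dir; do
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done <<EOF
$(path_entries "$2")
EOF
    return 1
}

# in_trusted DIR: true when DIR is one of the trusted system directories.
in_trusted() {
    for _t in $TRUSTED; do
        [ "$1" = "$_t" ] && return 0
    done
    return 1
}

# is_script FILE: true when FILE begins with "#!", i.e. it is an interpreter
# script. A ps or netstat that is a script outside TRUSTED is the pattern above.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# untrusted_path_entries PATHSTRING: print every PATH entry outside TRUSTED,
# e.g. a home directory that /etc/profile now puts in front of /bin.
untrusted_path_entries() {
    path_entries "$1" | while read -r _dir; do
        in_trusted "$_dir" || printf '%s\n' "$_dir"
    done
}

# shadow_report PATHSTRING CMD...: for each CMD whose first match lies outside
# TRUSTED, print "CMD path script|binary". Returns 1 if anything was reported.
shadow_report() {
    _path=$1; shift
    _hits=0
    for _c in "$@"; do
        _found=$(first_in_path "$_c" "$_path") || continue
        if ! in_trusted "${_found%/*}"; then
            if is_script "$_found"; then _kind=script; else _kind=binary; fi
            printf '%s %s %s\n' "$_c" "$_found" "$_kind"
            _hits=$((_hits + 1))
        fi
    done
    [ "$_hits" -eq 0 ]
}

# Live scan of the current login environment:  sh shadowcheck.sh scan
if [ "${1-}" = "scan" ]; then
    untrusted_path_entries "$PATH"
    shadow_report "$PATH" ps netstat echo which ls top || echo "WARNING: shadowed commands found"
fi
```

Run it from a shell whose environment you trust, for example after `env -i PATH=/bin:/usr/bin sh`, because a login shell on a compromised host may already carry the altered PATH; comparing `/bin/ps aux | wc -l` with `ps aux | wc -l` gives a quick second opinion. `is_script` only recognises interpreter scripts; a compiled replacement in an untrusted directory is still reported, as `binary`.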

In the last step, we want the tfn2k program to keep running: even if the administrator shuts the machine down and restarts it, it should still be loaded automatically. Have you noticed? I saw named in the ps listing just now, so we can add a section to /etc/init.d/named.

Well, with that the disguise is basically complete. Log out of our skylove account, use the earlier vulnerability to get into the system again and obtain the root account, and do the final clean-up of the scene. First delete the logs /var/log/messages and /var/log/secure, then delete ssh (if you want to control the machine for a long time, you can keep it), then delete our conspicuous account skylove (if your programs are stored in the home directory created with the account, remember to chown -R that directory first; after that we can directly delete the skylove record from /etc/passwd). Then clear the logs once more, confirm that everything looks normal, and exit (hiding the backdoor again).

Well, such a backdoor will survive on the target machine. If the other side's administrator is negligent, I think this DoS attack agent will probably last at least two months. In the same way, an attacker can search everywhere for vulnerable machines, give them the above treatment, and plant DoS attack servers; when needed, a client is used to launch all the servers at once against a single target, and I think that target may not last 30 minutes...

How to defend

Having completed the attack simulation, let's now look at it with Tian Yuan from the other side and think about how to defend against backdoor programs.

First, shut down unnecessary services: every extra open port is one more chance for an attacker to try, and an unnecessary service may be the very culprit that lets the intruder break in;

Next, choose the right network interface to listen on. For example, if your MySQL service is only used by the local machine, bind it so that port 3306 listens only on 127.0.0.1; this removes the possibility of outside connections from other people;
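A quick way to check the binding advice above is to read the listener table and flag sockets bound to a wildcard address. The script below is an added example for this page, not the article's own code: exposed_listeners parses netstat -tln or ss -tln output from standard input and reports every TCP LISTEN socket reachable from other hosts, except the ports you declare as public. The sample listing and the function names are constructed for this example.

```shell
#!/bin/sh
# Added defender-side check (not code from the original article): read the
# output of "netstat -tln" or "ss -tln" and report TCP sockets bound to a
# wildcard address, i.e. reachable from other hosts. Function names are this
# example's own; the sample listing below is constructed for illustration.

# exposed_listeners [ALLOWED_PORT...]: read a listener table on stdin and print
# "PORT ADDRESS" for every LISTEN socket bound to 0.0.0.0, ::, [::] or *.
# Ports passed as arguments are meant to be public and are not reported.
# Returns 0 when nothing unexpected is exposed, 1 otherwise.
exposed_listeners() {
    _out=$(awk -v allowed=" $* " '
        /LISTEN/ {
            laddr = $4                          # "Local Address" column in both tools
            i = match(laddr, /:[^:]*$/)         # split at the last colon
            addr = substr(laddr, 1, i - 1)
            port = substr(laddr, i + 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
                if (index(allowed, " " port " ") == 0)
                    print port, addr
        }')
    if [ -z "$_out" ]; then
        return 0
    fi
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample in "netstat -tln" layout: MySQL and the mail pickup service
# are bound to 127.0.0.1 as the text recommends; sshd and httpd are not.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# sample_report [ALLOWED_PORT...]: run the check over the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners "$@"
}

# Live check, allowing only ssh and http to face the network:
#   netstat -tln | sh listeners.sh live 22 80      (or: ss -tln | ...)
if [ "${1-}" = "live" ]; then
    shift
    exposed_listeners "$@" || echo "WARNING: unexpected exposed listeners"
fi
```

On the sample, the check reports 22 on 0.0.0.0 and 80 on ::, and is silent once those two ports are declared public. Run it against the real netstat or ss binary by absolute path, since the article's own technique is to put a fake netstat earlier in PATH.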

Again, public-facing services must be patched promptly. As I showed in the first attack simulation, the step of obtaining root is often achieved with a ready-made exploit: find a server running the version of the service software that has the corresponding bug and attack it specifically. So you need to keep an eye on bug reports for your server software at all times and upgrade to a fixed stable version as soon as possible.

Finally, once an attacker is in, any program or file may have been rewritten. In the example above I used simple shell scripts to hide the backdoor. Someone may ask: why not replace the system files directly? That may not work as well as the approach I used (some network administrators use software such as chkrootkit to check whether system files have been changed; the practice above, as Tian Yuan did it, does not change any system file at all, so it escapes that check). Therefore, if you have no clean backup of the commands after an attack, we recommend backing up the important data and then reinstalling the system. Although find can locate the files changed on the day in question, the attack may not have been completed in a single visit: how many visits did it take? Is something else planted for later? So the most reliable course is to back up the data and reinstall the system. This also shows how important and necessary routine backups are.
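Two of the points above, the modified /etc/init.d/named used for persistence and the chkrootkit-style question of whether system files have changed, come down to knowing what the files looked like before. The script below is an added example for this page, not code from the article or from chkrootkit: it records a SHA-256 manifest of chosen directories and later reports modified, missing and new files. Function names are the example's own; it assumes sha256sum or shasum is available and that the baseline was taken on a known-clean system.

```shell
#!/bin/sh
# Added defender-side example (not code from the original article): record a
# SHA-256 baseline of the command directories and boot scripts, then verify it
# later. Function names are this example's own; it assumes sha256sum (or
# shasum) is installed and that the baseline was taken on a known-clean system.

# hash_file FILE: print the SHA-256 hex digest of FILE.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# baseline_create DIR...: print one "DIGEST  PATH" line per regular file.
# Redirect the output to a manifest kept off the host (read-only media or the
# separate log server the text suggests), never on the machine being checked.
baseline_create() {
    for _d in "$@"; do
        find "$_d" -type f | LC_ALL=C sort | while read -r _f; do
            printf '%s  %s\n' "$(hash_file "$_f")" "$_f"
        done
    done
}

# baseline_verify MANIFEST DIR...: compare the manifest with the live files and
# print "MODIFIED path", "MISSING path" or "NEW path" for every discrepancy.
# Returns 0 when everything matches, 1 otherwise.
baseline_verify() {
    _manifest=$1; shift
    _bad=0
    while read -r _digest _file; do
        if [ ! -f "$_file" ]; then
            printf 'MISSING %s\n' "$_file"; _bad=1
        elif [ "$(hash_file "$_file")" != "$_digest" ]; then
            printf 'MODIFIED %s\n' "$_file"; _bad=1
        fi
    done < "$_manifest"
    # Files that exist now but were not in the baseline (a digest is 64 hex
    # characters plus two spaces, so the path starts at column 67).
    _new=$(for _d in "$@"; do find "$_d" -type f; done | LC_ALL=C sort |
           while read -r _f; do
               cut -c67- "$_manifest" | grep -qxF -- "$_f" || printf 'NEW %s\n' "$_f"
           done)
    if [ -n "$_new" ]; then
        printf '%s\n' "$_new"; _bad=1
    fi
    return "$_bad"
}

# Typical use (the paths are the usual locations; adjust for your system):
#   sh baseline.sh create /bin /sbin /usr/bin /usr/sbin /etc/init.d /etc/profile > manifest
#   sh baseline.sh verify manifest /bin /sbin /usr/bin /usr/sbin /etc/init.d /etc/profile
case "${1-}" in
    create) shift; baseline_create "$@" ;;
    verify) shift; baseline_verify "$@" ;;
esac
```

A manifest stored on the host can be edited by the same intruder who planted the backdoor, so keep it with the logs on the separate log server or on read-only media, and run the verifier from a known-good shell. A clean result does not prove the absence of a backdoor, but a MODIFIED line for /etc/profile or an init script is the kind of evidence that survives the log deletion described above.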

Network administration and attack have always been eternal opposites, and the administrator has always been in the weaker position: an attacker may strike at any moment of the 24 hours, but the administrator cannot stand guard against attack for all 24 hours. So what is the solution? My personal recommendation is to set up a separate log server running a more secure operating system, such as OpenBSD, and send the logs of every other server to it. Then, even if a server is compromised, there is still a chance to find the attacker's behaviour and methods in the logs, while it is much harder for the attacker to compromise the log server and the working server at the same time.

Backdoor attack and defense is in fact just one instance of the attack-and-defense contest that goes on across the Internet at every moment.
