Introduction to Security Detection for UNIX and Linux servers

Source: Internet
Author: User

In fact, every hacker has his own methods. I have collected a lot of material on intrusions into web servers, but in practice many of the methods turn out to be ineffective, because every site's situation is different and an intruder has to treat each one differently. Suppose, for instance, that the network connection in Shenzhen is much better than in Beijing: that makes dictionary attacks practical, so a user in Shenzhen could use that advantage to attack passwords online, whereas a user in Beijing should give priority to other methods. For the many intrusion techniques, I refer to an article by the hacker Hackalot. This section describes the basic steps of a web server intrusion.
By analyzing the defacement of some home pages, we find that intruders are most keen to break into web servers and FTP servers, because these are the two simplest routes. Assuming the reader has no knowledge of UNIX systems or web servers, the following steps are given.
1. Understand the systems to be infiltrated

The operating systems used on network servers are mainly UNIX and Linux. Anyone who wants to intrude into these systems must first understand them.
Most of the commands used on DOS have corresponding commands on UNIX and Linux (because early DOS development borrowed from UNIX). The following list shows the most important commands, as used from a shell account, alongside their DOS equivalents:
help = help
cp = copy
mv = move
ls = dir
rm = del
cd = cd
To see who is logged on to a system, the user can enter the who command; to learn about a particular user on that system, enter finger. These basic UNIX commands let you obtain information about the system.

2. password cracking
In UNIX operating systems, the passwords of all system users are stored in one file, which lives in the /etc directory and is called passwd. If the reader thinks that the job is simply to get this file and log on to the system with the passwords in it, that is a big mistake. The passwd files of UNIX and Linux are special: the passwords of all accounts in passwd have been encrypted (with the DES encryption method mentioned above), and they are encrypted one way (one-way encryption), which means there is no way to decrypt them.
However, some programs can recover these original passwords. I recommend a password cracking program, "Cracker Jack", which is a tool that works from dictionary files. First, "Cracker Jack" encrypts every word in the dictionary file, then compares the encrypted value with the contents of the password file; if a match is found, the corresponding unencrypted password is reported. This cleverly bypasses the restriction that the password cannot be decrypted, and obtains the password by brute-force comparison. Many tools use this principle to obtain passwords; you can search for them on the Internet.

3. Obtain the password file
This is the most difficult part. Obviously, an administrator who has a password file will not leave it where others can easily get it. Intruders must find a good way to get the password file without entering the system. Here I introduce two methods; you can try them and they may succeed.
1. On some FTP services the /etc directory is not locked. An intruder can use an FTP client program to log in with the anonymous account, then check whether /etc/passwd is readable anonymously; if it is, the data is fetched immediately and decoded with software.
2. On some systems there is a file named phf under the /cgi-bin directory. If it exists on the server being attacked, things become much more convenient, because phf allows remote reading of files on the website's system: the user can fetch the passwd file with a browser simply by typing into the address bar a URL of the form Qalias = x % 0a/bin/CAT % 20/etc/passwd, where XXX. XXX. XXX is the name of the website being attacked.
If neither method works, intruders must resort to other methods.
In some cases the second field of the password file entries found by intruders is x, ! or *, which indicates that the password file has been locked; this is one of the methods system administrators use to strengthen security. However, the password file cannot be hidden completely: normally there are unlocked backup copies of the password file on the system that intruders can exploit. For example, intruders usually look for /etc/shadow or similar locations and check whether the password file has been backed up there.

4. Create your own shell account
After these key steps, the intruder has finally obtained the password file and cracked the passwords. Now the telnet program can be run to log on to the host. When a server is connected, it displays some information, such as UNIX, Linux, AIX, IRIX, Ultrix, BSD, or even DOS and VAX/VMS; then the login prompt appears on the screen. The account and password can then be entered to log on to the system. At this point, intruders can use their UNIX knowledge to do whatever they like.

Let us analyze a sample password file:
root:1234aaab:0:1:Operator:/:/bin/csh
nobody:*:12345:12345::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
sun:123456hhh:0:1:Operator:/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
audit:*:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag
tom:456lll45uu:100:20:tomchang:/home/tom:/bin/csh
john:456fff76sl:101:20:john:/home/john:/bin/csh
henry:austs45yus:102:20:Henry:/home/henry:/bin/csh
harry:sydusrd5sy:103:20:Harry:/home/harry:/bin/csh
steven:ges45yds5ry:104:20:STEVEN:/home/steven:/bin/csh
+::0:0:::

Each line is divided into fields by ":". For example, tom:456lll45uu:100:20:tomchang:/home/tom:/bin/csh means:
User name: tom
Password (encrypted): 456lll45uu
User number (UID): 100
Group number (GID): 20
Real name: Tom Chang
Home directory: /home/tom
Login shell: /bin/csh

Readers will notice that the password fields of nobody, daemon, sys, bin, uucp, news, audit, sysdiag and sundiag above are all *, which means these accounts are locked and cannot be used directly.

It is worth noting that many systems have some default accounts and passwords after the first installation, which is convenient for opportunistic hackers. Below are some default UNIX accounts and their passwords.
Account    Password
sys        sys / system / bin
bin        sys / bin
nuucp      anon
anon       anon
user       user
install    install
reboot     (for "command login")
demo       demo
sync       sync
guest      guest
daemon     daemon

Among these, root, mountfsys, umountfsys and install (along with rwait and sync) are all root-level accounts, that is, they have sysop (system administrator) privileges.
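As an added example, not part of the original article, the following Python script audits a passwd file for the conditions described above: hashes readable in passwd, empty password fields, UID 0 accounts other than root, default accounts that are still enabled, and the NIS "+" entry. The sample file and the default-account set are constructed from the listing and table above.

```python
# Constructed sample passwd file, modelled on the listing above (not a real host).
SAMPLE_PASSWD = """\
root:1234aaab:0:1:Operator:/:/bin/csh
nobody:*:12345:12345::/:
sys:*:2:2::/:/bin/csh
sun:123456hhh:0:1:Operator:/:/bin/csh
sync::1:1::/:/bin/sync
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag
guest:xyzabc123:105:20:Guest:/home/guest:/bin/csh
tom:456lll45uu:100:20:tomchang:/home/tom:/bin/csh
+::0:0:::
"""
# Accounts from the default-account table above; "still enabled" means review.
DEFAULT_ACCOUNTS = {"sys", "bin", "nuucp", "anon", "user", "install",
                    "reboot", "demo", "sync", "guest", "daemon"}
# Second-field markers that mean the account is locked or shadowed.
LOCKED = {"*", "x", "!"}

def audit_passwd(text):
    """Return {account: [finding, ...]} for the text of a passwd file.
    Findings: nis-plus, malformed (not 7 fields), empty-password,
    hash-in-passwd (crackable offline), uid0-not-root, default-account-enabled."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0]
        problems = report.setdefault(name, [])
        if name.startswith(("+", "-")):
            problems.append("nis-plus")            # NIS/YP map inclusion entry
            continue
        if len(fields) != 7:
            problems.append("malformed")
            continue
        _, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            problems.append("empty-password")      # e.g. sync::1:1::/:/bin/sync
        elif pw not in LOCKED:
            problems.append("hash-in-passwd")      # readable hash, not shadowed
        if uid == "0" and name != "root":
            problems.append("uid0-not-root")
        if name in DEFAULT_ACCOUNTS and pw not in LOCKED:
            problems.append("default-account-enabled")
    return {acct: found for acct, found in report.items() if found}

if __name__ == "__main__":
    for acct, found in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{acct:10s} {', '.join(found)}")
```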

Finally, UNIX log files need to be introduced. Many intruders, once inside a computer, do not want to be traced; so how are they tracked?
System administrators rely mainly on the system logs, commonly called log files, to obtain traces of an intrusion, the intruder's IP address and other information. Of course, some administrators also use third-party tools to record intrusion activity. Here we mainly discuss the files that record intrusion traces on UNIX systems.

UNIX comes in many versions, and each has different log files, but most keep them in similar locations. The most common are:
/usr/adm, used by earlier versions of UNIX;
/var/adm, used by newer versions;
/var/log, used by some versions of Solaris, Linux, BSD and FreeBSD;
/etc, where most UNIX versions keep utmp, some also keep wtmp, and where syslog.conf lives.

The functions of some of these files are listed below; they too vary with the system being intruded.
acct or pacct records the commands run by each user;
access_log is mainly produced by NCSA httpd running on the server; it records which sites have connected to your server;
aculog stores records of modem dial-outs;
lastlog records each user's most recent login and its origin, and sometimes the last unsuccessful login;
loginlog records abnormal login attempts;
messages records output to the system console; its other entries are generated by syslog;
security records attempts to use the uucp system to enter restricted areas;
sulog records use of the su command;
utmp records all users currently logged on to the system; it changes constantly as users enter and leave;
utmpx is the extended form of utmp;
wtmp records user login and logout events;
syslog, the most important log file, is written by the syslogd daemon, which obtains its log information from:
/dev/log, a Unix domain socket that receives messages from processes running on the local machine;
/dev/klog, a device that receives messages from the Unix kernel;
port 514, an Internet socket that receives syslog messages from other machines over UDP;
uucp records uucp activity; it is updated by local uucp activity and by actions initiated by remote sites, including the call, the request, the sender, the sending time and the sending host;
lpd-errs logs printer fault information;
ftp logs: run ftpd with the -l option to enable logging;
httpd logs: the httpd server records every web access in its logs;
history log: this file stores the commands recently entered by a user;
vold.log records errors encountered when using removable media.

The above describes the main steps of a server intrusion, and readers should now have some basic knowledge of it. It must be emphasized again that it is impossible to master this material without understanding UNIX systems.
