Introduction to Security Detection for Unix and Linux servers (1)

Although software engineers who design software for servers are trying to improve system security, hackers are often provided with intrusion opportunities due to varying levels of system administrators or security awareness.

In fact, every hacker has his own unique method. I have collected a lot of information about intrusions into the website server, but because of the actual situation, many methods are often ineffective. It can be seen that the situation of each website is different, and intruders need to treat it differently. Assume that the line in Shenzhen is much better than that in Beijing, which makes it easy for the dictionary to use, so that users in Shenzhen can use this advantage to attack passwords online, as a user in Beijing, other methods should be prioritized. In view of so many intrusion techniques, I will refer to an article by Mr. H ackalot, a hacker's celebrity, to introduce you to the basic steps of website intrusion.

By analyzing the hacking of some home pages, we can find that intruders are most keen to intrude into Web servers and FTP servers, because this is the simplest two ways. Assuming that the reader has no knowledge of the UNIX system and web server, the following steps are provided.

1. Understand the systems to be infiltrated

The operating systems used as servers on the network are mainstream in UNIX and Linux. If you want to intrude into these systems, you must have an understanding of them.

Most of the commands used on DOS have corresponding commands on UNIX and Linux (because early dos Development draws on UNIX). The following list shows how to use SHELL accounts) the most important commands correspond to dos commands:

HELP = HELP

CP = COPY

MV = MOVE

LS = DIR

RM = DEL

CD = CD

It depends on WHO is the same as r. On this system y, the user can enter the WHO command. To know the information of a user on the system y, you can enter FINGER. These basic UNIX commands allow you to obtain information about your system y.

Ii. password cracking

In a UNIX operating system, all users' passwords are stored in one file, which is stored in the/etc directory. The file name is called passwd. If the reader thinks that the job is to get the file and log on to the system according to the password above, it is a big mistake. The p asswd files in UNIX and Linux are special. The passwords of all accounts in the p asswd files have been re-compiled (that is, the DES encryption method mentioned above ), in addition, these passwords are all compiled in one way (one-way encrypted), which means there is no way to decompile them (decrypt ).

However, some programs can still get these original passwords. I recommend a password cracking program "Cracker Jack", which is also a software that uses dictionaries to document dictionary files. First, "Cracker Jack" will compile every value in the dictionary file, and then compare the compiled value with the content in the password file, if the same result is obtained, the corresponding uncompiled password is reported. This software cleverly bypasses the restriction that the password cannot be decompiled, and obtains the password by comparison with brute force. There are many tools that use this principle to obtain passwords. You can search for them on the Internet.

3. Obtain the password file

This is the most difficult part. Obviously, if the Administrator has a password file, he will not put it there to make it easy for others to get it. Intruders must find a good way to get the password file without entering the system. Here I will introduce you to two methods. You can try it and it may be successful.

1. the tc directory will not be locked on the FTP service. For intrusion, you can use the FTP client program to log in with an anonymous account anoymously, and then check whether/etc/passwd sets the read permission anonymously, if any data is backed up immediately, use software decoding.

2. In some systems, there will be a file named PHF under the/cgi-bin directory. If there is a file on the server to be infiltrated, it will be much more convenient. Because PHF allows users to remote reading of files in the website system, the user can use the browser to capture the p asswd file, as long as in the browser address bar typed URL: http://xxx.xxx.xxx/cgi-bin/phf? Qalias = x % 0a/bin/cat % 20/etc/passwd, where xxx. xxx. xxx is the website name to be intruded.

If neither method works, the intruders must implement other methods.

In some cases, the second part of the password file found by intruders is X and ,! Or *, it indicates that the password file has been locked, which is one of the methods used by the system administrator to enhance security. However, it is not possible to completely hide the password file. Normally there will be unlocked password files backed up in the system so that intruders can exploit them. For example, intruders usually look for/etc/shadow directories or similar directories, check whether the password file is backed up.