During an attack, hackers use other people's systems to achieve their goals, whether to attack the next target or to exploit those computers themselves. This article describes how hackers use the computers they have compromised and how security administrators can respond.
Besides the computers they operate directly, hackers often compromise and control other computers during and after an attack. They use these either to accomplish the attack itself or for other purposes. This article summarizes the various ways hackers make use of other people's computers, in the hope that network and system administrators who understand these methods can guard against them better.
I. Use of bots
"Bots" is the term hackers use for computers on the Internet that have been compromised and brought under their control.
1.1 Data retrieval
Principles
This is the first thing a hacker does once a computer has been fully cracked and brought under complete control. Many hackers claim they are not malicious and are only interested in computer security: when they enter someone else's computer they do not destroy, delete, or tamper with anything. Some even more "kindly" hackers patch these computers to improve their security.
But they all sidestep one question: what happens to the data stored on these computers. It is true that most hackers do not do much damage to the computers themselves, but they have no objection to pulling the data off the bots and keeping it. At this point the hacker's "no destruction" claim is not enough. A basic principle of computer security is that when any of the integrity, availability, or confidentiality of data is damaged, security has been compromised. A compromised computer may hold user information, network topology, trade secrets, financial statements, military intelligence, and other data that must be kept confidential; when hackers obtain that data (even if they only view it without downloading it), its confidentiality is destroyed. In practice, much commercial and political espionage falls into this category: the attackers silently take your data without doing any visible damage and cover their tracks as thoroughly as they can. They want to keep obtaining valuable data for a long time without being noticed. This is actually the most dangerous kind of attack.
Many hackers install FTP software on the bot, or enable its FTP service, and then download the data. But installing software and opening services is easily recorded in the system's various logs, and the intrusion may be detected that way. Hackers who do not want to be noticed instead run their own FTP server and have the bot upload its data to it as a client.
Defense methods
To prevent data theft, start by making sure the computer itself cannot be broken into. If the system is sealed as tight as an iron bucket, no water leaks: hackers gain no access to the computer or the network, and the vast majority of leaks are eliminated (note that data can still leak at this point, for example by being sent out through some other channel). Let us look at how to harden the operating system. These measures apply to every attack method that first requires control of the machine, and will not be repeated in later chapters.
In short, for Windows, Unix, or Linux, consider physical security, the file system, account management, network settings, and application services. We will not discuss a comprehensive security solution in detail here, but only give some simple, practical system security check items. These are necessary conditions for security, not sufficient ones.
Physical security
Physical security simply means whether your computer's physical environment is reliable: whether it is exposed to natural disasters (fire, flood, lightning, and so on) and to human damage (theft, vandalism). Physical security is not the system or network administrator's responsibility alone; it requires cooperation from other departments of the company, such as administration and security staff. But it is the foundation of every other security measure, so network administrators should pay close attention to it. In particular, all important equipment and servers should be concentrated in the IDC (data center) room, with rules in place: unauthorized personnel may not enter the room, and network administrators normally do not enter it either, unless otherwise specified, but manage the data center from a designated terminal.
If important servers sit in the open where anyone can reach them, then no matter how strong your passwords are, every kind of operating system can be booted from a floppy disk or CD and its passwords cracked.
File System Security
Check whether file and directory permissions are set correctly, and reset the permissions of important system files;
On Unix and Linux, pay attention to setuid and setgid file permissions and check whether any inappropriate files have been granted them;
Account System Security
Check whether account information, user names, and passwords follow the rules and are complex enough; do not grant permissions to people who do not need them;
Make sensible use of su and sudo on Unix/Linux;
Disable unused accounts;
Network System Security
Disable all unnecessary services. It goes without saying that every open service is like an open door through which hackers may quietly enter;
Check the network interface: the NIC should not be in promiscuous mode, listening to all traffic;
Network settings against DoS: prohibit IP forwarding, do not forward directed broadcasts, restrict multihomed hosts, ignore ICMP redirects and do not send them, disable timestamp responses, do not respond to echo broadcasts or address mask broadcasts, do not forward source-routed packets, shorten the ARP table expiration time, and increase the sizes of the unconnected (half-open) queue and the connected queue;
Disable the r* commands and telnet; use encrypted SSH for remote management;
Secure the NIS/NIS+ settings;
Secure the NFS settings;
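A small audit script for the Unix/Linux items above (setuid/setgid files and the anti-DoS network settings), added here as an illustration rather than taken from the article. It assumes the usual Linux sysctl equivalents of the settings listed, an allowlist of expected setuid binaries, and constructed sample output in place of the real commands.

```python
# Added audit helper (not from the article): checks `sysctl -a` output and a
# setuid/setgid listing against the items above; Linux sysctl names assumed.
import re
BASELINE = {                                       # expected exact values
    "net.ipv4.ip_forward": "0",                    # prohibit IP forwarding
    "net.ipv4.conf.all.accept_source_route": "0",  # drop source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",     # ignore ICMP redirects
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",   # ignore echo broadcasts
}
MINIMUMS = {                                       # queues should be raised
    "net.ipv4.tcp_max_syn_backlog": 2048,          # unconnected (half-open) queue
    "net.core.somaxconn": 1024,                    # connected (accept) queue
}
SETUID_ALLOWLIST = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}  # assumed
# Constructed sample; on a real host use `sysctl -a` and `find / -xdev -type f -perm /6000`.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 128
net.core.somaxconn = 4096
"""
SAMPLE_FIND = "/usr/bin/passwd\n/usr/bin/su\n/tmp/.cache/sh\n"
def parse_sysctl(text):
    """Parse 'key = value' lines into a dict, keeping the first value token."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-]+)\s*=\s*(\S+)", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def audit_sysctl(text):
    """Findings for keys missing, deviating from BASELINE, or below MINIMUMS."""
    values = parse_sysctl(text)
    findings = []
    for key, expected in BASELINE.items():
        if values.get(key) != expected:
            findings.append(f"{key}={values.get(key)} (expected {expected})")
    for key, minimum in MINIMUMS.items():
        actual = values.get(key)
        if actual is None or int(actual) < minimum:
            findings.append(f"{key}={actual} (expected >= {minimum})")
    return findings

def audit_setuid(listing):
    """Setuid/setgid paths (one per line) that are not on the allowlist."""
    paths = {p.strip() for p in listing.splitlines() if p.strip()}
    return sorted(paths - SETUID_ALLOWLIST)
```

A missing key (here accept_redirects) is reported as a finding rather than silently passed, since an absent setting is as unverified as a wrong one.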
Application Service Security
Application services are the reason servers exist, and they are also where problems most often arise. There are too many kinds of application service to describe one by one here; please keep an eye on this subject, and if possible I will provide more on it in the future. Certainly no application is secure as installed; its settings must be adjusted by us.
Data theft can also be prevented after a hacker has already intruded into the computer, through access control and encryption. System access control requires software support; it can restrict root's permissions so that important data is inaccessible even to root, should the hacker become root. There are many encryption methods, not detailed here: files are stored on the hard disk as ciphertext, and unless they are decrypted correctly they are a pile of meaningless characters, useless to the hacker even if obtained.
1.2 Illicit proxy
Principles
Proxy technology plays a major role in improving Internet access speed and efficiency, and optimization technologies such as cache servers are based on it. However, proxies are also used by hackers for illegal activities. Hackers set up a "zombie" as a proxy for two purposes: first, to access the Internet and browse the WWW more conveniently through it; second, to bypass access restrictions by taking advantage of the zombie's special network position.
Ordinary WWW proxies are very common on the Internet; some computers provide WWW proxy service to everyone, free and open. If a hacker wants a suitable proxy, there is no need to attack your computer and install proxy software on it; the ready-made proxy computers suffice. Tools such as Proxy Hunter, widely available online, accept a network segment and automatically search it for existing proxies. Although the proxy itself is not attacked, running a proxy service is a heavy burden when the number of client connections is large. In addition, some attacks, such as those against Unicode, Lotus Notes, and ASP, are carried out over HTTP, and the attacked party will ultimately regard the proxy server as the source of the attack; in other words, the proxy server becomes the scapegoat for these attackers. Therefore it is best not to provide an open proxy service to the outside, and where one is needed, to restrict it strictly.
Using a proxy to bypass access restrictions is also a common use of bots. For example, a company that does not allow employees to chat on QQ, in order to improve work efficiency, has its firewall block outbound access to UDP port 8000 from the inside, so the QQ servers on the Internet cannot be reached and chatting is impossible. However, a hacker can bypass this restriction with a QQ proxy of their own.
A QQ proxy is set up and used in the same way as a WWW proxy. Once a QQ proxy is available on the Internet, the hacker inside the company connects to UDP port 18000 of the proxy, which is not blocked. The QQ proxy connects to the target QQ server as a client and relays the traffic from UDP port 18000 back to the hacker's computer. In this way the hacker uses the proxy to break through the access restriction.
The same principle can be used to bypass restrictions on other protocols, such as WWW, ICQ, MSN, Yahoo Messenger, and AOL, as long as the proxy software supports them.
Defense methods
Whenever we set up a proxy server of any kind, we should restrict the clients and not give unrelated persons permission to use it. This improves the server's efficiency and eliminates the possibility of hackers using our proxy for attacks.
To prevent internal personnel from using external proxies, you can restrict them strictly on the firewall so that only the specified external services can be accessed. Of course, this may cause business inconvenience, so it must be weighed comprehensively in the specific environment.
1.3 Hacker communication platform
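An added illustration of the two firewall approaches, not part of the original article: it compares blocking only the QQ port with an allowlist of specified services, over constructed connection records. The log format, the internal address range, and the allowed services are assumptions.

```python
# Added example (not from the article): evaluates outbound connection records
# against the two firewall approaches above; log format and the internal
# 10.0.0.0/8 range are constructed assumptions.
import ipaddress
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BLOCKED_PORTS = {("udp", 8000)}                  # approach 1: block QQ's port only
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}  # approach 2

# Constructed log lines: "proto src_ip:src_port dst_ip:dst_port"
SAMPLE_LOG = """\
udp 10.1.1.5:40211 203.0.113.9:8000
udp 10.1.1.5:40212 198.51.100.7:18000
tcp 10.1.1.8:51000 192.0.2.10:443
tcp 10.1.1.9:51002 198.51.100.7:8080
udp 10.1.1.9:51003 10.2.2.2:8000
"""

def parse_record(line):
    """Split one log line into (proto, src_ip, dst_ip, dst_port)."""
    proto, src, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)

def is_egress(src, dst):
    return src in INTERNAL and dst not in INTERNAL

def blocklist_decision(proto, src, dst, port):
    """Port blocklist: stops direct QQ, but the relay on UDP 18000 passes."""
    if not is_egress(src, dst):
        return "allow"
    return "deny" if (proto, port) in BLOCKED_PORTS else "allow"

def allowlist_decision(proto, src, dst, port):
    """Service allowlist: only specified services leave, so the relay is denied."""
    if not is_egress(src, dst):
        return "allow"
    return "allow" if (proto, port) in ALLOWED_SERVICES else "deny"

def evaluate(log):
    """Map each log line to its (blocklist, allowlist) verdict pair."""
    results = {}
    for line in log.strip().splitlines():
        rec = parse_record(line)
        results[line] = (blocklist_decision(*rec), allowlist_decision(*rec))
    return results

if __name__ == "__main__":
    for line, (block, allow) in evaluate(SAMPLE_LOG).items():
        print(f"{line:40} blocklist={block:5} allowlist={allow}")
```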
Principles
This is another major use of bots. Hackers like to turn bots hosted in IDCs into their own BBS/e-mail servers: these computers generally have fast CPUs, large memory, ample disk space, and high network bandwidth, which support the functions hackers need very well. Hackers are spread across every corner of the world; apart from some fixed hacker organizations, many communicate only over the Internet, by e-mail or online chat, exchanging attack and other techniques and expressing mutual admiration. It is no surprise that many hackers who have dealt with each other for years as friends have never met in real life.
You may ask whether hackers cannot simply send e-mail and use ICQ directly. Why take the risk of attacking other computers to use as a communication platform? Note that hackers spread information that others must not learn of, for example: "I already control the backbone router of the XXX provincial network. Do you want a copy of its routing table?" If such content were intercepted on an e-mail or chat server, its operator would be morally obliged to warn the network administrator of the attack. Public communication channels are therefore unreliable for hackers, who must keep such things confidential :-). What do they do instead? Since hackers control the bots and have become their second "parent", they have the privileges needed to set them up as communication servers. On such a platform hackers are much less likely to be discovered; the highest level of control lets them conceal these activities. Another form of exploitation is an FTP server, through which hackers upload and download hacking software to share with each other.
When hackers exchange information on bots, a large amount of network traffic is generated, especially when uploading and downloading via FTP. If you find your internal and external