Network back door aspects (security related)

Source: Internet
Author: User
Tags: change settings, crypt, md5, net send
Have you been the target of a hacker attack? When the firewall alarm sounds, do you stay silent or send a proper warning? Once you have been hit, borrow a few of the attacker's own tricks to give them a well-meant show of force!

Messenger Service


When a firewall detects that the system is under attack, it usually raises an alarm or records the relevant data. Take the common Skynet firewall: when it detects an attack, the Skynet icon in the system tray flashes an alarm signal. Double-click the icon and the pop-up window shows the attacker's source address, the port they are trying to break in through, and other information (see Figure 1).
  
Figure 1

Once you know the attacker's IP address, you can use the Messenger service to send them a message, perhaps a piece of good advice! The Messenger service is enabled by default on Windows 2000/XP, so these systems can receive messages sent by others. To send a messenger message to an attacker, open a Command Prompt window and type: net send 218.51.***.*** warning message. If you want to enter a longer message, Windows 2000 offers another method: open [Control Panel]→[Administrative Tools]→[Component Services], right-click Services on the local computer, select [All Tasks]→[Send Console Message] from the pop-up menu, enter the message content, click the [Add] button, enter the receiver's IP address, and then click the [Send] button.
 
Note: If the other party does not have the Messenger service running, or uses a system that does not support the Messenger service (such as Windows 98), you will receive an error when sending the message.

Where is the intelligence sent?

For a friend who enjoys trying out software, downloading all kinds of programs from the Internet must be great fun, but some software is a wolf in sheep's clothing: it may secretly steal your secrets and send them to its owner's mailbox. For software you do not trust, the key to knowing its every move on the network is to record the packets of its activity and look for the e-mail address that collects the "intelligence"; you can then write to that address to find out what is going on.

There are many tools that can intercept and record network packets; the author recommends KfW. It is a firewall program whose most distinctive feature is intercepting the network packets of a designated application, listing the sent and received data one item at a time so that you can save and analyze it and learn everything the network software does behind your back.

KfW download address: http://www8.pconline.com.cn/download/swdetail.phtml?id=7753. After installation, reboot and it can be used. Running different network firewalls together may cause conflicts, so I suggest shutting off other network firewalls while using KfW.

Since the earliest computer intruders, attackers have worked hard to develop techniques, or back doors, that let them return to a system they have broken into. Most intruders' back doors aim for the following: to get back in even if the administrator changes the password, and to minimize the chance that the intrusion is discovered.

Most back doors manage to evade logging, so that even while the intruder is using the system, nothing shows that they are online. Sometimes, if intruders think an administrator might detect an installed back door, they leave the system's vulnerability itself as the only back door and break into the machine again and again.

In the discussion of back doors below, it is assumed that the hacker has already successfully obtained the privileges needed to act on the system.

1. rhosts++ back door

On networked UNIX machines, services such as rsh and rlogin rely on rhosts files, a simple authentication method in which users can easily change the settings so that no password is required to log in. An intruder can let anyone log in to an account from anywhere by putting "+ +" in the .rhosts file of any user whose home directory they can reach, and intruders are especially interested in this when the home directory is shared out over NFS. These accounts are also the back door by which intruders get back in. Many people like to use rsh, and it usually lacks logging. Many administrators do check for "+ +", so in practice the intruder instead sets the host name and user name of some other account on the Internet, which is not so easily found.
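A small auditor for the two variants just described, the "+ +" wildcard and the quieter "some other host and user" entry, written as an added example (not code from the article). The rhosts content and the allow-list of known hosts are constructed for the example; netgroup entries are not handled specially.

```python
"""Audit rhosts-style trust files for the wildcard back door described above."""
from __future__ import annotations

# /etc/hosts.equiv-style content, constructed for this example.
SAMPLE_RHOSTS = """\
# trusted build and database hosts
build.example.com alice
+ +
+
-untrusted.example.com
db.example.com
"""


def parse_rhosts(text: str) -> list[tuple[str, str | None]]:
    """Return (host, user) pairs; user is None when a line names only a host.
    Comments and blank lines are skipped; +@netgroup is kept as a plain string."""
    entries: list[tuple[str, str | None]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def find_wildcards(entries: list[tuple[str, str | None]]) -> list[tuple[str, str | None, str]]:
    """Flag entries that trust any host or any user: '+' in the host field
    matches every host, '+' in the user field every user; '+ +' is the classic back door."""
    findings = []
    for host, user in entries:
        reasons = []
        if host == "+":
            reasons.append("any host")
        if user == "+":
            reasons.append("any user")
        if reasons:
            findings.append((host, user, ", ".join(reasons)))
    return findings


def audit(text: str, known_hosts: set[str]) -> tuple[list, list]:
    """Return (wildcard findings, entries whose host is not on the allow-list).
    The allow-list catches an added foreign host; negated (-host) lines grant nothing."""
    entries = parse_rhosts(text)
    wild = find_wildcards(entries)
    unknown = [(h, u) for h, u in entries
               if not h.startswith(("+", "-")) and h not in known_hosts]
    return wild, unknown
```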

2. Checksum and timestamp back door

In the early days, many intruders replaced binary files with their own Trojan horse programs. System administrators relied on timestamps and system checksum programs, such as the UNIX sum program, to tell whether a binary had been changed. In response, intruders developed a technique to synchronize the Trojan file's timestamp with that of the original. They first set the system clock back to the original file's time, then adjust the Trojan file's time to the system time. Once the Trojan binary's timestamp exactly matches the original's, the system clock is set back to the current time. The sum program is based on a CRC checksum and is easily fooled.
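To show why the timestamp trick beats one check and not the other, here is an added example (not the article's code) that builds a baseline of mtime, size and content hash for trusted binaries, then simulates a same-size replacement whose mtime is copied back from the original. It uses SHA-256 instead of the MD5 the article later recommends, and the file names and contents are constructed; the same baseline approach applies to the service programs and shared libraries discussed in sections 4 and 6.

```python
"""Timestamp-only versus hash-based integrity checks (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: str) -> str:
    """Hash the file contents; mtime and size play no part in the result."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths: list[str]) -> dict[str, dict]:
    """Record mtime, size and SHA-256 of each trusted binary or library."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"mtime_ns": st.st_mtime_ns, "size": st.st_size,
                       "sha256": sha256_file(p)}
    return baseline


def check_by_timestamp(baseline: dict[str, dict]) -> list[str]:
    """Files whose mtime or size changed: the check the clock trick defeats."""
    changed = []
    for p, rec in baseline.items():
        st = os.stat(p)
        if st.st_mtime_ns != rec["mtime_ns"] or st.st_size != rec["size"]:
            changed.append(p)
    return changed


def check_by_hash(baseline: dict[str, dict]) -> list[str]:
    """Files whose contents changed, whatever the timestamp says."""
    return [p for p, rec in baseline.items() if sha256_file(p) != rec["sha256"]]


def demo() -> tuple[list[str], list[str]]:
    """Simulate the technique from the text: swap in a same-size Trojan, then
    put the original mtime back on it (constructed scenario in a temp dir)."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "login")
        Path(binary).write_bytes(b"ORIGINAL LOGIN PROGRAM v1")
        baseline = make_baseline([binary])
        original_mtime = os.stat(binary).st_mtime_ns
        Path(binary).write_bytes(b"TROJANED LOGIN PROGRAM v1")  # same length
        os.utime(binary, ns=(original_mtime, original_mtime))
        return check_by_timestamp(baseline), check_by_hash(baseline)
```

The article's clock trick also makes ctime look untouched, which os.utime alone cannot do, so a ctime comparison is no substitute for the content hash.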

3. Login back door

On UNIX, the login program normally authenticates users who log in via telnet. The intruder obtains the source code of login and modifies it so that, when comparing the entered password with the stored one, it also checks for a backdoor password. If a user types the backdoor password, login ignores the password the administrator set and lets them in. This lets intruders enter any account, even root. Because the backdoor password grants access before the user is actually logged in and recorded in utmp and wtmp, the intruder can obtain a shell without exposing the account. Administrators who notice this back door can use the strings command to search the login program for text, and in many cases the backdoor password gives itself away. Intruders have responded by encrypting or otherwise hiding the password so that strings finds nothing, which is why many administrators use MD5 checksums to detect such back doors.

4. Service back door

Almost every Internet service has been used by intruders as a back door. Some are simply a shell bound to a TCP port, with access gained through a backdoor password. Administrators should know exactly which services are running and use MD5 to verify the original service programs.

5. Cronjob back door

Cron on UNIX can schedule specific programs to run at set times. Intruders can add a backdoor shell program and have it run between 1AM and 2AM, giving them access for one hour every night. They can also look at legitimate programs that run frequently from cron and arrange for the back door to run at the same times.
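A crontab reviewer for the off-hours pattern above, added as an example (not from the article): it expands the minute and hour fields and lists every job that can fire inside a chosen hour window, so the 1AM-2AM entry and anything hiding behind a frequently running job both surface for comparison against the expected command list. The crontab content is constructed; user-crontab format without a user field is assumed.

```python
"""Find cron jobs scheduled inside a given hour window (added example)."""

# Constructed crontab; the /tmp entry stands in for the article's hidden shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
30 1 * * * /tmp/.hidden/backdoor_shell
*/15 * * * * /usr/local/bin/healthcheck
15 0-4/2 * * 1-5 /opt/backup/run.sh
"""


def expand_field(field: str, lo: int, hi: int) -> set[int]:
    """Expand a cron field ('*', '1', '0-4', '*/15', '1,3', '0-4/2') into its values."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_crontab(text: str) -> list[dict]:
    """Parse user-crontab lines (no user field) into hour/minute sets and commands."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, hour, _dom, _mon, _dow, command = fields
        jobs.append({"minutes": expand_field(minute, 0, 59),
                     "hours": expand_field(hour, 0, 23), "command": command})
    return jobs


def jobs_in_hour_window(text: str, start_hour: int, end_hour: int) -> list[str]:
    """Commands of jobs that can fire at any hour in [start_hour, end_hour);
    compare each hit against the expected commands, paths under /tmp or dot-dirs first."""
    window = set(range(start_hour, end_hour))
    return [j["command"] for j in parse_crontab(text) if j["hours"] & window]
```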

6. Library back door

Almost all UNIX systems use shared libraries, and some intruders plant back doors in functions such as crypt() in crypt.c and _crypt.c. A program such as login that calls crypt() spawns a shell when the backdoor password is used, so even if the administrator checks the login program with MD5 the back door still works, and many administrators never check whether the libraries have been backdoored. Other intruders backdoor open() and the file access functions: the backdoored function returns the original file when it is read but executes the Trojan program when it is run. So when MD5 reads these files the checksum is fine, yet at run time the system executes the Trojan version; even the Trojan itself can escape the MD5 check this way. Administrators do have a way to find such back doors: build a statically linked MD5 checking program and run that. A statically linked program does not use the trojaned shared libraries.
