The intruder has obtained administrator privileges on the host; please list several ways to leave a backdoor (on both Windows and Linux systems)

Source: Internet
Author: User
Tags sin

Webshell backdoor
XSS backdoor
Remote-control backdoor & rootit (Windows & Linux)
SSH backdoor
Shift Terminal Server backdoor
System user account cloning
SQL database extended stored procedure backdoor
SQL database sandbox mode backdoor
Oracle/MySQL custom functions
Privileged Oracle users
File bundle type backdoor
Download the system users' password hashes and crack them locally
IIS/Tomcat/WebLogic/Apache application-type backdoor
Keylogging
....
Go back, HEHE.

    1. # Zhe Xuan (< Primary school graduates >) | 2015-09-25 08:57

      Room key
      Cut off your power at any time

    2. The Ghost Five (this ghost five non-ghost five) | 2015-09-25 09:14

      Open MySQL to external connections

    3. 3# hackbraid | 2015-09-25 10:04

      Learned something new.

    4. 4# I am chaps (professional soy sauce) | 2015-09-25 10:15

      PAM backdoor

    5. AA Great Doll | 2015-09-25 10:22

      Of course you record all of the administrator's passwords, then learn their hobbies and habits, then pose as the opposite sex to win their heart.

    6. 6# Small Kwai (Baidu Cdn is a what bird, a catch on the hanging) | 2015-09-25 10:46

      I reinstall the system; what good does any of that do you?

    7. 7# Liu Haigo (? moc.ghuil.www) | 2015-09-25 11:02

      What is Rootit?

    8. 8#%230cc (who ' s Your Daddy---lordi) | 2015-09-25 11:27

      @Small Kwai The person upstairs is already your girlfriend ... reinstalling doesn't help much ...

    9. 9# Small Kwai (Baidu Cdn is a what bird, a catch on the hanging) | 2015-09-25 12:01

      @%230cc 66666

    10. 10# Ghost Five (this ghost five non-ghost five) | 2015-09-25 12:05

      After learning some information, pose as a data-center technician and add the server owner on QQ. Tell him: you are the customer for IP XXX? I am the technical customer service for your server; contact me any time there is a problem. Of course you have to tell him a few things about the server to increase his trust. Then when he has problems with the server he will come to you to solve them (if there are no problems you can make one), and when you ask him for the server password he will tell you. ...

    11. 11# Small City | 2015-09-25 12:47

      Isapi

    12. 12#sin (looking for the most elegant solution) | 2015-09-25 14:25

      After privilege escalation or root, all traces are cleared, but there is still a traffic record.

      Then, leave a webshell and try to blend it into the normal business.
      For example:
      After decompiling .NET, add a map-type backdoor to the DLL; some say it can act as a rootkit.
      For Java, after decompiling the normal jar, add a servlet backdoor.

    13. 13#master (One Piece) | 2015-09-25 14:52

      WebDAV

    14. 14#EVI1CG (Feel yourself cute) | 2015-09-25 15:18

      Scheduled Tasks
      MOF
      DLL hijacking

    15. 15#MUJJ (Why is there tears in my eyes?) Because I'm pretending to be deep) | 2015-09-26 00:00

      Only the next IPMI password is saved.

    16. 16# Cheng Yin Small white hat (heart only day University station, return that year did not accept Grace) | 2015-09-26 09:30

      None of your words are in your mouth. Labor Trojan camouflage to the site backup package, site folder, do not kill to do it, unless you find the file one by a, file modification date A change, how do you find a Trojan? Looking for a net horse back door?

    17. 17#xsser (10 Yang with length!) | 2015-09-26 13:31

      Put the back door in the data:)

    18. 18#k4r1inng (] ' or #) | 2015-09-26 13:42

      Loop Write Shell Orz

    19. 19#newline | 2015-09-26 13:58

      Be careful when revealing your own methods; they may become the basis on which others detect you.

    20. 20#, I got a Go | 2015-09-26 14:05

      @newline enemies:)

    21. 21#beenquiver | 2015-09-26 21:33

      It's better to give a specific command or code.

    22. 22#_evil (Popular science is a kind of commonweal behavior) | 2015-09-27 10:04

      I say win:
             The most important thing is to sign, the driver signature is no problem is to install the horse. For server Win2008 above) The signature has been fixed and the NDIS port multiplexing is resolved.

             IIS 6.0-IIS 7.5: use the IIS filter feature to leave "port multiplexing"

             Combine with Yuange's unicode (http://blog.sina.com.cn/s/blog_85e506df0102vo9s.html) to leave a backdoor

             Use attrib to hide a file; dir and other commands cannot see it.

             Windows many DLLs. In the system32 directory, look for one, then replace, and change the properties.

             Webshell is best used: a normal file (including a binary merged image) PHP is much more.  jsp

             @sin   This guy said java type decompile normal jar, add servlet backdoor. I haven't tried this, but I have to restart it. Just like apache  rootme . Modify for the version, and then restart. If you don't succeed, you'll be miserable ...

    23. 23#_evil (Popular science is a kind of commonweal behavior) | 2015-09-27 10:05

      The NFS format can also be a .... mof for personal computer, but not to ensure the avoidance of killing. The traditional operation of PowerShell is sufficient.

    24. 24#_evil (Popular science is a kind of commonweal behavior) | 2015-09-27 10:17

      Linux:
           kernel code will not go this way.

           after root:
               View .bash_history, snmpd.conf, ps aux, netstat -anlvop, lsof -i, iptables -L, iptables -nL, iptables -t nat -nL

               to learn what the administrator is accustomed to and what protective equipment is available.

               sed, grep: clear the web container's log after each operation. Watch for MS-DOS line breaks
               
                login ssh with Xiaoyu logtamper

               MySQL Linux can also be UDF right, I did not toss to find a better. A sequel to the Great Gods of the road ...

               Oracle Add a DBA user, a stored procedure, or something.

               mysqldump jsp-db2 Sub-tab, Jsp-wget, de-pants, ASP (background) pants

    25. 25# Miyoshi Students (:) | 2015-09-28 08:24

      @_evil MOF calling WMI for timed start "does not ensure avoiding antivirus": what does that mean specifically?
      .NET Remoting is also a lot of fun; I reckon not many people use it ~

    26. 26#_evil (Popular science is a kind of commonweal behavior) | 2015-09-28 08:58

      @Miyoshi Students MOF calling WMI for timed start, .NET Remoting: I really haven't tried these two; I'll play with them when I have time. Thanks.

    27. 27#erevus | 2015-09-30 10:18

      You can try code audits, plug the shell into the database.

    28. 28# Fire Day Attack Day | 2015-10-11 20:14

      @ Little Kwai write to the hard drive firmware?

    29. 29#j4nker | 2015-10-13 23:36

      MOF calls WMI timed boot This is no trace, it's perfect for a backdoor, http://drops.wooyun.org/tips/8260.

    30. 30# South (<///////////////////////>) | 2015-10-16 12:06

      All the programs on his server read it all over again, write a set of identical programs, and then deliberately leave a few of the holes you know.

    31. 31# South (<///////////////////////>) | 2015-10-16 12:08

      @ South elder brother covered his program, oneself later want to take again more relaxed.

    32. 32# Pen and ink (a good man's life, small breasts) | 2015-10-17 09:05

      at 00:00 /every:M,T,W,Th,F,S,Su net user guest p4ssw0rd
      at 00:00 /every:M,T,W,Th,F,S,Su net user guest /active:yes
      at 00:00 /every:M,T,W,Th,F,S,Su net localgroup administrators guest /add
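
A defender's view of the recurring jobs mentioned in replies 14 and 32, as an added example that is not part of the thread: this Python sketch scans process-creation command lines (constructed sample data) for a scheduler (`at` or `schtasks`) launching `net user` or `net localgroup`, and groups the hits by account. The function names and severity labels are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: command lines as they might appear in process-creation
# audit records (command-line logging enabled). Not taken from a real host.
SAMPLE_CMDLINES = [
    r"at 00:00 /every:M,T,W,Th,F,S,Su net user guest p4ssw0rd",
    r"at 00:00 /every:M,T,W,Th,F,S,Su net user guest /active:yes",
    r"at 00:00 /every:M,T,W,Th,F,S,Su net localgroup administrators guest /add",
    r'schtasks /create /tn "Nightly backup" /tr "C:\tools\backup.cmd" /sc daily',
    r"at 02:30 /every:Su defrag c:",
    r"net user alice /domain",
]
# A scheduler binary (optionally with a path) at the start of the command line.
SCHED_RE = re.compile(r'^\s*"?(?:\S*\\)?(?:at|schtasks)(?:\.exe)?"?\s', re.I)
# An account-management command anywhere in the scheduled payload.
NET_RE = re.compile(r'\bnet1?(?:\.exe)?\s+(user|localgroup)\s+(.*)', re.I)

def classify(cmdline):
    """Return (account, action) when a scheduler launches an account change."""
    if not SCHED_RE.match(cmdline):
        return None
    m = NET_RE.search(cmdline)
    if not m:
        return None
    # Cut at the closing quote of a schtasks /tr "..." payload; unquoted names only.
    args = m.group(2).split('"')[0].split()
    switches = {a.lower() for a in args if a.startswith("/")}
    words = [a.lower() for a in args if not a.startswith("/")]
    if m.group(1).lower() == "localgroup":
        if "/add" in switches and len(words) >= 2:
            return words[1], "group_add:" + words[0]
        return None
    if not words:
        return None
    if "/active:yes" in switches:
        return words[0], "enable"
    if "/add" in switches:
        return words[0], "create"
    return (words[0], "password_set") if len(words) >= 2 else None

def find_scheduled_account_changes(cmdlines):
    """Group hits by account; adding to Administrators raises severity."""
    actions = defaultdict(set)
    for line in cmdlines:
        hit = classify(line)
        if hit:
            actions[hit[0]].add(hit[1])
    return {acct: {"actions": sorted(acts),
                   "severity": "high" if "group_add:administrators" in acts else "medium"}
            for acct, acts in actions.items()}
```

Legitimate scheduled jobs and interactive `net user` queries in the sample produce no finding; only the account changed by a scheduled command is reported.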

    33. 33#r00tgrok | 2015-12-06 10:14

      Google: Many ways of malware persistence (that you were always afraid to ask)
      Google:thousand ways to backdoor a Windows domain (forest)
