Once they have broken into a Linux system, many intruders are at a loss as to what to do next, partly because the technical demands are higher than on other platforms. Below we look at some of the classic tools used at this stage.
1. Staying in: backdoor and connection tools
(1) Httptunnel
Httptunnel is usually described as an HTTP tunnel. Its principle is to disguise data as HTTP traffic so that it passes through a firewall: it builds a two-way virtual data connection inside HTTP requests and so tunnels through the firewall. Put simply, a conversion program runs on each side of the firewall; the packets that would normally be sent and received are wrapped in the format of an HTTP request, so the firewall can be crossed directly without a separate proxy server.
Httptunnel consists of two programs, htc and hts: htc is the client and hts is the server. Let's see how they are used. Suppose the machine running the FTP service has the IP address 192.168.10.231, the local machine is 192.168.10.226, and a firewall prevents the local machine from connecting to the FTP service. What can be done? This is where Httptunnel comes in. The procedure is as follows:
Step one: start the Httptunnel client (htc) on the local machine. Check which ports the local machine now has open, and netstat will show that port 8888 is listening.
Step two: start the Httptunnel server (hts) on the remote machine with the command "hts -F localhost:21 80". This makes hts listen on port 80 and pass everything that arrives there on to the machine's own port 21, the FTP service. Check that machine with netstat again and you will find that port 80 is now listening.
Step three: on the local machine, connect with an FTP client to port 8888 of the local machine, and you will find that you are connected to the other machine. Why does it show 127.0.0.1 rather than 192.168.10.231? Because we are connecting to port 8888 on our own machine; that connection never leaves the host, so the LAN firewall sees nothing of it. Every FTP packet sent to port 8888, control and data alike, is disguised by htc as an HTTP packet before it is sent on; to the firewall this looks like ordinary web traffic, which is how the firewall is fooled.
Note that this trick requires cooperation from the other side: hts must be started on the remote machine so that the service it provides, FTP in this case, is redirected to port 80, which the firewall allows, and the firewall can then be bypassed. Some will ask: what if the remote machine already runs a web server, so that port 80 is already listening? Won't that conflict? The advantage of Httptunnel is that it makes no difference whether port 80 was open before; the redirected tunnel service still gets through.
(2) Tcp_wrapper
Tcp_wrapper is free software written by Wietse Venema. There is a small story behind its birth. Around 1990, a server at the author's university was repeatedly broken into by a foreign hacker. Because the affected host's disk data was wiped out again and again with rm -rf /, finding clues was extremely difficult, until one night the author happened to catch the hacker in the act of running finger against the victim host to spy on the victim's work. This gave him an idea: write a program that could intercept the IP address, user name and other details of whoever originated the finger request. Venema got to work straight away, and Tcp_wrapper was born. Since then it has gradually become a widely used standard security tool that lets administrators monitor and filter the services provided through inetd.
Compiling and installing Tcp_wrapper produces a program called tcpd. In the inetd.conf control file, tcpd takes the place of in.telnetd, so that whenever a Telnet connection request arrives, tcpd intercepts it and first reads the access-control files set up by the administrator. If the request meets the requirements, the connection is handed over unchanged to the real in.telnetd, which completes the rest of the work; if the IP address originating the connection does not conform to the settings in the access-control files, the request is cut off and Telnet service is refused. Tcp_wrapper's access control relies on two files: hosts.allow and hosts.deny. If we edit /etc/syslog.conf we can also add logging, namely:
# tcp wrapper log
local3.info    /var/log/tcplog
After saving the file, a tcplog file will appear in /var/log; note the file's permissions, which should allow read and write access to root only. Then run ps -ef | grep syslogd to find the syslogd process ID and kill -HUP that PID to restart syslogd so the change takes effect. Here is a preview of what the generated tcplog file contains:
Jul 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
22:04:58 www.test.org in.ftpd[4429]: connect from 10.68.32.3
2 02:11:07 www.test.org in.rshd[13660]: connect from 10.68.32.5
2 02:11:07 www.test.org in.rlogind[13659]: connect from 10.68.32.1
From the above we can see that on a host with Tcp_wrapper installed, every connection to the system is recorded, including time, service, status and IP address. This is of great reference value when attacking such a host, but remember to clear the log.
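As an added example (not from the article, and not the tcpd source), the following Python reimplements in simplified form the hosts.allow / hosts.deny decision that tcpd makes, parses tcplog lines in the format shown above, and checks the logged connections against the policy. The rule files and log lines are constructed here; only the ALL wildcard, exact addresses and trailing-dot network prefixes are handled, not tcpd's full pattern language.

```python
import re
from collections import Counter

# Constructed sample rule files in hosts.allow / hosts.deny syntax
# ("daemon_list : client_list"). Simplified model of tcpd's matching:
# only ALL, exact IPs and trailing-dot network prefixes are supported.
HOSTS_ALLOW = """
# trusted subnet may use telnet; one host may use ftp
in.telnetd : 10.68.32.
in.ftpd    : 10.68.32.3
"""
HOSTS_DENY = """
ALL : ALL
"""

def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "10.68.32." means the 10.68.32.0/24 network
        return ip.startswith(pattern)
    return ip == pattern

def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, ip) for c in clients))

def access_allowed(daemon, ip, allow_rules, deny_rules):
    """tcpd order: hosts.allow first (match => allow), then hosts.deny
    (match => deny); a request matching neither file is allowed."""
    if any(rule_matches(r, daemon, ip) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, ip) for r in deny_rules):
        return False
    return True

# tcplog line as tcpd writes it through syslog (format taken from the excerpt)
LOG_RE = re.compile(r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<daemon>\S+)\[(?P<pid>\d+)\]: connect from (?P<ip>\S+)$")

# Constructed log lines modelled on the article's excerpt
TCPLOG = """\
Jul 31 22:00:52 www.test.org in.telnetd[4365]: connect from 10.68.32.1
Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
Jul 31 22:04:58 www.test.org in.ftpd[4429]: connect from 10.68.32.3
Aug  2 02:11:07 www.test.org in.rshd[13660]: connect from 10.68.32.5
Aug  2 02:11:07 www.test.org in.rlogind[13659]: connect from 10.68.32.1
"""

def parse_tcplog(text):
    """Return (daemon, ip) for every well-formed tcplog line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append((m.group("daemon"), m.group("ip")))
    return entries

def audit(log_text, allow_text, deny_text):
    """Return the logged connections the policy would refuse, plus a count
    per (daemon, ip). Comparing the log against the policy shows which
    services were reachable before the rules were tightened, and whether
    the rules still have holes."""
    allow, deny = parse_rules(allow_text), parse_rules(deny_text)
    entries = parse_tcplog(log_text)
    refused = [e for e in entries if not access_allowed(e[0], e[1], allow, deny)]
    return refused, Counter(entries)

if __name__ == "__main__":
    refused, counts = audit(TCPLOG, HOSTS_ALLOW, HOSTS_DENY)
    for daemon, ip in refused:
        print(f"policy would refuse {daemon} from {ip}")
    for (daemon, ip), n in counts.most_common():
        print(f"{n:3d}  {daemon:12s} {ip}")
```

With the sample policy the two r-service connections (in.rshd and in.rlogind) are the ones the deny-all rule would have stopped. Since the article itself notes that an intruder will try to clear tcplog, the syslog line above is more useful when local3 is also forwarded to a remote log host, so that the record survives on a machine the intruder has not reached.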
(3) Rootkit tool: LRK
Rootkits appeared in the early 1990s as a tool for attackers to hide their traces and retain root access. Typically the attacker gains access through a remote exploit or password guessing, installs a rootkit on the compromised host, and then uses the rootkit's backdoor to check whether other users are logged in; if he is alone, he starts cleaning up the logs. Once user names and passwords for other systems have been captured with the rootkit's sniffer, the attacker uses them to break into those systems.
If the attacker installs the rootkit properly and cleans the log files carefully, the system administrator will find it hard to notice that the system has been compromised until, one day, the administrator of another system gets in touch or the sniffer log fills the disk, and only then does he realise that disaster has struck. During recovery and cleanup, commonly used commands such as ps, df and ls can no longer be trusted. Many rootkits include a program called fix that lets the attacker take a snapshot of the system binaries before installing the rootkit and then install the replacement programs. Based on the original program, fix can forge the three timestamps (atime, ctime, mtime), the date, the permissions, the owning user and the owning group of the replacement. If the attacker uses these tools accurately and behaves cautiously when installing the rootkit, the administrator will find it very difficult to discover.
Below we introduce a very typical one for Linux systems, LRK version 6. Linux Rootkit 6 is an open-source rootkit that, after years of development, has become more sophisticated and gained more and more features. Here is a quick introduction to the tools included in the Linux rootkit.
First come the programs for hiding the intruder's tracks. The authors of Linux Rootkit IV went to great lengths here, writing a number of replacement programs for system commands; these are used in place of the originals to conceal the intruder. They include:
ls, find, du: these programs suppress the display of the intruder's files and leave them out of disk-usage calculations. Before compiling, the intruder can set the location of his own files with ROOTKIT_FILES_FILE, which defaults to /dev/ptyr. Note that if the SHOWFLAG option is used at compile time, ls -/ will list all files. These programs also automatically hide all files named ptyr, hack.dir and w4r3z.
ps, top, pidof: these hide all processes associated with the intruder.
netstat: hides network traffic to or from the specified IP addresses or ports.
killall: will not kill processes hidden by the intruder.
ifconfig: if the intruder has started a sniffer, this program suppresses the PROMISC flag, making it hard for the administrator to notice that the network interface is in promiscuous mode.
crontab: hides the attacker's crontab entries.
tcpd: prevents certain connections from being written to the log.
syslogd: filters certain connection information out of the log.
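Because LRK replaces user-space binaries rather than the kernel, an administrator can cross-check what ps and ifconfig say against what the kernel itself reports through /proc and /sys. The Python below is an added example, not part of the article or of any rootkit: it lists PIDs present in /proc but missing from ps output, and reads each interface's flags word from /sys/class/net to test the IFF_PROMISC bit directly instead of trusting ifconfig's output. The sample PID sets and flag values are constructed for illustration.

```python
import os
import subprocess

IFF_PROMISC = 0x100   # bit value from <linux/if.h>

def pids_from_proc():
    """Enumerate PIDs straight from procfs, bypassing the ps binary."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_from_ps(ps_output):
    """Parse the PID column of `ps -e -o pid=` output."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def hidden_pids(proc_pids, ps_pids, ignore=()):
    """PIDs the kernel knows about that ps did not report. The caller passes
    its own PID in `ignore` so the checking script itself is not flagged."""
    return sorted(proc_pids - ps_pids - set(ignore))

def check_hidden_processes():
    """Live check: snapshot twice and intersect, so short-lived processes that
    start between the ps run and the /proc listing do not raise false alarms."""
    results = []
    for _ in range(2):
        ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True)
        results.append(set(hidden_pids(pids_from_proc(), pids_from_ps(ps.stdout),
                                       ignore=(os.getpid(),))))
    return sorted(results[0] & results[1])

def is_promisc(flags):
    """True when the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)

def promisc_interfaces(flags_by_iface):
    """Names of interfaces whose flags word has IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items() if is_promisc(flags))

def live_interface_flags():
    """Read /sys/class/net/<iface>/flags (hex text such as 0x1103) per interface."""
    base = "/sys/class/net"
    flags = {}
    for name in os.listdir(base):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                flags[name] = int(fh.read().strip(), 16)
        except OSError:
            continue
    return flags

if __name__ == "__main__":
    # Constructed sample values; the live_* functions do the same against
    # the running system.
    sample_flags = {"lo": 0x9, "eth0": 0x1103, "eth1": 0x1003}
    print("promiscuous:", promisc_interfaces(sample_flags))      # ['eth0']
    print("hidden PIDs:", hidden_pids({1, 2, 3, 4}, {1, 2, 4}))  # [3]
    if os.path.isdir("/sys/class/net"):
        print("live promiscuous:", promisc_interfaces(live_interface_flags()))
        print("live hidden PIDs:", check_hidden_processes())
```

This comparison only catches rootkits that work by replacing binaries, as LRK does; a kernel-module rootkit that filters /proc and /sys themselves defeats it, which is why a boot from known-good media remains the reliable way to examine a suspect host.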
Next come the backdoor programs. Trojaned programs provide a backdoor for local users, and trojaned network daemons provide remote users with inetd, rsh, ssh and other backdoor services, depending on the version. With each version upgrade, Linux Rootkit IV has become more powerful and richer in features. It generally includes the following programs:
chfn: a local privilege-escalation program. Run chfn, and when it prompts for a new user name, enter the rootkit password: the user's privileges are raised to root.
chsh: likewise a local privilege-escalation program. Run chsh, and when it prompts for a new shell, enter the rootkit password to become root.
passwd: the same effect as the two programs above. When prompted for a new password, enter the rootkit password to become root.
login: lets you log in to any account with the rootkit password. If login as root is refused, try the account rewt. When the backdoor is used, the program can also disable recording of the command history.
inetd: a trojaned inetd that provides remote access for the attacker.
rshd: provides a remote shell service for the attacker. An attacker can start a remote root shell with a command of the form rsh -l rootkitpassword host command.
sshd: a backdoored sshd that provides SSH service for the attacker.
Then there are the utility programs. Everything that does not belong to the types above falls into this category; they implement log cleaning, packet sniffing, binding a shell to a port for remote access, and so on, including:
fix: file-attribute forging program.
linsniffer: packet sniffer.
sniffchk: a simple bash script that checks whether the sniffer is still running.
z2: utmp/wtmp/lastlog cleaning tool. It can delete all entries for a given user name from the utmp, wtmp and lastlog files. On Linux, however, you need to edit its source code by hand to set the location of the log files.
bindshell: binds a shell service to a port, 12497 by default, providing a shell to remote attackers.
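Since z2 works by removing a user's records from utmp/wtmp/lastlog, a defender can look for its footprint. The following Python is an added example, not part of the article or of LRK: it parses wtmp records using the 384-byte struct utmp layout that glibc uses on x86_64 and flags all-zero records sitting between real ones (the classic trace of a cleaner that blanks an entry in place), as well as timestamps that go backwards; neither should occur in a file that login and init only ever append to. The sample records are constructed inline, and the field layout is an assumption about the platform that would need adjusting for other ABIs.

```python
import struct

# struct utmp as laid out by glibc on x86_64 (384 bytes). Field order:
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# e_termination, e_exit, ut_session, tv_sec, tv_usec, ut_addr_v6[4], reserved[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def parse_wtmp(data):
    """Decode a wtmp byte string into a list of dicts, one per record;
    a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
        })
    return records

def wiped_records(records):
    """Indices of EMPTY records that have a real record after them.
    wtmp is append-only, so a blank record followed by real ones means
    something overwrote an entry in place."""
    last_real = max((i for i, r in enumerate(records) if r["type"] != EMPTY), default=-1)
    return [i for i, r in enumerate(records) if r["type"] == EMPTY and i < last_real]

def time_regressions(records):
    """Indices whose timestamp is earlier than the previous real record's,
    which points at records rewritten or spliced out of order."""
    out, prev = [], 0
    for i, r in enumerate(records):
        if r["type"] == EMPTY:
            continue
        if r["time"] < prev:
            out.append(i)
        prev = r["time"]
    return out

def build_sample():
    """Constructed wtmp: two logins with a blanked record between them."""
    return b"".join([
        pack_record(USER_PROCESS, 4365, "pts/0", "alice", "10.68.32.1", 1_000_000),
        b"\0" * UTMP_SIZE,   # what an in-place cleaner leaves behind
        pack_record(USER_PROCESS, 4389, "pts/1", "bob", "10.68.32.5", 1_000_100),
        pack_record(DEAD_PROCESS, 4389, "pts/1", "", "", 1_000_200),
    ])

def check_file(path="/var/log/wtmp"):
    """Run both checks against a real wtmp file."""
    with open(path, "rb") as fh:
        records = parse_wtmp(fh.read())
    return wiped_records(records), time_regressions(records)

if __name__ == "__main__":
    recs = parse_wtmp(build_sample())
    print("wiped record indices:", wiped_records(recs))   # [1]
    print("time regressions:", time_regressions(recs))    # []
```

A cleaner that rewrites the whole file without the offending records leaves no blank slot, so the timestamp check and a comparison against lastlog, the tcplog from the previous section or a remote syslog copy are needed to spot the missing logins in that case.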
(4) Netcat
This simple and useful tool reads and writes data across network connections using TCP or UDP. It is designed as a reliable backdoor tool that other programs and scripts can drive directly, and at the same time it is a powerful network debugging and probing tool that can build almost any kind of network connection you need, with a few interesting built-in features.
2. Finding traces in Linux: log tools
A sophisticated attacker, once inside the system, should also know what "clues" he leaves and clear those traces, which naturally requires some understanding of the log tools.
(1) Logcheck
Logcheck automatically and periodically checks the log files for activity that violates security rules and for exceptions. It first filters out the normal log entries, keeps the problematic ones, and then mails that information to the system administrator. Logcheck uses the logtail program to remember where it stopped reading each log file last time, and starts processing new log entries from that point. Logcheck consists mainly of the following files:
logcheck.sh: the executable script; it records which log files Logcheck checks, and so on, and we can add it to crontab to run at regular intervals.
logcheck.hacking: a pattern file that Logcheck checks. Together with the files below, they are applied in order from top to bottom. This file describes the patterns of intrusion activity.
logcheck.violations: this file describes patterns of problematic, abnormal activity. It has lower priority than the pattern file above.
logcheck.violations.ignore: the counterpart of logcheck.violations above; it holds the patterns of "problems" we do not care about.
logcheck.ignore: the last pattern file checked. A line that matched none of the first three pattern files and does not match this one is written to the report.
logtail: records how far into each log file it has read.
On its first run Logcheck reads the entire contents of the relevant log files; logtail creates a logfile.offset file for each monitored log in the log directory, so that the next check can start from that offset. When Logcheck runs, everything that is not ignored is mailed to the user specified by the administrator in logcheck.sh.
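To make the order of the pattern files concrete, here is an added Python example (not Logcheck's own code) that reproduces the reporting logic described above: hacking patterns produce an attack alert, violations patterns minus violations.ignore produce a security-violations section, and every line not matched by logcheck.ignore is reported as unusual; it also keeps a logtail-style byte offset so that only new lines are processed on each run. The pattern lists and log lines are constructed for illustration and are far shorter than the real distribution files.

```python
import re

# Constructed pattern sets, one list per Logcheck pattern file
HACKING = [r"in\.rshd\[\d+\]: connect from", r"in\.rlogind\[\d+\]: connect from"]
VIOLATIONS = [r"refused", r"denied", r"failed", r"invalid user"]
VIOLATIONS_IGNORE = [r"refused mount request from 10\.68\.32\."]
IGNORE = [r"in\.telnetd\[\d+\]: connect from 10\.68\.32\.",
          r"CRON\[\d+\]: \(root\) CMD"]

ATTACK, VIOLATION, UNUSUAL = ("Active System Attack Alerts",
                              "Security Violations", "Unusual System Events")

def compile_all(patterns):
    return [re.compile(p, re.IGNORECASE) for p in patterns]

def matches_any(regexes, line):
    return any(r.search(line) for r in regexes)

class LogcheckFilter:
    def __init__(self, hacking=HACKING, violations=VIOLATIONS,
                 violations_ignore=VIOLATIONS_IGNORE, ignore=IGNORE):
        self.hacking = compile_all(hacking)
        self.violations = compile_all(violations)
        self.violations_ignore = compile_all(violations_ignore)
        self.ignore = compile_all(ignore)

    def sections_for(self, line):
        """Report sections a single line lands in. A line can appear in more
        than one, because each section is a separate pass over the input."""
        out = []
        if matches_any(self.hacking, line):
            out.append(ATTACK)
        if matches_any(self.violations, line) and not matches_any(self.violations_ignore, line):
            out.append(VIOLATION)
        if not matches_any(self.ignore, line):
            out.append(UNUSUAL)
        return out

    def report(self, lines):
        """Group lines by section; an empty dict means nothing worth mailing."""
        rep = {}
        for line in lines:
            for section in self.sections_for(line):
                rep.setdefault(section, []).append(line)
        return rep

def new_lines(data, offset):
    """logtail-style incremental read: return the complete lines added after
    `offset` and the offset to remember next time. If the file is now shorter
    than the saved offset it has been rotated, so start from the beginning."""
    if offset > len(data):
        offset = 0
    end = data.rfind(b"\n") + 1          # process only complete lines
    if end <= offset:
        return [], offset
    return data[offset:end].decode(errors="replace").splitlines(), end

# Constructed syslog lines used to exercise the filter
SAMPLE_LOG = b"""\
Jul 31 22:02:10 www.test.org in.telnetd[4389]: connect from 10.68.32.5
Jul 31 22:04:58 www.test.org in.rshd[13660]: connect from 10.68.32.5
Jul 31 22:05:01 www.test.org sshd[4500]: refused connect from 10.68.33.9
Jul 31 22:05:30 www.test.org mountd[222]: refused mount request from 10.68.32.7
Jul 31 23:00:01 www.test.org CRON[4600]: (root) CMD (run-parts /etc/cron.hourly)
Jul 31 23:01:00 www.test.org login[4610]: FAILED LOGIN 1 FROM 10.68.33.9 FOR root
"""

if __name__ == "__main__":
    lines, offset = new_lines(SAMPLE_LOG, 0)
    for section, hits in LogcheckFilter().report(lines).items():
        print(section)
        for hit in hits:
            print("   ", hit)
    print("next offset:", offset)
```

The ignore list is what keeps the report readable, and it is also the first thing to review after an incident: an entry added to it by an intruder silences exactly the lines an administrator would want to see.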
(2) Logrotate
This tool ships with common Linux distributions. It rotates logs automatically and deletes the oldest saved logs. Its configuration file is /etc/logrotate.conf, where we can set the rotation period, the number of backup logs to keep, how to back them up, and so on. The /etc/logrotate.d directory holds the rotation settings for individual tools, such as syslog; these files specify how their logs are rotated in line with /etc/logrotate.conf, and you can add files here to rotate the logs of other services as well.
(3) Swatch
Swatch is a real-time log monitoring tool that lets you specify the events you are interested in. It operates in two modes: one exits after checking the log, the other keeps watching the log for new entries. Swatch offers many notification methods, including email, ringing the bell, terminal output, multiple colours and more. Before installing it, make sure the system has Perl. Swatch is driven by its configuration file, swatchmessage, a text file that tells Swatch which logs to monitor, which triggers to look for and what action to take when a trigger fires. When Swatch finds a log entry matching a trigger regular expression defined in swatchmessage, it runs the notification defined in swatchrc.
Of course, the software described above is only a few pretty shells on the Linux beach. As more and more users join the Linux camp, we believe there will be more and more excellent hacks, which in turn will push the Linux operating system towards maturity. We shall see.
Various backdoor and log tools under Linux