UNDERCODE COMMUNITY
@UndercodeCommunity
Forwarded from Backup Legal Mega


» 🦑 Quickly check whether the computer has been hacked (Linux version)
🦑 Check users:

If you obtained an abnormal user name (assumed to be "hacker" below) in the previous step, you can check that user in detail using the following commands:

1) View the user's id and group information: id hacker

2) View the user's most recent login: lastlog -u hacker

3) View the user's login history: last hacker

4) View the user's failed logins: lastb hacker

5) View comprehensive information: finger hacker

6) Note: the finger command is not built in on some operating systems; you can install it with the package manager, for example:

> Ubuntu/Debian: apt-get install finger

> CentOS/RedHat: yum install finger

> ArchLinux: pacman -S finger

7) The other non-built-in commands mentioned below can be installed in the same way.
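The "previous step" that produces the abnormal user name is not shown in this post, so here is an added example (not from the original post) of one way to find such an account in /etc/passwd, together with a helper that runs the per-user checks listed above. The passwd lines and the account name "hacker" are constructed sample data; on a real host feed in "$(cat /etc/passwd)".

```shell
#!/bin/sh
# Added example, not part of the original post. The SAMPLE_PASSWD content is
# constructed; the "hacker" account is hypothetical.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hacker:x:0:1001:hypothetical account:/home/hacker:/bin/bash
svc:x:1002:1002::/var/svc:/usr/sbin/nologin'

# Print every account that has UID 0 but is not named root: a second root
# account is one of the classic signs of a backdoor.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print every account that can log in interactively (shell is not nologin or
# false), one per line, so the list can be compared with the users you expect.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Run the detail checks from the list above for one user name. finger is only
# run when it is installed; lastb needs root to read /var/log/btmp.
inspect_user() {
    user="$1"
    echo "== id ==";      id "$user" 2>&1
    echo "== lastlog =="; lastlog -u "$user" 2>&1
    echo "== last ==";    last "$user" 2>&1
    echo "== lastb ==";   lastb "$user" 2>&1
    if command -v finger >/dev/null 2>&1; then
        echo "== finger =="; finger "$user" 2>&1
    else
        echo "finger not installed (apt-get/yum/pacman install finger)"
    fi
    return 0
}

# Demo on the constructed sample; pass a user name to inspect a real account.
echo "Extra UID 0 accounts: $(uid0_accounts "$SAMPLE_PASSWD")"
echo "Interactive accounts: $(interactive_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
if [ $# -gt 0 ]; then
    inspect_user "$1"
fi
```

On the sample this reports "hacker" as an extra UID 0 account and root, alice and hacker as interactive accounts; run the script with a user name as its argument to execute the id/lastlog/last/lastb/finger checks against that account.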
» 🦑 Quickly check whether the computer has been hacked (Linux version)

🦑 Check abnormal permissions
Linux users generally use sudo to let ordinary users perform root operations, so even an ordinary user that already exists cannot be taken lightly. sudo permissions are managed in /etc/sudoers and /etc/sudoers.d, where you can review them. It is best to check these files for changes frequently, to make sure no ordinary user has obtained unexpected permissions. For each ordinary user you can run groups username to query the groups it belongs to; if the user is in the root or sudo group, or its group appears in the /etc/sudoers file, that deserves special attention.
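Added example (not from the original post) of the group and sudoers review described above, done over text so it can run offline: the /etc/group and sudoers content is constructed sample data, and on a real host you would feed in /etc/group, /etc/sudoers and every file under /etc/sudoers.d/.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_GROUP and SAMPLE_SUDOERS
# are constructed; "hacker" is a hypothetical account.

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,hacker
wheel:x:10:
users:x:100:alice,bob,hacker
docker:x:998:bob'

SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
hacker  ALL=(ALL) NOPASSWD: ALL'

# Print the groups a user belongs to according to the given /etc/group text,
# the same information "groups username" reports on a live system.
groups_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Return 0 when the user sits in a group that can reach root through sudo:
# root, sudo or wheel, or any %group referenced in the sudoers text.
in_privileged_group() {
    user="$1"; group_text="$2"; sudoers_text="$3"
    sudoer_groups=$(printf '%s\n' "$sudoers_text" | awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }')
    for g in $(groups_of "$user" "$group_text"); do
        case "$g" in root|sudo|wheel) return 0 ;; esac
        for sg in $sudoer_groups; do [ "$g" = "$sg" ] && return 0; done
    done
    return 1
}

# Print the sudoers principals granted unrestricted root without a password,
# which is exactly the "unexpected permission" the checklist warns about.
nopasswd_all_entries() {
    printf '%s\n' "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' | awk '{ print $1 }'
}

# Demo on the constructed data.
for u in alice bob hacker; do
    if in_privileged_group "$u" "$SAMPLE_GROUP" "$SAMPLE_SUDOERS"; then
        echo "$u: root-capable via groups: $(groups_of "$u" "$SAMPLE_GROUP" | tr '\n' ' ')"
    else
        echo "$u: no root-capable group"
    fi
done
echo "NOPASSWD ALL granted to: $(nopasswd_all_entries "$SAMPLE_SUDOERS" | tr '\n' ' ')"
```

On the sample, alice and hacker are flagged through the sudo group while bob is not, and the direct "hacker ALL=(ALL) NOPASSWD: ALL" line is reported separately; a user with that line but no group membership would be missed by "groups username" alone, which is why both checks are needed.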
» 🦑 Quickly check whether the computer has been hacked (Linux version)

🦑 Abnormal startup items
The self-starting mechanism under Linux differs according to the service manager; the following three are commonly used:

1) Upstart
Upstart is an event-based init used to replace the ancient /sbin/init process for handling tasks and service self-starting.

🦑 To view this type of self-starting file, you can use the following commands:

> View all self-starting jobs: initctl list
> View one self-starting job: initctl show-config evil

2) SystemV
SystemV is the service management system behind the commonly used service start/stop/status xxx.service commands.

🦑 To view this type of self-starting file, you can use the following commands:

> View the self-starting scripts: ls /etc/init.d/
> View the symbolic links for each runlevel: ls /etc/rc*.d/

3) SystemD
SystemD is a modern service management system, and newer Linux versions have all migrated to SystemD.

🦑 There are two ways to view all self-starting services:

> systemctl list-unit-files --type=service
> ls /lib/systemd/system/*.service /etc/systemd/system/*.service

Older Linux versions are generally a mixture of Upstart and SystemV, and most new versions have migrated to SystemD.
» 🦑 Quickly check whether the computer has been hacked (Linux version)

🦑 Other

1) Abnormal scheduled tasks
In addition to the self-starting services above, under Linux you can also run persistent tasks through scheduled tasks. Checking for abnormal scheduled tasks is relatively simple:

2) You only need to view /etc/crontab and the scheduled task files in the /etc/cron.* subdirectories.

3) bash initialization
Anyone who has used Linux knows that $HOME/.bashrc can hold initialization that applies to each shell,

4) In other words, the script inside may be executed every time a new terminal is opened.

5) Such profiles include .bashrc, .bash_profile, .bash_login, .profile and so on.

6) Whether each runs, and in which order, is determined by whether the shell is a login shell when it is invoked and whether it runs interactively.
🦑 For bash, the execution flow is as follows (the original message showed it as a flow chart):

The execution sequence is A->B->C; B[123] means that only the first of those B scripts that exists is executed.
» 🦑 Quickly check whether the computer has been hacked (Linux version)

🦑 For login/non-login shells and interactive/non-interactive shells, please refer to other introductions on the Internet; they will not be expanded on here.

> As long as you know the order in which your shell initialization files are executed and check those files for suspicious commands, you can find abnormal entries.

> Application-level self-start
It is difficult to find all suspicious self-starting items. Experienced attackers can modify existing self-starting scripts to pull in additional commands, which reduces the risk of being discovered.

> Some Linux desktop environments will also run similar self-starting commands, such as my favorite, xfce, where Settings -> Session and Startup -> Application Autostart can add applications to be started.
» 🦑 Quickly check whether the computer has been hacked (Linux version)

🦑 Abnormal records

1) Abnormal command history
In general, hackers will execute certain commands after they obtain a shell. We can use the history command to view the commands that have been run,

2) or view the ~/.bash_history file directly. A smart hacker may clean up their traces after doing bad things, but if the history is found to have been maliciously cleared

3) or tampered with, that alone is enough to give us a warning signal.

4) Abnormal logging
Logs, especially system logs, are our great helpers. The following commands read the log files and output related information:

> View the latest login time and IP of each user: lastlog

> View each user's login records: last

> View each user's login attempts (including failures): lastb

> View the currently logged-in users, their IPs and the commands they are executing: w

> Of course, deliberate attackers will also hide their traces from these commands, for example using the gadget hidemyass.

5) System logs are generally generated by the rsyslogd process and are configured in the /etc/rsyslog.conf file and the /etc/rsyslog.d/ directory.

6) Some common logs are introduced below:

> /var/log/messages: general system log

> /var/log/kern.log: kernel log

> /var/log/boot.log: system boot log

> /var/log/auth.log: logs related to login, such as ssh/sudo success and failure logs

> /var/log/secure: same as above

> /var/log/cron.d: execution log of cron scheduled tasks

7) By checking the above logs, you can often find some unexpected traces (if any).
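Added example (not from the original post) of what "checking the above logs" looks like for /var/log/auth.log (or /var/log/secure): it pulls out failed SSH logins per source, successful logins, the combination of the two, sudo commands and account creation. The log lines are constructed (RFC 5737 test addresses, hypothetical hosts and users); on a real host replace SAMPLE_AUTH with "$(cat /var/log/auth.log)".

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_AUTH is constructed.

SAMPLE_AUTH='Mar  3 02:11:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 02:11:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  3 02:11:05 host sshd[1204]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 02:12:40 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 40100 ssh2
Mar  3 02:13:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 03:40:12 host sshd[1300]: Accepted publickey for alice from 203.0.113.5 port 52000 ssh2
Mar  3 03:41:00 host sudo:    alice : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  3 03:41:30 host useradd[1320]: new user: name=hacker, UID=0, GID=1001, home=/home/hacker, shell=/bin/bash'

# Failed SSH logins per source IP as "count ip", most frequent first.
failed_by_ip() {
    printf '%s\n' "$1" | awk '/sshd.*Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Successful SSH logins as "user ip".
accepted_logins() {
    printf '%s\n' "$1" | awk '/sshd.*Accepted/ {
        u = ""; ip = ""
        for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); else if ($i == "from") ip = $(i+1) }
        print u, ip }'
}

# IPs that failed and later succeeded: a password-spray that eventually
# worked, or a key that should not exist, is the first thing to examine.
brute_force_then_success() {
    failed=$(failed_by_ip "$1" | awk '{ print $2 }')
    accepted_logins "$1" | while read -r user ip; do
        for f in $failed; do [ "$f" = "$ip" ] && echo "$ip $user"; done
    done
    return 0
}

# sudo invocations as "user command"; an interactive root shell stands out.
sudo_commands() {
    printf '%s\n' "$1" | awk -F'COMMAND=' '/sudo:/ { split($1, a, " "); print a[6], $2 }'
}

# Account creation events, which should each match a change you know about.
new_accounts() {
    printf '%s\n' "$1" | grep -o 'new user: name=[^,]*, UID=[0-9]*' \
        | sed 's/new user: name=//; s/, UID=/ uid=/'
    return 0
}

echo "== failed logins by ip ==";        failed_by_ip "$SAMPLE_AUTH"
echo "== accepted logins ==";            accepted_logins "$SAMPLE_AUTH"
echo "== failed then accepted ==";       brute_force_then_success "$SAMPLE_AUTH"
echo "== sudo commands ==";              sudo_commands "$SAMPLE_AUTH"
echo "== new accounts ==";               new_accounts "$SAMPLE_AUTH"
```

On the sample, 203.0.113.5 fails three times and then logs in as alice with a public key, alice runs sudo /bin/bash from /tmp, and a UID 0 account named hacker is created: read together these lines tell the story that last and lastlog alone would not.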

🦑 Crime scene

1) Although this self-check is mainly about finding clues and instructions in the traces left behind, sometimes the malware left by the attacker will still be running,

2) and at that point it is also a good idea to look for clues at the crime scene itself.


🦑 Abnormal processes:

1) To find abnormal processes, you can use the top command to view the resources used by running programs, or ps -ef to list the processes on the current system.

2) If you find a process you don't recognize, you can use the following commands to check it in detail:

3) View the full command line the process was started with: ps eho command -p $PID

4) View the directory the process was started in: readlink /proc/$PID/cwd

5) View the complete environment the process was started with: strings -f /proc/$PID/environ | cut -f2 -d ' '

> List all files opened by the process: lsof -p $PID

> List the network connections opened by the process: netstat -pan | grep $PID

> Of course, if the attacker hides the process by some means, it will still leave some clues, such as a suspicious LKM module; this will not be explored further here.
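Added example (not from the original post): the per-PID checks listed above wrapped in one read-only function, plus a classifier for the signs a responder looks at first in a process list: a binary running from a scratch directory, a hidden path, or an executable deleted from disk after launch (readlink on /proc/PID/exe appends " (deleted)" in that case). The process table used for the demo is a constructed sample; inspect_pid works on a live /proc.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_PS is constructed
# ("pid|user|exe|cwd" per line); the process names in it are hypothetical.

# Return 0 and print a reason when the exe path or working directory looks
# wrong; return 1 when nothing stands out.
classify_process() {
    exe="$1"; cwd="$2"
    case "$exe" in
        *"(deleted)"*)                echo "executable deleted from disk: $exe"; return 0 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "executable in scratch dir: $exe";   return 0 ;;
        */.*)                         echo "executable under hidden path: $exe"; return 0 ;;
    esac
    case "$cwd" in
        /tmp/*|/var/tmp/*|/dev/shm/*|*/.*) echo "working directory $cwd"; return 0 ;;
    esac
    return 1
}

# Live triage of one PID with the checks from the list above (read-only;
# ss is used in place of netstat where netstat is not installed).
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid $pid"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    echo "cmdline : $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "exe     : $exe"
    echo "cwd     : $cwd"
    echo "environ : $(tr '\0' ' ' < "/proc/$pid/environ" 2>/dev/null)"
    if command -v lsof >/dev/null 2>&1; then lsof -p "$pid" 2>/dev/null | head -n 20; fi
    if command -v ss >/dev/null 2>&1; then ss -tanp 2>/dev/null | grep "pid=$pid," || true; fi
    classify_process "$exe" "$cwd" || echo "nothing unusual in exe/cwd"
    return 0
}

SAMPLE_PS='1|root|/sbin/init|/
842|root|/usr/sbin/sshd|/
1337|nobody|/tmp/.x/kworkerds|/tmp/.x
2001|alice|/usr/bin/bash|/home/alice
2099|alice|/home/alice/.cache/update (deleted)|/home/alice'

# Print "pid user reason" for every sample row the classifier flags.
flag_sample() {
    printf '%s\n' "$1" | while IFS='|' read -r pid user exe cwd; do
        reason=$(classify_process "$exe" "$cwd") && echo "$pid $user $reason"
    done
    return 0
}

flag_sample "$SAMPLE_PS"
if [ $# -gt 0 ]; then
    inspect_pid "$1"
fi
```

On the sample, PID 1337 (a binary in /tmp/.x masquerading as a kernel thread name) and PID 2099 (whose executable was removed after start) are flagged; run the script with a PID as its argument to triage a live process. A process that passes these checks can still be malicious, so treat the classifier as a prioritisation aid, not a verdict.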

🦑 Abnormal network traffic

1) If a malicious process is active, it is likely communicating with the external network at that moment, which calls for analysis with a packet capture tool.

2) For Linux desktop users, wireshark is an excellent choice; for servers, tcpdump is a good tool, and it is necessary to master it as well.

3) Taking wireshark as an example: capture packets for a few minutes, and with the built-in filter rules plus the network connections opened by the application analyzed above,

4) you can see what evil communication this malicious application is doing with the outside world, so as to assess the loss in time and protect the data.

5) In addition to the network activity initiated by malware, some is initiated by the system itself. For example, if the attacker modified iptables, DNS, the http proxy

> or /etc/hosts, our normal network requests may be intercepted and tampered with by the attacker. These small modifications may not be obvious,

6) but once you find that your network environment is "not quite right", you must be vigilant and investigate carefully.
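Added example (not from the original post) for the "small modifications" in point 5: it inspects hosts-file entries that redirect public names to non-local addresses, name servers outside private address space, and proxy variables in the environment. The hosts and resolv.conf contents are constructed (example.com/example.org names, RFC 5737 addresses); on a live host feed in /etc/hosts and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_HOSTS and SAMPLE_RESOLV
# are constructed.

SAMPLE_HOSTS='127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.1.20 nas.local
203.0.113.7 www.example.com login.example.org
0.0.0.0 ads.example.net'

SAMPLE_RESOLV='# generated by NetworkManager
nameserver 192.168.1.1
nameserver 203.0.113.53'

# Hosts entries that pin a name to an address that is neither loopback,
# unspecified (0.0.0.0 blackholes are a common ad-blocking idiom) nor private.
hosts_redirections() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 ~ /^(127\.|0\.0\.0\.0$|::1$|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { next }
        { for (i = 2; i <= NF; i++) print $i, "->", $1 }'
}

# Name servers outside loopback and RFC 1918 space. A resolver you did not
# configure can redirect every request, so each one should be explainable.
external_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && $2 !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$)/ { print $2 }'
}

# Proxy variables silently route curl/wget/apt traffic through another host.
proxy_vars() {
    env | grep -iE '^(https?|ftp|all)_proxy=' || true
}

# Read the live files when present (read-only).
check_live() {
    [ -r /etc/hosts ]       && { echo "== /etc/hosts =="; hosts_redirections "$(cat /etc/hosts)"; }
    [ -r /etc/resolv.conf ] && { echo "== /etc/resolv.conf =="; external_nameservers "$(cat /etc/resolv.conf)"; }
    echo "== proxy variables =="; proxy_vars
    return 0
}

echo "== sample hosts redirections =="; hosts_redirections "$SAMPLE_HOSTS"
echo "== sample external nameservers =="; external_nameservers "$SAMPLE_RESOLV"
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

On the sample this reports www.example.com and login.example.org pinned to 203.0.113.7 and an unexpected resolver at 203.0.113.53; run it with --live to apply the same checks to the host's own files. For the capture step in points 1 to 4, `tcpdump -i any -nn -w capture.pcap host <peer>` (run as root) records only the traffic to one suspicious peer found with lsof or netstat, and the resulting file opens in wireshark for the filter-based review the text describes.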


written by Undercode

🦑 70% of Linux systems are not safe and are tracked anonymously; this new article is important for any Linux user

t.me/UndercodeTesting

🦑 2020, last updated 2 days ago: Advanced dork search & mass exploit scanner:

INSTALLATION & RUN :

1) git clone https://github.com/AlisamTechnology/ATSCAN

2) cd ATSCAN

3) chmod +x ./atscan.pl

4) chmod +x ./install.sh

5) ./install.sh

6) Portable Execution: perl ./atscan.pl

7) Installed Tool Execution: atscan
Menu: Applications > Web Application analysis > atscan

🦑 FEATURES :

● Engines: [Google apis cache] Bing Ask Yandex Sogou Exalead Shodan
● Mass Dork Search
● Multiple instant scans.
● Mass Exploitation
● Use proxy.
● Random user agent.
● Random engine.
● Mass Extern commands execution.
● Exploits and issues search.
● XSS / SQLI / LFI / AFD scanner.
● Filter wordpress & Joomla sites.
● Wordpress theme and plugin detection.
● Find Admin page.
● Decode / Encode Base64 / MD5
● Ports scan.
● Collect IPs
● Collect E-mails.
● Auto detect errors.
● Auto detect forms.
● Auto detect Cms.
● Post data.
● Auto sequence repeater.
● Validation.
● Post and Get method
● IP Localisation
● Issues and Exploit search
● Interactive and Normal interface.
● And more...

✅ Verified
@UndercodeTesting

🦑 The best way to hack any mail in 2020

& highly rated:

🦑 HOW IT WORKS?

Your best friend in credential reuse attacks.

1) You give Cr3dOv3r an email, then it does two simple, useful jobs with it:

2) It searches for public leaks of the email and returns the result with the most useful details about the leak (using the haveibeenpwned API), and tries to get the plain-text passwords from the leaks it finds.

3) Now you give it a password or a leaked password, and it tries these credentials against some well-known websites (e.g. Facebook, Twitter, Google...), tells you whether the login succeeded and whether a captcha somewhere is blocking the way.

4) Some of the scenarios Cr3dOv3r can be used in:

5) Check whether the targeted email is in any leaks, then use the leaked password to check it against the websites.

6) Check whether the target credentials you found are reused on other websites/services.

7) Check whether the old password you got from the target/leaks is still used on any website.

INSTALLATION & RUN :

1) download zip https://github.com/D4Vinci/Cr3dOv3r
2) cd Cr3dOv3r-master
3) python -m pip install -r win_requirements.txt
4) python Cr3d0v3r.py -h

+For Linux :

1) git clone https://github.com/D4Vinci/Cr3dOv3r.git
2) cd Cr3dOv3r
3) python3 -m pip install -r requirements.txt
4) python3 Cr3d0v3r.py -h

+For docker :

1) git clone https://github.com/D4Vinci/Cr3dOv3r.git
2) docker build -t cr3dov3r Cr3dOv3r/
3) docker run -it cr3dov3r "test@example.com"

✅ E N J O Y
use for learning only!
@UndercodeTesting

🦑 Best Netflix 2020 mod-