preface

Well, isn't it National Day? Because of the epidemic we are all at home, but then this happened. You can tell from the title what it is: I was hacked!! Cough, cough, I can't quite say I was hacked; I can only say that I downloaded backdoor software. Take backdoor software such as Gray Pigeon or "time light", for example: the hacker on the other end remote-controls me. I know, these are the most basic tools. But I still got caught, and in the end my account name and password were stolen. Hard to take, isn't it? That's why I wrote this article.

How do you protect this backdoor, Trojan?

It's easy: just don't download it. Hey, what are you talking about? Ahem, the best way: 360. 360? What are you talking about? Isn't 360 a cancer? Do you know 360 Cloud Brain? Granted, this thing often misfires, calling this a Trojan and that a virus, but just leave it alone. Or, if you'd rather not install 360: first we need to understand the importance of 360, or you can switch to Kaspersky. Ahem, to the point:

  1. 360 is just the first way
  2. The second way is for Linux, such as Ubuntu; this article demonstrates it on CentOS
  3. Firewall software, like Skynet
  4. One last thing, do as I say

The first method: 360, Tencent PC Manager, Huorong, Kaspersky and other antivirus software

Can’t you install 360? Fool, find your own tutorial.

The second method: Linux chkrootkit + rkhunter direct protection

Now for the second way. Have you heard of rootkits? If not, look it up on Baidu.

1. File-level rootkit

A file-level rootkit usually enters the system through a program or system vulnerability and then hides itself by modifying important system files. After a rootkit attack, legitimate files are replaced by Trojan programs: the outside is a shell program, the inside a hidden backdoor. System programs that rootkits commonly replace include login, ls, ps, ifconfig, du, find and netstat. Of these, login is replaced most often, because whenever someone accesses Linux, whether by local or remote login, the /bin/login program runs; the system uses /bin/login to collect and verify the user's account and password. The rootkit replaces the system's /bin/login with a version that contains a preset backdoor password with root privileges. The attacker can then enter the system simply by entering that password, and even if the administrator changes or clears the root password, the attacker can still log in as root. Once inside the Linux system, the attacker carries out a series of actions, the most common being to install a sniffer to collect important data from the local server or from other servers on the network. By default, Linux has system programs that would reveal such tools, for example the ifconfig command (a sniffer puts the interface into promiscuous mode). Therefore, to avoid detection, the attacker also tries to replace other system files such as ls, ps, ifconfig, du, find and netstat. If all of these are replaced, it becomes very difficult at the system level to tell that a rootkit is already running.

This is the file-level rootkit, and it is highly destructive to the system. At present, the most effective defence is to regularly check the integrity of the system's important files: if a file is found to have been modified or replaced, the system has very likely been compromised by a rootkit. There are many tools for checking file-system integrity, including Tripwire and AIDE. They can be run periodically to check file integrity and so detect whether the system has been invaded by a rootkit.
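As an added example (not code from the post, nor from Tripwire or AIDE), here is a small Python file-integrity checker in the same spirit: record a SHA-256 digest and permission bits for a list of critical binaries, keep the baseline somewhere the attacker cannot reach, and compare later. CRITICAL_FILES is the post's own list of commonly replaced programs; the baseline path in the comment is an assumed location, and demo() runs against constructed files in a temporary directory rather than the real /bin.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire/AIDE.

Added example, not code from the original post or from Tripwire/AIDE.
It records a SHA-256 digest, size and permission bits for each critical
binary, stores them as JSON, and later reports any file whose content or
mode no longer matches (replaced, patched, chmod'ed, or deleted).
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# The programs the post lists as the usual rootkit replacement targets.
CRITICAL_FILES = ["/bin/login", "/bin/ls", "/bin/ps", "/sbin/ifconfig",
                  "/usr/bin/du", "/usr/bin/find", "/bin/netstat"]


def fingerprint(path):
    """Return {'sha256', 'size', 'mode'} for path, or None if it is missing."""
    p = Path(path)
    if not p.is_file():
        return None
    digest = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = p.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(paths, baseline_file):
    """Fingerprint every path and write the result to baseline_file as JSON."""
    baseline = {p: fingerprint(p) for p in paths}
    Path(baseline_file).write_text(json.dumps(baseline, indent=2))
    return baseline


def check_baseline(baseline_file):
    """Compare the current state of each recorded file with the baseline.

    Returns {path: reason} for every file that differs; an unchanged system
    yields an empty dict. A size change always changes the hash, so size is
    kept only for the analyst's report.
    """
    baseline = json.loads(Path(baseline_file).read_text())
    findings = {}
    for path, recorded in baseline.items():
        current = fingerprint(path)
        if recorded is None and current is None:
            continue
        if recorded is None:
            findings[path] = "new file (absent at baseline time)"
        elif current is None:
            findings[path] = "missing (deleted or moved)"
        elif current["sha256"] != recorded["sha256"]:
            findings[path] = "content changed (possible replacement)"
        elif current["mode"] != recorded["mode"]:
            findings[path] = "permissions changed"
    return findings


def demo():
    """Constructed scenario: baseline two fake binaries, then 'replace' one.

    Returns the findings keyed by file name so the result is stable.
    """
    with tempfile.TemporaryDirectory() as d:
        login, ls = Path(d, "login"), Path(d, "ls")
        login.write_bytes(b"original login binary")
        ls.write_bytes(b"original ls binary")
        baseline_file = Path(d, "baseline.json")
        build_baseline([str(login), str(ls)], baseline_file)

        # Simulate a rootkit swapping login for a copy with a preset password.
        login.write_bytes(b"trojanised login with a preset password")
        return {Path(k).name: v for k, v in check_baseline(baseline_file).items()}


if __name__ == "__main__":
    # Real use (assumed path): build_baseline(CRITICAL_FILES, "/mnt/usb/baseline.json")
    # once on a clean system, then check_baseline("/mnt/usb/baseline.json") on a schedule.
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Keep the baseline file read-only on a separate host or removable medium; a baseline stored beside the binaries can be rewritten together with them. A hash check only sees what the kernel shows it, so it catches file-level replacement, not a modified kernel.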

2. Kernel rootkit

A kernel-level rootkit is a more advanced intrusion than a file-level rootkit. It gives the attacker complete control of the lowest layer of the system: the attacker can modify the kernel so that it intercepts the commands submitted to it to run programs and redirects them to a program of the intruder's choosing. In other words, when the user wants to run program A, the kernel modified by the intruder pretends to execute program A while in fact program B is executed.

A kernel-level rootkit attaches mainly to the kernel and makes no modifications to system files, so common detection tools find it hard to detect. Once a rootkit is implanted in the kernel, the attacker can do anything to the system without being detected. At present there is no good defensive tool against kernel-level rootkits, so it is very important to do a good job of system security defence and keep the system running with the minimum permissions. As long as the attacker cannot obtain root permission, a rootkit cannot be implanted in the kernel.

3. The main topic: understand, install, prepare and use chkrootkit

chkrootkit is a tool for locating and detecting rootkit backdoors on Linux. Its official site is www.chkrootkit.org/. chkrootkit is not included in the official CentOS repositories, so it is installed manually, which is also more secure. The installation procedure follows.

  1. Prepare the GCC compilation environment

To install the GCC compilation environment for the CentOS, run the following commands:

yum -y install gcc gcc-c++
  2. Install chkrootkit

For security, download the chkrootkit source code from the official website and install it as follows:

tar zxvf chkrootkit.tar.gz
cd chkrootkit-*
make sense
  3. Use chkrootkit

The installed chkrootkit program is in the /usr/local/chkrootkit directory. Run the following command to display its detailed usage:

/usr/local/chkrootkit/chkrootkit -h    # display help information

The chkrootkit options are:

Option                 Meaning
-h                     Display help information
-v                     Display version information
-d                     Debug mode: show the commands run during detection
-q                     Quiet mode: only problematic results are shown
-x                     Expert mode: all test results are shown
-r dir                 Use the specified directory as the root directory
-p dir1:dir2:dirN      Directories holding the system commands chkrootkit should use
-n                     Skip NFS-mounted directories

To use chkrootkit, just run the chkrootkit command; it starts system detection automatically. Here is the result on one system:

[root@server chkrootkit]# /usr/local/chkrootkit/chkrootkit
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `login'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `top'... INFECTED
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `telnetd'... not found

From the output you can see that the ifconfig, ls, login, netstat, ps and top commands on this system have been infected. For a system in which chkrootkit reports an infection, the safest and most effective course is to back up the data and reinstall the system.

chkrootkit uses a number of system commands while checking for rootkits. If the server has been hacked, those very commands may already have been replaced by the intruder, and chkrootkit's results then become completely unreliable. To avoid this, back up the system commands chkrootkit depends on before exposing the server to the public; when needed, point chkrootkit at the backed-up originals. This can be done as follows:

[root@server ~]# mkdir /usr/share/.commands
[root@server ~]# cp `which --skip-alias awk cut echo find egrep id head ls netstat ps strings sed uname` /usr/share/.commands
[root@server ~]# /usr/local/chkrootkit/chkrootkit -p /usr/share/.commands/
[root@server ~]# cd /usr/share/
[root@server share]# tar zcvf commands.tar.gz .commands
[root@server share]# rm -rf commands.tar.gz    # after the archive has been downloaded to a safe location

The preceding operation creates a hidden .commands directory under /usr/share/ and backs up the system commands used by chkrootkit into it. For safety you can compress the .commands directory and download the archive to a secure location. If the server is compromised, upload the backup to any path on the server and pass that path with chkrootkit's "-p" option.

Rootkit backdoor detection tool RKHunter

rkhunter is a professional tool that detects whether a server is infected by a rootkit by running a series of scripts. The official list of what rkhunter can do is:

  1. MD5 verification to check whether files have been changed
  2. Detection of the binaries and system tool files used by rootkits
  3. Detection of Trojan signature strings
  4. Checking whether the file attributes of common programs are abnormal
  5. System-related tests
  6. Detection of hidden files
  7. Detection of suspicious kernel modules (LKMs)
  8. Checking the listening ports enabled on the system

The installation and use of rkhunter are described in detail below.

  1. Install rkhunter

The official rkhunter website is www.rootkit.nl/projects/ro… and it is recommended to download rkhunter from there. The version downloaded here is rkhunter-1.4.0.tar.gz. Installing rkhunter is very simple; the process is as follows:

[root@server ~]# ls
rkhunter-1.4.0.tar.gz
[root@server ~]# pwd
/root
[root@server ~]# tar -zxvf rkhunter-1.4.0.tar.gz
[root@server ~]# cd rkhunter-1.4.0
[root@server rkhunter-1.4.0]# ./installer.sh --layout default --install

rkhunter is installed in /usr/local/bin by default.

  2. Use rkhunter

The rkhunter command has many options, but it is very simple to use. Running rkhunter with no arguments shows the command's usage. Here are the options commonly used with rkhunter.

[root@server ~]# /usr/local/bin/rkhunter --help

Common rkhunter parameters and their meanings are as follows:

Parameter                  Meaning
-c, --check                Check the current system (required to run a check)
--configfile <file>        Use a specific configuration file
--cronjob                  Run as a cron job (non-interactive)
--sk, --skip-keypress      Complete all checks automatically, skipping keyboard input
--summary                  Display the statistics of the check results
--update                   Check for and apply updates to the detection data
-v, --version              Display version information
--versioncheck             Check whether a newer rkhunter version exists

Here is an example of checking a system with rkhunter:

[root@server rkhunter-1.4.0]# /usr/local/bin/rkhunter -c
[ Rootkit Hunter version 1.4.0 ]

# This part mainly checks the system's binary files, because these are the
# most vulnerable to rootkit attack. OK means the system command is working
# normally; Warning means the result must not be ignored.
Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /sbin/chkconfig                                          [ OK ]
    ...(omitted)...

[Press <ENTER> to continue]

# Check for known rootkits.
Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    ...(omitted)...

[Press <ENTER> to continue]

# Additional rootkit checks: possible rootkit files or directories, malware
# detection, and loaded kernel modules.
  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

[Press <ENTER> to continue]

# Check the network, system ports, system startup files, user and group
# configuration, SSH configuration, file system, and so on.
Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    ...(omitted)...

[Press <ENTER> to continue]

Checking application versions...

    Checking version of GnuPG                                [ OK ]
    Checking version of OpenSSL                              [ Warning ]
    Checking version of OpenSSH                              [ OK ]

# This section is a summary of the output above and gives a general picture
# of the server's security status.
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 137
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 311
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 1

The system checks took: 6 minutes and 41 seconds

The main benefit of running rkhunter in a Linux terminal is that each result is shown in a different colour: green is fine, red is cause for concern. Also, during the check above, Enter has to be pressed after each part finishes. To make the program run through without stopping, use the following command:

[root@server ~]# /usr/local/bin/rkhunter --check --skip-keypress

If you also want the check to run automatically every day, add the following line to /etc/crontab:

30 09 * * * root /usr/local/bin/rkhunter --check --cronjob

With this, the rkhunter check runs once a day at 9:30.

Third: firewall software

First: Windows' own firewall

Windows Defender Firewall is the firewall built into Windows. Open it under Control Panel > System and Security > Windows Defender Firewall. It is on by default, but check anyway whether it has been turned off, because some software can disable the firewall; check the status shown on the right of that window.

Second :360 home firewall

Yes, it is 360 again. Personally I think the 360 firewall is fine too: download the standalone version, which connects to the cloud brain. Even if it has had its ups and downs, it regularly checks ports. As a front-end developer, what I look at are ports and recent Wi-Fi usage: who is on the Wi-Fi, which phones, which computers. That is what I look at, so this firewall solves my problem nicely, and naturally I recommend it. It is mainly for us developers; recommended.

Number three: GlassWire

GlassWire is an application for Windows, and for Windows it is beautiful and simple; it looks like this (screenshot, switched to Chinese). You wouldn't expect this to be for Windows, it's so clean! So I recommend the app, with one word: "Yes!"

Fourth: Firewall App Blocker

Firewall App Blocker restricts software access to the network:

For most users the Windows firewall, while useful, goes unused, mainly because setting it up is slightly cumbersome. Blocking an application from the network with Firewall App Blocker (Fab) is very easy: add the application to the software list, tick it to disable its Internet access, untick it to allow access again. It is as simple as that.

This software is very easy to use, and its biggest advantage is that it solves the problem of the built-in Windows firewall being hard to use. Also recommended, but the interface is not as nice as GlassWire's.

You may be saying, "Why only Windows software? Where's the Mac?" My answer is, you don't have to rant about the Mac's defences, let alone Trojans, because it would take a top hacker a lot of time to break into it! As for Linux, you may have already seen it, so I don't need to tell you. If you want to show off your skills, I have no problem with an anti-hacker. If you do succeed, what can you do? Wait for the cyber police to find you? Don't turn innocent into guilty.

One last way

preface

This method is a bit roundabout; if you really don't want to listen, don't (the heartfelt advice of the blogger). The last method is against backdoor software used by hackers. Not much preface, straight into the topic.

To the chase

Get down to business now!

Know what backdoors are

A backdoor is a method of bypassing security controls to gain access to a program or system. Typically, during software development, programmers create backdoors so that flaws in the design can be fixed. But if these backdoors become known to others, or are not removed before the software is released, they become a security risk that hackers can easily exploit as a vulnerability. Generally speaking, a backdoor is a way left in a computer system for a particular user to control that system in a particular way.

1. The two connectivity properties of remote control

(1) Any remote-control technique must establish at least one TCP or UDP connection with the target (the controlled end). If the controller is not online, the controlled machine keeps sending it a connection request every 30 seconds.

(2) Any remote-control Trojan writes at least one autostart entry or service start entry, or hijacks a normal start entry that the system needs. It also hides in a directory and drops the Trojan file there so that it can start automatically.

2. Anti-remote-control method based on the first connectivity property: two commands to judge whether the machine is controlled
  1. The easiest way is with two commands: "netstat" and "tasklist". These two commands are perfect for catching remote control. First we test in a virtual machine: on the host, use the Gray Pigeon controller to generate a Trojan, then run it in the virtual machine.

    netstat -ano    # show all network connections and the PID that owns each one
    tasklist        # list running processes and their PIDs

  2. Once the virtual machine is confirmed to be under our remote-control Trojan, we run the first command. First, while still connected to the Internet, close every program that uses the network, including antivirus software, QQ, Thunder and any other networked program, keeping only the most basic processes; that makes the odd one out easy to identify. Then open Start > Run, enter cmd, and in the black DOS window run the netstat -ano command. It shows the current network connection state: LISTENING means the port is waiting for a connection, ESTABLISHED means a connection has been made. We should be asking: why are we connected to a remote host when none of our programs is on the network? Below is the network connection state of the remote-control Trojan in the virtual machine.

  3. The PID of the last captured line, the one in the ESTABLISHED state, is 3920. This is what we meant by the remote controller establishing at least one TCP or UDP connection with the target; here it is a TCP connection. Looking closely, "Foreign Address" is the public IP address; you can search Baidu for that IP to learn where the person controlling our computer is. Look at the port after the IP address: 8000. Much mainstream remote-control software uses port 8000 or port 80, which makes it even more suspicious. Next we look at the process, because a Trojan must be running in memory to connect at all; the PID captured above is 3920. Enter the command tasklist /svc, which lists the current processes, their PID values and the services they started.

  4. With the command above we found the process with PID 3920 that owns the network connection, and its process name is an IE process. Obviously something is wrong: we did not open a browser, so where did an IE process come from? It is clearly a remote-control Trojan disguising its process. We check and kill the process immediately, removing it from memory: the taskkill /f /pid 3920 command forcibly ends the process whose PID is 3920. When we force-ended the Trojan, the "chicken" (the victim) in the controller's remote-control software went offline immediately, so the hacker lost control.

  5. To be clear, we have for now made it impossible for the hacker to control our computer by ending the program that holds the remote-control connection. But remember the second connectivity property: remote-control software wants the victim to come back online after a reboot, so the hacker's Trojan must write an autostart entry on the controlled computer. That entry runs the Trojan as soon as the system starts, and the Trojan comes back online. So we must also check our startup entries. Many of them are written to the registry; here are some of the startup keys a Trojan may write:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (Load value)

  1. In cmd, switch to the directory of the process and force-delete it: after switching to the directory, enter the command del /ah /f svchot.exe to force-delete the hidden Trojan file.
  2. At this point we have killed the Trojan started by the service. You can now stop the service, or delete it with sc delete; there is not much more to say, because the Trojan started by the service has been removed, and even if the service remains it can no longer find the program to start. Now we restart the virtual machine and check whether the network connection list again shows a TCP remote-control connection to the hacker.

3. Anti-remote-control method based on the second connectivity property: two programs to determine whether there is a backdoor
  1. The two tools are IceSword and SSM. The first mainly deals with DLL process injection and Trojans with rootkit features. "Rootkit" here means hidden: such a Trojan can hide its network connection state and its process. With IceSword you can see the hidden Trojan at the kernel level. For example, the following is DLL injection by the GHOST Trojan: it is injected into the svchost.exe process through a DLL, and IceSword can find the suspect DLL module.

    It stands to reason that svchost.exe must be under control if it is connected to an outside IP. The DLL is injected into the svchost.exe process for control, so there will be a connection. Generally speaking, svchost.exe may connect to a US IP while Microsoft updates are running, but at other times it has no connection to the outside world. You can see this directly in 360's network connection view.

    Processes in IceSword are shown in black. If there are red processes, they are usually Trojans using kernel rootkit technology. Such Trojans are usually not visible in Task Manager or with tasklist /svc, but IceSword reveals them quickly.

  2. IceSword is very powerful and I won't go into it further here; I have already given some examples. Now let's talk about using SSM. First I install this software in the virtual machine and start it. Once it is running, whenever we run any program it raises an alert showing what action the program is performing. Here we copy a Gray Pigeon remote-control Trojan into the virtual machine; when we click it, SSM alerts immediately that the program is starting. That action is normal, because the program needs the Explorer graphical process to start it.

  3. The next alert is that the program writes a service under HKLM\SYSTEM\CurrentControlSet\Services. This is not normal: we did not install any program, yet a simple program is writing and adding a service. Suspicious!

  4. When we allow this operation, we find that service keys keep being written to the registry, which is certainly a suspicious action, and finally the Trojan drops its program into the system directory. In theory an executable program would not be dropped at random into the system directory. Suspicious!

  5. In the last step we also find the program trying to inject into IE and start the Trojan in the background inside IE. Clearly this is a suspicious Trojan program, very likely a backdoor Trojan, and it has written the service that gives it the second connectivity property! By intercepting a program's actions with SSM, we can analyse whether a program carries a backdoor Trojan.

    Above is the anti-hacker tutorial that I share; I hope it can help you 😉

I’m a Python developer, and I’ve compiled a series of tutorials for you to learn about the Python system.