----------------- Hints on hacking in a safe mode made for TWWC by Yog-Sotho -----------------------
Hello everybody!
Today we're gonna face the problem of "what to do in order to avoid, or at least delay (ehhehe) a bit, being busted". Owning a shell is not that difficult once you have good tools. The most difficult part is hiding any clue about you, your ip, your actions and so on.
Let's take a quick look at the first moves which should be done:
1) Whenever you break into a shell with root privileges, the first thing to do is to hide what you've just done. You can type "unset HISTFILE" and "unset HISTSAVE" to stop the system from logging what you do, and moreover (very important!!) you have to link the .bash_history file to /dev/null so that it stops recording history. Remember to unlink it from /dev/null whenever you log out of the shell, or the admin will get suspicious when he sees the bash history linked to nothing! This is the first option.
Second option is to do "kill -9 0" when you leave the shell. This will send a "terminate" signal to the program without cleaning up its environment (pid files, cache, sockets, child processes etc.), and of course the .bash_history file won't be written/saved this way.
Third option, very similar to the previous one, is to type "kill <PID>" when you leave the shell: this sends a kill signal to the program, closing it together with everything linked to it. But this way the .bash_history file will be saved with its contents.
To use the previous 2 options, you have to know the PID of the program. If it's a daemon it will have a pidfile in /var/run which contains the PID. You can type "cat /var/run/httpd.pid" for example to learn the PID of the http daemon. Or you can type "ps aux" to get a list of all active processes and their PIDs, then choose the one you want to kill.
OK, now we know a bit more about how to clean up our traces. Of course the use of a good log cleaner is suggested. All these actions must be taken at least the first time you break into a server.
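From the defender's side, the history-hiding trick above is cheap to spot. This added Python audit (my own example, not from the author of this text) walks a home-directory tree and flags any .bash_history that is a symlink, especially to /dev/null, or that has been emptied; the directory layout built by build_demo_tree is a constructed sample.

```python
import os
import tempfile

DEVNULL_FINDING = "symlink to /dev/null (history deliberately discarded)"

def audit_history_file(path):
    """Classify one shell history file. Returns a finding string, or None if nothing is odd."""
    if os.path.islink(path):
        target = os.readlink(path)
        if target == "/dev/null" or os.path.realpath(path) == "/dev/null":
            return DEVNULL_FINDING
        return f"symlink to {target}"
    if not os.path.exists(path):
        return None  # no file is normal for accounts that never had an interactive login
    if os.path.getsize(path) == 0:
        return "empty history file"  # truncated by hand, or HISTFILE was pointed elsewhere
    return None

def audit_home_dirs(home_root, history_name=".bash_history"):
    """Audit every home directory under home_root; returns {user: finding}."""
    findings = {}
    for user in sorted(os.listdir(home_root)):
        finding = audit_history_file(os.path.join(home_root, user, history_name))
        if finding:
            findings[user] = finding
    return findings

def build_demo_tree():
    """Constructed sample: four home directories under a temporary root."""
    root = tempfile.mkdtemp()
    for name in ("alice", "bob", "carol", "svc"):
        os.makedirs(os.path.join(root, name))
    with open(os.path.join(root, "alice", ".bash_history"), "w") as f:
        f.write("ls\ncat /etc/hostname\n")      # ordinary, untouched history
    os.symlink("/dev/null", os.path.join(root, "bob", ".bash_history"))  # the trick from section 1
    open(os.path.join(root, "svc", ".bash_history"), "w").close()        # emptied file
    # carol never logged in interactively: no history file at all
    return root

if __name__ == "__main__":
    for user, finding in audit_home_dirs(build_demo_tree()).items():
        print(f"{user}: {finding}")
```

On a real host, point audit_home_dirs at /home (and check root's own history separately), since this only inspects the tree it is given.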
2) Before you start uploading your shit, it's a good idea to study the admin and check whether there's any intrusion detection tool or chkrootkit. You have to do it manually, or if you have enough skill you can write your own script/program to do it. To check manually, you need to know the md5sum of the software and the md5sum of the executables in order to find them. Remote logging is also very important to discover. To do that, open the syslog.conf file and search for @othermachine.
Theoretically, when you've finished installing the rootkit and you log in through the backdoor, you don't need to do all these checks, but I personally do "unset HISTFILE" any time I enter a hacked shell. Just to be sure.
3) Now that we're sure our admin is a complete dumbhead and we've cleaned everything, we can start backdooring his system. USE A CLEAN ROOTKIT/BACKDOOR, because otherwise you will have worked for nothing. Rootkits you get from a friend, download from the Net or find on a hacked shell are most of the time backdoored, and that means you will lose the shell in a while. So take a rootkit with open source and NOT PRECOMPILED BINARIES, check the sources for any backdoor (don't forget the shellcode, which can hide a backdoor too), and then upload it and compile it on the target shell. I personally would suggest something like Superkit or Suckit (which inspired Superkit itself). Adore is also a very good backdoor. It's stealthy and it bypasses iptables firewalls. When you finish, don't forget to delete the compressed rootkit archive!
Precompiled rootkits are fine when there's no compiler on the shell. Get the rootkit from a trusted friend when possible.
4) OK! Now you officially own the server. You have to decide what to do with your new toy. You can add a bnc to chat through (don't forget to hide the process, the open port and everything related to the psybnc), you can use the shell to run experiments to improve your knowledge (NOT SUGGESTED!! install Linux on your PC and try there, it's not so risky!!) or you can add the shell to your DDoS net (if you already have one). We will talk about these subjects another time.
5) SUGGESTIONS: - if you want to scan with your new shell, I suggest you use a good scanner (synscan for example) or even a massrooter, but always USE A VERY LOW DELAY in order to avoid flooding the shell's bandwidth. That would make the admin suspicious. Don't forget to hide the scanner's process!! As you always should!!
- if you want to root other boxes from it, handle the shell with care or you will lose it. Don't try to exploit a single box several times, or the admin of that target box will notice your ip for sure and probably also notice that you're trying to do "bad things" to his server. Try once today, and if it fails and you want to try again, do it the day after!
- Normally we tend to log into a hacked box as root, right guys? That's bad! I suggest you create a super-user with root privileges that is not root himself. That's because if you do something and the admin sees that "root" did "this and that", he knows he didn't do it, so he will know he has been owned because somebody else used root access to do "this and that". Got it? Don't forget to hide the super-user in the system using the rootkit's backdoored binaries you installed.
- VERY IMPORTANT -----> ALWAYS check the size of the files you backdoor! You know that if the size is not the "standard" one, there are plenty of programs that check file sizes in order to find "modified" files. So always check the size and... well... maybe it sounds a bit lame but... pad the source of the backdoored binary until the size is the needed one. If your binary is bigger than the original one... then try to cut out something "useless", although I know this is not very easy to do. Anyway FILE SIZE DOES MATTER! eheheheh
- If you try an exploit which makes the shell crash, there will be a lot of shit in the logfiles and you will have to clean them too before doing anything else. Of course first you have to own the box with another exploit which doesn't make the server crash. Then you clean everything and go on as previously described.
- Always install a sniffer for the network and a keylogger for passwords and so on. Of course you will not forget to hide their processes and files with your backdoored binaries. These 2 simple tools will make your life easier on the server.
- Whenever you need to start a program (backdoor, trojan, sniffer, etc.) at system startup, there are at least 2 ways of doing it:
@ backdooring the INITD by adding your program to it (although this can be easily discovered if the admin takes a look at it);
@ /etc/rc.d/rc.d/S . Read more about runlevels and you'll learn how to do this better. To know the default runlevel of your shell just open the /etc/inittab file and.... voilà! :)
- In case you need to restart the system, consider that the admin will notice it for sure (Wtf! Don't you notice if your computer restarts by itself?!), so you need to fake that the system restarted because of an error of some sort (hard disk error, kernel panic message, etc.). A Howto on doing that will come up soon. In the meantime search for Watchdog ;o)
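The md5sum check in section 2 and the "FILE SIZE DOES MATTER" note above point at the same defender lesson: a size-matched replacement defeats a size check but not a hash baseline. This added Python example (mine, not the author's) records size plus SHA-256 for a set of binaries and then reports files whose hash changed even though the size did not; the fake binaries under a temporary directory are constructed.

```python
import hashlib
import os
import tempfile

ORIGINAL_LS = b"ORIGINAL-LS-BINARY-CONTENT-v1"  # constructed stand-in for a real /bin/ls

def fingerprint(path):
    """Return (size, sha256 hex) for a file, hashing in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def build_baseline(paths):
    """Baseline taken while the system is still trusted, e.g. right after install."""
    return {p: fingerprint(p) for p in paths}

def check_against_baseline(baseline):
    """Return {path: reason} for every baselined file that no longer matches."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        cur_size, cur_digest = fingerprint(path)
        if cur_digest == digest:
            continue  # size is implied equal when the hash matches
        if cur_size == size:
            findings[path] = "same size, different hash (padded replacement?)"
        else:
            findings[path] = f"size changed {size} -> {cur_size}, hash differs"
    return findings

def demo():
    """Constructed scenario: baseline two fake binaries, then swap 'ls' for a zero-padded file of identical size."""
    root = tempfile.mkdtemp()
    ls, ps = os.path.join(root, "ls"), os.path.join(root, "ps")
    with open(ls, "wb") as f:
        f.write(ORIGINAL_LS)
    with open(ps, "wb") as f:
        f.write(b"ORIGINAL-PS-BINARY")
    baseline = build_baseline([ls, ps])
    with open(ls, "wb") as f:
        f.write(b"REPLACED-LS-CONTENT".ljust(len(ORIGINAL_LS), b"\x00"))  # same byte count as the original
    return check_against_baseline(baseline)

if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Keep the baseline off the host (or on read-only media), since a baseline the intruder can rewrite proves nothing.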
So.... this first "Supposed To Be Safe" Hacking Speech Howto is at its end. I made it to give some hints to my friends and TWWC's members. If you already know all this shit... well.... turn back and read something else!!
THIS IS MADE FOR TWWCs ONLY! SO PLEASE KEEP THIS INFORMATION TO YOURSELF 'CAUSE YOU WON'T GET MORE IF I SEE THIS FILE OR THESE WORDS AROUND!!!!
MANY MANY MANY THANKS/SHOUTS/GREETS TO THE 2 MASTERS WHO GAVE ME ALL THIS TASTY INFORMATION WITH PATIENCE AND KINDNESS
Wuvbear - The Best Linux/Security/Programming Man I know
dG_ - The Best Linux/Security/Programming Boy I know
hehehehehehheheheheheehheheheehhehehehehehehhhhhhhhhhehehhehehehehehehhheheheeeehhehehehehheheheheheheheheheheheheheheheheh
Yog-Sotho - 2004
Comments to: g0d@fucked.co.uk Website: CUMMING SOON Ftp: WILL BE COMMUNICATED SOON
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< TWWCs are not dead >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>