6-18 vulnerability exploitation - backdoor connection
2022-07-25 22:04:00 【Mountain Rabbit 1】

Backdoor connection detection
In some cases a server may have a backdoor on it, and Nmap can be used to find and probe it.
We identified the target's open ports and services earlier; now we probe the target IP address:
nmap -sV -p 1524 192.168.1.105

The result shows a service that is a bind shell, along with its banner information: a root shell.
nmap 192.168.1.105

Here we see the ingreslock entry, which we can probe further:
nmap -p 1524 -sV 192.168.1.105

From the bindshell result we guess that this is a backdoor program. To test that guess, we use nc to connect to the port on the target address, connecting to its backdoor and obtaining the corresponding privileges.
Connecting to the backdoor with nc to obtain privileges
Connect to the backdoor with nc, the target IP and the port number:
nc 192.168.1.105 1524

After connecting, we can execute commands: use id and whoami to view the current privileges, and run other system commands.
ifconfig
// View the IP address of the server we are connected to

id
whoami
hostname

We are now logged in to the remote target server with root privileges and can execute commands with the highest privileges.
Why does a server have backdoors
1. The server has already been attacked, and the attacker left a backdoor on it. Once this backdoor is detected, its shell can be connected to directly.
2. A system administrator sometimes needs to manage remote machines and, in the process, needs a reverse shell. At that point they are likely to open a shell that waits for connections. Anyone who connects directly to that port number enters the system by the administrator's own route.
3. Some software comes with a shell backdoor, which can be connected to directly to reach the corresponding shell.
How to defend
We must check which ports the current system has open. Ports that are not in use should be closed wherever possible: open only the port numbers the server needs in order to run, and close unrelated port numbers outright. We also need to monitor the network state of the server in real time, and watch connections for activity that may be someone connecting to a backdoor.
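
One way to carry out the port check described above, as an added example that is not part of the original article: the script parses listening-socket output in the layout of `ss -H -tlnp` and reports listeners that are outside an allowlist or owned by a shell. The allowlist, the process-name list and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: ports this server is supposed to expose (hypothetical allowlist).
ALLOWED_PORTS = {22, 80}
# Assumption: process names that should never own a listening socket.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "nc", "ncat"}

# Constructed sample in the layout of `ss -H -tlnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:1524 0.0.0.0:* users:(("sh",pid=4711,fd=0))
LISTEN 0 511 [::]:80 [::]:* users:(("apache2",pid=990,fd=4))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1033,fd=21))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_listeners(text):
    """Yield (address, port, process, pid) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        m = PROC_RE.search(line)  # owner is absent when ss runs unprivileged
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
        yield addr, int(port), proc, pid

def audit(text, allowed=ALLOWED_PORTS):
    """Return findings for listeners that are unexpected or owned by a shell."""
    findings = []
    for addr, port, proc, pid in parse_listeners(text):
        reasons = []
        if port not in allowed:
            reasons.append("port not in allowlist")
        if proc in SHELL_NAMES:
            reasons.append("listener owned by a shell or netcat")
        if reasons:
            # Loopback-only listeners are not reachable from the network.
            exposed = addr not in ("127.0.0.1", "[::1]")
            findings.append({"port": port, "process": proc, "pid": pid,
                             "exposed": exposed, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(finding)
```

On a live host, feed it the output of `ss -H -tlnp` run as root. A backdoor started from inetd or xinetd shows the super-server as the owning process, so the allowlist check is the one to rely on.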