Backdoors

1. Present the backdoors installed once a system is compromised.
2. Discovering and disabling backdoors.

Install a modified login so that if you typed in the backdoor password, it would allow you to log in regardless of what the password really is. Such a backdoor would spawn access before the user actually logged in and appeared in utmp and wtmp. To better hide such backdoor passwords from commands like strings, one can encrypt and hide backdoor password better.

Almost every network service has at one time or another been backdoored by an intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have been floating around forever. These are programs that are nothing more than a shell connected to a TCP port with maybe a backdoor password to gain access. These programs sometimes replace a service like uucp that never gets used or they get added to the inetd.conf file as a new service.

A normal = in.telnetd=, does several checks such as the setting of the environment variable named TERM (for terminal the user was using). Typically, the terminal setting might be Xterm or VT100. An intruder could backdoor it so that when the terminal was set to, say, "letmein", it would spawn a shell without requiring any authentication.

Cron on Unix schedules the running of certain programs according to a configuration file. An intruder could add a backdoor shell program to run between 1 AM and 2 AM. So, for 1 hour every night, the intruder could gain access. Intruders have also looked at legitimate programs that typically run in cronjob and built backdoors into those programs as well.

Almost every UNIX system uses shared (*.so) libraries. The shared libraries are intended to reuse many of the same routines thus cutting down on the size of programs. Some intruders have backdoored routines like crypt.o and= _crypt.o=. Programs like login would use the crypt() routine and if a backdoor password was used it would spawn a shell. Therefore, even if the administrator was checking the MD5 of the login program, it was still spawning a backdoor routine and many administrators were not checking the libraries as a possible source of backdoors.

Suppose we start doing MD5 checksums of almost everything. Attackers get around that by backdooring the open() library routine and file access routines. The backdoor routines were configured to read the original files, but execute the Trojan backdoors. Therefore, when the MD5 checksum program was reading these files, the checksums always looked good. But when the system ran the program, it executed the Trojan version. Even the trojan library itself, could be hidden from the MD5 checksums. It is therefore necessary to statically link the MD5 checksum checker, and be very sure of the loader.

The same method used for libraries for bypassing MD5 checksum could be used at the kernel level. Even a statically linked MD5 program cannot tell the difference.

An intruder will want to store their "loot" on the server waiting for an opportune time to transport it away. To hide these rather large files from an administrator, an intruder may patch the files system commands like "ls", "du", and "fsck" to hide the existence of certain directories or files. In one case, an intruder created a section on the hard drive to have a proprietary format that was designated as "bad" sectors on the hard drive.

In the PC world, many viruses hide within the boot block section and most antivirus software will check to see if the boot block has been altered. On Unix, surprisingly, it is not typical to check the boot block, therefore some intruders have placed backdoors in the boot block area.

There are many network backdoor programs that allow an intruder to set up on a certain port number on a machine that will allow access without ever going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic. These network traffic backdoors are typically using TCP, UDP, and ICMP, but it could be many other kinds of packets.

Administrators can spot a TCP connection and notice the odd behavior, while UDP shell backdoors lack any connection so netstat would not show an intruder accessing the machine. Many firewalls have been configured to allow UDP packets for services like DNS through. Many times, intruders will place the UDP Shell backdoor on that port and it will be allowed to by-pass the firewall.

An administrator can set up a sniffer trying to see the data while a suspicious someone is accessing a shell, but an intruder can add encryption to the network traffic backdoors and it becomes almost impossible to determine what is actually being transmitted between the two machines.

When parsing uid/gid in the /etc/password file, most login(1) implementations will fail to detect non-numeric characters in the uid/gid field and the standard atoi(3) will return 0, giving super user privileges. Example: rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/bash On Linux boxes, this will give uid 0 to user rmartin.