Something more …
About Back Doors
Whenever an intruder has set up residence in your system, he tries to make sure that you will find it difficult to rid your system of his presence. You can find the holes and seal them. But greedy attackers always find a mechanism to quickly regain access at their whim; these mechanisms are called back doors.
Finding and clearing your system of these back doors is next to impossible because there are innumerable ways to create one. Full recovery from them is complicated, especially when systems (mostly proprietary) have unique configurations that were never documented.
The following are the widely used techniques in this scenario:
Creating Rogue Accounts:
Most sysadmins will tell you that superuser-equivalent accounts are the critical resources to protect and audit. It is always difficult to keep track of inconspicuously named accounts that have superuser privilege. Crackers (not hackers) always try to create such accounts. One can be created simply by creating an account with its UID or GID set to 0.
To identify them, check for accounts with the same GID as the root user, and then review your group file, ‘/etc/group’, for the same GID property. These accounts are easily found in ‘/etc/passwd’.
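As an added example (not part of the original post), here is a small Python audit that applies the UID/GID-0 check above to passwd- and group-formatted text; the entries it parses are constructed samples, and the only assumption is the standard colon-separated layout of those two files.

```python
# Added example (not from the original post): audit passwd/group text for
# root-equivalent accounts. Sample data below is constructed.

def parse_colon_file(text):
    """Split passwd/group style text into field lists; skip blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def find_superuser_accounts(passwd_text, group_text):
    """Return root-equivalent accounts found by UID 0, primary GID 0, or root-group membership."""
    findings = {"uid0": [], "gid0": [], "root_group_members": []}
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 4:
            continue  # malformed entry: skip rather than crash
        name, uid, gid = fields[0], fields[2], fields[3]
        if uid == "0" and name != "root":
            findings["uid0"].append(name)
        if gid == "0" and name != "root":
            findings["gid0"].append(name)
    for fields in parse_colon_file(group_text):
        # group file layout: name:password:gid:member1,member2
        if len(fields) >= 4 and fields[2] == "0":
            for member in fields[3].split(","):
                if member and member != "root":
                    findings["root_group_members"].append(member)
    return findings


# Constructed sample: 'backup2' hides with UID 0, 'lp' has primary GID 0,
# and 'guest' is listed as a supplementary member of the root group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:100::/var/backups:/bin/sh
lp:x:7:0:lp:/var/spool/lpd:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:guest
daemon:x:1:
users:x:100:
"""

if __name__ == "__main__":
    for kind, names in find_superuser_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On a real host, pass the contents of ‘/etc/passwd’ and ‘/etc/group’ read from read-only media or a known-good copy, since a trojaned cat or grep could hide entries.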
On GNU/Linux or UNIX systems, attackers always try to target the rc.d files (the most important files while the system boots up) to plant backdoor programs. Be sure to check each ‘rc’ file for programs that you are not familiar with or that have been added recently.
The ‘inetd.conf’ or ‘xinetd.conf’ file can also be a nest for booby traps. inetd.conf/xinetd.conf specifies the configuration for inetd/xinetd, the UNIX/Linux Internet superserver, which dynamically runs various programs as needed, such as ftp, telnet, finger, and so on. Suspicious daemons can be found here as well.
Access restrictions are controlled through the kernel via ipchains and iptables, or on a program-by-program basis by use of TCP wrappers. By trojaning the iptables/ipchains binaries (just as with Windows executables) or the TCP wrapper binaries, a cracker can make sure that there is a hidden rule allowing his machine access, regardless of what rules the admin has set.
You can always use the ‘ps -ax’ command. Such commands can be scripted to report any change in the running processes. There is a unique FreeBSD tool, ‘sockstat’, to do the same for you.
Trojaned binaries can be found easily by using file integrity tools, under one important condition: the file integrity tools and their databases themselves have not been modified by the cracker. You should always keep a copy of important system tools like cat, more, grep, netstat, md5sum, ipchains, ps, rpm, lsof, and other useful reporting/configuration tools on read-only media like a CD-ROM.
To find hidden network services, you should run a port scanner against yourself (I always prefer nmap, as it was in “Matrix”, the movie, and believe me it is really effective) from both local and remote workstations. Check out www.insecure.org for nmap.