Ok..... You've been at it for all night. Trying all the exploits you can think of. The system seems tight. The system looks tight.The system *is* tight. You've tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrectpermissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. WAIT! What's that!?!? A "#" ???? Finally!After seeming endless toiling, you've managed to steal root. Now what? How do you hold onto this precious super-userprivilege you have worked so hard to achieve....?This article is intended to show you how to hold onto root once you have it. Itis intended for hackers and administrators alike.From a hacking perspective, it is obvious what good this paper will do you. Admin's can likewise benefit from this paper. Everwonder how that pesky hacker always manages to pop up, even when you think you've completely eradicated him from yoursystem?This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there areways into one.BeforehandKnow the location of critical system files. This should be obvious (If you can'tlist any of the top of your head, stop readingnow, get a book on UNIX, read it, then come back to me...). Familiarity with passwd file formats (including general 7 fieldformat, system specific naming conventions, shadowing mechanisms, etc...). Knowvi. Many systems will not have thoserobust, user-friendly editors such as Pico and Emacs. Vi is also quite useful for needing to quickly seach and edit a large file. Ifyou are connecting remotely (via dial-up/telnet/rlogin/whatver) it's always niceto have a robust terminal program that has anice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...The permenance of these backdoors will depend completely on the technical saavyof the administrator. The experienced andskilled administrator will be wise to many (if not all) of these backdoors. But,if you have managed to steal root, it is likely theadmin isn't as skilled (or up to date on bug reports) as she should be, and manyof these doors may be in place for some timeto come. One major thing to be aware of, is the fact that if you can cover you tracks during the initial break-in, no one will belooking for back doors.The Overt Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of rentry. Itflies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simplyprepend or append it. Anyone causally examining the passwd file will see this. So, why not stick it in the middle...#!/bin/csh# Inserts a UID 0 account into the middle of the passwd file.# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.