14.4. Back Doors

After penetrating a system, quite often hackers install in it a back-door program for logging into the system that bypasses the regular login procedure. The general operating principle of such programs is the following:

  • The back-door program opens a port and listens on it for a connection.

  • When the hacker connects to this port, the program opens a command shell on the port, thus giving the hacker the ability to execute commands.

The back-door operation is similar to the way Trojan programs work; however, Trojans have to be launched by the user to be installed, and back doors are uploaded to the target computer and installed by the hackers.

There is also a similarity with the way rootkit programs work. There is no clear-cut distinction among different hacker tools, with one program having the functionality of what used to be separate utilities. Rootkit and back-door utilities have been combined in a single package for a long time, although separate utilities can still be found.

Hacker utilities are not the type of software you can purchase at a store where regular software is sold. Hackers write these programs for their own use; nevertheless, they can be downloaded from some private sites.

Hackers do not like to make their utilities public, because in that case the loopholes they use to penetrate systems will be closed.

Because the main goal of this book is to teach you how to create a secure system, I will not consider creating and installing back-door software. What I will consider is how to detect and neutralize it.

The simplest and quickest way to find a program that does not belong is to check the current processes and open ports. As already stated, a back-door utility waits for the hacker to connect to the computer it is installed on, meaning that there has to be a process for this program. The current processes can be viewed by executing the ps command. Open ports are checked using a port-scanning utility or the netstat program.

When using the ps utility to check the current processes, make sure that it has not been modified by hackers. Because the Linux source code is open, hackers can modify the ps utility so that it does not display the back-door program's process, and then slip the doctored version into your system.

Because the source code is open, any other program can likewise be modified to perform additional functions alongside its legitimate ones. For example, the telnetd utility can be modified so that it lets the intruder enter the system without going through the regular login procedure. Thus, make sure that the executable files for all running processes have not been modified.

Moreover, some daemons can support loadable modules. Thus, hackers can write and load their own module instead of or in addition to the standard modules of a service. Detecting this module will be more difficult, because the main process file is not changed.

Modifying a program's source code is a rather difficult task that requires good programming knowledge; consequently, even though this method is among the most dangerous ones, it is not that widespread. Still, it should not be dismissed, because even though there are few high-class hackers, they do exist.

Pay close attention when inspecting the process list. There may be two utilities with the same name in your system, for example, telnetd. One of these will be the genuine utility, and the other will be a back door planted by hackers.

If your server is never turned off, hackers can simply start their back-door program and leave the system, knowing that they can come back any time they wish. But if the server is periodically turned off or rebooted, they will have to arrange for the back door to start upon reboot to keep it functioning.

Consequently, you should check all boot scripts for changes. This may prove to be a complex task, because there are quite a few such scripts in Linux and hackers can modify any of them. Scripts for loading services are located in the /etc/rc.d/init.d directory.
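As an added example (not from the book), one way to carry out the integrity check described above for both the executables behind running processes and the boot scripts: take a SHA-256 baseline on a clean system, keep it off the box, and re-verify it later. It assumes GNU coreutils (sha256sum, readlink) and the /etc/rc.d/init.d path named in the text.

```shell
#!/bin/sh
# Hash baseline for the executables behind running processes and for the boot
# scripts in /etc/rc.d/init.d, so a replaced binary or an edited script shows up
# on the next check. Assumption: GNU coreutils (sha256sum, readlink).

# Unique executable paths of all running processes, read from /proc/<pid>/exe.
# Kernel threads and processes we may not inspect have no readable link; skip
# them. An entry ending in " (deleted)" means the process runs from a file that
# was removed from disk, which deserves a closer look on its own.
running_exes() {
    for p in /proc/[0-9]*; do
        readlink "$p/exe" 2>/dev/null
    done | sort -u
}

# Service start scripts (adjust the path for distributions using /etc/init.d).
init_scripts() {
    find /etc/rc.d/init.d -type f 2>/dev/null | sort
}

# Write SHA-256 hashes of the files named on stdin into the baseline file.
# Take the baseline on a freshly installed system and keep a copy off the box.
make_baseline() {   # usage: { running_exes; init_scripts; } | make_baseline base.sha256
    : > "$1"
    while IFS= read -r f; do
        [ -f "$f" ] && sha256sum "$f" >> "$1"
    done
    return 0
}

# Re-hash everything in the baseline and print the entries that changed or
# vanished. Exit status 0 means every file still matches; non-zero means not.
verify_baseline() { # usage: verify_baseline base.sha256
    sha256sum -c --quiet "$1"
}
```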

Even if you do not find any extraneous processes or any modified service or program file, there still may be a back door in your system. Processes can be hidden from viewing by kernel modules.

Of late, the Linux kernel has become truly modular. This is convenient: where earlier the kernel had to be recompiled to add new functionality, now this can be done by executing a few commands to load the necessary module.

So how can the kernel be used to hide a process? The ps program, and others like it, uses the kernel to determine which processes are running. The kernel has all the information about what is currently being executed. Hackers have written various modules that prevent the kernel from disclosing information about certain processes, thus keeping those processes hidden from the administrator's eyes. This is why you should not stop after inspecting processes and executable files, even if you don't find anything suspicious.

In addition to starting a process, a back-door program has to open a port, on which to wait for the hacker to connect. Your task is to find this port.

The quickest way to determine that a service is waiting for a connection is to use the netstat command. But because this command is part of a standard Linux distribution, its source code can be tampered with. The most reliable way to search for extra open ports is to use a port scanner, even though this takes longer.

The best way to hide a back door from network analyzers is to program it using raw sockets, the way sniffers are programmed. The installed back-door program monitors all traffic going through the server and, if it sees specially marked packets, executes the instructions they contain. The hacker can then send broadcast packets marked this way, and the back door will filter them out and execute the instructions in them.

The netstat utility and port-scanner utilities cannot detect sniffer programs. However, to monitor traffic, a network card has to operate in a special mode, called promiscuous mode, which can easily be detected by checking the state of the network interface with the ifconfig command. In promiscuous mode, the network card passes on to the operating system packets addressed to any machine in the network.
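An added example, not from the book: before reaching for a port scanner, cross-check the listening ports netstat reports against the kernel's own socket table in /proc/net/tcp, so a doctored netstat binary gives itself away. The sample netstat and /proc/net/tcp text is constructed, not captured from a real host.

```shell
#!/bin/sh
# Cross-check the listening TCP ports that netstat reports against the kernel's
# socket table in /proc/net/tcp. A doctored netstat disagrees with /proc; a
# kernel module can hide a socket from both, which is why a scan from a second
# host remains the final check.

# Ports in LISTEN state from `netstat -tln` text read on stdin.
ports_from_netstat() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Ports in LISTEN state (st == 0A) from /proc/net/tcp or tcp6 text read on
# stdin. The local address is hex "ADDR:PORT", so the port is converted.
ports_from_proc() {
    awk '$4 == "0A" { n = split($2, a, ":"); print a[n] }' |
    while read -r h; do printf '%d\n' "0x$h"; done | sort -u
}

# Print ports the kernel lists as listening that netstat does not show.
# usage: hidden_ports "$netstat_text" "$proc_tcp_text"
hidden_ports() {
    ns=$(mktemp); pr=$(mktemp)
    printf '%s\n' "$1" | ports_from_netstat > "$ns"
    printf '%s\n' "$2" | ports_from_proc > "$pr"
    comm -13 "$ns" "$pr"
    rm -f "$ns" "$pr"
}

# Live check on the local host:
#   hidden_ports "$(netstat -tln)" "$(cat /proc/net/tcp /proc/net/tcp6)"

# Constructed sample data (not captured from a real host): netstat shows ports
# 22 and 80, while the kernel also has 0x15B3 = 5555 in LISTEN state.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0'
```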

The only sign of a sniffer in the system is the increased workload on the server, because every packet that passes the network card is passed on to the operating system for processing.

But even then, back-door programs can be detected. In this case, follow the "like cures like" principle: start a sniffer of your own and check what is passing through your network card. Packets carrying confidential information, such as passwords, are a sure sign of a back-door program doing its filthy job. But if the back door encrypts the information it sends, you will not be able to detect this with a sniffer program.

The best protection against a back door is a properly configured firewall. If your default policy is to prohibit everything and allow access to public resources only, then even if a malware program opens some port, it will be impossible to connect to it without changing the firewall filters. Keep an eye on the firewall filter files to make sure they are not modified, and all of a hacker's efforts will be in vain.
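An added example, not from the book: rather than relying on the PROMISC text printed by ifconfig (a binary that could itself have been replaced), read each interface's flag word from sysfs directly. The /sys/class/net layout and the IFF_PROMISC bit value 0x100 come from the Linux kernel headers; the sample flag values are constructed.

```shell
#!/bin/sh
# Report interfaces in promiscuous mode by reading the kernel's interface flag
# word from /sys/class/net/<iface>/flags instead of trusting ifconfig's output.
# Assumption: Linux sysfs; IFF_PROMISC is bit 0x100 as defined in <linux/if.h>.

IFF_PROMISC=256    # 0x100

# Succeed (exit 0) when the hex flag word given as $1, e.g. "0x1103", has
# IFF_PROMISC set.
flags_promisc() {
    [ $(( $(printf '%d' "$1") & IFF_PROMISC )) -ne 0 ]
}

# Print the names of promiscuous interfaces below the given sysfs root
# (default /sys/class/net), one per line. Prints nothing when all are clean.
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for d in "$root"/*; do
        [ -r "$d/flags" ] || continue
        if flags_promisc "$(cat "$d/flags")"; then
            basename "$d"
        fi
    done
}
```

Run `promisc_ifaces` with no argument on a live host; any name it prints is an interface currently accepting traffic addressed to other machines.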
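An added example of the default-deny firewall the text recommends, written for iptables (it is not the book's own script): inbound traffic is dropped unless it is for a listed public service, and a hash of the live rule set lets you notice later edits. The port list, the conntrack match and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Default-deny input policy with iptables: every inbound connection is dropped
# unless it targets one of the listed public services, so a port opened by a
# back door is unreachable until the filter itself is changed. Run as root.
# Assumption: iptables with the conntrack match is installed. Set IPT=echo to
# print the commands instead of applying them (dry run).

IPT=${IPT:-iptables}

# usage: apply_default_deny 22 80 443    (TCP ports to expose publicly)
apply_default_deny() {
    $IPT -F INPUT
    $IPT -P INPUT DROP                  # deny by default ...
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT       # ... then allow only what is needed
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log (rate limited) whatever reaches the end of the chain; these entries
    # show connection attempts to ports the policy never opened.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Fingerprint of the live rule set; keep a copy off the box and compare it on
# each check to notice edits to the filter.
ruleset_hash() {
    $IPT -S | sha256sum | cut -d' ' -f1
}
```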



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141