Section 14.3 Ending Cracker Servers with a Kernel Mod

A common cracker technique once he has broken into your system and made himself root is to install what I call a cracker server, one type of Trojan horse. This is a server program listening on a port that is well known (to the cracker). It receives and executes requests from the cracker. Some popular Rootkits contain simple ones. The more sophisticated cracker servers will require a password and implement encrypted communication.

The popular Distributed Denial of Service cracker tools such as Barbed Wire, trin00, and TFN2000 use such a cracker server, which the crackers install on hundreds of systems, each waiting for those magic words LJOYUI HUIYIU (the encrypted version of "attack system X"). I keep a Cracker Trap listening on popular cracker server ports to detect and lock out any cracker who probes my systems for popular cracker servers. The Cracker Trap is studied in detail in "Adaptive Firewalls: Raising the Drawbridge with the Cracker Trap" on page 559. These ports, as well as the legitimate ones, are listed in the ports program, which is discussed in "Turn Off Unneeded Services" on page 86.

About once a week, the Cracker Trap traps a cracker looking for an easy win. The Cracker Trap is part of my TCP Wrappers configuration and it locks the cracker's system out permanently!

These cracker servers almost always listen on high port numbers, above 1023, using either UDP or TCP. You need to look closely at the output of

 netstat -a

to notice one of these, because the client side of a client/server system typically will ask for "any old unused port" to be assigned to it, and these will be high-numbered ports. The distinction is that in these latter cases (for TCP) the port will show as connected. The cracker port will show as "listening" because it is waiting for a cracker client to connect to it and issue commands.

Occasionally when I report the culprit to his ISP, I receive e-mail back saying that the account has been disabled. Most large ISPs do not even bother to respond to my e-mail, and some do not even have an abuse@them.com. I suppose it will take a multimillion-dollar negligence lawsuit to fix this. (I do thank psi.net and earthlink.com for throwing crackers off their systems due to my reports!)

The ports program (discussed in "Turn Off Unneeded Services" on page 86) flags these high-numbered TCP ports that are in a listening state and any high-numbered UDP ports, and this is very helpful in detecting cracker ports.
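The rule just described (a high-numbered TCP port in the LISTEN state, or any high-numbered UDP socket) is simple enough to check mechanically. The C program below is an added example, not the book's ports program and not code from the book: it applies that rule to a constructed netstat -a sample embedded in the file (the addresses and port numbers are made up), using the same 1024 boundary the kernel calls PROT_SOCK, and reports the ports a human should go and explain.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRIV_PORT_LIMIT 1024   /* same boundary the kernel calls PROT_SOCK */

/* Constructed sample of `netstat -a` output; not captured from a real host. */
static const char SAMPLE_NETSTAT[] =
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 192.168.1.5:35022       192.168.1.9:22          ESTABLISHED\n"
    "tcp        0      0 0.0.0.0:44444           0.0.0.0:*               LISTEN\n"
    "udp        0      0 0.0.0.0:123             0.0.0.0:*\n"
    "udp        0      0 0.0.0.0:39999           0.0.0.0:*\n";

/* Port number after the last ':' in "addr:port" (works for ":::22" too); -1 if none. */
static int local_port(const char *addr)
{
    const char *colon = strrchr(addr, ':');
    if (!colon || colon[1] == '\0' || colon[1] == '*')
        return -1;
    return atoi(colon + 1);
}

/* Classify one netstat line. Returns the port if it looks like a cracker-server
 * candidate (TCP in LISTEN, or any UDP socket, on a port >= 1024), else -1.
 * A high port that is ESTABLISHED is the client side of a normal connection. */
int flag_line(const char *line)
{
    char proto[16] = "", local[64] = "", foreign[64] = "", state[16] = "";
    int n = sscanf(line, "%15s %*d %*d %63s %63s %15s", proto, local, foreign, state);
    if (n < 3)
        return -1;                       /* banner or column-header line */
    int port = local_port(local);
    if (port < PRIV_PORT_LIMIT)
        return -1;                       /* ordinary privileged service */
    if (strncmp(proto, "tcp", 3) == 0)   /* also matches "tcp6" */
        return (n == 4 && strcmp(state, "LISTEN") == 0) ? port : -1;
    if (strncmp(proto, "udp", 3) == 0)   /* UDP has no state column */
        return port;
    return -1;
}

/* Walk the whole output, collecting flagged ports into out[]; returns the count. */
int find_suspicious_ports(const char *text, int *out, int max)
{
    int count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int port = flag_line(line);
        if (port >= 0)
            out[count++] = port;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Convenience wrappers over the constructed sample, for quick checks. */
int sample_suspicious_count(void)
{
    int p[32];
    return find_suspicious_ports(SAMPLE_NETSTAT, p, 32);
}

int sample_suspicious_port(int idx)
{
    int p[32];
    int n = find_suspicious_ports(SAMPLE_NETSTAT, p, 32);
    return (idx >= 0 && idx < n) ? p[idx] : -1;
}

int main(void)
{
    int ports[32];
    int n = find_suspicious_ports(SAMPLE_NETSTAT, ports, 32);
    for (int i = 0; i < n; i++)
        printf("suspicious high port: %d\n", ports[i]);
    return 0;
}
```

On the sample this reports 44444 (TCP, listening) and 39999 (UDP) and stays quiet about the SSH client connection on 35022, which is the distinction the text draws. In practice the list of flagged ports is a starting point for a lookup of which process owns each socket, not a verdict by itself.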

A simple modification to the kernel will disallow the practice of a cracker daemon listening on a high-numbered port (or otherwise unused port) entirely, even if a cracker succeeds in becoming root! This modification will prevent anyone from specifying that a port number above 1023 be assigned to their newly opened socket. Non-root processes still will not be allowed to listen on low numbered ports (below 1024). The modification would be to the inet_bind() function in the net/ipv4/af_inet.c source file (in the 2.0 series kernels). Search for the line

 
 snum = ntohs(addr->sin_port); 

and add the following lines after it, tweaking the port numbers as desired:

 
 /*  * May need tweaking if > 3 X servers  * or > 3 SSH-forwarded X sessions,  * 1080 is socks, 2049 is NFS  */ if (snum >= PROT_SOCK   && !(snum >= 6000 && snum <= 6002)   && !(snum >= 6010 && snum <= 6012)   && snum != 1080   && snum != 2049)          return(-EACCES); 

You might even modify inet_bind() to allow only processes with low PIDs to open privileged port numbers. This would prevent a cracker from killing a less important daemon and then starting his rogue daemon on that privileged port!
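To see how the combined policy behaves across the cases this section touches (port 0 auto-assignment, low ports for root and non-root, whitelisted and non-whitelisted high ports, and the low-PID idea), here is a userland model of the bind decision as an added example. It is not the kernel code and not from the book: PROT_SOCK is 1024 as in the kernel, while LOW_PID_LIMIT and the function name bind_policy are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PROT_SOCK 1024      /* the kernel's privileged-port boundary */
#define LOW_PID_LIMIT 100   /* assumption for this illustration: PIDs at or below
                               this count as boot-time daemons allowed low ports */

/* Model of the bind decision: 0 = allow, -EACCES = refuse.
 * snum is the requested port in host byte order, i.e. ntohs(addr->sin_port). */
int bind_policy(unsigned short snum, bool is_root, int pid)
{
    /* Port 0 means "give me any unused port". The kernel picks an ephemeral
     * port itself, so client programs keep working after the change. */
    if (snum == 0)
        return 0;

    if (snum < PROT_SOCK) {
        /* Stock kernel rule: only root may bind a privileged port. */
        if (!is_root)
            return -EACCES;
        /* Optional extension from the text: even root may do so only
         * from a low-PID (boot-time) process. */
        if (pid > LOW_PID_LIMIT)
            return -EACCES;
        return 0;
    }

    /* Explicit binds to high ports are refused unless on the whitelist
     * from the book's snippet: X servers, SSH-forwarded X, socks, NFS. */
    if ((snum >= 6000 && snum <= 6002) ||
        (snum >= 6010 && snum <= 6012) ||
        snum == 1080 || snum == 2049)
        return 0;
    return -EACCES;
}

int main(void)
{
    /* Constructed cases; 44444 is an arbitrary high port, not a known tool's port. */
    struct { unsigned short port; bool root; int pid; const char *what; } cases[] = {
        {     0, false, 4321, "client asking for any port"          },
        {    80, false, 4321, "non-root trying to take port 80"     },
        {    80, true,    42, "root, boot-time web server"          },
        {    80, true,  4321, "root, but a late-started process"    },
        {  6000, false, 4321, "X server display :0"                 },
        { 44444, true,  4321, "root binding an arbitrary high port" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = bind_policy(cases[i].port, cases[i].root, cases[i].pid);
        printf("%-38s port %5u -> %s\n", cases[i].what, cases[i].port,
               rc == 0 ? "allowed" : "refused (EACCES)");
    }
    return 0;
}
```

The whitelist is the part that needs care: any other service on your system that explicitly binds a high port will start failing with EACCES after the change, so the practical check is to build the modified kernel on a test machine and run through the services you actually depend on before deploying it.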


    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260