playing with a backdoor
I played last night with a backdoor shell that I found on the net; this post shows how it works and how you can find traces of it if you are the system administrator.
I used two VMs (virtual machines), both running Debian GNU/Linux: one called “victim”, which simulates the cracked server where the backdoor runs, and one called “hacky”, where the bad guy is sitting in front :)
The first step of the bad guy is to start a server on his own box that listens on some port (12345). A good program for this is netcat; the command could be something like: netcat -l -p 12345
After compiling the backdoor into an executable program on the cracked server (“victim”), the bad guy starts it, and it sends a shell back to his box at home.
Back at the bad guy’s shell we see that the backdoor sends some information about the box and the banner of the script’s author.
The bad guy can now send any command to the cracked server, like “hostname”, and gets the hostname back, which is “victim”.
So what can a system administrator do in this case?
First of all, don’t panic and pull the plug on the computer; a lot of traces could be destroyed if you do that.
A good way is to check the process list with something like “ps ax” or “ps fax”. As you can see, the backdoor process is there (marked red).
We now know the process ID, the port and the IP where the shell is listening. Now it’s time for another great program called ngrep. With ngrep you can sniff network traffic in nearly the same way you use the normal grep on Linux.
Start ngrep on the port that the backdoor uses.
The bad guy sends the command “uptime”.
And the administrator also sees the “uptime” request in his ngrep output.
Yes, this was a very lucky system administrator; in real life crackers use encrypted backdoors or rootkits which can hide processes or manipulate commands like ps.
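The “ps ax” step above finds the backdoor process, and the port and IP of the listener come from its socket. The following script is an added example (it is not part of the original post and is not the backdoor itself): it reads /proc/net/tcp and the /proc/<pid>/fd symlinks directly instead of relying on the output of ps or netstat, and lists processes that hold an established outbound connection to a port the box does not normally talk to. It assumes the Linux /proc layout; the sample /proc/net/tcp lines and the fd-link table at the bottom are constructed for the demonstration (the reverse shell in the post connects from the victim out to port 12345, which is what the sample shows). A kernel rootkit that filters /proc can hide from this too, which is why the post’s ngrep step on a separate sensor still matters.

```python
"""Added example: find processes behind outbound TCP connections via /proc (Linux)."""
from __future__ import annotations

import os
import socket
import struct
from dataclasses import dataclass

# State codes used in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass(frozen=True)
class TcpSocket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    inode: int


def decode_addr(hexaddr: str):
    """/proc/net/tcp stores IPv4 addresses as little-endian hex: '0100007F:3039' -> ('127.0.0.1', 12345)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Parse the text of /proc/net/tcp (header line included) into TcpSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        state = TCP_STATES.get(fields[3], fields[3])
        sockets.append(TcpSocket(local_ip, local_port, remote_ip, remote_port, state, int(fields[9])))
    return sockets


def inode_owners(fd_links):
    """fd_links maps pid -> list of /proc/<pid>/fd symlink targets; returns socket inode -> pid."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[len("socket:["):-1])] = pid
    return owners


def read_fd_links(proc="/proc"):
    """Walk the live /proc tree; pids that vanish or are not readable are skipped."""
    links = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return links


def outbound_connections(sockets, owners, expected_remote_ports=frozenset({80, 443})):
    """Return (pid, socket) for ESTABLISHED outbound sockets whose peer port is unexpected.

    Sockets whose local port is one the host is LISTENing on are inbound (accepted)
    connections, e.g. an ssh session to port 22, and are not reported.
    """
    listening = {s.local_port for s in sockets if s.state == "LISTEN"}
    hits = []
    for s in sockets:
        if s.state != "ESTABLISHED" or s.local_port in listening:
            continue
        if s.remote_port not in expected_remote_ports:
            hits.append((owners.get(s.inode), s))
    return hits


# Constructed sample: sshd listening on 22, an inbound ssh session from 10.0.0.5,
# and the reverse shell from 192.168.1.10 out to 10.0.0.2:12345 (inode 98765).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10231 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:B26E 0200000A:3039 01 00000000:00000000 00:00000000 00000000     0        0 98765 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:0016 0500000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 10240 1 0000000000000000 20 4 30 10 -1
"""
# Constructed fd tables: pid 4242 is the (hypothetical) backdoor, pid 812 is sshd.
SAMPLE_FD_LINKS = {
    4242: ["/dev/null", "socket:[98765]", "pipe:[5551]"],
    812: ["socket:[10231]", "socket:[10240]"],
}


def demo():
    return outbound_connections(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), inode_owners(SAMPLE_FD_LINKS))


if __name__ == "__main__":
    for pid, s in demo():
        print(f"sample: pid {pid} -> {s.remote_ip}:{s.remote_port} (local {s.local_ip}:{s.local_port})")
    if os.path.exists("/proc/net/tcp"):  # live check, Linux only; run as root to see all pids
        with open("/proc/net/tcp") as f:
            live = outbound_connections(parse_proc_net_tcp(f.read()), inode_owners(read_fd_links()))
        for pid, s in live:
            print(f"live: pid {pid} -> {s.remote_ip}:{s.remote_port}")
```

Once a pid is identified, /proc/<pid>/exe and /proc/<pid>/cmdline give the binary and arguments without trusting ps, and the remote IP and port feed straight into the ngrep capture from the next step of the post.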
nice post,
Thanks for your post. But the question is how do we upload something like a PHP backdoor using netcat. Is it possible? Please give me examples.