Backdoors can be classified as:
- local - give root access to normal accounts,
- remote - even if we do not have account on server, thanks to this type of backdoor we'll get root access.
There are many types of backdoors, such as:
- Modification of /etc/passwd,
- New service in /etc/inetd.conf,
- ICMP backdoor,
- sshd daemon modification,
- Rootkit (kernel module).
Modification of /etc/passwd
Most primitive method, it is adding line with user to /etc/passwd. (with uid=0 and guid=0 for root access).
Example line might look like this:
This method is easy to notice (just examine /etc/passwd).
New service in /etc/inetd.conf
inetd is daemon used to listen for connections on internet sockets, and running programs in response to them. Trick is to assign port to backdoor program that for example inserts user (with username and password selected by us, and root access) to /etc/passwd .
ICMP acronym stands for (Internet Control Message Protocol), it is used by hosts and routers to communicte network-layer information to each other. For example, when internet device A wants to check if internet device B is available, it sends ICMP packet (ping, or ICMP type 8 code 0) to device B, hoping that device B responds. We can use this protocol to add backdoor to system. For example, we can listen to ping requests of certain length to execute 'add user' program.
Main deficiency of this type of backdoors is ease to notice - process is not hidden (ps command will list it), and netstat command will report open RAW socket belonging to our backdoor process.
sshd daemon modification
We can add 'patch' to sshd that:
- adds universal password that enables to login to any account on system,
- stops reporting to syslog after universal password login.
Supporting module might add following functions:
- hiding of selected process,
- restoring of selected process,
- hiding of selected file,
- restoring of selected file,
- backdoor uninstallation,
- starting root shell.
Supporting module should also be hidden.
Example rootkit might have following functions:
- hiding of folders,
- hiding of processes,
- acquiring uid=0 for selected user,
- hiding in lsmod,
- hiding in /proc/modules,
- hiding of socket waiting for ping in netstat,
- hiding of selected IP address in system logs,
- protection from rootkit removal.