Linux backdoor in Centos 6
Hi everyone,
This morning, at my company, my team lead did a demonstration on creating a backdoor in Linux.
He used ssh to connect to my computer (with the IP and password I provided); then he copied a program that he had prepared and ran it on my computer, and since then he has had the ability to do things such as shutting down my computer and killing running processes (Eclipse and Thunderbird). Even when I changed my password and the root password, he could still control my computer.
He has not revealed his technique yet.
Could anyone tell me what technique he used or what security hole he exploited?
If I encounter such an attack in real life, how can I remove the software?
Thanks
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: Linux backdoor in Centos 6
He used the gullible user exploit.
What is the output of 'uname -a' on this machine?
Re: Linux backdoor in Centos 6
I don't know, and now I cannot access the machine; it is at my company. But it has CentOS 6.6 installed (I installed it myself, and I did not upgrade the kernel manually).
Re: Linux backdoor in Centos 6
If you never updated, there are several possible exploits.
Once compromised, the only safe thing to do is backup your data, format, and reinstall.
Then immediately 'yum update'.
Re: Linux backdoor in Centos 6
However, if this was done by your team leader then you should just need to ask him to undo the changes he made.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Linux backdoor in Centos 6
Of course, it is OK because he is my team lead.
But I wonder how his program can bypass the root password.
He gave me a hint that the program uses the "system()" function.
Re: Linux backdoor in Centos 6
Who did he run as? Was he root? Was the binary suid?
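The question above is the check a defender would actually make: does a setuid-root binary exist on the box that should not be there? An added example (not code from the thread or from CentOS) that walks a tree and lists regular files with the setuid or setgid bit set, exercised on a constructed temporary directory rather than the real filesystem. On a CentOS host the same sweep is `find / -xdev -type f -perm /6000`, and each hit can be compared against its package manifest with `rpm -Vf <path>`; those two commands are real, but the sample tree and file names below are made up for the demo.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return sorted (relative path, octal mode) for every regular file under
    `root` that carries the setuid or setgid bit.

    A setuid-root file is exactly the kind of artifact that keeps working after
    the passwords are changed, so it is the first thing to enumerate."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable; skip
            if not stat.S_ISREG(st.st_mode):
                continue                     # only regular files can be exec'd setuid
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rel = os.path.relpath(path, root)
                hits.append((rel, format(stat.S_IMODE(st.st_mode), "o")))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (hypothetical layout, not a real system):
    one ordinary 0755 script and one 4755 script planted under tmp/."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    plain = os.path.join(root, "bin", "hello")
    planted = os.path.join(root, "tmp", "helper")
    for path in (plain, planted):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(plain, 0o755)
    os.chmod(planted, 0o4755)   # chmod after the write, so the bit is not cleared
    return root


def audit_sample():
    """Build the sample tree, scan it, and return the findings."""
    return find_setuid_files(build_sample_tree())


if __name__ == "__main__":
    for rel, mode in audit_sample():
        print(f"{mode} {rel}")
```

On a real host, anything reported outside the set of files a package owns (`rpm -qf <path>` returns "not owned by any package") is the candidate to look at first; the thread's advice still stands that once root has been handed over, reinstalling is the only way to be sure.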
Re: Linux backdoor in Centos 6
Dat wrote:
Hi everyone,
This morning, at my company, my team lead did a demonstration on creating a backdoor in Linux.
He used ssh to connect to my computer (with the IP and password I provided); then he copied a program that he had prepared and ran it on my computer, and since then he has had the ability to do things such as shutting down my computer and killing running processes (Eclipse and Thunderbird). Even when I changed my password and the root password, he could still control my computer.
He has not revealed his technique yet.
Could anyone tell me what technique he used or what security hole he exploited?
If I encounter such an attack in real life, how can I remove the software?
Thanks
Did you give him the root password?
Re: Linux backdoor in Centos 6
Yes, I gave him the root password.
Re: Linux backdoor in Centos 6
So there was no backdoor used.