Linux backdoor in Centos 6
Re: Linux backdoor in Centos 6
You mean it is just an app running with root permission and automatically started?
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: Linux backdoor in Centos 6
Most likely he just compiled a program that system()s out to a shell and made it suid. No magic there.
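A defender's check for the suid-binary case described in that reply, added here as an example that is not from the thread or any of its posters: it lists setuid/setgid files under a path and flags those that no installed RPM package claims (the natural baseline on CentOS 6). The function names are my own; a hand-compiled binary dropped outside the package database shows up as unowned.

```shell
#!/bin/sh
# Added example: find set-id files that no RPM package owns.
# Assumes an RPM-based host such as CentOS 6; without rpm present every
# set-id file is reported so that nothing is silently skipped.

# Print every regular file under $1 with the setuid or setgid bit set.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Return 0 if an installed RPM package owns the file $1, 1 otherwise.
rpm_owns() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -qf "$1" >/dev/null 2>&1
}

# List set-id files under $1 that no package owns, one path per line.
unowned_setid_files() {
    find_setid_files "$1" | while IFS= read -r f; do
        rpm_owns "$f" || printf '%s\n' "$f"
    done
}

# Usage: ./check_setid.sh /   (review each reported path by hand)
if [ -n "${1:-}" ]; then
    unowned_setid_files "$1"
fi
```

A packaged binary whose mode was changed to setuid after installation passes this check because the package still owns it; `rpm -Va` (mode changes show as `.M` in its output) covers that gap, and as the thread notes, a compromised host can only be trusted after a rebuild.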
Re: Linux backdoor in Centos 6
How can I find which process it is running and how to completely remove it?
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: Linux backdoor in Centos 6
Once you have been compromised you can't be sure of anything.
You can never be sure you have identified the vector and removed it.
Re: Linux backdoor in Centos 6
Maybe I'll reinstall the OS. Anyway, the PC is not used for my personal purposes; it is used only for software development at my company.
My team leads will reveal his technique in several days.
Thanks everybody, I've learnt something.
- Posts: 135
- Joined: 2014/06/17 21:50:37
Re: Linux backdoor in Centos 6
You can do that with busybox and some shell scripting.
Re: Linux backdoor in Centos 6
Maybe he created a script so that each time you try to change your password using the passwd command, his script sends him your new password.
So, each time you change your password, he will get a new email letting him know which password you set.
Makes sense, right?
Re: Linux backdoor in Centos 6
So a script to intercept the keyboard buffer then (I guess it's possible, but can't think of it off-hand)?
Otherwise, this whole posting is a non-entity: dude had root and could do root-type stuff.
Re: Linux backdoor in Centos 6
I think the backdoor script is always running in the background on the system (CentOS, Ubuntu, etc.).
Every time the user executes the command passwd the-password-here, the script reads the command and writes it to a file (/root/thepassword.txt, for example).
Then the same script removes the word passwd, leaving the-password-here alone in /root/thepassword.txt.
Then each time the file /root/thepassword.txt is modified, it is sent to the-bad-guy@domain.com.
The hacker is doing something like that... That is why he always has the last configured password on the system.
It doesn't matter how many times the user changes the password; every time, the password is going to be sent to the-bad-guy.
That's what I think. Maybe he is doing another thing... I don't know... I'm just letting you know what I think he is probably doing to you, the user.