Linux backdoor in Centos 6

Support for security such as Firewalls and securing linux
Dat
Posts: 7
Joined: 2015/07/07 15:02:57

Re: Linux backdoor in Centos 6

Postby Dat » 2015/07/10 16:01:32

You mean it is just an app running with root permission and automatically started?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Linux backdoor in Centos 6

Postby gerald_clark » 2015/07/10 16:04:55

Most likely he just compiled a program that system()s out to a shell and made it suid. No magic there.
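A setuid wrapper of the kind gerald_clark describes would show up as a root-owned setuid file that no RPM package claims. The following audit script is an added example, not something posted in the thread; it assumes GNU find and stat (as on CentOS 6) and only consults rpm when it is installed.

```shell
#!/bin/sh
# Added example: list setuid/setgid files under a directory and, when rpm
# is available, flag the ones that no installed package owns.
# Assumes GNU find/stat; rpm is optional (absent on the demo system).

# Print every regular file under $1 (same filesystem) with setuid or setgid set.
find_setxid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print the package owning $1, UNOWNED if rpm knows no owner, NO-RPM if rpm
# is not installed (so the example still runs where rpm is missing).
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$1" 2>/dev/null) && echo "$pkg" || echo UNOWNED
    else
        echo NO-RPM
    fi
}

# One line per setuid/setgid file: octal mode, owner uid, owning package, path.
# Lines reading "4755 0 UNOWNED /path" are the ones worth a closer look.
audit_setxid() {
    find_setxid "$1" | while IFS= read -r f; do
        printf '%s %s %s\n' "$(stat -c '%a %u' "$f")" "$(owner_of "$f")" "$f"
    done
}

# Usage on a real box (run as root so every directory is readable):
#   audit_setxid /
```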

Dat
Posts: 7
Joined: 2015/07/07 15:02:57

Re: Linux backdoor in Centos 6

Postby Dat » 2015/07/10 16:09:29

How can I find which process it is running and how to completely remove it?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Linux backdoor in Centos 6

Postby gerald_clark » 2015/07/10 16:19:30

Once you have been compromised you can't be sure of anything.
You can never be sure you have identified the vector and removed it.

Dat
Posts: 7
Joined: 2015/07/07 15:02:57

Re: Linux backdoor in Centos 6

Postby Dat » 2015/07/10 16:28:49

Maybe I'll re-install the OS. Anyway, the PC is not used for my personal purposes, it is used only for software development at my company.
My team leads will reveal his technique in several days.
Thanks everybody, I've learnt something.

jscarville
Posts: 97
Joined: 2014/06/17 21:50:37

Re: Linux backdoor in Centos 6

Postby jscarville » 2015/08/27 21:08:29

You can do that with busybox and some shell scripting.

manuel19
Posts: 5
Joined: 2015/05/18 13:07:18

Re: Linux backdoor in Centos 6

Postby manuel19 » 2015/11/05 16:06:26

Maybe he creates a script that, each time you try to change your password using the command passwd, sends him your new password.
So, each time you change your password, he will get a new email letting him know which password you set.

Makes sense, right?

aks
Posts: 2495
Joined: 2014/09/20 11:22:14

Re: Linux backdoor in Centos 6

Postby aks » 2015/11/05 19:12:03

So a script to intercept the keyboard buffer then (I guess it's possible, but can't think of it off-hand)?

Otherwise, this whole posting is a non-entity, dude had root and could do root-type stuff.

manuel19
Posts: 5
Joined: 2015/05/18 13:07:18

Re: Linux backdoor in Centos 6

Postby manuel19 » 2015/11/05 23:05:33

I think the backdoor script is always running in background in the system (centos, ubuntu, etc).

Every time the user executes the command passwd the-password-here, the script reads the command and writes it to a file (/root/thepassword.txt, for example).
Then the same script removes the word passwd, leaving the-password-here alone in /root/thepassword.txt.
Then each time the file /root/thepassword.txt is modified, it is sent to the-bad-guy@domain.com.

The hacker is doing something like that... That is why he always has the last configured password on the system.
It doesn't matter how many times the user changes the password; every time, the password is going to be sent to the-bad-guy.

That's what I think. Maybe he is doing another thing... I don't know... I'm just letting you know what I think he is probably doing to you, the user.