
3. Example: Finding an Intruder's Back Door

This section outlines how I found a backdoor on a Solaris box that I was attempting to secure for "a customer" --- too late as it turned out. The notes below are a little rough --- they are the notes I took at the time.

netstat -a | grep LIST

      *.sunrpc             *.*                0      0     0      0 LISTEN
      *.32771              *.*                0      0     0      0 LISTEN
      *.fs                 *.*                0      0     0      0 LISTEN
      *.printer            *.*                0      0     0      0 LISTEN
      *.32772              *.*                0      0     0      0 LISTEN
      *.32773              *.*                0      0     0      0 LISTEN
      *.22370              *.*                0      0     0      0 LISTEN
      *.22102              *.*                0      0     0      0 LISTEN
      *.32775              *.*                0      0     0      0 LISTEN
      *.32776              *.*                0      0     0      0 LISTEN
      *.32795              *.*                0      0     0      0 LISTEN
      *.32816              *.*                0      0     0      0 LISTEN
      *.32838              *.*                0      0     0      0 LISTEN
      *.6000               *.*                0      0     0      0 LISTEN
      *.32918              *.*                0      0     0      0 LISTEN
      *.22                 *.*                0      0     0      0 LISTEN
      *.6010               *.*                0      0     0      0 LISTEN
bash-2.05b# 

(Of course, if netstat had been trojanned, then the port I was suspicious of above, 22102, would not have shown up at all --- but scanning the machine with nmap from a separate, trusted host would have found it, since an external scan does not depend on any binary on the compromised box.)

lsof_4.72/lsof_4.72_src/lsof | grep 22102
sshd2      285    root    3u  inet 0x30000315108   0t0    TCP *:22102 (LISTEN)



ls -l /usr/bin/sshd2
-rwxr-xr-x   1 root     root      264424 Mar 28  2002 /usr/bin/sshd2



bash-2.05b# lsof_4.72/lsof_4.72_src/lsof | grep sshd2
sshd2      285    root  cwd   VDIR          32,0       1536                    2 /
sshd2      285    root  txt   VREG          32,0     264424               439751 /usr/bin/sshd2
sshd2      285    root  txt   VREG          32,0    1126216               141590 /usr/lib/libc.so.1
sshd2      285    root  txt   VREG          32,0      17256                90258 /usr/platform/sun4u/lib/libc_psr.so.1
sshd2      285    root  txt   VREG          32,0     838700               141177 /usr/lib/libnsl.so.1
sshd2      285    root  txt   VREG          32,0      19876               141106 /usr/lib/libmp.so.2
sshd2      285    root  txt   VREG          32,0      14908               141120 /usr/lib/libsec.so.1
sshd2      285    root  txt   VREG          32,0      56988               141121 /usr/lib/libsocket.so.1
sshd2      285    root  txt   VREG          32,0       5328               141075 /usr/lib/libdl.so.1
sshd2      285    root  txt   VREG          32,0     234132               141118 /usr/lib/ld.so.1
sshd2      285    root    0r  VCHR          13,2        0t0               479352 /devices/pseudo/mm@0:null
sshd2      285    root    1w  VCHR          13,2        0t0               479352 /devices/pseudo/mm@0:null
sshd2      285    root    2w  VCHR          13,2       0t42               479352 /devices/pseudo/mm@0:null
sshd2      285    root    3u  inet 0x30000315108        0t0                  TCP *:22102 (LISTEN)
ssh



ls -lR / | grep "Mar 28  2002"

drwxrwxrwx   3 root     root         512 Mar 28  2002 0nb
drwxrwxrwx   2 root     root         512 Mar 28  2002 backup
-rwxr--r--   1 root     root        4032 Mar 28  2002 cleaner                      *** GOLD! ********************
-rwxr-xr-x   1 root     root        9852 Mar 28  2002 pg
-r-xr-xr-x   1 root     root       10456 Mar 28  2002 in.fingerd
-rw-r--r--   1 root     root        5254 Mar 28  2002 inetd.conf
-r-xr-sr-x   1 root     root       50712 Mar 28  2002 ldlibnet.so
-r-sr-xr-x   1 root     root       29292 Mar 28  2002 login
-r-xr-sr-x   1 root     root       50712 Mar 28  2002 netstat
-r-sr-xr-x   1 root     root       18556 Mar 28  2002 su
-r-sr-xr-x   1 root     root       29292 Mar 28  2002 xlogin
-rw-rw-rw-   1 root     root          28 Mar 28  2002 ttyhash
-rw-r--r--   1 guest    staff        370 Mar 28  2002 CON.sixth.003.Z
-rw-r--r--   1 guest    staff        360 Mar 28  2002 CON.tenth.003.Z
-rwxrwxrwx   1 guest    staff        240 Mar 28  2002 SCRIPT.Z
-r-xr-xr-x   1 root     root      264424 Mar 28  2002 a.out
-rwxr--r--   1 root     sys         2544 Mar 28  2002 rc2
-rwxr--r--   1 root     sys         2001 Mar 28  2002 rc3
-r-sr-xr-x   1 root     root       29292 Mar 28  2002 xlogin
-rw-------   1 root     root         525 Mar 28  2002 ssh_host_key
-rw-r--r--   1 root     root         329 Mar 28  2002 ssh_host_key.pub
-rwxr-xr-x   1 root     root      264424 Mar 28  2002 sshd2
-rw-r--r--   1 root     root         461 Mar 28  2002 sshd_config
-r-xr-sr-x   1 root     root       50712 Mar 28  2002 ldlibnet.so
-rw-------   1 guest    staff          0 Mar 28  2002 wsconAAAmHaaym:0.0
bash-2.05b# 



find / -name ldlibnet.so

/usr/lib/ldlibnet.so
/dev/rmt/0nb/backup/ldlibnet.so



find / -name cleaner    

/dev/rmt/0nb/cleaner
bash-2.05b# 



ls -l /dev/rmt

lrwxrwxrwx   1 root     root          40 Mar 19  2002 0 -> ../../devices/pci@1f,4000/scsi@2/st@5,0:
lrwxrwxrwx   1 root     root          41 Mar 19  2002 0b -> ../../devices/pci@1f,4000/scsi@2/st@5,0:b
.
.
lrwxrwxrwx   1 root     root          41 Mar 19  2002 0n -> ../../devices/pci@1f,4000/scsi@2/st@5,0:n
lrwxrwxrwx   1 root     root          42 Mar 19  2002 0bn -> ../../devices/pci@1f,4000/scsi@2/st@5,0:bn
drwxrwxrwx   3 root     root         512 Mar 28  2002 0nb
lrwxrwxrwx   1 root     root          41 Mar 19  2002 0u -> ../../devices/pci@1f,4000/scsi@2/st@5,0:u
lrwxrwxrwx   1 root     root          42 Mar 19  2002 0ub -> ../../devices/pci@1f,4000/scsi@2/st@5,0:ub
lrwxrwxrwx   1 root     root          43 Mar 19  2002 0ubn -> ../../devices/pci@1f,4000/scsi@2/st@5,0:ubn
lrwxrwxrwx   1 root     root          42 Mar 19  2002 0un -> ../../devices/pci@1f,4000/scsi@2/st@5,0:un




ls -alR /dev/rmt/0nb

.:
total 34
drwxrwxrwx   3 root     root         512 Mar 28  2002 .
drwxrwxr-x   3 root     sys          512 Mar 27  2002 ..
drwxrwxrwx   2 root     root         512 Mar 28  2002 backup
-rwxr--r--   1 root     root        4032 Mar 28  2002 cleaner
-rwxr-xr-x   1 root     root        9852 Mar 28  2002 pg

./backup:
total 392
drwxrwxrwx   2 root     root         512 Mar 28  2002 .
drwxrwxrwx   3 root     root         512 Mar 28  2002 ..
-r-xr-xr-x   1 root     root       10456 Mar 28  2002 in.fingerd
-rw-r--r--   1 root     root        5254 Mar 28  2002 inetd.conf
-r-xr-sr-x   1 root     root       50712 Mar 28  2002 ldlibnet.so
-r-sr-xr-x   1 root     root       29292 Mar 28  2002 login
-r-xr-sr-x   1 root     root       50712 Mar 28  2002 netstat
-r-sr-xr-x   1 root     root       18556 Mar 28  2002 su
-r-sr-xr-x   1 root     root       29292 Mar 28  2002 xlogin



And reading the (ASCII) contents of cleaner...

#!/bin/sh
#
#       Generic log cleaner v0.4 By: Tragedy/Dor (dor@kaapeli.net)
#               Based on sauber..
#
#  This is TOTALLY incomplete... I never added support for IRIX or SunOS...
#  And.. i most likely never will.. And i take no responsibility for any use/misuse
#  of this tool..
#
.
.
.
.

