"Hacker Backdoor" Vulnerability


Summary

In the Unix/Linux world, hackers have exploited systems that produce 'remote shell' backdoors. These backdoors usually provide a remote root shell without any access control. Exploits on rpc.statd, rpc.ttdbserverd, rpc.cmsd, rpc.yppasswdd, and named often produce such a backdoor.

In addition, several "trojan horses" have been introduced to the Microsoft Windows environment, including Back Orifice, Netbus, and Netbus II. Also, the so-called Ramen Web backdoor has been detected as part of the Ramen Linux worm attack. Recently a variant of Ramen, called Lion, has been identified (3/22/01).

Impact

These "Trojans" allow a malicious user to manipulate a Unix/Linux or Microsoft Windows system without the knowledge of the legitimate user.

The Ramen backdoor provides a Web server from which replicated worms collect their attack programs. The Lion worm installs an instance of SSH on a non-standard port and opens other backdoor ports.

Problem

Many of the so-called RPC exploits generate a second instance of inetd that 'advertises' a remote root shell. Identified tcp ports include 77 (exploited from rpc.yppasswdd), 600 (rpc.ttdbserverd, rpc.cmsd, rpc.sadmind), 1534 (rpc.ttdbserverd, rpc.cmsd, rpc.sadmind), and 10008 (named).

Back Orifice, Netbus, Netbus II, as well as the Ramen and Lion worms, are "Trojan Horse" programs that resemble computer viruses in that the user inadvertently installs them. Once installed, their presence is difficult to detect. These "backdoors" allow the hacker to manipulate the compromised host at will. Data can be compromised or modified.

Resolution

The RPC/named backdoors, as identified by SARA, usually represent a confirmed backdoor. You can confirm this by typing the following:

    telnet host port_number

If you receive a '#' prompt and can execute commands, then you have been compromised.

For other backdoors, it is up to you, the user, to confirm that the "backdoors" are really present. Refer to the Microsoft site for details on confirming the presence of these "backdoors".

SARA can also detect the Ramen Web server. If detected and confirmed by the administrator, the system is severely compromised (root kits, kernel mods, etc.).

SARA also detects the signature of the Lion worm by checking for SSH servers running on non-standard ports, and TCP services running on port 33567 and/or 60008. If detected and confirmed by the administrator, the system is severely compromised.
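The telnet confirmation above and the Lion signature can be turned into a small administrator-side check. The following is an added example, not SARA's own code: it connects to the backdoor ports listed in this document on a host you administer, reads whatever the listener sends back, and classifies the reply using the page's three signatures (an unauthenticated '#' prompt, an SSH banner on a port other than 22, and anything at all listening on 33567 or 60008). The port-to-exploit mapping is taken from the Problem section; the sample banners in the comments are constructed.

```python
import socket

# TCP ports this document associates with RPC/named backdoor shells and the Lion worm.
BACKDOOR_PORTS = {
    77: "rpc.yppasswdd exploit shell",
    600: "rpc.ttdbserverd/rpc.cmsd/rpc.sadmind exploit shell",
    1534: "rpc.ttdbserverd/rpc.cmsd/rpc.sadmind exploit shell",
    10008: "named exploit shell",
    33567: "Lion worm backdoor",
    60008: "Lion worm backdoor",
}
LION_PORTS = (33567, 60008)


def classify_banner(port, banner):
    """Map a port and the bytes received on it to a finding string, or None if nothing matches."""
    text = banner.decode("latin-1")
    # Lion installs its own SSH daemon on a non-standard port (e.g. a constructed "SSH-1.5-..." banner on 33567).
    if text.startswith("SSH-") and port != 22:
        return "port %d: SSH server on non-standard port (Lion worm signature)" % port
    # A bare root prompt returned without any login exchange is the inetd remote-shell backdoor.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[-1].endswith("#") and port in BACKDOOR_PORTS:
        return "port %d: unauthenticated '#' prompt (%s)" % (port, BACKDOOR_PORTS[port])
    # Any TCP service on the Lion ports is itself a signature, whatever it says.
    if port in LION_PORTS:
        return "port %d: service listening on Lion worm port" % port
    return None


def probe(host, port, timeout=3.0):
    """Connect, send a newline as an interactive telnet would, and return the reply (None if closed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                s.sendall(b"\n")
                return s.recv(256)
            except socket.timeout:
                return b""  # listener accepted but stayed silent
    except OSError:
        return None  # connection refused / unreachable: nothing listening


def scan(host, ports=BACKDOOR_PORTS):
    """Probe every listed port on host and return the list of findings (empty means nothing matched)."""
    findings = []
    for port in sorted(ports):
        banner = probe(host, port)
        if banner is None:
            continue
        finding = classify_banner(port, banner)
        if finding:
            findings.append(finding)
    return findings
```

Any finding returned by scan() should be treated as the confirmation step this document describes, after which the host is considered fully compromised.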

The Fix

Systems that have been found to have a backdoor should be considered fully compromised and need to be rebuilt. The SANS Institute provides a Lion worm detection program at http://www.sans.org/y2k/lionfind-0.1.tar.gz.

References: