Backdoors

Intruders who break into a system usually come back more than once. To make the next entry easier, they leave behind a backdoor, and Trojan horses are the best-known example of one. There are many ways to leave backdoors on Unix; the following describes some common ones so that network administrators can recognize and prevent them.

Password cracking backdoor

This is the earliest and oldest method used by intruders, not only to gain access to Unix machines but also to create backdoors: cracking accounts with weak passwords. Even if the administrator later locks the account the intruder is currently using, these cracked accounts remain a backdoor for getting back in. In most cases, intruders look for unused accounts with weak passwords and change their passwords to something hard to guess. When the administrator then searches for accounts with weak passwords, the accounts whose passwords have already been changed are not found, so it is difficult to determine which accounts to lock.

Rhosts++ backdoor

On networked Unix machines, services like rsh and rlogin use a simple authentication method based on the hostnames listed in the rhosts file. A user can easily configure it to allow access without a password. By putting "+ +" into any user's rhosts file that they can write to, an intruder can allow anyone from anywhere to access that account without a password. Intruders are especially fond of this when home directories are exported via NFS. These accounts then become a backdoor for breaking in again. Many intruders prefer rsh because it usually leaves no log entries. Since many administrators check for "+ +", the intruder may instead enter the hostname and username of some other account on the Internet, which is much harder to detect.
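The check described above, written here as an added example (not part of the original article) for POSIX sh: it scans an rhosts-style trust file for the "+" wildcard and, when the administrator supplies an allow-list of hostnames, also reports the concrete-hostname entries that a plain search for "++" would miss. The script name and allow-list arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit an rhosts-style
# trust file (~user/.rhosts or /etc/hosts.equiv) for entries that grant
# password-less rsh/rlogin access. Assumes POSIX sh and grep.
#
# audit_rhosts FILE [ALLOWED_HOST ...]
#   Prints one line per suspicious entry and returns 1 if any was found,
#   0 if the file is clean or absent. Each entry is "host [user]".
audit_rhosts() {
    file=$1
    shift
    allowed=" $* "      # space-padded so grep can match whole hostnames
    found=0
    [ -r "$file" ] || return 0
    # The "|| [ -n ... ]" keeps a final line without a trailing newline.
    while read -r host user _rest || [ -n "$host" ]; do
        # Skip blank lines and comments.
        case "$host" in ''|\#*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            # "+ +" (or a lone "+") trusts every host and/or every user.
            echo "WILDCARD $file: $host ${user:-<any user>}"
            found=1
        elif [ -n "$*" ] && ! printf '%s' "$allowed" | grep -qF -- " $host "; then
            # A concrete hostname that is not on the administrator's
            # allow-list: the variant that evades a search for "++".
            echo "UNLISTED $file: $host ${user:-}"
            found=1
        fi
    done < "$file"
    return $found
}

# Stand-alone use: audit_rhosts.sh /home/alice/.rhosts trusted.example.com
if [ $# -gt 0 ]; then
    audit_rhosts "$@"
fi
```

Run it over /etc/hosts.equiv and every user's .rhosts (including home directories exported over NFS), and treat any UNLISTED entry as worth a conversation with the account owner.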

Checksum and timestamp backdoors

In the early days, many intruders replaced binaries with their own Trojan programs. System administrators relied on timestamps and a system checksum program, such as the Unix sum program, to determine whether a binary had been changed. Intruders then developed techniques to make the timestamp of the Trojan file match the original. It works like this: first the system clock is set back to the time of the original file, then the Trojan file is touched so its time matches the system time, and once the Trojan binary's timestamp matches the original exactly, the system clock is set back to the current time. The sum program is based on a CRC checksum and is easy to fool: intruders wrote a program that adjusts the Trojan's checksum to match the checksum of the original file. MD5 is recommended by most people, and the algorithm used by MD5 has not yet been fooled.
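As an added example (not code from the original article), the following sh script records a baseline of size-independent SHA-256 digests and modification times for a directory of binaries and then reports any file whose digest changed, flagging separately the case the paragraph describes: content replaced while the timestamp still matches. It assumes GNU coreutils (stat -c, sha256sum) and, as the library section of this article advises, should itself be run from trusted, statically linked tools; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal integrity
# baseline. Assumes GNU coreutils (stat -c, sha256sum). Keep the
# baseline file off the audited host (or read-only) and run the checker
# from statically linked binaries so a trojaned shared library cannot lie.

# baseline_create DIR BASELINE_FILE
#   Records "mtime sha256 path" for every regular file directly in DIR.
baseline_create() {
    dir=$1
    out=$2
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "$(stat -c %Y "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f" >> "$out"
    done
}

# baseline_verify BASELINE_FILE
#   Prints one line per changed or missing file; returns 1 if anything
#   differs from the baseline, 0 if the tree still matches.
baseline_verify() {
    base=$1
    rc=0
    while read -r mtime digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        now_mtime=$(stat -c %Y "$path")
        now_digest=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now_digest" != "$digest" ]; then
            if [ "$now_mtime" = "$mtime" ]; then
                # Contents differ but the timestamp was made to match:
                # exactly what a timestamp-only check would miss.
                echo "TAMPERED (mtime unchanged) $path"
            else
                echo "MODIFIED $path"
            fi
            rc=1
        fi
    done < "$base"
    return $rc
}

# Stand-alone use: integrity.sh create /usr/bin base.txt
#                  integrity.sh verify base.txt
case "${1:-}" in
    create) baseline_create "$2" "$3" ;;
    verify) baseline_verify "$2" ;;
esac
```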

Login backdoor

On Unix, the login program is normally used to authenticate the password of a user coming in over telnet. The intruder takes the original login.c source and modifies it so that, when comparing the entered password with the stored one, it also checks for a backdoor password. If a user types the backdoor password, the password set by the administrator is ignored and the user is let straight in. This gives the intruder access to any account, even root. Because the backdoor password is checked before the user actually logs in and gets recorded in utmp and wtmp, the intruder can log in and obtain a shell without it appearing that anyone is using the account. When administrators noticed this backdoor, they used the "strings" command to search the login program for text strings, and in many cases the backdoor password was revealed. Intruders then began encrypting or better hiding the password so that the strings command finds nothing. As a result, more administrators use MD5 checksums to detect this kind of backdoor.

Telnetd backdoor

When a user telnets to the system, the inetd service listening on the port accepts the connection and hands it to in.telnetd, which runs login. Some intruders know that the administrator will check whether login has been modified, so they modify in.telnetd instead. in.telnetd examines several things about the user, such as the type of terminal in use; a typical terminal type is xterm or vt100. An intruder can build in a backdoor that spawns a shell without any authentication when the terminal type is set to "letmein".

Service backdoor

Almost every network service has been used as a backdoor by intruders. Finger, rsh, rexec, rlogin, ftp and even inetd have all been backdoored. Some are simply a shell bound to a TCP port, with access gained through a backdoor password. These programs sometimes replace an unused service such as uucp, or are added to inetd.conf as a new service. Administrators should pay close attention to which services are running and use MD5 to verify that the original service programs are intact.

Cronjob backdoor

Cron on Unix can schedule specific programs to run at set times. An intruder can add a backdoor shell program that runs between 1 AM and 2 AM, gaining one hour of access every night. Intruders may also look at the legitimate programs that cron runs regularly and insert a backdoor into one of them.

Library backdoor

Almost all Unix systems use shared libraries, which reduce code size by reusing the same functions. Some intruders have backdoored functions in crypt.c and _crypt.c; programs like login.c call crypt(), and a shell is spawned when the backdoor password is used. So even if the administrator verifies the login program with MD5, the backdoored function still works, and many administrators never check whether the libraries have been backdoored. One problem intruders face is that some administrators run MD5 over everything. Their answer is to backdoor open() and the other file-access functions: the backdoored functions read the original file but execute the Trojan version. When MD5 reads these files the checksums look fine, yet when the system runs, the Trojan version is executed, and even the Trojan library itself evades the MD5 check. The administrator's way to find this is to statically link an MD5 checker and run it, since a statically linked program does not use the Trojan shared library.

Kernel backdoor

The kernel is the core of Unix, and the methods used by library backdoors to evade MD5 checks also work at the kernel level, where not even static linking helps. A kernel with a well-written backdoor is the hardest for an administrator to find. Fortunately, kernel backdoor code is not readily available, and no one knows how widespread it is.

File system backdoor

Intruders need to store their loot or data on the server without being detected by the administrator; the intruder's files often include exploit scripts and tools, backdoor kits, sniffer logs, email backups, source code, and so on. To keep administrators from discovering such large files, intruders patch "ls", "du" and "fsck" to hide specific directories and files. At a very low level, intruders have gone further: they carve out a portion of the hard disk, store data there in a proprietary format, and mark the area as bad sectors. Only the intruder's special tools can access these hidden files, and it is very difficult for the average administrator to discover that a file system exists in these "bad sectors".

Boot block backdoor

In the PC world, many viruses hide in the boot sector, and antivirus software checks whether the boot sector has been altered. Under Unix, most administrators have no software that checks the boot block, so some intruders leave backdoors there.

TCPShell backdoor

Intruders may set up these TCP shell backdoors on high-numbered TCP ports that the firewall does not block. In many cases they are protected with a password, so that an administrator who connects does not immediately see shell access. Administrators can use the netstat command to see the current connection state, which ports are listening, and the connections coming in and going out. Often these backdoors let intruders bypass TCP wrapper protection. The backdoors can also be placed on the SMTP port, since many firewalls allow e-mail traffic through.

UDPShell backdoor

Administrators often watch TCP connections for anything unusual, but a UDP shell backdoor has no connection, so netstat shows no trace of the intruder's access. Many firewalls are configured to let DNS-like UDP packets through, so intruders usually place the UDP shell on that port to get past the firewall.

ICMPShell backdoor

Ping is one of the common ways to check whether a machine is alive, by sending and receiving ICMP packets. Many firewalls allow outsiders to ping internal machines. An intruder can put data into ping's ICMP packets, forming a shell channel between the two pinging machines. The administrator may notice a large number of pings, but the intruder will not be exposed unless the administrator looks at the data inside the packets.

Encrypted connections

An administrator may set up a sniffer to try to capture the data, but once an intruder encrypts the network backdoor's traffic, it becomes impossible to determine what is being transmitted between the two machines.