LastDoor - Root Backdoor and Log-Cleaner for Linux
[+] What is it?
A backdoor for retaining root access and a log cleaner with several functions.
Important!: LastDoor was created as a demonstration tool for use in legal penetration testing. By using this program you accept full responsibility. The creator accepts no liability for any damage or harm that may be caused with its use.
- Hardcoded password: no prompt and a blank screen unless the correct password is entered
- Protection for virtual file systems
- All commands are sent to the system as root once setuid(0) has been called
- The log cleaner searches the file system for chosen strings; no finite list of log files is used
- Log cleaner options:
  - Search for a string and replace it with a new string (e.g. change your IP in the logs)
  - Search for a string and delete the string
  - Search for a string and delete the line
  - Search for a string and delete the file contents
  - Multi-string search/destroy in one run
  - Includes hidden files
  - Maintains the file's modified date despite making changes
- On running the log cleaner, the process is forked as a background daemon
- The user sets a timer prior to running so they can log out/exit, and it will clean up after they have gone
- If you don't log out before the process starts, the file search process will be displayed
- If you do log out before the process starts, your .bash_history is flushed and included in the search (should you want to delete your ./LastDoor command, for example)
[+] Compatibility issues?
- The program utilizes find, grep and sed. The syntax used was tested in a GNU coreutils environment and will fail on BSD (for example). This will be fixed in the next version after further testing is done.
[+] Usage
- gcc LastDoor.c -o LastDoor -Wall (only standard libraries are used)
- cp LastDoor /bin/LastDoor (for example)
- chmod u+s /bin/LastDoor (set the s bit)
- non-rootuser@whatever# /bin/LastDoor (run!)
Example scenario: "We have managed to escalate to root via a local exploit on the server and now want to put in place a means of getting back to root in the future whilst covering our tracks..."
Step 1: Compile the program and set the user s bit:
Note that the permissions are now -rwsr-xr-x for LastDoor.
Step 2: Run the program and log in (note that there is no password prompt, and no feedback is given unless the password is correct):
Note: I switched to a non-root user for demonstration purposes.
Run the program and enter the password (r0ng).
First signs of life!
Step 3: Verify that we are root: select option 1 and check 'id' and 'whoami':
Step 4: Now that the backdoor is in place, it is time to cover tracks with the log cleaner. Notice in the picture below that I have chosen the syslog for demonstration purposes. Highlighted for future reference is the last-modified date "2012-12-13 23:54".
Prior to running the log cleaner, I modified two IPs in the syslog to illustrate its functions. The two lines highlighted contain the IP 987.654.321.987 and, on the next line, 123.456.789.123. We will aim to delete the line where the first IP is found, and change the second IP from 123.456.789.123 to 22.214.171.124.
Step 5: Bring up the Log Cleaner options:
We want to replace the IP 123.456.789.123 with 126.96.36.199, so select option 1 (search/replace string), enter the IP address to search for, enter the replacement IP, then enter the maximum directory depth (e.g. /var/log/... would require 3):
After that, we are asked if we want to do more search/replace jobs. Since we want to delete the line where the IP 987.654.321.987 is present, we choose yes.
Following the on-screen prompt, we enter the second IP and the same directory depth of 3. This time we are finished, so we enter 'no' to more search/replace jobs.
Notice that there is a final prompt for the number of seconds before executing. I enter 5, which gives adequate time to log out and close the shell (the process then runs as a background daemon). This is not necessary unless, for example, you want to make sure your bash history is updated so that previous commands like "./LastDoor" are deleted, or you want to make sure your IP isn't recorded on logout.
For demonstration purposes I don't exit the shell, and am able to view the progress of the search from the shell:
Once the process completes, I cat syslog to check that the changes were made. As the overlay images below show, the line where the first IP was found was deleted, and the second IP, formerly 123.456.789.123, was changed to 188.8.131.52, as requested.
Finally, we want to check that the file's modified date has not changed, as this might arouse suspicion. Running "ls -l": the image below shows that the log cleaner has maintained the original file modified date, which was "2012-12-13 23:54". Hurrah!
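The two artefacts this walkthrough leaves on the host, the setuid binary from the install steps and a log file that was rewritten but backdated in step 5, are exactly what a defender would look for. The script below is an added example written for this page; it is not part of LastDoor or its README. It assumes GNU find and stat (the same environment the tool itself targets) and that it is run as root against real system paths such as /usr and /var/log; the function names and the sample paths are my own.

```shell
#!/bin/sh
# Added defender-side checks (not part of LastDoor). Assumes GNU coreutils
# (find/stat syntax), the same environment the tool itself targets.

# 1. Unexpected setuid binaries.  LastDoor is installed by copying a binary
#    into a system path and setting the s bit (chmod u+s), so it appears as
#    a setuid executable.  Print "owner mode path" for every such file
#    under DIR so the list can be diffed against a known-good baseline.
list_setuid() {
    dir=$1
    find "$dir" -xdev -type f -perm -4000 -exec stat -c '%U %a %n' {} + 2>/dev/null | sort
}

# 2. mtime/ctime gap.  The log cleaner restores a file's modification time
#    after editing it, but the inode change time (ctime) is written by the
#    kernel on every change and cannot be pushed back by the same call.  A
#    file whose ctime is far newer than its mtime therefore deserves a
#    second look (chmod, chown and rename also bump ctime, so treat hits
#    as leads, not proof).
#    Prints "gap_seconds path" for files under DIR whose ctime exceeds
#    mtime by more than MIN_GAP seconds (default 300).
mtime_ctime_gap() {
    dir=$1
    min_gap=${2:-300}
    find "$dir" -xdev -type f -exec stat -c '%Z %Y %n' {} + 2>/dev/null |
    while read -r ctime mtime path; do
        gap=$((ctime - mtime))
        if [ "$gap" -gt "$min_gap" ]; then
            printf '%s %s\n' "$gap" "$path"
        fi
    done
    return 0
}

# Usage on a real host (as root), after sourcing this file:
#   list_setuid /usr
#   list_setuid /bin
#   mtime_ctime_gap /var/log 300
```

The setuid list is only useful against a baseline: diff it against the same listing from a known-good image or against the package manager's records, and investigate any entry that neither explains. The ctime check works because utime-style calls (what `touch -r` and the tool's date restoration rely on) set only atime and mtime; ctime moves to the current time on every inode change, so a syslog that is supposed to grow continuously yet shows a ctime hours or days ahead of its mtime has been touched by something other than normal appends.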
Download (Archive: LastDoor, LastDoor.c, README) from Packetstormsecurity.org
(If you find this useful, why not check out an advert below to support the blog? :O ) ~r0ng