Ok….. You’ve been at it for all night. Trying all the exploits you can think of. The system seems tight. The system looks tight.
The system *is* tight. You’ve tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect permissions, race conditions, SUID exploits, Sendmail bugs, and so on… Nothing. WAIT! What’s that!?!? A “#” ???? Finally!
After seeming endless toiling, you’ve managed to steal root. Now what? How do you hold onto this precious super-user privilege you have worked so hard to achieve….?
This article is intended to show you how to hold onto root once you have it. It is intended for hackers and administrators alike.
From a hacking perspective, it is obvious what good this paper will do you. Admin’s can likewise benefit from this paper. Ever wonder how that pesky hacker always manages to pop up, even when you think you’ve completely eradicated him from your system?
This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are ways into one.
Know the location of critical system files. This should be obvious (If you can’t list any of the top of your head, stop reading now, get a book on UNIX, read it, then come back to me…). Familiarity with passwd file formats (including general 7 field format, system specific naming conventions, shadowing mechanisms, etc…). Know vi. Many systems will not have those robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful for needing to quickly seach and edit a large file. If you are connecting remotely (via dial-up/telnet/rlogin/whatver) it’s always nice to have a robust terminal program that has a nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc…
The permenance of these backdoors will depend completely on the technical saavy of the administrator. The experienced and skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the admin isn’t as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time to come. One major thing to be aware of, is the fact that if you can cover you tracks during the initial break-in, no one will be looking for back doors.
 Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of rentry. It flies a red flag to the admin, saying “WE’RE UNDER ATTACK!!!”. If you must do this, my advice is DO NOT simply prepend or append it. Anyone causally examining the passwd file will see this. So, why not stick it in the middle…
 The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, some background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the appropriate program (usally a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical lines look like this: