Re: backdoor question

From: Mysidia (
Date: 10/28/02

On Sun, Oct 27, 2002 at 12:55:00AM -0400, Alysia wrote:
> If one was to put in a back door to a game, how would they go about
> doing it? I need to check some code; I had a fellow imp go insane recently.
> So now my task is to make sure there is nothing else hard coded in that would
> provide this person with immortal access to the game in any way, shape or form.
> Thanks. -A

1. Only with a complete audit can you be 100% certain.

2. On a unix system: make sure the imp isn't listed in
   .ssh*/authorized_keys, .rhosts or .shosts

3. Make sure there aren't any unusual processes running as the mud
   user ('ps xwu') and kill anything that shouldn't be running
   via kill(1)

4. If 2 or 3 were the case, then re-check them after removing
   known backdoors.

5. Check your '.login', '.bashrc', '.profile', '.tcshrc',
   '.bash_login', '.bash_profile', '.ssh/rc', etc. files

   Check  .logout  and .bash_logout

   Either use something not involving the shell (like ftp)
   to check the files out, or

   see your shell man pages for other details: prefix your editor
   commands with the full path to the editor and then the \ character
   to turn off any shell aliases that might be used to fake you out
   by loading a different file instead.

   I.e.:   \/usr/bin/pico ~user/.login

   There are plenty of ways your former imp could set a backdoor
   without touching the mud code, and you need to ensure that the
   shell is clean before trying to do anything to the mud --
   the former imp could have set up a shell backdoor to
   make changes to your mud binary every time you load it.

   Things to look for:
        o Setting a path that includes '.', something in /tmp
          below your home directory, or a place in another user's
          home directory
        o ('.' may be in your path by default, but if so, it should
           be last, so system programs get first dibs)
        o Running 'chmod', 'perl', or any unknown program
        o Using any program with output directed to a file

        o Lines longer than 80 characters, i.e. lots of space
          followed by some text that would be offscreen (use an editor
          such as vi that will show the full line on screen)

6. Compare your autorun script to the one in stock circlemud --
   autorun is a convenient place for someone setting up a
   trojan backdoor (as is a Makefile or configure script).

7. Look [1] in the mud source proximity of:

strncmp(CRYPT(arg, GET_PASSWD(d->character)), GET_PASSWD(d->character), MAX_PWD_LENGTH)

A common backdoor technique is to have 'magic login passwords'

Look throughout nanny() for any unusual changes.

Compare interpreter.c to the stock code if necessary.

Note: a backdoor could be as subtle as a function call, i.e.
a simple:

   innoculousLookingFunction(arg, d);
   innoculousLookingFunction(arg, d->character);

could be just the hook needed to help mask a backdoor.

( For good measure: change the passwords of all the
   imp's former characters, delete them, and xname them )

For the rest I've included a few regexps to help you look:

    egrep -in '(GET_LEVEL|player\.level).*[^><=]=[^><=].*' *.[ch] |less

    Carefully review each result.

    egrep -in 'st([a-z]+)_?cmp *\(.*(GET_NAME.*\"|\".*GET_NAME).*' *.[ch]

    This should have zero results unless there is a backdoor or very
    bad coding.


    egrep -in 'st([a-z]+)_?cmp *\(.*GET_NAME.*' *.[ch] |less

    too, because if there is a name-comparison backdoor, they might
    have used a variable or other method of storing the identifier.

9.  Idnum is the unique identification number of a player

     egrep -in 'GET_IDNUM.*=.*[0-9]+.*' *.[ch]

     egrep -in 'GET_IDNUM.*' *.[ch]

    egrep -in '\\x[0-9a-f]+' *.[ch]
    egrep -in '\\0[0-9]+' *.[ch]
    egrep -in '%c%c%c' *.[ch]

    Intentionally obfuscated strings are a good hint.

     fgrep -i '#include' *.[ch]

    Make sure your include files are all proper.
    #include "/tmp/blah.h"
    is a sign of a backdoor.

    So is
    #include ".asdf.h"

    #include "filenamethatdoesntendin.h"

12. Check for command executors:
    egrep -i '(fork|clone|exec.*|system|popen) *\(' *.[ch] |less

    Check for file accessors (esp. where file is a variable or unknown):
    egrep -i '(f?open|f?chmod|[fl]?chown|access) *\(' *.[ch] |less

    Check for ipc/shared memory use:
    egrep -i '(mmap|shm[a-z]+|sem[a-z]+|msg[a-z]+) *\(' *.[ch] |less

    Check for listeners/sockets other than the main port
    egrep -i '(bind|listen|connect|sendmsg|recvmsg) *\(' *.[ch] |less

13. Check 'command_interpreter' of act.wizard.c

14. Make sure all the wiz commands in the cmd_info[] table are

    make sure all commands start with do_

15. egrep -in 'do_.* *\(' *.[ch] |less

    Look for any command calling another command (this is dubious)

Just some thoughts for getting started
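
The "Things to look for" list in step 5, turned into a read-only scan of a shell startup file. This is an added example, not part of the original post; the function name `audit_rc` and the sample file are constructed for illustration, and every hit still needs a human look.

```shell
#!/bin/sh
# Added example: flag the step-5 warning signs in shell startup files.
# Read-only: files are parsed with awk, never sourced or executed.

audit_rc() {   # $1 = startup file; prints "file:line: reason" for each hit
    awk -v f="$1" '
    function flag(why) { printf "%s:%d: %s\n", f, NR, why }
    {
        if (length($0) > 80) flag("line longer than 80 columns")
        if ($0 ~ /^[ \t]*#/) next              # comments: length check only
        if (match($0, /(PATH|path)[ \t]*=[ \t]*/)) {
            v = substr($0, RSTART + RLENGTH)
            gsub(/["()]/, "", v)               # drop quotes and csh parens
            if (v ~ /^:|::|:$/) flag("empty PATH entry (means current directory)")
            n = split(v, e, /[: \t]+/)
            for (i = 1; i <= n; i++) {
                if (e[i] == ".") flag("PATH includes \".\"")
                else if (e[i] ~ /(^|\/)tmp(\/|$)/) flag("PATH entry in a tmp directory: " e[i])
                else if (e[i] ~ /^~[A-Za-z0-9_]/) flag("PATH entry in another user home: " e[i])
            }
        }
        if ($0 ~ /(^|[ \t;&|`(])(chmod|perl)([ \t;]|$)/) flag("runs chmod or perl")
        t = $0
        gsub(/[0-9]*>>?[ \t]*\/dev\/null/, "", t)   # ignore discards to /dev/null
        gsub(/[0-9]*>&[0-9-]/, "", t)               # ignore fd duplication (2>&1)
        if (t ~ />/) flag("output redirected to a file")
    }' "$1"
}

# Constructed sample startup file (not from the original post).
sample=$(mktemp)
{
    printf 'export PATH=/tmp/.x:$PATH:.\n'
    printf 'alias ls="ls -F"%90s; perl ~/.x.pl > ~/.x.out\n' ''
    printf '# ordinary comment\n'
    printf 'echo ready > /dev/null 2>&1\n'
} > "$sample"
audit_rc "$sample"
rm -f "$sample"
```

Run it against each file named in step 5 and against .logout and .bash_logout; a clean file prints nothing.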
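
The `fgrep -i '#include'` check above leaves the sorting to the reader; the script below does the first pass by flagging only the include targets the post calls suspicious. It is an added example, not part of the original post: `audit_includes` is a hypothetical name, the sample file is constructed, and treating every absolute path (not just /tmp) as suspect is a generalization of the post's `/tmp/blah.h` case.

```shell
#!/bin/sh
# Added example: triage #include lines for the patterns the post names.

audit_includes() {   # $@ = C source/header files; prints "file:line: reasons: target"
    awk '
    /^[ \t]*#[ \t]*include[ \t]*["<]/ {
        inc = $0
        sub(/^[^"<]*["<]/, "", inc)       # strip up to the opening delimiter
        sub(/[">].*$/, "", inc)           # strip the closing delimiter and the rest
        base = inc
        sub(/^.*\//, "", base)            # file name without directories
        why = ""
        if (inc ~ /^\//)         why = why " absolute-path"
        if (inc ~ /(^|\/)tmp\//) why = why " tmp-directory"
        if (base ~ /^\./)        why = why " hidden-file"
        if (base !~ /\.h$/)      why = why " not-a-.h-file"
        if (why != "") printf "%s:%d:%s: %s\n", FILENAME, FNR, why, inc
    }' "$@"
}

# Constructed sample source file (not CircleMUD code).
d=$(mktemp -d)
cat > "$d/sample.c" <<'EOF'
#include <stdio.h>
#include "structs.h"
#include "/tmp/blah.h"
#include ".asdf.h"
#include "utils"
EOF
audit_includes "$d"/*.c
rm -rf "$d"
```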



This archive was generated by hypermail 2b30 : 06/25/03 PDT