Re: backdoor question

From: Mike Stilson (mike@velgarian.sytes.net)
Date: 10/28/02


On Mon, Oct 28, 2002 at 05:54:38PM -0500, Mysidia wrote:
>On Sun, Oct 27, 2002 at 12:55:00AM -0400, Alysia wrote:
>> If one was to put in a back door to a game. How would they go about
>> doing it? I need to check some code, I had a fellow imp go insane recently.
How?  As innocuously as possible in a way that would be so tedious to
those doing the audit that they might overlook it.

>> So now my task is to make sure there is nothing else hard coded in that would
>> provide this person with immortal access to the game in any way shape or form.
I'd worry more about shell access than a hijacked mud.  If he has shell
access he can do whatever he wants with the mud, and it's equally easy
to either jack the mud or open up a (non-privileged at least) shell
backdoor.

>1. Only with a complete audit can you be 100% certain.

And unless you ABSOLUTELY know what you're doing, with intimate
knowledge of every line of code, 100% is a fantasy.

>2. On a unix system: make sure the imp isn't listed in
>   .ssh*/authorized_keys .rhosts or .shosts
>
>3. Make sure there aren't any unusual processes running as the mud
>   user   'ps xwu' and kill anything that shouldn't be running
>   via kill(1)

To be more sure:
Reboot from trusted, read-only media (to avoid kernel module kits).  If
this isn't possible, make ABSOLUTELY certain you're using an unmodified,
statically linked ps.  Also make sure to check the output of ps against
/proc (if your system has it) to make sure there are no hidden process
numbers.  Most people don't keep good md5sums of circle and its files, and
since lots of them are pretty dynamic it'd be useless to worry about them.

Next, make sure to check (again, with statically linked versions) with
lsof -i and netstat -tuapn.  Be very suspicious of any extra ports
open, especially by the circle process.  Actually, just checking "lsof"
as the circle admin account could be useful to see if he has something
else open, perhaps for logging passwords.

If he's on a static ip, you could even be so silly as to block his ip
(iptables, ipfw, ip blackhole, blocking at the router, or any other
number of ways) but that's not going to last for long and is REAL easy
to get around.

>4. If 2 or 3 were the case, then re-check them after removing
>   known backdoors.

Actually, if 2 or 3 were the case and you don't own the machine you're
running it on, inform the administrator/owner.  You can audit everything
and anything, but, well, to be blunt, if you have to ask how to
find/check this then someone else is probably more qualified to do the
post-mortem on the machine, which would have to be taken offline and
basically re-installed from scratch to be certain.

>   Things to look for:

Also check LD_PRELOAD:
$ echo $LD_PRELOAD

No guarantees this is empty or what it may contain, but if it isn't
empty, make sure what it points to is valid.  That's long been one of
the simplest ways to root a box.

>6. Compare your autorun script to the one in stock circlemud --
>   autorun is a convenient place for someone setting up a
>   trojan backdoor (as is a Makefile or configure script).

Just to elaborate:
All autorun should do is: start the circle process, copy stdout and
stderr to a file, then do some greps or whatever to put things into
various text files.  It should under no circumstances be starting any
other processes except bin/circle.  Make certain your makefile doesn't,
umm... do anything you don't understand.  The odd things to look at would
be in either the all or (especially) default rules.

>12. Check for command executors:
>    egrep -i '(fork|clone|exec.*|system|popen) *\(' *.[ch] |less

Generally speaking, fork/clone/exec shouldn't be there except for maybe
ispell or copyover.  system() is called for executing autowiz.  fork()
is called in core_dump_real() at least in pl17.  As a side note, fork
isn't exactly a giveaway.  I daemonized my circle and handle
logging/rerunning internally, but that would still be easy to find.

>
>    Check for file accessors (esp. where file is a variable or unknown):
>    egrep -i '(f?open|f?chmod|[fl]?chown|access) *\(' *.[ch] |less

Just check this one carefully, as there are a lot of legitimate uses of
this in a mud: not stock, but I can think of uses.  So just check any
calls to these VERY carefully.

>    Check for ipc/shared memory use:
>    egrep -i '(mmap|shm...|sem...|shmdt|msg...) *\(' *.[ch] |less

This would be an absolute giveaway.  There's, as far as I can think of
but might be wrong, absolutely no use for this in a mud.

>    Check for listeners/sockets other than the main port
>    egrep -i '(bind|listen|connect|sendmsg|recvmsg) *\(' *.[ch] |less

connect() would be an absolute giveaway, since a daemon shouldn't be
calling anyone (unless you have my metaserver patch, or I think the i3c
package calls connect() as well.)

>13. Check 'command_interpreter' of act.wizard.c

Also, check for anything that contains GET_ID/GET_IDNUM.  He could've
easily added something that checks for another imp's ID and runs some
command to either reinstate his char, randomly mess up someone's char,
or an endless list of other things.  This could possibly turn up a LOT
of lines, and be tedious to check them, but it's still necessary so
check all of 'em.


-me

--
   +---------------------------------------------------------------+
   | FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
   | Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
   | Newbie List:  http://groups.yahoo.com/group/circle-newbies/   |
   +---------------------------------------------------------------+



This archive was generated by hypermail 2b30 : 06/25/03 PDT
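The host and source checks from the thread above, as an added example that is not part of the original message or of CircleMUD: POSIX sh functions that diff ps output against /proc to find hidden PIDs, report LD_PRELOAD and the system-wide preload file (/etc/ld.so.preload on glibc systems, an assumption about the target box), and run the grep patterns from the post over a source tree, plus one extra pattern for GET_ID/GET_IDNUM compared against a numeric literal. The script name audit.sh, the sample act.wizard.c snippet used in testing, the PID lists and the preload file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from CircleMUD.
# Helpers for the host and source checks discussed in the thread.
# Assumptions: POSIX sh, a Linux-style /proc, GNU or BSD find/grep/comm/sort.

# Print PIDs present in the /proc list but absent from the ps list.
# Arguments: file of PIDs from ps, file of PIDs from /proc (one per line).
# A non-empty result means ps is hiding something (trojaned ps or a kernel
# module rootkit) or a process started between the two snapshots, so
# re-check any PID it prints with: ls -l /proc/<pid>/exe
hidden_pids() {
    tmp_ps=$(mktemp) ; tmp_proc=$(mktemp)
    sort -u "$1" > "$tmp_ps"
    sort -u "$2" > "$tmp_proc"
    comm -13 "$tmp_ps" "$tmp_proc"     # lines only in the /proc list
    rm -f "$tmp_ps" "$tmp_proc"
}

# Live wrapper. ps runs first; /proc is then enumerated with a shell glob
# (no child processes), so the snapshot tools themselves never show up as
# "in /proc but not in ps". Pass the path of a statically linked ps from
# trusted media as $1, as the post advises, rather than the system one.
live_hidden_pids() {
    ps_bin=${1:-ps}
    ps_f=$(mktemp) ; proc_f=$(mktemp)
    "$ps_bin" -e -o pid= | tr -d ' ' > "$ps_f"
    for p in /proc/[0-9]*; do echo "${p#/proc/}"; done > "$proc_f"
    hidden_pids "$ps_f" "$proc_f"
    rm -f "$ps_f" "$proc_f"
}

# Report preload hooks: the LD_PRELOAD variable the post checks, plus the
# system-wide preload file (/etc/ld.so.preload on glibc systems, assumed),
# which applies the same trick to every dynamically linked binary on the box.
# Argument 1 (optional): preload file to inspect. Returns 1 if anything found.
preload_check() {
    pf=${1:-/etc/ld.so.preload}
    found=0
    if [ -n "${LD_PRELOAD:-}" ]; then
        echo "LD_PRELOAD=$LD_PRELOAD"
        found=1
    fi
    if [ -s "$pf" ]; then
        echo "$pf lists:"
        sed 's/^/  /' "$pf"
        found=1
    fi
    return $found
}

# Grep a source tree for the call families listed in the post, plus any
# comparison of GET_ID/GET_IDNUM against a numeric literal: a hard-coded
# player id next to a privilege change is the classic shape of a
# "reinstate my character" backdoor. Prints file:line:text; every hit still
# needs a human to decide whether it is a legitimate autowiz/copyover use.
audit_source() {
    dir=$1
    for pat in \
        '(^|[^A-Za-z0-9_])(fork|clone|exec[a-z]*|system|popen) *\(' \
        '(^|[^A-Za-z0-9_])(f?open|f?chmod|[fl]?chown|access) *\(' \
        '(^|[^A-Za-z0-9_])(mmap|shm[a-z]*|sem[a-z]*|msg[a-z]*) *\(' \
        '(^|[^A-Za-z0-9_])(bind|listen|connect|sendmsg|recvmsg) *\(' \
        'GET_ID(NUM)? *\([^)]*\) *[!=]= *[0-9]+'
    do
        # /dev/null forces the file:line: prefix even when only one file matches
        find "$dir" -type f \( -name '*.c' -o -name '*.h' \) \
            -exec grep -nE "$pat" /dev/null {} + 2>/dev/null || true
    done
}

# Usage on a live box:  sh audit.sh run /path/to/circle/src /path/to/static/ps
if [ "${1:-}" = run ]; then
    echo "== PIDs in /proc but not in ps ==";  live_hidden_pids "${3:-ps}"
    echo "== preload hooks ==";                preload_check || true
    echo "== suspicious calls in ${2:-.} =="; audit_source "${2:-.}"
fi
```

The /proc comparison only catches a ps binary or library hook that lies; a kernel module that hides the process from /proc as well defeats it, which is why the post's first advice is to reboot from trusted media. Run live_hidden_pids twice and only chase PIDs reported both times, since a process starting between the two snapshots shows up as a false positive. The grep patterns are deliberately wide (the post's own egrep lines are wider still); the point is to get a short list to read by hand, not a verdict.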