I’m highly suspicious that someone installed a backdoor on my system. Is there a program or way to determine this?
Thanks
What makes you think you have a back door? Your details are too vague for an intelligent response. Are you just looking for lots of guesses?
Who have you given your root password to?
What were you doing when suspicion was triggered?
What are the specs of your system?
Do you log in as root to deliberately make your system vulnerable?
Who has access to your machine in a physical sense?
Have you set up a firewall? AppArmor?
Which version of Linux which distro?
imterpsfan2 wrote:
>
> I’m highly suspicious that someone installed a backdoor on my system.
> Is there a program or way to determine this?
>
> Thanks
>
You can at least check your system with chkrootkit.
sudo /sbin/chkrootkit
You probably need to install the package if not already on your system.
–
openSUSE 11.3 64 bit | Intel Core2 Quad Q8300@2.50GHz | KDE 4.5 | GeForce
9600 GT | 4GB Ram
openSUSE 11.3 64 bit | Intel Core2 Duo T9300@2.50GHz | KDE 4.5 | Quadro FX
3600M | 4GB Ram
I was at someone’s house. I left the computer open while they were there. Months later I tried to log on to the internet and was unable to do so. Then I found that person’s WEP Credentials listed in my network settings as well as files accessed that I haven’t looked at myself in months.
32-bit system, SUSE 11.1
I did not log in as root.
No firewall setup.
Does chkrootkit identify backdoor programs?
Recommend you inspect the “modified date” file property of any suspected files, it’s usually beyond the technical skill level of casual Users to hack that value. From that info, you’ll likely be able to establish a date and time of any “incident” if it even exists.
Along similar lines, the odds of rootkit exploitation is tiny. Not impossible, but possible only if someone with sufficient knowledge and/or skill gained sufficient access to “own” the machine, and the combination of those required circumstances is very rare.
You’d probably find it far more likely to become victim of common exploits like keyloggers, trojans, etc.
I would guess the type of backdoor you’re talking about is more likely detected by things like netstat and logging local User authentication.
IMO,
Tony
How would I log user authentication?
imterpsfan2 wrote:
>
> Does chkrootkit identify backdoor programs?
>
I don’t think any program can detect all possible backdoors. I recommended
chkrootkit since it mentions at least some cgi backdoors in its readme file
which it can detect.
Probably one can detect backdoors with clever use of some network sniffers
(but this is far beyond my limited skills).
But what you described later sounds more like unauthorized access by a
person changing your network settings and using your computer than a
backdoor.
Nothing showed up on the chkrootkit.
Hi
You could use lsof to see if there are any strange programs running,
else you could use wireshark to monitor network traffic.
Else if you’re still not feeling comfortable, either rebuild the machine
(backup your data), else if you can get a replacement drive and build a
new system and transfer your data over…
–
Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.23-0.3-default
up 3 days 5:44, 3 users, load average: 0.21, 0.23, 0.28
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.12
The Command
last
will extract all User logins to your machine from /var/log/wtmp
You can match that output against your own memory of your own actions and also against any files with modified dates you believe were done without your authorization.
I suspect packet capturing by something like Wireshark is a bit overboard, something like netstat which displays active network connections would be more effective determining if an unauthorized network connection exists.
Tony
Tony
With last I am not seeing any different users. However, I am seeing a system reboot at periodic times. I left the computer in hibernate mode. If someone were using a backdoor then they wouldn’t have to log in right?
What would I look for with netstat?
I also notice I have a folder named cron in my Documents folder.
If an existing User account was compromised, you would see logons and possibly activity which requires re-authentication that don’t match what you remember doing (from your posts, this is your personal machine so you should remember what you did). Reboots might require inspection but are not necessarily smoking guns.
If you put your machine in hibernate mode, your User activity is logged off and saved to disk. I haven’t looked closely at hibernate to be able to state definitively that the machine is still active and can be logged on remotely (would require valid credentials), but even if the machine were powered off completely if your NIC supports WOL, a remote User could still try to connect.
You’ll really need to define “backdoor” properly. Normally, it is defined as <unauthorized use>, and “unauthorized” means by normal computer configuration, not whether a Human User like yourself authorizes. In other words, a “backdoor” circumvents by creating an unauthorized communication channel and/or accesses computer subsystems like I/O (your keyboard for instance with a keylogger). Simply using your User Account because you left your Username/Password accessible is <not> a backdoor, but installing a device that records and sends personal information secretly can be.
Netstat displays all existing network connections. Typically it’s possible to know what you’re connecting to, anything else would be questioned.
A folder named cron in your Documents folder might be suspicious but you’d need to determine what it does to determine its significance.
For starters based on what you’ve posted, if you just want to prevent compromise I’d recommend you create and use a different User Account (don’t just rename the User Account and/or change the password), then continue monitoring activity. Copy to your new account’s folders only safe files. If you want to go further and forensically investigate you may want to clone the drive for analysis, but I suspect that’s more than you are likely to want to do.
HTH,
Tony
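An added example (not from any poster in this thread) that turns the two checks suggested above, reviewing `last` output and reviewing `netstat` output, into small filters: one lists sessions and reboots that started inside an off-hours window (such as the 05:00 reboots mentioned), the other lists established connections to peers outside your own LAN prefix. The `last -F` and `netstat -tn` lines below are constructed samples with made-up users and addresses so the script runs offline; on a live system pipe the real commands into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread. Live use:
#   last -F | flag_offhours 0 6
#   netstat -tn | foreign_peers 192.168.1.
# Below the functions run over constructed sample output instead.

# Constructed `last -F` sample (fake users, hosts and times).
LAST_SAMPLE='alice    pts/0        192.168.1.20     Fri Nov  5 13:06:12 2010 - Fri Nov  5 14:10:01 2010  (01:03)
reboot   system boot  2.6.27.48-0.3    Fri Nov  5 05:01:33 2010 - Fri Nov  5 09:02:10 2010  (04:00)
alice    tty7         :0               Thu Nov  4 19:22:40 2010 - Thu Nov  4 23:01:15 2010  (03:38)
reboot   system boot  2.6.27.48-0.3    Thu Nov  4 05:00:58 2010 - Thu Nov  4 09:01:44 2010  (04:00)
bob      pts/1        10.0.0.7         Wed Nov  3 02:15:09 2010 - Wed Nov  3 02:40:00 2010  (00:24)'

# Constructed `netstat -tn` sample (fake addresses).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.5:49152       192.168.1.20:22         ESTABLISHED
tcp        0      0 192.168.1.5:49160       203.0.113.9:443         ESTABLISHED
tcp        0      0 192.168.1.5:4444        198.51.100.23:51000     ESTABLISHED'

# flag_offhours START END: print `last` lines whose session started at an
# hour h with START <= h < END (24h clock). The start time is the first
# HH:MM:SS token on the line, so it works for both user and reboot rows
# even though their columns differ.
flag_offhours() {
    awk -v s="$1" -v e="$2" '
        match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) {
            h = substr($0, RSTART, 2) + 0
            if (h >= s && h < e) print
        }'
}

# foreign_peers PREFIX: print ESTABLISHED `netstat -tn` rows whose foreign
# address does not begin with PREFIX (your LAN). Every peer printed is one
# you should be able to account for yourself.
foreign_peers() {
    awk -v p="$1" '$6 == "ESTABLISHED" && index($5, p) != 1 { print }'
}

printf '%s\n' "$LAST_SAMPLE" | flag_offhours 0 6
printf '%s\n' "$NETSTAT_SAMPLE" | foreign_peers 192.168.1.
```

On the sample data the first filter reports the two 05:00 reboots and bob's 02:15 session, the second the two non-LAN peers.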
Are you talking about my wireless card or network card, or both? I took the wireless card out and it still seemed like someone was accessing files.
I can’t pull out the network card because it’s soldered in.
I also noticed the reboot logon would happen at 5 in the morning and last for 4 hours. That seems suspicious to me.
Since I can’t pull out the network card how can I disable it in Linux?
Most laptops have a way to physically disable a NIC.
If not, you can enable/disable a number of different ways, I suppose one global way is
/etc/init.d/network stop
I’d recommend rebooting to re-enable networking services if you use the “network stop” method, I’ve noticed that required wireless services don’t necessarily restart properly when simply restarting network services.
Dunno about your mysterious reboots, could be anything. If you’re not proficient in debugging, maybe it’s worth peace of mind to get up in the morning one day?
Tony
On 11/05/2010 01:06 PM, tsu2 wrote:
>
> Most laptops have a way to physically disable a NIC.
> If not, you can enable/disable a number of different ways, I suppose
> one global way is
>
>
> Code:
> --------------------
> /etc/init.d/network stop
> --------------------
>
>
> I’d recommend rebooting to re-enable networking services if you use the
> “network stop” method, I’ve noticed that required wireless services
> don’t necessarily restart properly when simply restarting network
> services.
>
> Dunno about your mysterious reboots, could be anything. If you’re not
> proficient in debugging, maybe it’s worth peace of mind to get up in the
> morning one day?
You can disable the wired NIC by unloading the driver with ‘sudo /sbin/modprobe
-rv <driver_name>’. To reload, change the -rv to -v.