What are the possible hacker backdoors?

Hi all. I don’t have any intention to hack anywhere; instead I want to secure my suse 10.2 to prevent possible attacks from outside. I suspect someone did get on my pc (probably some of my coworkers), because around 100GB of my movies and other stuff have disappeared from disk during the night, and at home I’m the only one working on this pc. My pc has at least the following connections at its disposal:
1) apache web server (running a simple web page)
2) ssh
3) nxserver for gui remote connection

I did check /var/log/messages but there was no message entry for ssh that would be suspicious for that magic night. Unfortunately the nxserver is 1.5v and has no log (soon I’m replacing it with 3.0, which has logging possible). My pc is behind a router and has the firewall enabled, but some ports are left open (for nx connection, …). So my questions are:
1) What or where could be possible backdoors?
2) How could I prevent or at least limit them?
3) Which log files do indicate possible attacks or connection attempts?
Thanks for your help.

Install rkhunter & run it; it will let you know of any vulnerabilities.

Andy

In case they modified the log, … you could also check your bash shell history. Hackers sometimes forget to modify that.

In case your movies were on an NTFS partition, is it possible it simply did not mount properly (because of a clean unmount from a recent MS-Windows boot)?

Look for someone logging in (via nx) with your password during the night in /var/log/messages (nx uses a user account, so it should show up there). You could possibly change your password NOW to avoid a repeat.
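As an added illustration of the log check suggested above (not code from any poster in this thread), the script below pulls sshd login events out of a syslog-style file such as /var/log/messages and keeps only those that fall inside a night-time hour window. The sample log lines are constructed; it assumes the classic syslog line layout and the "Accepted"/"Failed" wording sshd uses.

```shell
#!/bin/sh
# Constructed sample in the style of /var/log/messages (not from a real host).
# Fields: "Mon DD HH:MM:SS host program[pid]: message"
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 14 22:10:02 mybox sshd[4021]: Accepted publickey for me from 192.0.2.10 port 51022 ssh2
Mar 14 23:59:30 mybox cron[1021]: (root) CMD (run-parts /etc/cron.hourly)
Mar 15 02:13:44 mybox sshd[4410]: Accepted password for me from 192.0.2.77 port 40112 ssh2
Mar 15 02:13:45 mybox sshd[4410]: pam_unix(sshd:session): session opened for user me by (uid=0)
Mar 15 02:14:01 mybox sshd[4412]: Accepted password for nx from 192.0.2.77 port 40114 ssh2
Mar 15 03:30:00 mybox sshd[4500]: Failed password for root from 192.0.2.77 port 40200 ssh2
Mar 15 07:45:12 mybox sshd[4601]: Accepted password for me from 192.0.2.10 port 51100 ssh2
EOF

# night_logins FILE START_HOUR END_HOUR
# Print sshd "Accepted"/"Failed" lines whose hour is in [START_HOUR, END_HOUR).
# $3 is the HH:MM:SS field; "+ 0" turns a zero-padded "02" into the number 2.
night_logins() {
    awk -v start="$2" -v end="$3" '
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            split($3, t, ":"); hour = t[1] + 0
            if (hour >= start && hour < end) print
        }' "$1"
}

# count_night_logins FILE START END -> number of matching login events
count_night_logins() {
    night_logins "$@" | wc -l | tr -d ' '
}

# night_sources FILE START END -> distinct client addresses seen in the window
night_sources() {
    night_logins "$@" | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# Stand-alone run: events between midnight and 06:00, then who connected.
night_logins "$SAMPLE_LOG" 0 6
night_sources "$SAMPLE_LOG" 0 6
```

A login for the nx account from an address you do not recognise, at an hour you were asleep, is exactly the kind of line worth following up; run it against the real file with `night_logins /var/log/messages 0 6`.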

Thanks for the hints.

In case your movies were on an NTFS partition, is it possible it simply did not mount properly
both disks have just ext3 partitions so this shouldn’t be the problem.

In case they modified the log, … you could also check your bash shell history
can you please tell me how to do that. Thanks again.

I’m not at a Linux PC right now.

I recall (and I have a bad memory) that the command is simply:
history

and if that scrolls off the screen type:
history > bash-history.txt
and use a text editor to open “bash-history.txt”.

In fact one can go direct to the file (instead) where the history is stored, but I don’t know that off the top of my head … I would need to be at a Linux PC for a dozen seconds to find that.

Interesting topic. Now is it actually possible to remove ALL traces on a compromised system?
If so I wonder why hackers wouldn’t write a small program to automate that task and clean up everything that needs to be removed. I’m quite sure that’s already the case…

TheMask.

Thanks oldcpu, I’ll check it.

If so I wonder why hackers wouldn’t write a small program to automate that task and clean up everything that needs to be removed
I’m against hacking if it’s used for spying, copying private data and doing any other damage to remote computers and people. On the other hand, if it’s organized for intentional security investigations with the consent of the “victim” or exclusively for study purposes, then I approve of it. Anyway, in my case I have just a few malicious coworkers trying to tease me. Besides, in my opinion linux users in general are more open minded and morally aware, but there are always some fools who are not.

Hmmm… possible, but in the process of removing, one could leave a trace by removing too much. Hence I’m not so certain that is already the case … or rather, that it’s the case “perfectly” … things get missed.

But I’m always willing to learn on this.

Thank you for clarifying that. I totally agree with both of you. :wink:
Now in my opinion such scripts already exist, and if they are properly programmed, no trace would be left of the attack/tease/hack. That’s what I meant in my previous post.
If anyone had used such a script in your case, you would hardly be able to notice anything besides the loss of your data…


TheMask.

I understand… but I’m skeptical that is possible to the extent you suspect.

There are too many logs, and too much “goes on” in a PC, and it is too easy to mistakenly delete too much. That in itself leaves a trail.

I have looked at some scripts (designed for hacking at Linux) in some forensic posts of users whose Linux PCs were hacked; the scripts’ automated cleaning routines were not perfect. They missed files. They deleted too much in some cases. They deleted not enough in other cases.

It’s easy to say “properly programmed”, but in practice, that is INCREDIBLY difficult.

Interesting. That means it’s quite impossible to get into a system and leave without being noticed… I thought that was somehow possible.
Thanks for your previous reply; I think it’s a very interesting topic to think about.

TheMask.

AusCERT - UNIX Intruder Detection Checklist: this should get you started. Also note, in checking logs, they mention

… many intruders edit log files in an attempt to hide their activity …

Plenty to follow on with from that page including cleaning if needed.

Thanks, it’s a good place to start (I already know that page). As for the friendly nudge, I’ve increased your reputation… :wink:


TheMask.

If yours is just a desktop rather than a server, then there are fewer points of exploit.

Kurt Seifried - LASG

The original OP has several points of entry, i.e. apache and web software; places like Packet Storm (http://packetstormsecurity.org/) will show you so many web applications that will have exploits. Then we have ssh, which if not key authenticated is a glaring hole. Yet with the implication that it is a colleague, it seems a little malicious to me, unless they know they have a backup. But then the chances of being rooted after entry rise; take this little one that I noticed today: http://www.packetstormsecurity.com/filedesc/enyelkm-1.3-no-objs.tar-gz.html

The more doors you have open, the more chances; most desktops by default should have very little running. As for social engineering, not sure the savvy should/will get caught.

Hi
You might also see if you can get a shell account on an external service. I use www.rootshell.be, from which I can ssh to then do nmap etc. back to my home systems :slight_smile:


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.1 (i586) Kernel 2.6.27.19-3.2-default
up 12:49, 2 users, load average: 1.80, 1.11, 0.51
GPU GeForce 6600 TE/6200 TE - Driver Version: 180.29

Thanks malcolmlewis and FeatherMonkey, you’ve helped a lot. :slight_smile: I think that is enough material to read through for the next few hours/days.
Enjoy your weekend, guys!

TheMask.