21

Long story short, I was making sure a web app didn't create an LFI vuln by attempting to open /etc/passwd with it. My first attempt to prevent LFI was unsuccessful and listed out the file, and I noticed this at the bottom:

backdoor:x:0:0::/root:/bin/bash

What does this mean, and is it malicious? If so, how do I remove it?

AviD
CarlosAllende
  • 38
    It's not really that long of a story. This is a homework problem you're asking us to help you solve. Northern Virginia Community College ITN 170. https://www.coursehero.com/file/13907290/passwdadded/ Please be slightly more honest when you're asking the questions. – John Deters Nov 30 '16 at 20:41
  • 12
    … especially when asking things that actually are meant to spur one's investigative skills. You might then be talking to people who like to investigate. – Marcus Müller Nov 30 '16 at 20:42
  • 3
    You would be better off omitting technical terms from your question. It does seem strange that someone knows what a `LFI vuln` is and how to exploit it, but is confused about `backdoor` entry in the `/etc/passwd`. It is like asking `I am a firefighter. Is it OK that my house is on fire?` – VL-80 Dec 01 '16 at 14:35

2 Answers

66

Well, from your question I assume you know what a line in /etc/passwd is, so your question strikes me as a bit of odd. Unless, of course, you're going through some kind of test and don't really know your way around a Unix system and are trying to pass easily by cheating with us.

However:

That's a line in /etc/passwd that defines a user called backdoor, which prefers the bash shell.

The bad news is (aside from the fact that someone utterly stupid or an author of some kind of admin test used the name backdoor for this user) that this account uses user ID 0 and Group ID 0, and home /root, and all three of those should be absolutely exclusive to root, the super user.

Your system has been compromised.

You'll need to remove the system from the network, do a postmortem analysis, and set it back up from scratch, hopefully closing the vulnerability you found in your postmortem analysis that allowed them to do this in the first place. (Leaving the system up and trying to "clean it up" is a losing game because who knows what other rootkits or backdoors they have planted.)

Marcus Müller
  • 23
    "so your question strikes me as a bit of odd" - Indeed. I imagine a competent attacker would use a less obviously evil name, such as `toor` (which is a thing on some of the BSDs and might pass unnoticed). – Kevin Nov 30 '16 at 02:01
  • 13
    @Kevin usually, you'd simply not add anything to /etc/passwd – you just add a password for one of the system accounts to /etc/shadow or whatever auth database there is, and flip the suid bit on one or two shells or script interpreters. Stay minimal, stay unnoticed. And if I ever did that, none of the users, scripts, executables, process names or log entries would contain "backdoor". – Marcus Müller Nov 30 '16 at 10:00
  • Xander, sorry, I don't agree with your edit. Either go the full length as Lightness Races in Orbit suggested (and you reject-edited), or don't play nice. – Marcus Müller Nov 30 '16 at 18:25
  • 9
    That line certainly didn't smell right to me, either. A quick search for that text showed up as a hit on an /etc/passwd file named passwd.added from a file associated with Northern Virginia Community College course ITN170. So while I'm not saying it's a homework question, I'm still tagging it with the homework tag... – John Deters Nov 30 '16 at 20:37
  • @JohnDeters nice detective work :) Yeah, even if this is actually a script kiddie applying what they've taught him in ITN170, this is **so** homework-y… – Marcus Müller Nov 30 '16 at 20:41
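A defender's check for exactly what this answer describes, added here as an example rather than anything posted by the answerer or the asker: it parses passwd-format lines and reports every account other than `root` that has UID 0, GID 0 or home `/root`, and any entry whose password field is empty. The sample file content is constructed (its last line is the entry quoted in the question); the script name `audit_passwd.py` is an assumption, so adjust it to whatever you save the file as.

```python
import sys
from dataclasses import dataclass

# Constructed sample passwd content for the demonstration; it is not the
# asker's real file. The last line is the entry quoted in the question.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    """One /etc/passwd record: the seven colon-separated fields, in order."""
    name: str
    passwd: str   # "x" means the hash lives in /etc/shadow; "" means no password
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text into PasswdEntry objects, skipping blanks/comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text):
    """Return [(account, [reasons])] for entries that claim root's identity.

    UID 0, GID 0 and home /root should belong to root alone, which is the
    point the answer makes about the 'backdoor' line; an empty password
    field is flagged too because it lets anyone log in without one.
    """
    findings = []
    for e in parse_passwd(text):
        reasons = []
        if e.uid == 0 and e.name != "root":
            reasons.append("uid 0 (root privileges)")
        if e.gid == 0 and e.name != "root":
            reasons.append("gid 0 (root group)")
        if e.home == "/root" and e.name != "root":
            reasons.append("home /root")
        if e.passwd == "":
            reasons.append("empty password field (no password required)")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise audit the given file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE_PASSWD
    for account, reasons in audit_passwd(content):
        print(f"{account}: {', '.join(reasons)}")
```

Run as `python audit_passwd.py /etc/passwd` to check a live system; on the sample it reports only the `backdoor` account, with all three root-identity reasons. As the comments above note, a careful intruder would not leave such an obvious name, so treat this as one quick check among many, not as a substitute for the offline postmortem the answer recommends.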
0

Although your system may well have been compromised, it is worthwhile to consider an alternative hypothesis: that another system administrator has placed this backdoor login there deliberately. It may even have been done for a legitimate purpose (although it is rather odd if so). Perhaps someone was fired recently? There are so many hidden ways to put backdoors in (such as running a modified ssh daemon) that this rather obvious way looks wrong.

Edit: as pointed out in several comments, this makes the potential situation more serious, not less.

James Brusey
  • 11
    Maybe you wouldn't panic where you work, but I promise this would trigger alarm bells all the way up to the top in our shop. (It would also likely be detected pretty quickly by our system scans.) This is the kind of scenario they present in our annual security training. This offense would demonstrate such blatant disregard for our security policy that it would get you fired first time, no warning. – John Deters Nov 30 '16 at 20:57
  • 2
    'Perhaps someone was fired recently' - in which case you have the absolute *worst* backdoor scenario, and you really do need to consider nuking from orbit. – sapi Dec 01 '16 at 09:48
  • I agree with the comment. It could be time to panic majorly and I didn't mean to imply otherwise. Please remember though that some of us work in research labs with PhD students who sometimes do stupid things. – James Brusey Dec 03 '16 at 09:31