Detecting backdoors

teancum144

I came across a question that implies that backdoors can be detected by "proper configuration management processes."

I'm not sure how this would be accomplished. I would think hashing of system files and comparing hashes against the baseline - which could be considered part of configuration management. Am I on the right track?

Shadow Realm

Are you talking about OS backdoors (Like rootkits) or Web app backdoors like

<?php
if(isset($_GET) && $_GET == 'urpwd'){
system($_GET);}
?>

Web app ones can sometimes (Although rarely) like this "Warning:" "Cannot execute a blank command in"

Otherwise just look through your access logs (if they were sloppy) otherwise you can look @ recent files unless they used touch. tldr; It's pretty hard to find one if they know what they are doing

samurai86

I think you are on the right track, that may be on way to detect a back door, or other malware. What Shadow Realm mentions also is true in regards to backdoors with coded application, or web based applications.

Within a system you may be also to detect a backdoor by documenting things like known services, registry run keys, or other start up locations. By knowing what should be here, you would be able to identify something that does not belong and you then would be able to investigate. Also monitoring network traffic may also be able to help you detect a back door, but not sure if the configuration management process would assist in regards to packet analysis.

Shadow Realm

Alot of rootkits are able to "Hide" from common looks like that, Such as Jynx Jynx Rootkit/2.0 - Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools

• Hiding from netstat
• Hiding from ps/top and /proc
• File hiding
• Advanced anti-removal features
• SSL connect accept() hook