=Paper=
{{Paper
|id=Vol-2872/short07
|storemode=property
|title=Identifying and blocking the backdoors in Linux
|pdfUrl=https://ceur-ws.org/Vol-2872/short07.pdf
|volume=Vol-2872
|authors=Enkli Ylli,Julian Fejzaj,Igli Tafa
|dblpUrl=https://dblp.org/rec/conf/rtacsit/YlliFT21
}}
==Identifying and blocking the backdoors in Linux==
Enkli Ylli (a), Julian Fejzaj (b), Igli Tafa (a)
(a) Faculty of Information Technology, Polytechnic University of Tirana, Sheshi Nënë Tereza, Tiranë, Albania
(b) Faculty of Natural Sciences, University of Tirana, Bulevardi Zogu i Pare, Tiranë, Albania
Abstract
Security and privacy are becoming a hot topic not only for people in the field but also at social and family gatherings. It looks like attackers keep finding sensational ways to gain access to systems and networks. On the other side, white hats are developing new ways to block these attacks and protect customers from them, and it feels like this process will never come to an end. However, it is important to keep our eyes wide open for our own safety. Knowledge is power. In this paper we introduce backdoors as a means of attacking and gaining access to a system. We do that by using some tools in Ubuntu, a set of commands that will be explained in the next sections. We give a demonstration of how to inspect a system for hidden backdoors. Finally, we introduce a way to stop a backdoor attack.
Keywords
backdoors, rkhunter, Ubuntu
Proceedings of RTA-CSIT 2021, May 2021, Tirana, Albania
EMAIL: eylli@yahoo.com (A. 1); julian.fejzaj@fshn.edu.al (A. 2); itafaj@gmail.com (A. 3)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)

1. Introduction
Nowadays, the knowledge required to keep networks and systems well protected needs to be updated regularly. A strong reason for that is that attackers are becoming more and more sophisticated, using a wide variety of ways to gain a foothold on a system or a network. All those working in the field need to roll up their sleeves and be equipped with the proper background, so that the next time a sensational attack is reported on the news they will not have to count themselves lucky that their company was not the target. However, no matter how well secured a system is, there will be a way to crack it. We should also take into consideration that even if a system is not vulnerable today, it may be in danger at some point in the future. Night terrors aside, fortunately there are only a few highly developed adversaries, especially in our country, against whom our defence will fail. In this paper, we introduce backdoors as a means of gaining access to a specific technology. We emphasise that backdoors are not only used for dreadful purposes; those of the non-criminal category are used to help clients who are locked out of their devices, or for damage assessment and dealing with software issues. We also demonstrate in Linux Ubuntu how to find hidden backdoors, using a set of commands and tools. Finally, we show a way to stop a backdoor attack.

2. Related Work
There are different types of backdoors that accomplish attacks when systems have vulnerabilities. In [1], vulnerabilities of the authentication system are treated, together with how attackers can establish malicious backdoors to bypass the authentication logic. They describe three types of backdoors and propose their elimination. In [2], statistics are given about the methods used by actors to hack and crack systems, and the result is that even though one may say that backdoors are old, they are still one of the most used methods to gain unauthorised access to a system or network.

3. Theoretical Approach
In the cybersecurity world, a backdoor is a method by which users, authorised or not, can bypass security measures and obtain the most important access level, which is root access. Gaining this access on a software application, network or computer system is very dangerous, because the attackers can steal your personal data and financial information and install further malware to control everything they have compromised. Backdoor malware is generally referred to as a Trojan. A Trojan is a malicious computer program that pretends to be something different for the purpose of delivering malware, stealing your data, or opening up a backdoor on your computer system. Much like the Trojan horse in Greek history, computer Trojans always contain a really bad surprise. Trojans sometimes have the ability to replicate themselves and spread to other computer systems without any additional commands from the cyber "criminal" who created them. An attacker can gain control of your computer using a backdoor to:
▪ Upload or download files
▪ Carry out DDoS attacks on further devices
▪ Adjust device settings as he wants, including user credentials or even passwords
▪ Steal data
▪ Install other malware on the system
▪ Shut down or restart the machine
▪ Download extra files
▪ Run processes and tasks
▪ Control the device remotely
Backdoors are of different types and not all of them have malicious intent. Administrative backdoors are created by the hardware and software makers themselves. Unlike backdoor malware, administrative backdoors are not necessarily thought up with an illegitimate purpose in mind. Most of the time, built-in or administrative backdoors exist as artifacts of the software development process.

4. Environment Setup
We chose to do our experiments in Ubuntu. Initially, we need to install VirtualBox in order to run Ubuntu in it. We are using Ubuntu because it is user-friendly and is compatible with Debian packages.
Setting up VirtualBox on the Windows platform.
To install VirtualBox, first and foremost, Windows Installer must be present on our system.
▪ Start the Oracle VM VirtualBox installation by double clicking the executable file.
▪ The Welcome dialog lets us choose where to install Oracle VM VirtualBox and which components to install. The components available are: USB support, Python support, Networking.
▪ In the end, the installer will create an Oracle VM VirtualBox group in the Windows Start menu, which lets you start the application and access its documentation.
▪ With default settings, Oracle VM VirtualBox will be installed for all users on the local machine. [5]
Setting up Ubuntu on VirtualBox
▪ Open the newly installed VirtualBox and choose New. A new window will appear.
▪ Select the architecture (32 or 64 bit) and the guest OS.
▪ Set the base memory (RAM).
▪ Hit "Next" until it displays the VM storage size. Decide how much space we need based on our hard disk and finish the wizard by hitting the Create button.
▪ Next, in the VirtualBox window, select "Start" and choose the "media source". In our case, select the ".iso" on the desktop.
▪ Complete the installation. [6]

5. Results
How to find a strongly hidden backdoor, rootkit or port?
The 1st step [8]:
sudo apt-get install rkhunter
Once rkhunter has completed its check, its findings are written to its log, which we inspect with:
sudo gedit /var/log/rkhunter.log
The 2nd step - Port scan [7]:
sudo netstat -antu -p
The 3rd step - List of processes:
sudo ps -e
The 4th step - List of hidden processes [4]:
sudo apt-get install unhide
sudo unhide-posix proc
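The following is an added example, not code from the paper, that automates the cross-check behind steps 2 to 4 above: it reads output in the shape of `netstat -antu -p` and flags listeners on ports outside an expected list, and it compares a `ps -e` listing against the PIDs present in /proc, which is the discrepancy the proc technique of unhide reports. The netstat and ps samples, the /proc PID list and the expected-port list are constructed for the example and are not from the paper's experiment; the "-bash" listener on port 4444 is planted in the sample so that the check has something to find.

```shell
#!/bin/sh
# Added example, not code from the paper: cross-check the views that steps 2-4
# take of a host (listening sockets, the ps process table, and /proc) so that a
# listener on an unexpected port, or a PID visible in /proc but absent from ps,
# is flagged. All sample data below is constructed for the example.

# Constructed output in the shape of `netstat -antu -p` (port 4444 is the planted oddity).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2319/-bash
tcp        0      0 10.0.2.15:22            10.0.2.2:51012          ESTABLISHED 1201/sshd: user
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient'

# Ports this host is expected to have open (assumption; adjust per host).
EXPECTED_PORTS='22 631 68'

# unexpected_listeners NETSTAT_OUTPUT EXPECTED_PORTS
# Prints "port pid/program" for every TCP LISTEN socket or UDP socket whose
# local port is not in the expected list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        /^(tcp|udp)/ {
            # TCP rows carry a State column and only listeners matter; UDP rows have no state.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            n = split($4, addr, ":"); port = addr[n]   # last field, so IPv6 ":::22" works too
            if (!(port in allow)) print port, $NF
        }'
}

# Constructed `ps -e` output and constructed /proc PID list: 2319 has a /proc
# entry but no ps row, which is what unhide's proc technique reports.
SAMPLE_PS='  PID TTY          TIME CMD
    1 ?        00:00:02 systemd
  590 ?        00:00:00 dhclient
  640 ?        00:00:00 cupsd
  812 ?        00:00:00 sshd
 1201 ?        00:00:00 sshd'
SAMPLE_PROC_PIDS='1 590 640 812 1201 2319'

# hidden_pids PS_OUTPUT PROC_PIDS
# Prints each PID that appears in the /proc list but has no row in the ps output.
hidden_pids() {
    ps_out=$1
    for pid in $2; do
        printf '%s\n' "$ps_out" | awk -v p="$pid" 'NR > 1 && $1 == p { found = 1 } END { exit !found }' \
            || echo "$pid"
    done
}

# Live variant against the running host (Linux only). A process that exits between
# the two snapshots shows up as a false positive, so re-run before acting on a hit.
hidden_pids_live() {
    hidden_pids "$(ps -e)" "$(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ')"
}

if [ "${1:-}" = "--demo" ]; then
    echo "Listeners on unexpected ports:"; unexpected_listeners "$SAMPLE_NETSTAT" "$EXPECTED_PORTS"
    echo "PIDs present in /proc but missing from ps:"; hidden_pids "$SAMPLE_PS" "$SAMPLE_PROC_PIDS"
fi
```

Run the script with --demo to see both checks on the constructed data; hidden_pids_live runs the same comparison against the host. A hit from hidden_pids_live on a process that simply exited between the two snapshots is normal, which is why unhide repeats its checks before reporting; and a listener such as the 4444 row should be tied back to a binary on disk through the PID that netstat -p prints before it is treated as a backdoor.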
The 5th step - View logs [10]:
sudo gedit /var/log/dpkg.log
sudo gedit /var/log/daemon.log
sudo gedit /var/log/user.log
The 6th step - Check the repositories (every configured package source is listed with its file name, so an added repository stands out):
grep ^ /etc/apt/sources.list /etc/apt/sources.list.d/*
Finally, we give some commands for what to do in case of a backdoor attack. We block outgoing traffic to prevent backdoor damage. We can use iptables to contain further damage if malware has managed to infect our host. By adding filter rules to the 'OUTPUT' chain we block any unwanted traffic leaving the host.
Commands [9]:
iptables -A OUTPUT -o eth1 -j DROP
Note that this rule drops every packet leaving through eth1, including replies belonging to connections that are already established, so a remote administration session over that interface is cut off as well: run it from the console, or allow established traffic before it.
We can add extra rules for logging and analysis.
Create a new chain named LOGGING:
iptables -N LOGGING
Then send outgoing traffic to the LOGGING chain. This jump has to be appended before any plain DROP rule in OUTPUT, since rules are matched in order and a packet dropped by the rule above never reaches LOGGING:
iptables -A OUTPUT -j LOGGING
Log the packets. The cited examples [9] include this rule; without it the LOGGING chain only drops and nothing is written to the kernel log. The rate limit keeps a chatty backdoor from flooding the log:
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
Drop the packets:
iptables -A LOGGING -j DROP
The logged packets can then be read from the kernel log with dmesg.

6. Conclusions
To conclude, security is an important topic and everyone should have some basic knowledge in order to protect themselves from possible attacks. Remember that if your system is safe today it can be a target tomorrow. Backdoors were still one of the most popular methods in 2020. We learned that backdoors are used by good guys and bad guys alike. Through the sections of this paper we learned what backdoors are and how attackers use them to gain access to a computer. In the experimental section, we demonstrated a simple way to detect hidden processes. Finally, we gave a solution for what to do in case of a backdoor attack: we blocked outgoing traffic to prevent damage.

7. References
[1] A. Mishra, J. P. Jyotiyana, "Secure Authentication: Eliminating Possible Backdoors in Client-Server Endorsement", 2016.
[2] "Data Breach Investigation Report", 2019.
[3] https://www.malwarebytes.com/backdoor/
[4] https://www.cyberciti.biz/tips/linux-unix-windows-find-hidden-processes-tcp-udp-ports.html
[5] https://www.virtualbox.org/manual/ch02.html
[6] https://askubuntu.com/questions/142549/how-to-install-ubuntu-on-virtualbox
[7] http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
[8] https://help.ubuntu.com/community/RKhunter
[9] https://www.thegeekstuff.com/2011/06/iptables-rules-examples/
[10] https://helpdeskgeek.com/linux-tips/display-a-list-of-recently-installed-software-packages-in-ubuntu/