Identifying and blocking the backdoors in Linux

Enkli Ylli a, Julian Fejzaj b, Igli Tafa a

a Faculty of Information Technology, Polytechnic University of Tirana, Sheshi Nënë Tereza, Tiranë, Albania
b Faculty of Natural Sciences, University of Tirana, Bulevardi Zogu i Pare, Tiranë, Albania

Abstract

Security and privacy are becoming a hot topic not only for people in the field but also at social and family gatherings. It looks like attackers are finding sensational ways to gain access to systems and networks. On the other side, white hats are developing new ways to block these attacks and protect customers from them, and it feels like this process will never come to an end. However, it is important to keep our eyes wide open for our own safety. Knowledge is power. In this paper we introduce backdoors as a means of attacking a system and gaining access over it. We do that by using some tools in Ubuntu, a set of commands that will be explained in the next sections. We give a demonstration of how to inspect hidden backdoors. Finally, we introduce a way to stop a backdoor attack.

Keywords
backdoors, rkhunter, Ubuntu

1. INTRODUCTION

Nowadays, the knowledge required to keep networks and systems well protected needs to be updated regularly. A strong reason for that is that attackers are becoming more and more sophisticated, using a wide diversity of ways to gain access to a system or a network. All those working in the field need to roll up their sleeves and be equipped with the proper background, so that the next time a sensational attack is reported on the news they won't consider themselves blessed that their company wasn't the target. However, no matter how well secured a system is, there will be a way to crack it. We should take into consideration that even if a system is not vulnerable today, it may be in danger at some point in the future. Setting "night terrors" apart, fortunately there are only a few highly developed attackers, especially in our country, against which our defence will fail. In this paper, we introduce backdoors as a means of gaining access to a specific technology. We emphasize that backdoors aren't only used for dreadful purposes; those of the non-criminal category are used to help clients who are desperately locked out of their devices, for damage assessment, and for dealing with software concerns. Also, we will demonstrate in Linux Ubuntu how to find hidden backdoors, using a set of commands and tools. Finally, we will show a way to stop a backdoor attack.

2. RELATED WORK

There are different types of backdoors that accomplish attacks when systems have vulnerabilities. In [1], vulnerabilities of the authentication system are treated, together with how attackers can establish malicious backdoors to bypass authentication logic. The authors describe three types of backdoors and propose their elimination. In [2], some statistics are given about the methods used by actors to hack and crack systems, and the result is that even if one may say that backdoors are old, they are still one of the most used methods to gain unauthorized access to a system or network.

3. THEORETICAL APPROACH

In the cybersecurity world, a backdoor is a method by which unauthorized and authorized users have the capability to get around security measures and earn the most important access level, which is root access. Gaining this access on a software application, network or computer system is very dangerous, because they can steal your personal data and financial information and install more and more malware to control everything they have hacked. Backdoor malware is generally referred to as a Trojan. A Trojan is a malicious computer program that pretends to be something different
for the purposes of delivering malware, stealing your data, or opening up a backdoor on your computer system. Much like the Trojan horse in Greek history, computer Trojans always contain a really bad surprise. Trojans sometimes have the ability to replicate themselves and spread to other computer systems without any additional commands from the cyber "criminal" who created them. An attacker can gain control of your computer using a backdoor to:
▪ Upload or download files
▪ Carry out DDoS attacks on further devices
▪ Adjust device settings as he wants, including user credentials or even passwords
▪ Steal data
▪ Install other malware on the system
▪ Shut down or restart the machine
▪ Download extra files
▪ Run processes and tasks
▪ Control the device remotely
Backdoors are of different types, and not all of them have malicious intent. Administrative backdoors are created by the hardware and software makers themselves. Unlike backdoor malware, administrative backdoors aren't necessarily thought up with an illegitimate purpose in mind. Most of the time, built-in or administrative backdoors exist as artifacts of the software creation process.

Proceedings of RTA-CSIT 2021, May 2021, Tirana, Albania
EMAIL: eylli@yahoo.com (A. 1); julian.fejzaj@fshn.edu.al (A. 2); itafaj@gmail.com (A. 3)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)

4. ENVIRONMENT SETUP

We chose to do our experiments in Ubuntu. Initially, we need to install VirtualBox in order to run Ubuntu on it. We are using Ubuntu because it is user-friendly and is compatible with Debian packages.

Setting up VirtualBox on the Windows platform
To install VirtualBox, first and foremost Windows Installer must be present on our system.
▪ Start the Oracle VM VirtualBox installation by double-clicking on the executable file.
▪ The welcome dialog enables us to choose where to install Oracle VM VirtualBox and which components to install. The components available are:
  - USB support
  - Python support
  - Networking
In the end, the installer will create an Oracle VM VirtualBox group in the Windows Start menu, which lets you start the application and access its documentation.
▪ With the default settings, Oracle VM VirtualBox will be installed for all users on the local machine. [5]

Setting up Ubuntu on VirtualBox
▪ Open the newly installed VirtualBox and choose New. A new window will appear.
▪ Select the architecture (32 or 64 bit) and the guest OS.
▪ Set the base memory (RAM).
▪ Hit "Next" until it displays the VM storage size. Decide how much space we need, depending on our hard disk, and finish the wizard by hitting the Create button.
▪ Next, in the VirtualBox window, select "Start" and choose the "media source". In our situation, select the ".iso" on the desktop.
▪ Complete the installation. [6]

5. RESULTS

How to find a strongly hidden backdoor, rootkit or port?

The 1st step [8]: install rkhunter and inspect its log:
sudo apt-get install rkhunter
sudo gedit /var/log/rkhunter.log

The 2nd step - Port scan [7]:
sudo netstat -antu -p

The 3rd step - List of processes:
sudo ps -e
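As an added example (not part of the original paper), the following shell script automates the port-scan step: it parses the numeric output of netstat -antu -p and reports listening sockets whose port is not on a per-host allow-list. The sample netstat output and the allow-list are constructed for illustration.

```shell
# Added example, not from the paper: triage "sudo netstat -antu -p" output by flagging
# listening sockets whose port is not on a known-good list for this host.
# Assumption: the output is in netstat's numeric (-n) format shown in SAMPLE below.

# unexpected_listeners "PORT PORT ..."  < netstat-output
# Prints "proto port pid/program" for every listening socket not on the list.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }             # skip the two header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }  # tcp: keep only listening sockets
        {
            port = $4; sub(/.*:/, "", port)     # "0.0.0.0:4444" or ":::22" -> port
            if (!(port in ok)) print $1, port, $NF   # $NF is the PID/Program name column
        }'
}

# Constructed sample of "netstat -antu -p" output (not captured from a real host).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      650/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2213/nc
tcp        0      0 10.0.2.15:22            10.0.2.2:51034          ESTABLISHED 1990/sshd: user
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient'

# Baseline for this (constructed) host: ssh, local CUPS, DHCP client.
KNOWN_PORTS="22 631 68"

# Stand-alone run over the sample; on a live host pipe in the real command instead:
#   sudo netstat -antu -p | unexpected_listeners "$KNOWN_PORTS"
printf '%s\n' "$SAMPLE" | unexpected_listeners "$KNOWN_PORTS"
# -> tcp 4444 2213/nc
```

Every line the function prints is a socket the host owner did not expect, which is where the rkhunter and process-list steps should be focused next.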
The 4th step - List of hidden processes [4]:
sudo apt-get install unhide
sudo unhide-posix proc

The 5th step - View logs [10]:
sudo gedit /var/log/dpkg.log
sudo gedit /var/log/daemon.log
sudo gedit /var/log/user.log

The 6th step - Check the repositories:
grep ^ /etc/apt/sources.list /etc/apt/sources.list.d/*

Finally, we give some commands for what to do in case of a backdoor attack. We block outgoing traffic to prevent backdoor damage.

We can use iptables to contain further damage if malware has been able to infect our host. By applying iptables filters to the 'OUTPUT' chain we block any unwanted traffic leaving the host.

Commands [9]:
iptables -A OUTPUT -o eth1 -j DROP

We can add extra rules for logging and analyzing.
Create a new chain named LOGGING:
iptables -N LOGGING
Then send outgoing traffic to the LOGGING chain:
iptables -A OUTPUT -j LOGGING
Drop the packets:
iptables -A LOGGING -j DROP

6. CONCLUSIONS

To conclude, security is an important topic and everyone should have some basic information in order to protect themselves from possible attacks. Remember that if your system is safe today, it can be a target tomorrow. One of the most popular ways, even in 2020, is backdoors. We learned that backdoors are used by good guys and bad guys alike. Through the sections of this paper we learned what backdoors are and how attackers use them to gain access to a computer. In the experimental section, we demonstrated a simple way to detect hidden processes. Finally, we gave a solution for what to do in case of a backdoor attack: we blocked traffic to prevent damage.

7. References

[1] A. Mishra, J.P. Jyotiyana, "Secure Authentication: Eliminating Possible Backdoors in Client-Server Endorsement", 2016.
[2] "Data breach investigation report", 2019.
[3] https://www.malwarebytes.com/backdoor/
[4] https://www.cyberciti.biz/tips/linux-unixwindows-find-hidden-processes-tcp-udpports.html
[5] https://www.virtualbox.org/manual/ch02.html
[6] https://askubuntu.com/questions/142549/how-to-install-ubuntu-on-virtualbox
[7] http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
[8] https://help.ubuntu.com/community/RKhunter
[9] https://www.thegeekstuff.com/2011/06/iptables-rules-examples/
[10] https://helpdeskgeek.com/linux-tips/displaya-list-of-recently-installed-software-packagesin-ubuntu/
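The check behind the 4th step (unhide-posix proc), written out as an added shell example that is not from the paper: the numeric entries of /proc are compared with the PIDs that ps reports, and only PIDs missing in two independent rounds are reported, so that a process exiting between the two listings is not mistaken for a hidden one. The PID snapshots are constructed; the live_check wrapper assumes a Linux /proc and ps.

```shell
# Added example, not from the paper: the comparison that "unhide-posix proc" performs.
# A rootkit that hooks ps can drop a process from the ps listing, but a plain directory
# listing of /proc still shows the numeric PID entry; the difference is the hidden set.

# hidden_pids PROC_PIDS PS_PIDS : PIDs present in /proc but absent from ps.
# Both arguments are whitespace- or newline-separated PID lists.
hidden_pids() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        /^---$/  { in_proc = 1; next }
        !in_proc { for (i = 1; i <= NF; i++) seen[$i] = 1; next }      # what ps reported
                 { for (i = 1; i <= NF; i++)                            # what /proc holds
                       if ($i ~ /^[0-9]+$/ && !($i in seen)) print $i }'
}

# A process that exits between the /proc listing and the ps run looks "hidden" once.
# confirmed_hidden PROC1 PS1 PROC2 PS2 : PIDs hidden in both rounds, dropping that noise.
confirmed_hidden() {
    printf '%s\n---\n%s\n' "$(hidden_pids "$1" "$2")" "$(hidden_pids "$3" "$4")" | awk '
        /^---$/ { second = 1; next }
        !second { for (i = 1; i <= NF; i++) once[$i] = 1; next }
                { for (i = 1; i <= NF; i++) if ($i in once) print $i }'
}

# Live wrapper for a real Ubuntu host (not run here; needs /proc and ps).
live_check() {
    p1=$(ls /proc | grep -E '^[0-9]+$'); s1=$(ps -e -o pid=)
    p2=$(ls /proc | grep -E '^[0-9]+$'); s2=$(ps -e -o pid=)
    confirmed_hidden "$p1" "$s1" "$p2" "$s2"
}

# Constructed snapshots (not from a real host): PID 2213 is in /proc in both rounds but
# never in ps; PID 4000 exits between the first /proc listing and the first ps run.
PROC1="1 2 812 2213 4000"
PSL1="1 2 812"
PROC2="1 2 812 2213"
PSL2="1 2 812"

confirmed_hidden "$PROC1" "$PSL1" "$PROC2" "$PSL2"
# -> 2213
```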
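The containment rules of the last step, as an added example that is not the paper's own: the LOGGING chain shown above has no LOG rule, so it drops without leaving a trace, and an unconditional DROP on the interface also cuts the analyst's own established SSH session. This function emits an iptables-restore fragment that keeps loopback and established flows, then logs and drops everything else; the interface name is a parameter (eth1, as in the paper) and count_jumps is only a verification helper.

```shell
# Added example, not the paper's code: egress containment for an infected host, completed
# with the LOG rule and the exceptions the paper's three commands lack.
# Assumptions: IFACE is the host's egress interface; nothing here touches the kernel.
# Apply only after reviewing the output, by hand:
#   printf '%s\n' "$(egress_containment eth1)" | sudo iptables-restore -n

# egress_containment IFACE : print an iptables-restore fragment for the filter table.
egress_containment() {
    iface=$1
    cat <<EOF
*filter
:LOGGING - [0:0]
# loopback and already-established flows (the analyst's SSH session) keep working
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything else leaving $iface goes to LOGGING; this must sit before any plain DROP
# on OUTPUT, otherwise the chain is never reached
-A OUTPUT -o $iface -j LOGGING
# rate-limited LOG first, so the drops can be analysed in the kernel log, then DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPT-OUT-DROP: " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# count_jumps FRAGMENT TARGET : number of rules in FRAGMENT that jump to exactly TARGET
# (the trailing space-or-end keeps "-j LOG" from also counting "-j LOGGING").
count_jumps() {
    printf '%s\n' "$1" | grep -cE -- "-j $2( |$)"
}

RULES=$(egress_containment eth1)   # eth1 is the interface used in the paper
printf '%s\n' "$RULES"
```

Logged drops appear in the kernel log with the IPT-OUT-DROP prefix, which is the evidence for the analysis the paper calls for.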