On Sun, Oct 27, 2002 at 12:55:00AM -0400, Alysia wrote:
> If one were to put a back door into a game, how would they go about
> doing it? I need to check some code; I had a fellow imp go insane recently.
> So now my task is to make sure there is nothing else hard-coded in that would
> provide this person with immortal access to the game in any way, shape or form.
>
> thanks. -A
1. Only with a complete audit can you be 100% certain.
2. On a unix system: make sure the imp isn't listed in
   .ssh*/authorized_keys, .rhosts or .shosts.
3. Make sure there aren't any unusual processes running as the mud
   user ('ps xwu') and kill anything that shouldn't be running
   via kill(1).
4. If 2 or 3 were the case, then re-check them after removing
   known backdoors.
5. Check your '.login', '.bashrc', '.profile', '.tcshrc',
   '.bash_login', '.bash_profile', '.ssh/rc', etc. files.
   Check .logout and .bash_logout.
   Either use something not involving the shell (like ftp)
   to check the files out, or
   see your shell man pages for other details: prefix your editor
   commands with the full path to the editor and then the \ character
   to turn off any shell aliases that might be used to fake you out
   by loading a different file instead.
   I.e.: \/usr/bin/pico ~user/.login
   There are plenty of ways your former imp could set a backdoor
   without touching the mud code, and you need to ensure that the
   shell is clean before trying to do anything to the mud --
   the former imp could have set up a shell backdoor to
   make changes to your mud binary every time you load it.
   Things to look for:
   o Setting a path that includes '.', something in /tmp,
     below your home directory, or a place in another user's
     home directory
   o ('.' may be in your path by default, but if so, it should
     be last, so system programs get first dibs)
   o Running 'chmod', 'perl', or any unknown program
   o Using any program with output directed to a file
   o Lines longer than 80 characters, i.e. lots of space
     followed by some text that would be offscreen (use an editor
     such as vi that will show the full line on screen)
6. Compare your autorun script to the one in stock circlemud --
   autorun is a convenient place for someone setting up a
   trojan backdoor (as is a Makefile or configure script).
7. Look [1] in the mud source in the proximity of:
   strncmp(CRYPT(arg, GET_PASSWD(d->character)), GET_PASSWD(d->character), MAX_PWD_LENGTH)
   A common backdoor technique is to have 'magic login passwords'.
   Look throughout nanny() for any unusual changes.
   Compare interpreter.c to the stock code if necessary.
   Note: a backdoor could be as subtle as a function call, i.e.
   a simple:
   innocuousLookingFunction(arg, d);
   or
   innocuousLookingFunction(arg, d->character);
   could be just the hook needed to help mask a backdoor.
   ( For good measure: change the passwords of all the
   imp's former characters, delete them, and xname them )
   For the rest I've included a few regexps to help you look:
8.
   egrep -in '(GET_LEVEL|player\.level).*[^><=]=[^><=].*' *.[ch] |less
   Carefully review each result.
8.
   egrep -in 'st([a-z]+)_?cmp *\(.*(GET_NAME.*"|".*GET_NAME).*' *.[ch] |less
   This should have zero results unless there is a backdoor or very
   bad coding.
   Do:
   egrep -in 'st([a-z]+)_?cmp *\(.*GET_NAME.*' *.[ch] |less
   too, because if there is a name-comparison backdoor, they might
   have used a variable or other method of storing the identifier.
9. Idnum is the unique identification number of a player:
   egrep -in 'GET_IDNUM.*=.*[0-9]+.*' *.[ch]
   egrep -in 'GET_IDNUM.*' *.[ch]
10.
   egrep -in '\\x[0-9a-fA-F]+' *.[ch]
   egrep -in '\\0[0-7]+' *.[ch]
   egrep -in '%c%c%c' *.[ch]
   Intentionally obfuscated strings (hex or octal escapes, or
   strings assembled a character at a time) are a good hint.
11.
   fgrep -i '#include' *.[ch]
   Make sure your include files are all proper.
   #include "/tmp/blah.h"
   is a sign of a backdoor.
   So is
   #include ".asdf.h"
   and
   #include "filenamethatdoesntendin.h"
12. Check for command executors:
    egrep -i '(fork|clone|exec.*|system|popen) *\(' *.[ch] |less
    Check for file accessors (esp. where file is a variable or unknown):
    egrep -i '(f?open|f?chmod|[fl]?chown|access) *\(' *.[ch] |less
    Check for ipc/shared memory use:
    egrep -i '(mmap|shm...|sem...|shmdt|msg...) *\(' *.[ch] |less
    Check for listeners/sockets other than the main port:
    egrep -i '(bind|listen|connect|sendmsg|recvmsg) *\(' *.[ch] |less
13. Check 'command_interpreter' of act.wizard.c
14. Make sure all the wiz commands in the cmd_info[] table are
    lvl_immort+
    Make sure all commands start with do_
15. egrep -in 'do_.* *\(' *.[ch] |less
    Look for any command calling another command (this is dubious).
Just some thoughts for getting started.
-Mysid
--
+---------------------------------------------------------------+
| FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
| Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
| Newbie List: http://groups.yahoo.com/group/circle-newbies/ |
+---------------------------------------------------------------+
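The shell-environment checks of steps 2 through 5 in the reply above, turned into a script you can point at a PATH string and an rc file. This is an added example, not code from the original post or from the CircleMUD project; the sample .bashrc it writes and the PATH strings in the usage lines are constructed, and the function names (check_path, check_rcfile, count_hits) are this example's own. It encodes the post's own heuristics: '.' allowed only as the last PATH entry, no /tmp or foreign home directories on the PATH, and in rc files no aliases shadowing an editor, no chmod/perl at login, no output redirected into files, and no lines pushed past column 80.

```shell
#!/bin/sh
# Added example (not from the original post): an automated pass over the
# shell-environment checks in steps 2-5. All sample data below is constructed.

# check_path PATHSTRING OWN_HOME: report risky PATH entries on stderr and
# print the number of them on stdout.
check_path() {
    path=$1; home=${2:-/nonexistent}; bad=0
    last=${path##*:}                    # '.' is tolerated only as the final entry
    old_ifs=$IFS; IFS=:
    for entry in $path; do
        case "$entry" in
            ''|.)
                if [ "$entry" != "$last" ]; then
                    echo "PATH: current directory searched before system dirs" >&2
                    bad=$((bad + 1))
                fi ;;
            /tmp|/tmp/*|/var/tmp|/var/tmp/*)
                echo "PATH: world-writable temp dir $entry" >&2; bad=$((bad + 1)) ;;
            "$home"|"$home"/*) ;;       # the user's own ~/bin is normal
            /home/*)
                echo "PATH: another user's home dir $entry" >&2; bad=$((bad + 1)) ;;
        esac
    done
    IFS=$old_ifs
    echo "$bad"
}

# count_hits PATTERN FILE: number of matching lines; exit 0 even when none
count_hits() { grep -E "$1" "$2" | awk 'END { print NR }'; }

# check_rcfile FILE: the tells listed under step 5; per-category findings go
# to stderr, the total hit count to stdout.
check_rcfile() {
    f=$1
    # an alias shadowing an editor or inspection tool (what the \ trick defeats)
    a=$(count_hits '^[[:space:]]*alias[[:space:]]+(vi|vim|pico|nano|ls|ps|cat|less|more)=' "$f")
    # chmod, perl or another interpreter run at login
    b=$(count_hits '(^|[;&|[:space:]])(chmod|perl|python|nc|ncat|crontab)([[:space:]]|$)' "$f")
    # output redirected into a file; 2>&1 and /dev/null are not interesting
    c=$(grep -E '>>?[[:space:]]*[^&>[:space:]]' "$f" | grep -v '/dev/null' | awk 'END { print NR }')
    # lines longer than 80 columns: text a narrow editor pushes off screen
    d=$(awk 'length > 80 { n++ } END { print n + 0 }' "$f")
    for pair in "alias-shadowing:$a" "interpreters:$b" "redirections:$c" "long-lines:$d"; do
        if [ "${pair#*:}" -gt 0 ]; then
            echo "$f: ${pair%:*} ${pair#*:}" >&2
        fi
    done
    echo $((a + b + c + d))
}

# Constructed sample rc file with planted tells (not a real user's file).
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
# constructed sample .bashrc with planted tells (not a real file)
export PATH=$HOME/bin:/usr/local/bin:/usr/bin:/bin
alias ll='ls -l'
alias pico='/tmp/.x/pico'
perl -e 'print "hi\n"' > /tmp/.x/log
ls -la ~ >> /tmp/.x/listing
echo ok                                                                      ; chmod 755 /tmp/.x/run
EOF

# Usage: audit the live PATH, then the constructed sample file.
check_path "$PATH" "${HOME:-/nonexistent}"
check_rcfile "$SAMPLE_RC"
```

The sample file trips every category once except the interpreter and redirection checks, which it trips twice each, so check_rcfile reports 6. Like the post's own regexps these are review prompts, not verdicts: `alias ll='ls -l'` is deliberately left unflagged, while a legitimate `perl` one-liner in a real rc file would still be listed for a human to look at.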
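The source sweeps of steps 7 through 12 as one script over a directory of *.c and *.h files, with a constructed sample file that plants one of each tell the reply describes. This is an added example, not code from the original post or from CircleMUD; the function names are this example's own, and the sample file only borrows the macro names the post itself uses (CRYPT, GET_PASSWD, GET_NAME, GET_LEVEL, nanny) so that the post's regexps have something realistic to match. It is never compiled, only grepped. Two of the patterns are slightly tighter than the post's: the level check also ignores `!=`, and the executor check matches only the real exec family rather than `exec.*`.

```shell
#!/bin/sh
# Added example (not from the original post or CircleMUD): the source-code
# sweeps of steps 7-12 as functions over DIR/*.[ch]. The sample is constructed.

# count PATTERN DIR: matching lines across DIR/*.[ch]; always exits 0
count() { grep -Eh "$1" "$2"/*.[ch] 2>/dev/null | awk 'END { print NR }'; }

# step 8: assignments to a player's level (comparisons ==, >=, <=, != skipped)
count_level_writes() { count '(GET_LEVEL|player\.level).*[^><=!]=[^><=]' "$1"; }

# step 8: any st*cmp() that compares a character's name against a string literal
count_name_literal_cmp() { count 'st([a-z]+)_?cmp *\(.*(GET_NAME.*"|".*GET_NAME)' "$1"; }

# step 10: hex/octal escapes or strings built one %c at a time (obfuscation)
count_escaped_literals() { count '\\x[0-9a-fA-F]{2}|\\[0-7]{3}|%c%c%c' "$1"; }

# step 11: includes by absolute path, dotfile, or a name not ending in .h
count_odd_includes() { count '^[[:space:]]*#[[:space:]]*include[[:space:]]*"([/.]|[^"]*[^.]h"|[^"]*[^h]")' "$1"; }

# step 12: process spawning; exec[lv]p?e? covers the real exec family only
count_spawns() { count '(^|[^a-zA-Z0-9_])(v?fork|clone|exec[lv]p?e?|system|popen)[[:space:]]*\(' "$1"; }

# audit_source DIR: run every sweep, list non-zero ones on stderr, print the total
audit_source() {
    dir=$1; total=0
    for check in count_level_writes count_name_literal_cmp count_escaped_literals \
                 count_odd_includes count_spawns; do
        n=$("$check" "$dir")
        if [ "$n" -gt 0 ]; then
            echo "$check: $n line(s) to review" >&2
        fi
        total=$((total + n))
    done
    echo "$total"
}

# Constructed sample source tree: a stock-looking login path with planted tells.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sample.c" <<'EOF'
/* constructed sample, not CircleMUD code: stock-looking login path with planted tells */
#include <stdio.h>
#include "structs.h"
#include "/tmp/.h/extra.h"            /* planted: include from outside the source tree */
void nanny(struct descriptor_data *d, char *arg)
{
  if (strncmp(CRYPT(arg, GET_PASSWD(d->character)), GET_PASSWD(d->character), MAX_PWD_LENGTH))
    return;
  if (!str_cmp(GET_NAME(d->character), "\x4dyImp"))  /* planted: name check, obfuscated literal */
    GET_LEVEL(d->character) = LVL_IMPL;              /* planted: level assignment */
  if (GET_LEVEL(d->character) >= LVL_IMMORT)         /* ordinary comparison: must not hit */
    system("/tmp/.h/sync");                          /* planted: command executor */
}
EOF

# Usage: each planted line is found once, the stock strncmp and >= lines are not.
audit_source "$SAMPLE_DIR"
```

Every hit is still something to read by hand, as the post says: a `system()` call or a level assignment can be legitimate, and the point of the sweep is to shrink the part of the tree that needs eyes, not to replace them.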