0

Consider I have root ssh access to a Linux server (Ubuntu 18.04 LTS). What is the best way to maintain access even after losing ssh access? Are there any tools out there to help maintaining stealthiness and access(root)?

FreeMind
  • 113
  • 1
  • 7
  • The thing about stealthiness is that as soon as the 'best way' becomes known, everyone starts looking for it and it's not so good anymore... In any case, people answering may want to know whether you're more concerned about your changes on the compromised host being found or about your communication being picked up by network monitoring (probably both, but I can imagine cases where one or the other might not be a major issue) – Silver Nov 11 '19 at 19:12
  • @Silver I know that whole server is monitored by Zabbix. I just want decent stealthiness and be able to maintain the root access for some time. It does not need to be a super secret technique. Something that works! – FreeMind Nov 11 '19 at 19:14
  • @FreeMind The thing about "something that works" is exactly that: Any answer that we give here will inevitably also be available to defenders, and highlight this weak spot more. Imagine asking on Facebook: "Where's the best place in Vienna to buy weed?" - Any answer would not be a good answer anymore as soon as it's posted. –  Nov 13 '19 at 06:42
  • @MechMK1 You are right. But there should be a way to give me some tips so I can go on and research about it myself somehow?! – FreeMind Nov 13 '19 at 07:10
  • The existing answer below does just that. –  Nov 13 '19 at 07:18

1 Answers1

4

Persistence

This would be called 'persistence' both from perspective of automated malware and a human attacker.

Some popular approaches include:

  • Extra user accounts - for example, creating an account 'hacker' with full suid privileges would allow to log in if the root credentials are changed;
  • Backdoors - for example, a php webshell on a webserver, or a running CobaltStrike beacon, or a netcat bind shell listener would enable future access even if ssh becomes blocked as such. Also, downgrading some system service to an older version with known remote code execution vulnerabilities would be a useful backdoor.
  • Scheduled tasks - for example, a cron job that runs a reverse shell every hour to an attacker-controlled adress, or a system startup script that adds an extra privileged account and backdoor when a system is restarted would enable to regain access at a later time if the attacker is kicked out.
Peteris
  • 8,419
  • 1
  • 28
  • 35