[1766] in linux-security and linux-alert archive
[linux-security] Re: Re: Bind Overrun Bug and Linux
daemon@ATHENA.MIT.EDU (Duncan Simpson)
Fri May 22 07:41:38 1998
Date: Fri, 22 May 1998 00:49:24 +0100
From: Duncan Simpson <dps@io.stargate.co.uk>
In-reply-to: "Your message of Tue, 19 May 1998 19:04:32 -0000." <3561D7BD.E63810FD@wisper.net>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
A recent CERT advisory said the sort of things we expect: ps, pstree, netstat,
ls, etc. omit interesting information that you might not want to reveal.
bind xterm backdoor.
It has not happened to me so I do not know myself. Last time I recompiled
everything from known clean source and it was *not fun*. I checked for hidden
processes and stuff like that using echo * instead of ls (which is one of the
most likely things to be trojanised).
My ps tester should detect simple ps trojans and tell you about them, avoiding
logs on the local machine. The subject looks innocuous enough if the attacker
sees it. The message content is explicit. The program will also tell you
what IP address the attacker was connected from in many cases and boot the
attacker off the system (the program does not use netstat, so a backdoored netstat
is useless; it avoids hostnames and tells you the IP numbers and time). If the
attacker is silly enough to use telnet or similar you will know the source.
The process name in all versions of ps, pstree, etc. is httpd. The advantage
over MD5 sums is the identification of evil processes and the generation of
lots of permanent information from /proc. There is also an unreleased scanner
that uses kill with signal 0 and compares with /proc for those that hack
/proc, in addition to the normal /proc vs ps checking. It is a simple trap
and *not* a replacement for regular tripwire scans (alert attackers can easily
kill it before it gets them).
You can get the source by anonymous ftp from mars.astra.co.uk in the
/pub/word2x directory. The code is in the archive called check-ps. No binaries are
available and you should compile it yourself for obvious security reasons
anyway.
--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
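The cross-checks Duncan describes (the /proc listing against what ps reports, and a kill(pid, 0) sweep against /proc for rootkits that hide entries from /proc itself) as an added example; this is not check-ps and not code from the post. It assumes a Linux /proc layout, a `ps` that accepts `-e -o pid=`, and that the host's pid_max is readable from /proc/sys/kernel/pid_max (falls back to 32768 otherwise). The comparison itself is a pure function over sets so it can be exercised with constructed PID sets:

```python
#!/usr/bin/env python3
"""Hypothetical hidden-process check: compare three views of the process table
(/proc directory names, ps output, kill(pid, 0) probes) and report what any
single view hides relative to the others. Added example, not check-ps."""
import errno
import os
import subprocess
from typing import Dict, Iterable, List, Set


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Extract PIDs from `ps -e -o pid=` style output (one PID per line).
    Tolerates extra whitespace, blank lines and a stray header line."""
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        fields = line.strip().split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def ps_pids() -> Set[int]:
    """Ask the (possibly trojaned) ps binary what it is willing to show."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def proc_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs that appear as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_max(default: int = 32768) -> int:
    """Upper bound for the kill(0) sweep; assumption: /proc/sys/kernel/pid_max."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def probe_pids(upper: int) -> Set[int]:
    """PIDs that exist according to the kernel's kill(pid, 0) check.
    ESRCH means no such process; EPERM means it exists but is not ours."""
    alive: Set[int] = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
        except OSError as exc:
            if exc.errno == errno.EPERM:
                alive.add(pid)
            # errno.ESRCH: nothing there, keep going
        else:
            alive.add(pid)
    return alive


def compare_views(from_proc: Iterable[int], from_ps: Iterable[int],
                  from_kill: Iterable[int]) -> Dict[str, List[int]]:
    """Pure comparison of the three snapshots. Each key names a discrepancy
    a defender would want to look at; empty lists mean the views agree."""
    p, s, k = set(from_proc), set(from_ps), set(from_kill)
    return {
        "in_proc_not_ps": sorted(p - s),      # classic ps trojan
        "in_ps_not_proc": sorted(s - p),      # ps lying or /proc hooked
        "alive_not_in_proc": sorted(k - p),   # hidden from /proc entirely
    }


def describe(pid: int, proc_root: str = "/proc") -> str:
    """Best-effort name/cmdline for a flagged PID, read straight from /proc."""
    try:
        with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
            cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        return cmd or "(no cmdline, kernel thread or hidden)"
    except OSError:
        return "(not readable via /proc)"


if __name__ == "__main__":
    # Take the snapshots as close together as possible to limit races.
    snap_proc, snap_ps = proc_pids(), ps_pids()
    snap_kill = probe_pids(pid_max())
    report = compare_views(snap_proc, snap_ps, snap_kill)
    for key, pids in report.items():
        for pid in pids:
            # Re-check before reporting: short-lived processes come and go.
            still_there = pid in proc_pids() or pid in probe_pids(pid)
            if still_there:
                print(f"{key}: pid {pid}: {describe(pid)}")
```

Expect a few false positives from processes that start or exit between snapshots (hence the re-check before printing); a PID that survives the re-check and is consistently missing from one view is the signal worth investigating. Like the tool in the post, this is a trap rather than a substitute for file-integrity checks: an attacker who controls the kernel can hide from all three views at once.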
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null