OT: Linux tip

Bill Campbell bill at celestial.com
Thu Oct 18 12:30:13 PDT 2007


On Thu, Oct 18, 2007, Jay R. Ashworth wrote:
>I got rootkitted last month, on my sister's MythTV box, by a Polish IRC
>bot I can't remember the name of just now, that turned up in a ps as
>./miracle, and was in /var/tmp/keystuff.

I have a simple perl script, findexecs, that goes through
directory trees looking for executable programs.  A quick check
using ``findexec /tmp /dev /var/tmp'' will often turn up
``interesting'' things.

Typically the IRC is talking back to something in undernet.org.

Another useful command is ``lsof -n -i | less'' then look for
connections established to strange outside systems on unusual ports.

>I figured out where it was by going to /proc/PID/cwd, and that
>suggested to me, just now, a pretty cool way to tell what's *really*
>running on your machine, assuming someone hasn't monkeyed with ls and
>/proc:
>
>ls -l /proc/*/exe

Crackers often mess with ps, ls, find, and other programs to hide
their presence.  Slightly smarter crackers will set the immutable
bit on their changed programs to make it a bit more difficult for
one to fix them.  The commands ``lsattr'' and ``chattr'' are your
friends (so far I haven't found a cracker who changed them :-).

On RPM based systems (SuSE, Red Hat, CentOS, etc.) ``rpm -V'' can
be very useful to find changes by hackers.  It's no replacement
for maintaining good intrusion detection software that makes it
easy to detect new, missing, or changed files on the system.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Giving money and power to government is like giving whiskey and car keys to
teenage boys -- P.J. O'Rourke
-------------- next part --------------
:
#!/csrel25/bin/perl
eval 'exec /csrel25/bin/perl -S $0 ${1+"$@"}'
	if $running_under_some_shell;

# $Header: /vol/cscvs/lbin/findexecs,v 1.4 1998/12/13 23:05:14 bill Exp $
# $Date: 1998/12/13 23:05:14 $
# @(#) $Id: findexecs,v 1.4 1998/12/13 23:05:14 bill Exp $
#
# findexecs: list binary executables under the given files/directories
# (under "." when no arguments are given), or under the file names read
# from stdin when the only argument is "-".

use strict;
use warnings;
use Getopt::Std;

our ($opt_v, $opt_V, $opt_x);

( my $progname = $0 ) =~ s!.*/!!; # save this very early

my $USAGE = "
#
#   Usage: $progname [-v] [-x] [file|directory [file|directory...]]
#
# Options   Argument    Description
#   -x                  Don't cross file system boundaries (-xdev)
#   -v                  Verbose
#
";

sub usage {
	die join("\n", @_) .
	"\n$USAGE\n";
}

getopts("vVx") or usage("Invalid Option");

$\ = "\n";	# use newlines as separators.

my $verbose = ($opt_v || $opt_V);	# accepted for compatibility; nothing below uses it

# $< = $>;	# make it ignore taintedness

my @arguments = (@ARGV ? @ARGV : '.');

my $fh;
if (@ARGV == 1 && $ARGV[0] eq '-') {
	$fh = \*STDIN;			# file names come from stdin, one per line
}
else {
	# gfind is GNU find on this system (plain "find" on Linux).
	# List-form open: no shell, so odd characters in names are passed literally.
	my @find = ('gfind', @arguments);
	push @find, '-xdev' if $opt_x;
	push @find, '-type', 'f';
	open($fh, '-|', @find) or die "$progname: cannot run @find: $!\n";
}
while (defined($_ = <$fh>)) {
	chomp;
	# skip object files, anything that is not a regular file, and text files
	next if ( /\.o$/ || ! -f $_ || -T _ );
	# ask file(1) what it is; list-form open again, and "--" so that names
	# beginning with "-" are not taken as options
	open(my $type, '-|', 'file', '--', $_) or next;
	my $desc = <$type>;
	close($type);
	next unless ( defined $desc && $desc =~ /executable/ );
	print;	# the file name, one per line
}
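An added example, not part of the original mail and not Bill's findexecs: a small Python 3 script that does the two checks discussed in the thread without trusting ps, ls or find: it reads what each /proc/PID/exe link really points to and flags processes running from temp directories or from an unlinked file, and it sweeps a directory tree for executables by mode bit or ELF magic rather than by shelling out to file(1). The directory list SUSPECT_DIRS and the demo() fixture (a fake /proc and a scratch tree) are constructed here and are assumptions, not values from the original post.

```python
#!/usr/bin/env python3
"""Added example: inspect /proc/PID/exe targets and sweep trees for executables.
Not from the original mail; SUSPECT_DIRS and the demo() fixture are assumptions."""
import os
import stat

# Directories where a running or planted executable is a red flag (assumed list).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev", "/dev/shm")


def classify_exe_target(target):
    """Classify the resolved target of /proc/PID/exe.

    Returns a short reason string, or None when nothing looks odd."""
    if target.endswith(" (deleted)"):
        # The binary was unlinked after it started; the kernel still shows it.
        return "running from unlinked file"
    for d in SUSPECT_DIRS:
        if target == d or target.startswith(d.rstrip("/") + "/"):
            return f"running from {d}"
    return None


def scan_proc(proc_root="/proc"):
    """Return [(pid, exe_target, reason)] for every readable /proc/PID/exe that
    classify_exe_target flags. Unreadable links (other users' processes when
    not root, kernel threads) are skipped silently."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        reason = classify_exe_target(target)
        if reason:
            findings.append((int(entry), target, reason))
    return findings


def is_elf(path):
    """True when the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"\x7fELF"
    except OSError:
        return False


def find_executables(roots, one_filesystem=False):
    """Walk each root and return regular files that are executable by mode bit
    or that carry ELF magic (an exec bit can be stripped; the magic cannot).
    Symlinked directories are not followed; one_filesystem mirrors -xdev."""
    found = []
    for root in roots:
        root_dev = os.lstat(root).st_dev if one_filesystem else None
        for dirpath, dirnames, filenames in os.walk(root):
            if one_filesystem:
                dirnames[:] = [d for d in dirnames
                               if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & 0o111 or is_elf(p):
                    found.append(p)
    return sorted(found)


def demo():
    """Constructed fixture so both checks run offline: a fake /proc with two
    processes and a scratch tree with an ELF file (no exec bit), an executable
    shell script and a plain text file. Values are made up for the example."""
    import tempfile
    base = tempfile.mkdtemp()
    proc = os.path.join(base, "proc")
    os.makedirs(os.path.join(proc, "4242"))
    os.makedirs(os.path.join(proc, "77"))
    os.symlink("/var/tmp/keystuff/miracle", os.path.join(proc, "4242", "exe"))
    os.symlink("/usr/bin/bash", os.path.join(proc, "77", "exe"))
    tree = os.path.join(base, "var_tmp")
    os.makedirs(tree)
    with open(os.path.join(tree, "miracle"), "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 12)      # ELF magic, exec bit deliberately absent
    script = os.path.join(tree, "run.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o755)
    with open(os.path.join(tree, "notes.txt"), "w") as f:
        f.write("just text\n")
    execs = [os.path.relpath(p, tree) for p in find_executables([tree])]
    return scan_proc(proc), execs


if __name__ == "__main__":
    for pid, target, reason in scan_proc():
        print(f"{pid}\t{target}\t{reason}")
    for path in find_executables(["/tmp", "/var/tmp", "/dev"]):
        print(path)
```

Run it as root on the live system to see both lists for the real /proc and the real temp directories; demo() only exercises the constructed fixture. Reading /proc/PID/exe bypasses a trojaned ps or ls, but not a kernel-level rootkit, which is why the mail's point about a separate file-integrity tool still stands.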


More information about the Filepro-list mailing list