OT: Linux tip
Bill Campbell
bill at celestial.com
Thu Oct 18 13:58:37 PDT 2007
On Thu, Oct 18, 2007, Jay R. Ashworth wrote:
>On Thu, Oct 18, 2007 at 12:30:13PM -0700, Bill Campbell wrote:
>> On Thu, Oct 18, 2007, Jay R. Ashworth wrote:
>> >I got rootkitted last month, on my sister's MythTV box, by a Polish IRC
>> >bot I can't remember the name of just now, that turned up in a ps as
>> >./miracle, and was in /var/tmp/keystuff.
>>
>> I have a simple perl script, findexecs, that goes through
>> directory trees looking for executable programs. A quick check
>> using ``findexec /tmp /dev /var/tmp'' will often turn up
>> ``interesting'' things.
>
>Assuming your rootkit doesn't break the ability of whatever system call
>your perl script is using to prowl the tree with a loadable module.
That perl script uses the standard GNU gfind command (I make a
symlink on Linux systems so that my fingers can type gfind
without thinking).
It could very easily be modified to do the scanning by reading
the directory entries, which is what I do with most of the python
scripts I'm writing now. It currently depends on the ``file''
command, but I think there's a perl module for that as well.
>> Typically the IRC is talking back to something in undernet.org.
>
>This one was numeric.
>
>> Another useful command is ``lsof -n -i | less'' then look for
>> connections established to strange outside systems on unusual ports.
>
>Oh: "ports". :-)
Fairlight mentioned grepping for LISTEN, but I've often found that the IRC
bots aren't listening for general connections. They make connections back
to a master controller, then are run from that machine.
I have often found that these cracks have had directories with files
containing lists of server IP addresses to check, and have used these lists
to seed iptables blocking at the borders.
>> >I figured out where it was by going to /proc/PID/cwd, and that
>> >suggested to me, just now, a pretty cool way to tell what's *really*
>> >running on your machine, assuming someone hasn't monkeyed with ls and
>> >/proc:
>> >
>> >ls -l /proc/*/exe
>>
>> Crackers often mess with ps, ls, find, and other programs to hide
>> their presence. Slightly smarter crackers will set the immutable
>> bit on their changed programs to make it a bit more difficult for
>> one to fix them. The commands ``lsattr'' and ``chattr'' are your
>> friends (so far I haven't found a cracker who changed them :-).
>
>Lucky us.
>
>> On RPM based systems (SuSE, Red Hat, CentOS, etc.) ``rpm -V'' can
>> be very useful to find changes by hackers. It's no replacement
>> for maintaining good intrusion detection software that makes it
>> easy to detect new, missing, or changed files on the system.
>
>Or, y'know, tripwire.
I used tripwire for years, reluctantly, as its output is extremely verbose
and it doesn't handle files with whitespace nicely. I put up with it until
I couldn't get it to build properly on 64-bit SuSE systems, so I broke down
and wrote my own security scanner in python.
My scanner uses the tripwire configuration files, maintaining its own
database using Sleepycat/BDB files. Its output is much cleaner than
tripwire's, only displaying useful information relating to new, changed, and
missing files.
AIDE is another freely available intrusion detection program.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
When a place gets crowded enough to require ID's, social collapse is
not far away. It is time to go elsewhere. The best thing about space
travel is that it made it possible to go elsewhere.
-- Robert Heinlein
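The scan Bill describes above (executables hiding in /tmp, /dev and /var/tmp, plus Jay's ls -l /proc/*/exe trick), written out as an added example in Python. This is not Bill's findexecs script or any code from the thread: it reads directory entries with os.scandir and sniffs ELF and shebang headers itself, so it depends on neither gfind nor the file(1) command, and it resolves /proc/<pid>/exe to show what is really running. It assumes a Linux /proc layout; the sample tree, the pid 4242 and the ./miracle name are constructed for the demo. The caveat Jay raised still applies: this is only as honest as the kernel answering getdents(2) and readlink(2), so a loadable-module rootkit can filter what it sees.

```python
#!/usr/bin/env python3
"""Hunt for executables in scratch directories and list what /proc says is
really running.  Added example, not the findexecs script from the thread."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"


def looks_executable(path):
    """Return a reason string if the regular file at path looks runnable, else None.
    Checks both the execute bits and the first bytes of content, so an ELF
    binary dropped with mode 0644 is still reported."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None  # symlinks, devices, sockets are not examined here
    reasons = []
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("x-bit")
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        head = b""
    if head.startswith(ELF_MAGIC):
        reasons.append("ELF")
    elif head.startswith(SHEBANG):
        reasons.append("script")
    return ",".join(reasons) or None


def find_executables(roots):
    """Walk each root without following symlinks; return sorted (path, reason) pairs."""
    hits = []
    stack = [r for r in roots if os.path.isdir(r)]
    while stack:
        d = stack.pop()
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue  # unreadable directory: keep going, rerun as root if it matters
        for e in entries:
            if e.is_dir(follow_symlinks=False):
                stack.append(e.path)
            elif e.is_file(follow_symlinks=False):
                why = looks_executable(e.path)
                if why:
                    hits.append((e.path, why))
    return sorted(hits)


def running_exes(proc="/proc", suspicious_roots=("/tmp", "/var/tmp", "/dev")):
    """Resolve /proc/<pid>/exe for every numeric pid.  A process is flagged when
    its binary lives under a scratch directory or was unlinked after exec,
    which the kernel reports with a ' (deleted)' suffix on the link target."""
    out = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, name, "exe"))
        except OSError:
            continue  # kernel thread, pid already gone, or not our process and not root
        flagged = target.endswith(" (deleted)") or any(
            target == r or target.startswith(r.rstrip("/") + "/") for r in suspicious_roots)
        out.append((int(name), target, flagged))
    return sorted(out)


def build_demo():
    """Constructed sample tree and fake /proc (not real system data) mimicking a
    bot dropped in /var/tmp/keystuff.  Returns (base, scratch_dir, fake_proc)."""
    base = tempfile.mkdtemp(prefix="findexecs_demo_")
    vt = os.path.join(base, "var", "tmp", "keystuff")
    os.makedirs(vt)
    with open(os.path.join(vt, "miracle"), "wb") as fh:     # ELF header, no x-bit
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)
    with open(os.path.join(vt, "run.sh"), "wb") as fh:      # shebang script, x-bit set
        fh.write(b"#!/bin/sh\n./miracle &\n")
    os.chmod(os.path.join(vt, "run.sh"), 0o755)
    with open(os.path.join(vt, "servers.txt"), "wb") as fh:  # data file, must not match
        fh.write(b"192.0.2.10\n192.0.2.11\n")
    os.symlink("/bin/sh", os.path.join(vt, "sh"))            # symlink, skipped
    proc = os.path.join(base, "proc")
    os.makedirs(os.path.join(proc, "4242"))
    os.symlink(os.path.join(vt, "miracle"), os.path.join(proc, "4242", "exe"))
    os.makedirs(os.path.join(proc, "1"))
    os.symlink("/sbin/init", os.path.join(proc, "1", "exe"))
    return base, vt, proc


if __name__ == "__main__":
    base, vt, proc = build_demo()
    for path, why in find_executables([os.path.join(base, "var", "tmp")]):
        print(f"{why:13} {path}")
    for pid, exe, flagged in running_exes(proc, suspicious_roots=(vt,)):
        print(f"{'!!' if flagged else '  '} {pid:6} {exe}")
```

On a live box run it as root with the default roots (find_executables(["/tmp", "/dev", "/var/tmp"]) and running_exes()); unprivileged users cannot readlink other users' /proc/<pid>/exe, so the process list comes back nearly empty otherwise.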
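The tripwire-style scanner Bill describes (a baseline database of file attributes, with a report limited to new, changed and missing files), as an added example that is not his scanner or tripwire's code. It records a SHA-256 hash, mode, owner, group and size per file in a dbm database (Python's dbm module standing in for the Sleepycat/BDB files he uses) and compares the tree against it on the next run. The sample tree under a temporary directory and the "trojaned ps" it simulates are constructed; on a real system the baseline must be taken from a known-clean install and the database kept off the machine or on read-only media, since a cracker who can replace ls and ps can just as easily rewrite a baseline stored beside them.

```python
#!/usr/bin/env python3
"""Minimal tripwire-style file integrity checker.  Added example, not the
scanner described in the thread."""
import dbm
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Return the attributes compared on each run as one bytes record.
    Regular files are hashed; symlinks contribute their target text instead."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
    fields = [h.hexdigest(), oct(st.st_mode), str(st.st_uid), str(st.st_gid), str(st.st_size)]
    return "|".join(fields).encode()


def walk(roots):
    """Yield every file and symlink under roots, in stable order, without
    descending into symlinked directories."""
    for root in roots:
        for d, dirs, files in os.walk(root):
            dirs[:] = sorted(x for x in dirs if not os.path.islink(os.path.join(d, x)))
            for f in sorted(files):
                yield os.path.join(d, f)


def baseline(db_path, roots):
    """Create (or overwrite) the baseline database from the current state of roots."""
    with dbm.open(db_path, "n") as db:
        for p in walk(roots):
            db[p.encode()] = fingerprint(p)


def check(db_path, roots):
    """Compare the tree against the baseline.  Only differences are reported:
    paths not in the baseline, paths whose record differs, and baseline paths
    that no longer exist."""
    report = {"new": [], "changed": [], "missing": []}
    seen = set()
    with dbm.open(db_path, "r") as db:
        for p in walk(roots):
            key = p.encode()
            seen.add(key)
            if key not in db:
                report["new"].append(p)
            elif db[key] != fingerprint(p):
                report["changed"].append(p)
        report["missing"] = sorted(k.decode() for k in db.keys() if k not in seen)
    return report


def build_demo_tree():
    """Constructed sample 'bin' directory (not real system binaries)."""
    base = tempfile.mkdtemp(prefix="integrity_demo_")
    binroot = os.path.join(base, "bin")
    os.makedirs(binroot)
    for name, body in (("ls", b"real ls"), ("ps", b"real ps"), ("lsattr", b"real lsattr")):
        with open(os.path.join(binroot, name), "wb") as fh:
            fh.write(body)
        os.chmod(os.path.join(binroot, name), 0o755)
    return base, binroot


def tamper(binroot):
    """Simulate a rootkit install: ps replaced by a same-size, same-mode trojan
    (so size and mode alone would not catch it), a library dropped, lsattr removed."""
    with open(os.path.join(binroot, "ps"), "wb") as fh:
        fh.write(b"evil ps")
    with open(os.path.join(binroot, "libproc.so"), "wb") as fh:
        fh.write(b"backdoor")
    os.remove(os.path.join(binroot, "lsattr"))


if __name__ == "__main__":
    base, binroot = build_demo_tree()
    db = os.path.join(base, "baseline.db")
    baseline(db, [binroot])
    tamper(binroot)
    for kind, paths in check(db, [binroot]).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Immutable files of the sort Bill mentions show up here only if their contents or metadata actually changed; the immutable bit itself is not in the record, so pair this with lsattr when cleaning up.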
More information about the Filepro-list mailing list