[Full-Disclosure] ALERT ALERT plaintext passwords in linux ALERT ALERT

From: silvio@big.net.au
Date: 09/16/02 

From: silvio@big.net.au (silvio@big.net.au)
Date: Sun, 15 Sep 2002 15:23:11 -0700

On Sun, Sep 15, 2002 at 07:30:23PM +0200, Mikhail Iakovlev wrote:

> The whole /proc file system is virtual. In short it provides information about your computer configuration.
> Don't worry, it does not actually occupy your computer's resources, except some memory.
> And removing this file...hah, I'd love to see how you do it, since
> file is sort of linked to actual memory.

A "thing" I've seen in the past with bad attempts to disabling /dev/*mem
style things (for crappy honeypots presumeablely - dont worry, this was one
on one of of our own _development_ boxes for a while) -->

have the lseek file operation "not do anything" for those devices ;-)

/bin/cat works, but you try to do anything with lseek, and it doesnt work..
just seeks back to 0.

of course.. u can emulate an lseek with reading etc, since this also
updates the fpos.. 

--
ok.. so for the security enhanced Linux etc.. and for those chkrootkit
programs (shell scripts?)  -->
a nice method to find "hidden" processes is to recognize that a process
is a process id can be considered an exclusive resource that is available
on request by anyone on the system.
so the idea is to cycle through all the pid's, and see which ones you
can't obtain.  if at the same time you can view such a process in the regular
listings.. something is interesting.  in any case, it would appear that
the task slot cannot be allocated for "some" reason(s).
take it with a grain of salt.. but interesting none the less.
note that on linux recycling the pid's goes back to 300..  a sysctl would
be nice here to set this figure.
--
bad forensics 404 -->
sometimes a kernel rootkit will hijack the stat syscall..  maybe when doing
an exec redirection, and it wants to keep the original stat's correct
etc.
i've seen use on occasion to compare the timestamps via stat syscall and through
something like debugfs for example on the inode directly.  looking
for inconsistancies here are important to detect interesting oddities.  yes,
it does depend when the incore inode gets written back to disk, but this
is useful anyway..
forensics ain't what I do a profession.. hey, i don't even work here!
--
Silvio

Relevant Pages

  • Re: OOP and memory management
    ... But having to worry a few times about ... good thing to have, but whether the programmer ... The are more resources that a single program must manage ... Memory allocation/deallocation just happens ...
    (comp.programming)
  • Re: OOP and memory management
    ... But having to worry a few times about ... > good thing to have, but whether the programmer ... > The are more resources that a single program must manage ... Memory allocation/deallocation just happens ...
    (comp.programming)
  • Re: REGION=0M and LSQA
    ... At the time, memory was very expensive, and we ... remaining storage and always issued a return code zero. ... programs actually worked in production, ... all of the resources used by the job up until that point ...
    (bit.listserv.ibm-main)
  • Re: A realistic price comparison
    ... > Spreading Apple FUD is just as bad as spreading Microsoft FUD. ... > However, I assure you, I had more than enough resources on my XP ... > instilled in them by having limited memory and disk space early on. ...
    (comp.sys.mac.advocacy)
  • Re: Alternatives to C: ObjectPascal, Eiffel, Ada or Modula-3?
    ... pretty much have memory bugs, ... having to do manual cleanups for 100% of your resources or for only 1%? ... This is a slight problem in languages like Java that have GC but no flow-control abstraction. ... Languages like Lisp and Smalltalk are another story: it's easy to have a with-open flow control construct that runs some subordinate code and then cleans up, and to have this be the standard way to use such things. ...
    (comp.programming)