Re: LKM Trojan installed

From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/11/03

    Date: Tue, 11 Feb 2003 09:14:30 -0800
    From: Brian Hatch <focus-linux@ifokr.org>
    To: Jay Beale <jay@bastille-linux.org>

    > > > ... i created a directory, copied 'ps' et al to it, and used chattr on
    > > > them. having a known good binary outside $PATH is something of a comfort
    > > > ...
    > >
    > > Of course, if the cracker has gotten root, they can chattr it right
    > > back. In fact, the first thing I'd do as an attacker is to find all
    > > chattr'd files on the filesystem since they're probably important.
    >
    > Errmmmm...not to be a niggling b*stard, but:
    >
    > As long as you don't put all your faith in chattr, it's still a nice
    > step. I mean, it does "raise the bar," confusing some scripts and
    > usually their associated kiddies.

    The original poster seemed to think that an immutable binary was immune
    to any tampering, and could thus always be trusted. I wanted to make
    sure that misconception was cleared up - if it can be chattr'd by you as
    root, it can be unchattr'd by an attacker as root.[1]

    I had a honeypot that was compromised by an attacker, and one of the
    things he/she did was to look for chattr'd binaries. I didn't have any
    chattr'd binaries on this machine, but I created some similar to the
    method originally described here on a second honeypot. The same cracker
    got into this machine a few hours later, again looked around and this
    time found my chattr'd binaries.

    This cracker was either not good at LKMs or didn't want to use them,
    instead backdooring the binaries themselves. However, he/she found
    the chattr'd binaries, unchattr'd, replaced them with backdoored
    versions, fixed the timestamps, and put the chattr bit back.

    So file attributes do help point the way to files you consider
    important, and a good cracker will investigate and subvert these
    if possible.

    That said, defense in depth is good, and most crackers who got into
    my honeypots never looked for chattr bits at all. Just don't assume
    that a file protected by chattr is in fact unchangeable by root
    unless you have locked down chattr in the kernel.

    So, is this a niggling response to a niggling response? ;-)

    [1] And if the attacker played games with your kernel, then even
        pristine programs are easily subvertible by having the kernel
        itself lie to them, no binary trojaning necessary.

    --
    Brian Hatch                  "Do you understand
       Systems and                everything you say, sir?"
       Security Engineer         "Yes, if I listen
    www.buildinglinuxvpns.net     attentively."
    Every message PGP signed
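The scenario Brian describes (attacker as root removes +i, swaps in a backdoored binary, fixes the timestamps, sets +i again) defeats any check that trusts the immutable bit or mtime, because both are under the attacker's control. The following is an added example, not code from the original message or its author: a small Python audit that records a baseline of content hashes and timestamps while the binaries are known good, then compares the live files and `lsattr` output against it. The `lsattr` lines and the "binaries" are constructed in a temp directory, so it runs without root and without a real `chattr`; the lsattr-style flag column width and the file names are assumptions.

```python
"""Added example (not from the original message): an audit that catches the
attack described in the post, where an attacker as root un-chattr'd a binary,
replaced it, fixed the timestamps and set +i again. Because the immutable bit
and mtime are both attacker-controlled, the check trusts only a baseline of
content hashes recorded while the files were known good. The lsattr output
below is constructed; nothing here needs root or a real chattr."""
import hashlib
import os
import tempfile
import time

BINARIES = ["ps", "netstat", "ls"]  # names of the constructed sample files


def parse_lsattr(text):
    """Map path -> set of attribute letters from `lsattr` output lines
    such as '----i--------e------ /usr/local/safe/ps'."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, _, path = line.partition(" ")
        attrs[path.strip()] = {c for c in flags if c != "-"}
    return attrs


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths):
    """Record hash and timestamps for each known-good file. Keep the result
    on read-only media: root can edit a baseline stored on the host just as
    easily as the binaries it describes."""
    base = {}
    for p in paths:
        st = os.stat(p)
        base[p] = {"sha256": sha256_of(p),
                   "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}
    return base


def audit(baseline, lsattr_text, expect_immutable):
    """Compare current state against the baseline; return (path, finding) pairs."""
    findings = []
    attrs = parse_lsattr(lsattr_text)
    for path, rec in baseline.items():
        if path in expect_immutable and "i" not in attrs.get(path, set()):
            findings.append((path, "immutable flag missing"))
        if not os.path.exists(path):
            findings.append((path, "file missing"))
            continue
        st = os.stat(path)
        if st.st_mtime_ns != rec["mtime_ns"]:
            findings.append((path, "mtime changed"))
        # ctime cannot be set with utime(); it only stays put if the attacker
        # also changed the clock or edited the inode on the raw device.
        if st.st_ctime_ns != rec["ctime_ns"]:
            findings.append((path, "ctime changed"))
        if sha256_of(path) != rec["sha256"]:
            findings.append((path, "content hash changed"))
    return findings


def lsattr_line(path, immutable):
    """Build one constructed lsattr-style line (20-character flag column)."""
    flags = list("-" * 20)
    flags[12] = "e"
    if immutable:
        flags[4] = "i"
    return "".join(flags) + " " + path


def demo():
    """Stage the scenario from the post in a temp dir and run the audit.
    Returns findings keyed by basename so the caller can inspect them."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in BINARIES]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"known-good " + os.path.basename(p).encode())
        baseline = make_baseline(paths)
        # Simulated tampering of "ps": replace content, then restore mtime,
        # as in the post; the constructed lsattr still shows +i afterwards.
        ps = paths[0]
        old = os.stat(ps)
        time.sleep(0.05)
        with open(ps, "wb") as f:
            f.write(b"replaced ps")
        os.utime(ps, ns=(old.st_atime_ns, old.st_mtime_ns))
        # "netstat" simply had its +i removed and never set back.
        lsattr_text = "\n".join(
            lsattr_line(p, immutable=(os.path.basename(p) != "netstat"))
            for p in paths)
        findings = audit(baseline, lsattr_text, expect_immutable=set(paths))
        return [(os.path.basename(p), what) for p, what in findings]


if __name__ == "__main__":
    for name, what in demo():
        print(f"{name}: {what}")
```

Running `demo()` reports `ps` only through its content hash (and usually ctime), never through mtime, which is exactly why a baseline of hashes kept off-box is the check that survives this attacker; the missing +i on `netstat` shows the cheaper signal that catches the less careful intruders the post mentions. The kernel lockdown Brian alludes to was, on the 2.2/2.4 kernels of the time, typically done by dropping CAP_LINUX_IMMUTABLE from the capability bounding set, after which no process, root included, can clear +i until reboot; without that, the flag is only a speed bump.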