Re: /proc/NNNNN accuracy

From: D.C. van Moolenbroek (dcvmoole@cs.vu.nl)
Date: 12/18/02

From: "D.C. van Moolenbroek" <dcvmoole@cs.vu.nl>
Date: Wed, 18 Dec 2002 16:49:03 +0100

"Jem Berkes" wrote:
> Thanks everyone for the replies. I think /proc/pid is going to be very
> useful to me, then. If I install various home grown utilities that help
> monitor processes it's highly unlikely that a script kiddie/rootkit is
> going to replace all of them. I wanted a way to bypass 'ps' which
> everything seems to rely on.

Let me tell you a bit about the concept "kernel-level rootkit". Such
rootkits are loaded into kernel space and become part of the running kernel,
and usually have simple surface[1], advanced surface[2], or advanced deep[3]
protection against process listings (advanced as in, it can fool chkrootkit
and similar userspace utilities), because they prevent certain processes
from appearing in /proc at all. I can assure you that even some (although
not all) script kiddies use such rootkits nowadays. You can monitor /proc as
much as you want, but with such rootkits, an intruder can hide processes
without altering even one binary, and your process monitor utilities won't
help you a bit. A well-written kernel rootkit running on a "standard" Linux
system is nearly impossible to detect, so you're better off spending your
time on patching your system and/or hardening your kernel instead.

>
> Getting process information will have to involve enumerating the pid
> paths in /proc. Otherwise, I could imagine a pid-hopping malicious
> program that keeps spawning a different pid in order to avoid detection
> (?)

That wouldn't be an effective way of hiding a process, as it is far more
likely that 'ps' or any other process lister sees such a program twice than
that it doesn't see it at all. After all, a child can only be spawned by a
parent, and it's not possible to delay-spawn or something like that. Besides
that, a program that keeps transferring control to its newly spawned children
will not be able to do any other task properly, so it wouldn't be very useful
either...

Regards,

David

[1] http://packetstorm.decepticons.org/UNIX/penetration/rootkits/sk-1.3a.tar.gz
[2] <not publicly available>
[3] http://packetstorm.decepticons.org/UNIX/penetration/rootkits/Phantasmagoria.tgz

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-

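One way to put the /proc-enumeration idea from this thread to work, and to check the listing itself rather than trust it, as an added example that is not part of the original messages. It assumes a Linux procfs mounted at /proc, a readable /proc/sys/kernel/pid_max, and that kernel threads of a process appear at /proc/<tid> but not in the directory listing (which is normal Linux behaviour, hence the Tgid filter).

```python
"""Added example, not from the original thread: enumerate /proc/<pid> directly
and cross-check the readdir() listing against a per-PID existence probe, so a
process hidden only from directory listings stands out. Assumes Linux procfs."""
import os
import re

PROC = "/proc"

def listed_pids(proc=PROC):
    """PIDs visible in a directory listing of /proc; this is all `ps` sees."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(max_pid, proc=PROC):
    """PIDs whose /proc/<pid> exists when addressed by path, bypassing readdir()."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc, str(pid)))}

def hidden_from_listing(listed, probed):
    """Reachable by path but absent from the listing (pure; testable offline)."""
    return set(probed) - set(listed)

def parse_status(text):
    """Parse the 'Key: value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def is_thread(status):
    """Threads live at /proc/<tid> yet are never listed; Tgid != Pid marks them."""
    return status.get("Tgid") != status.get("Pid")

def suspicious_pids(proc=PROC):
    """PIDs still unlisted on a second look that are neither threads nor gone."""
    with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
        max_pid = int(f.read())
    cand = hidden_from_listing(listed_pids(proc), probed_pids(max_pid, proc))
    cand -= listed_pids(proc)  # listed now: it was merely new, not hidden
    out = {}
    for pid in cand:
        try:
            with open(os.path.join(proc, str(pid), "status")) as f:
                st = parse_status(f.read())
        except OSError:
            continue  # exited between probe and read
        if not is_thread(st):
            out[pid] = st.get("Name", "?")
    return out
```

Running `suspicious_pids()` as root on a live box returns a {pid: Name} map of processes that answer by path but are kept out of the listing; as David notes above, a rootkit that also filters the path lookup (the "deep" class) will defeat this check as well.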