Re: newbie: how to prevent Trojan horses?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 05/13/03


Date: Tue, 13 May 2003 19:02:01 GMT

Rita Bijlsma <bijr@oce.nl> said:
> I'm a newbie when it comes to security.
> I want to ask how can I protect myself against Trojan horses
> and still try programs from any source.
>
> What I plan to do is:
>
> - Execute the potentially dangerous programs only while being
> logged in as a user that does not own any important files
> and that belongs to a single group, which contains only that
> user. To ensure that this user has no rights anywhere else
> on the system.

The program might have legitimate needs to write f.ex. in /tmp and
/var/tmp.

> - Remove world execute permission of any suid programs, especially
> suid root programs. To ensure that programs run by the limited
> rights user can not make use of security holes in suid programs.

Also, the program might have legitimate needs to call setuid/setgid
programs.

> Will this do or is this wrong?

It already takes you some way towards your goal, but note that the
program might well behave differently when running under different
users -- f.ex. it might check whether it's running as root - and
only perform nastily when run as root.

Further, you might wish to monitor the network traffic to/from the host
where you're running the program (or be very restrictive about the
network traffic you allow in and out of the host during testing).

However, if you really want to be certain, you'd need to go through
the source code of the suspect programs -- and make sure your compiler
and libraries are clean.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
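As an added illustration of the second step in the plan above (not code from the thread or from either poster): a small audit script that lists set-id binaries and, for those a world-executable bit would still expose to the sandbox user, prints the chmod the original poster proposes. It assumes Unix mode bits as reported by os.lstat() and a sandbox user created with its own private group, so that removing "other" execute is enough to keep that user out. Following the reply's caveat that the program under test may legitimately need some set-id helpers, the script only reports and changes nothing; all paths and modes in the test input are constructed.

```python
#!/usr/bin/env python3
"""Audit set-id binaries for the restricted-user sandbox described in the thread.

Assumptions (not from the original post): Unix-style mode bits as exposed by
os.lstat(), and a sandbox user with its own private group, so that denying
"other" execute on a set-id file is enough to keep that user from running it.
The script only reports; it changes nothing, because the program under test
may legitimately need some set-id helpers.
"""
import os
import stat
import sys


def classify(mode):
    """Describe a file mode, or return None if no set-id bit is set.

    'proposed_mode' is the poster's own fix: the same mode with world execute
    removed, so a user outside the file's group can no longer run it.
    """
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    perm = stat.S_IMODE(mode)  # drop file-type bits, keep set-id/sticky bits
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "world_exec": bool(mode & stat.S_IXOTH),
        "proposed_mode": perm & ~stat.S_IXOTH,
    }


def audit_entries(entries):
    """entries: iterable of (path, uid, mode). Returns set-id findings.

    Each finding is (path, uid, info) with info from classify(). Kept separate
    from the filesystem walk so it can be exercised on constructed input.
    """
    findings = []
    for path, uid, mode in entries:
        info = classify(mode)
        if info is not None:
            findings.append((path, uid, info))
    return findings


def walk_entries(root):
    """Yield (path, uid, mode) for regular files under root; skip unreadable ones."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_uid, st.st_mode


def exposed(findings):
    """Findings the sandbox user could still execute: set-id and world-executable."""
    return [f for f in findings if f[2]["world_exec"]]


def report_lines(findings):
    """One line per exposed file with a chmod proposal; root-owned ones are marked."""
    lines = []
    for path, uid, info in exposed(findings):
        kind = "setuid" if info["setuid"] else "setgid"
        owner = " (root-owned)" if uid == 0 else ""
        lines.append("%s %s%s: proposed chmod %o %s"
                     % (kind, path, owner, info["proposed_mode"], path))
    return lines


if __name__ == "__main__":
    # Usage: python3 setid_audit.py /usr/bin /usr/sbin  (run as root to see all files)
    roots = sys.argv[1:] or ["/usr/bin"]
    found = audit_entries(e for r in roots for e in walk_entries(r))
    for line in report_lines(found):
        print(line)
    print("%d set-id files, %d still world-executable"
          % (len(found), len(exposed(found))))
```

The proposed mode keeps the set-id bit itself (e.g. 4755 becomes 4754), so users who are in the file's group keep the helper working; only the sandbox user, whose single private group matches nothing, loses execute access. Review the list before applying any change, since the reply's point stands: stripping execute from a helper the program needs will simply make it fail or behave differently in the sandbox than it would for a real user.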

