Re: Linux-box hacked, ls, ps, login modified

[lamont () ICOPYRIGHT COM (Granquist, Lamont)]

On Thu, 23 Mar 2000, Rick Tait wrote:
> It's times and incidents like this that remind me of the power of
> [ch,ls]attr & friends.
>
> Why not setup your box as you want it, then chattr +i all the binaries
> that could potentially be trojaned - and then *remove* the ability from
> the running kernel to remove the +i bit? That way - no binary can be
> modified *at* all. End result: no trojans! cf:
>
> [root@sigsegv sbin]# cp /tmp/install.log /bin/login
> cp: overwrite `/bin/login', overriding mode 0755? y
> cp: cannot create regular file `/bin/login': Permission denied
>
> Someone gave me a perl script (syscapset) to do this last week and it
> works fabulously. AFAIK, one can't undo the removal of the immutable bit
> after using syscapset until you reboot. And John Q. Cracker is unlikely to
> do this due to the rather large suspicion quotient involved.

if you can write to /dev/kmem you can hack the running kernel get around
the immutable bit (this is why with BSD securelevels writing to /dev/kmem
is turned off).  unfortunately, linux doesn't impliment anything like BSD
securelevels in the kernel by default.  to actually impliment this kind of
protection you need to do something like the LIDS package of kernel
patches (www.lids.org).

> I've tested this and it *does* work. Of course, moving the script to a
> secured box after using it, thus not leaving it lying around for prying
> eyes would be a good thing. :)
>
> Anyone who's interested in said script, let me know.
>
> Rick.
>
> On Wed, 22 Mar 2000, Frank Derichsweiler wrote:
>
> > Hi list,
> >
> > Anybody seen this?
> > The process for gl0ck is running as root on a red hat box.
> >
> > /bin/bincp/glox.su:
> >
> > gl0ck 3.2 [icmp/tcp/udp/frag+rand ID] by ip, this copy is registred to s3phz
> >
> > usage: Cancer <ip#1,ip#2,...> [options]
> >
> > -F <type>       : i=icmp s=syn u=udp f=fragbomb [i=icmp]
> > -I <addr>       : Use <addr> as source [random]
> > -p <port>       : Destinationport in syn/udp flood
> > -s <size>       : Payload size in bytes(always 0 in synflood) [0]
> > -c <count>      : Only send <count> packets [endless]
> > -m <count>      : Multiple packets(<count>) in each packetburst [1]
> > -d <delay>      : Microsec(s) delay between bursts [0]
> > -t <min>        : Floodtimeout in min(s) [30]
> > -l <port>       : CancerServer, listen for cmd's on <port>
> > -f <hostfile>   : Flood using CancerServers in <hostfile>
> > -q              : Quiet mode
> > ~
> >
> > Further investigation shoed shat /bin/ls /bin/ps /bin/login were
> > replaced byx trojaned ones.
> >
> > Luckily I found a source file with code for an exploit. Unfortunately
> > I cannont transfer it from "\xeb \x38 ..." to a readalby form.
> >
> > Any ideas?
> >
> > TIA
> > Frank
> >
> >
> > --
> > Frank Derichsweiler
> > Please *NO* CC: I read the mailing list !
>
> --
> main(v, c)char**c;{for(v[c++]="Rick Tait <rickt () unixlabs net>\n)";(!!c)[*
> c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}