[lug] Interesting Crash Report

rm at mamma.varadinet.de rm at mamma.varadinet.de
Wed Mar 21 13:16:08 MST 2001

On Wed, Mar 21, 2001 at 12:57:02PM -0700, D. Stimits wrote:
> lsof on my machine is in /usr/sbin, it might be in /sbin on some
> machines. It is a target for crackers, since it can expose them. lsof
> looks at an open file, and tells about the process that is opening it.

Yes, once the machine is 'tainted' you can't trust anything.
I've a set of binaries of some of the most usefull 'forensic'
programs that i copy to a suspicious machine (into some private
directory that i put first (!) in my path). Also it's a wise idea
to use a clean version of libc (some stripped down version will
do). Some candidates are: a good shell (statically linked one pre-
fered), lsof, sshd (start it on a non-privileged port with your
own config file and te login program that you brought with you),
/usr/bin/passwd, lsmod etc. Some of these programs need to be built
for the target machine, so it's a good idea to save them right after
you first installed the system.

Still then, most of these program depend on kernel functions and
those can be 'patched' unless you disabled loadable module support
in you kernel configuration (not a bad idea for exposed server).
Once an intruder is root he/she/it(?) can insert modules that will
hide certain files/directories/processes and even hide some kernel
modules themself. I spent most of last weekend analyzing code from
a root kit that does exactly that (poor scriptkiddy: he had three
month of free access to the server and wasn't able to become root ;-)
He/she brought in als sorts of cracking software not being aware
that all of it was written for 2.2.x kernel and the server was 
running 2.0.38. Now i have a nice fresh collection of code and
a long traceback of netlogs ...)


More information about the LUG mailing list