Thwart Trojan horse attacks on Linux systems

By Mark Sobell

July 21, 2004 12:00 PM ET

Computerworld -

This content is excerpted from a chapter from the new book, "A Practical
Guide to Red Hat Linux: Fedora Core & Red Hat Enterprise Linux", authored by
Mark Sobell, ISBN 0131470248. It is excerpted with permission from publisher
Prentice Hall PTR, copyright 2005, Mark G. Sobell. To learn more, please
visit the book's page at: http://www.phptr.com/title/0131470248

A Trojan horse is a program that does something destructive or disruptive to your system while appearing to be benign. As an example, you could store the following script in an executable file named mkfs:

while true do echo 'Good Morning Mr. Jones. How are you? Ha Ha Ha.' > /dev/console done

If you are running as Superuser when you run this command, it would continuously write a message to the console. If the programmer were malicious, it could do worse. The only thing missing in this plot is access permissions.

A malicious user could implement this Trojan horse by changing Superuser's PATH variable to include a publicly writable directory at the start of the PATH string. (The catch is that you need to be able to write to /etc/profile - where the PATH variable is set for root-and only root can do that.) Then you would need to put the bogus mkfs program file in that directory. Because the fraudulent version appears in a directory mentioned earlier than the real one in PATH, the shell runs it. The next time Superuser tries to run mkfs, the fraudulent version would run.

Trojan horses that wait for and take advantage of the misspellings that most people make are one of the most insidious types. For example, you might type sl instead of ls. Because you do not regularly execute a utility named sl and you may not remember typing the command sl, it is more difficult to track down this type of Trojan horse than one that takes the name of a utility you are familiar with.

A good way to prevent executing a Trojan horse is to make sure that your PATH variable does not contain a single colon (:) at the beginning or end of the PATH string or a period (.) or double colon (::) anywhere in the PATH string. A common way to check for a Trojan horse is to examine the filesystem periodically for files with setuid (refer to item 5 on page 372). The following command lists these files:

# find / -perm -4000 -exec ls -lh {} \; 2> /dev/null -rwsr-xr-x 1 root root 54K Apr 5 16:17 /usr/bin/lppasswd -rwsr-xr-x 1 root root 111K Feb 17 10:26 /usr/bin/crontab -rwsr-xr-x 1 root root 7.0K Apr 13 08:26 /usr/bin/kpac_dhcp_helper -rws--x--x 1 root root 18K Mar 23 12:05 /usr/bin/chfn -rws--x--x 1 root root 6.8K Mar 23 12:05 /usr/bin/newgrp -rwsr-xr-x 1 root root 39K Apr 15 12:26 /usr/bin/at -rwsr-xr-x 1 root root 42K Mar 30 13:45 /usr/bin/gpasswd -r-s--x--x 1 root root 91K Feb 15 10:04 /usr/bin/passwd -rwsr-xr-x 1 root root 17K Feb 17 09:12 /usr/bin/rlogin ---s--x--x 1 root root 96K Apr 1 08:19 /usr/bin/sudo -rwsr-xr-x 1 root root 6.8K Apr 13 08:26 /usr/bin/kgrantpty -rwsr-xr-x 1 root root 18K Feb 17 09:12 /usr/bin/rcp -rwsrwxr-x 1 root root 364K Mar 16 13:32 /usr/bin/tvtime -rwsr-xr-x 1 root root 40K Mar 30 13:45 /usr/bin/chage -rwsr-xr-x 1 root root 9.6K Feb 17 09:12 /usr/bin/rsh -rws--x--x 1 root root 19K Mar 23 12:05 /usr/bin/chsh ...

This command uses find to locate all the files that have their setuid bits set (mode 4000). The hyphen preceding the mode causes find to report on any file that has this bit set, regardless of how the other bits are set. The output sent to standard error is redirected to /dev/null so that it does not clutter the screen.
You can also set up a program, such as AIDE (Advanced Intrusion Detection Environment), that will take a snapshot of your system and check it periodically as you specify. See www.cs.tut.fi/~rammer/aide.html for more information.

Read more about Linux and Unix in Computerworld's Linux and Unix Topic Center.

Additional Resources

WHITE PAPER

Forrester Consulting - Optimizing Users and Applications in a Mobile World

Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

WHITE PAPER

Enter the Security KnowledgeVault

Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

WHITE PAPER

Cut Communications Costs Once and for All

New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Top Stories

Free Insider Guide

Excel 2010 Cheat Sheet: Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.

Linux and Unix White Papers

Consolidating SAP Applications to Linux on Power by IDC: IDC studied a group of enterprises that had deployed SAP applications on IBM Power Systems servers running Linux server operating environments and had...
Overcome Top 7 Admin Challenges of Active Directory: As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
Insiders Can Ruin Your Company. Take Action.: Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
Top Solutions and Tools to Prevent Devastating Malware: Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
Streamline Compliance and Increase ROI: Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...

Linux and Unix Webcasts

Optimizing Networks for the Cloud: Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere: Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere: Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware: Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
Virtualize Business-Critical Applications with Confidence: Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®...

Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter

Operating Systems
Linux
Macintosh
Computerworld Daily News
View all newsletters | Privacy Policy

IT Jobs

See All Jobs Post a job for $295

Jobs by SimplyHired

Linux and Unix White Papers | All Linux and Unix White Papers