Thwart Trojan horse attacks on Linux systems

By Mark Sobell

July 21, 2004 12:00 PM ET

Recommended

(4)

Digg

Twitter

Share/Email

Computerworld -

This content is excerpted from a chapter from the new book, "A Practical
Guide to Red Hat Linux: Fedora Core & Red Hat Enterprise Linux", authored by
Mark Sobell, ISBN 0131470248. It is excerpted with permission from publisher
Prentice Hall PTR, copyright 2005, Mark G. Sobell. To learn more, please
visit the book's page at: http://www.phptr.com/title/0131470248

A Trojan horse is a program that does something destructive or disruptive to your system while appearing to be benign. As an example, you could store the following script in an executable file named mkfs:

while true do echo 'Good Morning Mr. Jones. How are you? Ha Ha Ha.' > /dev/console done

If you are running as Superuser when you run this command, it would continuously write a message to the console. If the programmer were malicious, it could do worse. The only thing missing in this plot is access permissions.

A malicious user could implement this Trojan horse by changing Superuser's PATH variable to include a publicly writable directory at the start of the PATH string. (The catch is that you need to be able to write to /etc/profile - where the PATH variable is set for root-and only root can do that.) Then you would need to put the bogus mkfs program file in that directory. Because the fraudulent version appears in a directory mentioned earlier than the real one in PATH, the shell runs it. The next time Superuser tries to run mkfs, the fraudulent version would run.

Trojan horses that wait for and take advantage of the misspellings that most people make are one of the most insidious types. For example, you might type sl instead of ls. Because you do not regularly execute a utility named sl and you may not remember typing the command sl, it is more difficult to track down this type of Trojan horse than one that takes the name of a utility you are familiar with.

A good way to prevent executing a Trojan horse is to make sure that your PATH variable does not contain a single colon (:) at the beginning or end of the PATH string or a period (.) or double colon (::) anywhere in the PATH string. A common way to check for a Trojan horse is to examine the filesystem periodically for files with setuid (refer to item 5 on page 372). The following command lists these files:

# find / -perm -4000 -exec ls -lh {} \; 2> /dev/null -rwsr-xr-x 1 root root 54K Apr 5 16:17 /usr/bin/lppasswd -rwsr-xr-x 1 root root 111K Feb 17 10:26 /usr/bin/crontab -rwsr-xr-x 1 root root 7.0K Apr 13 08:26 /usr/bin/kpac_dhcp_helper -rws--x--x 1 root root 18K Mar 23 12:05 /usr/bin/chfn -rws--x--x 1 root root 6.8K Mar 23 12:05 /usr/bin/newgrp -rwsr-xr-x 1 root root 39K Apr 15 12:26 /usr/bin/at -rwsr-xr-x 1 root root 42K Mar 30 13:45 /usr/bin/gpasswd -r-s--x--x 1 root root 91K Feb 15 10:04 /usr/bin/passwd -rwsr-xr-x 1 root root 17K Feb 17 09:12 /usr/bin/rlogin ---s--x--x 1 root root 96K Apr 1 08:19 /usr/bin/sudo -rwsr-xr-x 1 root root 6.8K Apr 13 08:26 /usr/bin/kgrantpty -rwsr-xr-x 1 root root 18K Feb 17 09:12 /usr/bin/rcp -rwsrwxr-x 1 root root 364K Mar 16 13:32 /usr/bin/tvtime -rwsr-xr-x 1 root root 40K Mar 30 13:45 /usr/bin/chage -rwsr-xr-x 1 root root 9.6K Feb 17 09:12 /usr/bin/rsh -rws--x--x 1 root root 19K Mar 23 12:05 /usr/bin/chsh ...

This command uses find to locate all the files that have their setuid bits set (mode 4000). The hyphen preceding the mode causes find to report on any file that has this bit set, regardless of how the other bits are set. The output sent to standard error is redirected to /dev/null so that it does not clutter the screen.
You can also set up a program, such as AIDE (Advanced Intrusion Detection Environment), that will take a snapshot of your system and check it periodically as you specify. See www.cs.tut.fi/~rammer/aide.html for more information.

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Linux

Additional Resources

WHITE PAPER

Do You Know the 7 Steps to Successful Data Migration?

Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.

WHITE PAPER

Total Cost of Ownership of Server Computing Vs. PCs

Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.

WHITE PAPER

IDC White Paper: Linux in a Global Recession

Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.