Thwart Trojan horse attacks on Linux systems

Computerworld -

This content is excerpted from a chapter from the new book, "A Practical
Guide to Red Hat Linux: Fedora Core & Red Hat Enterprise Linux", authored by
Mark Sobell, ISBN 0131470248. It is excerpted with permission from publisher
Prentice Hall PTR, copyright 2005, Mark G. Sobell. To learn more, please
visit the book's page at: http://www.phptr.com/title/0131470248

A Trojan horse is a program that does something destructive or disruptive to your system while appearing to be benign. As an example, you could store the following script in an executable file named mkfs:

If you are running as Superuser when you run this command, it would continuously write a message to the console. If the programmer were malicious, it could do worse. The only thing missing in this plot is access permissions.

A malicious user could implement this Trojan horse by changing Superuser's PATH variable to include a publicly writable directory at the start of the PATH string. (The catch is that you need to be able to write to /etc/profile - where the PATH variable is set for root-and only root can do that.) Then you would need to put the bogus mkfs program file in that directory. Because the fraudulent version appears in a directory mentioned earlier than the real one in PATH, the shell runs it. The next time Superuser tries to run mkfs, the fraudulent version would run.

Trojan horses that wait for and take advantage of the misspellings that most people make are one of the most insidious types. For example, you might type sl instead of ls. Because you do not regularly execute a utility named sl and you may not remember typing the command sl, it is more difficult to track down this type of Trojan horse than one that takes the name of a utility you are familiar with.

A good way to prevent executing a Trojan horse is to make sure that your PATH variable does not contain a single colon (:) at the beginning or end of the PATH string or a period (.) or double colon (::) anywhere in the PATH string. A common way to check for a Trojan horse is to examine the filesystem periodically for files with setuid (refer to item 5 on page 372). The following command lists these files:

This command uses find to locate all the files that have their setuid bits set (mode 4000). The hyphen preceding the mode causes find to report on any file that has this bit set, regardless of how the other bits are set. The output sent to standard error is redirected to /dev/null so that it does not clutter the screen.
You can also set up a program, such as AIDE (Advanced Intrusion Detection Environment), that will take a snapshot of your system and check it periodically as you specify. See www.cs.tut.fi/~rammer/aide.html for more information.