Security Incidents mailing list archives

Recognizing compromised binaries


From: friedl () MTNDEW COM (Stephen Friedl)
Date: Fri, 18 Feb 2000 20:39:58 -0800


Hello all,

As I have recounted, the ADMSUCKS hack this weekend has been quite
vivid, but there is one small point I've not seen raised before in
this forum. The bad guy had compromised most of the obvious system
binaries (ls, ps, netstat, etc.), so it was hard to identify even
what was wrong.

S/he of course replaced the date and time, so "ls -l" listings all
showed the files where they were, but the *inode numbers* of the
files were all different. Since most of the system binaries were
installed onto a fresh hard drive, the inode numbers are all low
and more or less sequential.

This made it possible to recognize which files had been compromised:

# cd /bin
# ls -lti
  22590 -rwsr-xr-x   1 root  root     19116 Oct  6  1998 umount
1466438 -rwxr-xr-x   1 root  root     36970 Oct  2  1998 ps
  22560 -rwxr-xr-x   1 root  root    262756 Oct  2  1998 tcsh
  ....
  22594 -rwxr-xr-x   1 root  root      8008 Sep  2  1998 hostname
1466436 -rwxr-xr-x   1 root  root     30968 Sep  2  1998 netstat
  22552 -rwxr-xr-x   1 root  root    153752 Aug 28  1998 ash.static
  ...
  22542 -rwxr-xr-x   1 root  root     12736 Aug  6  1998 ln
1466433 -rwxr-xr-x   1 root  root    137415 Aug  6  1998 ls
  22544 -rwxr-xr-x   1 root  root      8268 Aug  6  1998 mkdir

The 146xxx numbers were all hacked, and they were all over the
system. This is not a definitive test, of course (the bad guy
could probably just "cat hacked.ls > /bin/ls" and keep the same
inode number), but for me this was a very early clue as to the
extent of the damage, and it kept me from wasting my time trying to
piece it back together -- I got a new hard drive and started over.

Inode numbers are your friends.

Steve

---
Stephen J Friedl|Software Consultant|Tustin, CA|  +1 714 544-6561
3B2-kind-of-guy |I speak for me only|  KA8CMY  |steve () unixwiz net
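The inode check Steve describes, as an added shell example that is not part of the original message. It reads "ls -lti" output and flags entries whose inode number is far above the rest of the directory; the embedded listing is the one from the post, re-used here as constructed sample input with the "...." filler dropped. The function names flag_inode_outliers and check_sample and the "ten times the median inode" threshold are this example's own choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the post): flag files in an "ls -lti" listing whose
# inode number is far above the bulk of the directory's inodes, as Steve saw
# on the compromised box.

# Constructed sample: the listing from the post, "...." filler removed.
SAMPLE_LISTING='  22590 -rwsr-xr-x   1 root  root     19116 Oct  6  1998 umount
1466438 -rwxr-xr-x   1 root  root     36970 Oct  2  1998 ps
  22560 -rwxr-xr-x   1 root  root    262756 Oct  2  1998 tcsh
  22594 -rwxr-xr-x   1 root  root      8008 Sep  2  1998 hostname
1466436 -rwxr-xr-x   1 root  root     30968 Sep  2  1998 netstat
  22552 -rwxr-xr-x   1 root  root    153752 Aug 28  1998 ash.static
  22542 -rwxr-xr-x   1 root  root     12736 Aug  6  1998 ln
1466433 -rwxr-xr-x   1 root  root    137415 Aug  6  1998 ls
  22544 -rwxr-xr-x   1 root  root      8268 Aug  6  1998 mkdir'

# flag_inode_outliers [RATIO]: read "ls -lti" lines on stdin and print, one per
# line, the names whose inode exceeds RATIO times the median inode (default 10).
# Lines with fewer than 9 fields ("total 1234", the post's "...." filler) are
# skipped. Names containing whitespace are not handled: $NF would truncate them.
flag_inode_outliers() {
    awk -v ratio="${1:-10}" '
        NF >= 9 { n++; ino[n] = $1 + 0; name[n] = $NF }
        END {
            if (n == 0) exit 0
            # Insertion sort of a copy of the inode numbers; directory
            # listings are small, so portability beats gawk-only asort().
            for (i = 1; i <= n; i++) s[i] = ino[i]
            for (i = 2; i <= n; i++) {
                v = s[i]; j = i - 1
                while (j > 0 && s[j] > v) { s[j + 1] = s[j]; j-- }
                s[j + 1] = v
            }
            median = s[int((n + 1) / 2)]
            # Report in listing order so the output lines up with ls -lti.
            for (i = 1; i <= n; i++)
                if (ino[i] > median * ratio) print name[i]
        }'
}

# check_sample: run the detector over the constructed sample and return the
# flagged names on one space-separated line (expected: "ps netstat ls").
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_inode_outliers 10 | tr '\n' ' ' | sed 's/ $//'
}

check_sample
```

On a live system run it as `ls -lti /bin | flag_inode_outliers`, ideally with an `ls` and `awk` from a clean boot medium, since a trojaned `ls` can lie about inode numbers as easily as about dates. Two caveats a practitioner should keep in mind: the check only finds binaries that were unlinked and re-created (an in-place overwrite keeps the inode, exactly as the post notes), and a directory that was legitimately upgraded piecemeal will also show scattered inodes. Treat a hit as a reason to compare the file against a known-good checksum database (the package manager's verification mode, or hashes recorded before the incident), not as proof on its own.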


