Security Incidents mailing list archives

More rootkit defense


From: Phil Stracchino <alaric () BABCOM COM>
Date: Mon, 26 Mar 2001 16:37:27 -0800

It has come to my notice that the majority of skript-kiddies and writers
of rootkits are either unaware of the oft-forgotten wonders of file
attributes, or can't be bothered to provide for them in their 'sploits.
However, remembering which files you have flagged immutable, and manually
clearing and resetting the flag every time you update software, is
time-consuming and error-prone.

With this in mind, I offer for your consideration sysfiles.pl, a simple
Perl tool to frustrate such unsophisticated miscreants by locking a
selected set of key system files with chattr.

The list of binaries that sysfiles currently looks for is based on the
list examined by chkrootkit, with a few additions such as lsof, ssh, and
who.  The complete list, at present, is:

   basename biff chattr chfn chsh crond date dirname du echo env find
   in.fingerd grep in.identd ifconfig inetd killall login ls lsattr lsof
   mail netstat passwd pidof in.pop2d in.pop3d ps pstree realpath rpcinfo
   in.rshd sendmail ssh ssh-keygen sshd su syslogd tar tcpd in.telnetd
   in.timed top traceroute who write

The first time it is run, sysfiles uses which and realpath to build a dbm
database of the absolute paths to the real binaries for these commands.
The realpath program (attached) is a simple C interface to the realpath()
call; providing it as an external program was immensely simpler than
making sure the long list of .ph files required to invoke realpath() via
syscall() are all present.  The real paths to each binary and the current
file attributes are listed.

Three command-line options exist:

   sysfiles -update causes the path database to be rebuilt.

   sysfiles -lock sets the immutable (+i) attribute on the list of
      system binaries, which should defeat the majority of existing
      rootkits.

   sysfiles -unlock removes the immutable attribute.

Omitting any argument at all other than on the first run, or supplying
both -lock and -unlock, will result in a usage message.  The program will
refuse to replace the path database file if it is a symbolic link.

This is not a panacea, obviously.  It won't defeat the sophisticated
hacker who has gained a rootshell and is manually working at compromising
your system.  However, it'll stop most of the skript-kiddies and most
automated 'sploits in their tracks.

Any discussion, suggestions for improvement, additions to the list of Key
Things That Should Be Protected, or potential arguments as to why this
tool Might Be Not A Good Idea are welcomed.

Attachments:
        1.      sysfiles.pl
        2.      realpath.tar.gz


--
 Linux Now!   ..........Because friends don't let friends use Microsoft.
 phil stracchino   --   the renaissance man   --   mystic zen biker geek
    Vr00m:  2000 Honda CBR929RR   --   Cage:  2000 Dodge Intrepid R/T
 Previous vr00mage:  1986 VF500F (sold), 1991 VFR750F3 (foully murdered)
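
The workflow described above, as an added example in POSIX sh rather than the attached sysfiles.pl (which is not reproduced here): it resolves each command name to the real binary with `command -v` and `readlink -f` (the job done by `which` plus the attached realpath wrapper in the original), keeps the result in a plain text list instead of a dbm file, refuses to replace that list when it is a symbolic link, and drives `chattr +i` / `chattr -i` from it. The database location, the temporary-file naming and the trimmed default list are assumptions of this example, not the tool's; it also differs from the post in one small way, in that the first `-lock` builds the list if it is missing instead of a bare first run doing so.

```shell
#!/bin/sh
# Added example, not the sysfiles.pl from the post. Assumes Linux with
# coreutils (readlink -f) and e2fsprogs (chattr, lsattr); locking needs root
# (CAP_LINUX_IMMUTABLE) and a filesystem that supports the immutable bit.
# The database path and default list are hypothetical defaults.

SYSFILES_DB="${SYSFILES_DB:-/var/lib/sysfiles/paths}"
SYSFILES_LIST="${SYSFILES_LIST:-basename chattr chfn chsh date dirname du env find grep ifconfig inetd killall login ls lsattr lsof netstat passwd pidof ps pstree su syslogd tar tcpd top traceroute who}"

# Resolve a command name to the absolute path of the real binary, following
# symlinks. Fails for shell builtins and for commands that are not installed,
# so they are simply left out of the database.
resolve_bin() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    case "$p" in
        /*) ;;            # absolute path: a real file on disk
        *)  return 1 ;;   # builtin, function or alias: nothing to chattr
    esac
    readlink -f "$p" 2>/dev/null || realpath "$p"
}

# Rebuild the path database from SYSFILES_LIST. Like the original, refuses to
# replace the database when it is a symbolic link. The list is written to a
# temporary file in the same directory and renamed into place, so -lock never
# reads a half-written file.
build_db() {
    db="$1"
    if [ -L "$db" ]; then
        echo "sysfiles: refusing to replace symlink $db" >&2
        return 2
    fi
    tmp=$(mktemp "$(dirname "$db")/.sysfiles.XXXXXX") || return 1
    for name in $SYSFILES_LIST; do
        if path=$(resolve_bin "$name"); then
            printf '%s\n' "$path"
        fi
    done | sort -u > "$tmp"
    mv -f "$tmp" "$db"
}

# Apply (+i) or remove (-i) the immutable attribute on every path in the
# database. Returns non-zero if any chattr call failed.
set_immutable() {    # $1 = database file, $2 = +i or -i
    rc=0
    while IFS= read -r path; do
        [ -f "$path" ] || { echo "sysfiles: missing $path" >&2; continue; }
        chattr "$2" "$path" || rc=1
    done < "$1"
    return $rc
}

# Print each recorded path with its current attributes, as the original lists
# them after every run.
show_status() {
    while IFS= read -r path; do
        lsattr "$path" 2>/dev/null || echo "?----------------- $path"
    done < "$1"
}

usage() {
    echo "usage: $0 -update | -lock | -unlock" >&2
    exit 1
}

main() {
    # Exactly one option; "-lock -unlock" together falls through to usage.
    [ $# -eq 1 ] || usage
    case "$1" in
        -update) build_db "$SYSFILES_DB" ;;
        -lock)   [ -e "$SYSFILES_DB" ] || build_db "$SYSFILES_DB"
                 set_immutable "$SYSFILES_DB" +i ;;
        -unlock) set_immutable "$SYSFILES_DB" -i ;;
        *)       usage ;;
    esac
    show_status "$SYSFILES_DB"
}

# Only act when given an argument, so the file can also be sourced to reuse
# the functions (for instance from a test).
if [ $# -gt 0 ]; then main "$@"; fi
```

Two points worth keeping in mind when running something like this: `chattr -i` is available to anyone who already has root, so the immutable bit only stops intruders and automated rootkits that do not expect it, which matches the scope the post claims for the tool; and since the list stores the resolved target rather than the symlink, a package upgrade that replaces the symlink (or installs the binary under a new real path) will leave the new file unprotected until `-update` is run again.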
