Security Incidents mailing list archives
More rootkit defense
From: Phil Stracchino <alaric () BABCOM COM>
Date: Mon, 26 Mar 2001 16:37:27 -0800
It has come to my notice that the majority of skript-kiddies and writers of rootkits are either unaware of the oft-forgotten wonders of file attributes, or can't be bothered to provide for them in their 'sploits. However, remembering which files you have flagged immutable, and manually clearing and resetting the flag every time you update software, is time-consuming and error-prone.

With this in mind, I offer for your consideration sysfiles.pl, a simple Perl tool to frustrate such unsophisticated miscreants by locking a selected set of key system files with chattr. The list of binaries that sysfiles currently looks for is based on the list examined by chkrootkit, with a few additions such as lsof, ssh, and who. The complete list, at present, is:

    basename biff chattr chfn chsh crond date dirname du echo env find
    in.fingerd grep in.identd ifconfig inetd killall login ls lsattr lsof
    mail netstat passwd pidof in.pop2d in.pop3d ps pstree realpath rpcinfo
    in.rshd sendmail ssh ssh-keygen sshd su syslogd tar tcpd in.telnetd
    in.timed top traceroute who write

The first time it is run, sysfiles uses which and realpath to build a dbm database of the absolute paths to the real binaries for these commands. The realpath program (attached) is a simple C interface to the realpath() call; providing it as an external program was immensely simpler than making sure the long list of .ph files required to invoke realpath() via syscall() are all present. The real paths to each binary and the current file attributes are listed.

Three command-line options exist:

    sysfiles -update   causes the path database to be rebuilt.
    sysfiles -lock     sets the immutable (+i) attribute on the list of system
                       binaries, which should defeat the majority of existing
                       rootkits.
    sysfiles -unlock   removes the immutable attribute.

Omitting any argument at all other than on the first run, or supplying both -lock and -unlock, will result in a usage message. The program will refuse to replace the path database file if it is a symbolic link.

This is not a panacea, obviously. It won't defeat the sophisticated hacker who has gained a root shell and is manually working at compromising your system. However, it'll stop most of the skript-kiddies and most automated 'sploits in their tracks.

Any discussion, suggestions for improvement, additions to the list of Key Things That Should Be Protected, or potential arguments as to why this tool Might Be Not A Good Idea are welcomed.

Attachments:
1. sysfiles.pl
2. realpath.tar.gz

-- 
Linux Now! ..........Because friends don't let friends use Microsoft.
phil stracchino -- the renaissance man -- mystic zen biker geek
Vr00m: 2000 Honda CBR929RR -- Cage: 2000 Dodge Intrepid R/T
Previous vr00mage: 1986 VF500F (sold), 1991 VFR750F3 (foully murdered)
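The workflow the post describes (which + realpath to resolve each command to the binary that actually runs, a path database the tool refuses to write through a symlink, then chattr +i / -i on the result), as an added Python example that is not the attached sysfiles.pl or realpath. It departs from the original in one respect: the database is a plain text file opened with O_NOFOLLOW rather than dbm, so the symlink refusal is done by the kernel at open() time instead of by a separate check; the command list, the fixture directory and the file names in demo() are constructed for illustration.

```python
"""Added example, not the original sysfiles.pl: resolve each command to its real
binary, save the paths (refusing a symlinked database via O_NOFOLLOW), then build
the chattr +i / -i command for the -lock / -unlock step."""
import os
import shutil
import subprocess
import tempfile

SYSFILES = ["ls", "ps", "netstat", "login", "passwd", "sshd", "syslogd"]  # subset of the post's list

def real_binary(name, path_env=None):
    """which + realpath: follow every symlink to the file that actually executes."""
    found = shutil.which(name, path=path_env)
    return os.path.realpath(found) if found else None

def build_db(db_path, names=SYSFILES, path_env=None):
    """The -update step: rewrite the name -> real path database, one entry per line."""
    paths = {n: real_binary(n, path_env) for n in names}
    paths = {n: p for n, p in paths.items() if p}           # skip commands not installed
    fd = os.open(db_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:                          # os.open raised ELOOP if a symlink sat there
        for name, real in sorted(paths.items()):
            fh.write(f"{name}\t{real}\n")
    return paths

def chattr(paths, lock, dry_run=False):
    """The -lock / -unlock step: +i sets, -i clears the immutable attribute.
    Needs root and an ext2/3/4 filesystem; dry_run only returns the command."""
    cmd = ["chattr", "+i" if lock else "-i", *sorted(set(paths.values()))]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd

def demo():
    """Constructed fixture: a fake PATH whose 'ls' is a symlink, plus a symlink planted where the db goes."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir, real = os.path.join(tmp, "bin"), os.path.join(tmp, "real", "ls.bin")
        for d in (bindir, os.path.dirname(real)):
            os.makedirs(d)
        os.close(os.open(real, os.O_CREAT, 0o755))          # empty but executable stand-in binary
        os.symlink(real, os.path.join(bindir, "ls"))
        resolved = build_db(os.path.join(tmp, "sysfiles.db"), ["ls", "nosuchcmd"], bindir)
        expected = {"ls": os.path.realpath(real)}           # symlink in PATH resolved to the real file
        os.symlink(os.path.join(tmp, "victim"), os.path.join(tmp, "planted.db"))
        try:
            build_db(os.path.join(tmp, "planted.db"), ["ls"], bindir)
            refused = False
        except OSError:                                     # ELOOP from O_NOFOLLOW
            refused = True
    return resolved == expected, refused, chattr(resolved, True, dry_run=True)
```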
Current thread:
- More rootkit defense Phil Stracchino (Mar 27)
- Re: More rootkit defense Phil Stracchino (Mar 27)
- Re: More rootkit defense gabriel rosenkoetter (Mar 28)
- Re: More rootkit defense Phil Stracchino (Mar 28)
- Re: More rootkit defense gabriel rosenkoetter (Mar 28)
- Re: More rootkit defense Phil Stracchino (Mar 27)
- Re: More rootkit defense Phil Stracchino (Mar 28)