An idea to improve security, for hacked PC's

andrade · 09-26-2005, 10:50 PM

This is an idea i had, thinking in servers security.
Please read it all.

The base idea is, even if someone gain acess to a root shell (ssh or not), he can't do nothing if he doesn't have access to the commands.

Then it will exist a program/script that will convert our programs in names, with many, and aleatory, characters.
Example:

our /bin/ls will be now /bin/a2bs3mc02c0b

All binaries will stay with names like that. Then the program will register the names and, automatically, create a script, per example:

#!/bin/1bv3c3g4bb (that were, before, the "bash" command, that the program had register before)
lg9sf7g77 (formerly "alias") /bin/bash=/bin/1bv3c3g4bb
lg9sf7g77 (formerly "alias") bash=1bv3c3g4bb

This for all commands.

The script will keep saved, and after we start a session, we will have to execute the script, that will have the name that we choose for it.
In this way, whos get a shell in our computer, will not have access to it, if he doesn't know the script name.

Capt_Caveman · 09-26-2005, 11:21 PM

I've actually seen this implemented in a small scale before, with just a few commands. However, I can see a number of reasons why this wouldn't work. One weakness would be that the size of the binaries would be the same and would be a likely clue. Second, shell scripts that rely on binaries would have to somehow be dynamically updated for their new names. Lastly, once someone has gained access they could just upload their own binaries (which actually happens alot). Personally I think it relies a little too much on "security-through obscurity". I do like the alias trick though.

andrade · 09-26-2005, 11:25 PM

Quote:

Lastly, once someone has gained access they could just upload their own binaries (which actually happens alot)

How?

Edit :

Quote:

One weakness would be that the size of the binaries would be the same and would be a likely clue

Why? The attacker will not have access to the file size

Capt_Caveman · 09-26-2005, 11:54 PM

A number of common services have built-in utilities or subsystems for uploading files. One example is the ftp upload function in PHP, another is SSH. Compromise one of those services and you have the ability to upload whatever you want.

andrade · 09-26-2005, 11:58 PM

Quote:

A number of common services have built-in utilities or subsystems for uploading files. One example is the ftp upload function in PHP, another is SSH. Compromise one of those services and you have the ability to upload whatever you want.

Perhaps, to change them, for just create files without execute permissions...
And of course, you will not able to chmod them.....

Anyway, apache by itself will be secure

Capt_Caveman · 09-27-2005, 12:14 AM

Code:

[root@Alpha bin]# mv chmod fjlakfjl
[root@Alpha bin]# fjlakfjl --help
Usage: fjlakfjl [OPTION]... MODE[,MODE]... FILE...
  or:  fjlakfjl [OPTION]... OCTAL-MODE FILE...
  or:  fjlakfjl [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.

  -c, --changes           like verbose but report only when a change is made
      --no-preserve-root  do not treat `/' specially (the default)
      --preserve-root     fail to operate recursively on `/'
  -f, --silent, --quiet   suppress most error messages
  -v, --verbose           output a diagnostic for every file processed
      --reference=RFILE   use RFILE's mode instead of MODE values
  -R, --recursive         change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is one or more of the letters ugoa, one of the symbols +-= and
one or more of the letters rwxXstugo.

Report bugs to <bug-coreutils@gnu.org>.

andrade · 09-27-2005, 12:19 AM

Quote:

Originally posted by Capt_Caveman

Code:

[root@Alpha bin]# mv chmod fjlakfjl [root@Alpha bin]# fjlakfjl --help Usage: fjlakfjl [OPTION]... MODE[,MODE]... FILE... or: fjlakfjl [OPTION]... OCTAL-MODE FILE... or: fjlakfjl [OPTION]... --reference=RFILE FILE... Change the mode of each FILE to MODE. -c, --changes like verbose but report only when a change is made --no-preserve-root do not treat `/' specially (the default) --preserve-root fail to operate recursively on `/' -f, --silent, --quiet suppress most error messages -v, --verbose output a diagnostic for every file processed --reference=RFILE use RFILE's mode instead of MODE values -R, --recursive change files and directories recursively --help display this help and exit --version output version information and exit Each MODE is one or more of the letters ugoa, one of the symbols +-= and one or more of the letters rwxXstugo. Report bugs to <bug-coreutils@gnu.org>.

how the attacker knows that the command is "fjlakfjl"?
He don't know. If is a command that it put it herself, it will not able to execute, if don't have execute permissions

Capt_Caveman · 09-27-2005, 12:24 AM

You're missing the point. You can just walk through /bin without knowing any of the filenames and use --help to figure out which command is which or more easily just find ls and then you'll know all the binary sizes.

andrade · 09-27-2005, 12:28 AM

Quote:

Originally posted by Capt_Caveman
You're missing the point. You can just walk through /bin without knowing any of the filenames and use --help to figure out which command is which or more easily just find ls and then you'll know all the binary sizes.

I think you are not understanding the idea.
Imagine you attack a computer, and now you have a shell and you are root, and don't have access to the commands... what you will do?

Capt_Caveman · 09-27-2005, 12:29 AM

Hit the tab button twice

andrade · 09-27-2005, 12:33 AM

Quote:

Originally posted by Capt_Caveman
Hit the tab button twice

I had think in that also...
It isn't like that for all shells...
anyway, i think that you can remove it, and add this function to the script

Vgui · 09-27-2005, 12:56 AM

Sorry, but this idea really is pointless. As soon as they have root, you're done, because anything you do, they can undo. As a few have said, the most common action an attacker will take is to upload their own binaries. If the normal commands are not found, they would _for sure_ just upload their own copies (that's why programs like rkhunter and other md5 checking programs are so important for servers).
Commonly, a system will be compromised, and instead of making their presence known, the intruder will just upload a few key modified binaries (like who, ps, top, etc.). The modified binaries may perhaps mask their presence, or hide running processes used to do all sorts of nasty things off your computer (like send spam).
As I said, once they have root, you're done. Your best bet is to immediately take the machine offline, and start from scratch.

EDIT: One more thing (after re-reading your post, and imaging you coming back with some left field idea), how would you even know when to run this "scrambler" script? That would rely on intrusion detection, which can fail, etc. Would you instead have the binaries always running under the scrambled names? That seems like a huge hassle for getting any real work done. The idea is just too far fetched and definately not worth the time. There's a reason that the "tried and true" methods of compromise cleaning are used.

andrade · 09-27-2005, 01:11 AM

Quote:

Originally posted by Vgui
Sorry, but this idea really is pointless. As soon as they have root, you're done, because anything you do, they can undo. As a few have said, the most common action an attacker will take is to upload their own binaries. If the normal commands are not found, they would _for sure_ just upload their own copies (that's why programs like rkhunter and other md5 checking programs are so important for servers).
Commonly, a system will be compromised, and instead of making their presence known, the intruder will just upload a few key modified binaries (like who, ps, top, etc.). The modified binaries may perhaps mask their presence, or hide running processes used to do all sorts of nasty things off your computer (like send spam).
As I said, once they have root, you're done. Your best bet is to immediately take the machine offline, and start from scratch.

EDIT: One more thing (after re-reading your post, and imaging you coming back with some left field idea), how would you even know when to run this "scrambler" script? That would rely on intrusion detection, which can fail, etc. Would you instead have the binaries always running under the scrambled names? That seems like a huge hassle for getting any real work done. The idea is just too far fetched and definately not worth the time. There's a reason that the "tried and true" methods of compromise cleaning are used.

Ok. It was just an idea

Stay fine