LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 09-26-2005, 10:50 PM   #1
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Rep: Reputation: 15
An idea to improve security, for hacked PC's


This is an idea i had, thinking in servers security.
Please read it all.

The base idea is, even if someone gain acess to a root shell (ssh or not), he can't do nothing if he doesn't have access to the commands.

Then it will exist a program/script that will convert our programs in names, with many, and aleatory, characters.
Example:

our /bin/ls will be now /bin/a2bs3mc02c0b

All binaries will stay with names like that. Then the program will register the names and, automatically, create a script, per example:

#!/bin/1bv3c3g4bb (that were, before, the "bash" command, that the program had register before)
lg9sf7g77 (formerly "alias") /bin/bash=/bin/1bv3c3g4bb
lg9sf7g77 (formerly "alias") bash=1bv3c3g4bb

This for all commands.

The script will keep saved, and after we start a session, we will have to execute the script, that will have the name that we choose for it.
In this way, whos get a shell in our computer, will not have access to it, if he doesn't know the script name.
 
Old 09-26-2005, 11:21 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I've actually seen this implemented in a small scale before, with just a few commands. However, I can see a number of reasons why this wouldn't work. One weakness would be that the size of the binaries would be the same and would be a likely clue. Second, shell scripts that rely on binaries would have to somehow be dynamically updated for their new names. Lastly, once someone has gained access they could just upload their own binaries (which actually happens alot). Personally I think it relies a little too much on "security-through obscurity". I do like the alias trick though.
 
Old 09-26-2005, 11:25 PM   #3
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Lastly, once someone has gained access they could just upload their own binaries (which actually happens alot)
How?

Edit :

Quote:
One weakness would be that the size of the binaries would be the same and would be a likely clue
Why? The attacker will not have access to the file size

Last edited by andrade; 09-26-2005 at 11:29 PM.
 
Old 09-26-2005, 11:54 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
A number of common services have built-in utilities or subsystems for uploading files. One example is the ftp upload function in PHP, another is SSH. Compromise one of those services and you have the ability to upload whatever you want.
 
Old 09-26-2005, 11:58 PM   #5
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
A number of common services have built-in utilities or subsystems for uploading files. One example is the ftp upload function in PHP, another is SSH. Compromise one of those services and you have the ability to upload whatever you want.
Perhaps, to change them, for just create files without execute permissions...
And of course, you will not able to chmod them.....

Anyway, apache by itself will be secure
 
Old 09-27-2005, 12:14 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Code:
[root@Alpha bin]# mv chmod fjlakfjl
[root@Alpha bin]# fjlakfjl --help
Usage: fjlakfjl [OPTION]... MODE[,MODE]... FILE...
  or:  fjlakfjl [OPTION]... OCTAL-MODE FILE...
  or:  fjlakfjl [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.

  -c, --changes           like verbose but report only when a change is made
      --no-preserve-root  do not treat `/' specially (the default)
      --preserve-root     fail to operate recursively on `/'
  -f, --silent, --quiet   suppress most error messages
  -v, --verbose           output a diagnostic for every file processed
      --reference=RFILE   use RFILE's mode instead of MODE values
  -R, --recursive         change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is one or more of the letters ugoa, one of the symbols +-= and
one or more of the letters rwxXstugo.

Report bugs to <bug-coreutils@gnu.org>.
 
Old 09-27-2005, 12:19 AM   #7
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
Code:
[root@Alpha bin]# mv chmod fjlakfjl
[root@Alpha bin]# fjlakfjl --help
Usage: fjlakfjl [OPTION]... MODE[,MODE]... FILE...
  or:  fjlakfjl [OPTION]... OCTAL-MODE FILE...
  or:  fjlakfjl [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.

  -c, --changes           like verbose but report only when a change is made
      --no-preserve-root  do not treat `/' specially (the default)
      --preserve-root     fail to operate recursively on `/'
  -f, --silent, --quiet   suppress most error messages
  -v, --verbose           output a diagnostic for every file processed
      --reference=RFILE   use RFILE's mode instead of MODE values
  -R, --recursive         change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is one or more of the letters ugoa, one of the symbols +-= and
one or more of the letters rwxXstugo.

Report bugs to <bug-coreutils@gnu.org>.
how the attacker knows that the command is "fjlakfjl"?
He don't know. If is a command that it put it herself, it will not able to execute, if don't have execute permissions
 
Old 09-27-2005, 12:24 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You're missing the point. You can just walk through /bin without knowing any of the filenames and use --help to figure out which command is which or more easily just find ls and then you'll know all the binary sizes.
 
Old 09-27-2005, 12:28 AM   #9
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
You're missing the point. You can just walk through /bin without knowing any of the filenames and use --help to figure out which command is which or more easily just find ls and then you'll know all the binary sizes.
I think you are not understanding the idea.
Imagine you attack a computer, and now you have a shell and you are root, and don't have access to the commands... what you will do?
 
Old 09-27-2005, 12:29 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Hit the tab button twice
 
Old 09-27-2005, 12:33 AM   #11
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
Hit the tab button twice
I had think in that also...
It isn't like that for all shells...
anyway, i think that you can remove it, and add this function to the script
 
Old 09-27-2005, 12:56 AM   #12
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
Sorry, but this idea really is pointless. As soon as they have root, you're done, because anything you do, they can undo. As a few have said, the most common action an attacker will take is to upload their own binaries. If the normal commands are not found, they would _for sure_ just upload their own copies (that's why programs like rkhunter and other md5 checking programs are so important for servers).
Commonly, a system will be compromised, and instead of making their presence known, the intruder will just upload a few key modified binaries (like who, ps, top, etc.). The modified binaries may perhaps mask their presence, or hide running processes used to do all sorts of nasty things off your computer (like send spam).
As I said, once they have root, you're done. Your best bet is to immediately take the machine offline, and start from scratch.

EDIT: One more thing (after re-reading your post, and imaging you coming back with some left field idea), how would you even know when to run this "scrambler" script? That would rely on intrusion detection, which can fail, etc. Would you instead have the binaries always running under the scrambled names? That seems like a huge hassle for getting any real work done. The idea is just too far fetched and definately not worth the time. There's a reason that the "tried and true" methods of compromise cleaning are used.

Last edited by Vgui; 09-27-2005 at 12:58 AM.
 
Old 09-27-2005, 01:11 AM   #13
andrade
Member
 
Registered: Oct 2004
Location: Portugal
Distribution: Ubuntu
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Vgui
Sorry, but this idea really is pointless. As soon as they have root, you're done, because anything you do, they can undo. As a few have said, the most common action an attacker will take is to upload their own binaries. If the normal commands are not found, they would _for sure_ just upload their own copies (that's why programs like rkhunter and other md5 checking programs are so important for servers).
Commonly, a system will be compromised, and instead of making their presence known, the intruder will just upload a few key modified binaries (like who, ps, top, etc.). The modified binaries may perhaps mask their presence, or hide running processes used to do all sorts of nasty things off your computer (like send spam).
As I said, once they have root, you're done. Your best bet is to immediately take the machine offline, and start from scratch.

EDIT: One more thing (after re-reading your post, and imaging you coming back with some left field idea), how would you even know when to run this "scrambler" script? That would rely on intrusion detection, which can fail, etc. Would you instead have the binaries always running under the scrambled names? That seems like a huge hassle for getting any real work done. The idea is just too far fetched and definately not worth the time. There's a reason that the "tried and true" methods of compromise cleaning are used.

Ok. It was just an idea

Stay fine
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Idea on how to improve apache security at www.linuxfanatics.org linuxfanatics Linux - Security 2 03-06-2005 04:45 PM
A Security Idea. rvijay Linux - Security 9 01-28-2005 12:54 PM
Security idea, does it exist somewhere already? bobtmasse Linux - Security 3 12-18-2003 11:17 PM
Interesting idea of file security hamster Linux - Software 5 06-09-2003 10:03 PM
What else can I do to improve my System's Security? Artimus Linux - Security 7 04-13-2003 04:26 PM


All times are GMT -5. The time now is 06:40 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration