LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  justmehere (Member, registered Jul 2005, Mandrake 6.1, 59 posts), 07-06-2009, 03:58 PM

Malicious Scripts

Greetings all.

I am logging in as a non-root user and wish to know if it's possible for a malicious script to install itself and modify file permissions to allow itself to run on startup and circumvent the built-in firewall? How easy is it for a script to do this without user intervention?

Any links or tutorial links on the inner workings of Linux would also be greatly appreciated.
 
#2  MS3FGX (Guru, registered Jan 2004, NJ, USA, Slackware and Debian, 5,852 posts), 07-06-2009, 04:06 PM

If you are running scripts of unknown origin, it is absolutely possible (and very easy, really) for them to be doing malicious things behind the scenes. Elevating itself to root level is a little harder, but that may not even be the point. There is plenty of damage a malicious script can do as a normal user; not system-wide, but damage to your personal files and settings is just as bad on a single-user machine.

To take your example, a script could set itself up to run every time you log in without root permissions by only modifying a few simple files. It would take root permissions to start up with the system (unless something was misconfigured); but again, on a single-user system, there isn't a lot of functional difference between starting every boot and starting when you log in.

However, "circumvent the built in firewall" could mean a few different things. You would need to clarify that a bit.

But the central thing to remember is that if you don't know where a script has come from, or haven't examined the source code, it can be exceptionally dangerous to execute it on your machine.
 
#3  justmehere (original poster), 07-06-2009, 04:36 PM

Thanks for the reply.

The kind of malicious script that I am thinking of is one that can essentially record keystrokes for websites that I travel to, recording the passwords and sending them to a remote user. Also ones that will allow a remote user to access and control your system.

What I was trying to say about *circumventing* the firewall is that this *unknown* malicious script might be able to change firewall rules so that it is allowed to send data out. Or is it that any script installed and configured can send out data via TCP without needing any changes to firewall rules? How does Linux work with respect to this scenario? Do firewall rules need to be changed in order for an executable to transmit data via TCP, or can they send freely without any system configuration?

Could you also perhaps explain how I can find on my system any malicious script or executable that should not be there? Perhaps one that was installed recently, remotely?

Thanks in advance

Victor
 
#4  MS3FGX, 07-06-2009, 05:28 PM

No modification to the system firewall would be required to send data, unless the firewall had already been set up to implicitly block outgoing data from everything but a whitelist of applications. No firewall is going to be doing that out of the box; it would be way too limiting for the end user. Something like that would have to be configured on your end.

So yes, any script you run could easily send data to any site it wishes without any attempt being made to limit or stop it; it is really no different from you starting a web browser and coming to LQ. Even if you have a strong inbound firewall set up, applications on your system will always be allowed to call out.
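What the "whitelist of applications" configuration MS3FGX describes looks like with iptables, as an added example that is neither code from this thread nor from Firestarter: new outbound connections are refused unless the process runs under a dedicated group (the group name netout is an assumption, created with groupadd), which is also one way to let only chosen programs such as Firefox or gFTP out. Only root can load or alter these rules, so the check at the end is meant for a root cron job that verifies they are still in place.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an iptables-restore ruleset
# that drops every new outbound connection except those opened by processes
# running under one chosen group; inbound policy is left untouched.
# The group "netout" is an assumption: groupadd netout; usermod -aG netout you
# Apply as root:        egress_rules netout | iptables-restore
# Start an allowed app: sg netout -c firefox

egress_rules() {
    grp="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# loopback stays open (X11, local resolvers and the like)
-A OUTPUT -o lo -j ACCEPT
# replies on connections that were already accepted, whoever owns them
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only processes in group "$grp" may open new outbound connections
-A OUTPUT -m owner --gid-owner $grp -j ACCEPT
# log what gets refused so an unexpected outbound attempt shows up in syslog
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Reads "iptables-save" output on stdin and exits 0 only while the egress
# policy is intact: OUTPUT defaults to DROP and an owner-based ACCEPT rule
# exists. Changing these rules needs root, so a failing check from a root
# cron job points at tampering or a misconfiguration, not at a user script.
egress_intact() {
    saved=$(cat)
    printf '%s\n' "$saved" | grep -q '^:OUTPUT DROP' &&
        printf '%s\n' "$saved" |
        grep -Eq -- '^-A OUTPUT -m owner --[ug]id-owner [^ ]+ -j ACCEPT'
}
```

Usage from cron, as root: `iptables-save | egress_intact || logger "egress rules changed"`.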
 
#5  justmehere (original poster), 07-06-2009, 05:44 PM

Thanks so much for the reply. It's really nice to know these things before they happen, and maybe sometimes in some cases after the fact. Appreciate the reply.

Victor
 
#6  jschiwal (Guru, registered Aug 2001, Fargo, ND, SuSE AMD64, 15,733 posts), 07-06-2009, 07:23 PM

The type of thing you are worried about is probably most likely to happen using the web browser. Click-jacking, for example. Aside from taking care which web sites you visit, look at using Firefox's NoScript plugin. Also take care to always log out of websites you visit, so that an attack on the site can't hijack your open session. With web 2.0, there are attacks that don't rely on which OS you are using.

In Linux, SUID scripts are not allowed. If you use BSD or Unix, they might be.
 
#7  justmehere (original poster), 07-07-2009, 10:28 AM

Quote (originally posted by jschiwal):
    The type of thing you are worried about is probably most likely to happen using the web browser. Click-jacking, for example. Aside from taking care which web sites you visit, look at using Firefox's NoScript plugin. Also take care to always log out of websites you visit, so that an attack on the site can't hijack your open session. With web 2.0, there are attacks that don't rely on which OS you are using.

    In Linux, SUID scripts are not allowed. If you use BSD or Unix, they might be.

You're absolutely correct about downloading a malicious script via the web browser. I have seen this via Windows many times and did not know that it can happen on Linux. I will definitely take a look at the Firefox NoScript plugin. Appreciate the information on this, because I was not sure if this could happen on Linux.

Just a few more questions. Does anyone know how to configure Firestarter for Linux so that only selected applications (i.e. Firefox, gFTP) can be allowed outgoing access? If Firestarter cannot do this, is there another firewall that is easy to configure and which allows this type of rule? I also wanted to ask if it's possible for a malicious script to tamper with the firewall settings so that it can enable itself to send out TCP data? How can I prevent this from happening?

I had one final question. Is it possible to check all scripts which start when Linux does in order to find any unknown or unaccounted-for scripts? Is there a utility for Linux which can locate and display all startup scripts?

Thanks to everyone for the replies.
 
#8  chrism01 (Guru, registered Aug 2004, Sydney, Centos 6.5 and Centos 5.10, 16,281 posts), 07-09-2009, 12:09 AM

1. Firewall tampering
To tamper with iptables (Linux f/w tech) you need to be root. Assuming(!) no weird (elevate privs) exploit avail at the non-root level, you should be safe...

2. Startup scripts
Don't know your distro, but generally you'd want to start looking into /etc/init.d

3. Definitely second the FF NoScript add-on; invaluable

4. I can recommend the SELinux service for the paranoid; don't know if your distro does that. RH-based ones do, others may.
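An added example (not code from any poster) that answers the "utility which can locate and display all startup scripts" question: it lists the per-user login hooks MS3FGX refers to in post #2 and the system-wide init locations chrism01 points at, then flags entries changed recently or launching from throwaway paths. The file names are assumed to be the usual bash, X11 and freedesktop ones; adjust them for your distro and desktop.

```shell
#!/bin/sh
# Added example, not code from the thread. Enumerates per-user startup hooks
# (shell login files, desktop autostart entries) and system-wide init paths,
# then flags entries changed recently or running something from temporary
# directories. File names are the usual bash/X11/freedesktop ones (assumed).

# Per-user files: editable with your own permissions, so this is where a
# script run as you would most easily persist across logins.
user_startup_paths() {
    home="${1:-$HOME}"
    for f in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" \
             "$home/.xsession" "$home/.xinitrc" "$home/.xprofile"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    [ -d "$home/.config/autostart" ] &&
        find "$home/.config/autostart" -name '*.desktop'
    return 0
}

# System-wide locations; changing these needs root.
system_startup_paths() {
    for d in /etc/init.d /etc/rc.local /etc/rc*.d /etc/profile.d /etc/cron.d; do
        [ -e "$d" ] && find "$d" -maxdepth 1 \( -type f -o -type l \) 2>/dev/null
    done
    return 0
}

# Startup entries modified in the last N days (default 7): the quickest way
# to spot something that "was installed recently".
recently_changed() {
    days="${1:-7}"; home="${2:-$HOME}"
    { user_startup_paths "$home"; system_startup_paths; } |
    while IFS= read -r f; do
        [ -n "$(find "$f" -maxdepth 0 -mtime "-$days" 2>/dev/null)" ] &&
            printf '%s\n' "$f"
    done
    return 0
}

# Lines in the user's login files that run something from a temporary or
# world-writable directory, or background it with nohup: read these by hand.
suspicious_lines() {
    home="${1:-$HOME}"
    user_startup_paths "$home" |
    while IFS= read -r f; do
        grep -nE '(/tmp/|/dev/shm/|/var/tmp/|nohup )' "$f" 2>/dev/null |
            sed "s|^|$f:|"
    done
    return 0
}
```

Run `recently_changed 7` after a suspected incident and `suspicious_lines` as part of a routine look at your own login files; neither needs root for the per-user part.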
 
#9  justmehere (original poster), 07-09-2009, 11:19 AM

Quote (originally posted by chrism01):
    1. Firewall tampering
    To tamper with iptables (Linux f/w tech) you need to be root. Assuming(!) no weird (elevate privs) exploit avail at the non-root level, you should be safe...

    2. Startup scripts
    Don't know your distro, but generally you'd want to start looking into /etc/init.d

    3. Definitely second the FF NoScript add-on; invaluable

    4. I can recommend the SELinux service for the paranoid; don't know if your distro does that. RH-based ones do, others may.

Thanks for the reply. I am using Ubuntu 9.0.4 but will research SELinux.