Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
This is an idea I had, thinking about server security.
Please read it all.
The base idea is: even if someone gains access to a root shell (SSH or not), he can't do anything if he doesn't have access to the commands.
Then there will be a program/script that will convert our programs' names into names with many random characters.
Example:
our /bin/ls will be now /bin/a2bs3mc02c0b
All binaries will end up with names like that. Then the program will register the names and automatically create a script, for example:
#!/bin/1bv3c3g4bb (that was, before, the "bash" command, which the program had registered before)
lg9sf7g77 (formerly "alias") /bin/bash=/bin/1bv3c3g4bb
lg9sf7g77 (formerly "alias") bash=1bv3c3g4bb
This for all commands.
The script will be kept saved, and after we start a session, we will have to execute the script, which will have the name that we chose for it.
In this way, whoever gets a shell on our computer will not have access to it, if he doesn't know the script name.
I've actually seen this implemented on a small scale before, with just a few commands. However, I can see a number of reasons why this wouldn't work. One weakness would be that the size of the binaries would be the same and would be a likely clue. Second, shell scripts that rely on binaries would have to somehow be dynamically updated for their new names. Lastly, once someone has gained access they could just upload their own binaries (which actually happens a lot). Personally I think it relies a little too much on "security through obscurity". I do like the alias trick though.
A number of common services have built-in utilities or subsystems for uploading files. One example is the ftp upload function in PHP, another is SSH. Compromise one of those services and you have the ability to upload whatever you want.
Perhaps, to change them, just create files without execute permissions...
And of course, you will not be able to chmod them.....
[root@Alpha bin]# mv chmod fjlakfjl
[root@Alpha bin]# fjlakfjl --help
Usage: fjlakfjl [OPTION]... MODE[,MODE]... FILE...
or: fjlakfjl [OPTION]... OCTAL-MODE FILE...
or: fjlakfjl [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
-c, --changes like verbose but report only when a change is made
--no-preserve-root do not treat `/' specially (the default)
--preserve-root fail to operate recursively on `/'
-f, --silent, --quiet suppress most error messages
-v, --verbose output a diagnostic for every file processed
--reference=RFILE use RFILE's mode instead of MODE values
-R, --recursive change files and directories recursively
--help display this help and exit
--version output version information and exit
Each MODE is one or more of the letters ugoa, one of the symbols +-= and
one or more of the letters rwxXstugo.
Report bugs to <bug-coreutils@gnu.org>.
How does the attacker know that the command is "fjlakfjl"?
He doesn't know. If it is a command that he put there himself, he will not be able to execute it if it doesn't have execute permissions.
You're missing the point. You can just walk through /bin without knowing any of the filenames and use --help to figure out which command is which or more easily just find ls and then you'll know all the binary sizes.
Originally posted by Capt_Caveman: You're missing the point. You can just walk through /bin without knowing any of the filenames and use --help to figure out which command is which or more easily just find ls and then you'll know all the binary sizes.
I think you are not understanding the idea.
Imagine you attack a computer, and now you have a shell and you are root, and you don't have access to the commands... what will you do?
Sorry, but this idea really is pointless. As soon as they have root, you're done, because anything you do, they can undo. As a few have said, the most common action an attacker will take is to upload their own binaries. If the normal commands are not found, they would _for sure_ just upload their own copies (that's why programs like rkhunter and other md5 checking programs are so important for servers).
Commonly, a system will be compromised, and instead of making their presence known, the intruder will just upload a few key modified binaries (like who, ps, top, etc.). The modified binaries may perhaps mask their presence, or hide running processes used to do all sorts of nasty things off your computer (like send spam).
As I said, once they have root, you're done. Your best bet is to immediately take the machine offline, and start from scratch.
EDIT: One more thing (after re-reading your post, and imagining you coming back with some left-field idea), how would you even know when to run this "scrambler" script? That would rely on intrusion detection, which can fail, etc. Would you instead have the binaries always running under the scrambled names? That seems like a huge hassle for getting any real work done. The idea is just too far fetched and definitely not worth the time. There's a reason that the "tried and true" methods of compromise cleaning are used.
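Added example, not code from anyone in this thread: a small script that does what the original post proposes (copy each tool under a random name and write the alias script), then shows Capt_Caveman's point that an attacker can map the scrambled names back by content alone, and Vgui's point that a hash manifest of the kind rkhunter and other md5/sha checkers keep is what actually catches a replaced ps. The "binaries" are constructed stand-in shell scripts, the tool list (ls, ps, chmod), the directory names and the function names are all hypothetical, and everything runs inside a mktemp scratch directory so nothing under /bin is touched.

```shell
#!/bin/sh
# Added example, not from the thread. Implements the proposed "scrambler",
# then shows (a) an attacker identifying the scrambled files by hash with no
# access to the alias script, and (b) an rkhunter-style hash manifest catching
# a replaced binary. Stand-in "binaries" are constructed shell scripts;
# tool list, paths and function names are hypothetical.
set -eu

WORK=$(mktemp -d)
REF="$WORK/ref"            # pristine copies, as shipped by the distro
SCR="$WORK/scrambled"      # the renamed tree the proposal leaves on disk
MANIFEST="$WORK/manifest.sha256"
TOOLS="ls ps chmod"

# Build the reference tree and record known-good hashes while it is trusted.
make_reference() {
  rm -rf "$REF"; mkdir -p "$REF"
  for tool in $TOOLS; do
    printf '#!/bin/sh\necho "I am %s"\n' "$tool" > "$REF/$tool"
    chmod 755 "$REF/$tool"
  done
  (cd "$REF" && sha256sum $TOOLS) > "$MANIFEST"
}

# The proposal: copy each tool under a random 12-hex-character name and emit
# an alias line so the administrator can still type the real name.
scramble() {
  rm -rf "$SCR"; mkdir -p "$SCR"
  : > "$WORK/aliases.sh"
  for tool in $TOOLS; do
    name=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
    cp "$REF/$tool" "$SCR/$name"
    printf "alias %s='%s/%s'\n" "$tool" "$SCR" "$name" >> "$WORK/aliases.sh"
  done
}

# Attacker's view: walk the scrambled directory and identify each file by
# hash against the distro's published package hashes (the manifest stands in
# for those here). File size alone already narrows most of coreutils.
# Prints "<scrambled-name> <size> <real-name>"; unknown content prints "?".
identify() {
  for f in "$SCR"/*; do
    h=$(sha256sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    real=$(awk -v h="$h" '$1 == h { print $2 }' "$MANIFEST")
    printf '%s %s %s\n' "$(basename "$f")" "$size" "${real:-?}"
  done
}

# Defender's view: verify every reference file against the manifest.
# Returns 0 when all match, 1 after naming each modified file.
verify_manifest() {
  status=0
  while read -r h name; do
    cur=$(sha256sum "$REF/$name" | cut -d' ' -f1)
    [ "$cur" = "$h" ] || { echo "MODIFIED: $name"; status=1; }
  done < "$MANIFEST"
  return $status
}

# The usual post-compromise step: replace ps with a copy that hides a process.
trojan_ps() {
  printf '#!/bin/sh\necho "I am ps, minus the spam bot"\n' > "$REF/ps"
}

demo() {
  make_reference
  scramble
  echo "== scrambled tree, identified without the alias script =="
  identify
  echo "== manifest check before tampering =="
  verify_manifest && echo "all files match"
  trojan_ps
  echo "== manifest check after a trojaned ps is dropped in =="
  if verify_manifest; then echo "all files match"; else echo "integrity check failed"; fi
}

demo
```

The manifest only helps if it was generated before the compromise and is kept somewhere the intruder cannot rewrite (read-only media or another host), which is the same reason the thread says to take a rooted box offline and rebuild rather than trust anything it reports about itself.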