LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Malicious Scripts (https://www.linuxquestions.org/questions/linux-security-4/malicious-scripts-738153/)

justmehere 07-06-2009 03:58 PM

Malicious Scripts
 
Greetings all.

I am logging in as a non-root user and wish to know if it's possible for a malicious script to install itself and modify file permissions to allow itself to run on startup and circumvent the built-in firewall? How easy is it for a script to do this without user intervention?

Any links or tutorials links on the inner workings of Linux also would be greatly appreciated.

MS3FGX 07-06-2009 04:06 PM

If you are running scripts of unknown origin, it is absolutely possible (and very easy, really) for them to be doing malicious things behind the scenes. Elevating itself to root level is a little harder, but that may not even be the point. There is plenty of damage a malicious script can do as a normal user; not system-wide, but damage to your personal files and settings is just as bad on a single-user machine.

To take your example, a script could set itself up to run every time you log in without root permissions by only modifying a few simple files. It would take root permissions to start up with the system (unless something was misconfigured); but again, on a single-user system, there isn't a lot of functional difference between starting every boot and starting when you log in.

However, "circumvent the built in firewall" could mean a few different things. You would need to clarify that a bit.

But the central thing to remember is that if you don't know where a script has come from, or haven't examined the source code, it can be exceptionally dangerous to execute it on your machine.

justmehere 07-06-2009 04:36 PM

Thanks for the reply.

The kind of malicious script that I am thinking of is one that can essentially record key strokes for websites that I travel to recording the passwords and sending them to a remote user ? Also ones that will allow a remote user to access and control your system.

What I was trying to say about *circumventing* the firewall is that this *unknown* malicious script might be able to change firewall rules in order that it may be allowed to send data out or is it that any script installed and configured can send out data without needing any changes to firewall rules via TCP ? How does Linux work with respect this scenario ? Do firewall rules need to be changed in order for an executable to transmit data via TCP or can they send freely without any system configuration ?

Could you also perhaps explain how I can find on my system any malicious script or executable that should not be there ? Perhaps one that was installed recently remotely?

Thanks in advance

Victor

MS3FGX 07-06-2009 05:28 PM

No modification to the system firewall would be required to send data, unless the firewall had already been set up to implicitly block outgoing data from everything but a whitelist of applications. No firewall is going to be doing that out of the box; it would be way too limiting for the end user. Something like that would have to be configured on your end.

So yes, any script you run could easily send data to any site it wishes without any attempt being made to limit or stop it; it is really no different from you starting a web browser and coming to LQ. Even if you have a strong inbound firewall set up, applications on your system will always be allowed to call out.
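The default-allow egress policy described in this post, next to the restricted one the poster says would have to be configured by hand, as an added example that is not part of the thread. It is a shell script that prints iptables commands rather than applying them, so it runs without root and can be reviewed before being piped to `sh` as root. Netfilter cannot match on the application binary, only on the owning UID or GID via `-m owner`, so the allowed "applications" are really UIDs; the UID 1001 used in the stand-alone run is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules that turn
# the out-of-the-box default-allow egress into default-deny, permitting
# outbound traffic only for processes running under the UIDs given as
# arguments. Nothing is applied here; the commands are printed for review.

# The policy every desktop distro ships with: anything may call out.
default_policy() {
    echo "iptables -P OUTPUT ACCEPT"
}

# Print iptables commands implementing default-deny egress for all but the
# listed UIDs. Usage: gen_egress_rules 1000 1001 | sudo sh
gen_egress_rules() {
    # Validate first so a typo cannot produce a half-built ruleset.
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "gen_egress_rules: bad uid '$uid'" >&2; return 1 ;;
        esac
    done
    # Rules are added before the policy is flipped, so an existing SSH
    # session is not cut off while the chain is being built.
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for uid in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # Log what is refused so an unexpected talker shows up in the kernel log.
    echo "iptables -A OUTPUT -j LOG --log-prefix 'egress-drop: ' --log-level 4"
    echo "iptables -A OUTPUT -j DROP"
    echo "iptables -P OUTPUT DROP"
}

# Stand-alone run: rules for a hypothetical browser-only UID 1001 (assumed).
gen_egress_rules 1001
```

The caveat a practitioner wants: a script run by the same user as the browser inherits that user's UID and so its egress allowance. Per-user egress only separates applications if each permitted program runs under its own dedicated UID (for example a `browser` account launched via `sudo -u`), and a process that can run as root can rewrite these rules at will.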

justmehere 07-06-2009 05:44 PM

Thanks so much for the reply. It's really nice to know these things before they happen, and maybe sometimes in some cases after the fact. Appreciate the reply.

Victor

jschiwal 07-06-2009 07:23 PM

The type of thing you are worried about is probably most likely to happen using the web browser. Click-jacking for example. Aside from taking care which web sites you visit, look at using Firefox's noscript plugin. Also take care to always log out of websites you visit, so that an attack on the site can't hijack your open session. With web 2.0, there are attacks that don't rely on which OS you are using.

In Linux, SUID scripts are not allowed. If you use BSD or Unix, they might be.

justmehere 07-07-2009 10:28 AM

Quote:

Originally Posted by jschiwal (Post 3599053)

You're absolutely correct about downloading a malicious script via the web browser. I have seen this via Windows many times and did not know that it can happen on Linux. I will definitely take a look at the Firefox NoScript plugin. Appreciate the information on this, because I was not sure if this could happen on Linux.

Just a few more questions. Does anyone know how to configure Firestarter for Linux so that only selected applications (i.e. Firefox, gFTP) can be allowed outgoing access? If Firestarter cannot do this, is there another firewall that is easy to configure and which allows this type of rule? I also wanted to ask if it's possible for a malicious script to tamper with the firewall settings so that it can enable itself to send out TCP data? How can I prevent this from happening?

I had one final question. Is it possible to check all scripts which start when Linux does in order to find any unknown or unaccounted-for scripts? Is there a utility for Linux which can locate and display all startup scripts?

Thanks to everyone for the replies.

chrism01 07-09-2009 12:09 AM

1. Firewall tampering
to tamper with iptables (linux f/w tech) you need to be root. Assuming(!) no weird (elevate privs) exploit avail at the non-root level, you should be safe...


2. Startup scripts
don't know your distro, but generally you'd want to start looking into /etc/init.d

3. definitely second the FF NoScript add-on; invaluable

4. I can recommend the SELinux service for the paranoid; don't know if your distro does that. RH based ones do, others may.
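The startup-script question above, and the earlier point that a script can set itself to run at every login by touching only a few user-owned files, as an added example that is not part of the thread. It is a shell script that lists the user-level login hooks (shell rc files and freedesktop autostart entries, which GNOME on Ubuntu 9.04 reads from ~/.config/autostart) and the system-wide locations under /etc that chrism01 mentions. The functions take a home directory as an argument so they can be run against a constructed tree; the planted hook path /tmp/.x/update.sh is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Enumerates where a login-time
# persistence hook can live for an unprivileged user, and where boot-time
# hooks live system-wide. Only reads; changes nothing.

# Print every user-level autostart file under home directory $1 that exists.
list_user_autostart() {
    home="$1"
    for f in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" \
             "$home/.bash_login" "$home/.xsession" "$home/.xinitrc" \
             "$home/.xprofile"; do
        [ -e "$f" ] && echo "$f"
    done
    # Desktop-session autostart entries (freedesktop.org autostart spec).
    for f in "$home"/.config/autostart/*.desktop; do
        [ -e "$f" ] && echo "$f"
    done
    # Per-user cron jobs are stored outside $HOME; check them with: crontab -l
    return 0
}

# Flag lines in the shell rc files that end in '&', the idiom a persistence
# hook uses to leave a process running in the background after login.
find_background_hooks() {
    home="$1"
    for f in "$home/.bashrc" "$home/.profile"; do
        [ -f "$f" ] || continue
        grep -n '&[[:space:]]*$' "$f" | sed "s|^|$f:|"
    done
    return 0
}

# System-wide boot hooks: SysV init scripts plus the runlevel symlinks that
# enable them, and the system cron directories. Root is needed to change
# these, which is why a non-root script normally cannot start with the system.
list_system_startup() {
    ls -l /etc/init.d /etc/rc*.d 2>/dev/null || true
    echo "--- system cron ---"
    ls -l /etc/cron.d /etc/cron.daily 2>/dev/null || true
}

# Constructed demo tree (not a real home): plant a hook the way a script
# running as the user could, then show that the audit surfaces it.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.config/autostart"
printf 'alias ll="ls -l"\n/tmp/.x/update.sh &\n' > "$demo_home/.bashrc"
printf '[Desktop Entry]\nType=Application\nName=updater\nExec=/tmp/.x/update.sh\n' \
    > "$demo_home/.config/autostart/updater.desktop"
list_user_autostart "$demo_home"
find_background_hooks "$demo_home"
```

To audit the real account, call `list_user_autostart "$HOME"` and `find_background_hooks "$HOME"`, then compare the listed files against what you remember creating; `ls -lt` on them shows which changed most recently. The grep heuristic only catches backgrounded commands, so the rc files still deserve a read by eye.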

justmehere 07-09-2009 11:19 AM

Quote:

Originally Posted by chrism01 (Post 3601758)

Thanks for the reply. I am using Ubuntu 9.0.4 but will research SELinux.
