[plug] Untraceable Process. Sys-Op Challenge
Timothy White
weirdo at tigris.org
Tue Feb 8 16:38:04 WST 2005
Andrew Furey wrote:
>On Tue, 08 Feb 2005 00:05:19 +0800, Timothy White <weirdo at tigris.org> wrote:
>[snip]
>
>>$ ps aux |grep luser
>>luser 5048 0.5 3.4 3176 2092 pts/4 Ss+ 23:32 0:00 -bash
>>luser 5078 0.4 5.0 4664 3132 pts/4 S 23:32 0:00 perl server.pl
>>tim 5162 0.0 0.7 1496 448 pts/2 S+ 23:34 0:00 grep luser
>>--- You can see that the process you want is a perl script called server.pl
>>
>[snip]
>
>># vdir /proc/5078/
>>total 0
>>-r--r--r-- 1 luser luser 0 Feb 7 23:39 cmdline
>>lrwxrwxrwx 1 luser luser 0 Feb 7 23:39 cwd -> /tmp
>>-r-------- 1 luser luser 0 Feb 7 23:39 environ
>>lrwxrwxrwx 1 luser luser 0 Feb 7 23:39 exe -> /usr/bin/perl
>>dr-x------ 2 luser luser 0 Feb 7 23:39 fd
>>-r--r--r-- 1 luser luser 0 Feb 7 23:39 maps
>>-rw------- 1 luser luser 0 Feb 7 23:39 mem
>>lrwxrwxrwx 1 luser luser 0 Feb 7 23:39 root -> /
>>-r--r--r-- 1 luser luser 0 Feb 7 23:39 stat
>>-r--r--r-- 1 luser luser 0 Feb 7 23:39 statm
>>-r--r--r-- 1 luser luser 0 Feb 7 23:39 status
>>--- Shows that the file should be in /tmp. It's not.
>>
>
>My guess (not sure how plausible) is something like this:
>
>http://sysd.org/proj/psf.c
>
>So that the file is actually there (or somewhere the user can write
>to), but its process entry has been modified to give it a different
>name. I thought I saw a while back that one of the security-scanning
>tools (nmap or john or the like) had this as an option, but I can't
>seem to find it now.
>
>I was about to ask whether this is doable with a child perl script
>without the /usr/bin/perl binary supporting it, but then I realised
>that it doesn't actually need to be a perl script at all. If this is
>the way he's doing it, you can't trust anything in the /proc output -
>odds are it's a compiled C program somewhere in his home directory.
>
>[quote attrib="Wash"] Wacky fun... [/quote]
>
Sorry but: (Quote from psf.c)
The ways to discover faked processes I know are:
* kidding with top(1)
* ps auwx --cols 1024
* cat /proc/[pidn]/cmdline (Linux only)
* whatever non-standard process stack monitors
* looking open files with "lsof" program
* if you use -d (daemonize) option, be careful!!! As any cool daemon should
do, "psf" closes std(in,out,err). What your admin will think if he (she)
sees "pine -i" with no parent and neither allocated TTY?!
---
So /proc remains correct. And using the other methods above the best I can get is:
$ lsof|grep luser|grep perl
perl 3273 luser cwd DIR 3,1 0 178041 /tmp/s42R0t (deleted)
perl 3273 luser rtd DIR 3,1 4096 2 /
perl 3273 luser txt REG 3,1 1057324 207585 /usr/bin/perl
perl 3273 luser mem REG 3,1 89000 175378 /lib/ld-2.3.2.so
perl 3273 luser mem REG 3,1 17920 111740 /usr/lib/perl/5.8.4/auto/IO/IO.so
perl 3273 luser mem REG 3,1 9232 175676 /lib/libdl-2.3.2.so
perl 3273 luser mem REG 3,1 130336 175677 /lib/libm-2.3.2.so
perl 3273 luser mem REG 3,1 78279 176896 /lib/libpthread-0.10.so
perl 3273 luser mem REG 3,1 1214160 175674 /lib/libc-2.3.2.so
perl 3273 luser mem REG 3,1 18204 175675 /lib/libcrypt-2.3.2.so
perl 3273 luser mem REG 3,1 22352 111743 /usr/lib/perl/5.8.4/auto/Socket/Socket.so
perl 3273 luser mem REG 3,1 33528 176891 /lib/libnss_files-2.3.2.so
perl 3273 luser 0r CHR 1,3 47982 /dev/null
perl 3273 luser 1u CHR 136,0 2 /dev/pts/0
perl 3273 luser 2u CHR 136,0 2 /dev/pts/0
perl 3273 luser 3u IPv4 2466063 TCP *:9000 (LISTEN)
---
Good guess though. And some of the stuff I hadn't thought about.
Tim
--
Tim White - Use the Fox, Luke!
PGP/GPG id: 602E944D, Pub Key Serv: subkeys.pgp.net
Fingerprint: 04C2 9682 B7B2 3006 009D A9F3 067E EDCD 602E 944D
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
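Added example for this thread (not code from the post, from psf.c, or from any tool named above): a small Python script that parses lsof output in the form quoted above and flags the two things that gave the process away here, a cwd or open file whose path has been unlinked ("(deleted)") and a listening socket. It also includes a Linux-only helper that reads the same facts straight from /proc/<pid>, where a cwd, exe or fd link to an unlinked path carries the same "(deleted)" suffix. The sample lines are the lsof output from the post plus a constructed header line; the column split assumes lsof's default layout (COMMAND PID USER FD TYPE, then the type-dependent columns). Names such as parse_lsof, find_findings and inspect_proc are my own.

```python
"""Find processes running from unlinked paths or holding listening sockets.

Added example for the mailing-list thread; not code from psf.c or the post.
Assumes lsof's default column order: COMMAND PID USER FD TYPE ... NAME.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed header line followed by the lsof lines quoted in the post.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 3273 luser cwd DIR 3,1 0 178041 /tmp/s42R0t (deleted)
perl 3273 luser rtd DIR 3,1 4096 2 /
perl 3273 luser txt REG 3,1 1057324 207585 /usr/bin/perl
perl 3273 luser 0r CHR 1,3 47982 /dev/null
perl 3273 luser 1u CHR 136,0 2 /dev/pts/0
perl 3273 luser 3u IPv4 2466063 TCP *:9000 (LISTEN)
"""

DELETED_RE = re.compile(r"(/\S*) \(deleted\)")   # path that was unlinked
LISTEN_RE = re.compile(r"(\S+) \(LISTEN\)")      # addr:port of a listener


@dataclass
class LsofRecord:
    command: str
    pid: int
    user: str
    fd: str       # cwd, rtd, txt, mem, or a numeric fd with mode (0r, 3u)
    ftype: str    # DIR, REG, CHR, IPv4, ...
    rest: str     # DEVICE SIZE/OFF NODE NAME; column count varies by type


def parse_lsof(text: str) -> List[LsofRecord]:
    """Split lsof lines on the five stable leading columns; skip headers."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or not parts[1].isdigit():
            continue  # header or a line lsof wrapped in an unexpected way
        records.append(LsofRecord(parts[0], int(parts[1]), parts[2],
                                  parts[3], parts[4], parts[5]))
    return records


def find_findings(records: List[LsofRecord]) -> Dict[int, Dict[str, List[str]]]:
    """Map pid -> {'deleted': [...], 'listening': [...]} for pids with findings."""
    findings: Dict[int, Dict[str, List[str]]] = {}
    for r in records:
        deleted = DELETED_RE.search(r.rest)
        listening = LISTEN_RE.search(r.rest)
        if not (deleted or listening):
            continue
        entry = findings.setdefault(r.pid, {"deleted": [], "listening": []})
        if deleted:
            entry["deleted"].append(f"{r.fd}: {deleted.group(1)}")
        if listening:
            entry["listening"].append(f"{r.fd}: {listening.group(1)}")
    return findings


def inspect_proc(pid: int) -> Dict[str, str]:
    """Linux only: report cwd/exe/fd links of <pid> whose target was unlinked.

    Returns {} when /proc/<pid> is unreadable or absent (non-Linux, no such
    pid, or another user's process without permission to read fd/).
    """
    base = f"/proc/{pid}"
    found: Dict[str, str] = {}
    links = ["cwd", "exe"]
    try:
        links += [f"fd/{n}" for n in os.listdir(os.path.join(base, "fd"))]
    except OSError:
        pass
    for name in links:
        try:
            target = os.readlink(os.path.join(base, name))
        except OSError:
            continue
        if target.endswith(" (deleted)"):
            found[name] = target
    return found


def read_cmdline(pid: int) -> List[str]:
    """argv of <pid> from /proc; a process may rewrite this, so compare it
    with the exe link rather than trusting the name it shows in ps."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            raw = fh.read()
    except OSError:
        return []
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


if __name__ == "__main__":
    for pid, info in find_findings(parse_lsof(SAMPLE_LSOF)).items():
        print(pid, info)
    me = os.getpid()
    print(me, read_cmdline(me)[:1], inspect_proc(me))
```

Run it against `lsof -n` output piped into parse_lsof, or point inspect_proc at a pid from `ps`; a non-empty "deleted" entry for cwd is exactly the situation in the lsof listing above, where the script was started from a temporary directory that was removed afterwards, so the directory shown by /proc no longer exists on disk.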