[plug] Untraceable Process. Sys-Op Challenge

Timothy White weirdo at tigris.org
Tue Feb 8 18:09:45 WST 2005


Timothy White wrote:

> Andrew Furey wrote:
>
>> On Tue, 08 Feb 2005 00:05:19 +0800, Timothy White <weirdo at tigris.org>
>> wrote:
>> [snip]
>>
>>> $ ps aux |grep luser
>>> luser     5048  0.5  3.4  3176 2092 pts/4    Ss+  23:32   0:00 -bash
>>> luser     5078  0.4  5.0  4664 3132 pts/4    S    23:32   0:00 perl server.pl
>>> tim       5162  0.0  0.7  1496  448 pts/2    S+   23:34   0:00 grep luser
>>> --- You can see that the process you want is a perl script called server.pl
>>>
>> [snip]
>>
>>> # vdir /proc/5078/
>>> total 0
>>> -r--r--r--    1 luser    luser           0 Feb  7 23:39 cmdline
>>> lrwxrwxrwx    1 luser    luser           0 Feb  7 23:39 cwd -> /tmp
>>> -r--------    1 luser    luser           0 Feb  7 23:39 environ
>>> lrwxrwxrwx    1 luser    luser           0 Feb  7 23:39 exe -> /usr/bin/perl
>>> dr-x------    2 luser    luser           0 Feb  7 23:39 fd
>>> -r--r--r--    1 luser    luser           0 Feb  7 23:39 maps
>>> -rw-------    1 luser    luser           0 Feb  7 23:39 mem
>>> lrwxrwxrwx    1 luser    luser           0 Feb  7 23:39 root -> /
>>> -r--r--r--    1 luser    luser           0 Feb  7 23:39 stat
>>> -r--r--r--    1 luser    luser           0 Feb  7 23:39 statm
>>> -r--r--r--    1 luser    luser           0 Feb  7 23:39 status
>>> --- Shows that the file should be in /tmp. It's not.
>>>
>>
>> My guess (not sure how plausible) is something like this:
>>
>> http://sysd.org/proj/psf.c
>>
>> So that the file is actually there (or somewhere the user can write
>> to), but its process entry has been modified to give it a different
>> name. I thought I saw a while back that one of the security-scanning
>> tools (nmap or john or the like) had this as an option, but I can't
>> seem to find it now.
>>
>> I was about to ask whether this is doable with a child perl script
>> without the /usr/bin/perl binary supporting it, but then I realised
>> that it doesn't actually need to be a perl script at all. If this is
>> the way he's doing it, you can't trust anything in the /proc output -
>> odds are it's a compiled C program somewhere in his home directory.
>>
>> [quote attrib="Wash"] Wacky fun... [/quote]
>>
> Sorry but: (Quote from psf.c)
>
> The ways to discover faked processes I know are:
>
> * kidding with top(1)
> * ps auwx --cols 1024
> * cat /proc/[pidn]/cmdline (Linux only)
> * whatever non-standard process stack monitors
> * looking at open files with the "lsof" program
> * if you use the -d (daemonize) option, be careful!!! As any cool daemon should
>   do, "psf" closes std(in,out,err). What will your admin think if he (she)
>   sees "pine -i" with no parent and no allocated TTY?!
> ---
> So /proc remains correct. And using the other methods above the best I
> can get is:
> $ lsof|grep luser|grep perl
> perl       3273       luser  cwd    DIR     3,1       0    178041 /tmp/s42R0t (deleted)
> perl       3273       luser  rtd    DIR     3,1    4096         2 /
> perl       3273       luser  txt    REG     3,1 1057324    207585 /usr/bin/perl
> perl       3273       luser  mem    REG     3,1   89000    175378 /lib/ld-2.3.2.so
> perl       3273       luser  mem    REG     3,1   17920    111740 /usr/lib/perl/5.8.4/auto/IO/IO.so
> perl       3273       luser  mem    REG     3,1    9232    175676 /lib/libdl-2.3.2.so
> perl       3273       luser  mem    REG     3,1  130336    175677 /lib/libm-2.3.2.so
> perl       3273       luser  mem    REG     3,1   78279    176896 /lib/libpthread-0.10.so
> perl       3273       luser  mem    REG     3,1 1214160    175674 /lib/libc-2.3.2.so
> perl       3273       luser  mem    REG     3,1   18204    175675 /lib/libcrypt-2.3.2.so
> perl       3273       luser  mem    REG     3,1   22352    111743 /usr/lib/perl/5.8.4/auto/Socket/Socket.so
> perl       3273       luser  mem    REG     3,1   33528    176891 /lib/libnss_files-2.3.2.so
> perl       3273       luser    0r   CHR     1,3             47982 /dev/null
> perl       3273       luser    1u   CHR   136,0                 2 /dev/pts/0
> perl       3273       luser    2u   CHR   136,0                 2 /dev/pts/0
> perl       3273       luser    3u  IPv4 2466063               TCP *:9000 (LISTEN)
>
> ---
>
> Good guess though. And some of the stuff I hadn't thought about.

Hmmm. Even worse. Leave it running for a while and fewer files are open.
That deleted file in /tmp is gone from the open file list?

perl       3273       luser  mem    REG    3,1 1057324    207585 /usr/bin/perl
perl       3273       luser  mem    REG    3,1   89000    175378 /lib/ld-2.3.2.so
perl       3273       luser  mem    REG    3,1   17920    111740 /usr/lib/perl/5.8.4/auto/IO/IO.so
perl       3273       luser  mem    REG    3,1    9232    175676 /lib/libdl-2.3.2.so
perl       3273       luser  mem    REG    3,1  130336    175677 /lib/libm-2.3.2.so
perl       3273       luser  mem    REG    3,1   78279    176896 /lib/libpthread-0.10.so
perl       3273       luser  mem    REG    3,1 1214160    175674 /lib/libc-2.3.2.so
perl       3273       luser  mem    REG    3,1   18204    175675 /lib/libcrypt-2.3.2.so
perl       3273       luser  mem    REG    3,1   22352    111743 /usr/lib/perl/5.8.4/auto/Socket/Socket.so
perl       3273       luser  mem    REG    3,1   33528    176891 /lib/libnss_files-2.3.2.so

Tim

--
Tim White - Use the Fox, Luke!
PGP/GPG id: 602E944D, Pub Key Serv: subkeys.pgp.net
Fingerprint: 04C2 9682 B7B2 3006 009D  A9F3 067E EDCD 602E 944D
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
--

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20050208/ecd40fbb/attachment.pgp>
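The checks traded in the thread (ps output, /proc/PID/cmdline, the exe and cwd links, lsof) all come down to comparing what a process says about itself with what the kernel records about it. The script below is an added example, not code from this thread or from psf.c: it walks a /proc tree and flags processes whose argv[0] (the only thing a psf-style rename changes, and the only thing ps shows) disagrees with the binary behind /proc/PID/exe, whose exe or cwd link reads "(deleted)", or whose cwd sits in a scratch directory. The snapshot built by build_sample_proc() is constructed for the example; its PIDs and paths are modelled on the listings above, and the "pine -i" entry is a hypothetical process disguised the way psf.c's own comment describes. The SCRATCH_DIRS list is an assumption. Run with no argument it scans the live /proc, where without root only your own processes' exe and cwd links are readable.

```python
#!/usr/bin/env python3
"""Cross-check /proc against what a process claims about itself.

Added example for the thread above, not code from the original posts or
from psf.c. Walks a /proc tree (the live one, or a constructed copy) and
reports processes whose argv[0] does not match the binary the kernel has
mapped as /proc/PID/exe, whose exe or cwd has been unlinked, or whose cwd
lives in a world-writable scratch directory.
"""
import os
import sys
import tempfile
from dataclasses import dataclass, field

# Assumption: the directories an unprivileged user can drop a binary into.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Finding:
    pid: int
    argv0: str
    exe: str
    cwd: str
    reasons: list = field(default_factory=list)


def _readlink(path):
    """Return the link target, or "" when unreadable (not our process, or gone)."""
    try:
        return os.readlink(path)
    except OSError:
        return ""


def inspect_pid(proc_root, pid):
    pid_dir = os.path.join(proc_root, str(pid))
    with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    argv0 = argv[0] if argv else ""
    exe = _readlink(os.path.join(pid_dir, "exe"))
    cwd = _readlink(os.path.join(pid_dir, "cwd"))
    finding = Finding(pid, argv0, exe, cwd)

    # ps reads argv, which the process itself may overwrite (psf-style). The
    # exe link is derived by the kernel from the mapped binary and cannot be.
    exe_base = os.path.basename(exe.replace(" (deleted)", ""))
    argv0_base = os.path.basename(argv0).lstrip("-")  # "-bash" is a login shell
    if exe and argv0_base and argv0_base != exe_base:
        finding.reasons.append(f"argv[0] {argv0!r} != exe {exe_base!r}")
    if exe.endswith(" (deleted)"):
        finding.reasons.append("exe unlinked while running")
    if cwd.endswith(" (deleted)"):
        finding.reasons.append("cwd unlinked while running")
    if any(cwd == d or cwd.startswith(d + "/") for d in SCRATCH_DIRS):
        finding.reasons.append("cwd in world-writable scratch dir")
    return finding


def scan_proc(proc_root="/proc"):
    findings = []
    for pid in sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int):
        try:
            finding = inspect_pid(proc_root, int(pid))
        except OSError:
            continue  # process exited mid-scan, or cmdline not readable
        if finding.reasons:
            findings.append(finding)
    return findings


def build_sample_proc(root):
    """Constructed snapshot modelled on the thread; not captured data. The
    'pine -i' entry is a hypothetical psf-style process (the disguise that
    psf.c's own comment describes)."""
    samples = {
        5048: (["-bash"], "/bin/bash", "/home/luser"),
        5078: (["perl", "server.pl"], "/usr/bin/perl", "/tmp/s42R0t (deleted)"),
        5100: (["pine", "-i"], "/home/luser/.x/psf", "/home/luser/.x"),
        5162: (["grep", "luser"], "/bin/grep", "/home/tim"),
    }
    for pid, (argv, exe, cwd) in samples.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling targets are fine
        os.symlink(cwd, os.path.join(pid_dir, "cwd"))
    return root


def demo():
    """Scan the constructed snapshot; returns {pid: Finding}."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    build_sample_proc(root)
    return {f.pid: f for f in scan_proc(root)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for f in scan_proc(root):
        print(f"pid {f.pid}: argv0={f.argv0!r} exe={f.exe!r} cwd={f.cwd!r}")
        for reason in f.reasons:
            print("    -", reason)
```

On the constructed snapshot only 5078 (cwd unlinked and under /tmp, exactly the lsof picture in the thread) and 5100 (argv[0] "pine" over a binary named psf) are reported; the login shell and the grep are clean. The argv[0]-versus-exe comparison is a heuristic: versioned interpreter binaries (argv[0] "python3" over an exe named python3.11) will trip it, so on a live box expect to whitelist a few benign patterns before the output is useful.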

