[plug] Untraceable Process. Sys-Op Challenge

Timothy White weirdo at tigris.org
Wed Feb 9 10:22:17 WST 2005


Carl Gherardi wrote:

>I'll take a punt.
>
>Use procmail or other mail style filtering program.
>
>In procmail script something like
>
>:0:
>....
>| check_if_server_active && cat "program text " >> /tmp/server.pl  &&
>/tmp/server.pl && rm /tmp/server.pl
>
>Using some obfuscation on how the filenames are created so server.pl
>can't be grepped - every time a new mail arrives procmail will kick off
>the server.
>
>Dependent on how tight restrictions are on mail filters, but this
>seems workable.
>
>
Close. This would work except...
'grep -R -i server.pl ~/*' would find that.
Doing that on my box would come out clean

You're right about copying a program to a 'tmp' file and deleting it.
I just had a thought though for giving the executable a different name
each time or making sure a grep wouldn't find it.

The other thing. This process is started manually each time rather than
through procmail. Why? Because many system admins would check procmail
scripts when they think they have been compromised.

Tim
P.S. The way my thing works now, it can be found with grep; give me 10
minutes and even grep will have a hard time finding it.
Oh, and to make things nasty, think about a payload that forks for
numerous functions rather than just one, all self contained and hidden
in a single file.

--
Tim White - Use the Fox, Luke!
PGP/GPG id: 602E944D, Pub Key Serv: subkeys.pgp.net
Fingerprint: 04C2 9682 B7B2 3006 009D  A9F3 067E EDCD 602E 944D
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
--

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20050209/d83dbbc7/attachment.pgp>
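A defender's check for the mechanism Carl sketches above: whatever the dropped file is called, a mail-triggered launcher has to sit in a procmail recipe whose action line begins with '|' (pipe the message into a command), so auditing ~/.procmailrc for pipe actions catches it even when a grep for a filename like server.pl comes up clean. The script below is an added example, not code from this thread or from procmail; the marker names, the heuristic patterns and the sample procmailrc are constructed for illustration. Recipe syntax follows procmailrc(5): a ':0 [flags] [: [lockfile]]' header, zero or more '* condition' lines, then one action line.

```python
"""Audit procmailrc text for recipes whose action pipes the message into
a shell command. Added example, not from the thread or from procmail."""
import re
import sys
from dataclasses import dataclass, field

# Heuristic markers for a drop-and-run command. Names and patterns are
# assumptions of this example, not anything procmail itself defines.
SUSPICIOUS_PATTERNS = {
    "tmpdir": r"/(?:var/)?tmp/|/dev/shm/",   # writes under a scratch dir
    "chain": r"&&|;|\|\|",                   # several commands in one action
    "cleanup": r"\brm\b",                    # removes its own artefact
    "chmod": r"\bchmod\b",                   # makes the artefact executable
    "decode": r"\bbase64\b|\beval\b",        # unpacks an embedded payload
}


@dataclass
class Recipe:
    lineno: int                 # 1-based line of the ':0' header
    flags: str                  # text after ':0' on the header line
    conditions: list = field(default_factory=list)
    action: str = ""            # first non-condition line after the header

    def is_pipe(self) -> bool:
        return self.action.startswith("|")

    def markers(self) -> list:
        cmd = self.action[1:]
        return [name for name, pat in SUSPICIOUS_PATTERNS.items()
                if re.search(pat, cmd)]


def parse_recipes(text: str) -> list:
    """Split procmailrc text into Recipe objects, joining backslash
    continuation lines and skipping comments, blanks and assignments."""
    lines = text.splitlines()
    joined = []                 # (lineno of first physical line, logical line)
    i = 0
    while i < len(lines):
        lineno, line = i + 1, lines[i]
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + lines[i].lstrip()
        joined.append((lineno, line))
        i += 1

    recipes, current = [], None
    for lineno, raw in joined:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":0"):
            current = Recipe(lineno=lineno, flags=line[2:].strip())
            recipes.append(current)
        elif current is None or current.action:
            continue            # variable assignment or block delimiter
        elif line.startswith("*"):
            current.conditions.append(line[1:].strip())
        else:
            current.action = line
    return recipes


def audit(text: str) -> list:
    """Return (lineno, action, markers) for every recipe that pipes into a
    command; an empty marker list means the pipe looks ordinary."""
    return [(r.lineno, r.action, r.markers())
            for r in parse_recipes(text) if r.is_pipe()]


# Constructed sample, not taken from any real system. Recipe 3 is the
# launcher sketched in the thread; recipe 4 does the same with a filename
# generated at delivery time, so grepping for 'server.pl' would miss it.
SAMPLE_PROCMAILRC = r"""
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/log

# 1: ordinary filing rule, delivers to a folder
:0:
* ^From:.*lists\.example\.org
lists/

# 2: forwarding rule
:0
* ^Subject:.*urgent
! oncall@example.org

# 3: drop-and-run launcher with a fixed filename
:0:
* ^Subject: go
| check_if_server_active && cat >> /tmp/server.pl && /tmp/server.pl && rm /tmp/server.pl

# 4: same launcher, filename generated at delivery time
:0:
* ^Subject: go
| f=$(mktemp /tmp/.XXXXXX) && cat > "$f" && chmod +x "$f" && \
  "$f"; rm -f "$f"

# 5: benign pipe, spam scoring
:0fw
| spamc
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROCMAILRC
    for lineno, action, marks in audit(src):
        print(f"line {lineno}: {'SUSPICIOUS' if marks else 'pipe'} {action} {marks}")
```

Run it with a path to a user's .procmailrc (or with no argument to see the sample). The same structural idea applies to ~/.forward, where a "|command" entry pipes mail into a program; the point is to key the audit on the pipe action, which the launcher cannot avoid, rather than on a filename the attacker controls.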