Linux Archive > Debian > Debian User
02-15-2009, 06:06 PM
Nikolaus Rath

Detecting a compromised system

Hello,

I recently thought about the least sophisticated way to introduce a
backdoor into a system if I already had a root shell. My naive
approach would be to

a) create a setuid root shell somewhere in the fs,

or

b) modify an existing setuid binary to grant me root access
(e.g. when invoked with a special parameter)


Since I don't consider myself particularly ingenious in that respect,
I expected that it would be pretty easy to spot these modifications.
So I did exactly the above and then tried to "detect" my changes.

I first looked for any additional packages that might help me with
this and installed (and configured to the best of my knowledge)
checksecurity and tiger.

I thought to remember that debian packages need to register any suid
binaries that they install, and I also read in the tiger documentation
that it verifies the checksums of installed system binaries. Thus I
expected that both my modifications would immediately show up.
However, nothing like that happened.

Now I'm wondering if there really is no easy way to detect such
changes, if I didn't find the right packages, or if I messed up the
configuration.

Anyone able to help?


Best,

-Nikolaus

--
»Time flies like an arrow, fruit flies like a Banana.«

PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
02-15-2009, 09:11 PM
Micha Feigin

Detecting a compromised system

On Sun, 15 Feb 2009 14:06:29 -0500
Nikolaus Rath <Nikolaus@rath.org> wrote:

> Hello,
>
> I recently thought about the least sophisticated way to introduce a
> backdoor into a system if I already had a root shell. My naive
> approach would be to
>
> a) create a setuid root shell somewhere in the fs,
>
> or
>
> b) modify an existing setuid binary to grant me root access
> (e.g. when invoked with a special parameter)
>
>
> Since I don't consider myself particularly ingenious in that respect,
> I expected that it would be pretty easy to spot these modifications.
> So I did exactly the above and then tried to "detect" my changes.
>
> I first looked for any additional packages that might help me with
> this and installed (and configured to the best of my knowledge)
> checksecurity and tiger.
>
> I thought to remember that debian packages need to register any suid
> binaries that they install, and I also read in the tiger documentation
> that it verifies the checksums of installed system binaries. Thus I
> expected that both my modifications would immediately show up.
> However, nothing like that happened.
>
> Now I'm wondering if there really is no easy way to detect such
> changes, if I didn't find the right packages, or if I messed up the
> configuration.
>
> Anyone able to help?
>
>
> Best,
>
> -Nikolaus
>

Finding such files is easy:

    find / -perm /u+s

Detecting whether they should be setuid root, I don't know enough about the
Debian system to tell.


02-15-2009, 10:28 PM
"Boyd Stephen Smith Jr."

Detecting a compromised system

On Sunday 15 February 2009 13:06:29 Nikolaus Rath wrote:
> I expected that it would be pretty easy to spot these modifications.
> So I did exactly the above and then tried to "detect" my changes.
>
> I first looked for any additional packages that might help me with
> this and installed (and configured to the best of my knowledge)
> checksecurity and tiger.

Most security audit tools actually depend on being able to inventory the
system before an attack. Installing them after you are 'sploited doesn't
help.

Try installing them, then making a change that's not detectable.
--
Boyd Stephen Smith Jr.
bss@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
 
02-15-2009, 11:06 PM
Nikolaus Rath

Detecting a compromised system

"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> writes:
> On Sunday 15 February 2009 13:06:29 Nikolaus Rath wrote:
>> I expected that it would be pretty easy to spot these modifications.
>> So I did exactly the above and then tried to "detect" my changes.
>>
>> I first looked for any additional packages that might help me with
>> this and installed (and configured to the best of my knowledge)
>> checksecurity and tiger.
>
> Most security audit tools actually depend on being able to inventory
> the system before an attack. Installing them after you are 'sploited
> doesn't help.
>
> Try installing them, then making a change that's not detectable.

Generally, you're right. But why do I need to make an explicit
snapshot of the system if all debian packages already contain the
necessary information? Is there no tool available that makes use of
it? This would also eliminate the need to make a new system snapshot
after each security upgrade.

Best,


-Nikolaus

--
»Time flies like an arrow, fruit flies like a Banana.«

PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C


02-16-2009, 12:16 AM
"Boyd Stephen Smith Jr."

Detecting a compromised system

On Sunday 15 February 2009 18:06:55 Nikolaus Rath wrote:
> But why do I need to make an explicit
> snapshot of the system if all debian packages already contain the
> necessary information?

This information is tool-specific. It doesn't belong in the package. One
Debian tool, debsums, does occasionally get its version of this information
shipped with the packages. But not all of them (the packages) do. It's up
to the packager to ship debsums or not, AFAIK.

Sure, you could byte-by-byte compare against the file extracted from the .deb,
but the .deb isn't retained (too long) after installation.

> Is there no tool available that makes use of
> it?

debsums will make use of debsums-information in the packages, generate
debsums-information for packages that don't have it (either as they are
installed or afterwards), and verify the state of packages based on debsums-
information. It does not concern itself with files that are not recorded in
the dpkg database.

It's also possible to use apt (or dpkg??) hooks to update other tools at
installation/deinstallation time, but that might undermine the intent behind
the tools. (An attacker can do whatever they want as long as they do it as a
package?)
--
Boyd Stephen Smith Jr.
bss@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
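An added example, not code from this thread or from debsums, that joins the two answers above: it walks a tree for setuid/setgid files the way `find / -perm /u+s` does, then looks each one up in the per-package md5sums that debsums reads from /var/lib/dpkg/info/*.md5sums, reporting files dpkg has no record of (case a) and packaged files whose checksum changed (case b). The fixture directory and md5sums text are constructed stand-ins for the real root and dpkg database.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def parse_md5sums(text):
    """Parse one dpkg md5sums file: '<md5>  <path relative to />' per line."""
    recorded = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            recorded["/" + rel.strip()] = digest
    return recorded

def md5_of(path):
    # dpkg records md5, so that is what we compare against (not a security hash here)
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_setuid(root, recorded):
    """Return (unpackaged, modified): setuid/setgid files dpkg has no record
    of (a planted shell) and packaged ones whose md5 changed (a patched binary)."""
    root = Path(root)
    unpackaged, modified = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            st = p.lstat()  # lstat so symlinks are not followed
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            installed = "/" + str(p.relative_to(root))  # path as dpkg would record it
            if installed not in recorded:
                unpackaged.append(installed)
            elif md5_of(p) != recorded[installed]:
                modified.append(installed)
    return sorted(unpackaged), sorted(modified)

def demo():
    """Constructed fixture: a throwaway root and the md5sums dpkg would have kept."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "tmp").mkdir()
        for rel, data in [("bin/su", b"su as shipped"), ("bin/passwd", b"passwd, patched"),
                          ("tmp/.sh", b"copied shell")]:
            (root / rel).write_bytes(data)
            (root / rel).chmod(0o4755)  # setuid, as a root-owned binary would be
        shipped = (f"{hashlib.md5(b'su as shipped').hexdigest()}  bin/su\n"
                   f"{hashlib.md5(b'passwd as shipped').hexdigest()}  bin/passwd\n")
        return audit_setuid(root, parse_md5sums(shipped))
```

Boyd's caveat applies unchanged: the md5sums files live on the same disk as the binaries, so a root-level intruder can rewrite them, which is why the inventory has to come from before the compromise (or from a trusted copy of the package metadata).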
 
