
Re: [linux-security] Re: Bind Overrun Bug and Linux



A recent CERT advisory said the sort of things we expect

ps, pstree, netstat, ls, etc    omit interesting information that you might not want to reveal.
bind                            xterm backdoor.

It has not happened to me so I do not know myself. Last time I recompiled 
everything from known clean source and it was *not fun*. I checked for hidden 
processes and stuff like that using echo * instead of ls (which is one of the 
most likely things to be trojanised).

My ps tester should detect simple ps trojans and tell you about them, avoiding 
logs on the local machine. The subject looks innocuous enough if the attacker 
sees it. The message content is explicit. The program will also tell you about 
what IP address the attacker was connected from in many cases and boot the 
attacker off the system (the program does not use netstat, so a backdoor netstat 
is useless; it avoids hostnames and tells you the IP numbers and time). If the 
attacker is silly enough to use telnet or similar you will know the source.

The process name in all versions of ps, pstree, etc is httpd. The advantage 
over MD5 sums is the identification of evil processes and the generation of 
lots of permanent information from /proc. There is also an unreleased scanner 
that uses kill with signal 0 and compares with /proc for those that hack 
/proc, in addition to the normal /proc vs ps checking. It is a simple trap 
and *not* a replacement for regular tripwire scans (alert attackers can easily 
kill it before it gets them).

You can get the source by anonymous ftp from mars.astra.co.uk in the 
/pub/word2x directory. The code is in the archive called check-ps. No binaries are 
available and you should compile it yourself for obvious security reasons 
anyway.


-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
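The cross-checks the message describes (the /proc listing against ps output, and a kill(pid, 0) sweep against /proc for rootkits that also filter /proc) can be sketched in a few dozen lines. The script below is an added illustration of that idea, not the check-ps code from the archive mentioned above, and it does none of the reporting or disconnecting that tool does. All function names are this example's own; it assumes a Linux host with procps `ps` and readable `/proc/sys/kernel/pid_max`.

```python
#!/usr/bin/env python3
"""Cross-check three views of the process table: /proc, ps, and kill(pid, 0).

Added example (hypothetical names), not the check-ps tool itself.
"""
import os
import subprocess


def parse_ps_pids(text):
    """Parse `ps -e -o pid=` output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def compare_views(proc_before, proc_after, ps_view):
    """Compare the /proc view with the ps view.

    'hidden': PIDs present in /proc both before and after ps ran, yet absent
              from ps output (a trojaned ps filtering entries).
    'ghost':  PIDs ps reported that never appeared in /proc.
    Requiring presence in both snapshots drops short-lived processes,
    including the ps process itself, which lists its own PID.
    """
    stable = proc_before & proc_after
    return {
        "hidden": sorted(stable - ps_view),
        "ghost": sorted(ps_view - (proc_before | proc_after)),
    }


def compare_kill_scan(kill_alive, proc_pids, proc_tids):
    """PIDs that answer kill(pid, 0) but have no top-level /proc entry.

    Thread IDs must be excluded: on Linux kill() accepts a TID and signals
    its thread group, while /proc only lists thread-group leaders at top
    level (threads live under /proc/<pid>/task). Without this, every
    multi-threaded program would look like a hidden process.
    """
    return sorted(kill_alive - proc_pids - proc_tids)


def snapshot_proc():
    """Return (pids, tids) currently visible in /proc."""
    pids, tids = set(), set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pids.add(int(name))
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # process exited, or /proc is mounted with hidepid
    return pids, tids


def kill_scan(pid_max):
    """Probe every PID with signal 0; EPERM still means the process exists."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def run_check():
    """Run both comparisons on the live system and return the findings."""
    before, tids_before = snapshot_proc()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    after, tids_after = snapshot_proc()
    findings = compare_views(before, after, parse_ps_pids(ps_out))

    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    alive = kill_scan(pid_max)
    # Third snapshot so processes started during the sweep are not reported.
    post, tids_post = snapshot_proc()
    findings["hidden_from_proc"] = compare_kill_scan(
        alive, before | after | post, tids_before | tids_after | tids_post)
    return findings


if __name__ == "__main__":
    for key, pids in run_check().items():
        print(f"{key}: {pids if pids else 'none'}")
```

The pure comparison functions take snapshots as arguments so the logic can be exercised on constructed data, while `run_check` does the live gathering. As the message says, this is a tripwire-style trap rather than a guarantee: a kernel-level rootkit can lie to all three views at once, and an attacker who notices the scanner can kill it.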


