Re: LKM Trojan installed
From: Brian Hatch <focus-linux(at)ifokr.org>
Date: Tue Feb 11 2003 - 12:14:30 EST

> > > ... i created a directory, copied 'ps' et al to it, and used chattr on

The original poster seemed to think that an immutable binary was immune to any tampering, and could thus always be trusted. I wanted to make sure that misconception was cleared up - if it can be chattr'd by you as root, it can be unchattr'd by an attacker as root.[1]

I had a honeypot that was compromised by an attacker, and one of the things he/she did was to look for chattr'd binaries. I didn't have any chattr'd binaries on this machine, but I created some similar to the method originally described here on a second honeypot. The same cracker got into this machine a few hours later, again looked around and this time found my chattr'd binaries.

This cracker was either not good at LKMs or didn't want to use them, instead backdooring the binaries themselves. However he/she found the chattr'd binaries, unchattr'd, replaced them with backdoored versions, fixed the timestamps, and put the chattr bit back.

So file attributes do help point the way to files you consider important, and a good cracker will investigate and subvert these if possible. That said, defense in depth is good, and most crackers who got into my honeypots never looked for chattr bits at all. Just don't assume that a file protected by chattr is in fact unchangeable by root unless you have locked down chattr in the kernel.

So, is this a niggling response to a niggling response? ;-)

[1] And if the attacker played games with your kernel, then even pristine programs are easily subvertible by having the kernel itself lie to them, no binary trojaning necessary.

--
Brian Hatch                    "Do you understand
 Systems and                    everything you say, sir?"
 Security Engineer             "Yes, if I listen
www.buildinglinuxvpns.net       attentively."

Every message PGP signed
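The sequence Brian describes (unset the immutable bit, swap the binary, put the old timestamps back, set the bit again) and the check that still catches it, as an added example that is not part of the post: a content-hash baseline compares what is actually in the file, so it flags the swap even though `lsattr` and `ls -l` look exactly as they did before. Function names (`baseline_hashes`, `verify_hashes`, `attacker_swap`, `demo`) and the sample file contents are this example's own constructions; the attacker-side demo needs root, `chattr` and an ext2/3/4 filesystem and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not Brian Hatch's code. Shows why chattr +i does not
# stop an attacker who is already root, and a hash baseline that still
# detects the replaced binary after timestamps and the +i bit are restored.

# Record a baseline: "<sha256>  <path>" for every regular file under DIR.
baseline_hashes() {
    find "$1" -type f -exec sha256sum {} +
}

# Compare the tree against a saved baseline. Prints one line per file whose
# content changed or that is missing; returns 1 if any, 0 if clean.
# Timestamps and attributes are deliberately ignored: the attacker in the
# post restored both, so they prove nothing.
verify_hashes() {
    bad=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        now=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$1"
    return $bad
}

# The attacker's steps from the post, against one protected binary.
# $1 = chattr +i'd binary, $2 = replacement (the "backdoored version").
# chattr -i/+i require root (CAP_LINUX_IMMUTABLE). touch -r puts back
# atime/mtime; ctime is not settable this way.
attacker_swap() {
    ref=$(mktemp)
    touch -r "$1" "$ref"        # remember the original timestamps
    chattr -i "$1"              # "unchattr'd"
    cp "$2" "$1"                # "replaced them with backdoored versions"
    touch -r "$ref" "$1"        # "fixed the timestamps"
    rm -f "$ref"
    chattr +i "$1"              # "put the chattr bit back"
}

# End-to-end demo: only meaningful as root on ext2/3/4 (so /var/tmp, not a
# tmpfs /tmp). Files are constructed stand-ins, not real binaries.
demo() {
    command -v chattr >/dev/null 2>&1 || { echo "chattr not available"; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root: chattr needs CAP_LINUX_IMMUTABLE"; return 1; }
    work=$(mktemp -d /var/tmp/immut.XXXXXX)
    printf 'pretend this is the real ps\n' > "$work/ps"
    chattr +i "$work/ps"
    baseline_hashes "$work" > "$work.base"
    printf '#!/bin/sh\necho backdoor\n' > "$work/evil"
    attacker_swap "$work/ps" "$work/evil"
    echo "after the swap, attributes and mtime look untouched:"
    lsattr "$work/ps"; ls -l "$work/ps"
    echo "but the content hash disagrees with the baseline:"
    verify_hashes "$work.base" || true
    chattr -i "$work/ps"; rm -rf "$work" "$work.base"
}

[ "${1:-}" = "--demo" ] && demo
```

Run `sh immutable-demo.sh --demo` as root to see the swap and the detection side by side. The baseline file (and `sha256sum` itself) must live somewhere the attacker cannot reach, such as read-only media, or it gets replaced along with the binaries; and, as the footnote in the post says, once the kernel is lying to userland this check is subverted too, since `sha256sum` only sees what the kernel hands it.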
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:20 EDT