17.3 Detecting Deleted Executables

A cracker certainly does not want you to have a copy of his Trojan horse. Besides wanting to keep his techniques secret, it would be evidence that might get him a job at the license tag factory, and it might even contain the IP address of the system he is working from. A common technique a cracker uses to prevent your "capturing" an executable is simply to remove it from disk once it is running. As will be discussed in "Finding the Cracker's Running Processes" on page 672, removing the file does not terminate the already running process: the kernel keeps the unlinked inode alive for as long as the process's text is mapped from it, and only frees it when the last reference goes away.

Starting with the 2.2 kernel, /proc/PID/exe is a symbolic link to the executable the process was started from. Better still, if that file has since been removed from the file system, the kernel appends " (deleted)" to the link target. This example shows what such a deleted executable looks like.

 
 $ file /proc/519/exe
 /proc/519/exe: broken symbolic link to /home/mr_ed/foo (deleted)

The following command may be invoked periodically, possibly from cron, to detect any instances of this. It must run as root to be able to read every process's exe link; as an unprivileged user you will only see your own processes.

 
 # file /proc/[0-9]*/exe | grep '(deleted)'
 /proc/519/exe: broken symbolic link to /home/mr_ed/foo (deleted)

A very useful feature of the kernel is that this symbolic link in /proc can still be opened for reading even though the original file has been removed; the link refers to the unlinked inode, not to the path name. Do it while the process is still running, though: once the process exits, the last reference to the unlinked file is dropped and the image is gone for good. This allows you to make a copy of the file for analysis as simply as

 
 # cp /proc/519/exe /home/samspade/del_cracker

You could even make copies of these automatically via the following script, which I call getdel.csh; it is on the CD-ROM. It uses dd instead of cp simply because dd is not as well known and so is less likely to have been replaced by a cracker's trojaned copy. That is a thin defense, since dd and cp ship together and a rootkit can replace either just as easily; on a system you already suspect, run these commands from known-good, statically linked binaries on read-only media rather than from /bin.

 
 #!/bin/csh -f
 # Detect and copy running executables deleted from disk.
 # DANGER: this program must run as root to capture all
 # data but if it finds something root *may* be compromised.
 # Optionally kills the program.
 # Requires kernel 2.2 or newer.
 #
 # Copyright 2001 Bob Toxen.  All rights reserved.
 # This program may be used under the terms of the
 # GNU GENERAL PUBLIC LICENSE Version 2.
 #
 # Offered as is with no warranty of any kind.
 set savdir=/home/samspade/delexe_dir
 set emailaddr=samspade@pentacorp.com
 set g='(deleted)'
 # sed expression: reduce "/proc/519/exe: ..." to the bare PID "519"
 set s='s,/proc/\([0-9][0-9]*\).*,\1,'
 # p becomes the list of PIDs whose executable has been unlinked
 set p=(`file /proc/[0-9]*/exe|grep "$g"|sed "$s"`)
 # captured binaries are readable by root only
 umask 077
 foreach i ( $p )
   if ( ! -f $savdir/$i ) then
          echo /bin/dd if=/proc/$i/exe of=$savdir/$i
          echo /bin/dd if=/proc/$i/exe of=$savdir/$i | \
            /bin/mail -s 'Del EXE' $emailaddr
          /bin/dd if=/proc/$i/exe of=$savdir/$i >&! /dev/null
          /bin/ls -l /proc/$i/exe >&! $savdir/$i.ls
 # Uncomment next line to kill it automatically
 #        /bin/kill -9 $i
   else
          echo already captured /proc/$i/exe
   endif
 end
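The same detect-and-capture loop, as an added example that is not the book's getdel.csh and not on its CD-ROM: a POSIX sh version that reads each exe link with readlink and matches the kernel's " (deleted)" suffix directly, rather than parsing the output of `file` (whose wording varies between versions), records the original path beside each captured image, and refuses to overwrite a PID it has already captured. The /proc root is a parameter so the functions can be exercised against a constructed fake tree (`make_fake_proc`, which imitates the kernel's suffix with a file literally named "foo (deleted)"); on a live system the root is /proc and, as the book warns, the script must run as root. It assumes GNU coreutils `readlink`, `dd` and `mktemp`.

```bash
#!/bin/sh
# Added example, not from the book: POSIX sh version of the getdel.csh idea.

# Print "PID<TAB>target" for every process whose exe link carries the
# " (deleted)" suffix the kernel appends once the file has been unlinked.
find_deleted_exes() {
    procroot=${1:-/proc}
    for d in "$procroot"/[0-9]*; do
        [ -L "$d/exe" ] || continue            # kernel threads have no exe link
        target=$(readlink "$d/exe") || continue # process may have exited meanwhile
        case $target in
            *' (deleted)') printf '%s\t%s\n' "${d##*/}" "$target" ;;
        esac
    done
}

# Copy each deleted image to SAVDIR/PID (the link still reads while the
# process lives) and record its original path in SAVDIR/PID.target.
# Prints the PID of each newly captured image; status goes to stderr.
# Like the book's script this keys on PID, so a reused PID is treated as
# "already captured"; compare the .target files if that matters to you.
capture_deleted_exes() {
    procroot=${1:-/proc}
    savdir=${2:?save directory required}
    umask 077                                   # root-only copies
    mkdir -p "$savdir" || return 1
    for pid in $(find_deleted_exes "$procroot" | cut -f1); do
        if [ -f "$savdir/$pid" ]; then
            echo "already captured $procroot/$pid/exe" >&2
            continue
        fi
        if dd if="$procroot/$pid/exe" of="$savdir/$pid" 2>/dev/null; then
            readlink "$procroot/$pid/exe" > "$savdir/$pid.target"
            echo "captured $procroot/$pid/exe -> $savdir/$pid" >&2
            echo "$pid"
        else
            rm -f "$savdir/$pid"                # do not leave a truncated copy
            echo "could not read $procroot/$pid/exe (process gone?)" >&2
        fi
    done
}

# Constructed fixture (not a real /proc): PID 1 is a live process whose
# binary still exists, PID 77 is a kernel thread with no exe link, PID 519
# runs from an image that has been unlinked. The kernel's suffix is
# imitated by a file literally named "foo (deleted)", which also keeps the
# link readable, as the real one is. Prints the fixture root.
make_fake_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/proc/1" "$root/proc/77" "$root/proc/519" "$root/proc/self"
    printf '#!/bin/sh\necho hello from a deleted binary\n' > "$root/foo (deleted)"
    ln -s /bin/sh "$root/proc/1/exe"
    ln -s "$root/foo (deleted)" "$root/proc/519/exe"
    echo "$root"
}

# "sh getdel.sh demo" exercises the fixture; "sh getdel.sh live" (as root)
# scans the real /proc into /root/delexe_dir. No argument: just define.
case ${1:-} in
    demo) r=$(make_fake_proc) && capture_deleted_exes "$r/proc" "$r/save" && rm -rf "$r" ;;
    live) capture_deleted_exes /proc /root/delexe_dir ;;
esac
```

Run it from cron the same way as getdel.csh; since only newly captured PIDs reach stdout, cron's mail tells you exactly when something new turned up, and the .target file preserves the path the cracker used.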



    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260