19.14 Finding set-UID Programs

Many crackers will leave behind back doors, so that they may get back into your system more easily. The least sophisticated and most detectable way is to leave behind a set-UID program. This simply is a program owned by root with the set-UID bit set. This can be done by a cracker operating as root in only 10 seconds via

 
 cp /bin/sh /tmp/.foo chmod 4755 /tmp/.foo 

Is this an effective strategy? How recently have you scanned for set-UID programs? You can (and should) detect if this has been done with a simple compare command:

 
 ls -l /bin/sh /tmp/.foo cmp /bin/sh /tmp/.foo 

A cracker can prevent this by adding the command

 
 date >> /tmp/.foo 

This changes the file size, so the size alone no longer reveals that sh was copied. The cmp program will still report when one file is identical to the first part of the other (it reports EOF on the shorter file rather than a differing byte). Still, you need to know which file to compare against, which is a guessing game. A cracker can avoid this detection simply by writing their own program that executes a shell; it will be completely different from any of your programs. They could also install the Trojan in an existing program.

To find set-UID and set-GID programs, issue the following command (current GNU find no longer accepts the `+6000` form and spells the same test `-perm /6000`):

    find / -perm +6000 -print
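The same sweep as a small audit script, added here as an example and not code from the book: it enumerates set-UID/set-GID regular files under a root and flags any whose bytes begin with the full contents of a known shell, which is the prefix test cmp performs and so still catches a copy padded with `date >>`. All names (find_setid_files, is_copy_of, audit, demo) are assumptions, and the fixture in demo() is constructed; on a real host you would call `audit("/", ["/bin/sh", "/bin/bash"])` as root.

```python
import os
import stat
import tempfile

def find_setid_files(root):
    """Regular files under root (symlinks not followed) with the set-UID or set-GID bit set."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)

def is_copy_of(candidate, reference):
    """True if candidate starts with the whole of reference: what cmp reports when one
    file is a prefix of the other, so bytes appended to the copy do not hide it."""
    with open(reference, "rb") as f:
        ref = f.read()
    with open(candidate, "rb") as f:
        return bool(ref) and f.read(len(ref)) == ref

def audit(root, known_shells):
    """Map each set-id file under root to the known shell it is a copy of, or None."""
    return {p: next((s for s in known_shells if is_copy_of(p, s)), None)
            for p in find_setid_files(root)}

def _put(path, data, mode=0o644):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed fixture: a fake sh, a set-UID copy of it with a date line appended
    (the trick from the text), and an unrelated set-UID binary. Paths are returned relative."""
    with tempfile.TemporaryDirectory() as tmp:
        shell = b"\x7fELF fake shell bytes"  # stand-in for the real /bin/sh
        sh = os.path.join(tmp, "sh")
        _put(sh, shell)
        os.mkdir(os.path.join(tmp, "tmp"))
        backdoor = os.path.join(tmp, "tmp", ".foo")
        _put(backdoor, shell + b"\nMon Jan  1 00:00:00 UTC 2024\n", 0o4755)  # date >> /tmp/.foo
        _put(os.path.join(tmp, "passwd"), b"\x7fELF some other program", 0o4755)
        return {os.path.relpath(p, tmp): m and os.path.relpath(m, tmp)
                for p, m in audit(tmp, [sh]).items()}
```

The padded copy is reported as a copy of sh while the unrelated set-UID binary is listed with no match, so the size trick does not defeat the check; a program the intruder compiled themselves would still show up only as an unexplained set-UID file.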

    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260