Not Making Tracks


If the hacker plans to consume resources that your system possesses, he will try to become invisible, so he can stay undetected on your system and use the system at his discretion. The resources the hacker wants to access could be the strategic location of the system on the network for network snooping, or it could simply be one more CPU on which to collect and analyze data.

This can be accomplished by connecting with a method that does not leave evidence of the connection, or by leaving evidence that would misdirect anyone to the source of the connection, or by removing the evidence after the fact. A hacker's success at connection hiding is dependent on both the hacker's knowledge and skill and the skill and knowledge of the system administrator.

Anonymous Connections

Anonymous connections allow access to systems without providing an identity for the connection. These connections can be logged, which can indicate the source location of the connection and the activities performed while connected, but the tracks left by hackers via anonymous connections are often of limited value. Hackers will often use an intermediary site to hide the actual origin of the connection. Anonymous services usually provide only specific, limited services and are widely utilized externally, so any specific instance will be buried among an overwhelming amount of legitimate use. The volume of use of an anonymous service, and thereby the size of the logs, often leads organizations to log an anonymous service minimally or not at all.

Stealth Connections

Most of the connection monitoring and reporting programs use accounting log files: /etc/utmp for currently logged on users, /etc/wtmp for historic logins, and /etc/btmp for bad login attempts on those systems that support the btmp file. There are a few ways to connect to a system and avoid this logging environment, thus leaving very little evidence.

The first is to use the noninteractive C shell. A noninteractive shell is a shell that does not have a tty device attached to it. It is generally used to run background jobs, although it can be used to run foreground jobs. However, since it does not have a tty, it cannot run processes that require tty control, like editors and other screen-based applications. It is invoked with the command csh -i. Since it does not associate a tty, it does not create an entry in the utmp log file.

Another method is to execute the xterm program with the utmpInhibit resource set to TRUE. This can be done with the -ut command-line option or by setting the X resource to TRUE in either the system-wide X resources file or your local X resources file, usually .Xdefaults. These options exist to simplify the connection information from users on X terminals. Generally, the login process from the X terminal will create an entry in the utmp log file and then, without the utmpInhibit option, each xterm window creates another "user" on the system, causing a misrepresentation in reporting information and licensing problems on some systems.

These methods only hide the connection to the system. Anything that is run on that system is open to monitoring while the process is executing or logging when the process has completed.

For the system manager to overcome this approach, all connections to a system should be logged through appropriate auditing procedures. All programs that create an interactive shell should be audited. As for network connections, the network sockets should be logged and the daemons that use the sockets should be audited. The socket log will indicate from where the system receives connections, while the daemon audit trail will indicate the activities of the service that was using the socket. It may be worthwhile to invoke some countermeasures to determine the origins of the connections.
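The countermeasure described above amounts to cross-checking two sources that a stealth connection leaves in disagreement: the process table (which a running shell cannot avoid) and the utmp accounting that the shell has avoided. The following is an added example, not code from the book, that performs that cross-check. It assumes the column layout of `who` and of `ps -eo pid,tty,user,comm` on a Linux system; the sample `who` and `ps` listings embedded in it are constructed for the example.

```python
import subprocess

# Shell names worth flagging when they run without a controlling tty.
SHELLS = {"sh", "csh", "tcsh", "ksh", "bash", "zsh"}
# How ps prints "no controlling tty" on Linux ("?"), BSD/macOS ("??") and some others ("-").
NO_TTY = {"?", "??", "-"}

# Constructed sample output, shaped like `who` and `ps -eo pid,tty,user,comm`.
# utmp knows only about alice on pts/0; the process table tells a longer story.
SAMPLE_WHO = """\
alice    pts/0        2024-01-01 09:00 (10.0.0.5)
"""
SAMPLE_PS = """\
  PID TT       USER     COMMAND
    1 ?        root     init
  412 ?        root     sshd
  950 pts/0    alice    bash
  951 pts/0    alice    vim
 1203 ?        daemon   csh
 1310 pts/2    bob      sh
 1311 pts/2    bob      cat
"""


def parse_who(text):
    """Return the set of tty lines that utmp claims are currently logged in."""
    lines = set()
    for row in text.splitlines():
        parts = row.split()
        if len(parts) >= 2:
            lines.add(parts[1])          # second column of `who` is the line (tty)
    return lines


def parse_ps(text):
    """Parse `ps -eo pid,tty,user,comm` output (header line skipped)."""
    procs = []
    for row in text.splitlines()[1:]:
        parts = row.split(None, 3)
        if len(parts) == 4:
            pid, tty, user, comm = parts
            procs.append({"pid": int(pid), "tty": tty, "user": user, "comm": comm})
    return procs


def find_unlogged_sessions(who_text, ps_text):
    """Return (pid, reason) pairs for processes that utmp does not account for.

    Two signatures are checked:
      * an interactive shell with no controlling tty, which is exactly what a
        `csh -i` started over a remote command looks like (no utmp entry possible);
      * a process attached to a tty for which utmp has no session, which is what
        an xterm with utmpInhibit, or an edited utmp, leaves behind.
    """
    logged = parse_who(who_text)
    findings = []
    for p in parse_ps(ps_text):
        if p["comm"] in SHELLS and p["tty"] in NO_TTY:
            findings.append((p["pid"], f"{p['user']} runs {p['comm']} with no controlling tty"))
        elif p["tty"] not in NO_TTY and p["tty"] not in logged:
            findings.append((p["pid"], f"{p['user']} on {p['tty']} but utmp has no session for that line"))
    return findings


def live_check():
    """Run the same comparison against the local system (requires who and ps)."""
    who = subprocess.run(["who"], capture_output=True, text=True).stdout
    ps = subprocess.run(["ps", "-eo", "pid,tty,user,comm"], capture_output=True, text=True).stdout
    return find_unlogged_sessions(who, ps)


if __name__ == "__main__":
    for pid, reason in find_unlogged_sessions(SAMPLE_WHO, SAMPLE_PS):
        print(f"pid {pid}: {reason}")
```

On the sample data the check reports the tty-less csh (pid 1203) and both of bob's processes on pts/2, for which utmp has no session. On a real host, shells started by cron or by init scripts also run without a tty, so a production version should allowlist by parent process rather than treat every tty-less shell as hostile; and note that modern Linux keeps the accounting files at /var/run/utmp and /var/log/wtmp rather than under /etc.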

Connection Hiding

Connection hiding is the process of keeping the system from reporting the connection. Connection hiding requires the insertion of tools (software) which either keep the connection from being logged or prevent the connection from being reported. These can be in the form of libraries which have been altered to do this or "Trojan" utilities which perform as the utility they replace but without reporting the hacker's activities. Many hacker toolkits include versions of system utilities that do not report the hacker's presence.

Another method is to alter the information in the utmp log so that the standard commands that report connection information will report incorrect information. This file can be altered to show a connection by someone else or to show no connection at all.

The hacker software "uthide," which is available on the included CD-ROM, removes all references to the given user ID from the /etc/wtmp file, effectively hiding the user's connections. This is, of course, not the only log file which can be recording these actions. However, it does illustrate how simple it is to remove tracks from logs.

However, the process of altering this log with uthide, under close examination, will reveal that someone was logged on to the system and that the utmp file has been altered. The log will not indicate who it was that was logged on or who altered the system log.
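The "close examination" that the paragraph above refers to can be automated: wtmp is a sequence of fixed-size binary records, and deleting the records that name one user leaves structural traces that survive the deletion. The following is an added example (not the book's uthide, and not code from the book) that parses a wtmp file and reports those traces. It assumes the 384-byte glibc `struct utmp` layout used by Linux on x86_64; check `/usr/include/bits/utmp.h` on your own system before trusting the format string. The records it scans are constructed in the example itself.

```python
import struct
import sys

# Assumed Linux/glibc struct utmp layout (384 bytes per record):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused[20].
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record; used only to construct sample data for this example."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_records(data):
    """Decode every complete record; a trailing partial record is ignored here
    and reported separately by scan_wtmp."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace"),
                     "host": f[5].rstrip(b"\0").decode(errors="replace"),
                     "time": f[9]})
    return recs


def scan_wtmp(data):
    """Return a list of human-readable findings that indicate the file was edited."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(f"file size {len(data)} is not a multiple of {UTMP_SIZE}: "
                        "truncated or partially overwritten")
    open_sessions = {}        # line -> (user, pid) for logins not yet logged out
    last_time = 0
    for i, r in enumerate(parse_records(data)):
        # Records are appended in time order; a step backwards means the file
        # was rewritten rather than appended to.
        if r["time"] < last_time:
            findings.append(f"record {i}: timestamp {r['time']} earlier than previous "
                            f"{last_time}: records reordered or rewritten")
        last_time = max(last_time, r["time"])
        if r["type"] == USER_PROCESS:
            if r["line"] in open_sessions:
                prev_user, prev_pid = open_sessions[r["line"]]
                findings.append(f"record {i}: login on {r['line']} while {prev_user} "
                                f"(pid {prev_pid}) never logged out: logout record removed")
            open_sessions[r["line"]] = (r["user"], r["pid"])
        elif r["type"] == DEAD_PROCESS:
            # Logout records carry an empty user name, so a tool that deletes
            # every record naming a user leaves the logout behind as an orphan.
            if r["line"] not in open_sessions:
                findings.append(f"record {i}: logout on {r['line']} (pid {r['pid']}) "
                                "with no preceding login: login record removed")
            else:
                open_sessions.pop(r["line"])
    return findings


def build_sample(wipe_user=None):
    """Constructed wtmp: a boot, then alice and bob each log in and out.
    wipe_user mimics a username-keyed wipe by dropping every record naming that user."""
    recs = [
        make_record(BOOT_TIME, 0, "~", "reboot", "", 1000),
        make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1010),
        make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1100),
        make_record(USER_PROCESS, 1002, "pts/1", "bob", "10.0.0.9", 1200),
        make_record(DEAD_PROCESS, 1002, "pts/1", "", "", 1300),
    ]
    return b"".join(r for r in recs if wipe_user is None or wipe_user.encode() not in r)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(wipe_user="bob")
    for finding in scan_wtmp(data) or ["no anomalies found"]:
        print(finding)
```

Run with a path to scan a real file (`python3 wtmpcheck.py /var/log/wtmp`); without arguments it scans the constructed sample with bob's records wiped and reports the orphaned logout on pts/1. Exactly as the paragraph above says, the scan shows that someone was logged on and that the file was altered, but not who: the user name lived only in the record that was removed.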

Process Hiding

Process hiding is the process of using system resources without leaving records of that use. How a process is started will alter how it is reported. The reporting commands may have a limited command length and will truncate the options and parameters passed to the command beyond this limit. A system administrator needs to understand how his auditing reports the commands and whether there are any limitations to these commands.

The information about what is currently running on your system is available through the ps command. This command gets its information from reading the structures directly from memory.

You also need to be aware that the way a command is issued will affect the amount of information that is visible in the process status. If the command is invoked with a parameter, the command and the parameters will appear on the process status list. However, if the input is redirected into the command, only the command will appear on the process status list. For example, running the command

 cat /etc/passwd

will be seen with the ps command as

 cat /etc/passwd

where the command

 cat < /etc/passwd

will be seen as

 cat

Even though each of these commands does the same thing, using redirection will report less information.

A skilled hacker understands this and is very careful to keep his activities secret. He will also understand that "exec"ing a child process will replace the parent process in the process table with the child process, thereby removing the parent process from the system. So "exec"ing a shell over a setUID program will disguise the fact that it is running with an effective UID of 0.

Hackers will also name their hacking tools something that does not look threatening, or give them the same name as a standard UNIX command, so that if a tool is seen running, no one will think twice about it.

Some hackers will install a modified version of the process status command, ps, that will not report the processes that are being run by the hacker's purloined account. The system manager should monitor the attributes of the executable programs on the system to detect programs that have been changed.
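The monitoring the paragraph above recommends is a file-integrity baseline: record the hash and attributes of the reporting commands while the system is known good, then compare on a schedule. The following is an added example, not code from the book, of such a baseline and comparison. The demonstration function works on a file it constructs in a temporary directory rather than on a real ps binary; the list of system binaries in `main` is an assumed starting point, not a list from the book.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Attributes worth baselining for a system binary. The hash is the one
    attribute a replacement cannot restore; mode, owner and mtime are cheap
    extras that catch careless replacements."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(paths):
    """Fingerprint every existing path; store the result off-host or on
    read-only media, since an intruder with root can rewrite a local baseline."""
    return {p: fingerprint(p) for p in paths if os.path.exists(p)}


def compare(baseline, paths):
    """Return {path: [changed attribute names]} for anything that differs."""
    changes = {}
    for p in paths:
        if p not in baseline:
            changes[p] = ["not in baseline"]
        elif not os.path.exists(p):
            changes[p] = ["missing"]
        else:
            now = fingerprint(p)
            diffs = [k for k in baseline[p] if baseline[p][k] != now[k]]
            if diffs:
                changes[p] = diffs
    return changes


def demo():
    """Constructed demonstration: a binary is replaced and its timestamp put
    back, the way a trojaned ps is typically installed. Returns the changes."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "ps")
        with open(p, "wb") as f:
            f.write(b"original ps binary")
        os.chmod(p, 0o755)
        os.utime(p, (1_700_000_000, 1_700_000_000))
        base = build_baseline([p])
        with open(p, "wb") as f:
            f.write(b"trojaned ps binary that hides processes")
        os.chmod(p, 0o755)
        os.utime(p, (1_700_000_000, 1_700_000_000))   # timestamp restored by the intruder
        return {os.path.basename(k): v for k, v in compare(base, [p]).items()}


def main():
    # Assumed starting list; extend it with every reporting and login command
    # your system uses (who, w, last, netstat, ls, find, login, ...).
    watched = ["/bin/ps", "/bin/ls", "/bin/login", "/usr/bin/who", "/usr/bin/last"]
    baseline_file = "baseline.json"
    if os.path.exists(baseline_file):
        with open(baseline_file) as f:
            baseline = json.load(f)
        for path, diffs in compare(baseline, watched).items():
            print(f"{path}: changed {', '.join(diffs)}")
    else:
        with open(baseline_file, "w") as f:
            json.dump(build_baseline(watched), f, indent=1)
        print(f"baseline written to {baseline_file}")


if __name__ == "__main__":
    print(demo())
    main()
```

In the demonstration the mode, owner and mtime all match the baseline after the replacement; only the sha256 and size give the substitution away, which is why the comparison must hash the file rather than trust the attributes `ls -l` shows.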

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210