Message-ID: <3E4DD348.626BA13E@mindspring.com>
Date: Fri, 14 Feb 2003 21:42:32 -0800
From: Terry Lambert <tlambert2@mindspring.com>
To: pura life CR
Cc: freebsd-chat@freebsd.org
Subject: Re: Processes hiding techniques.

pura life CR wrote:
> Hi, I would like to know what the current process hiding techniques are that
> can be used in FreeBSD by an intruder. I would like to know this for
> learning how to deal with this situation when I become a FreeBSD admin.

The same techniques as for any UNIX system.

> For example, a user wants to run nmap or password cracking or an irc bot;
> what can he do to hide the process so that the admin, when performing a
> ps -ax, is not able to look at the process?

Replace the "ps" program, is the obvious one.

The easy fix for this is for the admin to mount the directory containing
the binary as read-only. You'd have a hell of a time replacing it then;
you might as well ask how to change the title on a magazine cover after
it's printed. 8-).

If the admin doesn't want to do that, they can use something like
TrustedBSD. Cryptographic checksumming and binary signing will prevent
all command replacement attacks not performed by an insider.

Run their own copy of the OS, and run the copy that's supposed to be
running under vmware. That's pretty easy to spot, too, both by sluggish
performance, console differences, and the fact that your de0 ethernet
interface just changed names on you. 8-) 8-).

For all the kernel module techniques, where the reported information is
inconsistent with the true state, an admin just needs to bump the
securelevel to 1 or 2, and it stops the attacker cold, unless they have
physical access to the machine.

A smart admin will still notice signs that the process is running; if
nothing else, they will notice a difference in system responsiveness,
due to the increased load.

In general, if you want to do this, you should buy your own computer.

If you want more information, you should probably subscribe to "bugtraq",
or read it online. Since the attacks used will change over time, this is
not something you can learn once, and be done learning it.

PS: What's the "pua" for?

-- Terry
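The "cryptographic checksumming" defence Terry mentions against a replaced ps, shown as an added example that is not from the thread or from TrustedBSD: build a SHA-256 manifest of a binary directory while the system is known-good, then later compare the live tree against it. The sample directory, file contents and the "trojaned ps" scenario are constructed for the demo; in practice the trusted manifest has to live somewhere the attacker cannot rewrite (offline media or a read-only mount), or it proves nothing.

```python
"""Build and verify a SHA-256 manifest of system binaries (e.g. /bin, /sbin)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the trusted manifest; report drift by category."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "missing": sorted(k for k in trusted if k not in current),
        "unexpected": sorted(k for k in current if k not in trusted),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a stand-in for /bin where 'ps' is later replaced."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in {"ps": b"original ps", "ls": b"original ls"}.items():
            (root / name).write_bytes(body)
        trusted = build_manifest(root)  # taken while known-good; keep it off-host
        (root / "ps").write_bytes(b"trojaned ps")      # the replaced command
        (root / ".hidden").write_bytes(b"dropped helper")  # an extra file
        return verify_manifest(root, trusted)


if __name__ == "__main__":
    print(demo())  # {'modified': ['ps'], 'missing': [], 'unexpected': ['.hidden']}
```

FreeBSD ships mtree(8), which with -K sha256digest produces the same kind of manifest natively; the Python above just makes the check visible end to end.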