Date: Fri, 14 Feb 2003 21:42:32 -0800
From: Terry Lambert <tlambert2@mindspring.com>
To: pura life CR <puralifecr@hotmail.com>
Cc: freebsd-chat@freebsd.org
Subject: Re: Processes hiding techniques.
Message-ID: <3E4DD348.626BA13E@mindspring.com>
References: <F60f2jIvbwwF7pONGR600019116@hotmail.com>
pura life CR wrote:
> Hi, I would like to know what are current processes hiding techniques that
> can be used in FreeBSD for an intruder. I would like to know this for
> learning how to deal with this situation when I become a FreeBSD admin.

The same techniques for any UNIX system.

> For example, a user wants to run a nmap or password cracking or an irc bot,
> what can he do to hide the process so the admin, when performing a ps -ax, is not
> able to look at the process.

Replacing the "ps" program is the obvious one.

The easy fix for this is for the admin to mount the directory
containing the binary as read-only. You'd have a hell of a time
replacing it then; you might as well ask how to change the title
on a magazine cover after it's printed. 8-).

If the admin doesn't want to do that, they can use something like
TrustedBSD. Cryptographic checksumming and binary signing will
prevent all command replacement attacks not performed by an insider.

Run their own copy of the OS, and run the copy that's supposed to
be running under vmware.

That's pretty easy to spot, too, both by sluggish performance,
console differences, and the fact that your de0 ethernet interface
just changed names on you. 8-) 8-).

For all the kernel module techniques, where the reported information
is inconsistent with the true state, an admin just needs to bump the
securelevel to 1 or 2, and it stops the attacker cold, unless they
have physical access to the machine.

A smart admin will still notice signs that the process is running;
if nothing else, they will notice a difference in system
responsiveness, due to the increased load.

In general, if you want to do this, you should buy your own computer.

If you want more information, you should probably subscribe to
"bugtraq", or read it online. Since the attacks used will change
over time, this is not something you can learn once, and be done
learning it.

PS: What's the "pua" for?
-- Terry
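The "cryptographic checksumming" defence Terry describes, shown as a small baseline-and-verify integrity checker. This is an added example, not code from the thread or from TrustedBSD: it records a SHA-256 digest, size and permission bits for every regular file under a directory (for instance the one holding ps(1)), and later reports files that were modified, removed or added. The `demo()` function builds a throwaway directory with constructed sample files so the script runs offline; the baseline file itself should live on read-only media or off the host, since a baseline an intruder can rewrite proves nothing.

```python
"""Baseline/verify file integrity checker (added example, not from the thread)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest, size and mode.

    Symlinks are skipped: their target could be swapped without the link changing.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid bits
            }
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a saved baseline.

    Returns sorted lists of modified, missing and added paths; an empty result
    means every recorded file still has the same digest, size and mode.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this copy somewhere the host cannot alter it."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline two fake binaries, then trojan one, delete one, add one."""
    root = tempfile.mkdtemp()
    for name, data in (("ps", b"original ps"), ("ls", b"original ls")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)
    clean = verify(root, baseline)          # nothing changed yet
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"replaced ps")             # simulated command replacement
    os.remove(os.path.join(root, "ls"))
    with open(os.path.join(root, "sh"), "wb") as f:
        f.write(b"unexpected new file")
    return clean, verify(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

For real use, run `build_baseline` on the freshly installed system, store the JSON with `save_baseline` on read-only media, and schedule `verify` from a trusted host or boot medium; a verifier that runs on the same box under an attacker's kernel module can be lied to about what it reads, which is exactly why Terry pairs checksumming with a raised securelevel.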