These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Executing Stealth Commands


One of the tricks of the crafty cracker (or even the crafty administrator) is issuing stealth commands. What is a stealth command?

A stealth command is any command which is intended to mask the activity of the user. There are numerous ways to do this, but the three craftiest are as follows:

1. Renaming Commands

By renaming a command, anyone issuing a ps or a w will not easily be able to identify it. For example, if I were running john (the password cracker from this morning), it would be much harder to spot if the binary had been renamed to ls.

We won't spend much time on this now, but we will return to it later in the course.

2. Renaming Command Lines

Every UNIX process is started with an argument vector (argv, in C terms) holding the command line it was called with. For example:
 $ ls -la /home/foo

has the argument array:

 argv[1] = "-la"
 argv[2] = "/home/foo"

This array not only tells the program what to do, it is also what the system reports when you ask what is running: ps reads it back out of the process's own memory (on Linux through /proc/PID/cmdline).

Well, if you've ever programmed before, you may be wondering: what is element (0) of this array? argv[0] is the name the program was invoked by, exactly as the caller supplied it.

This is a trick some programmers use to provide multiple interfaces to one program. Several differently named symlinks point at the same binary, and the program looks at argv[0] to see which name it was called by.

Because argv lives in the process's own memory, the program itself can overwrite argv[0] (and the rest of the argument area). So a stealthy (or trojanned) program can mislead you by calling itself something else. For example, the program:

 trojanrabbit

could overwrite its argument area to read

 ls -la /

once it is running, and ps would report it as ls. The kernel, however, does not take the program's word for it: on Linux, /proc/PID/exe still links to the binary that was actually executed, and /proc/PID/comm holds the name the kernel took from that file at exec time. Run ps -o pid,comm,args and the forged arguments appear next to the real command name; a mismatch between the two columns is what to look for.
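The trick and the check together, as an added example written for these notes (it is not code from the original page). It uses bash's `exec -a`, which lets a caller set argv[0] to anything before the exec, to stand in for a program that rewrites its own argv; `sleep` as the hidden program and "ls -la /" as the disguise are assumptions made for the demo, and a Linux /proc is required:

```bash
#!/bin/bash
# Added example (not from the original notes): forge argv[0] the way a
# trojanned program would, then catch it. bash's `exec -a NAME CMD`
# replaces argv[0] before exec, so the kernel starts `sleep` while the
# process's argument memory, which is what ps and /proc/PID/cmdline
# report, claims "ls -la /". The fake name and the choice of `sleep` as
# the hidden program are assumptions for this demo; Linux /proc is needed.

# Start the disguised process and print its PID. Output is redirected so
# the background child does not hold the caller's pipe open.
spawn_spoofed() {
    bash -c 'exec -a "ls -la /" sleep 30' >/dev/null 2>&1 &
    echo $!
}

# Start an honest process for comparison.
spawn_honest() {
    sleep 30 >/dev/null 2>&1 &
    echo $!
}

# argv[0] as ps would display it: the first NUL-terminated field of cmdline.
shown_argv0() {
    tr '\0' '\n' < "/proc/$1/cmdline" | head -n 1
}

# What the kernel really ran: the executable behind /proc/PID/exe and the
# comm name it took from that file's name at exec time (max 15 chars).
real_exe()  { readlink "/proc/$1/exe"; }
real_comm() { cat "/proc/$1/comm"; }

# Poll until the child has finished exec'ing (its comm matches NAME).
wait_for_comm() {
    local pid=$1 name=$2 i
    for i in {1..50}; do
        [ "$(real_comm "$pid" 2>/dev/null)" = "$name" ] && return 0
        sleep 0.1
    done
    return 1
}

# The check: does argv[0] agree with the kernel's comm name?
# Returns 0 when consistent, 1 when the argument area has been forged.
# Benign mismatches exist (login shells show "-bash"; for a script, comm
# is the script name while argv[0] is the interpreter), so treat a hit as
# something to confirm against /proc/PID/exe rather than as proof.
argv0_consistent() {
    local pid=$1 argv0 comm
    argv0=$(shown_argv0 "$pid")
    comm=$(real_comm "$pid")
    argv0=${argv0%% *}             # a forged argv[0] may embed fake options
    argv0=$(basename -- "$argv0")  # argv[0] is often a full path
    [ "${argv0:0:15}" = "$comm" ]
}

# Demo: the forged process and the honest one side by side.
demo() {
    local spoofed honest pid
    spoofed=$(spawn_spoofed)
    honest=$(spawn_honest)
    wait_for_comm "$spoofed" sleep && wait_for_comm "$honest" sleep
    for pid in "$spoofed" "$honest"; do
        printf 'pid %s  shown=%-12s comm=%-6s exe=%s  ' "$pid" \
            "\"$(shown_argv0 "$pid")\"" "$(real_comm "$pid")" "$(real_exe "$pid")"
        if argv0_consistent "$pid"; then echo consistent; else echo FORGED; fi
    done
    kill "$spoofed" "$honest"
}
demo
```

While it runs, compare with ps -o pid,comm,args -p PID: the args column shows the lie, the comm column the truth. A real trojan would overwrite the whole argument area, so the trailing real argument (here the "30" of sleep 30) would vanish as well; the comm and exe entries still give it away.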

3. Hiding Commands Using cat

Finally, you can hide the commands you type using the simplest editor (see UNIX01/The Simplest Editor), cat.

By issuing

 # cat | /bin/sh

you leave only this single line in .bash_history. cat copies whatever you type on its standard input into the pipe, and the /bin/sh on the other end executes it as it arrives. Because that shell is reading its commands from a pipe rather than a terminal, it is non-interactive and keeps no history of its own, so you can type as many commands as you like and none of them are recorded. Your own shell is still waiting on that one pipeline and records nothing further until you end the session with Ctrl-D.

This is a very common way to hide what you are doing. It can be useful to administrators who are trying to fight an online cracker, and it can be abused by said cracker to mask what they are doing.

Always watch for this command line in your .bash_history. If it appears there and you did not type it, treat it as a sign that you have been compromised. Bear in mind what its absence does not tell you: the line is only recorded if the intruder's shell was writing history at all, and an intruder who knows this trick usually also knows to unset HISTFILE or trim the file afterwards, so process accounting or an audit trail kept off the host is the stronger record.

Some people set up cron jobs that periodically grep for this string and e-mail the administrator if it appears in .bash_history. If you do, match the pattern rather than the exact string: cat|sh, cat - | bash and cat | /bin/bash all do the same job.
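The cron job's grep, as an added example (not from the original notes) that matches the variants of the pipe rather than the literal string; the sample history file is constructed for the demo, and the cron schedule, script path and mail recipient in the comment are assumptions:

```bash
#!/bin/bash
# Added example (not from the original notes): the cron-style history
# check, written as a regex rather than a fixed string so the common
# spellings of the trick are all caught. The sample history below is
# constructed for the demo; the cron line and mail recipient are assumed.

# `cat` with no file (or `-`) piped straight into a shell. The leading
# group stops "concat | sh" from matching; the trailing one stops "shell".
STEALTH_RE='(^|[;&|[:space:]])cat([[:space:]]+-)?[[:space:]]*\|[[:space:]]*(/bin/|/usr/bin/)?(sh|bash|dash|ksh|zsh)([[:space:]]|$)'

# Print matching history lines with line numbers (and file names when
# more than one file is given). Exit status follows grep: 0 on a hit.
scan_history() {
    grep -nE "$STEALTH_RE" "$@"
}

# Number of hits across the given files, as a plain integer.
count_hits() {
    scan_history "$@" | wc -l | tr -d '[:space:]'
}

# Constructed sample .bash_history: three stealth lines among decoys.
write_sample_history() {
    cat > "$1" <<'EOF'
ls -la /home/foo
cat /etc/motd
cat | /bin/sh
cat notes.txt | sort
cat|bash
concat | sh
cat - | sh
EOF
}

# What the cron job would run (assumed schedule, path and recipient), e.g.
#   */10 * * * * /usr/local/sbin/histcheck
# where histcheck is this file with the demo below replaced by:
#   hits=$(scan_history /root/.bash_history /home/*/.bash_history 2>/dev/null) \
#       && printf '%s\n' "$hits" | mail -s "cat | sh seen in shell history" root

# Demo on the constructed file.
hist=$(mktemp)
write_sample_history "$hist"
echo "hits: $(count_hits "$hist")"
scan_history "$hist"
rm -f "$hist"
```

On the sample file the scan reports lines 3, 5 and 7 and leaves the two decoys (cat notes.txt | sort, concat | sh) alone. Extend the shell alternation if your system has other shells installed.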


Last edited September 27, 2003 12:28 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.