LinuxSA Mailing list archives

Index: [thread] [date] [subject] [author] [stats]
  From: Ant <fineales@ozemail.com.au>
  To  : James Leone <linuxcpa@netscape.net>
  Date: 17 Apr 2003 13:12:40 +0930

Re: Honeypots get stickier??

On Thu, 2003-04-17 at 02:33, James Leone wrote:
> I also had another idea...hardware related to rooting.  Is there a way 
> to embed commonly "rooted" applications in embedded firmware so that 
> commonly rooted applications such as sudo cannot be overwritten with a 
> trojaned version?

Yes, there is a file attribute called immutable which is set by chattr.
ext2 or 3 only?

EG:

[ant@ant ant]$ touch test   // create the file
[ant@ant ant]$ lsattr test  // check attributes
-------------- test         // no attributes
[ant@ant ant]$ rm test      // kill it
[ant@ant ant]$ ls test      
ls: test: No such file or directory  // gone! (normal)
[ant@ant ant]$ touch test   // create another
[ant@ant ant]$ chattr +i test  // set immutable flag
chattr: Operation not permitted while setting flags on test  // not r00t
[ant@ant ant]$ su   
Password:
[root@ant ant]# chattr +i test  // set immutable flag
[root@ant ant]# ls -al test     // root or ant could delete or modify 
-rw-rw-r--    1 ant      ant             0 Apr 17 13:05 test
[root@ant ant]# lsattr test    
---i---------- test             // immutable flag
[root@ant ant]# rm test
rm: remove write-protected regular empty file `test'? y
rm: cannot remove `test': Operation not permitted    // no-go!

I used to set this flag on /bin/* /sbin/* /usr/bin/* /usr/sbin/*
/usr/local/bin/* /usr/local/sbin/*

This meant that any generic exploit that patches system binaries would
fail. Instead the hacker would have to guess it was the immutable flag
and modify the exploit to break the system, then un-immutable the
attributes then patch the file. This is still possible, but it gets
harder with each extra level you add. I doubt most script kiddies would
know about this one.

Ant


-- 
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
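An added example, not part of Ant's post: a small POSIX sh audit that takes `lsattr` output (as produced by something like `lsattr /bin/* /sbin/* /usr/bin/* /usr/sbin/*`) and reports which binaries do not yet carry the `i` flag, then emits the `chattr +i` commands needed to close the gap. It runs offline against a constructed sample of `lsattr` lines (`SAMPLE` below is made up for the demo) and does not touch the filesystem; applying the generated commands requires root, because setting or clearing the immutable flag needs CAP_LINUX_IMMUTABLE. Two caveats the post touches on: any attacker who already has root (and that capability) can run `chattr -i`, so this raises the bar rather than blocking a patch outright, and package upgrades will fail on immutable binaries until the flag is removed. The attribute is supported by ext2/3/4 and by several other Linux filesystems such as XFS and Btrfs.

```shell
#!/bin/sh
# Audit helper for the chattr +i hardening described in the post.
# lsattr prints one line per file: "<attrs> <path>", where <attrs> is a
# fixed-width run of flag letters and dashes (e.g. "----i--------e-------").
# Error lines begin with "lsattr:" and are skipped.

# missing_immutable: read lsattr lines on stdin, print each path that
# does not have the immutable ('i') flag set.
missing_immutable() {
    while IFS= read -r line; do
        case "$line" in
            ''|lsattr:*) continue ;;        # blank or lsattr error line
        esac
        attrs=${line%% *}                   # text before the first space
        path=${line#* }                     # everything after it (keeps spaces)
        case "$attrs" in
            *i*) ;;                         # already immutable, nothing to do
            *)   printf '%s\n' "$path" ;;
        esac
    done
}

# chattr_plan: turn lsattr output on stdin into shell commands that set +i
# on every unprotected path. Paths are single-quoted, with embedded single
# quotes escaped as '\'' so the output is safe to feed back to sh as root.
chattr_plan() {
    missing_immutable | while IFS= read -r p; do
        esc=$(printf '%s' "$p" | sed "s/'/'\\\\''/g")
        printf "chattr +i -- '%s'\n" "$esc"
    done
}

# Constructed sample of lsattr output (not captured from a real host):
# two files already immutable, two not, plus one lsattr error line.
SAMPLE='----i--------e------- /bin/su
-------------e------- /bin/ls
----i--------e------- /usr/bin/sudo
-------------e------- /sbin/init
lsattr: Inappropriate ioctl for device While reading flags on /bin/foo'

# Stand-alone demo: print the commands that would be needed.
printf '%s\n' "$SAMPLE" | chattr_plan
```

On a live system you would run `lsattr /bin/* /sbin/* /usr/bin/* /usr/sbin/* 2>/dev/null | chattr_plan` as root, review the list, and then pipe it to `sh`. Re-running the audit after each package upgrade shows which replaced binaries have lost the flag.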

