Attacking Linux, Part 2

By Rick Moen, ITworld |  News

However, regardless of whether your attacker entered via the front or
back door, his next priority after gaining root access is to cover his
tracks, so that the administrator neither notices his presence nor
locks him out. He does that by sabotaging the system logs and process
accounting, disabling any security-monitoring software, and installing
trojan horse (trojaned) software to conceal his activities, gather
additional intelligence, and create back doors in case he needs
another way in.

The trojaned software usually includes replacement binaries for the
genuine login, netstat, ps, ifconfig, du, df, ls, top, syslogd, tcpd,
locate, and various servers run by the inetd superserver. Each
replacement behaves like the original except that it omits whatever
belongs to the attacker: ps and top drop his processes, netstat drops
his listening ports, ifconfig hides the PROMISC flag on an interface he
is sniffing with, ls, du, df and locate hide his files and the space
they occupy, and login and syslogd let him in without the event reaching
the logs. The aim is to make the attacker's tools, logs, and processes
invisible to the legitimate root user, who is relying on exactly these
programs to look for them.
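One consequence of trojaned ps and top is that the kernel still knows about every process even when the tools refuse to show them. The script below, an added example rather than code from the article, compares the process list the kernel exposes under /proc with what the ps binary reports and names any process that exists in the first but not the second. The helper names (hidden_pids, check_hidden_processes) are this example's own. It assumes a Linux host with procfs mounted at /proc; a kernel-level rootkit that hides /proc entries as well is out of scope and defeats the check.

```shell
#!/bin/sh
# Added example, not code from the original article: compare the kernel's
# own process list (/proc) with what the ps binary reports. A trojaned ps
# that filters out the attacker's processes leaves a discrepancy that this
# exposes. Assumes Linux with procfs at /proc; a kernel rootkit that also
# hides /proc entries defeats it.

# hidden_pids PROC_PIDS PS_PIDS
#   Both arguments are whitespace-separated PID lists. Prints, one per
#   line, each PID in PROC_PIDS that does not appear in PS_PIDS.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        found=0
        for p in $ps_list; do
            if [ "$p" = "$pid" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$pid"
        fi
    done
    return 0
}

# PIDs as the kernel exposes them: one directory per process under /proc.
proc_pids_live() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s ' "${d#/proc/}"
    done
    return 0
}

# PIDs as the (possibly trojaned) ps binary reports them.
ps_pids_live() {
    ps -e -o pid= | tr '\n' ' '
}

# Report processes present in /proc but missing from ps. Processes start
# and exit between the two snapshots, so /proc is read first and every
# candidate is re-checked afterwards: a PID that has already vanished was
# a race, not a hidden process.
check_hidden_processes() {
    if [ ! -d /proc/self ]; then
        echo "procfs not available; skipping live check" >&2
        return 0
    fi
    proc_snapshot=$(proc_pids_live)
    ps_snapshot=$(ps_pids_live)
    for pid in $(hidden_pids "$proc_snapshot" "$ps_snapshot"); do
        if [ -r "/proc/$pid/status" ]; then
            name=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status")
            echo "PID $pid ($name) is in /proc but not reported by ps"
        fi
    done
    return 0
}

check_hidden_processes
```

Run it from a copy of the shell you trust, not the one on the compromised box, and treat any hit as a lead to investigate, not proof by itself. The same idea applies to the other replaced tools: compare netstat against /proc/net/tcp, and verify the binaries themselves against the package manager's recorded checksums (rpm -Va, debsums) copied from a known-good system.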

And tomorrow the world!
Some of those processes will be spy programs, capturing the login
information that local users type when they connect to remote systems
elsewhere. Those credentials are logged and conveyed back to the
attacker, giving him new targets. Some may be network sniffers,
monitoring the traffic passing nearby, to or from other machines on the
same network segment, and likewise capturing private information for
the bad guys. Those work by putting your network interface into
promiscuous mode, in which the interface stops discarding frames
addressed to other machines and hands every frame it sees to the
sniffer; on a shared (hubbed) segment that is all of the neighbours'
traffic. Some may be clandestine network services, such as
file-swapping, that are useful to the attacker and his friends. Most
distressing of all, some may be carrying out attacks on other systems.
The older variety of those flooded distant machines with either normal
or deliberately malformed network traffic (ping, ping of death, smurf,
SYN flooding, teardrop, land, bonk) as a denial of service (DoS)
attack. Then, starting last year, the more organized distributed DoS
(DDoS) tools (trinoo, Tribe Flood Network, stacheldraht, Trank, and so
on) came to sudden public attention when they were used to overwhelm
popular Internet sites. The third-party, subverted machines (zombies)
used to carry out those attacks appear to have been university
machines, favored for their lax security and high Internet bandwidth,
but your Linux hosts could be the attackers' next tools.
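A sniffer's promiscuous interface is one of the few traces an attacker cannot fully erase from the running kernel, which is why rootkits trojan ifconfig to hide the PROMISC flag. The script below is an added example, not code from the article or any tool it names, and checks for promiscuous interfaces without trusting ifconfig. It reads the "promiscuity" counter that `ip -d link show` prints for each interface and, separately, the raw interface flags word under /sys/class/net (IFF_PROMISC is 0x100). The sample `ip -d link` output embedded in it is constructed for the demonstration; the helper names are this example's own. It assumes Linux with iproute2 and sysfs; a kernel-level rootkit that lies to both sources is out of scope.

```shell
#!/bin/sh
# Added example, not code from the original article: find interfaces in
# promiscuous mode without trusting the ifconfig binary, which rootkits
# commonly replace with one that hides the PROMISC flag. Two independent
# sources are consulted: the "promiscuity" counter from `ip -d link show`
# and the raw flags word in /sys/class/net/<if>/flags (IFF_PROMISC=0x100).
# Assumes Linux with iproute2 and sysfs.

# Constructed sample of `ip -d link show` output (not captured from a real
# host): eth0 has been put into promiscuous mode by a sniffer, eth1 and lo
# have not.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode eui64 numtxqueues 1 numrxqueues 1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# promisc_from_iplink
#   Reads `ip -d link show` output on stdin and prints the name of every
#   interface whose promiscuity counter is non-zero. The "NAME@ifN" form
#   used for veth pairs is reduced to NAME.
promisc_from_iplink() {
    awk '
        /^[0-9]+: / { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        /promiscuity/ {
            for (i = 1; i <= NF; i++)
                if ($i == "promiscuity" && $(i + 1) + 0 > 0) print name
        }'
}

# flags_has_promisc FLAGS
#   FLAGS is the hex word read from /sys/class/net/<if>/flags (e.g.
#   0x1103). Succeeds when the IFF_PROMISC bit (0x100) is set.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_from_sysfs
#   Prints each interface whose raw flags word has IFF_PROMISC set.
promisc_from_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        iface=${f#/sys/class/net/}
        iface=${iface%/flags}
        if flags_has_promisc "$(cat "$f")"; then
            printf '%s\n' "$iface"
        fi
    done
    return 0
}

# Look at this host using both sources.
check_live() {
    echo "interfaces with a non-zero promiscuity counter (ip -d link):"
    ip -d link show 2>/dev/null | promisc_from_iplink
    echo "interfaces with IFF_PROMISC set in /sys/class/net/*/flags:"
    promisc_from_sysfs
}

# Demonstrate the parser on the constructed sample, then check this host.
printf '%s\n' "$SAMPLE_IPLINK" | promisc_from_iplink   # prints: eth0
check_live
```

The counter matters because an interface opened promiscuously through a packet socket, which is how sniffers built on libpcap do it, is counted by the kernel even when ifconfig shows nothing. The kernel also logs "device eth0 entered promiscuous mode" when the counter first goes non-zero, but on a machine whose syslogd has been trojaned that line is exactly what the attacker will have removed, so read the kernel state directly rather than the logs.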

Even if your machines don't cause you that order of embarrassment, the
other risks are equally grim: you can reveal confidential data with
business and/or personal consequences, lose that data entirely, see it
corrupted or sabotaged, be involved in wrongful or even criminal
activity, lose access to your computing resources, and indirectly cause
harm to your staff and business associates.
