
Re: Detecting a compromised system



On Sun, 15 Feb 2009 14:06:29 -0500
Nikolaus Rath <Nikolaus@rath.org> wrote:

> Hello,
> 
> I recently thought about the least sophisticated way to introduce a
> backdoor into a system if I already had a root shell. My naive
> approach would be to
> 
>  a) create a setuid root shell somewhere in the fs,
> 
> or
> 
>  b) modify an existing setuid binary to grant me root access
>     (e.g. when invoked with a special parameter)
> 
> 
> Since I don't consider myself particularly ingenious in that respect,
> I expected that it would be pretty easy to spot these modifications.
> So I did exactly the above and then tried to "detect" my changes.
> 
> I first looked for any additional packages that might help me with
> this and installed (and configured to the best of my knowledge)
> checksecurity and tiger.
> 
> I thought to remember that debian packages need to register any suid
> binaries that they install, and I also read in the tiger documentation
> that it verifies the checksums of installed system binaries. Thus I
> expected that both my modifications would immediately show up.
> However, nothing like that happened.
> 
> Now I'm wondering if there really is no easy way to detect such
> changes, if I didn't find the right packages, or if I messed up the
> configuration.
> 
> Anyone able to help?
> 
> 
> Best,
> 
>    -Nikolaus
> 

Finding such files is easy:
find / -perm /u+s
Detecting whether they should be setuid root, I don't know enough about the
Debian system to tell.
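One way to close the gap both posters describe, as an added example that is not from either of them: take a hashed inventory of setuid/setgid files on a known-good system, keep that baseline where a later root shell cannot rewrite it, and diff fresh scans against it, which flags both a newly planted setuid file (case a) and an existing setuid binary whose contents changed (case b). It assumes GNU find, stat and sha256sum; the demo tree is constructed in a temp directory, not a real filesystem.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU find, stat and
# sha256sum. Idea: record the setuid/setgid inventory of a clean system,
# keep the baseline off-host, and diff a fresh scan against it later.

# One line per setuid/setgid regular file: "<octal mode> <owner> <sha256> <path>".
setuid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(stat -c '%a %U' "$f")" \
            "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
    done
}

# Diff a saved baseline ($1) against a fresh scan of the tree $2. Lines
# starting with ">" are setuid files that are new or whose mode/owner/hash
# changed; "<" lines are entries that vanished or changed. Exit status:
# 0 when nothing differs, 1 when differences were found.
setuid_diff() {
    scan=$(mktemp)
    setuid_inventory "$2" > "$scan"
    diff "$1" "$scan"
    rc=$?
    rm -f "$scan"
    return $rc
}

# Self-contained demo on a constructed tree (not a real system): baseline a
# fake setuid "sudo", then plant a new setuid file (case a) and alter the
# existing one's contents without touching its mode (case b). Prints the
# diff and returns 1 because changes are detected.
demo_tampering() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf 'original sudo\n' > "$root/usr/bin/sudo"
    chmod 4755 "$root/usr/bin/sudo"
    setuid_inventory "$root" > "$root.baseline"     # stored outside the tree
    printf 'modified sudo\n' > "$root/usr/bin/sudo"  # case (b): same mode, new hash
    printf 'planted\n' > "$root/usr/bin/.hidden"
    chmod 4755 "$root/usr/bin/.hidden"               # case (a): new setuid file
    setuid_diff "$root.baseline" "$root"
    rc=$?
    rm -rf "$root" "$root.baseline"
    return $rc
}
```

A baseline taken after the root shell was obtained proves nothing, so record it at install time and store it read-only off the host; on Debian the per-package md5sums under /var/lib/dpkg/info give the same kind of reference for files a package shipped.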
