Monday, March 26, 2007
Notes on what geeks find interesting
I've been using Linux for over twelve years now, and I'm still learning it.
Today, Wlofie and I spent a few hours doing Stupid Shell Tricks under Linux, stuff like naming files “ .. ” (that's space period period space), or even “ . * & ! prang” (that's space period space asterisk space ampersand space exclamation point space "prang"), or even “-rf *”: names that give the Unix shell fits (or give naive users fits when they try to get rid of such files).
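Here is an added example, not from the original post, of how an administrator can see and remove such names without giving the shell a chance to misread them: it creates three constructed files with the names above in a scratch directory, prints each name inside brackets so stray spaces become visible, and deletes them using rm -- and, for the worst name, the inode number. It assumes a Linux system with GNU or busybox find; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): handling awkward file names
# from the administrator's side. Function names and sample files are
# constructed for this demonstration.

# Create the three constructed sample files with the names from the post.
make_awkward_names() {
    dir=$1
    mkdir -p "$dir" || return 1
    : > "$dir/ .. "                 # space, period, period, space
    : > "$dir/ . * & ! prang"       # glob and shell metacharacters in the name
    : > "$dir/-rf *"                # looks like an option string to rm
}

# Print every entry of a directory with its exact name inside brackets, so
# leading and trailing spaces show. find hands each name to a child shell
# as a single argument, so no word splitting or globbing happens on it.
list_awkward_names() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -exec sh -c 'printf "[%s]\n" "${1##*/}"' sh {} \;
}

# Count directory entries without letting the shell expand "*" into them.
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l
}

# Remove the files without letting the shell or rm misread the names.
remove_awkward_names() {
    dir=$1
    # "--" ends option parsing, so "-rf *" is an operand, not options; the
    # subshell keeps the cd from affecting the caller.
    ( cd "$dir" && rm -- '-rf *' ) || return 1
    # A quoted path is enough for a name made only of spaces and dots.
    rm "$dir/ .. " || return 1
    # For a name you would rather not type at all, address it by inode.
    ino=$(ls -i "$dir/ . * & ! prang" | awk '{print $1}')
    find "$dir" -maxdepth 1 -inum "$ino" -exec rm -- {} + || return 1
}

# Usage, when run directly:  sh thisfile.sh demo
case "${1:-}" in
    demo)
        d=$(mktemp -d)
        make_awkward_names "$d"
        list_awkward_names "$d"
        remove_awkward_names "$d"
        echo "entries left: $(count_entries "$d")"
        rmdir "$d"
        ;;
esac
```

The bracketed listing is the habit worth keeping: ls on its own prints " .. " and ".." in a way that is easy to confuse, while find with a per-file child shell shows exactly what the kernel stores.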
From there, we ventured into the territory that crackers use to hide their activities under Unix systems. One such trick is the following command:
GenericUnixPrompt> hacker_tool || rm -rf ./
Kill the running hacker_tool process and all the files under the current directory are removed: the shell's || runs rm -rf ./ as soon as hacker_tool exits with a non-zero status, which is exactly what happens when it is killed. A process listing will only show hacker_tool running. A smart cracker will also zap or munge the shell's history file, so that's a pretty hard thing to detect.
Another trick a cracker will do to make things difficult is:
GenericUnixPrompt> hacker_tool &
[1] 4532
GenericUnixPrompt> /bin/rm hacker_tool
This starts hacker_tool in the background, then removes the executable. The program keeps running, since its code is already in memory, but there's no way to actually recover the executable.
Or so I thought.
Wlofie showed me this though (at least, under Linux):
GenericUnixRootPrompt# cd /proc/4532
GenericUnixRootPrompt# cp exe /tmp/recovered_executable_file
# or alternatively
GenericUnixRootPrompt# dd if=exe of=/tmp/recovered_executable_file
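As an added example (not Wlofie's or the post's own code), here is the same /proc trick turned into a defender's check: a script that lists every process whose executable has been unlinked from disk, which is what the rm hacker_tool trick leaves behind, and preserves a copy of the image together with the command line and working directory before the process is touched, since killing it first may trigger cleanup like the rm -rf above. It assumes Linux with /proc mounted; the function names are this example's own. One caveat: a binary that was replaced on disk by a package upgrade shows up as (deleted) in the same listing, so the list is a starting point for a look, not a verdict.

```shell
#!/bin/sh
# Added example (not from the original post): find processes whose
# executable has been unlinked and preserve a copy of the image from
# /proc/PID/exe before doing anything else to the process. Assumes Linux
# with /proc mounted; the function names are this example's own.

# Print "PID original-path" for every process whose exe link ends in
# " (deleted)". Processes owned by other users need root to be readable;
# those are silently skipped.
list_deleted_exes() {
    del=' (deleted)'
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *"$del")
                pid=${exe#/proc/}
                pid=${pid%/exe}
                printf '%s %s\n' "$pid" "${target%$del}"
                ;;
        esac
    done
}

# Copy the in-memory executable image to $2, exactly as the post's
# "cp exe /tmp/recovered_executable_file" does, and print its hash.
recover_exe() {
    pid=$1
    dest=$2
    cp "/proc/$pid/exe" "$dest" || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest"
    fi
    return 0
}

# Preserve the binary together with the command line and working
# directory, so the evidence survives even if the process removes its own
# files when it is later killed (the "hacker_tool || rm -rf ./" pattern).
preserve_process() {
    pid=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    readlink "/proc/$pid/exe" > "$outdir/exe_path" 2>/dev/null
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$outdir/cmdline"
    readlink "/proc/$pid/cwd" > "$outdir/cwd" 2>/dev/null
    recover_exe "$pid" "$outdir/exe.bin"
}

# Usage:  sh thisfile.sh scan             (list processes with deleted exe)
#         sh thisfile.sh preserve PID DIR  (collect evidence for one process)
case "${1:-}" in
    scan)     list_deleted_exes ;;
    preserve) preserve_process "$2" "$3" ;;
esac
```

Run the scan as root to see every user's processes; as an ordinary user you only see your own. The copy made by recover_exe is the original executable image, so its hash can be compared against package files or shared with others without ever running the recovered binary.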
Ah, the things geeks find interesting.