<HTML>
<HEAD>
<TITLE>Unusual or hidden files</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">
<LINK REL="HOME" TITLE="Securing and Optimizing Linux" HREF="index.html">
<LINK REL="UP" TITLE="General System Security" HREF="gen-syssecured.html">
<LINK REL="PREVIOUS" TITLE="Log Spoofed, Source Routed and Redirect Packets" HREF="chap5sec61.html">
<LINK REL="NEXT" TITLE="System is compromised !" HREF="chap5sec63.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="chap5sec61.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 5. General System Security</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="chap5sec63.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="AEN4243">5.33. Unusual or hidden files</A></H1
><P>
It is important not to forget to look everywhere on the system for unusual or hidden files: files that start with a period and are normally not shown by
the <B CLASS="command">ls</B> command, as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.).
A common technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual name, something like '...' or '.. ' (dot dot space)
or <B CLASS="keycap">..</B><B CLASS="keycap">^G</B> (dot dot ctrl-G).
The find program can be used to look for hidden files.
</P>
<DIV CLASS="example"><A NAME="AEN4250"></A>
<P><B>Example 5-5. Use find to find hidden files</B></P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">find</B> / -name ".. " -print -xdev
[root@deep] /# <B CLASS="command">find</B> / -name ".*" -print -xdev | cat -v
</PRE></TD></TR></TABLE>
</P>
</DIV
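>
<P>
The two commands above list every dot-entry on the filesystem and leave it to the reader to spot the odd ones. The script below is an added example, not part of the book: it wraps the same <B CLASS="command">find</B> and <B CLASS="command">cat -v</B> technique in a function that flags only the kinds of name this section describes, namely names made of dots only, names containing whitespace, and names containing control characters such as ctrl-G (the BEL character, which <B CLASS="command">cat -v</B> renders as ^G). It assumes GNU find (for -xdev and -mindepth) and builds its own throwaway directory tree; the function names and the sample paths are the example's own.
</P>

```sh
#!/bin/sh
# Added example (not from the book): flag dot-entries whose names look crafted
# to be overlooked, building on the book's find / -name ".*" | cat -v.
# Assumes GNU find (-xdev, -mindepth); build_hidden_sample constructs a
# throwaway tree, and all function names here are the example's own.

# Print one line per suspect hidden entry as REASON<TAB>PATH, with control
# characters rendered the way cat -v shows them (BEL becomes ^G).
audit_hidden_names() {
    root=$1
    tab=$(printf '\t')
    # -xdev stays on one filesystem as in the book; -mindepth 1 skips the root.
    # The loop reads one path per line, so a name containing a newline would be
    # split; that is rare and such a name deserves a look anyway.
    find "$root" -xdev -mindepth 1 -name '.*' -print | while IFS= read -r path; do
        base=${path##*/}
        stripped=$(printf '%s' "$base" | tr -d '[:cntrl:]')
        reason=''
        if [ "$stripped" != "$base" ]; then
            reason='control-char'               # e.g. '..' followed by ctrl-G
        else
            case "$base" in
                *[!.]*) ;;                      # contains something other than dots
                *)      reason='only-dots' ;;   # '...', '....', and so on
            esac
            if [ -z "$reason" ]; then
                case "$base" in
                    *' '*|*"$tab"*) reason='whitespace' ;;   # '.. ' (dot dot space)
                esac
            fi
        fi
        if [ -n "$reason" ]; then
            printf '%s%s%s\n' "$reason" "$tab" "$(printf '%s' "$path" | cat -v)"
        fi
    done
}

# Number of suspect entries under a tree; handy for cron ("mail if non-zero").
count_suspect_hidden() {
    audit_hidden_names "$1" | wc -l | tr -d ' '
}

# Constructed sample: one ordinary dotfile and dot-directory, plus the three
# unusual names this section describes.
build_hidden_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice/.ssh" "$t/home/alice/..."
    : > "$t/home/alice/.bashrc"
    : > "$t/home/alice/.ssh/config"
    : > "$t/home/alice/.../passwd.bak"          # stash inside the '...' directory
    : > "$t/home/alice/.. "                     # dot dot space
    : > "$t/home/alice/$(printf '..\a')"        # dot dot ctrl-G (BEL)
    printf '%s\n' "$t"
}

sample=$(build_hidden_sample)
audit_hidden_names "$sample"
rm -rf "$sample"
```

<P>
Run it as root against / to cover the whole system. Ordinary dotfiles such as .bashrc and .ssh are listed by the underlying find but not reported, which keeps the daily output short enough to actually be read.
</P>
<BR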
><DIV CLASS="note"><BLOCKQUOTE CLASS="note"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Note.gif" ALT="Note"></IMG></SPAN>: </B>
Files with names such as <TT CLASS="literal">.xx</TT> and <TT CLASS="literal">.mail</TT> have also been used, that is, names chosen to look like normal files.
</P></BLOCKQUOTE></DIV
><P>
All <SPAN CLASS="acronym">SUID</SPAN> and <SPAN CLASS="acronym">SGID</SPAN> files that still exist on your system, after we have removed those that do not absolutely require such privilege,
are a potential security risk and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to
ensure that insecure programs are not installed.
</P>
<P>
A favorite trick of crackers is to exploit <SPAN CLASS="acronym">SUID</SPAN> root programs, and leave a <SPAN CLASS="acronym">SUID</SPAN> program as a backdoor to get in the next time. Find all <SPAN CLASS="acronym">SUID</SPAN>
and <SPAN CLASS="acronym">SGID</SPAN> programs on your system, and keep track of what they are so that you are aware of any changes, which could indicate a potential intruder.
Use the following command to find all <SPAN CLASS="acronym">SUID/SGID</SPAN> programs on your system:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">find</B> / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
</PRE></TD></TR></TABLE>
</P
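>
<P>
Listing the set-id files once is only the first half of the instruction; the second half is keeping track of them so that a new one stands out. As an added example that is not the book's own code, the functions below save a sorted baseline of the find output and, on a later run, report entries that were added or removed. They assume GNU find's -printf, as shipped on Red Hat; the sample tree, its file names and the function names are constructed for the illustration.
</P>

```sh
#!/bin/sh
# Added example (not from the book): record which SUID/SGID files exist and
# diff a later scan against that baseline, which is the "keep track of what
# they are so that you are aware of any changes" step. Assumes GNU find
# (-printf), as on Red Hat; build_setid_sample constructs a throwaway tree.

# One sorted line per set-id regular file: MODE OWNER GROUP PATH.
scan_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %g %p\n' | sort
}

# Save the current scan of ROOT ($1) as the baseline file ($2).
setid_baseline() {
    scan_setid "$1" > "$2"
}

# Rescan ROOT ($1) and print entries added (+) or removed (-) relative to the
# baseline ($2). Returns 1 when anything changed, so a cron wrapper can mail
# the output to root only in that case.
setid_compare() {
    current=$(mktemp)
    scan_setid "$1" > "$current"
    changes=$(diff "$2" "$current" | sed -n -e 's/^> /+ /p' -e 's/^< /- /p')
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Constructed sample: one legitimate SUID binary, one ordinary binary, and a
# hidden file that the demo later turns SUID to simulate a planted backdoor.
build_setid_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/tmp"
    printf '#!/bin/sh\n' > "$t/bin/ping";  chmod 4755 "$t/bin/ping"
    printf '#!/bin/sh\n' > "$t/bin/ls";    chmod 0755 "$t/bin/ls"
    printf '#!/bin/sh\n' > "$t/tmp/.x";    chmod 0755 "$t/tmp/.x"
    printf '%s\n' "$t"
}

sample=$(build_setid_sample)
baseline=$(mktemp)
setid_baseline "$sample" "$baseline"
chmod 4755 "$sample/tmp/.x"                 # simulate a backdoor left behind
setid_compare "$sample" "$baseline" || echo "set-id files changed since baseline (see above)"
rm -rf "$sample" "$baseline"
```

<P>
From cron the pattern is to keep the baseline file somewhere that is not world-writable, run setid_compare once a day, and mail root only when it returns 1; refresh the baseline after each legitimate package update so the report stays small and every line in it means something.
</P>
<BR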
><DIV CLASS="tip"><BLOCKQUOTE CLASS="tip"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Tip.gif" ALT="Tip"></IMG></SPAN>: </B>
See in this book under <A HREF="soft-secmonitor.html">Securities Software/Monitoring Tools</A> for more information about the software <A HREF="chap14sec112.html">sXid</A>, which will do the job for you automatically each day and report the results via mail.
</P></BLOCKQUOTE></DIV
><P>
Group- and world-writable files and directories, particularly on system file partitions, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable
directories are dangerous, since they allow a cracker to add or delete files as he or she wishes in these directories. In the normal course of operation, several files will be writable, including
some from the <TT CLASS="filename">/dev, /var/catman</TT> directories, and all symbolic links on your system.
To locate all group- and world-writable files on your system, use the command:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">find</B> / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
</PRE></TD></TR></TABLE>
To locate all group- and world-writable directories on your system, use the command:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">find</B> / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
</PRE></TD></TR></TABLE>
</P
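>
<P>
The two find commands above also list directories such as /tmp, which are world-writable by design. The example below is added here and is not the book's code: it separates those directories by testing for the sticky bit (mode 1000), since a world-writable directory with the sticky bit only lets users remove their own files, whereas one without it lets anyone delete or replace anyone's files. It assumes GNU find's -printf and constructs its own sample tree; the function names are the example's own.
</P>

```sh
#!/bin/sh
# Added example (not from the book): list group/world-writable files the way
# the book's find does, and split world-writable directories into those with
# the sticky bit (shared scratch space such as /tmp, where users cannot remove
# each other's files) and those without it, which are the ones worth fixing.
# Assumes GNU find (-printf); build_perm_sample constructs a throwaway tree.

# Group- or world-writable regular files (the book's -perm -2 -o -perm -20),
# one sorted line each: MODE OWNER GROUP PATH. Symbolic links are never
# matched because -type f excludes them unless -L is added.
writable_files() {
    find "$1" -xdev -type f \( -perm -0002 -o -perm -0020 \) -printf '%m %u %g %p\n' | sort
}

# World-writable directories lacking the sticky bit: any user may rename or
# delete any entry inside them.
unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -printf '%m %p\n' | sort
}

# World-writable directories that do carry the sticky bit, reported separately
# so they are still known but not mixed in with the real findings.
sticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -perm -1000 -printf '%m %p\n' | sort
}

# Constructed sample: a normal system directory, a /tmp-style sticky directory,
# a world-writable directory without the sticky bit, and three files.
build_perm_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/tmp" "$t/shared"
    chmod 0755 "$t/etc"; chmod 1777 "$t/tmp"; chmod 0777 "$t/shared"
    : > "$t/etc/passwd";        chmod 0644 "$t/etc/passwd"        # fine
    : > "$t/etc/motd";          chmod 0666 "$t/etc/motd"          # world-writable
    : > "$t/shared/notes.txt";  chmod 0664 "$t/shared/notes.txt"  # group-writable
    printf '%s\n' "$t"
}

sample=$(build_perm_sample)
echo "== group/world-writable files";         writable_files "$sample"
echo "== world-writable dirs without sticky"; unsticky_world_writable_dirs "$sample"
echo "== world-writable dirs with sticky";    sticky_world_writable_dirs "$sample"
rm -rf "$sample"
```

<P>
Against a real system the unsticky list is the one to act on; the sticky list should contain little beyond /tmp and /var/tmp, and anything else in it deserves a question about why it is shared.
</P>
<BR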
><DIV CLASS="tip"><BLOCKQUOTE CLASS="tip"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Tip.gif" ALT="Tip"></IMG></SPAN>: </B>
A file and directory integrity checker such as Tripwire can be run regularly to scan for, manage and find modified group- or world-writable files and directories easily. See in this book under <A HREF="soft-secmonitor.html">Securities Software/Monitoring Tools</A>
for more information about Tripwire.
</P></BLOCKQUOTE></DIV
><P>
Don't permit any unowned file. Unowned files may also be an indication that an intruder has accessed your system. If you find an unowned file or directory on your system, verify its integrity, and
if all looks fine, give it an owner. Sometimes you may uninstall a program and be left with an unowned file or directory related to that software; in this case you can remove the file or directory safely.
To locate files on your system that do not have an owner, use the following command:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">find</B> / -nouser -o -nogroup
</PRE></TD></TR></TABLE>
Please note once again that files reported under the <TT CLASS="filename">/dev</TT> directory don't count.
</P
><P>
Finding all the <TT CLASS="filename">.rhosts</TT> files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker
only needs one insecure account to potentially gain access to your entire network.
You can locate all <TT CLASS="filename">.rhosts</TT> files on your system with the following command:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">find</B> /home -name .rhosts
</PRE></TD></TR></TABLE>
You can also use a cron job to periodically check for, report the contents of, and delete <TT CLASS="filename">$HOME/.rhosts</TT> files. Also, users should be made aware that you regularly perform this type
of audit, as directed by policy.
</P
><P>
To use a cron job to periodically check and report via mail all <TT CLASS="filename">.rhosts</TT> files, do the following:
Create as root the <TT CLASS="filename">find_rhosts_files</TT> script file under the <TT CLASS="filename">/etc/cron.daily</TT> directory (<TT CLASS="userinput"><B>touch</B></TT> <TT CLASS="filename">/etc/cron.daily/find_rhosts_files</TT>) and add the following
lines to this script file:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting">#!/bin/sh
/usr/bin/find /home -name .rhosts | (cat &lt;&lt;EOF
This is an automated report of possible existent .rhosts files on the server
deep.openna.com, generated by the find utility command.

New detected .rhosts files under the /home directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root
</PRE></TD></TR></TABLE>

Now make this script file executable, verify the owner, and change the group to root.
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">chmod</B> 755 /etc/cron.daily/find_rhosts_files
[root@deep] /# <B CLASS="command">chown</B> 0.0 /etc/cron.daily/find_rhosts_files
</PRE></TD></TR></TABLE>
Each day mail will be sent to root with the subject "Content of .rhosts file audit report", listing any potential new <TT CLASS="filename">.rhosts</TT> files.
</P>
</DIV
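>
<P>
The cron script above mails the list of paths every day, whether or not anything was found. The example below is added here and is not the book's code: it is a function version of the same .rhosts audit that also prints each file's owner, mode and contents, warns about "+" wildcard entries (a "+ +" line trusts every user on every host), and provides a removal helper, since the text mentions deleting these files. It assumes GNU find and stat and uses uname -n for the host name; the sample /home tree and the user names in it are constructed for the illustration.
</P>

```sh
#!/bin/sh
# Added example (not from the book): the .rhosts audit as functions that return
# the report text and a status, so the same code can be run by hand, from the
# book's cron.daily script, or in a test. It adds what the book's script does
# not: each file's owner, mode and contents, a warning for "+" wildcard
# entries, and a removal helper. Mailing is left to the caller. The host name
# comes from uname -n; build_home_sample constructs a throwaway /home tree.

# Report every .rhosts regular file under HOMES ($1). Returns 0 when none
# exist and 1 when at least one was found, so a cron wrapper can capture the
# output and mail it to root only in that case.
rhosts_report() {
    homes=$1
    found=$(find "$homes" -xdev -type f -name .rhosts | sort)
    if [ -z "$found" ]; then
        printf 'No .rhosts files found under %s\n' "$homes"
        return 0
    fi
    printf 'Automated .rhosts audit report for %s\n\n' "$(uname -n)"
    printf '%s\n' "$found" | while IFS= read -r f; do
        printf '== %s (owner %s, mode %s)\n' "$f" "$(stat -c %U "$f")" "$(stat -c %a "$f")"
        # A line starting with "+" trusts every host (or every host and every
        # user for "+ +"); flag it so the reader sees the worst cases first.
        if grep -qs '^[+]' "$f"; then
            printf '   WARNING: wildcard "+" trust entry\n'
        fi
        sed 's/^/   /' "$f"                  # file contents, indented
        printf '\n'
    done
    return 1
}

# Remove every .rhosts under HOMES ($1), printing each path as it goes.
rhosts_remove() {
    find "$1" -xdev -type f -name .rhosts -print -delete
}

# Constructed sample: one host-specific entry, one wildcard entry, and a user
# with no .rhosts at all.
build_home_sample() {
    h=$(mktemp -d)
    mkdir -p "$h/alice" "$h/bob" "$h/carol"
    printf 'trusted.example.com alice\n' > "$h/alice/.rhosts"   # host-specific entry
    printf '+ +\n' > "$h/bob/.rhosts"                           # trusts everyone, everywhere
    : > "$h/carol/.profile"                                     # unrelated dotfile
    printf '%s\n' "$h"
}

sample=$(build_home_sample)
report=$(rhosts_report "$sample") || printf '%s\n' "$report"   # cron: pipe to /bin/mail instead
rhosts_remove "$sample"
rhosts_report "$sample"
rm -rf "$sample"
```

<P>
To keep the book's subject line but send mail only when there is something to report, the cron script becomes <TT>report=$(rhosts_report /home) || printf '%s\n' "$report" | /bin/mail -s "Content of .rhosts file audit report" root</TT>; whether to call rhosts_remove automatically or only after a human has read the report is the policy decision the text refers to.
</P>
<BR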
><DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="chap5sec61.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="chap5sec63.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Log Spoofed, Source Routed and Redirect Packets</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="gen-syssecured.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">System is compromised !</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>