Mailinglist Archive: opensuse-security (601 mails)

< Previous Next >
Re: AW: AW: [suse-security] SuSE security reputation, etc..
  • From: "Petri Sirkkala." <petes@xxxxxxxxxxxxx>
  • Date: Sun, 6 Aug 2000 12:24:55 +0300 (EEST)
  • Message-id: <Pine.LNX.4.21.0008061215570.6845-100000@xxxxxxxxxxxxxxxxx>

On Sat, 5 Aug 2000, OKDesign oHG Security Webmaster wrote:

> > Someone might install some scripts to USER account and for example copy
> > all input/output to a file, including su passwords.
> Good idea.
> But how should he manage to get this script started ?
> And even if the script IS started and running, I should see it when doing a
> ps, shouldn't I ?
> And I always do ps axf before doing any su-like thing.
> Any other holes ?

You can not rely on any operations after someone compromises your

A script could be run in your .login or any other .rc file. The attaker
might even compile a new binary for some of your commands (for example
su or ps ) to snoop your passwords and place it to your path before the
real one. Of course he can only put it in some directory that user has
privileges to write, but still it is possible to make your users
environment hostile.

Checking prosesses would then only show 'normal' things after all he
might even have changed your bash (or another shell you use to some
hacked binary) and the .login script might run that malicious shell for
you before you get to type in even the first command. This shell could
be carefully crafted to hide its existence in every aspect, as it could
process input and output of commands like ps and su anyway it sees fit.


> --- Stephan
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx

< Previous Next >