Friday, December 12, 2008


Hacker Scripts

One of the things bad hackers like to do is run their code on other people's computers. Some of the ways this is done are via Perl or PHP scripts. Here is an example of a simple information gathering script written in PHP:


It looks innocuous, but what does it do exactly?

It returns the UID, GID and group numbers of the account the script was executed under, as well as all the group names. After that it runs "uname -a" and returns some system information (e.g. the exact version of the kernel you are running). Finally it returns the amount of free disk space and the total amount of disk space.

Even though the script doesn't do anything destructive, this is still bad: it means there is some vulnerability in your system that allowed the script to run in the first place. After scouting out your system, the attacker is in a better position to compromise it.

Now, if someone is always on the server, they can keep an eye out for certain tell-tale signs of hacker activity. Sometimes you'll see things that look like hacker activity but aren't, e.g. Reddit or some other popular site linking to one of your web pages.

Some of the danger signs:

  1. Much higher than normal disk activity
  2. Too many instances of sendmail
  3. Instances of lwp-download or wget running when they shouldn't be
  4. More than one process running klogd or acpid

Danger sign #4 is interesting because it's an example of misdirection. Usually when you see two klogd processes, one of them is a fake. The hacker knows that if the system admin sees some weird process running they're going to kill it right away, but if it's something that should be running, like klogd, then maybe they're not going to notice.

Security of your server is an ongoing job and this blog entry is only scratching the surface. One simple thing you can do is to lock down important executables with "chmod 700" so that only the owner (root, for system binaries) can read, write or execute them.

Here is a list of executables that should be locked down, assuming they're on your system:

wget, elinks, curl, lynx, vsftpd, ftp

Basically any command that can "phone home" should be locked down. Even if you think your security is pretty good some new exploit could allow the bad hackers a way to execute scripts on your system.
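Here is an added example (my own script, not part of the original post) that turns the danger signs above and the "chmod 700" lockdown list into a quick check. It assumes process names come from "ps -eo comm=" (one name per line), and the sendmail threshold is a made-up value you would tune to your own mail volume.

```shell
#!/bin/sh
# Check a process listing for the danger signs described in the post, and
# report any "phone home" executables that are not locked down to mode 700.

SENDMAIL_MAX=5                               # constructed threshold, tune it
SINGLETONS="klogd acpid"                     # only one real instance expected
DOWNLOADERS="wget lwp-download curl"         # should not normally be running
LOCKDOWN="wget elinks curl lynx vsftpd ftp"  # list from the post

# Count exact matches of a command name in the listing read from stdin.
count_proc() {
    awk -v n="$1" '$1 == n { c++ } END { print c + 0 }'
}

# Emit one WARN line per danger sign found in the listing read from stdin.
scan_processes() {
    listing=$(cat)
    for p in $SINGLETONS; do
        n=$(printf '%s\n' "$listing" | count_proc "$p")
        [ "$n" -gt 1 ] && echo "WARN: $n copies of $p running; one may be a decoy"
    done
    for p in $DOWNLOADERS; do
        n=$(printf '%s\n' "$listing" | count_proc "$p")
        [ "$n" -gt 0 ] && echo "WARN: $p is running ($n instance(s))"
    done
    n=$(printf '%s\n' "$listing" | count_proc sendmail)
    [ "$n" -gt "$SENDMAIL_MAX" ] && echo "WARN: $n sendmail processes (limit $SENDMAIL_MAX)"
    return 0
}

# Print a FIX line for every binary on the lockdown list that exists on this
# host but is not mode 700 (ls -L follows symlinks to the real binary).
check_lockdown() {
    for name in $LOCKDOWN; do
        path=$(command -v "$name" 2>/dev/null) || continue
        mode=$(ls -ldL "$path" | cut -c2-10)
        [ "$mode" = "rwx------" ] || echo "FIX: chmod 700 $path (currently $mode)"
    done
    return 0
}

# Constructed sample listing standing in for real "ps -eo comm=" output.
SAMPLE_PS='klogd
klogd
acpid
sendmail
sendmail
wget
httpd
sshd'

printf '%s\n' "$SAMPLE_PS" | scan_processes   # flags the second klogd and wget
check_lockdown                                # checks the live system
```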
