* * * * *
Notes on what geeks find interesting
I've been using Linux for over twelve years now, and I'm still learning it.
Today, Wlofie [1] and I spent a few hours doing Stupid Shell Tricks under
Linux—stuff like naming files “ .. ” (that's space period period space) or even
“ . * & ! prang” (that's space period space asterisk space ampersand space
exclamation point space "prang") or even “-rf *”—names that give the Unix
shell fits (or naive users fits trying to get rid of such files).
From there, we ventured into the territory that crackers use to hide their
activities under Unix systems. One such trick is the following command:
> GenericUnixPrompt> hacker_tool || rm -rf ./
>
Kill the running hacker_tool process and all the files are removed. A process
listing will only show the hacker_tool running. A smart cracker will zap or
munge the history file of the shell. So that's a pretty hard thing to detect.
Another trick a cracker will do to make things difficult is:
> GenericUnixPrompt> hacker_tool &
> [1] 4532
> GenericUnixPrompt> /bin/rm hacker_tool
>
This starts the hacker_tool, then the executable is removed. The program
still runs since the code is in memory, but there's no way to actually
recover the executable.
Or so I thought.
Wlofie showed me this though (at least, under Linux):
> GenericUnixRootPrompt# cd /proc/4532
> GenericUnixRootPrompt# cp exe /tmp/recovered_executable_file
> # or alternatively
> GenericUnixRootPrompt# dd if=exe of=/tmp/recovered_executable_file
>
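The /proc trick above is exactly what an incident responder wants when a process is still running but its binary has been unlinked from disk. The script below is an added example, not from the original post: it uses a private copy of sleep as a harmless stand-in for "hacker_tool", deletes the file while the process runs, recovers the executable from /proc/PID/exe, and checks the copy is byte-identical to the original. It also scans /proc for every process whose exe link ends in " (deleted)", which is the cheap way to spot this situation on a live Linux box. All paths and names in it are constructed; it assumes Linux with /proc mounted and POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates recovering a
# deleted-but-running executable from /proc/PID/exe and listing processes
# in that state. Assumes Linux with /proc; file names here are constructed.

# recover_deleted_exe PID DEST: copy the still-mapped executable of a
# running process back out of /proc/PID/exe, even though the path on disk
# is gone. The symlink target reads "... (deleted)", but opening the link
# itself still reaches the original inode, so cp (or dd) just works.
recover_deleted_exe() {
    pid=$1
    dest=$2
    [ -d "/proc/$pid" ] || return 1
    cp "/proc/$pid/exe" "$dest" || return 1
    chmod 0600 "$dest"           # keep the recovered sample private
    return 0
}

# list_deleted_exes: print "PID TARGET" for every process whose executable
# no longer exists on disk. Processes owned by other users (unreadable
# exe link) and processes that exit mid-scan are skipped quietly.
list_deleted_exes() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") echo "${p#/proc/} $target" ;;
        esac
    done
}

# demo_recover: run the whole sequence with a copy of sleep standing in for
# the deleted tool. Prints "recovered" if the scan flagged the process and
# the copy pulled from /proc matches the original binary, else "failed".
# The copy is deliberately still named "sleep" so busybox-based systems,
# which pick the applet from argv[0], run it the same way coreutils does.
demo_recover() {
    workdir=$(mktemp -d)
    orig=$(command -v sleep)
    cp "$orig" "$workdir/sleep"            # constructed stand-in for hacker_tool
    "$workdir/sleep" 300 &
    pid=$!
    rm "$workdir/sleep"                    # file gone, process still running

    # the scan should now show this PID with a "(deleted)" target
    flagged=$(list_deleted_exes | grep -c "^$pid ") || true

    if recover_deleted_exe "$pid" "$workdir/recovered" &&
       cmp -s "$orig" "$workdir/recovered"; then
        result=0
    else
        result=1
    fi

    kill "$pid" 2>/dev/null || true
    rm -rf "$workdir"

    if [ "$result" -eq 0 ] && [ "$flagged" -ge 1 ]; then
        echo recovered
    else
        echo failed
    fi
}

# usage: list_deleted_exes        (live triage: who is running from a deleted file?)
#        demo_recover             (end-to-end self-check, prints "recovered")
```

Two practical notes: you can only read /proc/PID/exe for processes you own (or as root), so triage scans run as root; and the recovered file carries no metadata from the deleted path, so hash it and record the PID, cmdline and the "(deleted)" target alongside it before the process exits and the inode is finally released.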
Ah, the things geeks find interesting.
[1] http://wlofie.dyndns.org/