On Wed, 1 Nov 2000, Benjamin Scott wrote:
> Unfortunately, one of the first things your typical root kit does is replace
> /bin/ps and /bin/ls with trojans that filter out the malicious programs.
> I've also heard or seen of exploits which tamper with the shell, more and
> less, the RPM database, and even the C library.
Good point Ben. So here's a shell script I just hacked together that
processes /proc to give you a limited ps command (attached as ps.sh.txt).
If you want to use it, just save it as ps.sh, make it executable, and run
it.
If you look at the code, note that the tr commands in the pipes in the
first section are:
tr -s "<tab><space>" "<space><space>"
If you cut and paste, all the tabs will be replaced by spaces and it won't
work properly.
Of course, if they replace the shell, this may or may not work. But I
think it's pretty unlikely they'll hack the kernel to break the /proc
filesystem, and then reboot with the new kernel without you noticing.
=8^)
--
We sometimes catch a window, a glimpse of what's beyond
Was it just imagination stringing us along?
------------------------------------------------
Derek Martin | Unix/Linux geek
[EMAIL PROTECTED] | GnuPG Key ID: 81CFE75D
Retrieve my public key at http://pgp.mit.edu
#!/bin/sh
# ps.sh: a limited ps(1) that reads /proc directly instead of trusting the
# (possibly trojaned) /bin/ps.  Needs only sh, grep, tr, cut, sed and sort;
# /etc/passwd is read with a plain read loop.
#
# The tr calls squeeze tabs and spaces to a single space, since the fields in
# /proc/PID/status are tab-separated.  Writing the tab as '\t' keeps the
# script working after a cut-and-paste that turns tabs into spaces.

# field FILE REGEX: second whitespace-separated field of the first line of
# FILE matching REGEX; empty if FILE is gone.
field() {
    grep "$2" "$1" 2>/dev/null | tr -s '\t ' '  ' | cut -d' ' -f 2
}

# username UID: login name for a numeric UID, or the number itself if there
# is no match.  The uid field is compared exactly, so uid 10 does not match
# uid 100 and a gid field is never mistaken for a uid.
username() {
    while IFS=: read -r name passwd uid rest; do
        if [ "$uid" = "$1" ]; then
            echo "$name"
            return
        fi
    done < /etc/passwd
    echo "$1"
}

printf 'PID\tPPID\tUser\tStatus\tCMD LINE\n---\t----\t----\t------\t--------\n\n'
for dir in /proc/[0-9]*; do
    myPID=${dir#/proc/}
    # Start every iteration clean so a process that vanished cannot inherit
    # the previous iteration's values.
    CMDLINE=''; myPPID=''; Status=''; myUID=''
    if [ -d "$dir" ]; then
        # cmdline holds the arguments separated by NUL bytes; make them spaces.
        CMDLINE=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null)
        myPPID=$(field "$dir/status" '^PPid:')
        Status=$(field "$dir/status" '^State:')
        myUID=$(field "$dir/status" '^Uid:')
    fi
    if [ -z "$CMDLINE" ]; then
        # An empty cmdline is either a kernel thread, whose name is the
        # parenthesised second field of stat (it may contain spaces), or a
        # process that exited while we were looking.
        if [ -e "$dir/stat" ]; then
            CMDLINE=$(sed 's/^[0-9]* (\(.*\)) .*$/\1/' "$dir/stat" 2>/dev/null)
        else
            CMDLINE=Died
        fi
    fi
    [ -z "$myPPID" ] && myPPID=Died
    [ -z "$Status" ] && Status=Died
    # Map the real UID to a user name if we still have one.
    if [ -n "$myUID" ]; then
        user=$(username "$myUID")
    else
        user=Died
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$myPID" "$myPPID" "$user" "$Status" "$CMDLINE"
done | sort -n
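A follow-on check, added here as an example and not part of Derek's message or his ps.sh: once you have an independent view of /proc, the useful thing to do with it is compare it against what the installed ps is willing to report, and to probe /proc/<n>/status for each n directly, since a kernel module that filters readdir() on /proc does not necessarily filter a direct lookup of /proc/<n>. It assumes a Linux /proc, a ps that understands -e and -o pid= (procps), awk, sort and mktemp; the five-PID sample in demo_constructed is made up for the demonstration, not a capture.

```sh
#!/bin/sh
# Added example (not Derek's code): cross-check the process list seen through
# /proc against what /bin/ps reports, and probe PIDs directly so that a
# readdir()-filtering rootkit on /proc still shows up.  Assumed tools: sh,
# awk, ps with -e and -o pid= (procps), sort, mktemp.

# set_difference A B: print each PID in file A that is absent from file B.
# FILENAME == ARGV[1] (rather than NR == FNR) keeps an empty B from being
# mistaken for A.
set_difference() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen) { print $1 }' "$2" "$1"
}

# proc_pids: PIDs visible by listing /proc, one per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
}

# ps_pids: PIDs that the installed ps binary admits to.
ps_pids() {
    ps -e -o pid= 2>/dev/null | tr -d ' '
}

# probe_pids MAX: PIDs 1..MAX whose /proc/<n>/status can be stat'ed, found
# without ever listing /proc.  MAX defaults to the kernel's pid_max, which on
# recent kernels can be in the millions; pass a smaller bound if the shell
# loop is too slow.
probe_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    n=1
    while [ "$n" -le "$max" ]; do
        [ -e "/proc/$n/status" ] && echo "$n"
        n=$((n + 1))
    done
}

# hidden_pids LISTER: PIDs found by LISTER (proc_pids, or "probe_pids N")
# that ps does not report.  The two snapshots are taken back to back.
hidden_pids() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    $1 | sort -n > "$a"
    ps_pids | sort -n > "$b"
    set_difference "$a" "$b"
    rm -f "$a" "$b"
}

# demo_constructed: constructed sample, not a real capture.  /proc shows five
# PIDs and a (hypothetical) trojaned ps omits two of them; prints the two
# hidden PIDs, one per line.
demo_constructed() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '1\n2\n42\n1337\n2001\n' > "$a"
    printf '1\n2\n42\n' > "$b"
    set_difference "$a" "$b"
    rm -f "$a" "$b"
}

# Live run, only where /proc and ps are actually available.
if [ -d /proc/self ] && command -v ps >/dev/null 2>&1; then
    echo "PIDs listed in /proc but missing from ps output:"
    hidden_pids proc_pids
    echo "PIDs found by direct probe (1..32768) but missing from ps output:"
    hidden_pids "probe_pids 32768"
fi
```

Run it twice: a PID that shows up once and not again merely started or exited between the two snapshots, whereas a trojaned ps hides the same PID every time. A rootkit that hooks both the /proc listing and the direct lookup, or that replaces the kernel, defeats both checks; that is the kernel-level case the message above treats as unlikely.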