I can see through your masks
[Announcement: There's a new list: performance-list gnome org. All invited.]
Over the past two weeks I found somebody accessing my departmental Linux account using a password and running malware. The first time it happened, I was in great shock. Fortunately the admins confirmed that password authentication was used, so my precious private key on my laptop was not stolen. So I convinced myself that a friend's Windows machine I used to check mail was the source of the problem. When it happened a second time though, it left only two choices: my laptop, and the Linux box I use to check email when I'm at the University of Toronto at Scarborough on Thursdays. It's a professor's office box, not a public box.
Anyway, I investigated the box in question, and indeed it was infected by a rootkit and lots of other bad things. I didn't have root access, which made investigations a bit harder, but here are a couple of my observations that are worth noting:
- While the rootkit had process-hiding capabilities in place for ps, I happened to run pstree and was surprised to find a suspicious process (a process called "smbd -D", with a space in it). So, when in doubt about ps, give pstree a try. Checking with /proc does the job too, but it's harder.
- This one is more useful. Since I was not logged in as the root user, I couldn't see where /proc/*/exe points to for processes owned by other users (including the root user), but I figured out a way around it: Stupidly enough, the kernel lets you see the /proc/*/maps file for any process, and not surprisingly, the first line in that file corresponds to the image being run, which is exactly what the /proc/*/exe file would have pointed to, if you could ever see it!