Author: Preston St. Pierre
One Ring to bring them all and in the darkness bind them….
In a hole in the ground there lived a hobbit. Skodo Baggins was his name, and he was the system administrator for one of the most important machines in all of Middle Earth, a manufacturing company that produced thematic action figures. Business was booming as orders rolled in at a pace not seen since the heady days of the Information Security Action Figure rush of 2002 or even the original Star Wars toys of the late 1970s.
In the heart of Middle Earth’s network, Skodo managed a crucial Linux file server that stored product plans, pricing information, and individual home directories for hundreds of Middle Earth employees. When Skodo originally got the job, his boss, a wise old wizard named Gandalf, told him, “The fate of Middle Earth is in your hands, Skodo!”
Skodo had recently downloaded the System Administrator Intrusion Discovery Cheat Sheets for Linux
and Windows from the SANS Institute. These tri-fold tip sheets help system administrators find traces of attackers on their systems using only built-in software included on the machine. Skodo was looking for unusual elements in his file system. He started out by looking for a file or directory with a name of dot-dot-space (“.. “), a technique sometimes used by attackers to camouflage files or directories. Skodo ran the following command:
# find / -name ".. " -print
Much to his surprise, Skodo’s search did return a directory with the name of dot-dot-space owned by a user named Smeagol in the /tmp directory, as shown in the figure below. Skodo changed into this dot-dot-space directory, but could see no files inside of it.
Noticing that the file ballad_of_bilbo_baggins.mov was world readable, Skodo viewed it, seeing this chilling movie. After shuddering at this abomination of Western civilization, Skodo returned to his investigation.
Given that the strange dot-dot-space directory was owned by user Smeagol, Skodo decided to pay a visit to Mr. G. Smeagol, a shriveled up old hobbit who worked in a cubicle down the hall. After walking into his cubicle and engaging old Smeagol in small talk about the delightful virtues of eating raw fish, Skodo began his interrogation.
“Tell me… Did you install some evil tool on the file server?” Skodo asked.
Smeagol quickly and nervously responded with feigned sincerity, “No! No! Smeagol love master and would never hurt the system. Smeagol will serve master.”
Smeagol continued with a small chuckle, “We run many applications that create a lot of files. This issue is just in the /tmp directory, so it shouldn’t worry poor master. Smeagol help master!” Then, Smeagol coughed and burped at the same time, making a loud hacking “Gollum!” sound.
Cautious, but sensing that this interrogation was leading nowhere, Skodo walked away from Smeagol’s cubicle. About ten paces away from the cubicle, Skodo paused as he heard the hideous sound of a twisted, evil form of Smeagol’s voice, emanating from the cubicle. The voice was whispering, but it was still loud enough for Skodo to hear distinctly: “We must keep control of the preciousssss kernel! Must control the precioussss for ourselves and not Master! My preciousssss kernel. My precioussssssssssssss…”
Questions:
- What two mistakes had Gollum/Smeagol and/or his tool made in this attack?
- Suppose Skodo is allowed to reboot the box. How can Skodo determine what really happened? What tools should he use?
- Now suppose Skodo is unable to reboot the Middle Earth file server. What tools should he use to determine what is really happening without shutting the box down or rebooting it?
- Short of storing it on a chain around his neck, how can Skodo protect his kernel from being seized by a user on the machine?
Submit answers to these questions to skodo@counterhack.net by March 19, 2004. Ed Skoudis will select the three best entries to win a copy of his latest book, Malware: Fighting Malicious Code. By the way, Ed’s Malware tome is a fine addition to your library, a favorite of hobbits around the world. To snag your own preciousssss copy, click here.
