
Suppose a hacker obtains a shell on my Linux host and wants to hide a file. What's the best way for him to do this? You may assume unprivileged or root access.

My thoughts are

  • Use a .file filename (pretty easy to find these of course)
  • Write a file to some obscure directory (might be found by tripwire and the like?)
  • Append to a log file (so that it's less suspicious that the file is growing)
  • Use some kind of stego (I have no idea how to do this)
  • Write to a raw portion of the disk (I don't know how to do this either)

I'm sure you security professionals know the common tricks?!

AviD
Fixee
    What is the attack you're worried about here? I expect that most users and sysadmins hardly spend their time making sure they know about all the files on their filesystems. Wasting space is a common issue, but not the sort of thing hackers tend to focus on. Malware, viruses, etc. are a more specific threat and there are more specific considerations for finding and hiding such things. – nealmcb Feb 19 '11 at 00:43
  • @nealmcb - Contrarily, in some environments knowing about all the files on a file system is a requirement of the security plan. That is why there are utilities for file integrity monitoring and for log aggregation and alerting. However, my concern with this question is that it seems more focused on "how to attack" when this type of topic would more appropriately be discussed as a "how to defend" here. – Iszi Feb 19 '11 at 01:52
  • Why hide? Make the file immutable and see the super user squirm :) – 0xC0000022L Mar 03 '11 at 02:44

2 Answers


If I have root on a system and really want to hide a file, the obvious answer is a rootkit, which can hide any files I want from almost all detection, by hooking filesystem reads etc. Rootkits are incredibly hard to find in a normal working environment, as you can't trust anything the OS reports. If you have Tripwire on a system, working correctly and monitoring the entire filesystem, the installation of a rootkit should be detected - however if an attacker can get root and has access to the Tripwire systems, then all bets are off.

What is much more likely in practice, however, is for files to be hidden in the depths of the filesystem, perhaps under . directories so they don't show to a normal ls, or perhaps as innocuously named files. The good thing is that more Linux admins seem to know what files should exist than Windows admins, probably more down to the fact that Windows is managed typically through a GUI, however with greater usage of PowerShell this is changing.

Writing files to an unused portion of a disk can work, however in an enterprise environment you tend to find disks fully utilised, so an attacker would first need to either alter a partition or find some way to hide the use of a section of existing filesystem. It happens, but not as often as you may think.

Steganography is not used very much. Malicious executables are found in innocuous looking files, but usually as a vector, not in storage.


In summary, from a defenders perspective, protect root, patch regularly and use Tripwire or an equivalent.

Rory Alsop
    Best protection against a rootkit on *nix is a single monolithic kernel with no module support and checksum verification on boot from read only media. – RobotHumans Feb 19 '11 at 23:59
  • @aking1012 - it certainly is one form of protection, and is appropriate in some environments. Sadly not appropriate for some enterprises that would be much better off using this. – Rory Alsop Feb 20 '11 at 00:58
    Protect root _and the console_. Don't let people with physical access spoil your fun. –  Feb 24 '11 at 13:24
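The answer above ends with "use Tripwire or an equivalent". As an added example (my own code, not Rory Alsop's and not Tripwire's), here is the core of such a check in Python: take a baseline of a tree (SHA-256 of regular files plus mode, owner and size), diff a later snapshot against it, and separately list every path that has a dot-prefixed component, since that is the hiding trick the answer expects in practice. The `demo()` function builds a constructed tree in a temporary directory, plants a hidden directory and edits one file, and returns what the comparison reports; the `etc/motd` and `.cache/payload` names in it are invented for the demonstration.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire (added example)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per entry: (sha256 of regular files or "", mode, uid, gid, size of regular files or 0).
# Directory sizes are deliberately not recorded: they vary by filesystem as entries are added.
Record = Tuple[str, int, int, int, int]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Record every directory and file under root, without following symlinks."""
    snap: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            is_file = stat.S_ISREG(st.st_mode)
            digest = sha256_file(path) if is_file else ""
            size = st.st_size if is_file else 0
            snap[os.path.relpath(path, root)] = (digest, st.st_mode, st.st_uid, st.st_gid, size)
    return snap


def diff(baseline: Dict[str, Record], current: Dict[str, Record]):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed


def hidden_entries(snap: Dict[str, Record]) -> List[str]:
    """Paths with a dot-prefixed component: the 'under . directories' trick."""
    return sorted(p for p in snap if any(part.startswith(".") for part in p.split(os.sep)))


def demo():
    """Constructed scenario: baseline, then a hidden directory appears and a file is edited."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "motd"), "w") as f:
        f.write("Welcome\n")
    baseline = snapshot(root)

    # Simulated tampering (constructed names, nothing outside the temp dir is touched).
    os.makedirs(os.path.join(root, "etc", ".cache"))
    with open(os.path.join(root, "etc", ".cache", "payload"), "w") as f:
        f.write("constructed dummy content\n")
    with open(os.path.join(root, "etc", "motd"), "a") as f:
        f.write("modified\n")

    current = snapshot(root)
    added, removed, changed = diff(baseline, current)
    return added, removed, changed, hidden_entries(current)


if __name__ == "__main__":
    added, removed, changed, hidden = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
    print("hidden: ", hidden)
```

The baseline only has value if it is stored somewhere the attacker cannot reach from the monitored host (the answer's "all bets are off" case), and the comparison is only as honest as the kernel it runs on, which is why the rootkit caveat in the answer still applies to this and to Tripwire alike.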

Not sure what you want to do with your 'file'? Some of your examples just seem like you want to write and read to some scratch space. If you have already rooted the box these file operations aren't hard to deal with. You can write to the root reserved space in the ext filesystem for example.

If you want to leave a cheesy setuid binary lying around in some obfuscated manner, you could toss it under a filesystem mount so that mundane 'gnufind' utilities couldn't get to it.

hpavc
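The second point in the answer above, a file left under a directory that later has a filesystem mounted on it, is the one an ordinary find over the live tree cannot see. The defender's check is a bind mount of the parent filesystem: a plain `mount --bind / /mnt/view` carries no sub-mounts, so the underlying directories of every mount point are visible through the view. The following is an added Python example (my own code, not hpavc's): `read_mountpoints` takes mount points from /proc/mounts, `shadowed_entries` walks each one through the bind-mounted view, and `main` sets up and tears down the view (root required; assumes `mount` and `umount` are on PATH). `demo()` runs the comparison on a constructed view tree and a constructed mounts file instead, so it needs no privileges.

```python
"""Report files shadowed by a mount on the live tree (added example)."""
import os
import subprocess
import tempfile
from typing import List


def read_mountpoints(proc_mounts: str = "/proc/mounts") -> List[str]:
    """Mount points other than '/' from a /proc/mounts-style file (field 2 of each line)."""
    points = []
    with open(proc_mounts) as f:
        for line in f:
            fields = line.split()
            if len(fields) >= 2 and fields[1] != "/":
                # /proc/mounts encodes a space in a path as the octal escape \040
                points.append(fields[1].replace("\\040", " "))
    return points


def shadowed_entries(view_root: str, mountpoints: List[str]) -> List[str]:
    """Entries found under each mount point when looking through view_root.

    view_root is expected to be a plain bind mount of the root filesystem, so
    what sits at view_root/<mountpoint> is the directory underneath the mount.
    """
    found = []
    for mp in mountpoints:
        under = os.path.join(view_root, mp.lstrip("/"))
        if not os.path.isdir(under):
            continue  # mount point lives on another filesystem, not on the one in the view
        for dirpath, dirnames, filenames in os.walk(under):
            for name in dirnames + filenames:
                rel = os.path.relpath(os.path.join(dirpath, name), view_root)
                found.append("/" + rel)
    return sorted(found)


def main() -> int:
    """Bind-mount '/' to a temporary directory, scan, then clean up. Needs root."""
    view = tempfile.mkdtemp(prefix="rootview-")
    subprocess.run(["mount", "--bind", "/", view], check=True)
    try:
        hits = shadowed_entries(view, read_mountpoints())
    finally:
        subprocess.run(["umount", view], check=True)
        os.rmdir(view)
    for path in hits:
        print("shadowed by mount:", path)
    return len(hits)


def demo() -> List[str]:
    """Constructed view: something hides under /home, /proc is clean, one mount is elsewhere."""
    view = tempfile.mkdtemp(prefix="view-demo-")
    os.makedirs(os.path.join(view, "home", ".stash"))
    open(os.path.join(view, "home", ".stash", "tool"), "w").close()
    os.makedirs(os.path.join(view, "proc"))
    mounts = os.path.join(view, "mounts.txt")
    with open(mounts, "w") as f:
        f.write("/dev/sda1 / ext4 rw 0 0\n"
                "/dev/sdb1 /home ext4 rw 0 0\n"
                "proc /proc proc rw 0 0\n"
                "tmpfs /media/my\\040disk tmpfs rw 0 0\n")
    return shadowed_entries(view, read_mountpoints(mounts))


if __name__ == "__main__":
    print(demo())
```

A hit is not automatically hostile (some packages leave a placeholder file in a mount point directory), so the output is a list to review against what the system should have rather than an alarm on its own; the first answer's caveat also holds here, since a rootkit that filters directory reads filters the bind-mounted view too.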