Finding Passwords

Martin Weitzel martin at mwtech.UUCP
Wed Sep 26 20:39:55 AEST 1990


In article <3346:Sep2422:01:3090 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
[about how to avoid getting trapped by a trojan horse]
>
>And what if it imitates getty and login in all respects?
[...]
>You cannot reliably *detect* a Trojan Horse unless you can reliably
>*avoid* a Trojan horse.
[...]

Agreed. You cannot do it ... at least not before login, but I think
there are some ways to know really soon if you have been trapped by
a trojan login, and even to find out who installed it.

[Small sidenote: According to the excellent book "UNIX System Security"
(Kochan + Wood), what we are speaking about is not a "trojan horse",
but a "spoof". But to avoid confusion, for this thread I'll stay with
the term "trojan".]

The key for the following ideas is that a trojan getty can never
look all right in the ps-list (unless the one who installed it already
has access as root, but in this case he wouldn't need a trojan
any more :-/).

If the trojan manages to show up as "getty" in the ps-list, it can be
easily detected as its UID is not 0. If the trojan has an ordinary
name in the ps-list, it can be detected by looking at the terminals
for which *no* gettys are active. If such a terminal shows a login-
screen, it's a trojan. In this case it should even be easy to find
the person who installed it by reading the login-history (provided
the system has no guest account, which IMHO is always a bad idea ...).

Based on the above, it should be feasible to have a daemon process
running permanently in the background that every minute or so
snapshots the ps-list and remembers the names of the tty-lines where
the "real" gettys are running. After someone has logged in, the
.profile could contain a command to query the daemon how long the
getty has been active for this terminal before. If it turns out that
no getty has been active in the last minutes before login though there
was apparently nobody working at this terminal, you have been trapped
by a trojan and can immediately change your password.

Furthermore, the system administrator can now look at who used this
terminal immediately before you, and so find the one who installed
the trojan.

I can see few chances to circumvent these security barriers. Especially
it would be hard for the trojan to correctly simulate the behaviour that
occurs *after* your login without knowing your .profile. Hence it can
not tell you "everything's O.K., the terminal was 10 minutes unused
before your login" and then continue as you would expect.
-- 
Martin Weitzel, email: martin at mwtech.UUCP, voice: 49-(0)6151-6 56 83
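A small model of the daemon and .profile check described in the post above, added here as an illustration and not part of the original message. It assumes a constructed ps line format of "UID PID TTY COMMAND..." and treats a process named getty with UID 0 as the real one; the snapshots, tty names and PIDs are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class GettyWatch:
    """Minute-by-minute record of the ttys on which a root-owned getty was seen."""
    seen: dict = field(default_factory=dict)  # tty -> set of minutes

    def snapshot(self, minute, ps_lines):
        """Digest one ps snapshot (assumed line format: 'UID PID TTY COMMAND...').
        Records real gettys per tty; a 'getty' with UID != 0 is returned as an impostor."""
        impostors = []
        for line in ps_lines:
            uid, pid, tty, cmd = line.split(None, 3)
            if cmd.split()[0].rsplit("/", 1)[-1] != "getty":
                continue
            if uid == "0":
                self.seen.setdefault(tty, set()).add(minute)
            else:
                impostors.append((tty, pid, uid))
        return impostors

    def getty_minutes_before(self, tty, login_minute):
        """Consecutive minutes before login_minute in which a real getty held tty."""
        minutes, n = self.seen.get(tty, set()), 0
        while (login_minute - 1 - n) in minutes:
            n += 1
        return n

    def login_ok(self, tty, login_minute, min_idle=1):
        """The .profile-side query: a real getty must have held the line just before login."""
        return self.getty_minutes_before(tty, login_minute) >= min_idle

# Constructed snapshots, one per minute. tty02 keeps its real getty; on tty03
# user 201's program takes over the line at minute 3 and calls itself getty at 4.
PS = {
    1: ["0 41 tty02 /etc/getty tty02", "0 42 tty03 /etc/getty tty03", "201 88 tty01 -sh"],
    2: ["0 41 tty02 /etc/getty tty02", "0 42 tty03 /etc/getty tty03", "201 88 tty01 -sh"],
    3: ["0 41 tty02 /etc/getty tty02", "201 95 tty03 a.out", "201 88 tty01 -sh"],
    4: ["0 41 tty02 /etc/getty tty02", "201 95 tty03 getty", "201 88 tty01 -sh"],
}

def run_scenario():
    """Feed the snapshots to the daemon; return it and the impostors found per minute."""
    watch, impostors = GettyWatch(), {}
    for minute in sorted(PS):
        found = watch.snapshot(minute, PS[minute])
        if found:
            impostors[minute] = found
    return watch, impostors
```

A login on tty03 at minute 5 fails the check because no real getty held that line in the preceding minutes, while the UID-201 "getty" at minute 4 is reported directly; as the post notes, all of this rests on the ps-list being trustworthy, which an attacker who already has root can defeat.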