Path: utzoo!attcan!uunet!mcsun!unido!mikros!mwtech!martin
From: martin@mwtech.UUCP (Martin Weitzel)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <936@mwtech.UUCP>
Date: 26 Sep 90 10:39:55 GMT
References: <50845@brunix.UUCP> <4086@auspex.auspex.com> <3346:Sep2422:01:3090@kramden.acf.nyu.
Reply-To: martin@mwtech.UUCP (Martin Weitzel)
Organization: MIKROS Systemware, Darmstadt/W-Germany
Lines: 52

In article <3346:Sep2422:01:3090@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
[about how to avoid getting trapped by a trojan horse]
>
>And what if it imitates getty and login in all respects?
[...]
>You cannot reliably *detect* a Trojan Horse unless you can reliably
>*avoid* a Trojan horse.
[...]

Agreed. You cannot do it ... at least not before login, but I think there are some ways to know really soon if you have been trapped by a trojan login, and even to find out who installed it.

[Small sidenote: According to the excellent book "UNIX System Security" (Kochan + Wood), what we are speaking about is not a "trojan horse", but a "spoof". But to avoid confusion, for this thread I'll stay with the term "trojan".]

The key for the following ideas is that a trojan getty can never look all right in the ps-list (unless the one who installed it already has access as root, but in this case he wouldn't need a trojan any more :-/).

If the trojan manages to show up as "getty" in the ps-list, it can be easily detected as its UID is not 0. If the trojan has an ordinary name in the ps-list, it can be detected by looking at the terminals for which *no* gettys are active. If such a terminal shows a login screen, it's a trojan. In this case it should even be easy to find the person who installed it by reading the login history (provided the system has no guest account, which IMHO is always a bad idea ...).
Based on the above, it should be feasible to have a daemon process running permanently in the background that every minute or so snapshots the ps-list and remembers the names of the tty lines where the "real" gettys are running. After someone has logged in, the .profile could contain a command to query the daemon how long the getty had been active on this terminal before. If it turns out that no getty has been active in the last minutes before login, though there was apparently nobody working at this terminal, you have been trapped by a trojan and can immediately change your password. Furthermore, the system administrator can now look who used this terminal immediately before you, and so find the one who installed the trojan.

I can see few chances to circumvent these security barriers. Especially, it would be hard for the trojan to correctly simulate the behaviour that occurs *after* your login without knowing your .profile. Hence it cannot tell you "everything's O.K., the terminal was 10 minutes unused before your login" and then continue as you would expect it.
-- 
Martin Weitzel, email: martin@mwtech.UUCP, voice: 49-(0)6151-6 56 83
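The getty-watching daemon and the .profile query sketched in the post, as an added simulation that is not part of the original article: it applies the UID-0 test to each ps snapshot, records when a real getty was last seen on every tty, and answers the post-login question "was a real getty on my line shortly before I logged in?". The ps format (`uid tty command`), the constructed snapshots, and the polling/grace values are assumptions for illustration.

```python
"""Simulation of the post's getty-watching daemon (constructed example)."""
from collections import namedtuple

# Assumed simplified ps line: numeric uid, tty name, command name.
Proc = namedtuple("Proc", "uid tty comm")


def parse_ps(snapshot):
    """Parse constructed 'uid tty comm' lines into Proc records."""
    procs = []
    for line in snapshot.strip().splitlines():
        uid, tty, comm = line.split(None, 2)
        procs.append(Proc(int(uid), tty, comm))
    return procs


def real_getty_ttys(procs):
    """A real getty runs as root (UID 0); anything else named getty is suspect."""
    return {p.tty for p in procs if p.comm == "getty" and p.uid == 0}


def fake_gettys(procs):
    """Processes calling themselves getty but not owned by root: (tty, uid)."""
    return [(p.tty, p.uid) for p in procs if p.comm == "getty" and p.uid != 0]


class GettyWatcher:
    """Daemon state: for each tty, the last time a root getty was seen on it."""

    def __init__(self):
        self.last_seen = {}

    def snapshot(self, now, procs):
        """Called once per polling interval with the current ps list."""
        for tty in real_getty_ttys(procs):
            self.last_seen[tty] = now

    def getty_gap_before(self, tty, login_time):
        """Seconds between the last real getty sighting and login; None if never seen."""
        if tty not in self.last_seen:
            return None
        return login_time - self.last_seen[tty]


def profile_check(watcher, tty, login_time, max_gap=120):
    """The .profile query: True if a real getty was on this tty within max_gap
    seconds (two polls, assumed) before login; False means the login screen
    you typed your password into was not the system's getty."""
    gap = watcher.getty_gap_before(tty, login_time)
    return gap is not None and gap <= max_gap
```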