Path: utzoo!utgpu!utstat!jarvis.csri.toronto.edu!mailrus!purdue!haven!adm!xadmx!drears@PICA.ARMY.MIL
From: drears@PICA.ARMY.MIL (Dennis G. Rears (FSAC))
Newsgroups: comp.unix.questions
Subject: Re: Hiding stuff
Message-ID: <18769@adm.BRL.MIL>
Date: 20 Mar 89 18:24:26 GMT
Sender: news@adm.BRL.MIL
Lines: 51

Elmar writes:

>In article <18676@adm.BRL.MIL> drears@PICA.ARMY.MIL (Dennis G. Rears (FSAC)) writes:
>>[The original poster - I lost the name] wrote:
>>> How do I hide what I am doing, specifically, when someone invokes a
>>>w,who,top,finger,ps,lastcom,etc..., it doesn't show what I am doing.
>> My favourite way is to "rsh hostname /bin/csh".
>
>You need 'csh -i'. But it's not very funny to work if you have no tty accessed
>and therefore NO job control in the shell.

   You do not *need* csh -i; on my Ultrix system I just use /bin/csh.

>
>>w, who, finger, lastcom can't catch me.
>
>lastcomm DOES catch you!

   I don't know.  We have all accounting disabled on our system.

>
>> Ps, and top can catch me
>>however. Then I use the command "ch realcmd arguments" to run any
>>program. Ch basically puts spaces into argv[0]. This will hide it
>>from ps and top.
>
>I don't know the command 'top', maybe that's what we call 'lastcomm' which
>shows the last commands which had been executed. But, if you use 'top' the way
>we use 'lastcomm', what does your 'lastcom' with one 'm' at the end do?
>
>Anyway, 'ps -auxww' will show the arguments you use. Note the two 'w's.
>(Under 4.x bsd and Ultrix 3.0)

   This is easily defeated. Have the first argument be nothing but 90 spaces
inside quotation marks. My response was meant as a way to hide what you are
doing from a casual user, not a system admin. If you really want to hide
stuff, write a program that does:

   o Find the location of the file.
   o If not suid or sgid, copy it with name of " ".
   o fork a child; put it to sleep, wake it up 2 seconds later, have it
     unlink(" "); exit
   o parent execs file " "
   o if the file is suid, check to see if you have write permission on any
     directory in the filesystem (i.e. /usr/tmp), then make a hard link to
     it, then continue with the fork.

Dennis
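The tricks discussed in this thread (blanking argv[0], padding the command line with a long run of spaces, running a copy of a binary named " ") all leave traces that an administrator can look for rather than rely on what ps prints. The following is an added example, not code from the original post: a Python check that scans process records for exactly those traces. It works on a list of records so it can run offline on constructed sample data; on Linux, collect_from_proc() builds the same records from /proc/<pid>/cmdline and /proc/<pid>/exe (the /proc layout and the PAD_THRESHOLD value are assumptions of this example).

```python
"""Spot processes whose command line or executable name has been blanked.

Added example for this thread, not code from the post. Detection only: it
reports processes whose argv[0] is whitespace, whose command line carries a
long whitespace-only argument, or whose executable file name is whitespace.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a whitespace-only argument at least this long is treated as padding.
PAD_THRESHOLD = 32


@dataclass
class ProcRecord:
    pid: int
    argv: List[str]          # argv as recorded by the kernel (decoded)
    exe: Optional[str]       # resolved executable path, None if unreadable


def suspicious_reasons(rec: ProcRecord) -> List[str]:
    """Return the list of reasons a record looks like it is hiding itself."""
    reasons: List[str] = []
    if not rec.argv:
        return reasons  # empty cmdline: kernel thread, nothing to judge here
    argv0 = rec.argv[0]
    if argv0.strip() == "":
        reasons.append("argv[0] is empty or whitespace-only")
    for arg in rec.argv[1:]:
        if arg.strip() == "" and len(arg) >= PAD_THRESHOLD:
            reasons.append(f"whitespace-only argument of {len(arg)} bytes pads the command line")
            break
    if rec.exe is not None:
        exe_base = os.path.basename(rec.exe)
        if exe_base.strip() == "":
            reasons.append("executable file name is whitespace-only")
        elif argv0.strip():
            # Login shells prefix argv[0] with '-', so strip it before comparing.
            shown = os.path.basename(argv0.lstrip("-"))
            if shown != exe_base:
                reasons.append(f"argv[0] {argv0!r} does not name exe {exe_base!r} "
                               "(weak signal: symlinks and wrappers also cause this)")
    return reasons


def scan(records: List[ProcRecord]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every record that raised at least one reason."""
    return {r.pid: suspicious_reasons(r) for r in records if suspicious_reasons(r)}


def collect_from_proc(proc: str = "/proc") -> List[ProcRecord]:
    """Build records from a Linux /proc tree; returns [] where /proc is absent."""
    records: List[ProcRecord] = []
    if not os.path.isdir(proc):
        return records
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc}/{name}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or is not readable
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0")]
        if argv and argv[-1] == "":
            argv.pop()  # cmdline is NUL-terminated; drop the trailing empty field
        try:
            exe: Optional[str] = os.readlink(f"{proc}/{name}/exe")
            if exe.endswith(" (deleted)"):
                exe = exe[: -len(" (deleted)")]
        except OSError:
            exe = None  # another user's process or a kernel thread
        records.append(ProcRecord(int(name), argv, exe))
    return records


# Constructed sample records (not captured from a real system).
SAMPLE = [
    ProcRecord(1, ["/sbin/init"], "/sbin/init"),
    ProcRecord(2, [" "], "/usr/tmp/ "),                       # binary copied as " "
    ProcRecord(3, ["realcmd", " " * 90, "arg"], "/usr/bin/realcmd"),  # padded argv
    ProcRecord(4, ["-bash"], "/bin/bash"),                    # ordinary login shell
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE).items():
        print(f"sample pid {pid}: {'; '.join(why)}")
    for pid, why in scan(collect_from_proc()).items():
        print(f"live pid {pid}: {'; '.join(why)}")
```

The argv[0]/exe mismatch is reported as a weak signal on purpose: interpreters invoked through symlinks and wrapper scripts trip it routinely, so treat it as a prompt to look at the process, while whitespace-only names and padding arguments are the strong indicators. Process accounting (lastcomm), where enabled, records the executable name independently of argv and is the complementary check the thread itself mentions.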