Hacking Linux Exposed





previous article
next article
/proc/config offers a post-intrusion clue
By Bri Hatch.

Summary: A non-standard kernel patch provides some insight into a cracker's activities.

The /proc filesystem is populated by files that are hooks into the kernel. For example running cat /proc/version will let you see the version of the Linux kernel that's running, who it was compiled by, and when. The /proc/### directories contain info about the processes that are running on your system. The files under the /proc/sys directory can let you view and, in some cases, change characteristics of the kernel at run time.

So what is the purpose of /proc/config? Heck - I'd never even heard of /proc/config until this issue came up. /proc/config is only available in your kernel if you apply a patch and enable it using CONFIG_PROC_CONFIG when you compile.

/proc/config is actually pretty handy -- it shows you the compile-time configuration settings for the kernel:

  $ head /proc/config

Say you want to upgrade to the next available kernel. Your current kernel works fine, so you'd like to use the same parameters, but you accidentally lost your original .config configuration file. Simply cat /proc/config > /usr/src/linux/.config and you're ready to go.

Anyway, a friend has a computer that has /proc/config enabled. He runs a file integrity check every night out of cron.[1] One day he found that /proc/config had been changed.

The first thing I thought to myself is that he must be crazy. Checking all of /proc with a file integrity tool is pretty painful - one might even say pointless. Since the files there aren't real files, they're not as static as real files. The timestamp of files in /proc, with a few exceptions, is always equal to the current time. The file size of most files is reported as 0, even when they do present data when read.

  $ date
  Thu May 22 14:00:00 PDT 2003
  $ ls -la /proc/cmdline
  -r--r--r--    1 root     root            0 May 22 14:00 /proc/cmdline
  $ cat /proc/cmdline
  BOOT_IMAGE=2.4.18 ro root=305 apm=on

This must lead to huge numbers of false positives with file integrity checkers, unless you turn off timestamp tests and such. Some of these files are constantly changing, such as /proc/{stat,uptime,PID}. He assures me that /proc has lots of false positives, which he's cleaned up by liberal use of post processing with egrep...

But, my worries aside, it seemed that indeed /proc/config had been changed. He'd compiled his kernel on his own, and checked his kernel sources in /usr/src/linux, and nothing seemed amiss. Comparing his old .config kernel compilation configuration file with the output of /proc/config clearly showed something fishing was going on:

  $ cd tmp
  $ scp backupserver:/path/to/.config oldconfig
  $ sort oldconfig > oldconfig.sort
  $ sort /proc/config > curconfig.sort
  $ diff oldconfig.sort curconfig.sort

Those three lines represent kernel configuration parameters that were not in his original .config file.[2] While I have no idea what RARBOG is, the _BD bits makes me think "backdoor", UDP_PRT makes me think "UDP port", and _HIDE is non too encouraging.

There wasn't any process actively listening on port 18872,[3] however it's quite possible for the kernel to be watching for packets on that port without actively binding it.[4]

We scoured the machine looking for the kernel modifications that allowed the CONFIG_RARBOG, but couldn't find them on the filesystem, or by looking through the unallocated sectors of the disk. Most likely the cracker compiled the kernel elsewhere and uploaded it. (It was polite that he used the same configuration file for maximum compatibility...)

If anyone has a copy of this RARBOG kernel patch, I'd love to see it. Regardless, the machine has been taken off line and is currently having the software re-installed from clean sources.

And hopefully this'll teach him not to administer his machine from a university network over telnet any more...


[1] Running a file integrity tool out of cron isn't the best method - a cracker who has gotten root access can easily munge with your database or program invocation to hide his activities. The most sure method to run a file integrity tool is at the console, booted from secure cd/floppy media, in single user mode. However, it's better than nothing.

[2] For completeness, we ran the same checksum algorithms on the oldconfig file to verify that they matched the original (pre-intrusion) /proc/config checksums.

[3] We tested lsof locally, which isn't the most reliable thing to use when the kernel is suspect, and then nmap from the neighboring machine.

[4] Some port scan detectors work in this fashion - rather than binding an unused port and accepting connections they bind raw sockets and watch for any inbound accesses to ports that are not currently bound to processes.

Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. Given his wetware's shortage of /proc/kcore and the excessive number of /proc/interrupts, it's amazing he ever gets any real work done. Bri can be reached at bri@hackinglinuxexposed.com.

Copyright Bri Hatch, 2003

This is the May 22, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.

previous article
next article