Sidebar: Mask file formats
ps mask file -- An example /dev/ptyp mask file is as follows:

    0 0          # Strips all output with processes running under root
    1 p0         # Strips all output associated with tty ttyp0
    2 sniffer    # Strips from output all programs with the name sniffer

Only the first 125 characters in a line are significant. strtok(3) is used to parse a line of input, and no error checking is done on the format or number of fields. One result is that a blank line in the file will most probably cause a segmentation violation. Only the first two fields in a line are looked at; so, even though comments are not explicitly supported, they are benign. As shown above, there are three types of specifications. A specification other than 0, 1, or 2 will be ignored. With specification 2, only the name of a program is checked, not any options or arguments that would be seen with ps -w.
netstat mask file -- An example /dev/ptyq mask file is shown below. (Note that "foreign" refers to connections from the local host out, and "local" refers to connections into the local host.) The SunOS and Linux versions use slightly different encodings for masking actions.

SunOS Rootkit:

    0 6667          # Strip all foreign irc network connections (port #)
    1 23            # Strip all local telnet connections (port #)
    2 192.88.209.5  # Strip all foreign connections from cert.org
    3 128.120.1.    # Strip all local connections to a ucd subnet

Linux Rootkit:

    0 500           <- Hides all connections by uid 500
    1 128.31        <- Hides all local connections from 128.31.X.X
    2 128.31.39.20  <- Hides all remote connections to 128.31.39.20
    3 8000          <- Hides all local connections from port 8000
    4 6667          <- Hides all remote connections to port 6667
    5 .term/socket  <- Hides all UNIX sockets including the path .term/socket

The code to read in the file is the same as for ps, so the same limitations apply: only the first two fields of a line are used, and a blank line will most probably cause a segmentation violation. As shown above, the set of specification types depends on the version (0 through 3 for SunOS, 0 through 5 for Linux); a specification other than those supported will be ignored. Not all versions support the mask file "override" option.
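The reader and the matching rules described for the ps and netstat mask files, as an added example written for this sidebar (it is not the rootkit's own code): a small Python decoder that reads a mask file with the same first-two-fields rule, reports a blank or one-field line instead of crashing on it, truncates at 125 characters, and applies the result to constructed ps records and Linux-encoded netstat records. The record layout, the treatment of address specs as prefixes (the text documents "1 128.31" as matching 128.31.X.X), the substring match for UNIX socket paths, and all sample data are assumptions made for the example.

```python
# Decoder for the ps and netstat mask files.  Added example, not the
# rootkit's own code; every record below is constructed sample data.

LINE_LIMIT = 125   # only the first 125 characters of a line are significant


def parse_mask(text):
    """Return [(spec, value), ...], one per line, using only the first two
    whitespace-separated fields (so a trailing '# comment' is benign).
    A line with fewer than two fields is reported instead of being used:
    the strtok(3)-based reader in the rootkit does no checking and would
    most likely segfault on the NULL token it gets there."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line[:LINE_LIMIT].split()
        if len(fields) < 2:
            raise ValueError("line %d: fewer than two fields "
                             "(the original reader would crash here)" % lineno)
        entries.append((fields[0], fields[1]))
    return entries


def ps_hidden(mask, procs):
    """procs: dicts with uid, tty and comm.  Returns the records the ps
    mask would strip.  Spec 2 compares the program name only, never the
    arguments that ps -w would show; unknown specs are ignored."""
    def stripped(p):
        for spec, value in mask:
            if spec == "0" and str(p["uid"]) == value:
                return True
            if spec == "1" and p["tty"] == value:
                return True
            if spec == "2" and p["comm"] == value:
                return True
        return False
    return [p for p in procs if stripped(p)]


def netstat_hidden_linux(mask, conns):
    """Linux encoding: 0 uid, 1 local address, 2 remote address,
    3 local port, 4 remote port, 5 UNIX socket path.  Assumptions:
    address specs are prefixes (the text shows '1 128.31' hiding
    128.31.X.X) and spec 5 is a substring of the socket path."""
    def stripped(c):
        for spec, value in mask:
            if "path" in c:                      # UNIX socket record
                if spec == "5" and value in c["path"]:
                    return True
                continue
            if ((spec == "0" and str(c["uid"]) == value) or
                    (spec == "1" and c["laddr"].startswith(value)) or
                    (spec == "2" and c["raddr"].startswith(value)) or
                    (spec == "3" and str(c["lport"]) == value) or
                    (spec == "4" and str(c["rport"]) == value)):
                return True
        return False
    return [c for c in conns if stripped(c)]


# --- constructed sample data -------------------------------------------
PS_MASK = "0 0 # root\n1 p0 # ttyp0\n2 sniffer # name only\n9 bogus # ignored\n"
PROCS = [
    {"pid": 1,   "uid": 0,   "tty": "?",  "comm": "init"},
    {"pid": 212, "uid": 500, "tty": "p0", "comm": "bash"},
    {"pid": 340, "uid": 500, "tty": "p1", "comm": "sniffer"},   # args irrelevant
    {"pid": 341, "uid": 500, "tty": "p1", "comm": "sniffer2"},  # name differs
    {"pid": 350, "uid": 500, "tty": "p2", "comm": "vi"},
]

NETSTAT_MASK = ("0 500\n1 128.31\n2 128.31.39.20\n3 8000\n"
                "4 6667\n5 .term/socket\n")
CONNS = [
    {"id": "telnet-in", "uid": 0, "laddr": "10.0.0.5", "lport": 23,
     "raddr": "192.88.209.5", "rport": 1034},
    {"id": "irc-out", "uid": 0, "laddr": "10.0.0.5", "lport": 1025,
     "raddr": "10.9.9.9", "rport": 6667},
    {"id": "uid500", "uid": 500, "laddr": "10.0.0.5", "lport": 1026,
     "raddr": "10.9.9.10", "rport": 22},
    {"id": "subnet", "uid": 0, "laddr": "128.31.2.2", "lport": 1027,
     "raddr": "10.9.9.11", "rport": 80},
    {"id": "term", "uid": 0, "path": "/home/x/.term/socket"},
    {"id": "syslog", "uid": 0, "path": "/dev/log"},
]


def hidden_pids():
    return sorted(p["pid"] for p in ps_hidden(parse_mask(PS_MASK), PROCS))


def hidden_conn_ids():
    return [c["id"] for c in netstat_hidden_linux(parse_mask(NETSTAT_MASK), CONNS)]


if __name__ == "__main__":
    print("ps would hide PIDs:", hidden_pids())
    print("netstat would hide:", hidden_conn_ids())
```

Note how "sniffer2" and "sniffer -i eth0" differ from the rootkit's point of view: spec 2 is an exact compare on the program name, so a renamed binary is visible while a masked one stays hidden whatever arguments it was started with. A comment-only line such as "# two words" survives parsing as the ignored spec "#", which is why comments are benign, but a lone "#" on a line of its own would be a one-field line and trip the crash described above.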
ls/du mask file -- An example /dev/ptyr mask file is as follows:

    sunsnif
    icmpfake

Only the first 125 characters in a line are significant. There is no parsing of the specification line, and the entire line (up to 125 characters) is used, so comments are not allowable in this file. The code assumes that there will be a terminating \n (i.e., that the specification line was at most 124 characters), and that last character is blindly removed. Thus, a filename longer than 124 characters cannot be masked. Only filenames may be specified; UIDs and GIDs cannot be. This is a plus for the good guys.
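The ls/du mask reader and its 124-character limit, as an added example written for this sidebar (not the rootkit's own code): a Python reader that takes each line whole, keeps at most 125 bytes, and removes the last byte blindly, exactly as described, then applies the result to a constructed directory listing. It also shows two consequences of that behaviour that follow from the description: a 125-character filename loses its last character and so is never matched, and a mask file saved without a trailing newline masks the wrong name. The assumption that a line longer than 125 bytes is cut there and the remainder discarded, and all sample names, are the example's own.

```python
# Reader for the ls/du mask file.  Added example, not the rootkit's own
# code; it reproduces the behaviour described above so the consequences
# can be checked.  Assumption: a line longer than 125 bytes is cut there
# and the remainder discarded.

LINE_LIMIT = 125   # only the first 125 characters of a line are significant


def parse_ls_mask(raw):
    """raw: mask file contents as bytes.  Each line is used whole (no
    parsing, so no comments); at most LINE_LIMIT bytes are kept and the
    last byte is removed blindly on the assumption that it is '\\n'."""
    names = []
    for line in raw.splitlines(keepends=True):
        buf = line[:LINE_LIMIT]
        names.append(buf[:-1].decode("latin-1"))   # the "blind" strip
    return names


def ls_hidden(mask, listing):
    """Names in listing that the masked ls/du would suppress: an exact
    match on the filename, nothing else (there are no UID/GID specs)."""
    masked = set(mask)
    return [name for name in listing if name in masked]


# --- constructed sample data -------------------------------------------
LONG_OK = "a" * 124           # 124 chars + '\n' fits the 125-byte line
TOO_LONG = "b" * 125          # 125 chars: the 125th is what gets stripped

MASK_FILE = (b"sunsnif\n"
             b"icmpfake\n"
             + LONG_OK.encode() + b"\n"
             + TOO_LONG.encode() + b"\n")

LISTING = ["sunsnif", "sunsnif.c", "icmpfake", LONG_OK, TOO_LONG, "notes.txt"]


def hidden_names():
    return ls_hidden(parse_ls_mask(MASK_FILE), LISTING)


def no_trailing_newline():
    """A mask file whose last line lacks '\\n' loses a real character:
    the entry meant to hide 'sunsnif' hides 'sunsni' instead."""
    return parse_ls_mask(b"sunsnif")


if __name__ == "__main__":
    print("hidden:", hidden_names())
    print("without newline:", no_trailing_newline())
```

The 125-character "b" name stays visible because the reader only ever sees its first 124 characters, which is the limit the text describes. A line such as "# tools" is not a comment here either; it becomes a masked name in its own right, harmless only as long as no file by that name exists.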
syslog mask file, Linux only -- An example /dev/ptys mask file is as follows:

    evil.com
    123.100.101.202
    rshd