Cover V05, I11

Sidebar: Mask file formats

ps mask file - An example /dev/ptyp mask file is as follows:

0 0       # Strips all output with processes running under root
1 p0      # Strips all output associated with tty ttyp0
2 sniffer # Strips from output all programs with the name sniffer

Only the first 125 characters in a line are significant. strtok(3) is used to parse a line of input, and no error checking is done on the format or number of fields. One result is that a blank line in the file will most probably cause a segmentation violation. Only the first two fields in a line are looked at; so, even though comments are not explicitly supported, they are benign. As shown above, there are three types of specifications. A specification other than 0, 1, or 2 will be ignored. With specification 2, only the name of a program is checked, not any options or arguments that would be seen with ps -w.

netstat mask file - An example /dev/ptyq mask file is shown below. (Note that "foreign" refers to connections from the local host out, and "local" refers to connections into the local host.) The SunOS and Linux versions use slightly different encodings for masking actions.

SunOS Rootkit:

0 6667          # Strip all foreign irc network connections (port #)
1 23            # Strip all local telnet connections (port #)
2 192.88.209.5  # Strip all foreign connections from cert.org
3 128.120.1.    # Strip all local connections to a ucd subnet

Linux Rootkit:

0 500          <- Hides all connections by uid 500
1 128.31       <- Hides all local connections from 128.31.X.X
2 128.31.39.20 <- Hides all remote connections to 128.31.39.20
3 8000         <- Hides all local connections from port 8000
4 6667         <- Hides all remote connections to port 6667
5 .term/socket <- Hides all UNIX sockets including the path .term/socket

The code to read in the file is the same as for ps, so the same limitations apply.

As shown above, the SunOS version has four types of specification (0 through 3) and the Linux version six (0 through 5). A specification other than those supported will be ignored. Not all versions support the mask file "override" option.

ls/du mask file - An example /dev/ptyr mask file is as follows:

sunsnif
icmpfake

Only the first 125 characters in a line are significant. There is no parsing of the specification line; the entire line (up to 125 characters) is used, so comments are not allowable in this file. The code assumes that the line ends with a terminating \n (i.e., that the specification itself is at most 124 characters) and removes the last character blindly. Thus a filename longer than 124 characters cannot be masked, and a last line without a trailing newline loses its final character. Only filenames may be specified; specifically, UIDs and GIDs cannot be specified. This is a plus for the good guys.
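The readers described above, as an added example written for this sidebar rather than code taken from the rootkit or from nov96.tar. It is in C because that is what the trojaned ps, netstat and ls are written in, and it keeps the documented quirks so that an investigator who recovers /dev/ptyp or /dev/ptyr from a compromised system can tell, offline, what those binaries would have hidden: only the first 125 characters of a line count, fields come from strtok(3) with no checking (a blank or one-field line is the crash case, reported here as -1 instead of a segmentation violation), only the first two fields are used, an unrecognised first field is ignored, and the ls/du file compares the whole line after blindly dropping its last character. The netstat file goes through the same parse_rule_line with a larger maximum type (3 for SunOS, 5 for Linux); its matching is not shown. The function names, the decision to recognise the type by the first character of field one, and the sample mask-file text are assumptions made for this example.

```c
/* Added example written for this sidebar; it is not code from the rootkit or
 * from nov96.tar.  It re-implements the two mask-file readers described above
 * with their documented quirks (125 significant characters, strtok(3) fields
 * with no checking, two fields used, unknown first field ignored, ls/du line
 * taken whole with its last character blindly dropped).  Function names, the
 * first-character type match and the sample records are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MASK_LINE_MAX 125
/* 124- and 125-character filenames, to probe the ls/du reader's limit. */
#define A10  "aaaaaaaaaa"
#define A124 A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 "aaaa"
#define A125 A124 "a"

struct rule {
    int  type;                    /* first field: 0, 1 or 2 in the ps file */
    char arg[MASK_LINE_MAX + 1];  /* second field, verbatim */
};

/* One line as fgets(buf, 126, fp) would see it: 125 characters at most. */
static void take_line(const char *src, size_t len, char *buf)
{
    if (len > MASK_LINE_MAX) len = MASK_LINE_MAX;
    memcpy(buf, src, len);
    buf[len] = '\0';
}

/* ps/netstat reader (max_type: 2 for ps, 3 or 5 for the two netstats).
 * 1: rule stored; 0: line ignored (a '#' first field is unknown, so comments
 * are benign); -1: blank or one-field line, where the original dereferences
 * the NULL that strtok(3) returns. */
int parse_rule_line(const char *line, size_t len, int max_type, struct rule *r)
{
    char buf[MASK_LINE_MAX + 1];
    char *f1, *f2;

    take_line(line, len, buf);
    f1 = strtok(buf, " \t");
    f2 = f1 ? strtok(NULL, " \t") : NULL;
    if (f1 == NULL || f2 == NULL) return -1;
    if (strlen(f1) != 1 || f1[0] < '0' || f1[0] > '0' + max_type) return 0;
    r->type = f1[0] - '0';
    strcpy(r->arg, f2);           /* fits: f2 came from the 125-byte buffer */
    return 1;
}

/* Would the trojaned ps drop this record, given the /dev/ptyp text?  The
 * whole file is read before anything is filtered, as in the original, so a
 * bad line anywhere means a crash (-1).  The match is on the numeric UID, the
 * TT column ("p0" for ttyp0) and the bare program name, never on arguments. */
int ps_hidden(const char *text, int uid, const char *tty, const char *cmd)
{
    struct rule r;
    int hit = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        int rc = parse_rule_line(text, len, 2, &r);
        if (rc < 0) return -1;
        if (rc == 1 && ((r.type == 0 && atoi(r.arg) == uid) ||
                        (r.type == 1 && strcmp(r.arg, tty) == 0) ||
                        (r.type == 2 && strcmp(r.arg, cmd) == 0)))
            hit = 1;
        if (!nl) break;
        text = nl + 1;
    }
    return hit;
}

/* ls/du reader: the whole line (125 characters at most) is the filename; the
 * last character is assumed to be '\n' and dropped without looking, so a
 * name longer than 124 characters can never match. */
int ls_hidden(const char *text, const char *name)
{
    char buf[MASK_LINE_MAX + 1];
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text + 1) : strlen(text);
        take_line(text, len, buf);
        if (buf[0]) buf[strlen(buf) - 1] = '\0';
        if (strcmp(buf, name) == 0) return 1;
        if (!nl) break;
        text = nl + 1;
    }
    return 0;
}

/* Constructed sample /dev/ptyp: the one shown in the sidebar. */
static const char ps_mask[] =
    "0 0       # Strips all output with processes running under root\n"
    "1 p0      # Strips all output associated with tty ttyp0\n"
    "2 sniffer # Strips from output all programs with the name sniffer\n";

int main(void)
{
    printf("root sh on p1 hidden: %d\n", ps_hidden(ps_mask, 0, "p1", "sh"));
    printf("125-char name masked: %d\n", ls_hidden(A125 "\n", A125));
    return 0;
}
```

Compile with cc -o maskcheck maskcheck.c (the file name is assumed). To examine a real recovered file, read it into a NUL-terminated buffer and pass the buffer to ps_hidden or ls_hidden; the blank-line crash, the benign comment lines and the 124-character limit described above all fall out of the same two functions, which is what makes the format worth modelling exactly rather than approximately.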

syslog mask file, Linux only - An example /dev/ptys mask file is as follows:

evil.com
123.100.101.202
rshd