Spyware susceptibility

Submitted by Anonymous
on October 2, 2004 - 12:24am

Does anyone know if it is possible to run a user program, process, thread, etc. and make the execution _not_ show up in the process list in /proc or the usual ps command in 2.6? I am hoping the answer is NO so that it would be impossible for user mode spyware to be installed on the system without showing up as a running user process. Thanks for any info... -Tony from Dallas,TX. USA

root kit

Anonymous
on
October 2, 2004 - 4:34am

Normally no, but if your system has been corrupted by a suspicious person it may be possible.

Search for "root kit" on Google.
This is a piece of software used for hacking (in the bad sense). It is supposed to hide some actions from the admin or the normal user (for instance, running a program in stealth mode ;-)
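The question above is whether a process can exist without appearing in /proc (and therefore in ps). The following is an added example, not code from the original thread, showing the classic counter-check: the /proc directory listing can be filtered, but kill(pid, 0) asks the kernel about one specific PID without listing anything, so a PID that answers the probe yet is missing from the listing has been hidden from readdir. It assumes the Linux /proc layout (including /proc/sys/kernel/pid_max); the thread-ID handling and the race recheck are my own additions.

```python
"""Added example (not from the original thread): find processes hidden from
the /proc directory listing, which is what ps reads.

Assumptions: Linux /proc layout, pid_max readable from /proc/sys/kernel/pid_max.
"""
import errno
import os
import re
from typing import Callable, Iterable, Optional, Set

_NUM = re.compile(r"^\d+$")


def listed_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs and thread IDs that the /proc listing admits to.

    Thread IDs matter: kill(tid, 0) succeeds for a non-leader thread even
    though only the thread-group leader appears at the top of /proc, so the
    TIDs under /proc/<pid>/task/ are collected too. Without this, every
    multithreaded process would look like it had hidden children.
    """
    ids: Set[int] = set()
    for name in os.listdir(proc_root):
        if not _NUM.match(name):
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc_root}/{name}/task")
                       if _NUM.match(t))
        except OSError:
            pass  # process exited while we were scanning it
    return ids


def pid_exists(pid: int) -> bool:
    """Probe one PID with no directory listing involved.

    Signal 0 delivers nothing. ESRCH means no such process; EPERM means the
    process exists but belongs to someone else, which still counts as alive.
    """
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def find_hidden_pids(visible: Set[int],
                     probe: Callable[[int], bool],
                     pid_range: Iterable[int],
                     recheck: Optional[Callable[[], Set[int]]] = None) -> Set[int]:
    """Return PIDs that answer `probe` but are absent from `visible`.

    `recheck`, when given, re-reads the listing after the sweep so a process
    that was simply started during the scan is not reported as hidden.
    """
    suspects = {pid for pid in pid_range if pid not in visible and probe(pid)}
    if suspects and recheck is not None:
        suspects -= recheck()
    return suspects


def scan_system(proc_root: str = "/proc") -> Set[int]:
    """Sweep the whole PID space of the running system."""
    try:
        with open(f"{proc_root}/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768  # the 2.6 default if the sysctl is unreadable
    return find_hidden_pids(listed_pids(proc_root), pid_exists,
                            range(1, pid_max + 1),
                            recheck=lambda: listed_pids(proc_root))


if __name__ == "__main__":
    hidden = scan_system()
    print("hidden PIDs:", sorted(hidden) if hidden else "none found")
```

This catches a rootkit that only filters the /proc listing (the LD_PRELOAD style that hooks readdir). It does not catch one that also lies in kill(), or a kernel-level rootkit that lies in every syscall, which is why the thread's point stands: once the kernel or root is compromised, nothing run from inside that system can be trusted, and checking has to happen from a clean boot medium.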

It is possible...

Anonymous
on
October 2, 2004 - 6:19am

Well, if a person is able to change the kernel it's possible... Otherwise, you can do it by hiding the process in another process, which is quite simple and impossible to prevent, but since almost all software running on a Linux machine is run through binaries that are read-only (to the user), it'd be extremely difficult to hide the process in an effective manner. Unless the spyware gets root privileges, which shouldn't happen.

Also, if you wanted to make your system nearly immune to spyware, just deny execution of binaries in your home directory and the tmp directory. Might break a few apps, but you can feel pretty safe after that.

easy and safe: noexec partitions

KiTaSuMbA
on
October 3, 2004 - 4:56am

A classic omission (I've done it myself a few times - /me blushes) is not locking down the /tmp directory against executables, which is necessarily fully accessible by world.
The easiest way to do so is to have a separate partition with the noexec option. The same can be applied to a /home partition. This of course would disable any scripts, plugins or other "personal" applications, but it can all be handled by having root put them somewhere system-wide like /usr/local and pointing other apps that may use them there... If this tends to become too troublesome due to complexity, yet you are determined to concede the least possible risk, special projects like grsecurity or SELinux can be more appropriate.
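As an added example (not code from the original thread), here is the audit a practitioner would run to see whether the advice above has actually been applied: read /proc/mounts, flag world-writable mountpoints that are either not separate mounts or lack noexec, and print the fstab line that fixes each one. The list of paths to watch and the sample /proc/mounts content are constructed for the example; /home is added to the watch list at the end to match the poster's suggestion.

```python
"""Added example (not from the original thread): audit world-writable
mountpoints for the noexec option and produce hardened fstab lines.

Input is the /proc/mounts format:  device mountpoint fstype options dump pass
Assumptions: the watch list and SAMPLE_PROC_MOUNTS below are constructed.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Directories every local user can write to; a file dropped here must not run.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")
HARDENING = ("noexec", "nosuid", "nodev")


def _unescape(field: str) -> str:
    """/proc/mounts encodes spaces and tabs in paths as octal escapes like \\040."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, Tuple[str, str, List[str]]]:
    """Map mountpoint -> (device, fstype, option list)."""
    mounts: Dict[str, Tuple[str, str, List[str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        device, mountpoint, fstype, opts = parts[:4]
        mounts[_unescape(mountpoint)] = (_unescape(device), fstype, opts.split(","))
    return mounts


def audit_noexec(mounts_text: str,
                 watch: Sequence[str] = WORLD_WRITABLE) -> Dict[str, str]:
    """Return {mountpoint: problem} for every watched path that still allows exec."""
    mounts = parse_mounts(mounts_text)
    findings: Dict[str, str] = {}
    for path in watch:
        if path not in mounts:
            # Not its own filesystem, so it inherits the parent's (exec) options.
            findings[path] = "not a separate mount: inherits exec-allowed options of its parent"
        elif "noexec" not in mounts[path][2]:
            findings[path] = "mounted without noexec"
    return findings


def hardened_fstab_line(device: str, mountpoint: str, fstype: str,
                        opts: Sequence[str], passno: int = 0) -> str:
    """fstab line with noexec,nosuid,nodev added; existing duplicates are folded in."""
    merged = [o for o in opts if o not in HARDENING] + list(HARDENING)
    return f"{device}\t{mountpoint}\t{fstype}\t{','.join(merged)}\t0\t{passno}"


# Constructed sample: /tmp is a separate mount but lacks noexec, /var/tmp is
# not a mount at all, /home and /dev/shm are already locked down.
SAMPLE_PROC_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda5 /home ext3 rw,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_PROC_MOUNTS)
    for path, problem in audit_noexec(SAMPLE_PROC_MOUNTS, WORLD_WRITABLE + ("/home",)).items():
        print(f"{path}: {problem}")
        if path in mounts:
            dev, fstype, opts = mounts[path]
            print("  suggested fstab line:", hardened_fstab_line(dev, path, fstype, opts))
```

To apply a finding without rebooting, `mount -o remount,noexec /tmp` takes effect immediately on a separate mount; the fstab line makes it persistent. The caveat worth keeping in mind: noexec denies direct execution of files on that filesystem, but `sh /tmp/x.sh` or `python /tmp/x.py` still runs, because the interpreter binary lives on a filesystem that allows exec. That is the gap the poster's pointer to grsecurity or SELinux is meant to close.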

a little bit OT:

Anonymous
on
October 3, 2004 - 7:46am

Anyway, if somebody is interested in scanning his system for infected files,
he should get the latest version of "chkrootkit"...

www.chkrootkit.org <--- check it out

see this thread

Anonymous
on
October 4, 2004 - 5:57pm

http://kerneltrap.org/node/view/3930

Not invisible, but still intriguing.
