5.33. Unusual or hidden files

It is important to not forget to look everywhere on the system for unusual or hidden files -files that start with a period and are normally not shown by the ls command, as these can be used to hide tools and information password cracking programs, password files from other systems, etc.. A common technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual name, something like '...' or '.. ' -dot dot space or ..-^G -dot dot ctrl-G. The find program can be used to look for hidden files.

Example 5-5. Use find to find

            [root@deep] /# find / -name ".. " -print -xdev
            [root@deep] /# find / -name ".*" -print -xdev | cat -v

Note: Files with names such as .xx and .mail have been used that is, files that might appear to be normal.

All SUID and SGID files that still exist on your system after we have removed those that won't absolutely require such privilege are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed.

A favorite trick of crackers is to exploit SUID root programs, and leave a SUID program as a backdoor to get in the next time. Find all SUID and SGID programs on your system, and keep track of what they are so that you are aware of any changes, which could indicate a potential intruder. Use the following command to find all SUID/SGID programs on your system:

            [root@deep] /# find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;

Tip: See in this book under Securities Software/Monitoring Tools for more information about the software sXidthat will do the job for you automatically each day and report the results via mail.

Group and world writable files and directories particularly system files partitions, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he or she wishes in these directories. In the normal course of operation, several files will be writable, including some from the /dev, /var/catman directories, and all symbolic links on your system. To locate all group & world-writable files on your system, use the command:

            [root@deep] /# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
To locate all group & world-writable directories on your system, use the command:

            [root@deep] /# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;

Tip: A file and directory integrity checker like Tripwire software can be used regularly to scan, manage and find modified group or world writable files and directories easily. See in this book under Securities Software/Monitoring Tools for more information about Tripwire.

Don't permit any unowned file. Unowned files may also be an indication that an intruder has accessed your system. If you find unowned file or directory on your system, verify its integrity, and if all looks fine, give it an owner name. Some time you may uninstall a program and get an unowned file or directory related to this software; in this case you can remove the file or directory safely. To locate files on your system that do not have an owner, use the following command:

            [root@deep] /#find / -nouser -o -nogroup
Please Note Once again, files reported under /dev directory don't count.

Finding all the .rhosts files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker only needs one insecure account to potentially gain access to your entire network. You can locate all .rhosts files on your system with the following command:

            [root@deep] /#find /home -name .rhosts
You can also use a cron job to periodically check for, report the contents of, and delete $HOME/.rhosts files. Also, users should be made aware that you regularly perform this type of audit, as directed by policy.

To use a cron job to periodically check and report via mail all .rhosts files, do the following: Create as root the find_rhosts_files script file under /etc/cron.daily directory touch /etc/cron.daily/find_rhosts_files and add the following lines in this script file:

            /usr/bin/find /home -name .rhosts | (cat <<EOF
            This is an automated report of possible existent .rhosts files on the server
            deep.openna.com, generated by the find utility command.

            New detected .rhosts files under the /home directory include:
            ) | /bin/mail -s "Content of .rhosts file audit report" root
Now make this script file executable, verify the owner, and change the group to root.

            [root@deep] /#chmod 755 /etc/cron.daily/find_rhosts_files
            [root@deep] /#chown 0.0 /etc/cron.daily/find_rhosts_files
Each day mail will be sent to root with a subject: Content of .rhosts file audit report containing potential new .rhosts files.