Hiding stuff
Dennis G. Rears FSAC
drears at PICA.ARMY.MIL
Tue Mar 21 04:24:26 AEST 1989
Elmar writes:

>In article <18676 at adm.BRL.MIL> drears at PICA.ARMY.MIL (Dennis G. Rears (FSAC)) writes:
>>[The original poster - I lost the name] wrote:
>>> How do I hide what I'm doing; specifically, when someone invokes
>>> w, who, top, finger, ps, lastcom, etc., it doesn't show what I'm doing.
>> My favourite way is to "rsh hostname /bin/csh".
>
>You need 'csh -i'. But it's not much fun to work if you have no tty attached
>and therefore NO job control in the shell.

You do not *need* csh -i; on my Ultrix system I just use
/bin/csh.

>
>>w, who, finger, lastcom can't catch me.
>
>lastcomm DOES catch you!
I don't know. We have all accounting disabled on our system.

>
>> ps and top can catch me,
>>however. Then I use the command "ch realcmd arguments" to run any
>>program. Ch basically puts spaces into argv[0]. This will hide it
>>from ps and top.
>
>I don't know the command 'top', maybe that's what we call 'lastcomm' which
>shows the last commands which had been executed. But, if you use 'top' the way
>we use 'lastcomm', what does your 'lastcom' with one 'm' at the end do?
>
>Anyway, 'ps -auxww' will show the arguments you use. Note the two 'w's.
>(Under 4.x bsd and Ultrix 3.0)
This is easily defeated. Have the first argument be nothing but
90 spaces inside quotation marks.

My response was meant as a way to hide what you are doing from a
casual user, not a system admin. If you really want to hide stuff,
write a program that does:

o Find the location of the file.
o If not suid or sgid, copy it with the name " ".
o fork a child; put it to sleep, wake it up 2 seconds later,
  have it unlink(" "); exit
o parent execs file " "
o if the file is suid, check to see if you have write
  permission on any directory in the filesystem (e.g. /usr/tmp), then
  make a hard link to it, then continue with the fork.

Dennis
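The blank-argv[0] trick discussed in this thread only fools the COMMAND column of ps; an administrator can look for it directly. The following is an added detection example, not code from the thread or from any of its participants. It assumes eleven-column BSD-style `ps auxww` output (the constructed sample below) and, on Linux, cross-checks argv[0] from /proc/<pid>/cmdline against the /proc/<pid>/exe link, which renaming the argument vector cannot alter; the names SAMPLE_PS, suspicious_pids, argv0_mismatch and scan_proc are this example's own.

```python
"""Flag process listings whose argv[0] has been blanked or replaced.

Added defensive example, not code from the original thread.  Assumes the
eleven-column BSD ps layout: USER PID %CPU %MEM VSZ RSS TTY STAT START
TIME COMMAND.
"""
import os

# Constructed sample of `ps auxww` output.  PID 901 is a process whose
# argv[0] is nothing but spaces, the trick discussed in the thread.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1234   456 ?        Ss   10:00   0:01 /sbin/init
dennis     812  0.0  0.2   2345   678 pts/0    S    10:05   0:00 -csh
dennis     901  0.3  0.5   5678   901 pts/0    R    10:06   0:02 {blank}
dennis     902  0.0  0.1   1000   200 ?        S    10:07   0:00 /bin/cat /etc/motd
""".format(blank=" " * 40)


def parse_ps(text):
    """Yield (pid, command) pairs from BSD-style ps output, skipping the header."""
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        # Ten whitespace-delimited columns, then COMMAND kept verbatim
        # (including any run of spaces that is all that argv[0] holds).
        fields = line.split(None, 10)
        pid = int(fields[1])
        command = fields[10] if len(fields) > 10 else ""
        yield pid, command


def blank_argv0(command):
    """True when the COMMAND column carries no printable argv[0] at all."""
    return command.strip() == ""


def suspicious_pids(text):
    """PIDs whose displayed command line is empty or whitespace only."""
    return [pid for pid, cmd in parse_ps(text) if blank_argv0(cmd)]


def argv0_mismatch(cmdline, exe_path):
    """Compare argv[0] (from NUL-separated /proc/<pid>/cmdline bytes) with the
    basename of the executable actually running (/proc/<pid>/exe).

    Returns True when argv[0] is blank or names something other than the
    executable, i.e. the name ps would display is not to be trusted.
    """
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace").strip()
    if not argv0:
        return True
    # A leading '-' marks a login shell ("-csh"); drop it before comparing.
    return os.path.basename(argv0.lstrip("-")) != os.path.basename(exe_path)


def scan_proc():
    """On Linux, return PIDs under /proc whose argv[0] does not match their exe.

    Returns [] where /proc is absent.  Entries that cannot be read (kernel
    threads have no exe link; other users' exe links need root) are skipped.
    """
    hits = []
    if not os.path.isdir("/proc"):
        return hits
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        if cmdline and argv0_mismatch(cmdline, exe):
            hits.append(int(entry))
    return hits


if __name__ == "__main__":
    print("blank argv[0] in sample ps output:", suspicious_pids(SAMPLE_PS))
    print("argv[0]/exe mismatches on this host:", scan_proc())
```

The /proc scan needs permission to read other users' exe links, so run it as root for a complete view, and treat a mismatch as a lead rather than a verdict: interpreters and multi-call binaries legitimately run under an argv[0] that differs from the executable's basename. Process accounting, which Elmar points to, is the complementary control: it is written by the kernel at exit and does not depend on what the process chose to put in its argument vector.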