icc@lasspvax.UUCP (Mark Fedor) (09/21/85)
> From: notch@srcsip.UUCP (Michael k Notch)
> Subject: invisibility.
> I have heard a rumor that it is possible for a user on 4.2bsd to go
> invisible to other users.
> Has anyone else heard this rumor and possibly confirm it.
> Also, if it is true, could someone explain to me how it is done.
> Thanks. I will take this in the strictest confidence.

I have made myself invisible to other users while I was logged in by writing a program that reads utmp, finds my entry, nulls it out, and then writes back the new utmp. This effectively eliminates you from `who', `finger', and `w'. However, this does not eliminate you from `ps'. `ps' looks in kmem and eliminating yourself from kmem (process tables) looks pretty sticky. Obviously, you need super-user privileges to cloak yourself. Also, some unknowing user who logs in during the split second you modify utmp might find themselves cloaked.

If anybody has attempted a cloak from `ps', I would like to know the details. Send details by E-mail.

-- 
=========================================================
USENET: {decvax,ihnp4,cmcl2,vax135}!cornell!lasspvax!icc
ARPA:   icc%lasspvax@Cornell.arpa
MAIL:   Instructional Computing Center
        11 Snygg Hall, SUNY at Oswego
        Oswego, New York 13126
PHONE:  (315) 341-3055
=========================================================
speck%cit-vlsi@CIT-VAX.ARPA (Don Speck) (09/26/85)
How to cloak oneself depends on your goal. If you merely want anonymity, login as root. If you wish to be invisible, try naming your shell "getty".
mikel@codas.UUCP (Mikel Manitius) (10/04/85)
>
> How to cloak oneself depends on your goal. If you merely want
> anonymity, login as root. If you wish to be invisible, try naming
> your shell "getty".

There are several ways one might cloak oneself; logging in as another user is cheating.

If you run 4.Xbsd, then try making your environment take up more than 4k (i.e.: set many variables to X's to occupy that space). This will cause ps and w to cloak your command arguments: w will only show the name of the process, and ps will show it surrounded by ()'s (i.e.: " (mail)", including the extra space). Also note that if the program changes argv[0], this will have no effect; the name of the command shown is derived from the name of the file which is being executed.

Another way is if your administrator has left /etc/utmp mode 666: just write a little program that finds your utmp entry, and either changes it, or removes it completely.

I once hacked out a version of ps(1) that checked to see if /tmp/.FILE existed, and replaced /usr/bin/ps with it (I was nasty at school); if the file did exist, none of my processes would be shown to other users.

Another form of cloaking... If you have access to /dev/kmem, get the source for the 4.1BSD version of renice(1), change it to look up the user ID instead of the priority, and change it to something. Apparently, this UID is not used for permissions, but rather for terminal information. Thusly, a process can have UID 0, EUID 100, and be shown to the world as being executed by a user who has UID 200.

Note that things described above have only been tested on 4.1bsd.

-- 
      =======          Mikel Manitius
    ==----=====        AT&T ...!{ihnp4!}codas!mikel
   ==------=====       Information Systems (305) 869-2462
   ===----======       SDSS Regional Support AT&T-IS ETN: 755
     ===========       Altamonte Springs, FL
      =======          My opinions are my own.
seth@megad.UUCP (Seth H Zirin) (10/08/85)
> > I have heard a rumor that it is possible for a user on 4.2bsd to go
> > invisible to other users.
> > Also, if it is true, could someone explain to me how it is done.
> I have made myself invisible to other users while I was logged in by
> writing a program that reads utmp, finds my entry, nulls it out, and
> then writes back the new utmp. This effectively eliminates you from
> `who',`finger',and `w'. However, this does not eliminate you from `ps'.
> `ps' looks in kmem and eliminating yourself from kmem (process tables)
> looks pretty sticky. Obviously, you need super-user privileges to cloak
> yourself. Also, some unknowing user who logs in during the split second
> you modify utmp might find themselves cloaked.

I must be missing something, but, WHY would anyone want to "cloak" themselves for any legitimate purpose? Eliminating one's entries in the process table would have a detrimental impact on the system in general, and on that user's continued execution in particular.

When I was a student, my favorite hack was to get into supervisor mode and disable interrupts.

-- 
-------------------------------------------------------------------------------
Name:  Seth H Zirin
UUCP:  {decvax, ihnp4}!philabs!sbcs!megad!seth
Keeper of the News for megad
maurice@nmtvax.UUCP (10/14/85)
>> How to cloak oneself depends on your goal. If you merely want
>> anonymity, login as root. If you wish to be invisible, try naming
>> your shell "getty".

To truly vanish will require lots of work with other things too. Of course the most noticeable is /etc/utmp, and then there is fixing ps not to show you, but there are several other things too.

First there is /usr/adm/wtmp. Unless that is fixed too, running the last(1) program will show a user as still being logged in. Some places have the 'top' program that was distributed over the net a while back (another ps-like program) that will need to be fixed as well. Then there is the lastlog of when users last logged in. That can be watched for changes. Another is watching the character device for access and modify time changes. Active terminals can be noted, as well as their owners.

Granted that for most of these fixes, one needs to be root, as the files are (or at least should be) protected from general write access, and kmem without general read access.

These seem to be most of what I can think of; perhaps there are more subtle ways, I can think of one already, but to say it in general, you can run, but you can't hide. Perhaps from 99% of the users you can, but someone will still be able to see that you are there from one thing or another.

Roger Levasseur
New Mexico Tech
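Roger's list reads just as well as a checklist for the administrator: every source he names can be compared against the others, and a session removed from one of them shows up as a disagreement between sources. The script below is an added example, not code from anyone in this thread. It takes constructed records of the kind who(1), ps(1) and ls -l /dev would give on a 4.xBSD host and reports terminals that have processes but no utmp entry, utmp entries with no process on that line, utmp names that disagree with the terminal device owner, and commands ps prints in parentheses because it could not read their argument block (the oversized-environment effect Mikel describes). The record types, field names and sample data are the example's own.

```python
# Cross-check the places a logged-in user leaves a trace (utmp, the process
# table as ps reports it, and the terminal device owners) so that a session
# missing from one source but present in another stands out.  Added example;
# the records below are constructed for illustration, not taken from a live
# 4.xBSD host.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UtmpEntry:
    line: str   # ut_line, e.g. "ttyp0"
    user: str   # ut_name


@dataclass(frozen=True)
class Proc:
    pid: int
    tty: str    # controlling terminal as ps prints it, "?" when none
    user: str   # owner as ps prints it
    cmd: str    # COMMAND column, verbatim


@dataclass(frozen=True)
class TtyDev:
    name: str   # basename under /dev
    owner: str  # owner of the device node


Finding = Tuple[str, str, str]   # (kind, tty, detail)


def reconcile(utmp: List[UtmpEntry], procs: List[Proc], ttys: List[TtyDev]) -> List[Finding]:
    findings: List[Finding] = []
    utmp_by_line: Dict[str, UtmpEntry] = {e.line: e for e in utmp}
    procs_by_tty: Dict[str, List[Proc]] = {}
    for p in procs:
        if p.tty != "?":
            procs_by_tty.setdefault(p.tty, []).append(p)

    # A terminal with live processes but no utmp entry: who/w/finger will
    # not show this session although ps does.
    for tty, plist in sorted(procs_by_tty.items()):
        if tty not in utmp_by_line:
            owners = ",".join(sorted({p.user for p in plist}))
            findings.append(("no_utmp", tty,
                             f"{len(plist)} process(es) owned by {owners}, no utmp entry"))

    # A utmp entry with no process on that line: stale, or left by an edit.
    for line, e in sorted(utmp_by_line.items()):
        if line not in procs_by_tty:
            findings.append(("stale_utmp", line,
                             f"utmp lists {e.user} but no process has this tty"))

    # login(1) chowns the terminal to the user; a utmp name that disagrees
    # with the device owner means one of the two was changed afterwards.
    for d in sorted(ttys, key=lambda d: d.name):
        e = utmp_by_line.get(d.name)
        if e is not None and e.user != d.owner:
            findings.append(("owner_mismatch", d.name,
                             f"utmp says {e.user}, /dev/{d.name} owned by {d.owner}"))

    # ps prints " (name)" when it cannot read the argument block.
    for p in procs:
        c = p.cmd.strip()
        if c.startswith("(") and c.endswith(")"):
            findings.append(("masked_args", p.tty,
                             f"pid {p.pid} shown as {c!r}; arguments not readable"))
    return findings


# Constructed sample: what who(1), ps(1) and ls -l /dev/tty* might report.
SAMPLE_UTMP = [UtmpEntry("console", "root"), UtmpEntry("ttyp0", "notch"),
               UtmpEntry("ttyp2", "seth")]
SAMPLE_PROCS = [
    Proc(101, "console", "root", "-csh"),
    Proc(212, "ttyp0", "notch", "-csh"),
    Proc(213, "ttyp0", "notch", "vi article"),
    Proc(305, "ttyp1", "mikel", "-csh"),      # session with no utmp entry
    Proc(306, "ttyp1", "mikel", " (mail)"),   # argument block not readable
    Proc(400, "?", "root", "/etc/update"),    # daemon with no tty: ignored
]
SAMPLE_TTYS = [TtyDev("console", "root"), TtyDev("ttyp0", "notch"),
               TtyDev("ttyp1", "mikel"), TtyDev("ttyp2", "guest")]


def sample_report() -> List[Finding]:
    return reconcile(SAMPLE_UTMP, SAMPLE_PROCS, SAMPLE_TTYS)


if __name__ == "__main__":
    for kind, tty, detail in sample_report():
        print(f"{kind:15s} {tty:8s} {detail}")
```

On the constructed data the report flags four things: ttyp1 running processes with no utmp entry, ttyp2 listed in utmp with nothing running on it, a utmp name for ttyp2 that disagrees with the device owner, and pid 306 whose command ps could only print as "(mail)". Feeding it real output means parsing the actual utmp records and ps columns for the system at hand, which this example leaves out.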
maurice@nmtvax.UUCP (10/23/85)
>I must be missing something, but, WHY would anyone want to "cloak" themselves
>for any legitimate purpose? Eliminating one's entries in the process table
>would have a detrimental impact on the system in general, and on that user's
>continued execution in particular.

Cloaking would allow one to be able to work on the system without anyone actually noticing that they are there, or to be on the system as an *unseen* observer. Oh, yes, it's not removing process entries from the process table, but rather not reporting that they are there.

Roger Levasseur
New Mexico Tech