Old 10-20-2006, 09:01 AM   #30
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by Mike Kostousov
I think replacing passwd is a better way. I created a network profile with this quoted key and chose this profile by default. Now, by pressing the network button, this script is executed.
Wow!! Of course, it stores the key and uses it when you start a connection. I had not thought of it, because I thought that if the test failed it was not going to store the key.
Now, this seems a safe way to get script execution by itself; if you do not want script execution anymore, you delete the profile and voila! It is somewhat risky in the sense that if you change the connection and it really gets to contact iDS, it could update the system if you are not fast enough to remove the internet cable or switch your wifi router off.

A minor problem is that we do not know exactly at which point the hack is being executed. We can conjecture it is in the line "iwconfig $ethIf key $key" of the script wireless.sh, but on the other hand the authors of the script (Alexis, Matthijs and Edwin, some of whom you know from the iRex forums) already took some wrapping measures (namely, key="$4").

Quote:
So, I just need to create a script which will change /etc/passwd, start dropbear, etc. But what happens if the integrity check fails?
Let me check the scripts and I will tell you in this same posting. (Back in a couple of minutes.) (Here I am.) It seems that the integrity checks are done in do_updates.sh in the /usr/bin directory. It checks:

Code:
updates_done=0
# The fixed root password hash that the checker enforces.
new_password='Ko2IxrVVzZZT.'

echo -n 'Checking for patches:'

# If the dropbear ssh binary is present, uninstall the package.
if [ -x /usr/sbin/dropbearmulti ]
then
        echo -n ' rm_sshd'
        /usr/bin/ipkg remove -force-depends dropbear
        updates_done=1
fi

# Compare the password field of the root line with the fixed hash;
# if it differs, rewrite the hash of every entry with UID 0.
if [ "`grep '^root:' /etc/passwd | cut -d: -f2`" != "${new_password}" ]
then
        echo -n ' passwd'
        sed -i "s,^\\([^:]*\\):[^:]*:0:,\\1:${new_password}:0:," /etc/passwd
        updates_done=1
fi
And it also checks for registry modifications. As you see, if the check for the password fails, it just sets the password to the fixed one.

Last edited by arivero; 10-20-2006 at 09:19 AM.
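As an added illustration (not from the post above or from iRex's own scripts), here is a Python model of the passwd check and the sed substitution quoted in the post, run against a constructed passwd file. It makes visible one detail of the logic: the test looks only at the root line, while the rewrite touches every UID-0 entry.

```python
import re

# Constructed sample /etc/passwd (hashes stored in passwd itself, as on
# small embedded systems without a shadow file). Not from a real device.
SAMPLE_PASSWD = """root:$1$constructed$notTheExpectedHash:0:0:root:/root:/bin/sh
toor:xyz:0:0:second uid-0 account:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
"""

# The fixed hash that do_updates.sh enforces (value quoted in the post).
EXPECTED_HASH = "Ko2IxrVVzZZT."

# Same anchored pattern as the script's sed: name, any password field, UID 0.
UID0_RE = re.compile(r"^([^:]*):[^:]*:0:")


def root_hash(passwd_text):
    """Mirror `grep '^root:' /etc/passwd | cut -d: -f2` (empty if no root line)."""
    for line in passwd_text.splitlines():
        if line.startswith("root:"):
            return line.split(":")[1]
    return ""


def check_needs_reset(passwd_text, expected=EXPECTED_HASH):
    """The `if` condition: only root's password field is compared."""
    return root_hash(passwd_text) != expected


def apply_reset(passwd_text, expected=EXPECTED_HASH):
    """Mirror the sed: rewrite the hash of *every* UID-0 entry, keep the rest."""
    out, rewritten = [], []
    for line in passwd_text.splitlines():
        if UID0_RE.match(line):
            fields = line.split(":")
            if fields[1] != expected:
                rewritten.append(fields[0])
            fields[1] = expected
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n", rewritten


def simulate(passwd_text, expected=EXPECTED_HASH):
    """Run check + reset as do_updates.sh does; returns (new_text, names_rewritten)."""
    if not check_needs_reset(passwd_text, expected):
        return passwd_text, []
    return apply_reset(passwd_text, expected)
```

A second UID-0 entry with a different hash is left alone as long as root's own field already matches, because only the root line is inspected.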