HackFest Series: KeyLoggers (Trust and Ownership are Everything) for Administrators

Lisa Kachold lisakachold at obnosis.com
Sun Nov 30 20:28:08 MST 2008


Not all that glitters is gold.   Keyloggers can exist as part of a honeypot, PCI tool, management or systems administration utility or even a simple trojan virus.

It's becoming more and more common to log all root keystrokes in layers of trust and secrecy that systems administrators don't even immediately recognize are there.

Many keyloggers exist, but the three most often deployed in systems include:

1) Pam Daemon Systems Level:

 rootsh utility, which allows you to enable a systems logger that will show everything logged to the terminal whenever anyone invokes sudo.

http://freshmeat.net/projects/rootsh/

Many inplementations recommend renaming rootsh to another seemingly innocous sounding word - like "termd".

The use of rootsh and other keyloggers for root is exceptionally useful should you have more than one systems administrator, or want to keep track of changes on production systems.  PCI compliance and SOCKS both require controls in place for the root or administrative user.

The logs, (which by default log to /var/log/rootsh/ which can be changed upon implementation) of course, can be edited, like any logs, unless you utilize a stunnel or other syslog-ng single network loghost with limited access, which is yet another recommendation for a secure administration.

2) Kernel level:

Sebek clients (with Honeywall server) provide nearly invisable logging capacity for honeypot and systems administration monitoring.

http://www.honeynet.org/tools/sebek/

Sebek is a kernel module that is available for Windows machines also.  

3) Hardware based tools.

These masquerade as a USB to PCI or other conversion tool and most often deployed at NOCs with KVM's that don't also provide tty capacity.

http://www.keelog.com/download.html

These are especially useful, however the most saavy systems administrators usually see the terminal pause and flash that accompany use of a hardware logger.  

SO if you feel you ARE BEING WATCHED, you ARE.  [I personally I can't type when watched!]

The legal ramifications of micro-critique of a systems administrator or engineer for making such typing mistakes is problematic due to the non-exempt federal statutes for professionals, (since the FLSA standards requires us to be able to work without micro-direction) but be advised, all high level responsible actions are logged post 2001 in America!

 http://www.lieffcabraser.com/itovertime.htm

Trojan Keyloggers:

http://www.youtube.com/watch?v=fVy82nFcvVg

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |
http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona Department of Economic
Security will provide a one hour
presentation on forensics.



_________________________________________________________________
Get more done, have more fun, and stay more connected with Windows Mobile®. 
http://clk.atdmt.com/MRT/go/119642556/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20081201/1fca84cd/attachment.htm 


More information about the PLUG-discuss mailing list