A Linux server has Node.js installed with the http-server package. The server wi
Question
A Linux server has Node.js installed with the http-server package. The server will respond to requests on port 80 with a file in the same directory named index.html.
An interesting characteristic of this server is that it exposes full read access to guest users via ssh. Any file on the system can be read by guests (except the SSL private key). Guest users can confirm that the SHA hashes of the node, http-server, and ssh binaries on the system match reference versions, and can confirm that those binaries are the currently running processes.
Is it possible for an attacker (via privilege escalation) or the owner of the server to modify the server in such a way that it serves a different version of index.html to specific IP addresses, while hiding this fact from any third party?
Explanation / Answer
As long as you don't set up the server yourself, you cannot be sure that what you are seeing with ssh is actually what is happening on the server. In the end, your ssh access could just be a well-built honeypot, and nothing you see there relates to real server activity.
Even if you've set up the server yourself you cannot be sure, because there is still the BIOS, the firmware on the network cards, the router between client and server, etc. All of these can affect what data actually gets transferred to the client, and all of these could be used to compromise the data.
And even if ssh shows the proper state of the server and no router, iptables or others are tampering with the server-provided data: there might still be in-memory malware like Darkleech affecting what actually gets served. You will not detect this when looking at the process table and you will not detect this when looking at the files, because it is just in the memory of the HTTP server.
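An added example, not part of the original answer: one check a third party can run is to hash the index.html bytes read over the guest ssh session and compare them with the HTTP response bodies collected from several networks. The function name, vantage labels and sample bodies below are hypothetical and constructed for illustration.

```javascript
// Added example: compareVantages and the vantage labels are hypothetical names.
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// referenceBody: bytes of index.html as read over the guest ssh session.
// observations:  [{ vantage, body }] HTTP response bodies, one per network
//                the page was fetched from.
function compareVantages(referenceBody, observations) {
  const referenceDigest = sha256(referenceBody);

  // Group vantage points by the digest of the body each one received.
  const byDigest = new Map();
  for (const { vantage, body } of observations) {
    const digest = sha256(body);
    if (!byDigest.has(digest)) byDigest.set(digest, []);
    byDigest.get(digest).push(vantage);
  }

  // Any digest other than the on-disk one is a served version that the
  // ssh view of the file system does not account for.
  const divergent = [];
  for (const [digest, vantages] of byDigest) {
    if (digest !== referenceDigest) divergent.push({ digest, vantages });
  }

  return {
    referenceDigest,
    distinctVersions: byDigest.size,
    divergent,
    // With no observations there is nothing to call consistent.
    consistent: observations.length > 0 && divergent.length === 0,
  };
}

// Constructed sample data: two networks see the on-disk file, one does not.
const onDisk = Buffer.from('<html><body>hello</body></html>\n');
const observations = [
  { vantage: 'home-isp', body: Buffer.from('<html><body>hello</body></html>\n') },
  { vantage: 'cloud-vm', body: Buffer.from('<html><body>hello</body></html>\n') },
  { vantage: 'mobile-carrier', body: Buffer.from('<html><body>hello (modified)</body></html>\n') },
];

console.log(JSON.stringify(compareVantages(onDisk, observations), null, 2));
```

A consistent result only covers the networks that were sampled, and it inherits the limits the answer describes: the reference bytes come from an ssh view that may itself not reflect what the server does.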