Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Cedric Blancher <blancher () CARTEL-INFO FR>
Date: Fri, 23 Mar 2001 09:49:55 +0100
On Wed, 21 Mar 2001 19:58:31 Daniel McCranie wrote:
> I was wondering that since intruders can modify system commands to not display certain things, couldn't admins modify the commands like cp, mv, rm... so that they would not be able to replace any of the included commands? These could be made in such a way as to only work unlimited in single-user mode, or when the disk is mounted on another system when there is a legitimate need to change one.
Changing programs is not sufficient, because you can't change every executable that reads the filesystem, for example. If you want to hide some stuff, you'll have to act at kernel level.
> I have just enough UNIX knowledge to be dangerous to myself, so be gentle :) Questions: 1. Are most rootkits simply shell scripts or real programs?
A rootkit is often a set of programs that aims to replace usual commands such as ls, ps, netstat and so on in order to hide some files, processes, connections, etc... But you have "more clever" rootkits, such as modules which directly act on inputs and outputs at kernel level.
> 2. Would there be any way to stop programs from overwriting those files with programming calls? (Maybe making them read-only and modifying chmod...)
Yes. On Linux for example, you can use capabilities. The LIDS security patch does this and allows you to control each kernel system call.
> 3,4,5: I know that this probably wouldn't be good in a standard distro, but what about a hardening kit? Has this been tried before? Is there something blatantly wrong?
Have a look at LIDS, for it is a great patch. http://www.lids.org/ You can control almost everything. Have a look at the doc.
--
Cedric Blancher
System and network security consultant
Cartel Informatique
http://securite.cartel-info.fr/
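The reply's point about userland versus kernel-level rootkits can be seen in a "cross-view" check: a rootkit that only replaced ls or ps changes what those commands print, but not what the kernel still exposes through the raw directory listing or /proc, so the two views disagree. The following is an added example written for this archive page, not code from the thread or from the LIDS project. It assumes `ps -e` output in procps layout (PID in the first column, one header line) and `ls -a1` output with one name per line; the constructed samples below stand in for a host where ps omits one process and ls omits one file.

```python
"""Cross-view detection of userland rootkits (added example, not from the thread).

Compares the output of possibly trojaned commands (ps, ls) with what the kernel
exposes directly (/proc entries, a raw directory listing).  Differences point
at a replaced command.  A kernel-level rootkit that filters the syscalls
themselves makes both views lie, which is why the reply says hiding has to be
done at kernel level and why this check cannot catch that case.
"""
import os
import re
import subprocess

# procps `ps -e` rows start with optional spaces, the PID, then whitespace.
PS_LINE = re.compile(r"^\s*(\d+)\s")


def parse_ps_pids(ps_output):
    """PIDs reported by `ps -e` style output; the header line does not match."""
    pids = set()
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def proc_pids(entries):
    """PIDs from a listing of /proc: every purely numeric directory name."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(ps_output, proc_entries):
    """PIDs present in /proc but absent from the ps output.

    Only this direction is reported: a PID seen by ps but gone from /proc is
    usually a process that exited between the two snapshots, not evidence.
    """
    return sorted(proc_pids(proc_entries) - parse_ps_pids(ps_output))


def hidden_names(ls_output, raw_entries):
    """Names a raw directory listing contains but `ls -a1` output does not."""
    shown = {line.strip() for line in ls_output.splitlines() if line.strip()}
    return sorted(set(raw_entries) - shown - {".", ".."})


def live_check(directory="/"):
    """Run both comparisons on the current Linux host (requires ps and ls)."""
    ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True,
                            check=True).stdout
    ls_out = subprocess.run(["ls", "-a1", directory], capture_output=True,
                            text=True, check=True).stdout
    return {
        "hidden_pids": hidden_pids(ps_out, os.listdir("/proc")),
        "hidden_names": hidden_names(ls_out, os.listdir(directory)),
    }


# Constructed samples: the ps view omits PID 4242, the ls view omits ".hidden".
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  812 ?        00:00:00 sshd
 1337 pts/0    00:00:00 bash
"""
SAMPLE_PROC = ["1", "812", "1337", "4242", "self", "cpuinfo", "net", "sys"]
SAMPLE_LS = ".\n..\nbin\netc\nhome\n"
SAMPLE_DIR = ["bin", "etc", "home", ".hidden"]

if __name__ == "__main__":
    print("hidden PIDs in sample:", hidden_pids(SAMPLE_PS, SAMPLE_PROC))
    print("hidden names in sample:", hidden_names(SAMPLE_LS, SAMPLE_DIR))
```

On a clean host `live_check()` returns two empty lists apart from the occasional short-lived PID race; a non-empty result is a reason to boot from known-good media and compare binaries, since the checking tools themselves run on the suspect system.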
Current thread:
- Positive uses for rootkits Daniel McCranie (Mar 22)
- Re: Positive uses for rootkits Nicolas Gregoire (Mar 23)
- Re: Positive uses for rootkits Chih hung Feng (Mar 23)
- Re: Positive uses for rootkits Berend De Schouwer (Mar 23)
- Re: Positive uses for rootkits Gregor Binder (Mar 23)
- Re: Positive uses for rootkits Cedric Blancher (Mar 23)
- Re: Positive uses for rootkits Jason Nicholls (Mar 23)
- Re: Positive uses for rootkits Jonathan James (Mar 25)
- Re: Positive uses for rootkits Dick Visser (Mar 25)
- Re: Positive uses for rootkits Ron DuFresne (Mar 25)
- Re: Positive uses for rootkits Daniel R. Warner (Mar 25)
- Re: Positive uses for rootkits -> off-topic: booting tricks. Alex Schütz (Mar 27)
- Re: Positive uses for rootkits -> off-topic: booting tricks. ze Snark (Mar 28)
- Re: Positive uses for rootkits Dick Visser (Mar 25)
- Re: Positive uses for rootkits The Attitude Adjuster (Mar 25)
- Re: Positive uses for rootkits Ben Ford (Mar 28)
- Re: Positive uses for rootkits Big Woz (Mar 28)