Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: "Bosschert, B. (is-ks)" <Bas.Bosschert () ASZ NL>
Date: Fri, 23 Mar 2001 11:06:52 +0100
Answers:

1. Some rootkits are simple shell scripts, but other ones are real programs. If they replace ps you won't notice anything about it, only the file size should be changed. You can do it with a shell script. Just rename ps to something else, and then you write a script that does a ps and then greps the things out of it the admin may not see.

2. chattr +i works fine. Most script kiddies don't know anything about file extensions of the ext2 file system. With +i you can't overwrite the file, even if you are root.

I don't know any answers 'bout the other three questions.

ttfn,
Asby
-----Original Message-----
From: Daniel McCranie [SMTP:sfml () SNEAKERNETSECURITY COM]
Sent: Wednesday, 21 March 2001 19:59
To: VULN-DEV () SECURITYFOCUS COM
Subject: Positive uses for rootkits

Hi,

I was wondering that since intruders can modify system commands to not display certain things, couldn't admins modify the commands like cp, mv, rm... so that they would not be able to replace any of the included commands? These could be made in such a way only to work unlimited in single user mode or have the disk mounted to another system when there is a legitimate need to change one. I have just enough UNIX knowledge to be dangerous to myself so be gentle :)

Questions:
1. Are most rootkits simply shell scripts or real programs?
2. Would there be any way to stop programs from overwriting those files with programming calls? (Maybe making them read-only and modifying chmod...)
3,4,5: I know that this probably wouldn't be good in a standard distro but what about a hardening kit? Has this been tried before? Is there something blatantly wrong?

Dan
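A defender-side check for the two points Asby makes above (a ps binary quietly replaced by a shell script wrapper, and chattr +i on system binaries), written as an added example that is not part of the original thread. It assumes lsattr(1) from e2fsprogs is installed; the list of binaries at the bottom is only an illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits binaries for the two
# things discussed above: a real ELF program silently replaced by a shell
# script wrapper, and the ext2 immutable attribute (chattr +i) missing.
# Assumes lsattr(1) from e2fsprogs; on filesystems without attribute
# support it fails and the result is reported as "unknown".

# file_kind FILE: "elf" for the ELF magic 7f 45 4c 46, "script" for "#!",
# "other" for anything else (empty or unreadable file included).
file_kind() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# lsattr_immutable LINE: given one line of lsattr output such as
# "----i---------e------- /bin/ps", succeed iff the flags field contains
# the lowercase immutable flag 'i'. Only the first field is examined, so
# an 'i' in the path cannot produce a false positive.
lsattr_immutable() {
    flags=${1%% *}
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# is_immutable FILE: prints "yes", "no" or "unknown" (lsattr missing or
# the filesystem does not support attributes).
is_immutable() {
    line=$(lsattr -d "$1" 2>/dev/null) || { echo unknown; return 0; }
    if lsattr_immutable "$line"; then echo yes; else echo no; fi
}

# audit_binary FILE: print one report line; exit status 0 only when the
# file is a genuine ELF executable and carries the immutable flag.
audit_binary() {
    kind=$(file_kind "$1")
    imm=$(is_immutable "$1")
    echo "$1 kind=$kind immutable=$imm"
    [ "$kind" = elf ] && [ "$imm" = yes ]
}

# Usage: audit the commands a rootkit typically replaces (illustrative list).
for f in /bin/ps /bin/ls /bin/netstat /usr/bin/find; do
    if [ -e "$f" ]; then audit_binary "$f" || true; fi
done
```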