Re: Positive uses for rootkits

["Bosschert, B. (is-ks)" <Bas.Bosschert () ASZ NL>]

Answers:

1. Some rootkits are simple shellscripts, but other ones are real programs.
If they replace ps you won't notice anything about it, only the file size
should be changed.
You can do it with a shell script. Just rename ps to something else, and
then you write a script that does a ps and the grep the things out of it,
the admin may not see.

2. chattr +i works fine. Most scriptkiddies doesn't know anything about file
extensions of the ext2 file system. With +i you can't overwrite the file,
even if you are root.

I don't know any answers 'bout the other three questions.

ttfn,

Asby

> -----Oorspronkelijk bericht-----
> Van:  Daniel McCranie [SMTP:sfml () SNEAKERNETSECURITY COM]
> Verzonden:    woensdag 21 maart 2001 19:59
> Aan:  VULN-DEV () SECURITYFOCUS COM
> Onderwerp:    Positive uses for rootkits
>
> Hi,
>
> I was wondering that since intruders can modify system commands to
> not display certain things, couldn't admins modified the commands
> like cp, mv, rm...  so that they would not be able to replace any
> of the included commands?  These could be made in such a way only to
> work unlimited in single user mode or have the disk mounted to
> another system when there is a legitimate need to change one.
>
> I have just enough UNIX knowledge to be dangerous to myself so be
> gentle :)
>
> Questions:
>
> 1. Are most rootkits simply shell scripts or real programs?
>
> 2. Would there be anyway to stop programs from overwriting those
> files with programming calls?  (Maybe making them read-only and
> modifying chmod...)
>
> 3,4,5: I know that this probably wouldn't be good in a standard
> distro but what about a hardening kit?  Has this been tried before?
> Is there something blatantly wrong?
>
>
> Dan