Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Berend De Schouwer <bds () jhb ucs co za>
Date: Fri, 23 Mar 2001 08:56:07 +0200
On Wed, 21 Mar 2001 20:58:31 Daniel McCranie wrote:
| Hi,
|
| I was wondering that since intruders can modify system commands to
| not display certain things, couldn't admins modify the commands
| like cp, mv, rm... so that they would not be able to replace any
| of the included commands? These could be made in such a way only to
| work unlimited in single user mode or have the disk mounted to
| another system when there is a legitimate need to change one.

This doesn't help compiling C programs to call the libc functions, or
calling the kernel functions directly.

Even simpler: if you replace 'cp', I can still copy files using:
"cat fileA > fileB". There are a lot of ways to copy files.

| I have just enough UNIX knowledge to be dangerous to myself so be
| gentle :)
|
| Questions:
|
| 1. Are most rootkits simply shell scripts or real programs?

Both.

| 2. Would there be any way to stop programs from overwriting those
| files with programming calls? (Maybe making them read-only and
| modifying chmod...)

No. If you are root, you can change permissions back.

To stump some people you can try:
- Mounting /usr read-only
- 'chattr' (file system dependent)

To actually prevent even root from changing files, on Linux, try LIDS
(www.lids.org). You can prevent root from, for example, modifying
/bin/login.

| 3,4,5: I know that this probably wouldn't be good in a standard
| distro but what about a hardening kit? Has this been tried before?
| Is there something blatantly wrong?

There are such kits to some degree. For RedHat Linux, look for Bastille.

| Dan

Kind regards,
Berend
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
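The two "stump some people" mitigations in the reply above (a read-only /usr and the chattr immutable flag) are easy to set and just as easy to forget or undo, so an admin usually wants a way to audit that they are still in place. The POSIX shell helper below is an added example written for this archive page; it is not code from Berend's post, from LIDS or from Bastille. The function names (mount_is_ro, attr_is_immutable, audit_hardening) and the sample /proc/mounts and lsattr lines are constructed for the example; on a live Linux box the same functions read real /proc/mounts and real lsattr output.

```shell
#!/bin/sh
# Added example: audit two of the mitigations discussed in the thread.
# Both checks parse text on stdin, so they work on live data
# (/proc/mounts, lsattr) and on captured samples alike.

# mount_is_ro MOUNTPOINT  < /proc/mounts-style input
# Returns 0 if MOUNTPOINT is listed with the 'ro' mount option.
mount_is_ro() {
    mp="$1"
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$mp" ] || continue
        case ",$opts," in
            *,ro,*) return 0 ;;   # mounted read-only
            *)      return 1 ;;   # found, but writable
        esac
    done
    return 1                      # not mounted at all
}

# attr_is_immutable PATH  < lsattr-style input ("----i------- /bin/login")
# Returns 0 if the ext2/ext3 immutable flag ('i') is set on PATH.
attr_is_immutable() {
    want="$1"
    while read -r flags path; do
        [ "$path" = "$want" ] || continue
        case "$flags" in
            *i*) return 0 ;;      # 'i' flag present (case-sensitive: 'I' is a different flag)
            *)   return 1 ;;
        esac
    done
    return 1                      # path not in the listing
}

# Constructed sample data (hypothetical host; not real output from any system).
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda3 /usr ext2 ro 0 0
/dev/hda5 /home ext2 rw,nosuid 0 0'

SAMPLE_LSATTR='----i---------- /bin/login
--------------- /bin/sh'

# audit_hardening MOUNTS_TEXT LSATTR_TEXT
# Prints one PASS/FAIL line per check and returns the number of failures.
audit_hardening() {
    mounts="$1"; attrs="$2"; failures=0
    if printf '%s\n' "$mounts" | mount_is_ro /usr; then
        echo "PASS: /usr is mounted read-only"
    else
        echo "FAIL: /usr is writable or not a separate mount"
        failures=$((failures + 1))
    fi
    for f in /bin/login /bin/sh; do
        if printf '%s\n' "$attrs" | attr_is_immutable "$f"; then
            echo "PASS: $f has the immutable flag"
        else
            echo "FAIL: $f is not immutable"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone run against the constructed samples (one expected failure: /bin/sh).
audit_hardening "$SAMPLE_MOUNTS" "$SAMPLE_LSATTR"
```

On a live host the checks are `mount_is_ro /usr < /proc/mounts` and `lsattr /bin/login | attr_is_immutable /bin/login`. Note that, exactly as the post says about chmod, a root process can clear the flag again with `chattr -i`, so this audit confirms the speed bump is present; it does not make the flag enforceable against root, which is the gap LIDS is cited for.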
Current thread:
- Positive uses for rootkits Daniel McCranie (Mar 22)
- Re: Positive uses for rootkits Nicolas Gregoire (Mar 23)
- Re: Positive uses for rootkits Chih hung Feng (Mar 23)
- Re: Positive uses for rootkits Berend De Schouwer (Mar 23)
- Re: Positive uses for rootkits Gregor Binder (Mar 23)
- Re: Positive uses for rootkits Cedric Blancher (Mar 23)
- Re: Positive uses for rootkits Jason Nicholls (Mar 23)
- Re: Positive uses for rootkits Jonathan James (Mar 25)
- Re: Positive uses for rootkits Dick Visser (Mar 25)
- Re: Positive uses for rootkits Ron DuFresne (Mar 25)
- Re: Positive uses for rootkits Daniel R. Warner (Mar 25)
- Re: Positive uses for rootkits -> off-topic: booting tricks. Alex Schütz (Mar 27)
- Re: Positive uses for rootkits -> off-topic: booting tricks. ze Snark (Mar 28)
- Re: Positive uses for rootkits Dick Visser (Mar 25)
- Re: Positive uses for rootkits The Attitude Adjuster (Mar 25)